Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
24/05/2024, 23:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
77b0042941cc955976a5596656cf93db76ed75b3f1a75b71438d669b94d46172.exe
Resource
win7-20240419-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
77b0042941cc955976a5596656cf93db76ed75b3f1a75b71438d669b94d46172.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
77b0042941cc955976a5596656cf93db76ed75b3f1a75b71438d669b94d46172.exe
-
Size
320KB
-
MD5
739bd07eecf2dad2fd4d7c76bae96008
-
SHA1
5bf9ac4571c03af60ef263f49952809b2da27ebb
-
SHA256
77b0042941cc955976a5596656cf93db76ed75b3f1a75b71438d669b94d46172
-
SHA512
f7aabda0f9dc20aa5ab7f6d56f63f0f83b5e98a32304208a6b250fbbd6fd5edbffb1eacaeecc2549473c2c80155ed8d948d4d20c7a71bdf26dee7647cacec47c
-
SSDEEP
6144:26qDVbU1VLvl8Y/m05XUEtMEX6vluZV4U/vlf0DrBqvl8ZV4U/vlfl+9Q:2DDVoXvlm05XEvG6IveDVqvQ6IvP
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkmbgdfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhooggdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpiipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjmaaddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Homclekn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdildlie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adhlaggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Filldb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idmhkpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leajdfnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioolqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnicmdli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljkomfjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcihlong.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkobnqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojficpfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hellne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lafndg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qabcjgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnpinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahokfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npnhlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhbped32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jabbhcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgagfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lldlqakb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfahhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcefji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igonafba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhjdbcef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aidnohbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgjefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhnfkigh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfagipa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gegfdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbqecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cahail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdgcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilqpdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gikaio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kilfcpqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojficpfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnpnndgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kegqdqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gohjaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdqna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djpmccqq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegfdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hknach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbjochdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcfkfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjdhmdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgcpjmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apajlhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqjepm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbllihbf.exe -
Executes dropped EXE 64 IoCs
pid Process 2252 Kcolba32.exe 2628 Kpemgbqf.exe 2756 Kphimanc.exe 2836 Kedaeh32.exe 2432 Kakbjibo.exe 2556 Klqfhbbe.exe 2368 Lkfciogm.exe 2800 Lhjdbcef.exe 2900 Lpeifeca.exe 2016 Lmiipi32.exe 1076 Lkmjin32.exe 2412 Lgdjnofi.exe 1664 Mcjkcplm.exe 2080 Mhgclfje.exe 2520 Mlelaeqk.exe 1756 Mhlmgf32.exe 1920 Mdcnlglc.exe 444 Mkmfhacp.exe 2084 Mhqfbebj.exe 1556 Mkobnqan.exe 1928 Ndgggf32.exe 1668 Nkaocp32.exe 2932 Npnhlg32.exe 2056 Ncmdhb32.exe 1528 Nnbhek32.exe 1796 Nqqdag32.exe 1128 Nlgefh32.exe 2996 Nofabc32.exe 2724 Nhnfkigh.exe 2544 Nkmbgdfl.exe 2872 Odegpj32.exe 768 Ohqbqhde.exe 2704 Obigjnkf.exe 1988 Odgcfijj.exe 2864 Okalbc32.exe 3016 Odjpkihg.exe 300 Ojficpfn.exe 1040 Obnqem32.exe 2172 Oelmai32.exe 316 Ojieip32.exe 2068 Omgaek32.exe 1572 Ocajbekl.exe 2936 Ojkboo32.exe 776 Pminkk32.exe 2504 Pgobhcac.exe 2200 Pjmodopf.exe 1172 Ppjglfon.exe 2948 Pcfcmd32.exe 692 Pfdpip32.exe 1932 Piblek32.exe 1876 Pchpbded.exe 3064 Peiljl32.exe 2748 Plcdgfbo.exe 2152 Pnbacbac.exe 2276 Pfiidobe.exe 2576 Pelipl32.exe 2592 Ppamme32.exe 2580 Pbpjiphi.exe 2876 Pabjem32.exe 1292 Qhmbagfa.exe 2500 Qnfjna32.exe 1448 Qdccfh32.exe 1696 Qhooggdn.exe 2284 Qnigda32.exe -
Loads dropped DLL 64 IoCs
pid Process 2288 77b0042941cc955976a5596656cf93db76ed75b3f1a75b71438d669b94d46172.exe 2288 77b0042941cc955976a5596656cf93db76ed75b3f1a75b71438d669b94d46172.exe 2252 Kcolba32.exe 2252 Kcolba32.exe 2628 Kpemgbqf.exe 2628 Kpemgbqf.exe 2756 Kphimanc.exe 2756 Kphimanc.exe 2836 Kedaeh32.exe 2836 Kedaeh32.exe 2432 Kakbjibo.exe 2432 Kakbjibo.exe 2556 Klqfhbbe.exe 2556 Klqfhbbe.exe 2368 Lkfciogm.exe 2368 Lkfciogm.exe 2800 Lhjdbcef.exe 2800 Lhjdbcef.exe 2900 Lpeifeca.exe 2900 Lpeifeca.exe 2016 Lmiipi32.exe 2016 Lmiipi32.exe 1076 Lkmjin32.exe 1076 Lkmjin32.exe 2412 Lgdjnofi.exe 2412 Lgdjnofi.exe 1664 Mcjkcplm.exe 1664 Mcjkcplm.exe 2080 Mhgclfje.exe 2080 Mhgclfje.exe 2520 Mlelaeqk.exe 2520 Mlelaeqk.exe 1756 Mhlmgf32.exe 1756 Mhlmgf32.exe 1920 Mdcnlglc.exe 1920 Mdcnlglc.exe 444 Mkmfhacp.exe 444 Mkmfhacp.exe 2084 Mhqfbebj.exe 2084 Mhqfbebj.exe 1556 Mkobnqan.exe 1556 Mkobnqan.exe 1928 Ndgggf32.exe 1928 Ndgggf32.exe 1668 Nkaocp32.exe 1668 Nkaocp32.exe 2932 Npnhlg32.exe 2932 Npnhlg32.exe 2056 Ncmdhb32.exe 2056 Ncmdhb32.exe 1528 Nnbhek32.exe 1528 Nnbhek32.exe 1796 Nqqdag32.exe 1796 Nqqdag32.exe 1128 Nlgefh32.exe 1128 Nlgefh32.exe 2996 Nofabc32.exe 2996 Nofabc32.exe 2724 Nhnfkigh.exe 2724 Nhnfkigh.exe 2544 Nkmbgdfl.exe 2544 Nkmbgdfl.exe 2872 Odegpj32.exe 2872 Odegpj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mnhlblil.dll Ogblbo32.exe File created C:\Windows\SysWOW64\Hjkbhikj.dll Qabcjgkh.exe File opened for modification C:\Windows\SysWOW64\Amkpegnj.exe Qfahhm32.exe File opened for modification C:\Windows\SysWOW64\Efcfga32.exe Eojnkg32.exe File created C:\Windows\SysWOW64\Ghfnkn32.dll Ginnnooi.exe File created C:\Windows\SysWOW64\Kfbkmk32.exe Kcdnao32.exe File created C:\Windows\SysWOW64\Kijmee32.dll Nglfapnl.exe File opened for modification C:\Windows\SysWOW64\Pgioaa32.exe Papfegmk.exe File created C:\Windows\SysWOW64\Adhlaggp.exe Aajpelhl.exe File created C:\Windows\SysWOW64\Fbdqmghm.exe Facdeo32.exe File opened for modification C:\Windows\SysWOW64\Ffnphf32.exe Fdoclk32.exe File created C:\Windows\SysWOW64\Djihnh32.dll Pgioaa32.exe File opened for modification C:\Windows\SysWOW64\Gmdadnkh.exe Giieco32.exe File created C:\Windows\SysWOW64\Hpdcdhpk.dll Bebkpn32.exe File opened for modification C:\Windows\SysWOW64\Edkcojga.exe Enakbp32.exe File opened for modification C:\Windows\SysWOW64\Fcefji32.exe Febfomdd.exe File created C:\Windows\SysWOW64\Ijdqna32.exe Ioolqh32.exe File opened for modification C:\Windows\SysWOW64\Legmbd32.exe Lbiqfied.exe File created C:\Windows\SysWOW64\Acahnedo.dll Ojolhk32.exe File created C:\Windows\SysWOW64\Obcccl32.exe Onhgbmfb.exe File created C:\Windows\SysWOW64\Gcghbk32.dll Qimhoi32.exe File created C:\Windows\SysWOW64\Eeqdep32.exe Ecpgmhai.exe File opened for modification C:\Windows\SysWOW64\Hdhbam32.exe Hlakpp32.exe File created C:\Windows\SysWOW64\Egahmk32.dll Omfkke32.exe File opened for modification C:\Windows\SysWOW64\Dogefd32.exe Dliijipn.exe File created C:\Windows\SysWOW64\Llcefjgf.exe Leimip32.exe File created C:\Windows\SysWOW64\Ailkjmpo.exe Abbbnchb.exe File opened for modification C:\Windows\SysWOW64\Lmlhnagm.exe Lfbpag32.exe File created C:\Windows\SysWOW64\Amfidj32.dll Ecqqpgli.exe File opened for modification C:\Windows\SysWOW64\Lahkigca.exe Lojomkdn.exe File created C:\Windows\SysWOW64\Bbdocc32.exe Bpfcgg32.exe File opened for modification C:\Windows\SysWOW64\Peiljl32.exe Pchpbded.exe File created C:\Windows\SysWOW64\Gljilnja.dll Pqkmjh32.exe File created C:\Windows\SysWOW64\Kiijnq32.exe Kjfjbdle.exe File created C:\Windows\SysWOW64\Odjpkihg.exe Okalbc32.exe File created C:\Windows\SysWOW64\Jondlhmp.dll Gacpdbej.exe File created C:\Windows\SysWOW64\Jkbcln32.exe Jehkodcm.exe File created C:\Windows\SysWOW64\Fjaonpnn.exe Echfaf32.exe File created C:\Windows\SysWOW64\Alenki32.exe Aigaon32.exe File created C:\Windows\SysWOW64\Okalbc32.exe Odgcfijj.exe File created C:\Windows\SysWOW64\Hjacko32.dll Kmopod32.exe File created C:\Windows\SysWOW64\Eqgnokip.exe Enhacojl.exe File created C:\Windows\SysWOW64\Bdfggf32.dll Kakbjibo.exe File opened for modification C:\Windows\SysWOW64\Egamfkdh.exe Eecqjpee.exe File created C:\Windows\SysWOW64\Gemaaoaf.dll Kngfih32.exe File opened for modification C:\Windows\SysWOW64\Ajphib32.exe Adeplhib.exe File created C:\Windows\SysWOW64\Daifmohp.dll Mffimglk.exe File created C:\Windows\SysWOW64\Bpjiammk.dll Apajlhka.exe File created C:\Windows\SysWOW64\Kfegbj32.exe Kcfkfo32.exe File opened for modification C:\Windows\SysWOW64\Nehmdhja.exe Ncjqhmkm.exe File created C:\Windows\SysWOW64\Ifjeknjd.dll Aamfnkai.exe File opened for modification C:\Windows\SysWOW64\Ilqpdm32.exe Ijbdha32.exe File created C:\Windows\SysWOW64\Bkfjhd32.exe Bhhnli32.exe File created C:\Windows\SysWOW64\Ajfaqa32.dll Dhpiojfb.exe File created C:\Windows\SysWOW64\Dhdcji32.exe Dfffnn32.exe File created C:\Windows\SysWOW64\Ghbaee32.dll Jnpinc32.exe File opened for modification C:\Windows\SysWOW64\Kiijnq32.exe Kjfjbdle.exe File opened for modification C:\Windows\SysWOW64\Blbfjg32.exe Bmpfojmp.exe File created C:\Windows\SysWOW64\Iaeiieeb.exe Hogmmjfo.exe File opened for modification C:\Windows\SysWOW64\Leajdfnm.exe Lafndg32.exe File created C:\Windows\SysWOW64\Mdmmfa32.exe Mpbaebdd.exe File opened for modification C:\Windows\SysWOW64\Eplkpgnh.exe Emnndlod.exe File created C:\Windows\SysWOW64\Gdmlko32.dll Hoopae32.exe File created C:\Windows\SysWOW64\Kjbgng32.dll Nmpnhdfc.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhqkpcf.dll" Lpbefoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amhpnkch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emnndlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ailkjmpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmjfdejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilqpdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbiqfied.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfffnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fncdgcqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghohc32.dll" Cgejac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edhban32.dll" Kedaeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbcjffka.dll" Mkeimlfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkakief.dll" Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcghbk32.dll" Qimhoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jabbhcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agmceh32.dll" Kfpgmdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlgefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maodqp32.dll" Jbgbni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nookinfk.dll" Ioaifhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dljnnb32.dll" Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbodgap.dll" Cckace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebpkk32.dll" Caknol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjmaaddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daoiajfm.dll" Lflmci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkeimlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbnhbg32.dll" Naoniipe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Linphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqqdag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikeelnol.dll" Ojieip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beehencq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdbhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogblbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknecn32.dll" Ojficpfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gopkmhjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nblnkb32.dll" Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecomlgc.dll" Legmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmkdbj.dll" Kfegbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbadbn32.dll" Eccmffjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eojnkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmgninie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjfhfnim.dll" Kmjojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkdik32.dll" Cldooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgpdbgm.dll" Nqqdag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmoado32.dll" Ijgdngmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgbdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqhiplaj.dll" Ahikqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddokpmfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bldcpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfmffhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahokfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojolhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihicd32.dll" Gmpgio32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2288 wrote to memory of 2252 2288 77b0042941cc955976a5596656cf93db76ed75b3f1a75b71438d669b94d46172.exe 28 PID 2288 wrote to memory of 2252 2288 77b0042941cc955976a5596656cf93db76ed75b3f1a75b71438d669b94d46172.exe 28 PID 2288 wrote to memory of 2252 2288 77b0042941cc955976a5596656cf93db76ed75b3f1a75b71438d669b94d46172.exe 28 PID 2288 wrote to memory of 2252 2288 77b0042941cc955976a5596656cf93db76ed75b3f1a75b71438d669b94d46172.exe 28 PID 2252 wrote to memory of 2628 2252 Kcolba32.exe 29 PID 2252 wrote to memory of 2628 2252 Kcolba32.exe 29 PID 2252 wrote to memory of 2628 2252 Kcolba32.exe 29 PID 2252 wrote to memory of 2628 2252 Kcolba32.exe 29 PID 2628 wrote to memory of 2756 2628 Kpemgbqf.exe 30 PID 2628 wrote to memory of 2756 2628 Kpemgbqf.exe 30 PID 2628 wrote to memory of 2756 2628 Kpemgbqf.exe 30 PID 2628 wrote to memory of 2756 2628 Kpemgbqf.exe 30 PID 2756 wrote to memory of 2836 2756 Kphimanc.exe 31 PID 2756 wrote to memory of 2836 2756 Kphimanc.exe 31 PID 2756 wrote to memory of 2836 2756 Kphimanc.exe 31 PID 2756 wrote to memory of 2836 2756 Kphimanc.exe 31 PID 2836 wrote to memory of 2432 2836 Kedaeh32.exe 32 PID 2836 wrote to memory of 2432 2836 Kedaeh32.exe 32 PID 2836 wrote to memory of 2432 2836 Kedaeh32.exe 32 PID 2836 wrote to memory of 2432 2836 Kedaeh32.exe 32 PID 2432 wrote to memory of 2556 2432 Kakbjibo.exe 33 PID 2432 wrote to memory of 2556 2432 Kakbjibo.exe 33 PID 2432 wrote to memory of 2556 2432 Kakbjibo.exe 33 PID 2432 wrote to memory of 2556 2432 Kakbjibo.exe 33 PID 2556 wrote to memory of 2368 2556 Klqfhbbe.exe 34 PID 2556 wrote to memory of 2368 2556 Klqfhbbe.exe 34 PID 2556 wrote to memory of 2368 2556 Klqfhbbe.exe 34 PID 2556 wrote to memory of 2368 2556 Klqfhbbe.exe 34 PID 2368 wrote to memory of 2800 2368 Lkfciogm.exe 35 PID 2368 wrote to memory of 2800 2368 Lkfciogm.exe 35 PID 2368 wrote to memory of 2800 2368 Lkfciogm.exe 35 PID 2368 wrote to memory of 2800 2368 Lkfciogm.exe 35 PID 2800 wrote to memory of 2900 2800 Lhjdbcef.exe 36 PID 2800 wrote to memory of 2900 2800 Lhjdbcef.exe 36 PID 2800 wrote to memory of 2900 2800 Lhjdbcef.exe 36 PID 2800 wrote to memory of 2900 2800 Lhjdbcef.exe 36 PID 2900 wrote to memory of 2016 2900 Lpeifeca.exe 37 PID 2900 wrote to memory of 2016 2900 Lpeifeca.exe 37 PID 2900 wrote to memory of 2016 2900 Lpeifeca.exe 37 PID 2900 wrote to memory of 2016 2900 Lpeifeca.exe 37 PID 2016 wrote to memory of 1076 2016 Lmiipi32.exe 38 PID 2016 wrote to memory of 1076 2016 Lmiipi32.exe 38 PID 2016 wrote to memory of 1076 2016 Lmiipi32.exe 38 PID 2016 wrote to memory of 1076 2016 Lmiipi32.exe 38 PID 1076 wrote to memory of 2412 1076 Lkmjin32.exe 39 PID 1076 wrote to memory of 2412 1076 Lkmjin32.exe 39 PID 1076 wrote to memory of 2412 1076 Lkmjin32.exe 39 PID 1076 wrote to memory of 2412 1076 Lkmjin32.exe 39 PID 2412 wrote to memory of 1664 2412 Lgdjnofi.exe 40 PID 2412 wrote to memory of 1664 2412 Lgdjnofi.exe 40 PID 2412 wrote to memory of 1664 2412 Lgdjnofi.exe 40 PID 2412 wrote to memory of 1664 2412 Lgdjnofi.exe 40 PID 1664 wrote to memory of 2080 1664 Mcjkcplm.exe 41 PID 1664 wrote to memory of 2080 1664 Mcjkcplm.exe 41 PID 1664 wrote to memory of 2080 1664 Mcjkcplm.exe 41 PID 1664 wrote to memory of 2080 1664 Mcjkcplm.exe 41 PID 2080 wrote to memory of 2520 2080 Mhgclfje.exe 42 PID 2080 wrote to memory of 2520 2080 Mhgclfje.exe 42 PID 2080 wrote to memory of 2520 2080 Mhgclfje.exe 42 PID 2080 wrote to memory of 2520 2080 Mhgclfje.exe 42 PID 2520 wrote to memory of 1756 2520 Mlelaeqk.exe 43 PID 2520 wrote to memory of 1756 2520 Mlelaeqk.exe 43 PID 2520 wrote to memory of 1756 2520 Mlelaeqk.exe 43 PID 2520 wrote to memory of 1756 2520 Mlelaeqk.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\77b0042941cc955976a5596656cf93db76ed75b3f1a75b71438d669b94d46172.exe"C:\Users\Admin\AppData\Local\Temp\77b0042941cc955976a5596656cf93db76ed75b3f1a75b71438d669b94d46172.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1920 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:444 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe33⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe34⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe37⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:300 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe39⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe40⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:316 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe42⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe43⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe44⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe45⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe46⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe47⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe48⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe49⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe50⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe51⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1876 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe53⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe54⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe55⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe56⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe57⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe58⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe59⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe60⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe61⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe62⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe63⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe65⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe66⤵PID:2772
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe67⤵
- Drops file in System32 directory
PID:332 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe68⤵PID:1136
-
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe69⤵
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:908 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe71⤵PID:852
-
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe72⤵PID:1520
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe73⤵PID:1328
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe74⤵PID:2736
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe75⤵PID:2740
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe76⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe77⤵PID:2176
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe79⤵PID:1444
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe80⤵PID:1152
-
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe81⤵PID:1564
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe82⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe83⤵
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe85⤵
- Drops file in System32 directory
PID:1860 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe86⤵PID:1904
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe87⤵
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2356 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe89⤵PID:2280
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe90⤵
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe91⤵PID:2924
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe92⤵PID:3028
-
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe93⤵PID:2780
-
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1332 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe95⤵PID:1048
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe96⤵PID:2512
-
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe97⤵
- Drops file in System32 directory
PID:1768 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe98⤵PID:1088
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe99⤵PID:2960
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe100⤵PID:2508
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe101⤵PID:1100
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe102⤵PID:2332
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe103⤵PID:1800
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe104⤵PID:2260
-
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe105⤵PID:2832
-
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe106⤵
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe107⤵PID:2540
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe108⤵PID:2624
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe109⤵PID:1996
-
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe110⤵PID:2052
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe111⤵PID:308
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe112⤵PID:1892
-
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe113⤵PID:2092
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe114⤵
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe115⤵PID:1028
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe116⤵PID:936
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe117⤵PID:2256
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe118⤵PID:2716
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe119⤵
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe120⤵PID:2536
-
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe121⤵PID:2012
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-