Analysis
-
max time kernel
9s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
15-07-2024 13:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e335acc048bf74e4c20d53fd72c31650N.exe
Resource
win7-20240704-en
windows7-x64
6 signatures
120 seconds
Behavioral task
behavioral2
Sample
e335acc048bf74e4c20d53fd72c31650N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
e335acc048bf74e4c20d53fd72c31650N.exe
-
Size
1.9MB
-
MD5
e335acc048bf74e4c20d53fd72c31650
-
SHA1
98e42ca6d530721cdc57377acff1b1a6701451e7
-
SHA256
c558e37a5f554d3ec7c45a0076e8619f97c3a6c36bb761f9d8a54b7b0843e9a0
-
SHA512
c340cf988a847fa9df23d86cb5d803ad01ed0edd87f023d1fcc29616da93474c7f2a4d1273d43ce9089aedfdad09c6ca0bb9821696ab658e2467885336330d23
-
SSDEEP
12288:/wu6n/Ng1/Nmr/Ng1/Nblt01PBNkEoILClt01PBExKN4P6IfKTLR+6CwUkEoILT7:/wuhlkcEpelks/6HnEpnAc
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gllabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkkaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfnmnojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcignoki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaheqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaahgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kphbmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfnmnojj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnoll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgfqii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dapnfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hchbcmlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kphbmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kobhillo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhhmle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdqfnhpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iodlcnmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlkigbef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlkigbef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdmdlc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbkaoce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dapnfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifikehii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioapnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lihifhoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcpmonea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaheqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgdkbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmnoll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmpkal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdbkaoce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcocnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdqfnhpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khfcgbge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khfcgbge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kobhillo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcocnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifikehii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioapnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfkdik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gllabp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcignoki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfkdik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmcpqfba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbgkhoml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhhmle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmpkal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgdkbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaahgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdmdlc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcpmonea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkkaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hchbcmlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iodlcnmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmcpqfba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lihifhoq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad e335acc048bf74e4c20d53fd72c31650N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" e335acc048bf74e4c20d53fd72c31650N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgfqii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbgkhoml.exe -
Executes dropped EXE 30 IoCs
pid Process 972 Nmnoll32.exe 2864 Nmpkal32.exe 2844 Pdqfnhpa.exe 2804 Bdbkaoce.exe 2288 Cgfqii32.exe 1020 Dapnfb32.exe 1168 Gcocnk32.exe 1692 Gllabp32.exe 2920 Hkkaik32.exe 880 Hchbcmlh.exe 2476 Ifikehii.exe 1476 Ioapnn32.exe 2056 Iodlcnmf.exe 2188 Iaheqe32.exe 2584 Jgdkbo32.exe 1044 Jmcpqfba.exe 1124 Jfkdik32.exe 688 Jaahgd32.exe 1528 Jlkigbef.exe 2292 Kphbmp32.exe 1924 Khfcgbge.exe 1816 Kdmdlc32.exe 2196 Kobhillo.exe 652 Kfnmnojj.exe 1592 Lbgkhoml.exe 2876 Lcignoki.exe 2472 Lhhmle32.exe 2852 Lihifhoq.exe 2800 Mcpmonea.exe 2916 Mlhbgc32.exe -
Loads dropped DLL 60 IoCs
pid Process 2556 e335acc048bf74e4c20d53fd72c31650N.exe 2556 e335acc048bf74e4c20d53fd72c31650N.exe 972 Nmnoll32.exe 972 Nmnoll32.exe 2864 Nmpkal32.exe 2864 Nmpkal32.exe 2844 Pdqfnhpa.exe 2844 Pdqfnhpa.exe 2804 Bdbkaoce.exe 2804 Bdbkaoce.exe 2288 Cgfqii32.exe 2288 Cgfqii32.exe 1020 Dapnfb32.exe 1020 Dapnfb32.exe 1168 Gcocnk32.exe 1168 Gcocnk32.exe 1692 Gllabp32.exe 1692 Gllabp32.exe 2920 Hkkaik32.exe 2920 Hkkaik32.exe 880 Hchbcmlh.exe 880 Hchbcmlh.exe 2476 Ifikehii.exe 2476 Ifikehii.exe 1476 Ioapnn32.exe 1476 Ioapnn32.exe 2056 Iodlcnmf.exe 2056 Iodlcnmf.exe 2188 Iaheqe32.exe 2188 Iaheqe32.exe 2584 Jgdkbo32.exe 2584 Jgdkbo32.exe 1044 Jmcpqfba.exe 1044 Jmcpqfba.exe 1124 Jfkdik32.exe 1124 Jfkdik32.exe 688 Jaahgd32.exe 688 Jaahgd32.exe 1528 Jlkigbef.exe 1528 Jlkigbef.exe 2292 Kphbmp32.exe 2292 Kphbmp32.exe 1924 Khfcgbge.exe 1924 Khfcgbge.exe 1816 Kdmdlc32.exe 1816 Kdmdlc32.exe 2196 Kobhillo.exe 2196 Kobhillo.exe 652 Kfnmnojj.exe 652 Kfnmnojj.exe 1592 Lbgkhoml.exe 1592 Lbgkhoml.exe 2876 Lcignoki.exe 2876 Lcignoki.exe 2472 Lhhmle32.exe 2472 Lhhmle32.exe 2852 Lihifhoq.exe 2852 Lihifhoq.exe 2800 Mcpmonea.exe 2800 Mcpmonea.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lihifhoq.exe Lhhmle32.exe File created C:\Windows\SysWOW64\Idomll32.dll Nmnoll32.exe File created C:\Windows\SysWOW64\Mchjjo32.dll Nmpkal32.exe File created C:\Windows\SysWOW64\Gcocnk32.exe Dapnfb32.exe File created C:\Windows\SysWOW64\Hchbcmlh.exe Hkkaik32.exe File opened for modification C:\Windows\SysWOW64\Kfnmnojj.exe Kobhillo.exe File opened for modification C:\Windows\SysWOW64\Lbgkhoml.exe Kfnmnojj.exe File created C:\Windows\SysWOW64\Mdpkfa32.dll Kfnmnojj.exe File opened for modification C:\Windows\SysWOW64\Nmnoll32.exe e335acc048bf74e4c20d53fd72c31650N.exe File created C:\Windows\SysWOW64\Lbinkahf.dll e335acc048bf74e4c20d53fd72c31650N.exe File opened for modification C:\Windows\SysWOW64\Bdbkaoce.exe Pdqfnhpa.exe File opened for modification C:\Windows\SysWOW64\Gcocnk32.exe Dapnfb32.exe File created C:\Windows\SysWOW64\Qdapln32.dll Iodlcnmf.exe File created C:\Windows\SysWOW64\Ngalll32.dll Iaheqe32.exe File created C:\Windows\SysWOW64\Knijji32.dll Mcpmonea.exe File created C:\Windows\SysWOW64\Pdqfnhpa.exe Nmpkal32.exe File created C:\Windows\SysWOW64\Gkkgmd32.dll Jgdkbo32.exe File opened for modification C:\Windows\SysWOW64\Lcignoki.exe Lbgkhoml.exe File created C:\Windows\SysWOW64\Nmpkal32.exe Nmnoll32.exe File created C:\Windows\SysWOW64\Ogiqoelh.dll Hchbcmlh.exe File created C:\Windows\SysWOW64\Qiaikl32.dll Lhhmle32.exe File opened for modification C:\Windows\SysWOW64\Mlhbgc32.exe Mcpmonea.exe File opened for modification C:\Windows\SysWOW64\Cgfqii32.exe Bdbkaoce.exe File opened for modification C:\Windows\SysWOW64\Ifikehii.exe Hchbcmlh.exe File opened for modification C:\Windows\SysWOW64\Jfkdik32.exe Jmcpqfba.exe File opened for modification C:\Windows\SysWOW64\Jaahgd32.exe Jfkdik32.exe File created C:\Windows\SysWOW64\Hghkmd32.dll Jfkdik32.exe File opened for modification C:\Windows\SysWOW64\Gllabp32.exe Gcocnk32.exe File created C:\Windows\SysWOW64\Jlkigbef.exe Jaahgd32.exe File created C:\Windows\SysWOW64\Ohodnlfk.dll Kdmdlc32.exe File opened for modification C:\Windows\SysWOW64\Iodlcnmf.exe Ioapnn32.exe File opened for modification C:\Windows\SysWOW64\Jlkigbef.exe Jaahgd32.exe File created C:\Windows\SysWOW64\Lbgkhoml.exe Kfnmnojj.exe File created C:\Windows\SysWOW64\Mcpmonea.exe Lihifhoq.exe File opened for modification C:\Windows\SysWOW64\Mcpmonea.exe Lihifhoq.exe File created C:\Windows\SysWOW64\Jcdmpg32.dll Bdbkaoce.exe File opened for modification C:\Windows\SysWOW64\Kphbmp32.exe Jlkigbef.exe File created C:\Windows\SysWOW64\Kdmdlc32.exe Khfcgbge.exe File opened for modification C:\Windows\SysWOW64\Kdmdlc32.exe Khfcgbge.exe File created C:\Windows\SysWOW64\Lhhmle32.exe Lcignoki.exe File created C:\Windows\SysWOW64\Mlhbgc32.exe Mcpmonea.exe File opened for modification C:\Windows\SysWOW64\Lhhmle32.exe Lcignoki.exe File created C:\Windows\SysWOW64\Nmnoll32.exe e335acc048bf74e4c20d53fd72c31650N.exe File created C:\Windows\SysWOW64\Cgfqii32.exe Bdbkaoce.exe File created C:\Windows\SysWOW64\Hkkaik32.exe Gllabp32.exe File opened for modification C:\Windows\SysWOW64\Hchbcmlh.exe Hkkaik32.exe File created C:\Windows\SysWOW64\Jaahgd32.exe Jfkdik32.exe File created C:\Windows\SysWOW64\Khfcgbge.exe Kphbmp32.exe File created C:\Windows\SysWOW64\Begpdg32.dll Lbgkhoml.exe File created C:\Windows\SysWOW64\Pdncfedn.dll Lcignoki.exe File created C:\Windows\SysWOW64\Jgdkbo32.exe Iaheqe32.exe File opened for modification C:\Windows\SysWOW64\Jgdkbo32.exe Iaheqe32.exe File created C:\Windows\SysWOW64\Jmcpqfba.exe Jgdkbo32.exe File created C:\Windows\SysWOW64\Jfkdik32.exe Jmcpqfba.exe File created C:\Windows\SysWOW64\Bgnpfnnd.dll Jlkigbef.exe File created C:\Windows\SysWOW64\Mhmcao32.dll Kphbmp32.exe File created C:\Windows\SysWOW64\Ecahhhlc.dll Kobhillo.exe File created C:\Windows\SysWOW64\Njhgfljc.dll Pdqfnhpa.exe File opened for modification C:\Windows\SysWOW64\Dapnfb32.exe Cgfqii32.exe File created C:\Windows\SysWOW64\Gllabp32.exe Gcocnk32.exe File opened for modification C:\Windows\SysWOW64\Kobhillo.exe Kdmdlc32.exe File created C:\Windows\SysWOW64\Oknckq32.dll Lihifhoq.exe File created C:\Windows\SysWOW64\Boobcigh.dll Gcocnk32.exe File created C:\Windows\SysWOW64\Gkkkejhl.dll Gllabp32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchjjo32.dll" Nmpkal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljokk32.dll" Cgfqii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdapln32.dll" Iodlcnmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbgkhoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qiaikl32.dll" Lhhmle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkkkejhl.dll" Gllabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkkaik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iodlcnmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaahgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knijji32.dll" Mcpmonea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begpdg32.dll" Lbgkhoml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} e335acc048bf74e4c20d53fd72c31650N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmpkal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcdmpg32.dll" Bdbkaoce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hchbcmlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifikehii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnpfnnd.dll" Jlkigbef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgdlq32.dll" Dapnfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghkmd32.dll" Jfkdik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcignoki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogiqoelh.dll" Hchbcmlh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgdkbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmcpqfba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecahhhlc.dll" Kobhillo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdpkfa32.dll" Kfnmnojj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfnmnojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdncfedn.dll" Lcignoki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmpkal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdqfnhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boobcigh.dll" Gcocnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifikehii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdcgpi32.dll" Ifikehii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkkgmd32.dll" Jgdkbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcpmonea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgfqii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmcpqfba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfkdik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kobhillo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID e335acc048bf74e4c20d53fd72c31650N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgfqii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dapnfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgdkbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlkigbef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdmdlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lihifhoq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 e335acc048bf74e4c20d53fd72c31650N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node e335acc048bf74e4c20d53fd72c31650N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njhgfljc.dll" Pdqfnhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dapnfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcocnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkkaik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdmdlc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kobhillo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbinkahf.dll" e335acc048bf74e4c20d53fd72c31650N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idomll32.dll" Nmnoll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clgmka32.dll" Ioapnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iaheqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npqbka32.dll" Jmcpqfba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emaejfgn.dll" Khfcgbge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" e335acc048bf74e4c20d53fd72c31650N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmnoll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdbkaoce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaheqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpjhgkof.dll" Jaahgd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2556 wrote to memory of 972 2556 e335acc048bf74e4c20d53fd72c31650N.exe 29 PID 2556 wrote to memory of 972 2556 e335acc048bf74e4c20d53fd72c31650N.exe 29 PID 2556 wrote to memory of 972 2556 e335acc048bf74e4c20d53fd72c31650N.exe 29 PID 2556 wrote to memory of 972 2556 e335acc048bf74e4c20d53fd72c31650N.exe 29 PID 972 wrote to memory of 2864 972 Nmnoll32.exe 30 PID 972 wrote to memory of 2864 972 Nmnoll32.exe 30 PID 972 wrote to memory of 2864 972 Nmnoll32.exe 30 PID 972 wrote to memory of 2864 972 Nmnoll32.exe 30 PID 2864 wrote to memory of 2844 2864 Nmpkal32.exe 31 PID 2864 wrote to memory of 2844 2864 Nmpkal32.exe 31 PID 2864 wrote to memory of 2844 2864 Nmpkal32.exe 31 PID 2864 wrote to memory of 2844 2864 Nmpkal32.exe 31 PID 2844 wrote to memory of 2804 2844 Pdqfnhpa.exe 32 PID 2844 wrote to memory of 2804 2844 Pdqfnhpa.exe 32 PID 2844 wrote to memory of 2804 2844 Pdqfnhpa.exe 32 PID 2844 wrote to memory of 2804 2844 Pdqfnhpa.exe 32 PID 2804 wrote to memory of 2288 2804 Bdbkaoce.exe 33 PID 2804 wrote to memory of 2288 2804 Bdbkaoce.exe 33 PID 2804 wrote to memory of 2288 2804 Bdbkaoce.exe 33 PID 2804 wrote to memory of 2288 2804 Bdbkaoce.exe 33 PID 2288 wrote to memory of 1020 2288 Cgfqii32.exe 34 PID 2288 wrote to memory of 1020 2288 Cgfqii32.exe 34 PID 2288 wrote to memory of 1020 2288 Cgfqii32.exe 34 PID 2288 wrote to memory of 1020 2288 Cgfqii32.exe 34 PID 1020 wrote to memory of 1168 1020 Dapnfb32.exe 35 PID 1020 wrote to memory of 1168 1020 Dapnfb32.exe 35 PID 1020 wrote to memory of 1168 1020 Dapnfb32.exe 35 PID 1020 wrote to memory of 1168 1020 Dapnfb32.exe 35 PID 1168 wrote to memory of 1692 1168 Gcocnk32.exe 36 PID 1168 wrote to memory of 1692 1168 Gcocnk32.exe 36 PID 1168 wrote to memory of 1692 1168 Gcocnk32.exe 36 PID 1168 wrote to memory of 1692 1168 Gcocnk32.exe 36 PID 1692 wrote to memory of 2920 1692 Gllabp32.exe 37 PID 1692 wrote to memory of 2920 1692 Gllabp32.exe 37 PID 1692 wrote to memory of 2920 1692 Gllabp32.exe 37 PID 1692 wrote to memory of 2920 1692 Gllabp32.exe 37 PID 2920 wrote to memory of 880 2920 Hkkaik32.exe 38 PID 2920 wrote to memory of 880 2920 Hkkaik32.exe 38 PID 2920 wrote to memory of 880 2920 Hkkaik32.exe 38 PID 2920 wrote to memory of 880 2920 Hkkaik32.exe 38 PID 880 wrote to memory of 2476 880 Hchbcmlh.exe 39 PID 880 wrote to memory of 2476 880 Hchbcmlh.exe 39 PID 880 wrote to memory of 2476 880 Hchbcmlh.exe 39 PID 880 wrote to memory of 2476 880 Hchbcmlh.exe 39 PID 2476 wrote to memory of 1476 2476 Ifikehii.exe 40 PID 2476 wrote to memory of 1476 2476 Ifikehii.exe 40 PID 2476 wrote to memory of 1476 2476 Ifikehii.exe 40 PID 2476 wrote to memory of 1476 2476 Ifikehii.exe 40 PID 1476 wrote to memory of 2056 1476 Ioapnn32.exe 41 PID 1476 wrote to memory of 2056 1476 Ioapnn32.exe 41 PID 1476 wrote to memory of 2056 1476 Ioapnn32.exe 41 PID 1476 wrote to memory of 2056 1476 Ioapnn32.exe 41 PID 2056 wrote to memory of 2188 2056 Iodlcnmf.exe 42 PID 2056 wrote to memory of 2188 2056 Iodlcnmf.exe 42 PID 2056 wrote to memory of 2188 2056 Iodlcnmf.exe 42 PID 2056 wrote to memory of 2188 2056 Iodlcnmf.exe 42 PID 2188 wrote to memory of 2584 2188 Iaheqe32.exe 43 PID 2188 wrote to memory of 2584 2188 Iaheqe32.exe 43 PID 2188 wrote to memory of 2584 2188 Iaheqe32.exe 43 PID 2188 wrote to memory of 2584 2188 Iaheqe32.exe 43 PID 2584 wrote to memory of 1044 2584 Jgdkbo32.exe 44 PID 2584 wrote to memory of 1044 2584 Jgdkbo32.exe 44 PID 2584 wrote to memory of 1044 2584 Jgdkbo32.exe 44 PID 2584 wrote to memory of 1044 2584 Jgdkbo32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\e335acc048bf74e4c20d53fd72c31650N.exe"C:\Users\Admin\AppData\Local\Temp\e335acc048bf74e4c20d53fd72c31650N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Nmnoll32.exeC:\Windows\system32\Nmnoll32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\Nmpkal32.exeC:\Windows\system32\Nmpkal32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Pdqfnhpa.exeC:\Windows\system32\Pdqfnhpa.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Bdbkaoce.exeC:\Windows\system32\Bdbkaoce.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Cgfqii32.exeC:\Windows\system32\Cgfqii32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Dapnfb32.exeC:\Windows\system32\Dapnfb32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Gcocnk32.exeC:\Windows\system32\Gcocnk32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Gllabp32.exeC:\Windows\system32\Gllabp32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Hkkaik32.exeC:\Windows\system32\Hkkaik32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Hchbcmlh.exeC:\Windows\system32\Hchbcmlh.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Ifikehii.exeC:\Windows\system32\Ifikehii.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Ioapnn32.exeC:\Windows\system32\Ioapnn32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Iodlcnmf.exeC:\Windows\system32\Iodlcnmf.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Iaheqe32.exeC:\Windows\system32\Iaheqe32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Jgdkbo32.exeC:\Windows\system32\Jgdkbo32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Jmcpqfba.exeC:\Windows\system32\Jmcpqfba.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Jfkdik32.exeC:\Windows\system32\Jfkdik32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1124 -
C:\Windows\SysWOW64\Jaahgd32.exeC:\Windows\system32\Jaahgd32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:688 -
C:\Windows\SysWOW64\Jlkigbef.exeC:\Windows\system32\Jlkigbef.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Kphbmp32.exeC:\Windows\system32\Kphbmp32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Khfcgbge.exeC:\Windows\system32\Khfcgbge.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Kdmdlc32.exeC:\Windows\system32\Kdmdlc32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Kobhillo.exeC:\Windows\system32\Kobhillo.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Kfnmnojj.exeC:\Windows\system32\Kfnmnojj.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:652 -
C:\Windows\SysWOW64\Lbgkhoml.exeC:\Windows\system32\Lbgkhoml.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Lcignoki.exeC:\Windows\system32\Lcignoki.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Lhhmle32.exeC:\Windows\system32\Lhhmle32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Lihifhoq.exeC:\Windows\system32\Lihifhoq.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Mcpmonea.exeC:\Windows\system32\Mcpmonea.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Mlhbgc32.exeC:\Windows\system32\Mlhbgc32.exe31⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Mdcfle32.exeC:\Windows\system32\Mdcfle32.exe32⤵PID:888
-
C:\Windows\SysWOW64\Mnlkdk32.exeC:\Windows\system32\Mnlkdk32.exe33⤵PID:2988
-
C:\Windows\SysWOW64\Mjcljlea.exeC:\Windows\system32\Mjcljlea.exe34⤵PID:2092
-
C:\Windows\SysWOW64\Mgglcqdk.exeC:\Windows\system32\Mgglcqdk.exe35⤵PID:2100
-
C:\Windows\SysWOW64\Mqoqlfkl.exeC:\Windows\system32\Mqoqlfkl.exe36⤵PID:1260
-
C:\Windows\SysWOW64\Nlfaag32.exeC:\Windows\system32\Nlfaag32.exe37⤵PID:1708
-
C:\Windows\SysWOW64\Nhmbfhfd.exeC:\Windows\system32\Nhmbfhfd.exe38⤵PID:2184
-
C:\Windows\SysWOW64\Ncbfcq32.exeC:\Windows\system32\Ncbfcq32.exe39⤵PID:2516
-
C:\Windows\SysWOW64\Ogkbmcba.exeC:\Windows\system32\Ogkbmcba.exe40⤵PID:1484
-
C:\Windows\SysWOW64\Ocbbbd32.exeC:\Windows\system32\Ocbbbd32.exe41⤵PID:1748
-
C:\Windows\SysWOW64\Ocdohdfc.exeC:\Windows\system32\Ocdohdfc.exe42⤵PID:2480
-
C:\Windows\SysWOW64\Ocglmcdp.exeC:\Windows\system32\Ocglmcdp.exe43⤵PID:1236
-
C:\Windows\SysWOW64\Ppnmbd32.exeC:\Windows\system32\Ppnmbd32.exe44⤵PID:864
-
C:\Windows\SysWOW64\Pembpkfi.exeC:\Windows\system32\Pembpkfi.exe45⤵PID:2248
-
C:\Windows\SysWOW64\Afjncabj.exeC:\Windows\system32\Afjncabj.exe46⤵PID:2784
-
C:\Windows\SysWOW64\Aijgemok.exeC:\Windows\system32\Aijgemok.exe47⤵PID:2944
-
C:\Windows\SysWOW64\Ahpdficc.exeC:\Windows\system32\Ahpdficc.exe48⤵PID:2320
-
C:\Windows\SysWOW64\Aajedn32.exeC:\Windows\system32\Aajedn32.exe49⤵PID:1612
-
C:\Windows\SysWOW64\Bambjnfn.exeC:\Windows\system32\Bambjnfn.exe50⤵PID:2928
-
C:\Windows\SysWOW64\Bglghdbc.exeC:\Windows\system32\Bglghdbc.exe51⤵PID:1940
-
C:\Windows\SysWOW64\Bjlpjp32.exeC:\Windows\system32\Bjlpjp32.exe52⤵PID:2824
-
C:\Windows\SysWOW64\Bpieli32.exeC:\Windows\system32\Bpieli32.exe53⤵PID:2068
-
C:\Windows\SysWOW64\Conbmfif.exeC:\Windows\system32\Conbmfif.exe54⤵PID:1980
-
C:\Windows\SysWOW64\Copobe32.exeC:\Windows\system32\Copobe32.exe55⤵PID:2224
-
C:\Windows\SysWOW64\Cnekcblk.exeC:\Windows\system32\Cnekcblk.exe56⤵PID:1952
-
C:\Windows\SysWOW64\Coehnecn.exeC:\Windows\system32\Coehnecn.exe57⤵PID:2124
-
C:\Windows\SysWOW64\Dddmkkpb.exeC:\Windows\system32\Dddmkkpb.exe58⤵PID:2488
-
C:\Windows\SysWOW64\Dcijmhdj.exeC:\Windows\system32\Dcijmhdj.exe59⤵PID:2368
-
C:\Windows\SysWOW64\Dfjcncak.exeC:\Windows\system32\Dfjcncak.exe60⤵PID:2172
-
C:\Windows\SysWOW64\Djhldahb.exeC:\Windows\system32\Djhldahb.exe61⤵PID:2648
-
C:\Windows\SysWOW64\Eeameodq.exeC:\Windows\system32\Eeameodq.exe62⤵PID:1072
-
C:\Windows\SysWOW64\Elnagijk.exeC:\Windows\system32\Elnagijk.exe63⤵PID:1976
-
C:\Windows\SysWOW64\Enokidgl.exeC:\Windows\system32\Enokidgl.exe64⤵PID:2140
-
C:\Windows\SysWOW64\Elbkbh32.exeC:\Windows\system32\Elbkbh32.exe65⤵PID:2496
-
C:\Windows\SysWOW64\Fncddc32.exeC:\Windows\system32\Fncddc32.exe66⤵PID:2200
-
C:\Windows\SysWOW64\Fhlhmi32.exeC:\Windows\system32\Fhlhmi32.exe67⤵PID:3032
-
C:\Windows\SysWOW64\Fdbibjok.exeC:\Windows\system32\Fdbibjok.exe68⤵PID:1576
-
C:\Windows\SysWOW64\Fdefgimi.exeC:\Windows\system32\Fdefgimi.exe69⤵PID:1208
-
C:\Windows\SysWOW64\Fmmjpoci.exeC:\Windows\system32\Fmmjpoci.exe70⤵PID:1256
-
C:\Windows\SysWOW64\Fehodaqd.exeC:\Windows\system32\Fehodaqd.exe71⤵PID:3044
-
C:\Windows\SysWOW64\Feklja32.exeC:\Windows\system32\Feklja32.exe72⤵PID:2356
-
C:\Windows\SysWOW64\Gbolce32.exeC:\Windows\system32\Gbolce32.exe73⤵PID:1460
-
C:\Windows\SysWOW64\Gmhmdc32.exeC:\Windows\system32\Gmhmdc32.exe74⤵PID:2752
-
C:\Windows\SysWOW64\Ggqamh32.exeC:\Windows\system32\Ggqamh32.exe75⤵PID:1652
-
C:\Windows\SysWOW64\Gddbfm32.exeC:\Windows\system32\Gddbfm32.exe76⤵PID:2708
-
C:\Windows\SysWOW64\Gaibpa32.exeC:\Windows\system32\Gaibpa32.exe77⤵PID:2108
-
C:\Windows\SysWOW64\Gnocdb32.exeC:\Windows\system32\Gnocdb32.exe78⤵PID:2424
-
C:\Windows\SysWOW64\Hnapja32.exeC:\Windows\system32\Hnapja32.exe79⤵PID:1928
-
C:\Windows\SysWOW64\Hoeigi32.exeC:\Windows\system32\Hoeigi32.exe80⤵PID:1996
-
C:\Windows\SysWOW64\Hkljljko.exeC:\Windows\system32\Hkljljko.exe81⤵PID:952
-
C:\Windows\SysWOW64\Hfdkoc32.exeC:\Windows\system32\Hfdkoc32.exe82⤵PID:1212
-
C:\Windows\SysWOW64\Ikcpmieg.exeC:\Windows\system32\Ikcpmieg.exe83⤵PID:1184
-
C:\Windows\SysWOW64\Jkjbml32.exeC:\Windows\system32\Jkjbml32.exe84⤵PID:2692
-
C:\Windows\SysWOW64\Kjalch32.exeC:\Windows\system32\Kjalch32.exe85⤵PID:2052
-
C:\Windows\SysWOW64\Kleeqp32.exeC:\Windows\system32\Kleeqp32.exe86⤵PID:2744
-
C:\Windows\SysWOW64\Klgbfo32.exeC:\Windows\system32\Klgbfo32.exe87⤵PID:388
-
C:\Windows\SysWOW64\Lohkhjcj.exeC:\Windows\system32\Lohkhjcj.exe88⤵PID:2664
-
C:\Windows\SysWOW64\Lomdcj32.exeC:\Windows\system32\Lomdcj32.exe89⤵PID:1360
-
C:\Windows\SysWOW64\Lkcehkeh.exeC:\Windows\system32\Lkcehkeh.exe90⤵PID:2536
-
C:\Windows\SysWOW64\Liibigjq.exeC:\Windows\system32\Liibigjq.exe91⤵PID:3004
-
C:\Windows\SysWOW64\Mikooghn.exeC:\Windows\system32\Mikooghn.exe92⤵PID:1752
-
C:\Windows\SysWOW64\Minldf32.exeC:\Windows\system32\Minldf32.exe93⤵PID:3148
-
C:\Windows\SysWOW64\Medligko.exeC:\Windows\system32\Medligko.exe94⤵PID:3208
-
C:\Windows\SysWOW64\Makmnh32.exeC:\Windows\system32\Makmnh32.exe95⤵PID:3268
-
C:\Windows\SysWOW64\Mcjihk32.exeC:\Windows\system32\Mcjihk32.exe96⤵PID:3328
-
C:\Windows\SysWOW64\Nndjhi32.exeC:\Windows\system32\Nndjhi32.exe97⤵PID:3388
-
C:\Windows\SysWOW64\Nocgbl32.exeC:\Windows\system32\Nocgbl32.exe98⤵PID:3440
-
C:\Windows\SysWOW64\Njmhcj32.exeC:\Windows\system32\Njmhcj32.exe99⤵PID:3512
-
C:\Windows\SysWOW64\Ngahmngp.exeC:\Windows\system32\Ngahmngp.exe100⤵PID:3576
-
C:\Windows\SysWOW64\Ngcebnen.exeC:\Windows\system32\Ngcebnen.exe101⤵PID:3640
-
C:\Windows\SysWOW64\Ofibcj32.exeC:\Windows\system32\Ofibcj32.exe102⤵PID:3688
-
C:\Windows\SysWOW64\Ofkoijhc.exeC:\Windows\system32\Ofkoijhc.exe103⤵PID:3772
-
C:\Windows\SysWOW64\Obbonk32.exeC:\Windows\system32\Obbonk32.exe104⤵PID:3820
-
C:\Windows\SysWOW64\Onipbl32.exeC:\Windows\system32\Onipbl32.exe105⤵PID:3892
-
C:\Windows\SysWOW64\Onkmhl32.exeC:\Windows\system32\Onkmhl32.exe106⤵PID:3956
-
C:\Windows\SysWOW64\Pjbnmm32.exeC:\Windows\system32\Pjbnmm32.exe107⤵PID:4016
-
C:\Windows\SysWOW64\Pkajgonp.exeC:\Windows\system32\Pkajgonp.exe108⤵PID:4080
-
C:\Windows\SysWOW64\Pclolakk.exeC:\Windows\system32\Pclolakk.exe109⤵PID:1728
-
C:\Windows\SysWOW64\Mlidplcf.exeC:\Windows\system32\Mlidplcf.exe110⤵PID:1040
-
C:\Windows\SysWOW64\Nppceo32.exeC:\Windows\system32\Nppceo32.exe111⤵PID:3076
-
C:\Windows\SysWOW64\Nelkme32.exeC:\Windows\system32\Nelkme32.exe112⤵PID:3180
-
C:\Windows\SysWOW64\Nlfdjphd.exeC:\Windows\system32\Nlfdjphd.exe113⤵PID:3276
-
C:\Windows\SysWOW64\Neaehelb.exeC:\Windows\system32\Neaehelb.exe114⤵PID:3260
-
C:\Windows\SysWOW64\Noiiaj32.exeC:\Windows\system32\Noiiaj32.exe115⤵PID:3360
-
C:\Windows\SysWOW64\Nhbnjpic.exeC:\Windows\system32\Nhbnjpic.exe116⤵PID:3532
-
C:\Windows\SysWOW64\Nnofbg32.exeC:\Windows\system32\Nnofbg32.exe117⤵PID:3572
-
C:\Windows\SysWOW64\Okbgkk32.exeC:\Windows\system32\Okbgkk32.exe118⤵PID:3596
-
C:\Windows\SysWOW64\Pbohmh32.exeC:\Windows\system32\Pbohmh32.exe119⤵PID:3676
-
C:\Windows\SysWOW64\Pobhfl32.exeC:\Windows\system32\Pobhfl32.exe120⤵PID:3792
-
C:\Windows\SysWOW64\Pnhegi32.exeC:\Windows\system32\Pnhegi32.exe121⤵PID:3840
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-