Analysis
-
max time kernel
93s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
22-07-2024 23:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
29e2a81f3a62b68aeec41105f39c6680N.exe
Resource
win7-20240704-en
windows7-x64
6 signatures
120 seconds
Behavioral task
behavioral2
Sample
29e2a81f3a62b68aeec41105f39c6680N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
29e2a81f3a62b68aeec41105f39c6680N.exe
-
Size
1.7MB
-
MD5
29e2a81f3a62b68aeec41105f39c6680
-
SHA1
d4213b487f19fffaf14fbf44e75316648f7a15eb
-
SHA256
e510104f2b02e2693f780abb8855a2cd902050f6856d04b38e19da53e4bd3331
-
SHA512
4bdba1ccc8ef71ac1b3a3b470505d905dbc6dffd00b659cce0bdb8456a8c9517432c5bb909e7a4a800d739304b3aaa943cfbc4973d728059db24a16c6238a7a5
-
SSDEEP
49152:hYix7/ix7yix7/ix7Xcix7/ix7yix7/ix7:eU/UyU/UXcU/UyU/U
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akiahcik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojnhdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfabfldd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iijdfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mheekb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jijbnppi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jijbnppi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhnoocab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacgpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkmjbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anppiikk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lophcpam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbhfcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eakkkdnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efkfbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gifhkpgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fagcnmie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aellfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcfioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmjlfgml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmnkqcem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kceehijb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncggifep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bakgmgpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhjldiln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnbhcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofbikf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmihn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dopdgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lepihndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phlaqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cffqhmqd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlamfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hldldq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gccjbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgodchen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddlloi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmohjopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjclfmfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpnmoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipbcbkmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kobhkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Celnjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mneancpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdhcinme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddbfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndlanf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohoiaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knhoig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekqqea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naqkki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odhjmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbilclhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdlakf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlqniihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiipfbgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlppgihj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdbmkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chgkgmoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imdjlida.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leaallcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noajmlnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgkqeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ephhmn32.exe -
Executes dropped EXE 64 IoCs
pid Process 2424 Ofbikf32.exe 2860 Opkndldc.exe 2876 Ppmkilbp.exe 2616 Pobgjhgh.exe 2844 Plheil32.exe 1292 Qdhcinme.exe 2368 Aellfe32.exe 1564 Gjcekj32.exe 2976 Hgbhibio.exe 2144 Imdjlida.exe 1668 Leaallcb.exe 424 Lkccob32.exe 3056 Nccmng32.exe 2388 Ncggifep.exe 1528 Qomcdf32.exe 1672 Bkhjcing.exe 2464 Cfmjoe32.exe 1584 Dpjhcj32.exe 1600 Dhmchljg.exe 564 Ephhmn32.exe 948 Elaego32.exe 1984 Eodknifb.exe 108 Faimkd32.exe 1732 Gcocnk32.exe 652 Gcfioj32.exe 2836 Gkancm32.exe 2856 Hkidclbb.exe 2408 Hcfenn32.exe 1860 Ifgooikk.exe 2816 Iijdfc32.exe 2644 Jehklc32.exe 2812 Kmjfae32.exe 2788 Kononm32.exe 2652 Kanhph32.exe 2928 Lmlofhmb.exe 1388 Lophcpam.exe 1184 Mgbcha32.exe 2428 Mjcljlea.exe 2432 Njjbjk32.exe 2284 Nkmkgc32.exe 2360 Ogiegc32.exe 2128 Oqajqi32.exe 484 Ojnhdn32.exe 264 Ofehiocd.exe 1016 Pldnge32.exe 2352 Pihnqj32.exe 2132 Qechqj32.exe 2056 Qmomelml.exe 744 Qjcmoqlf.exe 1548 Abnbccia.exe 2936 Ahbqliap.exe 2628 Bonenbgj.exe 2732 Bcedbefd.exe 2800 Cpkaai32.exe 2104 Cgnpmg32.exe 2700 Chmlfj32.exe 3008 Dknehe32.exe 2708 Dihojnqo.exe 1280 Djhldahb.exe 2108 Efolib32.exe 2260 Eckcak32.exe 896 Eapcjo32.exe 2520 Fabppo32.exe 2364 Fdbibjok.exe -
Loads dropped DLL 64 IoCs
pid Process 2796 29e2a81f3a62b68aeec41105f39c6680N.exe 2796 29e2a81f3a62b68aeec41105f39c6680N.exe 2424 Ofbikf32.exe 2424 Ofbikf32.exe 2860 Opkndldc.exe 2860 Opkndldc.exe 2876 Ppmkilbp.exe 2876 Ppmkilbp.exe 2616 Pobgjhgh.exe 2616 Pobgjhgh.exe 2844 Plheil32.exe 2844 Plheil32.exe 1292 Qdhcinme.exe 1292 Qdhcinme.exe 2368 Aellfe32.exe 2368 Aellfe32.exe 1564 Gjcekj32.exe 1564 Gjcekj32.exe 2976 Hgbhibio.exe 2976 Hgbhibio.exe 2144 Imdjlida.exe 2144 Imdjlida.exe 1668 Leaallcb.exe 1668 Leaallcb.exe 424 Lkccob32.exe 424 Lkccob32.exe 3056 Nccmng32.exe 3056 Nccmng32.exe 2388 Ncggifep.exe 2388 Ncggifep.exe 1528 Qomcdf32.exe 1528 Qomcdf32.exe 1672 Bkhjcing.exe 1672 Bkhjcing.exe 2464 Cfmjoe32.exe 2464 Cfmjoe32.exe 1584 Dpjhcj32.exe 1584 Dpjhcj32.exe 1600 Dhmchljg.exe 1600 Dhmchljg.exe 564 Ephhmn32.exe 564 Ephhmn32.exe 948 Elaego32.exe 948 Elaego32.exe 1984 Eodknifb.exe 1984 Eodknifb.exe 108 Faimkd32.exe 108 Faimkd32.exe 1732 Gcocnk32.exe 1732 Gcocnk32.exe 652 Gcfioj32.exe 652 Gcfioj32.exe 2836 Gkancm32.exe 2836 Gkancm32.exe 2856 Hkidclbb.exe 2856 Hkidclbb.exe 2408 Hcfenn32.exe 2408 Hcfenn32.exe 1860 Ifgooikk.exe 1860 Ifgooikk.exe 2816 Iijdfc32.exe 2816 Iijdfc32.exe 2644 Jehklc32.exe 2644 Jehklc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hkidclbb.exe Gkancm32.exe File created C:\Windows\SysWOW64\Eifcqc32.dll Cnbhcl32.exe File created C:\Windows\SysWOW64\Jknlfg32.exe Iodolf32.exe File created C:\Windows\SysWOW64\Ahhlnohm.dll Egdnjlcg.exe File opened for modification C:\Windows\SysWOW64\Qklhifhi.exe Pdpcgl32.exe File opened for modification C:\Windows\SysWOW64\Lhlgaedj.exe Knlpphnd.exe File created C:\Windows\SysWOW64\Mjdcofpe.exe Lqknfq32.exe File created C:\Windows\SysWOW64\Hlamfh32.exe Gbbbld32.exe File created C:\Windows\SysWOW64\Ojlgfmgh.dll Pgkjji32.exe File created C:\Windows\SysWOW64\Gdghbiem.dll Fqhegf32.exe File created C:\Windows\SysWOW64\Nihjfm32.exe Ndlanf32.exe File created C:\Windows\SysWOW64\Pfbkplni.dll Joomnm32.exe File opened for modification C:\Windows\SysWOW64\Gddbfm32.exe Gemhpq32.exe File created C:\Windows\SysWOW64\Oqaliabh.exe Nlfdjphd.exe File opened for modification C:\Windows\SysWOW64\Milagp32.exe Llagegfb.exe File created C:\Windows\SysWOW64\Epinic32.dll Imdjlida.exe File opened for modification C:\Windows\SysWOW64\Hbmpoj32.exe Gmnkqcem.exe File created C:\Windows\SysWOW64\Gggbcamq.dll Ljadqn32.exe File created C:\Windows\SysWOW64\Kceehijb.exe Kgodchen.exe File created C:\Windows\SysWOW64\Qipmdhcj.exe Pcahga32.exe File created C:\Windows\SysWOW64\Hgfqkokb.dll Pcahga32.exe File created C:\Windows\SysWOW64\Pgkqeo32.exe Poplqm32.exe File opened for modification C:\Windows\SysWOW64\Pnhegi32.exe Pgkqeo32.exe File opened for modification C:\Windows\SysWOW64\Danblfmk.exe Ddjbbbna.exe File created C:\Windows\SysWOW64\Gbejabln.dll Fipdci32.exe File created C:\Windows\SysWOW64\Kfabfldd.exe Jajcaj32.exe File created C:\Windows\SysWOW64\Pbqaha32.dll Ckkjmf32.exe File opened for modification C:\Windows\SysWOW64\Caohfl32.exe Cmappn32.exe File opened for modification C:\Windows\SysWOW64\Kmnonqce.exe Kdaajl32.exe File created C:\Windows\SysWOW64\Qaeeli32.dll Olclimif.exe File opened for modification C:\Windows\SysWOW64\Hkidclbb.exe Gkancm32.exe File created C:\Windows\SysWOW64\Nlgqod32.dll Dihojnqo.exe File created C:\Windows\SysWOW64\Gaibpa32.exe Gddbfm32.exe File created C:\Windows\SysWOW64\Hccbnhla.exe Gidgdcli.exe File created C:\Windows\SysWOW64\Polbemck.exe Onelbfab.exe File created C:\Windows\SysWOW64\Omdbfo32.exe Ohginhma.exe File created C:\Windows\SysWOW64\Jojmigpn.exe Jeahpa32.exe File opened for modification C:\Windows\SysWOW64\Qechqj32.exe Pihnqj32.exe File created C:\Windows\SysWOW64\Ebgefbed.dll Chmlfj32.exe File opened for modification C:\Windows\SysWOW64\Fbhfcf32.exe Fdbibjok.exe File created C:\Windows\SysWOW64\Jhjldiln.exe Jlqniihl.exe File created C:\Windows\SysWOW64\Pcmqnddq.dll Ddjbbbna.exe File opened for modification C:\Windows\SysWOW64\Cfmjoe32.exe Bkhjcing.exe File created C:\Windows\SysWOW64\Klliop32.dll Eapcjo32.exe File created C:\Windows\SysWOW64\Ponadfim.exe Onhkan32.exe File created C:\Windows\SysWOW64\Ikhpqn32.dll Ggifmgia.exe File created C:\Windows\SysWOW64\Objcnj32.exe Nbaqhk32.exe File opened for modification C:\Windows\SysWOW64\Aiegpg32.exe Qegnii32.exe File created C:\Windows\SysWOW64\Memghn32.dll Gccjbo32.exe File opened for modification C:\Windows\SysWOW64\Bfjhippb.exe Bqjcli32.exe File created C:\Windows\SysWOW64\Ojjanlod.exe Odnmkb32.exe File created C:\Windows\SysWOW64\Iikonh32.dll Hmnmil32.exe File created C:\Windows\SysWOW64\Gemhpq32.exe Gifhkpgk.exe File created C:\Windows\SysWOW64\Caohfl32.exe Cmappn32.exe File created C:\Windows\SysWOW64\Ihnfpjjj.dll Kkmakd32.exe File created C:\Windows\SysWOW64\Elaego32.exe Ephhmn32.exe File created C:\Windows\SysWOW64\Ajipmocp.exe Aiegpg32.exe File created C:\Windows\SysWOW64\Ebhlmlhl.exe Efakhk32.exe File created C:\Windows\SysWOW64\Gealfddm.dll Pqlhbo32.exe File opened for modification C:\Windows\SysWOW64\Egdnjlcg.exe Ekkppkpf.exe File opened for modification C:\Windows\SysWOW64\Ooccap32.exe Oqnfqcjk.exe File created C:\Windows\SysWOW64\Ldnapl32.dll Ffomjgoj.exe File created C:\Windows\SysWOW64\Odcqbapk.dll Mheekb32.exe File created C:\Windows\SysWOW64\Dopdgb32.exe Dohnfc32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ponfcl32.dll" Kmjfae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlgqod32.dll" Dihojnqo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmjohoej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbkmki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lophcpam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajmdmpmb.dll" Ahbqliap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaibpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjlmpk32.dll" Nlfdjphd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpnmoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gflcplhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgain32.dll" Cgklma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iodolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgklj32.dll" Polbemck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cebfcj32.dll" Flcjjdpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbpfopf.dll" Ofbikf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hccbnhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alpkcn32.dll" Gmejdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehiod32.dll" Aeommfnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onjeinde.dll" Fhjcmcep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpidah32.dll" Chgkgmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcffhn32.dll" Niqijkel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlamfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgknffcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmlffcog.dll" Agmbolin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akldhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjmnck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nknold32.dll" Phlaqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcojn32.dll" Bkhjcing.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ealejn32.dll" Hkngbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijahed32.dll" Feeldk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mclbkjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jajcaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joomnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cenjoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhpppmaf.dll" Iehejc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdkkkqlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnkbcmaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgiidckm.dll" Hlmpjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Linmmf32.dll" Lafpipoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamec32.dll" Clphjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kddobk32.dll" Onhkan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffoehg32.dll" Ijddokdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkmjbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjfiajnd.dll" Jdlefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faamni32.dll" Clheeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbpegdik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midgogjn.dll" Bknani32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iikonh32.dll" Hmnmil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpnnbm32.dll" Pobgjhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahiimj32.dll" Angafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chgkgmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmggo32.dll" Hbmpoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fedinobh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kldofi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnhegi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oagkac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omdbfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehpjmoio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckcema32.dll" Ljdjildq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgklma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceidfi32.dll" Pgkqeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbeaaiga.dll" Dpnmoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibmlepmp.dll" Kfabfldd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlgeffnb.dll" Eeecibci.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2796 wrote to memory of 2424 2796 29e2a81f3a62b68aeec41105f39c6680N.exe 29 PID 2796 wrote to memory of 2424 2796 29e2a81f3a62b68aeec41105f39c6680N.exe 29 PID 2796 wrote to memory of 2424 2796 29e2a81f3a62b68aeec41105f39c6680N.exe 29 PID 2796 wrote to memory of 2424 2796 29e2a81f3a62b68aeec41105f39c6680N.exe 29 PID 2424 wrote to memory of 2860 2424 Ofbikf32.exe 30 PID 2424 wrote to memory of 2860 2424 Ofbikf32.exe 30 PID 2424 wrote to memory of 2860 2424 Ofbikf32.exe 30 PID 2424 wrote to memory of 2860 2424 Ofbikf32.exe 30 PID 2860 wrote to memory of 2876 2860 Opkndldc.exe 31 PID 2860 wrote to memory of 2876 2860 Opkndldc.exe 31 PID 2860 wrote to memory of 2876 2860 Opkndldc.exe 31 PID 2860 wrote to memory of 2876 2860 Opkndldc.exe 31 PID 2876 wrote to memory of 2616 2876 Ppmkilbp.exe 32 PID 2876 wrote to memory of 2616 2876 Ppmkilbp.exe 32 PID 2876 wrote to memory of 2616 2876 Ppmkilbp.exe 32 PID 2876 wrote to memory of 2616 2876 Ppmkilbp.exe 32 PID 2616 wrote to memory of 2844 2616 Pobgjhgh.exe 33 PID 2616 wrote to memory of 2844 2616 Pobgjhgh.exe 33 PID 2616 wrote to memory of 2844 2616 Pobgjhgh.exe 33 PID 2616 wrote to memory of 2844 2616 Pobgjhgh.exe 33 PID 2844 wrote to memory of 1292 2844 Plheil32.exe 34 PID 2844 wrote to memory of 1292 2844 Plheil32.exe 34 PID 2844 wrote to memory of 1292 2844 Plheil32.exe 34 PID 2844 wrote to memory of 1292 2844 Plheil32.exe 34 PID 1292 wrote to memory of 2368 1292 Qdhcinme.exe 35 PID 1292 wrote to memory of 2368 1292 Qdhcinme.exe 35 PID 1292 wrote to memory of 2368 1292 Qdhcinme.exe 35 PID 1292 wrote to memory of 2368 1292 Qdhcinme.exe 35 PID 2368 wrote to memory of 1564 2368 Aellfe32.exe 36 PID 2368 wrote to memory of 1564 2368 Aellfe32.exe 36 PID 2368 wrote to memory of 1564 2368 Aellfe32.exe 36 PID 2368 wrote to memory of 1564 2368 Aellfe32.exe 36 PID 1564 wrote to memory of 2976 1564 Gjcekj32.exe 37 PID 1564 wrote to memory of 2976 1564 Gjcekj32.exe 37 PID 1564 wrote to memory of 2976 1564 Gjcekj32.exe 37 PID 1564 wrote to memory of 2976 1564 Gjcekj32.exe 37 PID 2976 wrote to memory of 2144 2976 Hgbhibio.exe 38 PID 2976 wrote to memory of 2144 2976 Hgbhibio.exe 38 PID 2976 wrote to memory of 2144 2976 Hgbhibio.exe 38 PID 2976 wrote to memory of 2144 2976 Hgbhibio.exe 38 PID 2144 wrote to memory of 1668 2144 Imdjlida.exe 39 PID 2144 wrote to memory of 1668 2144 Imdjlida.exe 39 PID 2144 wrote to memory of 1668 2144 Imdjlida.exe 39 PID 2144 wrote to memory of 1668 2144 Imdjlida.exe 39 PID 1668 wrote to memory of 424 1668 Leaallcb.exe 40 PID 1668 wrote to memory of 424 1668 Leaallcb.exe 40 PID 1668 wrote to memory of 424 1668 Leaallcb.exe 40 PID 1668 wrote to memory of 424 1668 Leaallcb.exe 40 PID 424 wrote to memory of 3056 424 Lkccob32.exe 41 PID 424 wrote to memory of 3056 424 Lkccob32.exe 41 PID 424 wrote to memory of 3056 424 Lkccob32.exe 41 PID 424 wrote to memory of 3056 424 Lkccob32.exe 41 PID 3056 wrote to memory of 2388 3056 Nccmng32.exe 42 PID 3056 wrote to memory of 2388 3056 Nccmng32.exe 42 PID 3056 wrote to memory of 2388 3056 Nccmng32.exe 42 PID 3056 wrote to memory of 2388 3056 Nccmng32.exe 42 PID 2388 wrote to memory of 1528 2388 Ncggifep.exe 43 PID 2388 wrote to memory of 1528 2388 Ncggifep.exe 43 PID 2388 wrote to memory of 1528 2388 Ncggifep.exe 43 PID 2388 wrote to memory of 1528 2388 Ncggifep.exe 43 PID 1528 wrote to memory of 1672 1528 Qomcdf32.exe 44 PID 1528 wrote to memory of 1672 1528 Qomcdf32.exe 44 PID 1528 wrote to memory of 1672 1528 Qomcdf32.exe 44 PID 1528 wrote to memory of 1672 1528 Qomcdf32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\29e2a81f3a62b68aeec41105f39c6680N.exe"C:\Users\Admin\AppData\Local\Temp\29e2a81f3a62b68aeec41105f39c6680N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Ofbikf32.exeC:\Windows\system32\Ofbikf32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Opkndldc.exeC:\Windows\system32\Opkndldc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Ppmkilbp.exeC:\Windows\system32\Ppmkilbp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Pobgjhgh.exeC:\Windows\system32\Pobgjhgh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Plheil32.exeC:\Windows\system32\Plheil32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Qdhcinme.exeC:\Windows\system32\Qdhcinme.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Aellfe32.exeC:\Windows\system32\Aellfe32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Gjcekj32.exeC:\Windows\system32\Gjcekj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Hgbhibio.exeC:\Windows\system32\Hgbhibio.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Imdjlida.exeC:\Windows\system32\Imdjlida.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Leaallcb.exeC:\Windows\system32\Leaallcb.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Lkccob32.exeC:\Windows\system32\Lkccob32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:424 -
C:\Windows\SysWOW64\Nccmng32.exeC:\Windows\system32\Nccmng32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Ncggifep.exeC:\Windows\system32\Ncggifep.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Qomcdf32.exeC:\Windows\system32\Qomcdf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Bkhjcing.exeC:\Windows\system32\Bkhjcing.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Cfmjoe32.exeC:\Windows\system32\Cfmjoe32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Dpjhcj32.exeC:\Windows\system32\Dpjhcj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Dhmchljg.exeC:\Windows\system32\Dhmchljg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Ephhmn32.exeC:\Windows\system32\Ephhmn32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:564 -
C:\Windows\SysWOW64\Elaego32.exeC:\Windows\system32\Elaego32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Windows\SysWOW64\Eodknifb.exeC:\Windows\system32\Eodknifb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\Faimkd32.exeC:\Windows\system32\Faimkd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:108 -
C:\Windows\SysWOW64\Gcocnk32.exeC:\Windows\system32\Gcocnk32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Windows\SysWOW64\Gcfioj32.exeC:\Windows\system32\Gcfioj32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:652 -
C:\Windows\SysWOW64\Gkancm32.exeC:\Windows\system32\Gkancm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Hkidclbb.exeC:\Windows\system32\Hkidclbb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Hcfenn32.exeC:\Windows\system32\Hcfenn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Ifgooikk.exeC:\Windows\system32\Ifgooikk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Iijdfc32.exeC:\Windows\system32\Iijdfc32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Jehklc32.exeC:\Windows\system32\Jehklc32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Kmjfae32.exeC:\Windows\system32\Kmjfae32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Kononm32.exeC:\Windows\system32\Kononm32.exe34⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Kanhph32.exeC:\Windows\system32\Kanhph32.exe35⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Lmlofhmb.exeC:\Windows\system32\Lmlofhmb.exe36⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Lophcpam.exeC:\Windows\system32\Lophcpam.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1388 -
C:\Windows\SysWOW64\Mgbcha32.exeC:\Windows\system32\Mgbcha32.exe38⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Mjcljlea.exeC:\Windows\system32\Mjcljlea.exe39⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Njjbjk32.exeC:\Windows\system32\Njjbjk32.exe40⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Nkmkgc32.exeC:\Windows\system32\Nkmkgc32.exe41⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Ogiegc32.exeC:\Windows\system32\Ogiegc32.exe42⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Oqajqi32.exeC:\Windows\system32\Oqajqi32.exe43⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Ojnhdn32.exeC:\Windows\system32\Ojnhdn32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Ofehiocd.exeC:\Windows\system32\Ofehiocd.exe45⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Pldnge32.exeC:\Windows\system32\Pldnge32.exe46⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Pihnqj32.exeC:\Windows\system32\Pihnqj32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Qechqj32.exeC:\Windows\system32\Qechqj32.exe48⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Qmomelml.exeC:\Windows\system32\Qmomelml.exe49⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Qjcmoqlf.exeC:\Windows\system32\Qjcmoqlf.exe50⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Abnbccia.exeC:\Windows\system32\Abnbccia.exe51⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Ahbqliap.exeC:\Windows\system32\Ahbqliap.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Bonenbgj.exeC:\Windows\system32\Bonenbgj.exe53⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Bcedbefd.exeC:\Windows\system32\Bcedbefd.exe54⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Cpkaai32.exeC:\Windows\system32\Cpkaai32.exe55⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Cgnpmg32.exeC:\Windows\system32\Cgnpmg32.exe56⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Chmlfj32.exeC:\Windows\system32\Chmlfj32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Dknehe32.exeC:\Windows\system32\Dknehe32.exe58⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Dihojnqo.exeC:\Windows\system32\Dihojnqo.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Djhldahb.exeC:\Windows\system32\Djhldahb.exe60⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Efolib32.exeC:\Windows\system32\Efolib32.exe61⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Eckcak32.exeC:\Windows\system32\Eckcak32.exe62⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Eapcjo32.exeC:\Windows\system32\Eapcjo32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Fabppo32.exeC:\Windows\system32\Fabppo32.exe64⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Fdbibjok.exeC:\Windows\system32\Fdbibjok.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Fbhfcf32.exeC:\Windows\system32\Fbhfcf32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:328 -
C:\Windows\SysWOW64\Gifhkpgk.exeC:\Windows\system32\Gifhkpgk.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Gemhpq32.exeC:\Windows\system32\Gemhpq32.exe68⤵
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Gddbfm32.exeC:\Windows\system32\Gddbfm32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Gaibpa32.exeC:\Windows\system32\Gaibpa32.exe70⤵
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Gidgdcli.exeC:\Windows\system32\Gidgdcli.exe71⤵
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Hccbnhla.exeC:\Windows\system32\Hccbnhla.exe72⤵
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Hkngbj32.exeC:\Windows\system32\Hkngbj32.exe73⤵
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Hfdkoc32.exeC:\Windows\system32\Hfdkoc32.exe74⤵PID:2328
-
C:\Windows\SysWOW64\Ikembicd.exeC:\Windows\system32\Ikembicd.exe75⤵PID:1976
-
C:\Windows\SysWOW64\Jboanfmm.exeC:\Windows\system32\Jboanfmm.exe76⤵PID:1968
-
C:\Windows\SysWOW64\Knhoig32.exeC:\Windows\system32\Knhoig32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:812 -
C:\Windows\SysWOW64\Mgoohk32.exeC:\Windows\system32\Mgoohk32.exe78⤵PID:2264
-
C:\Windows\SysWOW64\Mpjqfpke.exeC:\Windows\system32\Mpjqfpke.exe79⤵PID:2392
-
C:\Windows\SysWOW64\Mheekb32.exeC:\Windows\system32\Mheekb32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:892 -
C:\Windows\SysWOW64\Noajmlnj.exeC:\Windows\system32\Noajmlnj.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2268 -
C:\Windows\SysWOW64\Nkhkbmco.exeC:\Windows\system32\Nkhkbmco.exe82⤵PID:548
-
C:\Windows\SysWOW64\Ncellpog.exeC:\Windows\system32\Ncellpog.exe83⤵PID:2088
-
C:\Windows\SysWOW64\Nchiao32.exeC:\Windows\system32\Nchiao32.exe84⤵PID:864
-
C:\Windows\SysWOW64\Oqnfqcjk.exeC:\Windows\system32\Oqnfqcjk.exe85⤵
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Ooccap32.exeC:\Windows\system32\Ooccap32.exe86⤵PID:2112
-
C:\Windows\SysWOW64\Okjdfq32.exeC:\Windows\system32\Okjdfq32.exe87⤵PID:2640
-
C:\Windows\SysWOW64\Onkmhl32.exeC:\Windows\system32\Onkmhl32.exe88⤵PID:2920
-
C:\Windows\SysWOW64\Pnminkof.exeC:\Windows\system32\Pnminkof.exe89⤵PID:2312
-
C:\Windows\SysWOW64\Pnbcij32.exeC:\Windows\system32\Pnbcij32.exe90⤵PID:2576
-
C:\Windows\SysWOW64\Pcahga32.exeC:\Windows\system32\Pcahga32.exe91⤵
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Qipmdhcj.exeC:\Windows\system32\Qipmdhcj.exe92⤵PID:1888
-
C:\Windows\SysWOW64\Qegnii32.exeC:\Windows\system32\Qegnii32.exe93⤵
- Drops file in System32 directory
PID:1124 -
C:\Windows\SysWOW64\Aiegpg32.exeC:\Windows\system32\Aiegpg32.exe94⤵
- Drops file in System32 directory
PID:1396 -
C:\Windows\SysWOW64\Ajipmocp.exeC:\Windows\system32\Ajipmocp.exe95⤵PID:672
-
C:\Windows\SysWOW64\Afoqbpid.exeC:\Windows\system32\Afoqbpid.exe96⤵PID:2124
-
C:\Windows\SysWOW64\Ajmihn32.exeC:\Windows\system32\Ajmihn32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1500 -
C:\Windows\SysWOW64\Babdhlmh.exeC:\Windows\system32\Babdhlmh.exe98⤵PID:2820
-
C:\Windows\SysWOW64\Bofebqlb.exeC:\Windows\system32\Bofebqlb.exe99⤵PID:2840
-
C:\Windows\SysWOW64\Bnkbcmaj.exeC:\Windows\system32\Bnkbcmaj.exe100⤵
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Calgoken.exeC:\Windows\system32\Calgoken.exe101⤵PID:2988
-
C:\Windows\SysWOW64\Cnbhcl32.exeC:\Windows\system32\Cnbhcl32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Cgklma32.exeC:\Windows\system32\Cgklma32.exe103⤵
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Clheeh32.exeC:\Windows\system32\Clheeh32.exe104⤵
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Dohnfc32.exeC:\Windows\system32\Dohnfc32.exe105⤵
- Drops file in System32 directory
PID:732 -
C:\Windows\SysWOW64\Dopdgb32.exeC:\Windows\system32\Dopdgb32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2116 -
C:\Windows\SysWOW64\Ddlloi32.exeC:\Windows\system32\Ddlloi32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1368 -
C:\Windows\SysWOW64\Engnno32.exeC:\Windows\system32\Engnno32.exe108⤵PID:1740
-
C:\Windows\SysWOW64\Ekcdegqe.exeC:\Windows\system32\Ekcdegqe.exe109⤵PID:2100
-
C:\Windows\SysWOW64\Elfakg32.exeC:\Windows\system32\Elfakg32.exe110⤵PID:2712
-
C:\Windows\SysWOW64\Fngjmb32.exeC:\Windows\system32\Fngjmb32.exe111⤵PID:2412
-
C:\Windows\SysWOW64\Fagcnmie.exeC:\Windows\system32\Fagcnmie.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2768 -
C:\Windows\SysWOW64\Fjpggb32.exeC:\Windows\system32\Fjpggb32.exe113⤵PID:2752
-
C:\Windows\SysWOW64\Feeldk32.exeC:\Windows\system32\Feeldk32.exe114⤵
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Ffiebc32.exeC:\Windows\system32\Ffiebc32.exe115⤵PID:2224
-
C:\Windows\SysWOW64\Gbpegdik.exeC:\Windows\system32\Gbpegdik.exe116⤵
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Gmejdm32.exeC:\Windows\system32\Gmejdm32.exe117⤵
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Gbbbld32.exeC:\Windows\system32\Gbbbld32.exe118⤵
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Hlamfh32.exeC:\Windows\system32\Hlamfh32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Hgknffcp.exeC:\Windows\system32\Hgknffcp.exe120⤵
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Hilghaqq.exeC:\Windows\system32\Hilghaqq.exe121⤵PID:2504
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-