Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
20-03-2024 00:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe
-
Size
64KB
-
MD5
7677ef05b80ad7c6a33243a481d39fb5
-
SHA1
cf68cbf9e02b01cbda6cd549c42321601cc6afb7
-
SHA256
c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f
-
SHA512
978f8ccfd5d284eb540267dbeee6c8fd2e7887ed34c103950bffc000293c1187255524deb0ce86e13842ef1bcea1b2ae206b566f2bdcf8392330ac2c5d76d1a7
-
SSDEEP
1536:uq8CK+ZFTBIQsCADwO4YuzVyfLDvlCYE8Rm0Z:58B+ZFdI/CDO41EvvlCY/m0Z
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjoailji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Komfnnck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdlkld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldqegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Menakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhnjle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmekoalh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aplpai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebpkce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldqegd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mochnppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkjdhpea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kappfeln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlhaqogk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plcdgfbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnbacbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkpnhgge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgajhbkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqcagfim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkodhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjkkojlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iffeoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjcgco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pigeqkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ailkjmpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Limmokib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Libgjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cphlljge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgaqgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jedefejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpdhklkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpfdalii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jegble32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiellh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdooajdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fejgko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldcamcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlhnbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dchali32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqonkmdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgdjnofi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogjimd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmlgonbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajbdna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abbbnchb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fehjeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgoacojo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoffmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mepnpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pminkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmoipopd.exe -
Executes dropped EXE 64 IoCs
pid Process 1692 Hlnega32.exe 2260 Hchmdklc.exe 2656 Hefipfkg.exe 2460 Hheelbjj.exe 2788 Hlpamq32.exe 2628 Hoonilag.exe 768 Hnandi32.exe 2900 Hfifff32.exe 1972 Hdkfacpo.exe 1896 Hgjbmoob.exe 1092 Hoakolod.exe 1428 Hndkji32.exe 1676 Hqbgfd32.exe 2632 Hhioga32.exe 2256 Hkhkcm32.exe 540 Hjkkojlc.exe 620 Hbbcpg32.exe 820 Hqddldcp.exe 1872 Hccphobd.exe 1052 Hkjhimcf.exe 1376 Inhdehbj.exe 1280 Imkdqe32.exe 1848 Idblbb32.exe 2144 Icemmopa.exe 1552 Ifdiijpe.exe 548 Inkakhpg.exe 2224 Igcecmfg.exe 2824 Iffeoj32.exe 2640 Ijaapifk.exe 2364 Impnldeo.exe 2676 Iqljlb32.exe 2892 Icjfhn32.exe 1700 Ifhbdj32.exe 2716 Iigoqe32.exe 2504 Imbkadcl.exe 2704 Ioagno32.exe 1576 Iclcnnji.exe 2056 Ifkojiim.exe 2008 Ienoff32.exe 1380 Imeggc32.exe 2412 Ioccco32.exe 1900 Infdolgh.exe 3036 Ifmlpigj.exe 2204 Jilhldfn.exe 2684 Jkjdhpea.exe 2988 Joepio32.exe 2668 Jnhqdkde.exe 1248 Jbdlejmn.exe 3040 Jebiaelb.exe 980 Jinead32.exe 2312 Jgqemakf.exe 2388 Jklanp32.exe 2876 Jjoailji.exe 2604 Jnkmjk32.exe 2564 Jbfijjkl.exe 2196 Jaiiff32.exe 1436 Jedefejo.exe 2724 Jgcabqic.exe 568 Jmpjkggj.exe 2620 Jegble32.exe 3004 Jcjbgaog.exe 2212 Jgenhp32.exe 2440 Jfhocmnk.exe 2232 Jjdkdl32.exe -
Loads dropped DLL 64 IoCs
pid Process 2180 c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe 2180 c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe 1692 Hlnega32.exe 1692 Hlnega32.exe 2260 Hchmdklc.exe 2260 Hchmdklc.exe 2656 Hefipfkg.exe 2656 Hefipfkg.exe 2460 Hheelbjj.exe 2460 Hheelbjj.exe 2788 Hlpamq32.exe 2788 Hlpamq32.exe 2628 Hoonilag.exe 2628 Hoonilag.exe 768 Hnandi32.exe 768 Hnandi32.exe 2900 Hfifff32.exe 2900 Hfifff32.exe 1972 Hdkfacpo.exe 1972 Hdkfacpo.exe 1896 Hgjbmoob.exe 1896 Hgjbmoob.exe 1092 Hoakolod.exe 1092 Hoakolod.exe 1428 Hndkji32.exe 1428 Hndkji32.exe 1676 Hqbgfd32.exe 1676 Hqbgfd32.exe 2632 Hhioga32.exe 2632 Hhioga32.exe 2256 Hkhkcm32.exe 2256 Hkhkcm32.exe 540 Hjkkojlc.exe 540 Hjkkojlc.exe 620 Hbbcpg32.exe 620 Hbbcpg32.exe 820 Hqddldcp.exe 820 Hqddldcp.exe 1872 Hccphobd.exe 1872 Hccphobd.exe 1052 Hkjhimcf.exe 1052 Hkjhimcf.exe 1376 Inhdehbj.exe 1376 Inhdehbj.exe 1280 Imkdqe32.exe 1280 Imkdqe32.exe 1848 Idblbb32.exe 1848 Idblbb32.exe 2144 Icemmopa.exe 2144 Icemmopa.exe 1552 Ifdiijpe.exe 1552 Ifdiijpe.exe 548 Inkakhpg.exe 548 Inkakhpg.exe 2224 Igcecmfg.exe 2224 Igcecmfg.exe 2824 Iffeoj32.exe 2824 Iffeoj32.exe 2640 Ijaapifk.exe 2640 Ijaapifk.exe 2364 Impnldeo.exe 2364 Impnldeo.exe 2676 Iqljlb32.exe 2676 Iqljlb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ildamhjd.dll Ncmdhb32.exe File created C:\Windows\SysWOW64\Dbbkja32.exe Dngoibmo.exe File created C:\Windows\SysWOW64\Ghjkhm32.dll Ifdiijpe.exe File created C:\Windows\SysWOW64\Jiigehkl.exe Jjfgjk32.exe File opened for modification C:\Windows\SysWOW64\Fmekoalh.exe Fjgoce32.exe File created C:\Windows\SysWOW64\Djdbmo32.dll Kljqgc32.exe File created C:\Windows\SysWOW64\Ojjljknn.dll Kakbjibo.exe File created C:\Windows\SysWOW64\Lndipl32.dll Ldnhad32.exe File created C:\Windows\SysWOW64\Obigjnkf.exe Onmkio32.exe File created C:\Windows\SysWOW64\Cbnbobin.exe Cckace32.exe File opened for modification C:\Windows\SysWOW64\Imeggc32.exe Ienoff32.exe File opened for modification C:\Windows\SysWOW64\Mcjkcplm.exe Lplogdmj.exe File created C:\Windows\SysWOW64\Obopfpji.dll Paejki32.exe File created C:\Windows\SysWOW64\Ehgeib32.dll Kbalnnam.exe File opened for modification C:\Windows\SysWOW64\Nplkfgoe.exe Nnnojlpa.exe File created C:\Windows\SysWOW64\Jnmgmhmc.dll Fmjejphb.exe File created C:\Windows\SysWOW64\Hnempl32.dll Gdamqndn.exe File opened for modification C:\Windows\SysWOW64\Lodlom32.exe Lkhpnnej.exe File created C:\Windows\SysWOW64\Ahcfok32.dll Dbehoa32.exe File created C:\Windows\SysWOW64\Ppqqbdml.dll Mcodno32.exe File opened for modification C:\Windows\SysWOW64\Kqmoql32.dll Pabjem32.exe File created C:\Windows\SysWOW64\Benfcheg.dll Mgfgdn32.exe File opened for modification C:\Windows\SysWOW64\Bkaqmeah.exe Bhcdaibd.exe File created C:\Windows\SysWOW64\Jmloladn.dll Fjdbnf32.exe File opened for modification C:\Windows\SysWOW64\Eeqdep32.exe Efncicpm.exe File opened for modification C:\Windows\SysWOW64\Kanopipl.exe Koocdnai.exe File created C:\Windows\SysWOW64\Mhllhfdh.dll Njbcim32.exe File created C:\Windows\SysWOW64\Fmcqoe32.dll Pbkpna32.exe File created C:\Windows\SysWOW64\Gpknlk32.exe Globlmmj.exe File created C:\Windows\SysWOW64\Mgcgmb32.exe Mdejaf32.exe File created C:\Windows\SysWOW64\Ikeelnol.dll Ondajnme.exe File created C:\Windows\SysWOW64\Pminkk32.exe Ojkboo32.exe File opened for modification C:\Windows\SysWOW64\Cfgaiaci.exe Cbkeib32.exe File opened for modification C:\Windows\SysWOW64\Gaemjbcg.exe Gmjaic32.exe File created C:\Windows\SysWOW64\Dkhmpocj.dll Hndkji32.exe File opened for modification C:\Windows\SysWOW64\Kpjfba32.exe Klnjbbdh.exe File opened for modification C:\Windows\SysWOW64\Mochnppo.exe Mkhmma32.exe File created C:\Windows\SysWOW64\Iiciogbn.dll Cljcelan.exe File created C:\Windows\SysWOW64\Niifne32.dll Cndbcc32.exe File created C:\Windows\SysWOW64\Iffeoj32.exe Igcecmfg.exe File created C:\Windows\SysWOW64\Amclfbco.dll Lipjejgp.exe File created C:\Windows\SysWOW64\Njkfpl32.exe Nbdnoo32.exe File created C:\Windows\SysWOW64\Qlhnbf32.exe Pijbfj32.exe File created C:\Windows\SysWOW64\Mmlblm32.dll Qmlgonbe.exe File opened for modification C:\Windows\SysWOW64\Flmefm32.exe Fmjejphb.exe File created C:\Windows\SysWOW64\Cdakgibq.exe Cljcelan.exe File created C:\Windows\SysWOW64\Emhlfmgj.exe Eilpeooq.exe File created C:\Windows\SysWOW64\Kibjkgca.exe Kegnkh32.exe File created C:\Windows\SysWOW64\Fjgoce32.exe Ffkcbgek.exe File opened for modification C:\Windows\SysWOW64\Kibjkgca.exe Kegnkh32.exe File created C:\Windows\SysWOW64\Pccfge32.exe Pphjgfqq.exe File created C:\Windows\SysWOW64\Mkaggelk.dll Doobajme.exe File created C:\Windows\SysWOW64\Gncffdfn.dll Balijo32.exe File opened for modification C:\Windows\SysWOW64\Fdoclk32.exe Fpdhklkl.exe File opened for modification C:\Windows\SysWOW64\Enihne32.exe Epfhbign.exe File created C:\Windows\SysWOW64\Fdmneogq.dll Hchmdklc.exe File created C:\Windows\SysWOW64\Omloag32.exe Odegpj32.exe File opened for modification C:\Windows\SysWOW64\Cdakgibq.exe Cljcelan.exe File opened for modification C:\Windows\SysWOW64\Dchali32.exe Ddeaalpg.exe File created C:\Windows\SysWOW64\Cnbpqb32.dll Baildokg.exe File opened for modification C:\Windows\SysWOW64\Bgknheej.exe Bhhnli32.exe File created C:\Windows\SysWOW64\Ldahol32.dll Gangic32.exe File created C:\Windows\SysWOW64\Dbfjkpdk.dll Jebiaelb.exe File opened for modification C:\Windows\SysWOW64\Nnplpl32.exe Njdpomfe.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5840 5768 WerFault.exe 548 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpkceld.dll" Bebkpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjkkojlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ennaieib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpjfba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibgai32.dll" Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pigeqkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhioga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgcgmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hellne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coklgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eilpeooq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kegnkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ailkjmpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnfjna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpafkknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll" Eilpeooq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll" Ilknfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlcple32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpjoqhah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdppp32.dll" Omgaek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll" Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njkfpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nghphaeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iclcnnji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofpfnqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addnil32.dll" Gegfdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gobgcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpkjko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnigda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmhlp32.dll" Dcfdgiid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpolmdkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onmkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcbaa32.dll" Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnnlgbcn.dll" Inkakhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcmiimi.dll" Dnilobkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epfhbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll" Egdilkbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncancbha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll" Fmjejphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll" Iknnbklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhjfhhen.dll" Onmkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddckpim.dll" Pjmodopf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mepnpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleajblp.dll" Aiinen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmjhbal.dll" Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemeeh32.dll" Mcjkcplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifjcng32.dll" Nbdnoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ognnoaka.dll" Cngcjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlcple32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkdmcdoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfliqila.dll" Mkhmma32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2180 wrote to memory of 1692 2180 c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe 28 PID 2180 wrote to memory of 1692 2180 c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe 28 PID 2180 wrote to memory of 1692 2180 c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe 28 PID 2180 wrote to memory of 1692 2180 c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe 28 PID 1692 wrote to memory of 2260 1692 Hlnega32.exe 29 PID 1692 wrote to memory of 2260 1692 Hlnega32.exe 29 PID 1692 wrote to memory of 2260 1692 Hlnega32.exe 29 PID 1692 wrote to memory of 2260 1692 Hlnega32.exe 29 PID 2260 wrote to memory of 2656 2260 Hchmdklc.exe 30 PID 2260 wrote to memory of 2656 2260 Hchmdklc.exe 30 PID 2260 wrote to memory of 2656 2260 Hchmdklc.exe 30 PID 2260 wrote to memory of 2656 2260 Hchmdklc.exe 30 PID 2656 wrote to memory of 2460 2656 Hefipfkg.exe 31 PID 2656 wrote to memory of 2460 2656 Hefipfkg.exe 31 PID 2656 wrote to memory of 2460 2656 Hefipfkg.exe 31 PID 2656 wrote to memory of 2460 2656 Hefipfkg.exe 31 PID 2460 wrote to memory of 2788 2460 Hheelbjj.exe 32 PID 2460 wrote to memory of 2788 2460 Hheelbjj.exe 32 PID 2460 wrote to memory of 2788 2460 Hheelbjj.exe 32 PID 2460 wrote to memory of 2788 2460 Hheelbjj.exe 32 PID 2788 wrote to memory of 2628 2788 Hlpamq32.exe 33 PID 2788 wrote to memory of 2628 2788 Hlpamq32.exe 33 PID 2788 wrote to memory of 2628 2788 Hlpamq32.exe 33 PID 2788 wrote to memory of 2628 2788 Hlpamq32.exe 33 PID 2628 wrote to memory of 768 2628 Hoonilag.exe 34 PID 2628 wrote to memory of 768 2628 Hoonilag.exe 34 PID 2628 wrote to memory of 768 2628 Hoonilag.exe 34 PID 2628 wrote to memory of 768 2628 Hoonilag.exe 34 PID 768 wrote to memory of 2900 768 Hnandi32.exe 35 PID 768 wrote to memory of 2900 768 Hnandi32.exe 35 PID 768 wrote to memory of 2900 768 Hnandi32.exe 35 PID 768 wrote to memory of 2900 768 Hnandi32.exe 35 PID 2900 wrote to memory of 1972 2900 Hfifff32.exe 36 PID 2900 wrote to memory of 1972 2900 Hfifff32.exe 36 PID 2900 wrote to memory of 1972 2900 Hfifff32.exe 36 PID 2900 wrote to memory of 1972 2900 Hfifff32.exe 36 PID 1972 wrote to memory of 1896 1972 Hdkfacpo.exe 37 PID 1972 wrote to memory of 1896 1972 Hdkfacpo.exe 37 PID 1972 wrote to memory of 1896 1972 Hdkfacpo.exe 37 PID 1972 wrote to memory of 1896 1972 Hdkfacpo.exe 37 PID 1896 wrote to memory of 1092 1896 Hgjbmoob.exe 38 PID 1896 wrote to memory of 1092 1896 Hgjbmoob.exe 38 PID 1896 wrote to memory of 1092 1896 Hgjbmoob.exe 38 PID 1896 wrote to memory of 1092 1896 Hgjbmoob.exe 38 PID 1092 wrote to memory of 1428 1092 Hoakolod.exe 39 PID 1092 wrote to memory of 1428 1092 Hoakolod.exe 39 PID 1092 wrote to memory of 1428 1092 Hoakolod.exe 39 PID 1092 wrote to memory of 1428 1092 Hoakolod.exe 39 PID 1428 wrote to memory of 1676 1428 Hndkji32.exe 40 PID 1428 wrote to memory of 1676 1428 Hndkji32.exe 40 PID 1428 wrote to memory of 1676 1428 Hndkji32.exe 40 PID 1428 wrote to memory of 1676 1428 Hndkji32.exe 40 PID 1676 wrote to memory of 2632 1676 Hqbgfd32.exe 41 PID 1676 wrote to memory of 2632 1676 Hqbgfd32.exe 41 PID 1676 wrote to memory of 2632 1676 Hqbgfd32.exe 41 PID 1676 wrote to memory of 2632 1676 Hqbgfd32.exe 41 PID 2632 wrote to memory of 2256 2632 Hhioga32.exe 42 PID 2632 wrote to memory of 2256 2632 Hhioga32.exe 42 PID 2632 wrote to memory of 2256 2632 Hhioga32.exe 42 PID 2632 wrote to memory of 2256 2632 Hhioga32.exe 42 PID 2256 wrote to memory of 540 2256 Hkhkcm32.exe 43 PID 2256 wrote to memory of 540 2256 Hkhkcm32.exe 43 PID 2256 wrote to memory of 540 2256 Hkhkcm32.exe 43 PID 2256 wrote to memory of 540 2256 Hkhkcm32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe"C:\Users\Admin\AppData\Local\Temp\c301c58e84e6c39a1e52fa8cd972666379ed0ed7d17458399c006bb77cf8b91f.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Hlnega32.exeC:\Windows\system32\Hlnega32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Hchmdklc.exeC:\Windows\system32\Hchmdklc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Hefipfkg.exeC:\Windows\system32\Hefipfkg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Hheelbjj.exeC:\Windows\system32\Hheelbjj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Hlpamq32.exeC:\Windows\system32\Hlpamq32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Hoonilag.exeC:\Windows\system32\Hoonilag.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Hnandi32.exeC:\Windows\system32\Hnandi32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Hfifff32.exeC:\Windows\system32\Hfifff32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Hdkfacpo.exeC:\Windows\system32\Hdkfacpo.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Hgjbmoob.exeC:\Windows\system32\Hgjbmoob.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Hoakolod.exeC:\Windows\system32\Hoakolod.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\Hndkji32.exeC:\Windows\system32\Hndkji32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Hqbgfd32.exeC:\Windows\system32\Hqbgfd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Hhioga32.exeC:\Windows\system32\Hhioga32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Hkhkcm32.exeC:\Windows\system32\Hkhkcm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Hjkkojlc.exeC:\Windows\system32\Hjkkojlc.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:540 -
C:\Windows\SysWOW64\Hbbcpg32.exeC:\Windows\system32\Hbbcpg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:620 -
C:\Windows\SysWOW64\Hqddldcp.exeC:\Windows\system32\Hqddldcp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:820 -
C:\Windows\SysWOW64\Hccphobd.exeC:\Windows\system32\Hccphobd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Hkjhimcf.exeC:\Windows\system32\Hkjhimcf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1052 -
C:\Windows\SysWOW64\Inhdehbj.exeC:\Windows\system32\Inhdehbj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1376 -
C:\Windows\SysWOW64\Imkdqe32.exeC:\Windows\system32\Imkdqe32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1280 -
C:\Windows\SysWOW64\Idblbb32.exeC:\Windows\system32\Idblbb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\Icemmopa.exeC:\Windows\system32\Icemmopa.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Ifdiijpe.exeC:\Windows\system32\Ifdiijpe.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Inkakhpg.exeC:\Windows\system32\Inkakhpg.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:548 -
C:\Windows\SysWOW64\Igcecmfg.exeC:\Windows\system32\Igcecmfg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Iffeoj32.exeC:\Windows\system32\Iffeoj32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Ijaapifk.exeC:\Windows\system32\Ijaapifk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Impnldeo.exeC:\Windows\system32\Impnldeo.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Iqljlb32.exeC:\Windows\system32\Iqljlb32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Icjfhn32.exeC:\Windows\system32\Icjfhn32.exe33⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Ifhbdj32.exeC:\Windows\system32\Ifhbdj32.exe34⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Iigoqe32.exeC:\Windows\system32\Iigoqe32.exe35⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Imbkadcl.exeC:\Windows\system32\Imbkadcl.exe36⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Ioagno32.exeC:\Windows\system32\Ioagno32.exe37⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe39⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Ienoff32.exeC:\Windows\system32\Ienoff32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe41⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Ioccco32.exeC:\Windows\system32\Ioccco32.exe42⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Infdolgh.exeC:\Windows\system32\Infdolgh.exe43⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Ifmlpigj.exeC:\Windows\system32\Ifmlpigj.exe44⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe45⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Jkjdhpea.exeC:\Windows\system32\Jkjdhpea.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe47⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe48⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe49⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Jebiaelb.exeC:\Windows\system32\Jebiaelb.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe51⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe52⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Jklanp32.exeC:\Windows\system32\Jklanp32.exe53⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Jjoailji.exeC:\Windows\system32\Jjoailji.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe55⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Jbfijjkl.exeC:\Windows\system32\Jbfijjkl.exe56⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe57⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Jedefejo.exeC:\Windows\system32\Jedefejo.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Jgcabqic.exeC:\Windows\system32\Jgcabqic.exe59⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Jmpjkggj.exeC:\Windows\system32\Jmpjkggj.exe60⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Jegble32.exeC:\Windows\system32\Jegble32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Jcjbgaog.exeC:\Windows\system32\Jcjbgaog.exe62⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe63⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Jfhocmnk.exeC:\Windows\system32\Jfhocmnk.exe64⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Jjdkdl32.exeC:\Windows\system32\Jjdkdl32.exe65⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Jnofejom.exeC:\Windows\system32\Jnofejom.exe66⤵PID:2088
-
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe67⤵PID:2568
-
C:\Windows\SysWOW64\Jancafna.exeC:\Windows\system32\Jancafna.exe68⤵PID:1136
-
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe69⤵PID:944
-
C:\Windows\SysWOW64\Jghknp32.exeC:\Windows\system32\Jghknp32.exe70⤵PID:2776
-
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe71⤵PID:1996
-
C:\Windows\SysWOW64\Jjfgjk32.exeC:\Windows\system32\Jjfgjk32.exe72⤵
- Drops file in System32 directory
PID:1164 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe73⤵PID:2072
-
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe74⤵PID:1532
-
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1920 -
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe76⤵PID:1864
-
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe77⤵
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe78⤵PID:1544
-
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe79⤵PID:1604
-
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe80⤵PID:1916
-
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe81⤵PID:2580
-
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe82⤵
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe83⤵PID:1332
-
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe84⤵PID:2000
-
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe85⤵PID:952
-
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe86⤵PID:2004
-
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe87⤵PID:2524
-
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe88⤵PID:1072
-
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe89⤵PID:2092
-
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe90⤵PID:2096
-
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe91⤵PID:936
-
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe92⤵PID:940
-
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe93⤵
- Drops file in System32 directory
PID:1220 -
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe94⤵
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2044 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe96⤵
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe97⤵
- Drops file in System32 directory
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe98⤵PID:1508
-
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe99⤵PID:2236
-
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:984 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe101⤵
- Drops file in System32 directory
PID:560 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe102⤵PID:2764
-
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe103⤵PID:2692
-
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2560 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe105⤵PID:2968
-
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe106⤵PID:900
-
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe107⤵PID:320
-
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe108⤵PID:2272
-
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe109⤵PID:336
-
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe110⤵
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe111⤵PID:2108
-
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe112⤵
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe113⤵PID:856
-
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe114⤵PID:2960
-
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe115⤵PID:1172
-
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe117⤵PID:2816
-
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1860 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1192 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe120⤵PID:956
-
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe121⤵PID:2808
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-