Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
29/03/2024, 05:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fc0467a550727d639917e37d7a080de0b63622243b8e5b0a0af8bb23474e1524.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
fc0467a550727d639917e37d7a080de0b63622243b8e5b0a0af8bb23474e1524.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
fc0467a550727d639917e37d7a080de0b63622243b8e5b0a0af8bb23474e1524.exe
-
Size
78KB
-
MD5
341b0792173bbc8fd9a99691f8f970b6
-
SHA1
74cb308c98214c4e5d8623d9396e1a8fd124a8fa
-
SHA256
fc0467a550727d639917e37d7a080de0b63622243b8e5b0a0af8bb23474e1524
-
SHA512
9ff5c6ae322c3da6cc5d6da75bdad1af5a99b19a9f044beccf353fd25b8391ea1f3822005a4e5e38d2834fceeda1c6455da911d1314864e4c737495e3c6e436e
-
SSDEEP
768:uqGcolt5LLW8hjAggce6yTZxkt/i1hK7GZOxSXluZY/1H5KcXdnhgH1Ks6gsZsE6:umMzOZW5iukVcSjkIggsJVHcbns
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaemjbcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjljhjkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlbeqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lahkigca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lecgje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cppkph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejkima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmgqnfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dknekeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emieil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miooigfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dndlim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohibdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmicohqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckccgane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llnofpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjfccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enakbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efcfga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miooigfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofhick32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacpdbej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpgljfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdikkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndmjedoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaemjbcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkncmmle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lahkigca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgljbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhdplq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpleef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efcfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aehboi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnopfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jifdebic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emkaol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqgnokip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbpnanch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbjgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkiogn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olpdjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaceodek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lafndg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldidkbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cklmgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efaibbij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioijbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmhodf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abjebn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hckcmjep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfegbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kifpdelo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjcbpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bekkcljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjhknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfcampgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lecgje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbhnhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddigjkid.exe -
Executes dropped EXE 64 IoCs
pid Process 2236 Gacpdbej.exe 2228 Ggpimica.exe 2516 Gkkemh32.exe 2324 Gaemjbcg.exe 2628 Hahjpbad.exe 2448 Hdfflm32.exe 2900 Hkpnhgge.exe 2444 Hpmgqnfl.exe 2720 Hckcmjep.exe 348 Hiekid32.exe 2168 Hobcak32.exe 2780 Hlfdkoin.exe 568 Hacmcfge.exe 848 Hlhaqogk.exe 2776 Hkkalk32.exe 1996 Icbimi32.exe 1892 Ihoafpmp.exe 832 Ilknfn32.exe 1584 Ioijbj32.exe 1072 Ifcbodli.exe 2096 Ihankokm.exe 1280 Ikpjgkjq.exe 108 Iggkllpe.exe 2924 Inqcif32.exe 1884 Icmlam32.exe 888 Ikddbj32.exe 1972 Imfqjbli.exe 2092 Iqalka32.exe 2716 Jbgbni32.exe 2388 Jiakjb32.exe 2572 Jcgogk32.exe 1568 Jehkodcm.exe 2360 Jejhecaj.exe 2556 Jifdebic.exe 1616 Kaaijdgn.exe 1716 Kemejc32.exe 2196 Kbqecg32.exe 780 Kaceodek.exe 2112 Kgnnln32.exe 2148 Kjljhjkl.exe 2244 Kmjfdejp.exe 2472 Kfegbj32.exe 2220 Kiccofna.exe 1752 Kaklpcoc.exe 3008 Kifpdelo.exe 1788 Lbnemk32.exe 1984 Lpbefoai.exe 1272 Loeebl32.exe 836 Lhmjkaoc.exe 1636 Lpdbloof.exe 2272 Lbcnhjnj.exe 2520 Lafndg32.exe 3016 Lkncmmle.exe 2396 Lojomkdn.exe 2432 Lahkigca.exe 2928 Lecgje32.exe 352 Lhbcfa32.exe 1348 Llnofpcg.exe 1840 Ldidkbpb.exe 2688 Mhdplq32.exe 1724 Mkclhl32.exe 2176 Monhhk32.exe 1092 Mamddf32.exe 2160 Mdkqqa32.exe -
Loads dropped DLL 64 IoCs
pid Process 1220 fc0467a550727d639917e37d7a080de0b63622243b8e5b0a0af8bb23474e1524.exe 1220 fc0467a550727d639917e37d7a080de0b63622243b8e5b0a0af8bb23474e1524.exe 2236 Gacpdbej.exe 2236 Gacpdbej.exe 2228 Ggpimica.exe 2228 Ggpimica.exe 2516 Gkkemh32.exe 2516 Gkkemh32.exe 2324 Gaemjbcg.exe 2324 Gaemjbcg.exe 2628 Hahjpbad.exe 2628 Hahjpbad.exe 2448 Hdfflm32.exe 2448 Hdfflm32.exe 2900 Hkpnhgge.exe 2900 Hkpnhgge.exe 2444 Hpmgqnfl.exe 2444 Hpmgqnfl.exe 2720 Hckcmjep.exe 2720 Hckcmjep.exe 348 Hiekid32.exe 348 Hiekid32.exe 2168 Hobcak32.exe 2168 Hobcak32.exe 2780 Hlfdkoin.exe 2780 Hlfdkoin.exe 568 Hacmcfge.exe 568 Hacmcfge.exe 848 Hlhaqogk.exe 848 Hlhaqogk.exe 2776 Hkkalk32.exe 2776 Hkkalk32.exe 1996 Icbimi32.exe 1996 Icbimi32.exe 1892 Ihoafpmp.exe 1892 Ihoafpmp.exe 832 Ilknfn32.exe 832 Ilknfn32.exe 1584 Ioijbj32.exe 1584 Ioijbj32.exe 1072 Ifcbodli.exe 1072 Ifcbodli.exe 2096 Ihankokm.exe 2096 Ihankokm.exe 1280 Ikpjgkjq.exe 1280 Ikpjgkjq.exe 108 Iggkllpe.exe 108 Iggkllpe.exe 2924 Inqcif32.exe 2924 Inqcif32.exe 1884 Icmlam32.exe 1884 Icmlam32.exe 888 Ikddbj32.exe 888 Ikddbj32.exe 1972 Imfqjbli.exe 1972 Imfqjbli.exe 2092 Iqalka32.exe 2092 Iqalka32.exe 2716 Jbgbni32.exe 2716 Jbgbni32.exe 2388 Jiakjb32.exe 2388 Jiakjb32.exe 2572 Jcgogk32.exe 2572 Jcgogk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nncahjgl.exe Nkeelohh.exe File created C:\Windows\SysWOW64\Fpebfbaj.dll Ndpfkdmf.exe File created C:\Windows\SysWOW64\Bioqclil.exe Bjlqhoba.exe File created C:\Windows\SysWOW64\Blbfjg32.exe Bmpfojmp.exe File opened for modification C:\Windows\SysWOW64\Endhhp32.exe Egjpkffe.exe File opened for modification C:\Windows\SysWOW64\Hiekid32.exe Hckcmjep.exe File created C:\Windows\SysWOW64\Ilknfn32.exe Ihoafpmp.exe File opened for modification C:\Windows\SysWOW64\Blpjegfm.exe Bfcampgf.exe File created C:\Windows\SysWOW64\Bpleef32.exe Blpjegfm.exe File created C:\Windows\SysWOW64\Cnmehnan.exe Cojema32.exe File opened for modification C:\Windows\SysWOW64\Iqalka32.exe Imfqjbli.exe File created C:\Windows\SysWOW64\Chgdod32.dll Jiakjb32.exe File created C:\Windows\SysWOW64\Fbbkkjih.dll Mimbdhhb.exe File created C:\Windows\SysWOW64\Ijlhmj32.dll Mcegmm32.exe File created C:\Windows\SysWOW64\Ddgjdk32.exe Dbhnhp32.exe File opened for modification C:\Windows\SysWOW64\Dnoomqbg.exe Dkqbaecc.exe File created C:\Windows\SysWOW64\Enakbp32.exe Dggcffhg.exe File opened for modification C:\Windows\SysWOW64\Hckcmjep.exe Hpmgqnfl.exe File created C:\Windows\SysWOW64\Ckchjmoo.dll Lpbefoai.exe File created C:\Windows\SysWOW64\Mcbjgn32.exe Mdpjlajk.exe File opened for modification C:\Windows\SysWOW64\Ofjfhk32.exe Oqmmpd32.exe File created C:\Windows\SysWOW64\Mghohc32.dll Cgejac32.exe File opened for modification C:\Windows\SysWOW64\Eqgnokip.exe Emkaol32.exe File created C:\Windows\SysWOW64\Ihankokm.exe Ifcbodli.exe File created C:\Windows\SysWOW64\Dcmfoi32.dll Jehkodcm.exe File opened for modification C:\Windows\SysWOW64\Nncahjgl.exe Nkeelohh.exe File created C:\Windows\SysWOW64\Bbhela32.exe Bioqclil.exe File opened for modification C:\Windows\SysWOW64\Dpbheh32.exe Dndlim32.exe File opened for modification C:\Windows\SysWOW64\Pgplkb32.exe Pfoocjfd.exe File created C:\Windows\SysWOW64\Pclfkc32.exe Pmanoifd.exe File opened for modification C:\Windows\SysWOW64\Adnopfoj.exe Anafhopc.exe File opened for modification C:\Windows\SysWOW64\Cadhnmnm.exe Blgpef32.exe File created C:\Windows\SysWOW64\Kfimidmd.dll Kaklpcoc.exe File created C:\Windows\SysWOW64\Fljdpbcc.dll Nhiffc32.exe File opened for modification C:\Windows\SysWOW64\Nkiogn32.exe Ngnbgplj.exe File created C:\Windows\SysWOW64\Amkoie32.dll Okikfagn.exe File created C:\Windows\SysWOW64\Papfegmk.exe Pggbla32.exe File created C:\Windows\SysWOW64\Phofkg32.dll Hahjpbad.exe File opened for modification C:\Windows\SysWOW64\Hobcak32.exe Hiekid32.exe File created C:\Windows\SysWOW64\Kaklpcoc.exe Kiccofna.exe File created C:\Windows\SysWOW64\Iopodh32.dll Mmceigep.exe File created C:\Windows\SysWOW64\Endhhp32.exe Egjpkffe.exe File created C:\Windows\SysWOW64\Kdkpbk32.dll Mamddf32.exe File created C:\Windows\SysWOW64\Oegjkb32.dll Bpgljfbl.exe File created C:\Windows\SysWOW64\Djklnnaj.exe Dfoqmo32.exe File created C:\Windows\SysWOW64\Mdpjlajk.exe Mgljbm32.exe File opened for modification C:\Windows\SysWOW64\Pkndaa32.exe Piphee32.exe File opened for modification C:\Windows\SysWOW64\Gacpdbej.exe fc0467a550727d639917e37d7a080de0b63622243b8e5b0a0af8bb23474e1524.exe File created C:\Windows\SysWOW64\Jifdebic.exe Jejhecaj.exe File opened for modification C:\Windows\SysWOW64\Mcbjgn32.exe Mdpjlajk.exe File opened for modification C:\Windows\SysWOW64\Hahjpbad.exe Gaemjbcg.exe File created C:\Windows\SysWOW64\Dpajdp32.dll Ohibdf32.exe File created C:\Windows\SysWOW64\Bkddcl32.dll Pbfpik32.exe File created C:\Windows\SysWOW64\Cdbdjhmp.exe Cadhnmnm.exe File opened for modification C:\Windows\SysWOW64\Egoife32.exe Emieil32.exe File created C:\Windows\SysWOW64\Cfahajeg.dll Ikddbj32.exe File created C:\Windows\SysWOW64\Cfiini32.dll Mlmlecec.exe File opened for modification C:\Windows\SysWOW64\Blgpef32.exe Bhkdeggl.exe File created C:\Windows\SysWOW64\Ffpncj32.dll Emieil32.exe File created C:\Windows\SysWOW64\Cldooj32.exe Cjfccn32.exe File created C:\Windows\SysWOW64\Ghlpli32.dll Ifcbodli.exe File created C:\Windows\SysWOW64\Llnofpcg.exe Lhbcfa32.exe File opened for modification C:\Windows\SysWOW64\Nehmdhja.exe Namqci32.exe File opened for modification C:\Windows\SysWOW64\Pmanoifd.exe Pgeefbhm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3996 3972 WerFault.exe 231 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll" Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll" Hacmcfge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kemejc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdpjlajk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfpgj32.dll" Ofhick32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbfpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgkkpon.dll" Cjdfmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlbeqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chpmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll" Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imfqjbli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bahbme32.dll" Iqalka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okikfagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnjdhmdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmpkjkma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mihiih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meccii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nblnkb32.dll" Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbfpg32.dll" Pgplkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkddcl32.dll" Pbfpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oglegn32.dll" Amfcikek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blpjegfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihankokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chgdod32.dll" Jiakjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lojomkdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmpkjkma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjljhjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onjgiiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cojema32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nehmdhja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhiffc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqmmpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnffb32.dll" Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pclfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pggbla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbcpbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icmlam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbcjffka.dll" Mdkqqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpbbidem.dll" Nehmdhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfhengk.dll" Ppbfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlbeqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cddaphkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckccgane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odoghjmf.dll" Iggkllpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojgbclk.dll" Aibajhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpncj32.dll" Emieil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llnofpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qimhoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpleef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbnemk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkncmmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jknpfqoh.dll" Mihiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aibajhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnhijl32.dll" Aaaoij32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1220 wrote to memory of 2236 1220 fc0467a550727d639917e37d7a080de0b63622243b8e5b0a0af8bb23474e1524.exe 28 PID 1220 wrote to memory of 2236 1220 fc0467a550727d639917e37d7a080de0b63622243b8e5b0a0af8bb23474e1524.exe 28 PID 1220 wrote to memory of 2236 1220 fc0467a550727d639917e37d7a080de0b63622243b8e5b0a0af8bb23474e1524.exe 28 PID 1220 wrote to memory of 2236 1220 fc0467a550727d639917e37d7a080de0b63622243b8e5b0a0af8bb23474e1524.exe 28 PID 2236 wrote to memory of 2228 2236 Gacpdbej.exe 29 PID 2236 wrote to memory of 2228 2236 Gacpdbej.exe 29 PID 2236 wrote to memory of 2228 2236 Gacpdbej.exe 29 PID 2236 wrote to memory of 2228 2236 Gacpdbej.exe 29 PID 2228 wrote to memory of 2516 2228 Ggpimica.exe 30 PID 2228 wrote to memory of 2516 2228 Ggpimica.exe 30 PID 2228 wrote to memory of 2516 2228 Ggpimica.exe 30 PID 2228 wrote to memory of 2516 2228 Ggpimica.exe 30 PID 2516 wrote to memory of 2324 2516 Gkkemh32.exe 31 PID 2516 wrote to memory of 2324 2516 Gkkemh32.exe 31 PID 2516 wrote to memory of 2324 2516 Gkkemh32.exe 31 PID 2516 wrote to memory of 2324 2516 Gkkemh32.exe 31 PID 2324 wrote to memory of 2628 2324 Gaemjbcg.exe 32 PID 2324 wrote to memory of 2628 2324 Gaemjbcg.exe 32 PID 2324 wrote to memory of 2628 2324 Gaemjbcg.exe 32 PID 2324 wrote to memory of 2628 2324 Gaemjbcg.exe 32 PID 2628 wrote to memory of 2448 2628 Hahjpbad.exe 33 PID 2628 wrote to memory of 2448 2628 Hahjpbad.exe 33 PID 2628 wrote to memory of 2448 2628 Hahjpbad.exe 33 PID 2628 wrote to memory of 2448 2628 Hahjpbad.exe 33 PID 2448 wrote to memory of 2900 2448 Hdfflm32.exe 34 PID 2448 wrote to memory of 2900 2448 Hdfflm32.exe 34 PID 2448 wrote to memory of 2900 2448 Hdfflm32.exe 34 PID 2448 wrote to memory of 2900 2448 Hdfflm32.exe 34 PID 2900 wrote to memory of 2444 2900 Hkpnhgge.exe 35 PID 2900 wrote to memory of 2444 2900 Hkpnhgge.exe 35 PID 2900 wrote to memory of 2444 2900 Hkpnhgge.exe 35 PID 2900 wrote to memory of 2444 2900 Hkpnhgge.exe 35 PID 2444 wrote to memory of 2720 2444 Hpmgqnfl.exe 36 PID 2444 wrote to memory of 2720 2444 Hpmgqnfl.exe 36 PID 2444 wrote to memory of 2720 2444 Hpmgqnfl.exe 36 PID 2444 wrote to memory of 2720 2444 Hpmgqnfl.exe 36 PID 2720 wrote to memory of 348 2720 Hckcmjep.exe 37 PID 2720 wrote to memory of 348 2720 Hckcmjep.exe 37 PID 2720 wrote to memory of 348 2720 Hckcmjep.exe 37 PID 2720 wrote to memory of 348 2720 Hckcmjep.exe 37 PID 348 wrote to memory of 2168 348 Hiekid32.exe 38 PID 348 wrote to memory of 2168 348 Hiekid32.exe 38 PID 348 wrote to memory of 2168 348 Hiekid32.exe 38 PID 348 wrote to memory of 2168 348 Hiekid32.exe 38 PID 2168 wrote to memory of 2780 2168 Hobcak32.exe 39 PID 2168 wrote to memory of 2780 2168 Hobcak32.exe 39 PID 2168 wrote to memory of 2780 2168 Hobcak32.exe 39 PID 2168 wrote to memory of 2780 2168 Hobcak32.exe 39 PID 2780 wrote to memory of 568 2780 Hlfdkoin.exe 40 PID 2780 wrote to memory of 568 2780 Hlfdkoin.exe 40 PID 2780 wrote to memory of 568 2780 Hlfdkoin.exe 40 PID 2780 wrote to memory of 568 2780 Hlfdkoin.exe 40 PID 568 wrote to memory of 848 568 Hacmcfge.exe 41 PID 568 wrote to memory of 848 568 Hacmcfge.exe 41 PID 568 wrote to memory of 848 568 Hacmcfge.exe 41 PID 568 wrote to memory of 848 568 Hacmcfge.exe 41 PID 848 wrote to memory of 2776 848 Hlhaqogk.exe 42 PID 848 wrote to memory of 2776 848 Hlhaqogk.exe 42 PID 848 wrote to memory of 2776 848 Hlhaqogk.exe 42 PID 848 wrote to memory of 2776 848 Hlhaqogk.exe 42 PID 2776 wrote to memory of 1996 2776 Hkkalk32.exe 43 PID 2776 wrote to memory of 1996 2776 Hkkalk32.exe 43 PID 2776 wrote to memory of 1996 2776 Hkkalk32.exe 43 PID 2776 wrote to memory of 1996 2776 Hkkalk32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc0467a550727d639917e37d7a080de0b63622243b8e5b0a0af8bb23474e1524.exe"C:\Users\Admin\AppData\Local\Temp\fc0467a550727d639917e37d7a080de0b63622243b8e5b0a0af8bb23474e1524.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1892 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1072 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1280 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:108 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:888 -
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe36⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe38⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe40⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe42⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1788 -
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe49⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe51⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe52⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Lafndg32.exeC:\Windows\system32\Lafndg32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Lhbcfa32.exeC:\Windows\system32\Lhbcfa32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:352 -
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe62⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe63⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Mdkqqa32.exeC:\Windows\system32\Mdkqqa32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe66⤵
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe67⤵
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1784 -
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1228 -
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2216 -
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe72⤵
- Drops file in System32 directory
PID:884 -
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2568 -
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe74⤵PID:1676
-
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe75⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe76⤵
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe78⤵
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe79⤵PID:2756
-
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe80⤵
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe81⤵
- Modifies registry class
PID:1848 -
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:976 -
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe83⤵
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe84⤵PID:2728
-
C:\Windows\SysWOW64\Naoniipe.exeC:\Windows\system32\Naoniipe.exe85⤵PID:1652
-
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2764 -
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Nocnbmoo.exeC:\Windows\system32\Nocnbmoo.exe88⤵PID:688
-
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe89⤵PID:2968
-
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe90⤵PID:3044
-
C:\Windows\SysWOW64\Ndpfkdmf.exeC:\Windows\system32\Ndpfkdmf.exe91⤵
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe94⤵PID:2652
-
C:\Windows\SysWOW64\Nceclqan.exeC:\Windows\system32\Nceclqan.exe95⤵PID:2796
-
C:\Windows\SysWOW64\Onjgiiad.exeC:\Windows\system32\Onjgiiad.exe96⤵
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe97⤵PID:2932
-
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe98⤵PID:2552
-
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Ofhick32.exeC:\Windows\system32\Ofhick32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Oqmmpd32.exeC:\Windows\system32\Oqmmpd32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Ofjfhk32.exeC:\Windows\system32\Ofjfhk32.exe102⤵
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2708 -
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:1276 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe106⤵
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Pgplkb32.exeC:\Windows\system32\Pgplkb32.exe107⤵
- Modifies registry class
PID:1456 -
C:\Windows\SysWOW64\Pnjdhmdo.exeC:\Windows\system32\Pnjdhmdo.exe108⤵
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2916 -
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe111⤵
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe112⤵
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe113⤵PID:2548
-
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe114⤵
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Pmanoifd.exeC:\Windows\system32\Pmanoifd.exe115⤵
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Pclfkc32.exeC:\Windows\system32\Pclfkc32.exe116⤵
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Papfegmk.exeC:\Windows\system32\Papfegmk.exe118⤵PID:1168
-
C:\Windows\SysWOW64\Ppbfpd32.exeC:\Windows\system32\Ppbfpd32.exe119⤵
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Pflomnkb.exeC:\Windows\system32\Pflomnkb.exe120⤵PID:1576
-
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2060
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-