Analysis
- max time kernel: 137s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-04-2024 22:29

Static task
- static1: 1 signatures

Behavioral task
- behavioral1
  - Sample: 4a1498faddbfc02e758596c9b33f19ef.exe
  - Resource: win7-20240221-en (windows7-x64)
  - 7 signatures
  - 150 seconds

Behavioral task
- behavioral2
  - Sample: 4a1498faddbfc02e758596c9b33f19ef.exe
  - Resource: win10v2004-20240226-en (windows10-2004-x64)
  - 6 signatures
  - 150 seconds

General
- Target: 4a1498faddbfc02e758596c9b33f19ef.exe
- Size: 96KB
- MD5: 4a1498faddbfc02e758596c9b33f19ef
- SHA1: c31575afc5dde9157ffc5e8ff70baee00c166d27
- SHA256: 0afca9e018ed42039d22ccad827492d752ca4124cb19d57c4d02a45eb4a5eaeb
- SHA512: 81a543b0426d425684a53cb2b170b44f4cc3f8fd32d07bc977aa85f590870a4bfad542a9b3a46808f7aaf112e100b8dbb2624f29e8a3d2394891bd09cbbde7ef
- SSDEEP: 1536:JTXlat7lehAmiP7D9P3lQ4lPaVC+r05Cs0G8Zyim/2auduV9jojTIvjr:JLl3hFiPyr057ayDfud69jc0v
- Score: 10/10

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmfkjl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iaifbg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Adkelplc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lgccccec.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npnjcm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llngbabj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aompjamo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lkcaeige.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Begcjjql.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mqbpjmeg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Idinej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lgffci32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gicndaep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Odqbdnod.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Injmlbkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ajikhfpg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gideogil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kfhbifgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jikojcaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mphoob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ochjmd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcehejic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mpjleadh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohjlqklp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mjahfl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkofofbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Idahcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kpfggang.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Andqol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hbldkllm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mpiejkql.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jepjbm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pmnbpm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjlmdmqj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Deoabj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oendaipn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pnmhqh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ndagao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pmoabn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jjeflc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkeppeii.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfaigclq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojjoedfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ppjghgdg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mkjnop32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcimmn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mgdklb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egjebn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kmbdkj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmdihgkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aljcip32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohceqo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nlbdba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hedhoc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpneom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Idceim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nieoal32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Caimachg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bemqcngl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qoplop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ijmapm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmbmbgmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kepdfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nogngp32.exe
Executes dropped EXE (64 IoCs)

pid | Process
2852 | Amnebo32.exe
5380 | Bpedeiff.exe
2644 | Bfaigclq.exe
3144 | Cibain32.exe
644 | Cgiohbfi.exe
5912 | Ccppmc32.exe
5892 | Dinael32.exe
5992 | Dcibca32.exe
5488 | Ddklbd32.exe
1408 | Ejojljqa.exe
5524 | Edfknb32.exe
4812 | Fclhpo32.exe
4680 | Fncibg32.exe
1016 | Fgqgfl32.exe
1084 | Gjficg32.exe
4560 | Ggjjlk32.exe
2168 | Hcedmkmp.exe
4888 | Hegmlnbp.exe
988 | Hcljmj32.exe
3792 | Ilfodgeg.exe
4716 | Inkaqb32.exe
3968 | Jjihfbno.exe
4820 | Jddiegbm.exe
2960 | Koimbpbc.exe
4492 | Klpjad32.exe
1480 | Kbnlim32.exe
2692 | Lbqinm32.exe
3416 | Ledoegkm.exe
2884 | Llngbabj.exe
648 | Lamlphoo.exe
784 | Mclhjkfa.exe
5056 | Mkjjdmaj.exe
1712 | Mllccpfj.exe
4684 | Nlcidopb.exe
656 | Nofoki32.exe
3192 | Oomelheh.exe
2088 | Okfbgiij.exe
4440 | Podkmgop.exe
2296 | Peempn32.exe
6096 | Pmoagk32.exe
5452 | Qfjcep32.exe
5424 | Abcppq32.exe
3988 | Bfjllnnm.exe
5348 | Bpgjpb32.exe
4872 | Cmmgof32.exe
1960 | Cepadh32.exe
5896 | Dpefaq32.exe
5880 | Dlqpaafg.exe
5500 | Emeffcid.exe
1600 | Fjeibc32.exe
5496 | Fcmnkh32.exe
4584 | Fncbha32.exe
5076 | Fcddkggf.exe
1660 | Gnoacp32.exe
5820 | Gggfme32.exe
4012 | Gmfkjl32.exe
216 | Hfamia32.exe
5876 | Hcgjhega.exe
1852 | Hdffah32.exe
4008 | Ijfkpnji.exe
4568 | Ijmapm32.exe
2376 | Iaifbg32.exe
2200 | Jmbdmg32.exe
3952 | Jnfjbj32.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Pmoagk32.exe | Peempn32.exe
File created | C:\Windows\SysWOW64\Gcbnjh32.dll | Lagepl32.exe
File created | C:\Windows\SysWOW64\Omneeicm.dll | Fegiba32.exe
File created | C:\Windows\SysWOW64\Hmblee32.dll | Iehfno32.exe
File created | C:\Windows\SysWOW64\Jlcnnhjo.dll | Ndfqlnno.exe
File created | C:\Windows\SysWOW64\Fnacfp32.exe | Fclohg32.exe
File created | C:\Windows\SysWOW64\Laqhao32.exe | Llcoihmb.exe
File created | C:\Windows\SysWOW64\Nbbbggpb.dll | Banabi32.exe
File opened for modification | C:\Windows\SysWOW64\Ccppmc32.exe | Cgiohbfi.exe
File created | C:\Windows\SysWOW64\Hfniikha.exe | Hpaqqdjj.exe
File opened for modification | C:\Windows\SysWOW64\Fhhaclqc.exe | Fjdajhbi.exe
File created | C:\Windows\SysWOW64\Mjhepnno.exe | Lclpmdhd.exe
File created | C:\Windows\SysWOW64\Jccodkca.dll | Aehpof32.exe
File created | C:\Windows\SysWOW64\Ohceqo32.exe | Omnqcfig.exe
File opened for modification | C:\Windows\SysWOW64\Iipfgm32.exe | Icfnjcec.exe
File opened for modification | C:\Windows\SysWOW64\Aaenlj32.exe | Afpjoaeo.exe
File created | C:\Windows\SysWOW64\Fclohg32.exe | Fcibchgq.exe
File created | C:\Windows\SysWOW64\Bhjfpqcj.dll | Peimcaae.exe
File created | C:\Windows\SysWOW64\Plkginal.dll | Mhppcn32.exe
File created | C:\Windows\SysWOW64\Mbenfq32.exe | Mhoiih32.exe
File opened for modification | C:\Windows\SysWOW64\Qkgcog32.exe | Qaoofaoi.exe
File opened for modification | C:\Windows\SysWOW64\Edgkif32.exe | Ekngqqol.exe
File created | C:\Windows\SysWOW64\Alkdnolh.dll | Njnpie32.exe
File created | C:\Windows\SysWOW64\Cipppc32.exe | Ccbhhl32.exe
File opened for modification | C:\Windows\SysWOW64\Gjficg32.exe | Fgqgfl32.exe
File opened for modification | C:\Windows\SysWOW64\Lhammfci.exe | Lagepl32.exe
File opened for modification | C:\Windows\SysWOW64\Hpqlof32.exe | Hfhgfaha.exe
File created | C:\Windows\SysWOW64\Gmlngkld.dll | Mbhina32.exe
File created | C:\Windows\SysWOW64\Jkaadebl.exe | Jplmglbf.exe
File created | C:\Windows\SysWOW64\Oaomij32.exe | Olbdacbp.exe
File opened for modification | C:\Windows\SysWOW64\Epndddnk.exe | Efepln32.exe
File created | C:\Windows\SysWOW64\Oefpoi32.exe | Okpkaqmp.exe
File opened for modification | C:\Windows\SysWOW64\Hdmohnhl.exe | Higjkehf.exe
File created | C:\Windows\SysWOW64\Hnicbmod.dll | Mabnlh32.exe
File created | C:\Windows\SysWOW64\Ccppmc32.exe | Cgiohbfi.exe
File created | C:\Windows\SysWOW64\Cpdcmkpj.dll | Nidhffef.exe
File created | C:\Windows\SysWOW64\Jlmlbdad.dll | Bedgejbo.exe
File opened for modification | C:\Windows\SysWOW64\Ofqpje32.exe | Odocbmfd.exe
File created | C:\Windows\SysWOW64\Jefinlal.dll | Mjiljdaj.exe
File created | C:\Windows\SysWOW64\Fpflql32.dll | Onhmhc32.exe
File created | C:\Windows\SysWOW64\Ijmapm32.exe | Ijfkpnji.exe
File opened for modification | C:\Windows\SysWOW64\Ipmbcm32.exe | Ikpjkf32.exe
File opened for modification | C:\Windows\SysWOW64\Amfqikko.exe | Agglld32.exe
File created | C:\Windows\SysWOW64\Idfaolpb.exe | Inlibb32.exe
File created | C:\Windows\SysWOW64\Jepjbm32.exe | Jpcajflb.exe
File created | C:\Windows\SysWOW64\Pbpbhmcg.dll | Oikngeoo.exe
File created | C:\Windows\SysWOW64\Haobnpkc.exe | Glajeiml.exe
File opened for modification | C:\Windows\SysWOW64\Lnkgbibj.exe | Lkjoqnei.exe
File created | C:\Windows\SysWOW64\Nabaklon.dll | Hoakpi32.exe
File created | C:\Windows\SysWOW64\Fcmoqnea.dll | Ojcidelf.exe
File created | C:\Windows\SysWOW64\Gmjlfbjj.dll | Klceeejl.exe
File created | C:\Windows\SysWOW64\Qfjcep32.exe | Pmoagk32.exe
File created | C:\Windows\SysWOW64\Eeackh32.dll | Andqol32.exe
File created | C:\Windows\SysWOW64\Meogbcel.exe | Loeoei32.exe
File created | C:\Windows\SysWOW64\Ihdaoajd.exe | Ijcaaibe.exe
File created | C:\Windows\SysWOW64\Ddnigkcd.dll | Kdkdqinj.exe
File opened for modification | C:\Windows\SysWOW64\Pjbkal32.exe | Ppjghgdg.exe
File opened for modification | C:\Windows\SysWOW64\Pagbklae.exe | Pjmjnb32.exe
File created | C:\Windows\SysWOW64\Hfhgfaha.exe | Gnmbao32.exe
File created | C:\Windows\SysWOW64\Lbikcgbb.dll | Mnaghb32.exe
File opened for modification | C:\Windows\SysWOW64\Jbfphh32.exe | Jmihpa32.exe
File created | C:\Windows\SysWOW64\Kfbjhd32.dll | Pnakaa32.exe
File created | C:\Windows\SysWOW64\Pjbkal32.exe | Ppjghgdg.exe
File created | C:\Windows\SysWOW64\Oecnmi32.exe | Opfedb32.exe
Program crash (1 IoCs)

pid | pid_target | Process | procid_target
8172 | 7200 | Process not Found | 1133
Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gnqflhcg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmeilpn.dll" | Pghaghfn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jpfnqc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kdiobd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmkpdlhe.dll" | Nknolaob.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mjahfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bpniaool.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mnggnh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ldpoinjq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pahdfp32.dll" | Npcokpln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bofojign.dll" | Fnhlndqg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negfik32.dll" | Ohebek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjnfn32.dll" | Fgqgfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nhnlelfm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cfjnch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dmdogpmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oldagc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oegejc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kmppneal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpmel32.dll" | Hedhoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mbamcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nabaklon.dll" | Hoakpi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Icbpkg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Amfqikko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bglefdke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lbddpclj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hpjlgp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oqbagd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpclq32.dll" | Lbgaecjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Efepln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmjlfbjj.dll" | Klceeejl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ndagao32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lgffci32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lnpopcni.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Djcoko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgbcilhf.dll" | Omcjne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcpbp32.dll" | Jgfcfajg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbnifj32.dll" | Ghbkdald.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahogoog.dll" | Fnacfp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Habeni32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbbfgah.dll" | Ijpcbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ooalibaf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qcbmegol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ghkebd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aidokffk.dll" | Qkgcog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bpedeiff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oomelheh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cnpibh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ijaimg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pckfdh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnajolfl.dll" | Gbgibgpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bfjllnnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gcpaiq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fahajbek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ddngdj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lclpmdhd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Emikpeig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jbqpbbfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Llbphdfl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Amfqikko.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Keonke32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dmlkaela.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qnamofdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gojgkl32.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 1856 wrote to memory of 2852 | 1856 | 4a1498faddbfc02e758596c9b33f19ef.exe | 95
PID 1856 wrote to memory of 2852 | 1856 | 4a1498faddbfc02e758596c9b33f19ef.exe | 95
PID 1856 wrote to memory of 2852 | 1856 | 4a1498faddbfc02e758596c9b33f19ef.exe | 95
PID 2852 wrote to memory of 5380 | 2852 | Amnebo32.exe | 96
PID 2852 wrote to memory of 5380 | 2852 | Amnebo32.exe | 96
PID 2852 wrote to memory of 5380 | 2852 | Amnebo32.exe | 96
PID 5380 wrote to memory of 2644 | 5380 | Bpedeiff.exe | 97
PID 5380 wrote to memory of 2644 | 5380 | Bpedeiff.exe | 97
PID 5380 wrote to memory of 2644 | 5380 | Bpedeiff.exe | 97
PID 2644 wrote to memory of 3144 | 2644 | Bfaigclq.exe | 98
PID 2644 wrote to memory of 3144 | 2644 | Bfaigclq.exe | 98
PID 2644 wrote to memory of 3144 | 2644 | Bfaigclq.exe | 98
PID 3144 wrote to memory of 644 | 3144 | Cibain32.exe | 99
PID 3144 wrote to memory of 644 | 3144 | Cibain32.exe | 99
PID 3144 wrote to memory of 644 | 3144 | Cibain32.exe | 99
PID 644 wrote to memory of 5912 | 644 | Cgiohbfi.exe | 100
PID 644 wrote to memory of 5912 | 644 | Cgiohbfi.exe | 100
PID 644 wrote to memory of 5912 | 644 | Cgiohbfi.exe | 100
PID 5912 wrote to memory of 5892 | 5912 | Ccppmc32.exe | 101
PID 5912 wrote to memory of 5892 | 5912 | Ccppmc32.exe | 101
PID 5912 wrote to memory of 5892 | 5912 | Ccppmc32.exe | 101
PID 5892 wrote to memory of 5992 | 5892 | Dinael32.exe | 102
PID 5892 wrote to memory of 5992 | 5892 | Dinael32.exe | 102
PID 5892 wrote to memory of 5992 | 5892 | Dinael32.exe | 102
PID 5992 wrote to memory of 5488 | 5992 | Dcibca32.exe | 103
PID 5992 wrote to memory of 5488 | 5992 | Dcibca32.exe | 103
PID 5992 wrote to memory of 5488 | 5992 | Dcibca32.exe | 103
PID 5488 wrote to memory of 1408 | 5488 | Ddklbd32.exe | 104
PID 5488 wrote to memory of 1408 | 5488 | Ddklbd32.exe | 104
PID 5488 wrote to memory of 1408 | 5488 | Ddklbd32.exe | 104
PID 1408 wrote to memory of 5524 | 1408 | Ejojljqa.exe | 105
PID 1408 wrote to memory of 5524 | 1408 | Ejojljqa.exe | 105
PID 1408 wrote to memory of 5524 | 1408 | Ejojljqa.exe | 105
PID 5524 wrote to memory of 4812 | 5524 | Edfknb32.exe | 106
PID 5524 wrote to memory of 4812 | 5524 | Edfknb32.exe | 106
PID 5524 wrote to memory of 4812 | 5524 | Edfknb32.exe | 106
PID 4812 wrote to memory of 4680 | 4812 | Fclhpo32.exe | 107
PID 4812 wrote to memory of 4680 | 4812 | Fclhpo32.exe | 107
PID 4812 wrote to memory of 4680 | 4812 | Fclhpo32.exe | 107
PID 4680 wrote to memory of 1016 | 4680 | Fncibg32.exe | 108
PID 4680 wrote to memory of 1016 | 4680 | Fncibg32.exe | 108
PID 4680 wrote to memory of 1016 | 4680 | Fncibg32.exe | 108
PID 1016 wrote to memory of 1084 | 1016 | Fgqgfl32.exe | 109
PID 1016 wrote to memory of 1084 | 1016 | Fgqgfl32.exe | 109
PID 1016 wrote to memory of 1084 | 1016 | Fgqgfl32.exe | 109
PID 1084 wrote to memory of 4560 | 1084 | Gjficg32.exe | 110
PID 1084 wrote to memory of 4560 | 1084 | Gjficg32.exe | 110
PID 1084 wrote to memory of 4560 | 1084 | Gjficg32.exe | 110
PID 4560 wrote to memory of 2168 | 4560 | Ggjjlk32.exe | 111
PID 4560 wrote to memory of 2168 | 4560 | Ggjjlk32.exe | 111
PID 4560 wrote to memory of 2168 | 4560 | Ggjjlk32.exe | 111
PID 2168 wrote to memory of 4888 | 2168 | Hcedmkmp.exe | 112
PID 2168 wrote to memory of 4888 | 2168 | Hcedmkmp.exe | 112
PID 2168 wrote to memory of 4888 | 2168 | Hcedmkmp.exe | 112
PID 4888 wrote to memory of 988 | 4888 | Hegmlnbp.exe | 113
PID 4888 wrote to memory of 988 | 4888 | Hegmlnbp.exe | 113
PID 4888 wrote to memory of 988 | 4888 | Hegmlnbp.exe | 113
PID 988 wrote to memory of 3792 | 988 | Hcljmj32.exe | 114
PID 988 wrote to memory of 3792 | 988 | Hcljmj32.exe | 114
PID 988 wrote to memory of 3792 | 988 | Hcljmj32.exe | 114
PID 3792 wrote to memory of 4716 | 3792 | Ilfodgeg.exe | 115
PID 3792 wrote to memory of 4716 | 3792 | Ilfodgeg.exe | 115
PID 3792 wrote to memory of 4716 | 3792 | Ilfodgeg.exe | 115
PID 4716 wrote to memory of 3968 | 4716 | Inkaqb32.exe | 116
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\4a1498faddbfc02e758596c9b33f19ef.exe (command line: "C:\Users\Admin\AppData\Local\Temp\4a1498faddbfc02e758596c9b33f19ef.exe", PID 1856)
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Amnebo32.exe (command line: C:\Windows\system32\Amnebo32.exe, PID 2852)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Bpedeiff.exe (command line: C:\Windows\system32\Bpedeiff.exe, PID 5380)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Bfaigclq.exe (command line: C:\Windows\system32\Bfaigclq.exe, PID 2644)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Cibain32.exe (command line: C:\Windows\system32\Cibain32.exe, PID 3144)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Cgiohbfi.exe (command line: C:\Windows\system32\Cgiohbfi.exe, PID 644)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Ccppmc32.exe (command line: C:\Windows\system32\Ccppmc32.exe, PID 5912)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Dinael32.exe (command line: C:\Windows\system32\Dinael32.exe, PID 5892)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Dcibca32.exe (command line: C:\Windows\system32\Dcibca32.exe, PID 5992)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Ddklbd32.exe (command line: C:\Windows\system32\Ddklbd32.exe, PID 5488)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Ejojljqa.exe (command line: C:\Windows\system32\Ejojljqa.exe, PID 1408)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Edfknb32.exe (command line: C:\Windows\system32\Edfknb32.exe, PID 5524)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Fclhpo32.exe (command line: C:\Windows\system32\Fclhpo32.exe, PID 4812)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Fncibg32.exe (command line: C:\Windows\system32\Fncibg32.exe, PID 4680)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Fgqgfl32.exe (command line: C:\Windows\system32\Fgqgfl32.exe, PID 1016)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Gjficg32.exe (command line: C:\Windows\system32\Gjficg32.exe, PID 1084)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Ggjjlk32.exe (command line: C:\Windows\system32\Ggjjlk32.exe, PID 4560)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Hcedmkmp.exe (command line: C:\Windows\system32\Hcedmkmp.exe, PID 2168)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Hegmlnbp.exe (command line: C:\Windows\system32\Hegmlnbp.exe, PID 4888)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Hcljmj32.exe (command line: C:\Windows\system32\Hcljmj32.exe, PID 988)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Ilfodgeg.exe (command line: C:\Windows\system32\Ilfodgeg.exe, PID 3792)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Inkaqb32.exe (command line: C:\Windows\system32\Inkaqb32.exe, PID 4716)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Jjihfbno.exe (command line: C:\Windows\system32\Jjihfbno.exe, PID 3968)
- Executes dropped EXE
24. C:\Windows\SysWOW64\Jddiegbm.exe (command line: C:\Windows\system32\Jddiegbm.exe, PID 4820)
- Executes dropped EXE
25. C:\Windows\SysWOW64\Koimbpbc.exe (command line: C:\Windows\system32\Koimbpbc.exe, PID 2960)
- Executes dropped EXE
26. C:\Windows\SysWOW64\Klpjad32.exe (command line: C:\Windows\system32\Klpjad32.exe, PID 4492)
- Executes dropped EXE
27. C:\Windows\SysWOW64\Kbnlim32.exe (command line: C:\Windows\system32\Kbnlim32.exe, PID 1480)
- Executes dropped EXE
28. C:\Windows\SysWOW64\Lbqinm32.exe (command line: C:\Windows\system32\Lbqinm32.exe, PID 2692)
- Executes dropped EXE
29. C:\Windows\SysWOW64\Ledoegkm.exe (command line: C:\Windows\system32\Ledoegkm.exe, PID 3416)
- Executes dropped EXE
30. C:\Windows\SysWOW64\Llngbabj.exe (command line: C:\Windows\system32\Llngbabj.exe, PID 2884)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
31. C:\Windows\SysWOW64\Lamlphoo.exe (command line: C:\Windows\system32\Lamlphoo.exe, PID 648)
- Executes dropped EXE
32. C:\Windows\SysWOW64\Mclhjkfa.exe (command line: C:\Windows\system32\Mclhjkfa.exe, PID 784)
- Executes dropped EXE
33. C:\Windows\SysWOW64\Mkjjdmaj.exe (command line: C:\Windows\system32\Mkjjdmaj.exe, PID 5056)
- Executes dropped EXE
34. C:\Windows\SysWOW64\Mllccpfj.exe (command line: C:\Windows\system32\Mllccpfj.exe, PID 1712)
- Executes dropped EXE
35. C:\Windows\SysWOW64\Nlcidopb.exe (command line: C:\Windows\system32\Nlcidopb.exe, PID 4684)
- Executes dropped EXE
36. C:\Windows\SysWOW64\Nofoki32.exe (command line: C:\Windows\system32\Nofoki32.exe, PID 656)
- Executes dropped EXE
37. C:\Windows\SysWOW64\Oomelheh.exe (command line: C:\Windows\system32\Oomelheh.exe, PID 3192)
- Executes dropped EXE
- Modifies registry class
38. C:\Windows\SysWOW64\Okfbgiij.exe (command line: C:\Windows\system32\Okfbgiij.exe, PID 2088)
- Executes dropped EXE
39. C:\Windows\SysWOW64\Podkmgop.exe (command line: C:\Windows\system32\Podkmgop.exe, PID 4440)
- Executes dropped EXE
40. C:\Windows\SysWOW64\Pilpfm32.exe (command line: C:\Windows\system32\Pilpfm32.exe, PID 1404)
41. C:\Windows\SysWOW64\Peempn32.exe (command line: C:\Windows\system32\Peempn32.exe, PID 2296)
- Executes dropped EXE
- Drops file in System32 directory
42. C:\Windows\SysWOW64\Pmoagk32.exe (command line: C:\Windows\system32\Pmoagk32.exe, PID 6096)
- Executes dropped EXE
- Drops file in System32 directory
43. C:\Windows\SysWOW64\Qfjcep32.exe (command line: C:\Windows\system32\Qfjcep32.exe, PID 5452)
- Executes dropped EXE
44. C:\Windows\SysWOW64\Abcppq32.exe (command line: C:\Windows\system32\Abcppq32.exe, PID 5424)
- Executes dropped EXE
45. C:\Windows\SysWOW64\Bfjllnnm.exe (command line: C:\Windows\system32\Bfjllnnm.exe, PID 3988)
- Executes dropped EXE
- Modifies registry class
46. C:\Windows\SysWOW64\Bpgjpb32.exe (command line: C:\Windows\system32\Bpgjpb32.exe, PID 5348)
- Executes dropped EXE
47. C:\Windows\SysWOW64\Cmmgof32.exe (command line: C:\Windows\system32\Cmmgof32.exe, PID 4872)
- Executes dropped EXE
48. C:\Windows\SysWOW64\Cepadh32.exe (command line: C:\Windows\system32\Cepadh32.exe, PID 1960)
- Executes dropped EXE
49. C:\Windows\SysWOW64\Dpefaq32.exe (command line: C:\Windows\system32\Dpefaq32.exe, PID 5896)
- Executes dropped EXE
50. C:\Windows\SysWOW64\Dlqpaafg.exe (command line: C:\Windows\system32\Dlqpaafg.exe, PID 5880)
- Executes dropped EXE
51. C:\Windows\SysWOW64\Emeffcid.exe (command line: C:\Windows\system32\Emeffcid.exe, PID 5500)
- Executes dropped EXE
52. C:\Windows\SysWOW64\Fjeibc32.exe (command line: C:\Windows\system32\Fjeibc32.exe, PID 1600)
- Executes dropped EXE
53. C:\Windows\SysWOW64\Fcmnkh32.exe (command line: C:\Windows\system32\Fcmnkh32.exe, PID 5496)
- Executes dropped EXE
54. C:\Windows\SysWOW64\Fncbha32.exe (command line: C:\Windows\system32\Fncbha32.exe, PID 4584)
- Executes dropped EXE
55. C:\Windows\SysWOW64\Fcddkggf.exe (command line: C:\Windows\system32\Fcddkggf.exe, PID 5076)
- Executes dropped EXE
56. C:\Windows\SysWOW64\Gnoacp32.exe (command line: C:\Windows\system32\Gnoacp32.exe, PID 1660)
- Executes dropped EXE
57. C:\Windows\SysWOW64\Gggfme32.exe (command line: C:\Windows\system32\Gggfme32.exe, PID 5820)
- Executes dropped EXE
58. C:\Windows\SysWOW64\Gmfkjl32.exe (command line: C:\Windows\system32\Gmfkjl32.exe, PID 4012)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
59. C:\Windows\SysWOW64\Hfamia32.exe (command line: C:\Windows\system32\Hfamia32.exe, PID 216)
- Executes dropped EXE
60. C:\Windows\SysWOW64\Hcgjhega.exe (command line: C:\Windows\system32\Hcgjhega.exe, PID 5876)
- Executes dropped EXE
61. C:\Windows\SysWOW64\Hdffah32.exe (command line: C:\Windows\system32\Hdffah32.exe, PID 1852)
- Executes dropped EXE
62. C:\Windows\SysWOW64\Ijfkpnji.exe (command line: C:\Windows\system32\Ijfkpnji.exe, PID 4008)
- Executes dropped EXE
- Drops file in System32 directory
63. C:\Windows\SysWOW64\Ijmapm32.exe (command line: C:\Windows\system32\Ijmapm32.exe, PID 4568)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
64. C:\Windows\SysWOW64\Iaifbg32.exe (command line: C:\Windows\system32\Iaifbg32.exe, PID 2376)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
65. C:\Windows\SysWOW64\Jmbdmg32.exe (command line: C:\Windows\system32\Jmbdmg32.exe, PID 2200)
- Executes dropped EXE
66. C:\Windows\SysWOW64\Jnfjbj32.exe (command line: C:\Windows\system32\Jnfjbj32.exe, PID 3952)
- Executes dropped EXE
67. C:\Windows\SysWOW64\Kceoppmo.exe (command line: C:\Windows\system32\Kceoppmo.exe, PID 5096)
68. C:\Windows\SysWOW64\Kmppneal.exe (command line: C:\Windows\system32\Kmppneal.exe, PID 4652)
- Modifies registry class
69. C:\Windows\SysWOW64\Kmeiie32.exe (command line: C:\Windows\system32\Kmeiie32.exe, PID 1836)
70. C:\Windows\SysWOW64\Lndfchdj.exe (command line: C:\Windows\system32\Lndfchdj.exe, PID 1604)
71. C:\Windows\SysWOW64\Lhogamih.exe (command line: C:\Windows\system32\Lhogamih.exe, PID 448)
72. C:\Windows\SysWOW64\Meljappg.exe (command line: C:\Windows\system32\Meljappg.exe, PID 3956)
73. C:\Windows\SysWOW64\Ngnppfgb.exe (command line: C:\Windows\system32\Ngnppfgb.exe, PID 2676)
74. C:\Windows\SysWOW64\Onhhmpoo.exe (command line: C:\Windows\system32\Onhhmpoo.exe, PID 5152)
75. C:\Windows\SysWOW64\Ogefqeaj.exe (command line: C:\Windows\system32\Ogefqeaj.exe, PID 3400)
76. C:\Windows\SysWOW64\Paocim32.exe (command line: C:\Windows\system32\Paocim32.exe, PID 3376)
77. C:\Windows\SysWOW64\Pfmlok32.exe (command line: C:\Windows\system32\Pfmlok32.exe, PID 5324)
78. C:\Windows\SysWOW64\Qoocnpag.exe (command line: C:\Windows\system32\Qoocnpag.exe, PID 3016)
79. C:\Windows\SysWOW64\Qbmpjkqk.exe (command line: C:\Windows\system32\Qbmpjkqk.exe, PID 5944)
80. C:\Windows\SysWOW64\Agjhbbob.exe (command line: C:\Windows\system32\Agjhbbob.exe, PID 4956)
81. C:\Windows\SysWOW64\Andqol32.exe (command line: C:\Windows\system32\Andqol32.exe, PID 2704)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
82. C:\Windows\SysWOW64\Agmehamp.exe (command line: C:\Windows\system32\Agmehamp.exe, PID 5972)
83. C:\Windows\SysWOW64\Afnefieo.exe (command line: C:\Windows\system32\Afnefieo.exe, PID 5764)
84. C:\Windows\SysWOW64\Akjnnpcf.exe (command line: C:\Windows\system32\Akjnnpcf.exe, PID 4192)
85. C:\Windows\SysWOW64\Agckiqgg.exe (command line: C:\Windows\system32\Agckiqgg.exe, PID 4612)
86. C:\Windows\SysWOW64\Bgkaip32.exe (command line: C:\Windows\system32\Bgkaip32.exe, PID 5032)
87. C:\Windows\SysWOW64\Beaohcmf.exe (command line: C:\Windows\system32\Beaohcmf.exe, PID 4496)
88. C:\Windows\SysWOW64\Bfpkbfdi.exe (command line: C:\Windows\system32\Bfpkbfdi.exe, PID 4436)
89. C:\Windows\SysWOW64\Cnpibh32.exe (command line: C:\Windows\system32\Cnpibh32.exe, PID 3532)
- Modifies registry class
90. C:\Windows\SysWOW64\Cnbfgh32.exe (command line: C:\Windows\system32\Cnbfgh32.exe, PID 5020)
91. C:\Windows\SysWOW64\Cihjeq32.exe (command line: C:\Windows\system32\Cihjeq32.exe, PID 5164)
92. C:\Windows\SysWOW64\Donecfao.exe (command line: C:\Windows\system32\Donecfao.exe, PID 4884)
93. C:\Windows\SysWOW64\Didjqoae.exe (command line: C:\Windows\system32\Didjqoae.exe, PID 3536)
94. C:\Windows\SysWOW64\Fplnogmb.exe (command line: C:\Windows\system32\Fplnogmb.exe, PID 3180)
95. C:\Windows\SysWOW64\Fidbgm32.exe (command line: C:\Windows\system32\Fidbgm32.exe, PID 5604)
96. C:\Windows\SysWOW64\Fpeaeedg.exe (command line: C:\Windows\system32\Fpeaeedg.exe, PID 4512)
97. C:\Windows\SysWOW64\Gpodkdll.exe (command line: C:\Windows\system32\Gpodkdll.exe, PID 2364)
98. C:\Windows\SysWOW64\Geklckkd.exe (command line: C:\Windows\system32\Geklckkd.exe, PID 5136)
99. C:\Windows\SysWOW64\Hpaqqdjj.exe (command line: C:\Windows\system32\Hpaqqdjj.exe, PID 4344)
- Drops file in System32 directory
100. C:\Windows\SysWOW64\Hfniikha.exe (command line: C:\Windows\system32\Hfniikha.exe, PID 2164)
101. C:\Windows\SysWOW64\Iqmplbpl.exe (command line: C:\Windows\system32\Iqmplbpl.exe, PID 3564)
102. C:\Windows\SysWOW64\Imjgbb32.exe (command line: C:\Windows\system32\Imjgbb32.exe, PID 5012)
103. C:\Windows\SysWOW64\Iiaggc32.exe (command line: C:\Windows\system32\Iiaggc32.exe, PID 2264)
104. C:\Windows\SysWOW64\Kcehejic.exe (command line: C:\Windows\system32\Kcehejic.exe, PID 4824)
- Adds autorun key to be loaded by Explorer.exe on startup
105. C:\Windows\SysWOW64\Kjopbd32.exe (command line: C:\Windows\system32\Kjopbd32.exe, PID 3056)
106. C:\Windows\SysWOW64\Lfmghdpl.exe (command line: C:\Windows\system32\Lfmghdpl.exe, PID 3944)
107. C:\Windows\SysWOW64\Labkempb.exe (command line: C:\Windows\system32\Labkempb.exe, PID 3020)
108. C:\Windows\SysWOW64\Lccdghmc.exe (command line: C:\Windows\system32\Lccdghmc.exe, PID 4480)
109. C:\Windows\SysWOW64\Ljmmcbdp.exe (command line: C:\Windows\system32\Ljmmcbdp.exe, PID 5396)
110. C:\Windows\SysWOW64\Lagepl32.exe (command line: C:\Windows\system32\Lagepl32.exe, PID 5508)
- Drops file in System32 directory
111. C:\Windows\SysWOW64\Lhammfci.exe (command line: C:\Windows\system32\Lhammfci.exe, PID 4360)
112. C:\Windows\SysWOW64\Miklkm32.exe (command line: C:\Windows\system32\Miklkm32.exe, PID 3900)
113. C:\Windows\SysWOW64\Nieoal32.exe (command line: C:\Windows\system32\Nieoal32.exe, PID 1504)
- Adds autorun key to be loaded by Explorer.exe on startup
114. C:\Windows\SysWOW64\Ohobebig.exe (command line: C:\Windows\system32\Ohobebig.exe, PID 4980)
115. C:\Windows\SysWOW64\Omlkmign.exe (command line: C:\Windows\system32\Omlkmign.exe, PID 6084)
116. C:\Windows\SysWOW64\Ppamjcpj.exe (command line: C:\Windows\system32\Ppamjcpj.exe, PID 6004)
117. C:\Windows\SysWOW64\Pkgaglpp.exe (command line: C:\Windows\system32\Pkgaglpp.exe, PID 5564)
118. C:\Windows\SysWOW64\Qnamofdf.exe (command line: C:\Windows\system32\Qnamofdf.exe, PID 4256)
- Modifies registry class
119. C:\Windows\SysWOW64\Adkelplc.exe (command line: C:\Windows\system32\Adkelplc.exe, PID 2308)
- Adds autorun key to be loaded by Explorer.exe on startup
120. C:\Windows\SysWOW64\Ahngmnnd.exe (command line: C:\Windows\system32\Ahngmnnd.exe, PID 5200)
121. C:\Windows\SysWOW64\Anjpeelk.exe (command line: C:\Windows\system32\Anjpeelk.exe, PID 1376)
122. C:\Windows\SysWOW64\Fkgejncb.exe (command line: C:\Windows\system32\Fkgejncb.exe, PID 4816)