Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/04/2024, 22:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4d1de937d748bb12baafd641f52758bb.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
4d1de937d748bb12baafd641f52758bb.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
4d1de937d748bb12baafd641f52758bb.exe
-
Size
312KB
-
MD5
4d1de937d748bb12baafd641f52758bb
-
SHA1
fd8315c97406ba210776b9ef4d4b3ae9d9441520
-
SHA256
7a1f91b67bb98886869633adcd9bc99aa6271a0d83b0354e0ed7da95b4e2e1b4
-
SHA512
60158e38870373865e2c95bd8cd3f0fcee67d65eadb78d37fa66513fe9529da6a030c557b3413e323e6732a05d86fdf07e91c477e67872f1ea5fae83a2f21034
-
SSDEEP
6144:AGKKhCIzjxgPXuapoaCPXbo92ynnZlVrtv35CPXbo92ynn8sbeWDSf:xKCCIz+uqFHRFbev
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jclomamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Midcpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojkboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eflgccbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kanopipl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojficpfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaefjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncancbha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phjelg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjndop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnbhek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbmmcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfeddafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnhqdkde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdpejfq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loooca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maphdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkobnqan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpcbqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlgigdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paejki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccfhhffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkihhhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqhhknjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klqfhbbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Magnek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njdpomfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgobhcac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Penfelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afiecb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aigaon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffkcbgek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mofecpnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhnfkigh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdccfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njiijlbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofdcjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnigda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckdjbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfinoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ichico32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egdilkbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfeddafl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lodlom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epaogi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjdkdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llccmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onmkio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlhnbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnpmipql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cciemedf.exe -
Executes dropped EXE 64 IoCs
pid Process 2152 Hlpamq32.exe 2040 Hoonilag.exe 2568 Hamjehqk.exe 2628 Hfifff32.exe 2584 Hhgbba32.exe 2476 Hhioga32.exe 2100 Hglocnmp.exe 2500 Hqddldcp.exe 2120 Hccphobd.exe 1916 Iqgqacam.exe 1556 Idblbb32.exe 1548 Iqimgc32.exe 2780 Ichico32.exe 2932 Ijaapifk.exe 2508 Impnldeo.exe 1880 Icjfhn32.exe 580 Ijdnehci.exe 808 Imbkadcl.exe 984 Iclcnnji.exe 1152 Imeggc32.exe 972 Ioccco32.exe 1280 Ibapoj32.exe 1704 Jeplkf32.exe 1172 Jilhldfn.exe 344 Jgnhga32.exe 2560 Jnhqdkde.exe 2432 Jinead32.exe 2408 Jbfijjkl.exe 2116 Jcgfbb32.exe 108 Jnmjok32.exe 2412 Jakfkfpc.exe 2764 Jgenhp32.exe 356 Jjdkdl32.exe 2924 Jmbgpg32.exe 1008 Jancafna.exe 1252 Jclomamd.exe 2252 Jfkkimlh.exe 2444 Jiigehkl.exe 712 Kappfeln.exe 1352 Kcolba32.exe 2788 Kfmhol32.exe 2168 Kmgpkfab.exe 1312 Kljqgc32.exe 1484 Kpemgbqf.exe 240 Kbcicmpj.exe 764 Kebepion.exe 2652 Kmimafop.exe 2676 Kphimanc.exe 2960 Kbfeimng.exe 2348 Kedaeh32.exe 1032 Khcnad32.exe 2588 Kpjfba32.exe 2124 Komfnnck.exe 1832 Kakbjibo.exe 1656 Kibjkgca.exe 1512 Klqfhbbe.exe 1400 Koocdnai.exe 2244 Kanopipl.exe 2460 Kdlkld32.exe 1824 Llccmb32.exe 2172 Lmdpejfq.exe 1740 Lekhfgfc.exe 2128 Ldnhad32.exe 792 Lfmdnp32.exe -
Loads dropped DLL 64 IoCs
pid Process 2280 4d1de937d748bb12baafd641f52758bb.exe 2280 4d1de937d748bb12baafd641f52758bb.exe 2152 Hlpamq32.exe 2152 Hlpamq32.exe 2040 Hoonilag.exe 2040 Hoonilag.exe 2568 Hamjehqk.exe 2568 Hamjehqk.exe 2628 Hfifff32.exe 2628 Hfifff32.exe 2584 Hhgbba32.exe 2584 Hhgbba32.exe 2476 Hhioga32.exe 2476 Hhioga32.exe 2100 Hglocnmp.exe 2100 Hglocnmp.exe 2500 Hqddldcp.exe 2500 Hqddldcp.exe 2120 Hccphobd.exe 2120 Hccphobd.exe 1916 Iqgqacam.exe 1916 Iqgqacam.exe 1556 Idblbb32.exe 1556 Idblbb32.exe 1548 Iqimgc32.exe 1548 Iqimgc32.exe 2780 Ichico32.exe 2780 Ichico32.exe 2932 Ijaapifk.exe 2932 Ijaapifk.exe 2508 Impnldeo.exe 2508 Impnldeo.exe 1880 Icjfhn32.exe 1880 Icjfhn32.exe 580 Ijdnehci.exe 580 Ijdnehci.exe 808 Imbkadcl.exe 808 Imbkadcl.exe 984 Iclcnnji.exe 984 Iclcnnji.exe 1152 Imeggc32.exe 1152 Imeggc32.exe 972 Ioccco32.exe 972 Ioccco32.exe 1280 Ibapoj32.exe 1280 Ibapoj32.exe 1704 Jeplkf32.exe 1704 Jeplkf32.exe 1172 Jilhldfn.exe 1172 Jilhldfn.exe 344 Jgnhga32.exe 344 Jgnhga32.exe 2560 Jnhqdkde.exe 2560 Jnhqdkde.exe 2432 Jinead32.exe 2432 Jinead32.exe 2408 Jbfijjkl.exe 2408 Jbfijjkl.exe 2116 Jcgfbb32.exe 2116 Jcgfbb32.exe 108 Jnmjok32.exe 108 Jnmjok32.exe 2412 Jakfkfpc.exe 2412 Jakfkfpc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Afiecb32.exe Abmibdlh.exe File created C:\Windows\SysWOW64\Amejeljk.exe Aenbdoii.exe File created C:\Windows\SysWOW64\Mbiiek32.dll Cdlnkmha.exe File created C:\Windows\SysWOW64\Ppqqbdml.dll Mabejlob.exe File opened for modification C:\Windows\SysWOW64\Njbcim32.exe Mkobnqan.exe File opened for modification C:\Windows\SysWOW64\Nkaocp32.exe Ncjgbcoi.exe File created C:\Windows\SysWOW64\Ogfpbeim.exe Odgcfijj.exe File created C:\Windows\SysWOW64\Ioccco32.exe Imeggc32.exe File created C:\Windows\SysWOW64\Fiedkadc.dll Ogfpbeim.exe File created C:\Windows\SysWOW64\Gadkgl32.dll Ealnephf.exe File created C:\Windows\SysWOW64\Nfmjcmjd.dll Icbimi32.exe File created C:\Windows\SysWOW64\Iaeldika.dll Ffkcbgek.exe File created C:\Windows\SysWOW64\Hpenlb32.dll Ckffgg32.exe File created C:\Windows\SysWOW64\Ipdljffa.dll Dbpodagk.exe File created C:\Windows\SysWOW64\Cbolpc32.dll Dodonf32.exe File created C:\Windows\SysWOW64\Eecqjpee.exe Ebedndfa.exe File opened for modification C:\Windows\SysWOW64\Kbfeimng.exe Kphimanc.exe File created C:\Windows\SysWOW64\Lqamandk.dll Adhlaggp.exe File opened for modification C:\Windows\SysWOW64\Emcbkn32.exe Eihfjo32.exe File opened for modification C:\Windows\SysWOW64\Hiqbndpb.exe Hgbebiao.exe File created C:\Windows\SysWOW64\Memeaofm.dll Dgmglh32.exe File opened for modification C:\Windows\SysWOW64\Djbiicon.exe Dgdmmgpj.exe File created C:\Windows\SysWOW64\Eeqdep32.exe Ebbgid32.exe File created C:\Windows\SysWOW64\Mlgigdoh.exe Mhlmgf32.exe File created C:\Windows\SysWOW64\Ncmdhb32.exe Ndjdlffl.exe File created C:\Windows\SysWOW64\Pmlkpjpj.exe Pjmodopf.exe File opened for modification C:\Windows\SysWOW64\Qlhnbf32.exe Qhmbagfa.exe File created C:\Windows\SysWOW64\Boiccdnf.exe Bpfcgg32.exe File opened for modification C:\Windows\SysWOW64\Eiomkn32.exe Eecqjpee.exe File created C:\Windows\SysWOW64\Gieojq32.exe Gangic32.exe File created C:\Windows\SysWOW64\Alogkm32.dll Hcplhi32.exe File created C:\Windows\SysWOW64\Jfkkimlh.exe Jclomamd.exe File created C:\Windows\SysWOW64\Gangic32.exe Gegfdb32.exe File created C:\Windows\SysWOW64\Higdqfol.dll Pbpjiphi.exe File created C:\Windows\SysWOW64\Qecoqk32.exe Qagcpljo.exe File opened for modification C:\Windows\SysWOW64\Hobcak32.exe Hlcgeo32.exe File created C:\Windows\SysWOW64\Ijaapifk.exe Ichico32.exe File created C:\Windows\SysWOW64\Jgenhp32.exe Jakfkfpc.exe File created C:\Windows\SysWOW64\Olcehoom.dll Kedaeh32.exe File created C:\Windows\SysWOW64\Fonfbi32.dll Ncjgbcoi.exe File created C:\Windows\SysWOW64\Gfegkapd.dll Pchpbded.exe File created C:\Windows\SysWOW64\Cfgaiaci.exe Cciemedf.exe File opened for modification C:\Windows\SysWOW64\Ladeqhjd.exe Lmiipi32.exe File created C:\Windows\SysWOW64\Oghlgdgk.exe Oiellh32.exe File created C:\Windows\SysWOW64\Ldmndi32.dll Oiellh32.exe File created C:\Windows\SysWOW64\Cmmhnnlm.dll Ogmfbd32.exe File created C:\Windows\SysWOW64\Kphimanc.exe Kmimafop.exe File created C:\Windows\SysWOW64\Ondajnme.exe Okfencna.exe File created C:\Windows\SysWOW64\Bnefdp32.exe Bjijdadm.exe File created C:\Windows\SysWOW64\Hckcmjep.exe Hdhbam32.exe File created C:\Windows\SysWOW64\Odbkcj32.dll Pndniaop.exe File created C:\Windows\SysWOW64\Bhfagipa.exe Bdjefj32.exe File created C:\Windows\SysWOW64\Qlhnbf32.exe Qhmbagfa.exe File opened for modification C:\Windows\SysWOW64\Qbbfopeg.exe Qlhnbf32.exe File created C:\Windows\SysWOW64\Njqaac32.dll Eflgccbp.exe File opened for modification C:\Windows\SysWOW64\Ekholjqg.exe Eijcpoac.exe File created C:\Windows\SysWOW64\Lganiohl.exe Ldcamcih.exe File created C:\Windows\SysWOW64\Mgfgdn32.exe Loooca32.exe File created C:\Windows\SysWOW64\Odjpkihg.exe Obkdonic.exe File created C:\Windows\SysWOW64\Pmdmeemc.dll Plcdgfbo.exe File created C:\Windows\SysWOW64\Goddhg32.exe Gkihhhnm.exe File created C:\Windows\SysWOW64\Iiiaeiac.dll Ldqegd32.exe File created C:\Windows\SysWOW64\Oojimd32.dll Mlcple32.exe File created C:\Windows\SysWOW64\Aljgfioc.exe Ailkjmpo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4360 4636 WerFault.exe 429 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogfpbeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pccfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pndniaop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhkpmjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lggiipie.dll" Kbfeimng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coklgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjndop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdhbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbflib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmgmp32.dll" Ngkmnacm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odegpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eajaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijdnehci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kakbjibo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njkfpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kedlancd.dll" Ohqbqhde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogjimd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hckcmjep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijaapifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inbndkhn.dll" Meigpkka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadlib32.dll" Onmkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnigda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afmonbqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gclcefmh.dll" Cdakgibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnilobkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Globlmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfkgnmg.dll" Jbfijjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpgele32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obnqem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdanej32.dll" Fhhcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blipbfpp.dll" Lhlqhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpgele32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohqbqhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhcecp32.dll" Apomfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emcbkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Homnpp32.dll" Hlpamq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgocalod.dll" Lipjejgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnefdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accikb32.dll" Bpcbqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll" Gobgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll" Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necggg32.dll" Iqimgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhnfkigh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddckpim.dll" Pjmodopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iklefg32.dll" Afiecb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdljffa.dll" Dbpodagk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epaogi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnbkddem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemeeh32.dll" Loooca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kphimanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimcgn32.dll" Ahakmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epafjqck.dll" Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" Inljnfkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgnhga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojiich32.dll" Ojficpfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjmkcbcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccfhhffh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2280 wrote to memory of 2152 2280 4d1de937d748bb12baafd641f52758bb.exe 28 PID 2280 wrote to memory of 2152 2280 4d1de937d748bb12baafd641f52758bb.exe 28 PID 2280 wrote to memory of 2152 2280 4d1de937d748bb12baafd641f52758bb.exe 28 PID 2280 wrote to memory of 2152 2280 4d1de937d748bb12baafd641f52758bb.exe 28 PID 2152 wrote to memory of 2040 2152 Hlpamq32.exe 29 PID 2152 wrote to memory of 2040 2152 Hlpamq32.exe 29 PID 2152 wrote to memory of 2040 2152 Hlpamq32.exe 29 PID 2152 wrote to memory of 2040 2152 Hlpamq32.exe 29 PID 2040 wrote to memory of 2568 2040 Hoonilag.exe 30 PID 2040 wrote to memory of 2568 2040 Hoonilag.exe 30 PID 2040 wrote to memory of 2568 2040 Hoonilag.exe 30 PID 2040 wrote to memory of 2568 2040 Hoonilag.exe 30 PID 2568 wrote to memory of 2628 2568 Hamjehqk.exe 31 PID 2568 wrote to memory of 2628 2568 Hamjehqk.exe 31 PID 2568 wrote to memory of 2628 2568 Hamjehqk.exe 31 PID 2568 wrote to memory of 2628 2568 Hamjehqk.exe 31 PID 2628 wrote to memory of 2584 2628 Hfifff32.exe 32 PID 2628 wrote to memory of 2584 2628 Hfifff32.exe 32 PID 2628 wrote to memory of 2584 2628 Hfifff32.exe 32 PID 2628 wrote to memory of 2584 2628 Hfifff32.exe 32 PID 2584 wrote to memory of 2476 2584 Hhgbba32.exe 33 PID 2584 wrote to memory of 2476 2584 Hhgbba32.exe 33 PID 2584 wrote to memory of 2476 2584 Hhgbba32.exe 33 PID 2584 wrote to memory of 2476 2584 Hhgbba32.exe 33 PID 2476 wrote to memory of 2100 2476 Hhioga32.exe 34 PID 2476 wrote to memory of 2100 2476 Hhioga32.exe 34 PID 2476 wrote to memory of 2100 2476 Hhioga32.exe 34 PID 2476 wrote to memory of 2100 2476 Hhioga32.exe 34 PID 2100 wrote to memory of 2500 2100 Hglocnmp.exe 35 PID 2100 wrote to memory of 2500 2100 Hglocnmp.exe 35 PID 2100 wrote to memory of 2500 2100 Hglocnmp.exe 35 PID 2100 wrote to memory of 2500 2100 Hglocnmp.exe 35 PID 2500 wrote to memory of 2120 2500 Hqddldcp.exe 36 PID 2500 wrote to memory of 2120 2500 Hqddldcp.exe 36 PID 2500 wrote to memory of 2120 2500 Hqddldcp.exe 36 PID 2500 wrote to memory of 2120 2500 Hqddldcp.exe 36 PID 2120 wrote to memory of 1916 2120 Hccphobd.exe 37 PID 2120 wrote to memory of 1916 2120 Hccphobd.exe 37 PID 2120 wrote to memory of 1916 2120 Hccphobd.exe 37 PID 2120 wrote to memory of 1916 2120 Hccphobd.exe 37 PID 1916 wrote to memory of 1556 1916 Iqgqacam.exe 38 PID 1916 wrote to memory of 1556 1916 Iqgqacam.exe 38 PID 1916 wrote to memory of 1556 1916 Iqgqacam.exe 38 PID 1916 wrote to memory of 1556 1916 Iqgqacam.exe 38 PID 1556 wrote to memory of 1548 1556 Idblbb32.exe 39 PID 1556 wrote to memory of 1548 1556 Idblbb32.exe 39 PID 1556 wrote to memory of 1548 1556 Idblbb32.exe 39 PID 1556 wrote to memory of 1548 1556 Idblbb32.exe 39 PID 1548 wrote to memory of 2780 1548 Iqimgc32.exe 40 PID 1548 wrote to memory of 2780 1548 Iqimgc32.exe 40 PID 1548 wrote to memory of 2780 1548 Iqimgc32.exe 40 PID 1548 wrote to memory of 2780 1548 Iqimgc32.exe 40 PID 2780 wrote to memory of 2932 2780 Ichico32.exe 41 PID 2780 wrote to memory of 2932 2780 Ichico32.exe 41 PID 2780 wrote to memory of 2932 2780 Ichico32.exe 41 PID 2780 wrote to memory of 2932 2780 Ichico32.exe 41 PID 2932 wrote to memory of 2508 2932 Ijaapifk.exe 42 PID 2932 wrote to memory of 2508 2932 Ijaapifk.exe 42 PID 2932 wrote to memory of 2508 2932 Ijaapifk.exe 42 PID 2932 wrote to memory of 2508 2932 Ijaapifk.exe 42 PID 2508 wrote to memory of 1880 2508 Impnldeo.exe 43 PID 2508 wrote to memory of 1880 2508 Impnldeo.exe 43 PID 2508 wrote to memory of 1880 2508 Impnldeo.exe 43 PID 2508 wrote to memory of 1880 2508 Impnldeo.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d1de937d748bb12baafd641f52758bb.exe"C:\Users\Admin\AppData\Local\Temp\4d1de937d748bb12baafd641f52758bb.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Hlpamq32.exeC:\Windows\system32\Hlpamq32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Hoonilag.exeC:\Windows\system32\Hoonilag.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Hamjehqk.exeC:\Windows\system32\Hamjehqk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Hfifff32.exeC:\Windows\system32\Hfifff32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Hhgbba32.exeC:\Windows\system32\Hhgbba32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Hhioga32.exeC:\Windows\system32\Hhioga32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Hglocnmp.exeC:\Windows\system32\Hglocnmp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Hqddldcp.exeC:\Windows\system32\Hqddldcp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Hccphobd.exeC:\Windows\system32\Hccphobd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Iqgqacam.exeC:\Windows\system32\Iqgqacam.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Idblbb32.exeC:\Windows\system32\Idblbb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Iqimgc32.exeC:\Windows\system32\Iqimgc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Ichico32.exeC:\Windows\system32\Ichico32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Ijaapifk.exeC:\Windows\system32\Ijaapifk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Impnldeo.exeC:\Windows\system32\Impnldeo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Icjfhn32.exeC:\Windows\system32\Icjfhn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1880 -
C:\Windows\SysWOW64\Ijdnehci.exeC:\Windows\system32\Ijdnehci.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:580 -
C:\Windows\SysWOW64\Imbkadcl.exeC:\Windows\system32\Imbkadcl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:808 -
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Ioccco32.exeC:\Windows\system32\Ioccco32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972 -
C:\Windows\SysWOW64\Ibapoj32.exeC:\Windows\system32\Ibapoj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1280 -
C:\Windows\SysWOW64\Jeplkf32.exeC:\Windows\system32\Jeplkf32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1172 -
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:344 -
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Jbfijjkl.exeC:\Windows\system32\Jbfijjkl.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Jnmjok32.exeC:\Windows\system32\Jnmjok32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:108 -
C:\Windows\SysWOW64\Jakfkfpc.exeC:\Windows\system32\Jakfkfpc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe33⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Jjdkdl32.exeC:\Windows\system32\Jjdkdl32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:356 -
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe35⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Jancafna.exeC:\Windows\system32\Jancafna.exe36⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1252 -
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe38⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe39⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe40⤵
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe41⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe42⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe43⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe44⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe45⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe46⤵
- Executes dropped EXE
PID:240 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe47⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe52⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe53⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe54⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe56⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe58⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe60⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe63⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe64⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe65⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2472 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe67⤵PID:556
-
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe68⤵
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe69⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe70⤵PID:3000
-
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe71⤵
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe72⤵PID:2076
-
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe73⤵
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe74⤵
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe75⤵PID:1464
-
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe76⤵PID:1552
-
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe77⤵
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe78⤵PID:2736
-
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe79⤵PID:1668
-
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe80⤵PID:268
-
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe81⤵PID:2492
-
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe82⤵PID:2184
-
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe83⤵PID:1836
-
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe84⤵PID:1736
-
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe86⤵PID:2748
-
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe87⤵
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1964 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe89⤵PID:2664
-
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe90⤵
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe91⤵PID:2772
-
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2600 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe93⤵PID:1096
-
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe94⤵PID:1408
-
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe95⤵PID:1608
-
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe96⤵
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe97⤵PID:848
-
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe98⤵
- Drops file in System32 directory
PID:1884 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2892 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1508 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe101⤵PID:1652
-
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe102⤵PID:2768
-
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe103⤵PID:2656
-
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe104⤵PID:824
-
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2424 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe106⤵PID:1612
-
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe107⤵PID:2668
-
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe109⤵PID:352
-
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe110⤵PID:2296
-
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe111⤵PID:2284
-
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe112⤵PID:648
-
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe113⤵
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe114⤵PID:1544
-
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1560 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe116⤵PID:2756
-
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe117⤵PID:2592
-
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe118⤵
- Drops file in System32 directory
PID:1348 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe119⤵PID:2212
-
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe120⤵PID:604
-
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe121⤵PID:1804
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-