Analysis
-
max time kernel
141s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
30/04/2024, 02:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe
-
Size
256KB
-
MD5
233a4c3e64fe6486997dcdd5a38362d2
-
SHA1
720a995378850dd917c82c9a3a364d56edbf2fa9
-
SHA256
ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604
-
SHA512
cda8e2a6a28a4662401a54795ecc4f9cd003ddeb0c6ac5bbfe49fde7a8f0fc92c237a0b9d180d5394d724b5cb1c29abf3275616e944c59324912ba5be46ca6c4
-
SSDEEP
6144:pnI6hJbTlSTYaT15f7o+STYaT15fAK8yL:pnI6nATYapJoTYapz8yL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhfjjdjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaholp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfppgohb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjpkqonj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnnaoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnafnopi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mclebc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glijnmdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgaoic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlgdhcmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onocon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olopjddf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpkqfdmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjlemlnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfippfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbchkime.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbmkfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmepanje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmglajcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmeeepjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difqji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhcebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdnkanfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnkfcjqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbfobllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mobomnoq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkkhpadq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgklp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdfjnkne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neekogkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcckcbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihbdhepp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qghgigkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mobomnoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pelnniga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqphnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibkkjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qackpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pchbmigj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmelpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipabfcdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jidbifmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kekiphge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmclmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmfjmake.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkgpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhfjjdjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kglfcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbkchj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jikeeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgahoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbimkpmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnabffeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggkibhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iokahhac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeccdila.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heliepmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjoklkie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfcodkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efmlqigc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Konndhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omcifpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpjbgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpgcip32.exe -
Executes dropped EXE 64 IoCs
pid Process 1288 Gicdnj32.exe 2680 Gifaciae.exe 2540 Gacbmk32.exe 2500 Hahlhkhi.exe 2684 Hfgafadm.exe 2668 Hppfog32.exe 2996 Iaelanmg.exe 1788 Iajemnia.exe 744 Ionefb32.exe 1328 Jnhlbn32.exe 2328 Jkbfdfbm.exe 1944 Jhffnk32.exe 1744 Kqdhhm32.exe 2788 Konndhmb.exe 1324 Lopkjhko.exe 2432 Lgpiij32.exe 2492 Lipecm32.exe 1764 Mpbdnk32.exe 992 Mikhgqbi.exe 1956 Mlkail32.exe 3032 Noljjglk.exe 2108 Nfcbldmm.exe 1216 Noacef32.exe 2268 Ohnaik32.exe 2764 Oiakgcnl.exe 2252 Oghhfg32.exe 2576 Ohidmoaa.exe 2980 Oemegc32.exe 2616 Plijimee.exe 2632 Pddnnp32.exe 2640 Pnopldgn.exe 2360 Pkcpei32.exe 2820 Pqphnp32.exe 1548 Qfmafg32.exe 1636 Qmifhq32.exe 1240 Afajafoa.exe 1796 Abhkfg32.exe 2020 Amnocpdk.exe 1308 Abkhkgbb.exe 2332 Aggpdnpj.exe 968 Aapemc32.exe 2452 Ancefgfd.exe 2756 Agljom32.exe 2940 Bmibgd32.exe 2892 Bgnfdm32.exe 1980 Bmkomchi.exe 1972 Bfccei32.exe 1948 Bbjdjjdn.exe 2904 Bpnddn32.exe 2184 Bekmle32.exe 880 Bncaekhp.exe 1320 Cemjae32.exe 2072 Cbajkiof.exe 1680 Cohkpj32.exe 2604 Cojhejbh.exe 2744 Chcloo32.exe 2496 Cfhiplmp.exe 2624 Ddliip32.exe 664 Dmdnbecj.exe 2004 Dmgkgeah.exe 1616 Debplg32.exe 2344 Dpgcip32.exe 1864 Dedlag32.exe 1268 Dchmkkkj.exe -
Loads dropped DLL 64 IoCs
pid Process 2168 ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe 2168 ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe 1288 Gicdnj32.exe 1288 Gicdnj32.exe 2680 Gifaciae.exe 2680 Gifaciae.exe 2540 Gacbmk32.exe 2540 Gacbmk32.exe 2500 Hahlhkhi.exe 2500 Hahlhkhi.exe 2684 Hfgafadm.exe 2684 Hfgafadm.exe 2668 Hppfog32.exe 2668 Hppfog32.exe 2996 Iaelanmg.exe 2996 Iaelanmg.exe 1788 Iajemnia.exe 1788 Iajemnia.exe 744 Ionefb32.exe 744 Ionefb32.exe 1328 Jnhlbn32.exe 1328 Jnhlbn32.exe 2328 Jkbfdfbm.exe 2328 Jkbfdfbm.exe 1944 Jhffnk32.exe 1944 Jhffnk32.exe 1744 Kqdhhm32.exe 1744 Kqdhhm32.exe 2788 Konndhmb.exe 2788 Konndhmb.exe 1324 Lopkjhko.exe 1324 Lopkjhko.exe 2432 Lgpiij32.exe 2432 Lgpiij32.exe 2492 Lipecm32.exe 2492 Lipecm32.exe 1764 Mpbdnk32.exe 1764 Mpbdnk32.exe 992 Mikhgqbi.exe 992 Mikhgqbi.exe 1956 Mlkail32.exe 1956 Mlkail32.exe 3032 Noljjglk.exe 3032 Noljjglk.exe 2108 Nfcbldmm.exe 2108 Nfcbldmm.exe 1216 Noacef32.exe 1216 Noacef32.exe 2268 Ohnaik32.exe 2268 Ohnaik32.exe 1508 Olpgconp.exe 1508 Olpgconp.exe 2252 Oghhfg32.exe 2252 Oghhfg32.exe 2576 Ohidmoaa.exe 2576 Ohidmoaa.exe 2980 Oemegc32.exe 2980 Oemegc32.exe 2616 Plijimee.exe 2616 Plijimee.exe 2632 Pddnnp32.exe 2632 Pddnnp32.exe 2640 Pnopldgn.exe 2640 Pnopldgn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pnopldgn.exe Pddnnp32.exe File created C:\Windows\SysWOW64\Qklpempi.dll Najpll32.exe File opened for modification C:\Windows\SysWOW64\Ojpomh32.exe Ocefpnom.exe File created C:\Windows\SysWOW64\Jfhmqaaj.dll Kmaphmln.exe File created C:\Windows\SysWOW64\Iekcqo32.dll Lmfgkh32.exe File created C:\Windows\SysWOW64\Jglgoc32.dll Bbfgiabg.exe File opened for modification C:\Windows\SysWOW64\Nlefhcnc.exe Nnafnopi.exe File created C:\Windows\SysWOW64\Hmbndmkb.exe Hgeelf32.exe File opened for modification C:\Windows\SysWOW64\Jmgfgham.exe Jgjmoace.exe File opened for modification C:\Windows\SysWOW64\Jfddkmch.exe Jojloc32.exe File created C:\Windows\SysWOW64\Haenec32.dll Gjbqjiem.exe File created C:\Windows\SysWOW64\Hpdbmooo.exe Heonpf32.exe File opened for modification C:\Windows\SysWOW64\Hmqieh32.exe Hkbmil32.exe File opened for modification C:\Windows\SysWOW64\Lekcffem.exe Lggbmbfc.exe File opened for modification C:\Windows\SysWOW64\Homdhjai.exe Hnnhngjf.exe File created C:\Windows\SysWOW64\Phehko32.exe Peeoidik.exe File created C:\Windows\SysWOW64\Fpnehm32.dll Boemlbpk.exe File created C:\Windows\SysWOW64\Jngilalk.exe Jacibm32.exe File created C:\Windows\SysWOW64\Amoaeb32.dll Jacibm32.exe File created C:\Windows\SysWOW64\Jkcgmf32.dll Ckchcc32.exe File created C:\Windows\SysWOW64\Pincfpoo.exe Omcifpnp.exe File created C:\Windows\SysWOW64\Coecokqd.dll Ngdjaofc.exe File created C:\Windows\SysWOW64\Mmgofm32.dll Hdhbci32.exe File created C:\Windows\SysWOW64\Jbekkd32.dll Lfippfej.exe File created C:\Windows\SysWOW64\Lhhkobjh.dll Mgnfji32.exe File opened for modification C:\Windows\SysWOW64\Ecjibgdh.exe Egchmfnd.exe File opened for modification C:\Windows\SysWOW64\Aknlofim.exe Aqhhanig.exe File created C:\Windows\SysWOW64\Hqgggnne.dll Pbigmn32.exe File created C:\Windows\SysWOW64\Ljnqdhga.exe Lljpjchg.exe File opened for modification C:\Windows\SysWOW64\Klecfkff.exe Jnofgg32.exe File created C:\Windows\SysWOW64\Agiidifg.dll Ipabfcdm.exe File created C:\Windows\SysWOW64\Ndmecgba.exe Nbniid32.exe File opened for modification C:\Windows\SysWOW64\Jhbold32.exe Jojkco32.exe File created C:\Windows\SysWOW64\Phohmbjf.dll Ofiopaap.exe File created C:\Windows\SysWOW64\Agefobee.dll Pofomolo.exe File opened for modification C:\Windows\SysWOW64\Cejfckie.exe Claake32.exe File created C:\Windows\SysWOW64\Mlfacfpc.exe Mnbpjb32.exe File created C:\Windows\SysWOW64\Gghmmilh.exe Ggdcbi32.exe File created C:\Windows\SysWOW64\Ijidfpci.exe Hnbcaome.exe File created C:\Windows\SysWOW64\Neccdc32.dll Jhkclc32.exe File opened for modification C:\Windows\SysWOW64\Pglacbbo.exe Pqbifhjb.exe File created C:\Windows\SysWOW64\Bgepiehf.dll Qmifhq32.exe File created C:\Windows\SysWOW64\Hdhkdkaa.dll Hqfaldbo.exe File opened for modification C:\Windows\SysWOW64\Icdeee32.exe Igmepdbc.exe File created C:\Windows\SysWOW64\Idcoaaei.dll Bbchkime.exe File created C:\Windows\SysWOW64\Jggdmb32.dll Bphaglgo.exe File created C:\Windows\SysWOW64\Ogfdej32.dll Eapfagno.exe File opened for modification C:\Windows\SysWOW64\Kpieengb.exe Kfaalh32.exe File created C:\Windows\SysWOW64\Amogaa32.dll Qanmcdlm.exe File opened for modification C:\Windows\SysWOW64\Kmficl32.exe Kflafbak.exe File created C:\Windows\SysWOW64\Joildhiq.dll Ihiabfhk.exe File opened for modification C:\Windows\SysWOW64\Iigcobid.exe Hpoofm32.exe File created C:\Windows\SysWOW64\Jkbfdfbm.exe Jnhlbn32.exe File created C:\Windows\SysWOW64\Olfcfe32.dll Jdnmma32.exe File created C:\Windows\SysWOW64\Emfenggg.dll Nnnbni32.exe File created C:\Windows\SysWOW64\Mgnfji32.exe Maanab32.exe File created C:\Windows\SysWOW64\Jqoljf32.dll Oiokholk.exe File created C:\Windows\SysWOW64\Lpcmlnnp.exe Lbplciof.exe File opened for modification C:\Windows\SysWOW64\Pelnniga.exe Pkfiaqgk.exe File created C:\Windows\SysWOW64\Jnqjhh32.dll Ebklic32.exe File created C:\Windows\SysWOW64\Jflomd32.dll Ggkibhjf.exe File created C:\Windows\SysWOW64\Npabemib.dll Bihgmdih.exe File opened for modification C:\Windows\SysWOW64\Hpdbmooo.exe Heonpf32.exe File created C:\Windows\SysWOW64\Mlkail32.exe Mikhgqbi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1568 2704 WerFault.exe 1038 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmnnkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glffke32.dll" Eakooqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kabgha32.dll" Dbadagln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpkmehol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olkfmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdkid32.dll" Nefdpjkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijibng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdmngfm.dll" Jeclebja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edpoeoea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbnooiab.dll" Gepafc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jojkco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pegnglnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkbmil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djdgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bomlppdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckpoih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljcbcngi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Helgmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jikeeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebialmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djjeedhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncnlnaim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Occeip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffeejokj.dll" Kbppdfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boghbgla.dll" Neekogkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oagoep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqkmplen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggkqmoma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doejph32.dll" Ckhpejbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgfcop32.dll" Dkmncl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plcflp32.dll" Jdlclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmemoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gacbmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aqhhanig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkqlgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndafcmci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apnfno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enngdgim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfjhpemb.dll" Nfcbldmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jehlkhig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pchbmigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hppfog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaqkcimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iinhdmma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iamfdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epfhde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lekfhb32.dll" Bmjhdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllbljej.dll" Hhejnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbjlhpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfaalh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aokckm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbjcpc32.dll" Ninhamne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejohdbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flclam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeclebja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apilcoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgepiehf.dll" Qmifhq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pleofj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgjgol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckhpejbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dooqceid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpbdnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bccmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijqoilii.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2168 wrote to memory of 1288 2168 ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe 28 PID 2168 wrote to memory of 1288 2168 ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe 28 PID 2168 wrote to memory of 1288 2168 ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe 28 PID 2168 wrote to memory of 1288 2168 ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe 28 PID 1288 wrote to memory of 2680 1288 Gicdnj32.exe 29 PID 1288 wrote to memory of 2680 1288 Gicdnj32.exe 29 PID 1288 wrote to memory of 2680 1288 Gicdnj32.exe 29 PID 1288 wrote to memory of 2680 1288 Gicdnj32.exe 29 PID 2680 wrote to memory of 2540 2680 Gifaciae.exe 30 PID 2680 wrote to memory of 2540 2680 Gifaciae.exe 30 PID 2680 wrote to memory of 2540 2680 Gifaciae.exe 30 PID 2680 wrote to memory of 2540 2680 Gifaciae.exe 30 PID 2540 wrote to memory of 2500 2540 Gacbmk32.exe 31 PID 2540 wrote to memory of 2500 2540 Gacbmk32.exe 31 PID 2540 wrote to memory of 2500 2540 Gacbmk32.exe 31 PID 2540 wrote to memory of 2500 2540 Gacbmk32.exe 31 PID 2500 wrote to memory of 2684 2500 Hahlhkhi.exe 32 PID 2500 wrote to memory of 2684 2500 Hahlhkhi.exe 32 PID 2500 wrote to memory of 2684 2500 Hahlhkhi.exe 32 PID 2500 wrote to memory of 2684 2500 Hahlhkhi.exe 32 PID 2684 wrote to memory of 2668 2684 Hfgafadm.exe 33 PID 2684 wrote to memory of 2668 2684 Hfgafadm.exe 33 PID 2684 wrote to memory of 2668 2684 Hfgafadm.exe 33 PID 2684 wrote to memory of 2668 2684 Hfgafadm.exe 33 PID 2668 wrote to memory of 2996 2668 Hppfog32.exe 34 PID 2668 wrote to memory of 2996 2668 Hppfog32.exe 34 PID 2668 wrote to memory of 2996 2668 Hppfog32.exe 34 PID 2668 wrote to memory of 2996 2668 Hppfog32.exe 34 PID 2996 wrote to memory of 1788 2996 Iaelanmg.exe 35 PID 2996 wrote to memory of 1788 2996 Iaelanmg.exe 35 PID 2996 wrote to memory of 1788 2996 Iaelanmg.exe 35 PID 2996 wrote to memory of 1788 2996 Iaelanmg.exe 35 PID 1788 wrote to memory of 744 1788 Iajemnia.exe 36 PID 1788 wrote to memory of 744 1788 Iajemnia.exe 36 PID 1788 wrote to memory of 744 1788 Iajemnia.exe 36 PID 1788 wrote to memory of 744 1788 Iajemnia.exe 36 PID 744 wrote to memory of 1328 744 Ionefb32.exe 37 PID 744 wrote to memory of 1328 744 Ionefb32.exe 37 PID 744 wrote to memory of 1328 744 Ionefb32.exe 37 PID 744 wrote to memory of 1328 744 Ionefb32.exe 37 PID 1328 wrote to memory of 2328 1328 Jnhlbn32.exe 38 PID 1328 wrote to memory of 2328 1328 Jnhlbn32.exe 38 PID 1328 wrote to memory of 2328 1328 Jnhlbn32.exe 38 PID 1328 wrote to memory of 2328 1328 Jnhlbn32.exe 38 PID 2328 wrote to memory of 1944 2328 Jkbfdfbm.exe 39 PID 2328 wrote to memory of 1944 2328 Jkbfdfbm.exe 39 PID 2328 wrote to memory of 1944 2328 Jkbfdfbm.exe 39 PID 2328 wrote to memory of 1944 2328 Jkbfdfbm.exe 39 PID 1944 wrote to memory of 1744 1944 Jhffnk32.exe 40 PID 1944 wrote to memory of 1744 1944 Jhffnk32.exe 40 PID 1944 wrote to memory of 1744 1944 Jhffnk32.exe 40 PID 1944 wrote to memory of 1744 1944 Jhffnk32.exe 40 PID 1744 wrote to memory of 2788 1744 Kqdhhm32.exe 41 PID 1744 wrote to memory of 2788 1744 Kqdhhm32.exe 41 PID 1744 wrote to memory of 2788 1744 Kqdhhm32.exe 41 PID 1744 wrote to memory of 2788 1744 Kqdhhm32.exe 41 PID 2788 wrote to memory of 1324 2788 Konndhmb.exe 42 PID 2788 wrote to memory of 1324 2788 Konndhmb.exe 42 PID 2788 wrote to memory of 1324 2788 Konndhmb.exe 42 PID 2788 wrote to memory of 1324 2788 Konndhmb.exe 42 PID 1324 wrote to memory of 2432 1324 Lopkjhko.exe 43 PID 1324 wrote to memory of 2432 1324 Lopkjhko.exe 43 PID 1324 wrote to memory of 2432 1324 Lopkjhko.exe 43 PID 1324 wrote to memory of 2432 1324 Lopkjhko.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe"C:\Users\Admin\AppData\Local\Temp\ce46ce8541ef1c0266aa1d68fa775a53c66237fe81ab111abacda4325de18604.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Gicdnj32.exeC:\Windows\system32\Gicdnj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Gifaciae.exeC:\Windows\system32\Gifaciae.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Gacbmk32.exeC:\Windows\system32\Gacbmk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Hahlhkhi.exeC:\Windows\system32\Hahlhkhi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Hfgafadm.exeC:\Windows\system32\Hfgafadm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Hppfog32.exeC:\Windows\system32\Hppfog32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Iaelanmg.exeC:\Windows\system32\Iaelanmg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Iajemnia.exeC:\Windows\system32\Iajemnia.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Ionefb32.exeC:\Windows\system32\Ionefb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\SysWOW64\Jnhlbn32.exeC:\Windows\system32\Jnhlbn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Jkbfdfbm.exeC:\Windows\system32\Jkbfdfbm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Kqdhhm32.exeC:\Windows\system32\Kqdhhm32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Konndhmb.exeC:\Windows\system32\Konndhmb.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Lipecm32.exeC:\Windows\system32\Lipecm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Mikhgqbi.exeC:\Windows\system32\Mikhgqbi.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:992 -
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1216 -
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Oiakgcnl.exeC:\Windows\system32\Oiakgcnl.exe26⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe27⤵
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Plijimee.exeC:\Windows\system32\Plijimee.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Pddnnp32.exeC:\Windows\system32\Pddnnp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Pkcpei32.exeC:\Windows\system32\Pkcpei32.exe34⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Pqphnp32.exeC:\Windows\system32\Pqphnp32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Qfmafg32.exeC:\Windows\system32\Qfmafg32.exe36⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Afajafoa.exeC:\Windows\system32\Afajafoa.exe38⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Abhkfg32.exeC:\Windows\system32\Abhkfg32.exe39⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe40⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe41⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Aggpdnpj.exeC:\Windows\system32\Aggpdnpj.exe42⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Aapemc32.exeC:\Windows\system32\Aapemc32.exe43⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Ancefgfd.exeC:\Windows\system32\Ancefgfd.exe44⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe45⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Bmibgd32.exeC:\Windows\system32\Bmibgd32.exe46⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe47⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe48⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe49⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Bbjdjjdn.exeC:\Windows\system32\Bbjdjjdn.exe50⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Bpnddn32.exeC:\Windows\system32\Bpnddn32.exe51⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe52⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe53⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Cemjae32.exeC:\Windows\system32\Cemjae32.exe54⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe55⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe56⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe57⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Chcloo32.exeC:\Windows\system32\Chcloo32.exe58⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Cfhiplmp.exeC:\Windows\system32\Cfhiplmp.exe59⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe60⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe61⤵
- Executes dropped EXE
PID:664 -
C:\Windows\SysWOW64\Dmgkgeah.exeC:\Windows\system32\Dmgkgeah.exe62⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Debplg32.exeC:\Windows\system32\Debplg32.exe63⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe65⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Dchmkkkj.exeC:\Windows\system32\Dchmkkkj.exe66⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Eoompl32.exeC:\Windows\system32\Eoompl32.exe67⤵PID:1632
-
C:\Windows\SysWOW64\Eamilh32.exeC:\Windows\system32\Eamilh32.exe68⤵PID:1752
-
C:\Windows\SysWOW64\Eapfagno.exeC:\Windows\system32\Eapfagno.exe69⤵
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe70⤵PID:3024
-
C:\Windows\SysWOW64\Eccpoo32.exeC:\Windows\system32\Eccpoo32.exe71⤵PID:1248
-
C:\Windows\SysWOW64\Ejmhkiig.exeC:\Windows\system32\Ejmhkiig.exe72⤵PID:684
-
C:\Windows\SysWOW64\Elnqmd32.exeC:\Windows\system32\Elnqmd32.exe73⤵PID:960
-
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe74⤵PID:1960
-
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe75⤵PID:2696
-
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe76⤵PID:1720
-
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe77⤵PID:2776
-
C:\Windows\SysWOW64\Fkhgip32.exeC:\Windows\system32\Fkhgip32.exe78⤵PID:1696
-
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe79⤵PID:2100
-
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe80⤵PID:2552
-
C:\Windows\SysWOW64\Gbfiaj32.exeC:\Windows\system32\Gbfiaj32.exe81⤵PID:2660
-
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe82⤵PID:2388
-
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe83⤵PID:2516
-
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe84⤵PID:1528
-
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe85⤵PID:2340
-
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe86⤵PID:1996
-
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe87⤵PID:916
-
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe88⤵PID:1044
-
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe89⤵
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe90⤵PID:1708
-
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe91⤵
- Modifies registry class
PID:624 -
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2948 -
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe93⤵PID:896
-
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe94⤵PID:2796
-
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe95⤵PID:2860
-
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe96⤵PID:1576
-
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2536 -
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe98⤵PID:2652
-
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe99⤵PID:2032
-
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe100⤵PID:2444
-
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe101⤵PID:2888
-
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe102⤵PID:2336
-
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe103⤵PID:2040
-
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe104⤵PID:2228
-
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe105⤵PID:2572
-
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe106⤵PID:2096
-
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe107⤵PID:820
-
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe108⤵PID:2752
-
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe109⤵PID:2068
-
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe110⤵PID:2792
-
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe111⤵PID:2240
-
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe112⤵PID:2872
-
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe113⤵PID:1668
-
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe114⤵PID:2556
-
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe115⤵PID:2580
-
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe116⤵PID:1096
-
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe117⤵PID:1816
-
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe118⤵PID:928
-
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe119⤵PID:2748
-
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1092 -
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe121⤵PID:1860
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-