Analysis
max time kernel: 42s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 23/07/2024, 00:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
32353850d25eabcb324cd0e15bd28d30N.exe
Resource
win7-20240708-en
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
32353850d25eabcb324cd0e15bd28d30N.exe
Resource
win10v2004-20240709-en
6 signatures
120 seconds
General
Target: 32353850d25eabcb324cd0e15bd28d30N.exe
Size: 80KB
MD5: 32353850d25eabcb324cd0e15bd28d30
SHA1: 15c54798b125a7db2bdc206214bc7bf9a0c9efde
SHA256: 11ae27ae08bb00983ee6bf31c59eefe471eeb4b059c80c7c768e3bf0ea623f76
SHA512: 326b021ec32f669a6a6014f7a6f015ccf12aee4ecd76f1a3373a8b5fd4d38c531178c2a2e0f7852b0cc437812fc61ff302fe4f7a1f01cdf8845d27d0d472636e
SSDEEP: 1536:1yf18tZ0HPsZxPh9qP4UsLL+iDd1l7F187FeJuqnhCN:If1xHPs/HqP4UihL7z87FeJLCN
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hphljkfk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Licbca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pqdend32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dgclpp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Igjckcbo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jhgonj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jqjdon32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpihog32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpmfoodb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhdpjaga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fmffhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ikkoagjo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbljmd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bakgmgpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Doqmjaac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iedmhlqf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jfffmo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddgljced.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hoflpbmo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijklmn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cioohh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fpliec32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iniebmfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ndfbia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ocbekmpi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onhihepp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eoefea32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iapghlbe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Heedbbdb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gdchifik.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iccqedfa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkcjlhdh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dclikp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gigjch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lafpipoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Docjpa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Haiagm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bdbfpafn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cmkkhfmn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ghlgdecf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chiedc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Efakhk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jhebij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ilfbpk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckjnfobi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fqdong32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Heedbbdb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idojon32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljnebe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aimfcedl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Befcne32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Behpcefk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bmhncg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pafacd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ihgcof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iackhb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fpecddpi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhmhpm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajcpgi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fjhjlm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkldli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nogmkk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ohdkop32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dlgjie32.exe
Executes dropped EXE (64 IoCs)
pid | Process
1488 | Hopibdfd.exe
756 | Hanenoeh.exe
2624 | Hdmajkdl.exe
2572 | Hkgjge32.exe
2612 | Hpcbol32.exe
3024 | Hhkjpi32.exe
2396 | Hkifld32.exe
2548 | Hacoio32.exe
2436 | Hcdkagga.exe
2932 | Hkkcbdhc.exe
2664 | Hnjonpgg.exe
1692 | Hphljkfk.exe
2648 | Heedbbdb.exe
444 | Hnllcoed.exe
1964 | Iomhkgkb.exe
2144 | Igdqmeke.exe
2864 | Ihfmdm32.exe
992 | Ipmeej32.exe
2076 | Iopeagip.exe
2328 | Iejnna32.exe
1096 | Ilcfjkgj.exe
844 | Ikfffh32.exe
1504 | Icnngeof.exe
1316 | Idojon32.exe
2208 | Ilfbpk32.exe
1484 | Iackhb32.exe
1596 | Ikkoagjo.exe
2992 | Iogkaf32.exe
2560 | Idcdjmao.exe
2516 | Jgbpfhpc.exe
3068 | Jbgdcapi.exe
2480 | Jqjdon32.exe
2740 | Jgdmkhnp.exe
2380 | Jnnehb32.exe
2536 | Jqmadn32.exe
952 | Jggiah32.exe
1372 | Jjefmc32.exe
2448 | Jmcbio32.exe
276 | Jgiffg32.exe
1948 | Jijbnppi.exe
2828 | Jmfoon32.exe
2168 | Jbbgge32.exe
2456 | Jjjohbgl.exe
1640 | Jofhqiec.exe
1788 | Kbedmedg.exe
944 | Kecpipck.exe
2256 | Knldaf32.exe
2916 | Kefmnp32.exe
1572 | Kgdijk32.exe
2272 | Kpkali32.exe
2824 | Knnagehi.exe
2568 | Kamncagl.exe
2600 | Kehidp32.exe
2984 | Kicednho.exe
2840 | Kkbbqjgb.exe
2376 | Kjeblf32.exe
1520 | Kbljmd32.exe
2464 | Kejfio32.exe
2460 | Kcmfeldm.exe
2724 | Kldofi32.exe
2796 | Knckbe32.exe
2728 | Kmeknakn.exe
2868 | Kaagnp32.exe
2124 | Ljjkgfig.exe
Loads dropped DLL (64 IoCs; each process appears once per load event)
pid | Process
2876 | 32353850d25eabcb324cd0e15bd28d30N.exe
2876 | 32353850d25eabcb324cd0e15bd28d30N.exe
1488 | Hopibdfd.exe
1488 | Hopibdfd.exe
756 | Hanenoeh.exe
756 | Hanenoeh.exe
2624 | Hdmajkdl.exe
2624 | Hdmajkdl.exe
2572 | Hkgjge32.exe
2572 | Hkgjge32.exe
2612 | Hpcbol32.exe
2612 | Hpcbol32.exe
3024 | Hhkjpi32.exe
3024 | Hhkjpi32.exe
2396 | Hkifld32.exe
2396 | Hkifld32.exe
2548 | Hacoio32.exe
2548 | Hacoio32.exe
2436 | Hcdkagga.exe
2436 | Hcdkagga.exe
2932 | Hkkcbdhc.exe
2932 | Hkkcbdhc.exe
2664 | Hnjonpgg.exe
2664 | Hnjonpgg.exe
1692 | Hphljkfk.exe
1692 | Hphljkfk.exe
2648 | Heedbbdb.exe
2648 | Heedbbdb.exe
444 | Hnllcoed.exe
444 | Hnllcoed.exe
1964 | Iomhkgkb.exe
1964 | Iomhkgkb.exe
2144 | Igdqmeke.exe
2144 | Igdqmeke.exe
2864 | Ihfmdm32.exe
2864 | Ihfmdm32.exe
992 | Ipmeej32.exe
992 | Ipmeej32.exe
2076 | Iopeagip.exe
2076 | Iopeagip.exe
2328 | Iejnna32.exe
2328 | Iejnna32.exe
1096 | Ilcfjkgj.exe
1096 | Ilcfjkgj.exe
844 | Ikfffh32.exe
844 | Ikfffh32.exe
1504 | Icnngeof.exe
1504 | Icnngeof.exe
1316 | Idojon32.exe
1316 | Idojon32.exe
2208 | Ilfbpk32.exe
2208 | Ilfbpk32.exe
1484 | Iackhb32.exe
1484 | Iackhb32.exe
1596 | Ikkoagjo.exe
1596 | Ikkoagjo.exe
2992 | Iogkaf32.exe
2992 | Iogkaf32.exe
2560 | Idcdjmao.exe
2560 | Idcdjmao.exe
2516 | Jgbpfhpc.exe
2516 | Jgbpfhpc.exe
3068 | Jbgdcapi.exe
3068 | Jbgdcapi.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Gnmold32.dll | Lbijgg32.exe
File created | C:\Windows\SysWOW64\Qjacai32.exe | Qgbfen32.exe
File created | C:\Windows\SysWOW64\Acnqen32.exe | Algida32.exe
File created | C:\Windows\SysWOW64\Enjcfm32.exe | Eklgjbca.exe
File opened for modification | C:\Windows\SysWOW64\Ilfbpk32.exe | Idojon32.exe
File created | C:\Windows\SysWOW64\Caomgjnk.exe | Coqaknog.exe
File created | C:\Windows\SysWOW64\Kknbenkh.dll | Chiedc32.exe
File created | C:\Windows\SysWOW64\Cnfnlk32.exe | Ckgapo32.exe
File created | C:\Windows\SysWOW64\Olbqfb32.dll | Edghighp.exe
File opened for modification | C:\Windows\SysWOW64\Gbmbgngb.exe | Gnaffpoi.exe
File created | C:\Windows\SysWOW64\Kjdnqckh.dll | Jjpehn32.exe
File created | C:\Windows\SysWOW64\Dpnioi32.dll | Ipmeej32.exe
File created | C:\Windows\SysWOW64\Ohdkop32.exe | Nefncd32.exe
File created | C:\Windows\SysWOW64\Anjnllbd.exe | Allbpqcp.exe
File opened for modification | C:\Windows\SysWOW64\Igmppcpm.exe | Icadpd32.exe
File opened for modification | C:\Windows\SysWOW64\Knnagehi.exe | Kpkali32.exe
File created | C:\Windows\SysWOW64\Lagknhgp.dll | Behpcefk.exe
File created | C:\Windows\SysWOW64\Egchocif.exe | Eddlcgjb.exe
File created | C:\Windows\SysWOW64\Lcghjj32.dll | Hbfalpab.exe
File opened for modification | C:\Windows\SysWOW64\Lmhhcaik.exe | Ljjkgfig.exe
File created | C:\Windows\SysWOW64\Nglhghgj.exe | Noepfkgh.exe
File created | C:\Windows\SysWOW64\Ddbbod32.exe | Cadfbi32.exe
File created | C:\Windows\SysWOW64\Gghcjdmg.dll | Ebccal32.exe
File created | C:\Windows\SysWOW64\Iegjnkod.exe | Iaknmm32.exe
File opened for modification | C:\Windows\SysWOW64\Lfpllg32.exe | Lcbppk32.exe
File created | C:\Windows\SysWOW64\Hkifld32.exe | Hhkjpi32.exe
File created | C:\Windows\SysWOW64\Mahinb32.exe | Mmlmmdga.exe
File created | C:\Windows\SysWOW64\Lmhhcaik.exe | Ljjkgfig.exe
File created | C:\Windows\SysWOW64\Lfbibfmi.exe | Lcdmekne.exe
File opened for modification | C:\Windows\SysWOW64\Onhihepp.exe | Ojlmgg32.exe
File created | C:\Windows\SysWOW64\Imoqbo32.dll | Abcngkmp.exe
File opened for modification | C:\Windows\SysWOW64\Bhiiepcl.exe | Bpbadcbj.exe
File created | C:\Windows\SysWOW64\Mcldnd32.dll | Fmnmih32.exe
File created | C:\Windows\SysWOW64\Hebqbl32.exe | Hafdbmjp.exe
File created | C:\Windows\SysWOW64\Hjmjmk32.dll | Idojon32.exe
File created | C:\Windows\SysWOW64\Ioonfaed.exe | Ighfecdb.exe
File opened for modification | C:\Windows\SysWOW64\Ihcidgpj.exe | Iedmhlqf.exe
File created | C:\Windows\SysWOW64\Nndhfngb.dll | Hbagaa32.exe
File created | C:\Windows\SysWOW64\Iankbldh.exe | Ioonfaed.exe
File opened for modification | C:\Windows\SysWOW64\Ipedihgm.exe | Infhmmhi.exe
File opened for modification | C:\Windows\SysWOW64\Lcdmekne.exe | Lafpipoa.exe
File created | C:\Windows\SysWOW64\Jficbn32.exe | Jbmgapgc.exe
File created | C:\Windows\SysWOW64\Joeaefka.dll | Pobhfl32.exe
File created | C:\Windows\SysWOW64\Kecpipck.exe | Kbedmedg.exe
File created | C:\Windows\SysWOW64\Nfcmbjlm.dll | Nogmkk32.exe
File opened for modification | C:\Windows\SysWOW64\Kodkcbje.dll | Okecak32.exe
File opened for modification | C:\Windows\SysWOW64\Bmhncg32.exe | Bimbbhgh.exe
File created | C:\Windows\SysWOW64\Jnpioe32.dll | Fibqhibd.exe
File opened for modification | C:\Windows\SysWOW64\Ghlgdecf.exe | Gdpkdf32.exe
File created | C:\Windows\SysWOW64\Kcleaanm.dll | Jnnehb32.exe
File created | C:\Windows\SysWOW64\Gchfgkcp.dll | Cleaebna.exe
File created | C:\Windows\SysWOW64\Dfjegl32.exe | Dfjegl32.exe
File created | C:\Windows\SysWOW64\Qnjbmh32.exe | Qjofljho.exe
File opened for modification | C:\Windows\SysWOW64\Ilcfjkgj.exe | Iejnna32.exe
File created | C:\Windows\SysWOW64\Anapcg32.dll | Ohajic32.exe
File created | C:\Windows\SysWOW64\Icemeqoi.dll | Pmpcoabe.exe
File opened for modification | C:\Windows\SysWOW64\Hmbbcjic.exe | Hiffbl32.exe
File created | C:\Windows\SysWOW64\Ioocfn32.dll | 32353850d25eabcb324cd0e15bd28d30N.exe
File opened for modification | C:\Windows\SysWOW64\Fpjlpclc.exe | Flnpoe32.exe
File opened for modification | C:\Windows\SysWOW64\Gdpkdf32.exe | Genkhidc.exe
File created | C:\Windows\SysWOW64\Igpkhjlc.dll | Iapghlbe.exe
File opened for modification | C:\Windows\SysWOW64\Hkkcbdhc.exe | Hcdkagga.exe
File opened for modification | C:\Windows\SysWOW64\Chdlidjm.exe | Cefpmiji.exe
File opened for modification | C:\Windows\SysWOW64\Efakhk32.exe | Enjcfm32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
4688 | 4408 | WerFault.exe | 449
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpqamg32.dll" | Ekqqea32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hoflpbmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcodfll.dll" | Jgaikb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiahci32.dll" | Jmfoon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcmpkcpl.dll" | Kgdijk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ajelmiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcpodaao.dll" | Bjclfmfe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Boadlk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mihkoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfccjei.dll" | Ahbcda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jomnpdjb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hacoio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ocphembl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kheeallp.dll" | Bdkpob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjgol32.dll" | Colgpo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Glefpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhdlgk.dll" | Jficbn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Idojon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibdhlmil.dll" | Jbgdcapi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cphmegmd.dll" | Coejfn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fcckjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hikpnkme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Heedbbdb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jjjohbgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhfcnkcn.dll" | Cbhcankf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iigkka32.dll" | Hiffbl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jookedhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppepdplg.dll" | Gmipmlan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kkbbqjgb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lcdmekne.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mhpeem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dajjck32.dll" | Cdnicemo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Edbonh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kecpipck.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abehhc32.dll" | Ajelmiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ahbcda32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hmdohj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmiapobg.dll" | Hacoio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejidna32.dll" | Kamncagl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qmmbhegc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gjjcqpbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Idjjih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ebkibk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmoehh32.dll" | Fjhjlm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gnfoao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doelpf32.dll" | Gdpkdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ihgcof32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ocphembl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pbaebh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghdjjgdp.dll" | Cidhcg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ebccal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppdpkopc.dll" | Fffabman.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iomhkgkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhegdbg.dll" | Kefmnp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jehmda32.dll" | Ijmibn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cbhcankf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dnkggjpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjeecj32.dll" | Dldndf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nhpadpke.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Onhihepp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Amalcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppopgcbc.dll" | Bhdpjaga.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Baoahf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egglnnil.dll" | Gncblo32.exe
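The "Adds autorun key" and "Modifies registry class" sections above are two halves of one persistence mechanism: at logon Explorer enumerates the ShellServiceObjectDelayLoad (SSODL) key, instantiates each CLSID listed there, and in doing so loads the DLL named by that CLSID's InProcServer32 default value (the Wow6432Node paths are the 32-bit view on this x64 image). The script below is an added example and not part of the sandbox report. It parses a handful of rows copied verbatim from the two sections (each has 64 in the report) and pairs the SSODL CLSID with the DLL registered for it, collecting every dropped process that wrote either half.

```python
"""Pair ShellServiceObjectDelayLoad (SSODL) entries with the CLSID registration
they depend on, from sandbox registry-event rows.

Added example, not part of the sandbox report. Explorer instantiates every CLSID
listed under SSODL at logon and loads the DLL named by that CLSID's
InProcServer32 default value, so the two registry sections of the report
together describe one persistence mechanism."""
import re
from collections import defaultdict

# Rows copied from the report's "Adds autorun key" and "Modifies registry class"
# sections (a handful of the 64 in each). Backslashes inside the quoted data
# are doubled exactly as the report prints them.
REPORT_ROWS = [
    r'Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hphljkfk.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqdend32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgclpp32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hoflpbmo.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpqamg32.dll" Ekqqea32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcodfll.dll" Jgaikb32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mihkoa32.exe',
]

CLSID = r'\{[0-9A-Fa-f-]+\}'
# "Set value" row under SSODL: value name, CLSID data, writing process.
SSODL_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows'
    r'\\CurrentVersion\\ShellServiceObjectDelayLoad\\(?P<name>.+?) = "(?P<clsid>' + CLSID + r')" (?P<proc>\S+)$',
    re.IGNORECASE,
)
# "Set value" row under CLSID\{...}\InProcServer32: empty value name is (Default).
INPROC_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?:Wow6432Node\\)?CLSID\\(?P<clsid>' + CLSID + r')'
    r'\\InProcServer32\\(?P<value>[^ =]*) = "(?P<data>[^"]*)" (?P<proc>\S+)$',
    re.IGNORECASE,
)


def correlate(rows):
    """Return {clsid: finding} for each CLSID that both appears as an SSODL
    value and receives an InProcServer32 registration in the rows."""
    ssodl = defaultdict(lambda: {"names": set(), "writers": set()})
    inproc = defaultdict(lambda: {"dlls": set(), "threading": set(), "writers": set()})
    for row in rows:
        if m := SSODL_RE.match(row):
            entry = ssodl[m["clsid"].upper()]
            entry["names"].add(m["name"])
            entry["writers"].add(m["proc"])
        elif m := INPROC_RE.match(row):
            entry = inproc[m["clsid"].upper()]
            entry["writers"].add(m["proc"])
            data = m["data"].replace("\\\\", "\\")  # undo the report's escaping
            if m["value"] == "":                      # (Default) holds the DLL path
                entry["dlls"].add(data)
            elif m["value"].lower() == "threadingmodel":
                entry["threading"].add(data)
    return {
        clsid: {
            "value_names": sorted(ssodl[clsid]["names"]),
            "dlls": sorted(inproc[clsid]["dlls"]),
            "threading": sorted(inproc[clsid]["threading"]),
            "writers": sorted(ssodl[clsid]["writers"] | inproc[clsid]["writers"]),
        }
        for clsid in ssodl.keys() & inproc.keys()
    }


def describe(findings):
    """Render one finding per CLSID as plain text."""
    lines = []
    for clsid, f in sorted(findings.items()):
        lines.append(f"{clsid} is loaded by Explorer via SSODL value(s) {f['value_names']}")
        lines.append(f"  InProcServer32 -> {f['dlls']} (ThreadingModel {f['threading']})")
        lines.append(f"  written by {len(f['writers'])} distinct processes: {', '.join(f['writers'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(correlate(REPORT_ROWS)))
```

Two things the pairing makes visible that the raw rows do not: the same CLSID is re-pointed at a different freshly dropped DLL by each generation (Lpqamg32.dll, Bgcodfll.dll, and so on across the 64 rows), and dozens of distinct processes touch the same value. A detection keyed on file hashes of the DLL would miss every generation but the one it was written for; keying on any SSODL value whose CLSID resolves to a non-Microsoft DLL, or on repeated writes to the same SSODL value by different images, does not.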
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2876 wrote to memory of 1488 | 2876 | 32353850d25eabcb324cd0e15bd28d30N.exe | 29
PID 2876 wrote to memory of 1488 | 2876 | 32353850d25eabcb324cd0e15bd28d30N.exe | 29
PID 2876 wrote to memory of 1488 | 2876 | 32353850d25eabcb324cd0e15bd28d30N.exe | 29
PID 2876 wrote to memory of 1488 | 2876 | 32353850d25eabcb324cd0e15bd28d30N.exe | 29
PID 1488 wrote to memory of 756 | 1488 | Hopibdfd.exe | 30
PID 1488 wrote to memory of 756 | 1488 | Hopibdfd.exe | 30
PID 1488 wrote to memory of 756 | 1488 | Hopibdfd.exe | 30
PID 1488 wrote to memory of 756 | 1488 | Hopibdfd.exe | 30
PID 756 wrote to memory of 2624 | 756 | Hanenoeh.exe | 31
PID 756 wrote to memory of 2624 | 756 | Hanenoeh.exe | 31
PID 756 wrote to memory of 2624 | 756 | Hanenoeh.exe | 31
PID 756 wrote to memory of 2624 | 756 | Hanenoeh.exe | 31
PID 2624 wrote to memory of 2572 | 2624 | Hdmajkdl.exe | 32
PID 2624 wrote to memory of 2572 | 2624 | Hdmajkdl.exe | 32
PID 2624 wrote to memory of 2572 | 2624 | Hdmajkdl.exe | 32
PID 2624 wrote to memory of 2572 | 2624 | Hdmajkdl.exe | 32
PID 2572 wrote to memory of 2612 | 2572 | Hkgjge32.exe | 33
PID 2572 wrote to memory of 2612 | 2572 | Hkgjge32.exe | 33
PID 2572 wrote to memory of 2612 | 2572 | Hkgjge32.exe | 33
PID 2572 wrote to memory of 2612 | 2572 | Hkgjge32.exe | 33
PID 2612 wrote to memory of 3024 | 2612 | Hpcbol32.exe | 34
PID 2612 wrote to memory of 3024 | 2612 | Hpcbol32.exe | 34
PID 2612 wrote to memory of 3024 | 2612 | Hpcbol32.exe | 34
PID 2612 wrote to memory of 3024 | 2612 | Hpcbol32.exe | 34
PID 3024 wrote to memory of 2396 | 3024 | Hhkjpi32.exe | 35
PID 3024 wrote to memory of 2396 | 3024 | Hhkjpi32.exe | 35
PID 3024 wrote to memory of 2396 | 3024 | Hhkjpi32.exe | 35
PID 3024 wrote to memory of 2396 | 3024 | Hhkjpi32.exe | 35
PID 2396 wrote to memory of 2548 | 2396 | Hkifld32.exe | 36
PID 2396 wrote to memory of 2548 | 2396 | Hkifld32.exe | 36
PID 2396 wrote to memory of 2548 | 2396 | Hkifld32.exe | 36
PID 2396 wrote to memory of 2548 | 2396 | Hkifld32.exe | 36
PID 2548 wrote to memory of 2436 | 2548 | Hacoio32.exe | 37
PID 2548 wrote to memory of 2436 | 2548 | Hacoio32.exe | 37
PID 2548 wrote to memory of 2436 | 2548 | Hacoio32.exe | 37
PID 2548 wrote to memory of 2436 | 2548 | Hacoio32.exe | 37
PID 2436 wrote to memory of 2932 | 2436 | Hcdkagga.exe | 38
PID 2436 wrote to memory of 2932 | 2436 | Hcdkagga.exe | 38
PID 2436 wrote to memory of 2932 | 2436 | Hcdkagga.exe | 38
PID 2436 wrote to memory of 2932 | 2436 | Hcdkagga.exe | 38
PID 2932 wrote to memory of 2664 | 2932 | Hkkcbdhc.exe | 39
PID 2932 wrote to memory of 2664 | 2932 | Hkkcbdhc.exe | 39
PID 2932 wrote to memory of 2664 | 2932 | Hkkcbdhc.exe | 39
PID 2932 wrote to memory of 2664 | 2932 | Hkkcbdhc.exe | 39
PID 2664 wrote to memory of 1692 | 2664 | Hnjonpgg.exe | 40
PID 2664 wrote to memory of 1692 | 2664 | Hnjonpgg.exe | 40
PID 2664 wrote to memory of 1692 | 2664 | Hnjonpgg.exe | 40
PID 2664 wrote to memory of 1692 | 2664 | Hnjonpgg.exe | 40
PID 1692 wrote to memory of 2648 | 1692 | Hphljkfk.exe | 41
PID 1692 wrote to memory of 2648 | 1692 | Hphljkfk.exe | 41
PID 1692 wrote to memory of 2648 | 1692 | Hphljkfk.exe | 41
PID 1692 wrote to memory of 2648 | 1692 | Hphljkfk.exe | 41
PID 2648 wrote to memory of 444 | 2648 | Heedbbdb.exe | 42
PID 2648 wrote to memory of 444 | 2648 | Heedbbdb.exe | 42
PID 2648 wrote to memory of 444 | 2648 | Heedbbdb.exe | 42
PID 2648 wrote to memory of 444 | 2648 | Heedbbdb.exe | 42
PID 444 wrote to memory of 1964 | 444 | Hnllcoed.exe | 43
PID 444 wrote to memory of 1964 | 444 | Hnllcoed.exe | 43
PID 444 wrote to memory of 1964 | 444 | Hnllcoed.exe | 43
PID 444 wrote to memory of 1964 | 444 | Hnllcoed.exe | 43
PID 1964 wrote to memory of 2144 | 1964 | Iomhkgkb.exe | 44
PID 1964 wrote to memory of 2144 | 1964 | Iomhkgkb.exe | 44
PID 1964 wrote to memory of 2144 | 1964 | Iomhkgkb.exe | 44
PID 1964 wrote to memory of 2144 | 1964 | Iomhkgkb.exe | 44
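The WriteProcessMemory rows record each parent-to-child write four times, and read in order they give the whole spawn chain: every dropped executable writes into exactly one child, which is the next image in the process tree below. The script is an added example and not part of the report. It collapses duplicated rows (abridged to the first six links, copied from the section above) into parent -> child edges, names each pid from the "Executes dropped EXE" rows, and walks the chain from the sample's pid, refusing to continue if any process has more than one child or the edges loop.

```python
"""Rebuild the spawn chain from a sandbox report's WriteProcessMemory rows.

Added example, not part of the sandbox report. The report logs every
WriteProcessMemory call from parent to child (four per pair here), so
deduplicating the rows and following parent -> child yields the lineage,
which for this sample is a single linear chain."""
import re
from collections import defaultdict

# Rows copied from the report, abridged to the first six links of the chain.
WPM_ROWS = """
PID 2876 wrote to memory of 1488 2876 32353850d25eabcb324cd0e15bd28d30N.exe 29
PID 2876 wrote to memory of 1488 2876 32353850d25eabcb324cd0e15bd28d30N.exe 29
PID 2876 wrote to memory of 1488 2876 32353850d25eabcb324cd0e15bd28d30N.exe 29
PID 2876 wrote to memory of 1488 2876 32353850d25eabcb324cd0e15bd28d30N.exe 29
PID 1488 wrote to memory of 756 1488 Hopibdfd.exe 30
PID 1488 wrote to memory of 756 1488 Hopibdfd.exe 30
PID 756 wrote to memory of 2624 756 Hanenoeh.exe 31
PID 2624 wrote to memory of 2572 2624 Hdmajkdl.exe 32
PID 2572 wrote to memory of 2612 2572 Hkgjge32.exe 33
PID 2612 wrote to memory of 3024 2612 Hpcbol32.exe 34
"""
# "pid Process" pairs from the "Executes dropped EXE" section; these name the
# last child, which never appears as a writer in the abridged rows above.
EXEC_ROWS = ("1488 Hopibdfd.exe 756 Hanenoeh.exe 2624 Hdmajkdl.exe "
             "2572 Hkgjge32.exe 2612 Hpcbol32.exe 3024 Hhkjpi32.exe")

WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_id>\d+)"
)
EXEC_RE = re.compile(r"(\d+) (\S+)")


def parse_edges(rows):
    """Return ({parent_pid: {child_pid, ...}}, {pid: image}) with the repeated
    rows collapsed; the writer's image names the parent pid."""
    children = defaultdict(set)
    images = {}
    for m in WPM_RE.finditer(rows):
        src, dst = int(m["src"]), int(m["dst"])
        children[src].add(dst)
        images[src] = m["image"]
    return children, images


def parse_images(rows):
    """Map pid -> image from "pid Process" pairs."""
    return {int(pid): image for pid, image in EXEC_RE.findall(rows)}


def spawn_chain(wpm_rows, exec_rows, root):
    """Follow parent -> child from root; return [(depth, pid, image)].
    Raises ValueError if the lineage is not a single chain (a process with
    several children) or if the edges loop."""
    children, images = parse_edges(wpm_rows)
    images = {**parse_images(exec_rows), **images}
    chain, pid, depth, seen = [], root, 1, set()
    while pid is not None:
        if pid in seen:
            raise ValueError(f"cycle at pid {pid}")
        seen.add(pid)
        chain.append((depth, pid, images.get(pid, "?")))
        kids = children.get(pid, set())
        if len(kids) > 1:
            raise ValueError(f"pid {pid} has {len(kids)} children: {sorted(kids)}")
        pid = next(iter(kids)) if kids else None
        depth += 1
    return chain


if __name__ == "__main__":
    for depth, pid, image in spawn_chain(WPM_ROWS, EXEC_ROWS, 2876):
        print(f"{'  ' * (depth - 1)}[{depth}] {pid} {image}")
```

On a full report the same walk covers all 64 rows and ends at pid 2144 (Igdqmeke.exe), the last writer listed; the rest of the tree continues below in the Processes section. A branching factor of exactly one at every hop is itself a useful signal: a linear chain of freshly dropped, randomly named executables each spawning the next is characteristic of this kind of self-replicating sample and is easy to express as a process-tree rule.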
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\32353850d25eabcb324cd0e15bd28d30N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\32353850d25eabcb324cd0e15bd28d30N.exe"
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 2876
2. C:\Windows\SysWOW64\Hopibdfd.exe
   Command line: C:\Windows\system32\Hopibdfd.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1488
3. C:\Windows\SysWOW64\Hanenoeh.exe
   Command line: C:\Windows\system32\Hanenoeh.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 756
4. C:\Windows\SysWOW64\Hdmajkdl.exe
   Command line: C:\Windows\system32\Hdmajkdl.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2624
5. C:\Windows\SysWOW64\Hkgjge32.exe
   Command line: C:\Windows\system32\Hkgjge32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2572
6. C:\Windows\SysWOW64\Hpcbol32.exe
   Command line: C:\Windows\system32\Hpcbol32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2612
7. C:\Windows\SysWOW64\Hhkjpi32.exe
   Command line: C:\Windows\system32\Hhkjpi32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 3024
8. C:\Windows\SysWOW64\Hkifld32.exe
   Command line: C:\Windows\system32\Hkifld32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2396
9. C:\Windows\SysWOW64\Hacoio32.exe
   Command line: C:\Windows\system32\Hacoio32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2548
10. C:\Windows\SysWOW64\Hcdkagga.exe
    Command line: C:\Windows\system32\Hcdkagga.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 2436
11. C:\Windows\SysWOW64\Hkkcbdhc.exe
    Command line: C:\Windows\system32\Hkkcbdhc.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2932
12. C:\Windows\SysWOW64\Hnjonpgg.exe
    Command line: C:\Windows\system32\Hnjonpgg.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2664
13. C:\Windows\SysWOW64\Hphljkfk.exe
    Command line: C:\Windows\system32\Hphljkfk.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1692
14. C:\Windows\SysWOW64\Heedbbdb.exe
    Command line: C:\Windows\system32\Heedbbdb.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2648
15. C:\Windows\SysWOW64\Hnllcoed.exe
    Command line: C:\Windows\system32\Hnllcoed.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 444
16. C:\Windows\SysWOW64\Iomhkgkb.exe
    Command line: C:\Windows\system32\Iomhkgkb.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1964
17. C:\Windows\SysWOW64\Igdqmeke.exe
    Command line: C:\Windows\system32\Igdqmeke.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2144
18. C:\Windows\SysWOW64\Ihfmdm32.exe
    Command line: C:\Windows\system32\Ihfmdm32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2864
19. C:\Windows\SysWOW64\Ipmeej32.exe
    Command line: C:\Windows\system32\Ipmeej32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID: 992
20. C:\Windows\SysWOW64\Iopeagip.exe
    Command line: C:\Windows\system32\Iopeagip.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2076
21. C:\Windows\SysWOW64\Iejnna32.exe
    Command line: C:\Windows\system32\Iejnna32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID: 2328
22. C:\Windows\SysWOW64\Ilcfjkgj.exe
    Command line: C:\Windows\system32\Ilcfjkgj.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1096
23. C:\Windows\SysWOW64\Ikfffh32.exe
    Command line: C:\Windows\system32\Ikfffh32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 844
24. C:\Windows\SysWOW64\Icnngeof.exe
    Command line: C:\Windows\system32\Icnngeof.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1504
25. C:\Windows\SysWOW64\Idojon32.exe
    Command line: C:\Windows\system32\Idojon32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    PID: 1316
26. C:\Windows\SysWOW64\Ilfbpk32.exe
    Command line: C:\Windows\system32\Ilfbpk32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2208
27. C:\Windows\SysWOW64\Iackhb32.exe
    Command line: C:\Windows\system32\Iackhb32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1484
28. C:\Windows\SysWOW64\Ikkoagjo.exe
    Command line: C:\Windows\system32\Ikkoagjo.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1596
29. C:\Windows\SysWOW64\Iogkaf32.exe
    Command line: C:\Windows\system32\Iogkaf32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2992
30. C:\Windows\SysWOW64\Idcdjmao.exe
    Command line: C:\Windows\system32\Idcdjmao.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2560
31. C:\Windows\SysWOW64\Jgbpfhpc.exe
    Command line: C:\Windows\system32\Jgbpfhpc.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2516
32. C:\Windows\SysWOW64\Jbgdcapi.exe
    Command line: C:\Windows\system32\Jbgdcapi.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID: 3068
33. C:\Windows\SysWOW64\Jqjdon32.exe
    Command line: C:\Windows\system32\Jqjdon32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID: 2480
34. C:\Windows\SysWOW64\Jgdmkhnp.exe
    Command line: C:\Windows\system32\Jgdmkhnp.exe
    - Executes dropped EXE
    PID: 2740
35. C:\Windows\SysWOW64\Jnnehb32.exe
    Command line: C:\Windows\system32\Jnnehb32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 2380
36. C:\Windows\SysWOW64\Jqmadn32.exe
    Command line: C:\Windows\system32\Jqmadn32.exe
    - Executes dropped EXE
    PID: 2536
37. C:\Windows\SysWOW64\Jggiah32.exe
    Command line: C:\Windows\system32\Jggiah32.exe
    - Executes dropped EXE
    PID: 952
38. C:\Windows\SysWOW64\Jjefmc32.exe
    Command line: C:\Windows\system32\Jjefmc32.exe
    - Executes dropped EXE
    PID: 1372
39. C:\Windows\SysWOW64\Jmcbio32.exe
    Command line: C:\Windows\system32\Jmcbio32.exe
    - Executes dropped EXE
    PID: 2448
40. C:\Windows\SysWOW64\Jgiffg32.exe
    Command line: C:\Windows\system32\Jgiffg32.exe
    - Executes dropped EXE
    PID: 276
41. C:\Windows\SysWOW64\Jijbnppi.exe
    Command line: C:\Windows\system32\Jijbnppi.exe
    - Executes dropped EXE
    PID: 1948
42. C:\Windows\SysWOW64\Jmfoon32.exe
    Command line: C:\Windows\system32\Jmfoon32.exe
    - Executes dropped EXE
    - Modifies registry class
    PID: 2828
43. C:\Windows\SysWOW64\Jbbgge32.exe
    Command line: C:\Windows\system32\Jbbgge32.exe
    - Executes dropped EXE
    PID: 2168
44. C:\Windows\SysWOW64\Jjjohbgl.exe
    Command line: C:\Windows\system32\Jjjohbgl.exe
    - Executes dropped EXE
    - Modifies registry class
    PID: 2456
45. C:\Windows\SysWOW64\Jofhqiec.exe
    Command line: C:\Windows\system32\Jofhqiec.exe
    - Executes dropped EXE
    PID: 1640
46. C:\Windows\SysWOW64\Kbedmedg.exe
    Command line: C:\Windows\system32\Kbedmedg.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 1788
47. C:\Windows\SysWOW64\Kecpipck.exe
    Command line: C:\Windows\system32\Kecpipck.exe
    - Executes dropped EXE
    - Modifies registry class
    PID: 944
48. C:\Windows\SysWOW64\Knldaf32.exe
    Command line: C:\Windows\system32\Knldaf32.exe
    - Executes dropped EXE
    PID: 2256
49. C:\Windows\SysWOW64\Kefmnp32.exe
    Command line: C:\Windows\system32\Kefmnp32.exe
    - Executes dropped EXE
    - Modifies registry class
    PID: 2916
50. C:\Windows\SysWOW64\Kgdijk32.exe
    Command line: C:\Windows\system32\Kgdijk32.exe
    - Executes dropped EXE
    - Modifies registry class
    PID: 1572
51. C:\Windows\SysWOW64\Kpkali32.exe
    Command line: C:\Windows\system32\Kpkali32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 2272
52. C:\Windows\SysWOW64\Knnagehi.exe
    Command line: C:\Windows\system32\Knnagehi.exe
    - Executes dropped EXE
    PID: 2824
53. C:\Windows\SysWOW64\Kamncagl.exe
    Command line: C:\Windows\system32\Kamncagl.exe
    - Executes dropped EXE
    - Modifies registry class
    PID: 2568
54. C:\Windows\SysWOW64\Kehidp32.exe
    Command line: C:\Windows\system32\Kehidp32.exe
    - Executes dropped EXE
    PID: 2600
55. C:\Windows\SysWOW64\Kicednho.exe
    Command line: C:\Windows\system32\Kicednho.exe
    - Executes dropped EXE
    PID: 2984
56. C:\Windows\SysWOW64\Kkbbqjgb.exe
    Command line: C:\Windows\system32\Kkbbqjgb.exe
    - Executes dropped EXE
    - Modifies registry class
    PID: 2840
57. C:\Windows\SysWOW64\Kjeblf32.exe
    Command line: C:\Windows\system32\Kjeblf32.exe
    - Executes dropped EXE
    PID: 2376
58. C:\Windows\SysWOW64\Kbljmd32.exe
    Command line: C:\Windows\system32\Kbljmd32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID: 1520
59. C:\Windows\SysWOW64\Kejfio32.exe
    Command line: C:\Windows\system32\Kejfio32.exe
    - Executes dropped EXE
    PID: 2464
60. C:\Windows\SysWOW64\Kcmfeldm.exe
    Command line: C:\Windows\system32\Kcmfeldm.exe
    - Executes dropped EXE
    PID: 2460
61. C:\Windows\SysWOW64\Kldofi32.exe
    Command line: C:\Windows\system32\Kldofi32.exe
    - Executes dropped EXE
    PID: 2724
62. C:\Windows\SysWOW64\Knckbe32.exe
    Command line: C:\Windows\system32\Knckbe32.exe
    - Executes dropped EXE
    PID: 2796
63. C:\Windows\SysWOW64\Kmeknakn.exe
    Command line: C:\Windows\system32\Kmeknakn.exe
    - Executes dropped EXE
    PID: 2728
64. C:\Windows\SysWOW64\Kaagnp32.exe
    Command line: C:\Windows\system32\Kaagnp32.exe
    - Executes dropped EXE
    PID: 2868
65. C:\Windows\SysWOW64\Ljjkgfig.exe
    Command line: C:\Windows\system32\Ljjkgfig.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 2124
66. C:\Windows\SysWOW64\Lmhhcaik.exe
    Command line: C:\Windows\system32\Lmhhcaik.exe
    PID: 1172
67. C:\Windows\SysWOW64\Lcbppk32.exe
    Command line: C:\Windows\system32\Lcbppk32.exe
    - Drops file in System32 directory
    PID: 1836
68. C:\Windows\SysWOW64\Lfpllg32.exe
    Command line: C:\Windows\system32\Lfpllg32.exe
    PID: 2276
69. C:\Windows\SysWOW64\Lafpipoa.exe
    Command line: C:\Windows\system32\Lafpipoa.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID: 996
70. C:\Windows\SysWOW64\Lcdmekne.exe
    Command line: C:\Windows\system32\Lcdmekne.exe
    - Drops file in System32 directory
    - Modifies registry class
    PID: 2100
71. C:\Windows\SysWOW64\Lfbibfmi.exe
    Command line: C:\Windows\system32\Lfbibfmi.exe
    PID: 2576
72. C:\Windows\SysWOW64\Ljnebe32.exe
    Command line: C:\Windows\system32\Ljnebe32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 2064
73. C:\Windows\SysWOW64\Llpajmkq.exe
    Command line: C:\Windows\system32\Llpajmkq.exe
    PID: 2356
74. C:\Windows\SysWOW64\Lpkmkl32.exe
    Command line: C:\Windows\system32\Lpkmkl32.exe
    PID: 2960
75. C:\Windows\SysWOW64\Lbijgg32.exe
    Command line: C:\Windows\system32\Lbijgg32.exe
    - Drops file in System32 directory
    PID: 1240
76. C:\Windows\SysWOW64\Lfeegfkf.exe
    Command line: C:\Windows\system32\Lfeegfkf.exe
    PID: 1300
77. C:\Windows\SysWOW64\Licbca32.exe
    Command line: C:\Windows\system32\Licbca32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 2720
78. C:\Windows\SysWOW64\Llbnpm32.exe
    Command line: C:\Windows\system32\Llbnpm32.exe
    PID: 2852
79. C:\Windows\SysWOW64\Lblflgqk.exe
    Command line: C:\Windows\system32\Lblflgqk.exe
    PID: 576
80. C:\Windows\SysWOW64\Lejbhbpn.exe
    Command line: C:\Windows\system32\Lejbhbpn.exe
    PID: 2224
81. C:\Windows\SysWOW64\Lldkem32.exe
    Command line: C:\Windows\system32\Lldkem32.exe
    PID: 804
82. C:\Windows\SysWOW64\Lobgah32.exe
    Command line: C:\Windows\system32\Lobgah32.exe
    PID: 1736
83. C:\Windows\SysWOW64\Mihkoa32.exe
    Command line: C:\Windows\system32\Mihkoa32.exe
    - Modifies registry class
    PID: 1344
84. C:\Windows\SysWOW64\Mlfgkleh.exe
    Command line: C:\Windows\system32\Mlfgkleh.exe
    PID: 692
85. C:\Windows\SysWOW64\Mbqpgf32.exe
    Command line: C:\Windows\system32\Mbqpgf32.exe
    PID: 2284
86. C:\Windows\SysWOW64\Mdbloobc.exe
    Command line: C:\Windows\system32\Mdbloobc.exe
    PID: 2844
87. C:\Windows\SysWOW64\Mhmhpm32.exe
    Command line: C:\Windows\system32\Mhmhpm32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 3004
88. C:\Windows\SysWOW64\Mkldli32.exe
    Command line: C:\Windows\system32\Mkldli32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 2956
89. C:\Windows\SysWOW64\Mmjqhd32.exe
    Command line: C:\Windows\system32\Mmjqhd32.exe
    PID: 2180
90. C:\Windows\SysWOW64\Meaiia32.exe
    Command line: C:\Windows\system32\Meaiia32.exe
    PID: 1148
91. C:\Windows\SysWOW64\Mhpeem32.exe
    Command line: C:\Windows\system32\Mhpeem32.exe
    - Modifies registry class
    PID: 2732
92. C:\Windows\SysWOW64\Mgbeqjpd.exe
    Command line: C:\Windows\system32\Mgbeqjpd.exe
    PID: 2704
93. C:\Windows\SysWOW64\Mmlmmdga.exe
    Command line: C:\Windows\system32\Mmlmmdga.exe
    - Drops file in System32 directory
    PID: 2400
94. C:\Windows\SysWOW64\Mahinb32.exe
    Command line: C:\Windows\system32\Mahinb32.exe
    PID: 2336
95. C:\Windows\SysWOW64\Mpkjjofe.exe
    Command line: C:\Windows\system32\Mpkjjofe.exe
    PID: 2808
96. C:\Windows\SysWOW64\Mhbakmgg.exe
    Command line: C:\Windows\system32\Mhbakmgg.exe
    PID: 1996
97. C:\Windows\SysWOW64\Mgebfi32.exe
    Command line: C:\Windows\system32\Mgebfi32.exe
    PID: 1392
98. C:\Windows\SysWOW64\Micnbe32.exe
    Command line: C:\Windows\system32\Micnbe32.exe
    PID: 1684
99. C:\Windows\SysWOW64\Majfcb32.exe
    Command line: C:\Windows\system32\Majfcb32.exe
    PID: 1680
100. C:\Windows\SysWOW64\Mpmfoodb.exe
     Command line: C:\Windows\system32\Mpmfoodb.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
     PID: 2492
101. C:\Windows\SysWOW64\Mggoli32.exe
     Command line: C:\Windows\system32\Mggoli32.exe
     PID: 2488
102. C:\Windows\SysWOW64\Mkcjlhdh.exe
     Command line: C:\Windows\system32\Mkcjlhdh.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
     PID: 2800
103. C:\Windows\SysWOW64\Mmaghc32.exe
     Command line: C:\Windows\system32\Mmaghc32.exe
     PID: 2384
104. C:\Windows\SysWOW64\Nppceo32.exe
     Command line: C:\Windows\system32\Nppceo32.exe
     PID: 2248
105. C:\Windows\SysWOW64\Ngikaijm.exe
     Command line: C:\Windows\system32\Ngikaijm.exe
     PID: 2636
106. C:\Windows\SysWOW64\Nelkme32.exe
     Command line: C:\Windows\system32\Nelkme32.exe
     PID: 1968
107. C:\Windows\SysWOW64\Nlfdjphd.exe
     Command line: C:\Windows\system32\Nlfdjphd.exe
     PID: 2152
108. C:\Windows\SysWOW64\Noepfkgh.exe
     Command line: C:\Windows\system32\Noepfkgh.exe
     - Drops file in System32 directory
     PID: 1568
109. C:\Windows\SysWOW64\Nglhghgj.exe
     Command line: C:\Windows\system32\Nglhghgj.exe
     PID: 912
110. C:\Windows\SysWOW64\Nijdcdgn.exe
     Command line: C:\Windows\system32\Nijdcdgn.exe
     PID: 768
111. C:\Windows\SysWOW64\Nogmkk32.exe
     Command line: C:\Windows\system32\Nogmkk32.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Drops file in System32 directory
     PID: 1764
112. C:\Windows\SysWOW64\Naeigf32.exe
     Command line: C:\Windows\system32\Naeigf32.exe
     PID: 2496
113. C:\Windows\SysWOW64\Nhpadpke.exe
     Command line: C:\Windows\system32\Nhpadpke.exe
     - Modifies registry class
     PID: 2432
114. C:\Windows\SysWOW64\Nlkmeo32.exe
     Command line: C:\Windows\system32\Nlkmeo32.exe
     PID: 2716
115. C:\Windows\SysWOW64\Nceeaikk.exe
     Command line: C:\Windows\system32\Nceeaikk.exe
     PID: 932
116. C:\Windows\SysWOW64\Necandjo.exe
     Command line: C:\Windows\system32\Necandjo.exe
     PID: 2820
117. C:\Windows\SysWOW64\Ndfbia32.exe
     Command line: C:\Windows\system32\Ndfbia32.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
     PID: 988
118. C:\Windows\SysWOW64\Nlmjjo32.exe
     Command line: C:\Windows\system32\Nlmjjo32.exe
     PID: 1032
119. C:\Windows\SysWOW64\Nolffjap.exe
     Command line: C:\Windows\system32\Nolffjap.exe
     PID: 1292
120. C:\Windows\SysWOW64\Najbbepc.exe
     Command line: C:\Windows\system32\Najbbepc.exe
     PID: 3048
121. C:\Windows\SysWOW64\Nefncd32.exe
     Command line: C:\Windows\system32\Nefncd32.exe
     - Drops file in System32 directory
     PID: 2524
122. C:\Windows\SysWOW64\Ohdkop32.exe
     Command line: C:\Windows\system32\Ohdkop32.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
     PID: 2424