Analysis
-
max time kernel
148s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 06:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f6478c1233ca61cf0da62415ac72b662f264fee1299a62ed1780f334cd047470.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
f6478c1233ca61cf0da62415ac72b662f264fee1299a62ed1780f334cd047470.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
f6478c1233ca61cf0da62415ac72b662f264fee1299a62ed1780f334cd047470.exe
-
Size
1.6MB
-
MD5
c3d66de0da0b89366f3af16c35c1e695
-
SHA1
84f08b344fbb8b984c90511e340b5b8d92c9511f
-
SHA256
f6478c1233ca61cf0da62415ac72b662f264fee1299a62ed1780f334cd047470
-
SHA512
a01c5a58678f91d8beb86ea1ac0c6bc074eca362fcf6c966d9f0c374fe072ac128d7b25cccdf978715459a21698690bf06d9ab6e3c9e06d4cb6b84cf560a879b
-
SSDEEP
24576:Kf5h3q5hrq5h3q5hFw75h3q5hrq5h3q5hs:i
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmefm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkeimlfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odhfob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbdnko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimemp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmkncofl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dldhdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Micklk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oejcpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcqlkjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdbepm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chkmkacq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnpciaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdgmimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbpbmkan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhbkpgbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fooembgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hklhae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmpnhdfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcbabpcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pohhna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifdlng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adipfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkeimlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bilmcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iphecepe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agdmdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdcifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjcabmga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdeeqehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egjpkffe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mooaljkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekpheb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fioija32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kofopj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enfgfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mimpkcdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqokpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qoeamo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baefnmml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckbpqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdjefj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdjpeifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olkfmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oococb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekhkjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkggmldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldahkaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlilqbgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meccii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jocflgga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkbgckgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjqmig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbhmnkjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnbjlpom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqdefddb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mciabmlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odmckcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fppaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jedehaea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqilooij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cepfgdnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcqlkjae.exe -
Executes dropped EXE 64 IoCs
pid Process 2244 Bebkpn32.exe 3068 Bdjefj32.exe 1996 Ccfhhffh.exe 2876 Chcqpmep.exe 2456 Dgdmmgpj.exe 2444 Dfijnd32.exe 2080 Fnpnndgp.exe 2828 Fpfdalii.exe 3012 Fbdqmghm.exe 1608 Fioija32.exe 2764 Flmefm32.exe 2500 Ihankokm.exe 1196 Jfqahgpg.exe 2064 Jifdebic.exe 1796 Kgbggnhc.exe 268 Kifpdelo.exe 1716 Lojomkdn.exe 300 Mkeimlfm.exe 452 Mbpnanch.exe 2160 Meagci32.exe 1524 Meccii32.exe 1584 Mlmlecec.exe 3048 Ncjqhmkm.exe 352 Nhfipcid.exe 1972 Npdjje32.exe 312 Njlockkm.exe 1032 Ndbcpd32.exe 1572 Ogblbo32.exe 1284 Oonafa32.exe 2112 Ogeigofa.exe 2720 Onhgbmfb.exe 2872 Pfoocjfd.exe 2568 Pbhmnkjf.exe 2600 Pjcabmga.exe 1588 Pnajilng.exe 2968 Pflomnkb.exe 2668 Qcbllb32.exe 2988 Apimacnn.exe 1964 Ahgnke32.exe 2856 Anafhopc.exe 2196 Aoepcn32.exe 1336 Bpgljfbl.exe 1804 Bdeeqehb.exe 2672 Bkommo32.exe 1468 Bblogakg.exe 1852 Bppoqeja.exe 572 Cadhnmnm.exe 2304 Cdbdjhmp.exe 1768 Cgcmlcja.exe 2884 Cojema32.exe 620 Cdikkg32.exe 2216 Cghggc32.exe 2936 Djhphncm.exe 1604 Doehqead.exe 1668 Dbfabp32.exe 2572 Djmicm32.exe 2108 Dcenlceh.exe 2708 Dkqbaecc.exe 2452 Ddigjkid.exe 2520 Egjpkffe.exe 1596 Eqbddk32.exe 2848 Emieil32.exe 1948 Egoife32.exe 2800 Ejobhppq.exe -
Loads dropped DLL 64 IoCs
pid Process 2020 f6478c1233ca61cf0da62415ac72b662f264fee1299a62ed1780f334cd047470.exe 2020 f6478c1233ca61cf0da62415ac72b662f264fee1299a62ed1780f334cd047470.exe 2244 Bebkpn32.exe 2244 Bebkpn32.exe 3068 Bdjefj32.exe 3068 Bdjefj32.exe 1996 Ccfhhffh.exe 1996 Ccfhhffh.exe 2876 Chcqpmep.exe 2876 Chcqpmep.exe 2456 Dgdmmgpj.exe 2456 Dgdmmgpj.exe 2444 Dfijnd32.exe 2444 Dfijnd32.exe 2080 Fnpnndgp.exe 2080 Fnpnndgp.exe 2828 Fpfdalii.exe 2828 Fpfdalii.exe 3012 Fbdqmghm.exe 3012 Fbdqmghm.exe 1608 Fioija32.exe 1608 Fioija32.exe 2764 Flmefm32.exe 2764 Flmefm32.exe 2500 Ihankokm.exe 2500 Ihankokm.exe 1196 Jfqahgpg.exe 1196 Jfqahgpg.exe 2064 Jifdebic.exe 2064 Jifdebic.exe 1796 Kgbggnhc.exe 1796 Kgbggnhc.exe 268 Kifpdelo.exe 268 Kifpdelo.exe 1716 Lojomkdn.exe 1716 Lojomkdn.exe 300 Mkeimlfm.exe 300 Mkeimlfm.exe 452 Mbpnanch.exe 452 Mbpnanch.exe 2160 Meagci32.exe 2160 Meagci32.exe 1524 Meccii32.exe 1524 Meccii32.exe 1584 Mlmlecec.exe 1584 Mlmlecec.exe 3048 Ncjqhmkm.exe 3048 Ncjqhmkm.exe 352 Nhfipcid.exe 352 Nhfipcid.exe 1972 Npdjje32.exe 1972 Npdjje32.exe 312 Njlockkm.exe 312 Njlockkm.exe 1032 Ndbcpd32.exe 1032 Ndbcpd32.exe 1572 Ogblbo32.exe 1572 Ogblbo32.exe 1284 Oonafa32.exe 1284 Oonafa32.exe 2112 Ogeigofa.exe 2112 Ogeigofa.exe 2720 Onhgbmfb.exe 2720 Onhgbmfb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Efjlgmlf.exe Egglkp32.exe File created C:\Windows\SysWOW64\Dkadjn32.exe Daipqhdg.exe File opened for modification C:\Windows\SysWOW64\Cjlheehe.exe Cgkocj32.exe File opened for modification C:\Windows\SysWOW64\Dmjqpdje.exe Dhmhhmlm.exe File created C:\Windows\SysWOW64\Knfndjdp.exe Kdnild32.exe File created C:\Windows\SysWOW64\Hbqoqbho.exe Hdkape32.exe File created C:\Windows\SysWOW64\Enfgfh32.exe Ekhkjm32.exe File opened for modification C:\Windows\SysWOW64\Jelfdc32.exe Jbnjhh32.exe File created C:\Windows\SysWOW64\Mehoblpm.dll Qhkipdeb.exe File created C:\Windows\SysWOW64\Bfabnl32.exe Baefnmml.exe File created C:\Windows\SysWOW64\Bodgdaah.dll Dcccpl32.exe File created C:\Windows\SysWOW64\Kgbggnhc.exe Jifdebic.exe File created C:\Windows\SysWOW64\Ikmpacaf.dll Ehkhaqpk.exe File created C:\Windows\SysWOW64\Paknelgk.exe Pkoicb32.exe File created C:\Windows\SysWOW64\Jelfdc32.exe Jbnjhh32.exe File opened for modification C:\Windows\SysWOW64\Gaagcpdl.exe Glbaei32.exe File created C:\Windows\SysWOW64\Iddpheep.dll Jfaeme32.exe File created C:\Windows\SysWOW64\Flmefm32.exe Fioija32.exe File opened for modification C:\Windows\SysWOW64\Qcbllb32.exe Pflomnkb.exe File created C:\Windows\SysWOW64\Jocflgga.exe Ijdqna32.exe File opened for modification C:\Windows\SysWOW64\Bbgnak32.exe Bmhideol.exe File created C:\Windows\SysWOW64\Hfbhkb32.exe Gligjd32.exe File opened for modification C:\Windows\SysWOW64\Ljnnko32.exe Lqejbiim.exe File created C:\Windows\SysWOW64\Jialfgcc.exe Jefpeh32.exe File created C:\Windows\SysWOW64\Onfoin32.exe Ndqkleln.exe File created C:\Windows\SysWOW64\Dnpciaef.exe Calcpm32.exe File opened for modification C:\Windows\SysWOW64\Khjgel32.exe Kdnkdmec.exe File opened for modification C:\Windows\SysWOW64\Bpgljfbl.exe Aoepcn32.exe File opened for modification C:\Windows\SysWOW64\Mjqmig32.exe Lgpdglhn.exe File opened for modification C:\Windows\SysWOW64\Fpfdalii.exe Fnpnndgp.exe File created C:\Windows\SysWOW64\Edfpjabf.dll Hoamgd32.exe File created C:\Windows\SysWOW64\Lmpanl32.dll Bilmcf32.exe File created C:\Windows\SysWOW64\Jmiiak32.dll Gacbmk32.exe File created C:\Windows\SysWOW64\Bfeeehni.dll Jpdnbbah.exe File opened for modification C:\Windows\SysWOW64\Nfahomfd.exe Mbcoio32.exe File created C:\Windows\SysWOW64\Efljhq32.exe Eldiehbk.exe File created C:\Windows\SysWOW64\Hnlfhkoa.dll Obdojcef.exe File opened for modification C:\Windows\SysWOW64\Klhgfq32.exe Kenoifpb.exe File created C:\Windows\SysWOW64\Qoeamo32.exe Qkielpdf.exe File opened for modification C:\Windows\SysWOW64\Jcqlkjae.exe Jabponba.exe File opened for modification C:\Windows\SysWOW64\Ahebaiac.exe Aomnhd32.exe File created C:\Windows\SysWOW64\Adipfd32.exe Apmcefmf.exe File opened for modification C:\Windows\SysWOW64\Homclekn.exe Hipkdnmf.exe File created C:\Windows\SysWOW64\Mlfacfpc.exe Miehak32.exe File opened for modification C:\Windows\SysWOW64\Pcljmdmj.exe Paknelgk.exe File created C:\Windows\SysWOW64\Codebccd.dll Qhilkege.exe File opened for modification C:\Windows\SysWOW64\Kofopj32.exe Kqqboncb.exe File opened for modification C:\Windows\SysWOW64\Bnldjekl.exe Bkklhjnk.exe File opened for modification C:\Windows\SysWOW64\Olbfagca.exe Ofcqcp32.exe File created C:\Windows\SysWOW64\Jmhjff32.dll Eaebeoan.exe File opened for modification C:\Windows\SysWOW64\Jdflqo32.exe Jagpdd32.exe File created C:\Windows\SysWOW64\Pdlkggmp.dll Laleof32.exe File created C:\Windows\SysWOW64\Eojdkn32.dll Hijgml32.exe File opened for modification C:\Windows\SysWOW64\Mjhhld32.exe Mmdgbp32.exe File created C:\Windows\SysWOW64\Olkfmi32.exe Nenakoho.exe File created C:\Windows\SysWOW64\Hifhgh32.dll Mbcoio32.exe File created C:\Windows\SysWOW64\Jlhkgm32.exe Jhmofo32.exe File opened for modification C:\Windows\SysWOW64\Ciagojda.exe Cbgobp32.exe File created C:\Windows\SysWOW64\Cogbjdmj.dll Ijdqna32.exe File opened for modification C:\Windows\SysWOW64\Onbgmg32.exe Odhfob32.exe File created C:\Windows\SysWOW64\Bmhideol.exe Bilmcf32.exe File opened for modification C:\Windows\SysWOW64\Fdjidgfa.exe Fbjpblip.exe File created C:\Windows\SysWOW64\Hgjood32.dll Idknoi32.exe File created C:\Windows\SysWOW64\Gmhfmm32.dll Nhgkil32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2680 3740 WerFault.exe 703 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahgegngf.dll" Fgadda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkfmcc32.dll" Gqahqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmjoqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlhkgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehoblpm.dll" Qhkipdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbofmcij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fioija32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onhgbmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abphal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llnaoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkbgckgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkalhgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoomoin.dll" Kgpmjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jllqplnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nncojg32.dll" Igmbgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciokijfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfakep32.dll" Ciokijfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmbgl32.dll" Njlockkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciqcmiei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjjnan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnifja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aebmjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meccii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoamgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhjmfnok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddpheep.dll" Jfaeme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dngabk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdcifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eommkfoh.dll" Mhfjjdjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjihmmbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paocnkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkoicb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jllqplnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkpegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdmnam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agdmdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcphnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqahqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mffimglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll" Bhdgjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndqkleln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nppofado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khjgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikldqile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioolqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpnmgdli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqnifg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opialpld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbgnak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfnnoge.dll" Pgcmbcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgcmbcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldmopa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiioin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onbgmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jglgpdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopjqipp.dll" Ohcdhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eikfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifibfn.dll" Fgjjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcgbb32.dll" Jcciqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoamgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idknoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclelk32.dll" Findhdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pejmfqan.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2020 wrote to memory of 2244 2020 f6478c1233ca61cf0da62415ac72b662f264fee1299a62ed1780f334cd047470.exe 28 PID 2020 wrote to memory of 2244 2020 f6478c1233ca61cf0da62415ac72b662f264fee1299a62ed1780f334cd047470.exe 28 PID 2020 wrote to memory of 2244 2020 f6478c1233ca61cf0da62415ac72b662f264fee1299a62ed1780f334cd047470.exe 28 PID 2020 wrote to memory of 2244 2020 f6478c1233ca61cf0da62415ac72b662f264fee1299a62ed1780f334cd047470.exe 28 PID 2244 wrote to memory of 3068 2244 Bebkpn32.exe 29 PID 2244 wrote to memory of 3068 2244 Bebkpn32.exe 29 PID 2244 wrote to memory of 3068 2244 Bebkpn32.exe 29 PID 2244 wrote to memory of 3068 2244 Bebkpn32.exe 29 PID 3068 wrote to memory of 1996 3068 Bdjefj32.exe 30 PID 3068 wrote to memory of 1996 3068 Bdjefj32.exe 30 PID 3068 wrote to memory of 1996 3068 Bdjefj32.exe 30 PID 3068 wrote to memory of 1996 3068 Bdjefj32.exe 30 PID 1996 wrote to memory of 2876 1996 Ccfhhffh.exe 31 PID 1996 wrote to memory of 2876 1996 Ccfhhffh.exe 31 PID 1996 wrote to memory of 2876 1996 Ccfhhffh.exe 31 PID 1996 wrote to memory of 2876 1996 Ccfhhffh.exe 31 PID 2876 wrote to memory of 2456 2876 Chcqpmep.exe 32 PID 2876 wrote to memory of 2456 2876 Chcqpmep.exe 32 PID 2876 wrote to memory of 2456 2876 Chcqpmep.exe 32 PID 2876 wrote to memory of 2456 2876 Chcqpmep.exe 32 PID 2456 wrote to memory of 2444 2456 Dgdmmgpj.exe 33 PID 2456 wrote to memory of 2444 2456 Dgdmmgpj.exe 33 PID 2456 wrote to memory of 2444 2456 Dgdmmgpj.exe 33 PID 2456 wrote to memory of 2444 2456 Dgdmmgpj.exe 33 PID 2444 wrote to memory of 2080 2444 Dfijnd32.exe 34 PID 2444 wrote to memory of 2080 2444 Dfijnd32.exe 34 PID 2444 wrote to memory of 2080 2444 Dfijnd32.exe 34 PID 2444 wrote to memory of 2080 2444 Dfijnd32.exe 34 PID 2080 wrote to memory of 2828 2080 Fnpnndgp.exe 35 PID 2080 wrote to memory of 2828 2080 Fnpnndgp.exe 35 PID 2080 wrote to memory of 2828 2080 Fnpnndgp.exe 35 PID 2080 wrote to memory of 2828 2080 Fnpnndgp.exe 35 PID 2828 wrote to memory of 3012 2828 Fpfdalii.exe 36 PID 2828 wrote to memory of 3012 2828 Fpfdalii.exe 36 PID 2828 wrote to memory of 3012 2828 Fpfdalii.exe 36 PID 2828 wrote to memory of 3012 2828 Fpfdalii.exe 36 PID 3012 wrote to memory of 1608 3012 Fbdqmghm.exe 37 PID 3012 wrote to memory of 1608 3012 Fbdqmghm.exe 37 PID 3012 wrote to memory of 1608 3012 Fbdqmghm.exe 37 PID 3012 wrote to memory of 1608 3012 Fbdqmghm.exe 37 PID 1608 wrote to memory of 2764 1608 Fioija32.exe 38 PID 1608 wrote to memory of 2764 1608 Fioija32.exe 38 PID 1608 wrote to memory of 2764 1608 Fioija32.exe 38 PID 1608 wrote to memory of 2764 1608 Fioija32.exe 38 PID 2764 wrote to memory of 2500 2764 Flmefm32.exe 39 PID 2764 wrote to memory of 2500 2764 Flmefm32.exe 39 PID 2764 wrote to memory of 2500 2764 Flmefm32.exe 39 PID 2764 wrote to memory of 2500 2764 Flmefm32.exe 39 PID 2500 wrote to memory of 1196 2500 Ihankokm.exe 40 PID 2500 wrote to memory of 1196 2500 Ihankokm.exe 40 PID 2500 wrote to memory of 1196 2500 Ihankokm.exe 40 PID 2500 wrote to memory of 1196 2500 Ihankokm.exe 40 PID 1196 wrote to memory of 2064 1196 Jfqahgpg.exe 41 PID 1196 wrote to memory of 2064 1196 Jfqahgpg.exe 41 PID 1196 wrote to memory of 2064 1196 Jfqahgpg.exe 41 PID 1196 wrote to memory of 2064 1196 Jfqahgpg.exe 41 PID 2064 wrote to memory of 1796 2064 Jifdebic.exe 42 PID 2064 wrote to memory of 1796 2064 Jifdebic.exe 42 PID 2064 wrote to memory of 1796 2064 Jifdebic.exe 42 PID 2064 wrote to memory of 1796 2064 Jifdebic.exe 42 PID 1796 wrote to memory of 268 1796 Kgbggnhc.exe 43 PID 1796 wrote to memory of 268 1796 Kgbggnhc.exe 43 PID 1796 wrote to memory of 268 1796 Kgbggnhc.exe 43 PID 1796 wrote to memory of 268 1796 Kgbggnhc.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6478c1233ca61cf0da62415ac72b662f264fee1299a62ed1780f334cd047470.exe"C:\Users\Admin\AppData\Local\Temp\f6478c1233ca61cf0da62415ac72b662f264fee1299a62ed1780f334cd047470.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:268 -
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:300 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:452 -
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:352 -
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Njlockkm.exeC:\Windows\system32\Njlockkm.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:312 -
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1032 -
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1284 -
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe33⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe36⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Pflomnkb.exeC:\Windows\system32\Pflomnkb.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe38⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Apimacnn.exeC:\Windows\system32\Apimacnn.exe39⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Ahgnke32.exeC:\Windows\system32\Ahgnke32.exe40⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Anafhopc.exeC:\Windows\system32\Anafhopc.exe41⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Aoepcn32.exeC:\Windows\system32\Aoepcn32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Bpgljfbl.exeC:\Windows\system32\Bpgljfbl.exe43⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Bdeeqehb.exeC:\Windows\system32\Bdeeqehb.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Bkommo32.exeC:\Windows\system32\Bkommo32.exe45⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe46⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Bppoqeja.exeC:\Windows\system32\Bppoqeja.exe47⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Cadhnmnm.exeC:\Windows\system32\Cadhnmnm.exe48⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Cdbdjhmp.exeC:\Windows\system32\Cdbdjhmp.exe49⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Cgcmlcja.exeC:\Windows\system32\Cgcmlcja.exe50⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Cojema32.exeC:\Windows\system32\Cojema32.exe51⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Cdikkg32.exeC:\Windows\system32\Cdikkg32.exe52⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Cghggc32.exeC:\Windows\system32\Cghggc32.exe53⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Djhphncm.exeC:\Windows\system32\Djhphncm.exe54⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Doehqead.exeC:\Windows\system32\Doehqead.exe55⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Dpeekh32.exeC:\Windows\system32\Dpeekh32.exe56⤵PID:1280
-
C:\Windows\SysWOW64\Dbfabp32.exeC:\Windows\system32\Dbfabp32.exe57⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Djmicm32.exeC:\Windows\system32\Djmicm32.exe58⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Dcenlceh.exeC:\Windows\system32\Dcenlceh.exe59⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Dkqbaecc.exeC:\Windows\system32\Dkqbaecc.exe60⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Ddigjkid.exeC:\Windows\system32\Ddigjkid.exe61⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Egjpkffe.exeC:\Windows\system32\Egjpkffe.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Eqbddk32.exeC:\Windows\system32\Eqbddk32.exe63⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Emieil32.exeC:\Windows\system32\Emieil32.exe64⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Egoife32.exeC:\Windows\system32\Egoife32.exe65⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Ejobhppq.exeC:\Windows\system32\Ejobhppq.exe66⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Emnndlod.exeC:\Windows\system32\Emnndlod.exe67⤵PID:1944
-
C:\Windows\SysWOW64\Fbmcbbki.exeC:\Windows\system32\Fbmcbbki.exe68⤵PID:1392
-
C:\Windows\SysWOW64\Figlolbf.exeC:\Windows\system32\Figlolbf.exe69⤵PID:1792
-
C:\Windows\SysWOW64\Fpcqaf32.exeC:\Windows\system32\Fpcqaf32.exe70⤵PID:2816
-
C:\Windows\SysWOW64\Fnfamcoj.exeC:\Windows\system32\Fnfamcoj.exe71⤵PID:988
-
C:\Windows\SysWOW64\Fagjnn32.exeC:\Windows\system32\Fagjnn32.exe72⤵PID:616
-
C:\Windows\SysWOW64\Fllnlg32.exeC:\Windows\system32\Fllnlg32.exe73⤵PID:1512
-
C:\Windows\SysWOW64\Fjongcbl.exeC:\Windows\system32\Fjongcbl.exe74⤵PID:108
-
C:\Windows\SysWOW64\Gmpgio32.exeC:\Windows\system32\Gmpgio32.exe75⤵PID:2916
-
C:\Windows\SysWOW64\Gdjpeifj.exeC:\Windows\system32\Gdjpeifj.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2008 -
C:\Windows\SysWOW64\Gfjhgdck.exeC:\Windows\system32\Gfjhgdck.exe77⤵PID:2576
-
C:\Windows\SysWOW64\Gohjaf32.exeC:\Windows\system32\Gohjaf32.exe78⤵PID:2860
-
C:\Windows\SysWOW64\Gfobbc32.exeC:\Windows\system32\Gfobbc32.exe79⤵PID:2540
-
C:\Windows\SysWOW64\Hipkdnmf.exeC:\Windows\system32\Hipkdnmf.exe80⤵
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Homclekn.exeC:\Windows\system32\Homclekn.exe81⤵PID:1620
-
C:\Windows\SysWOW64\Hakphqja.exeC:\Windows\system32\Hakphqja.exe82⤵PID:2532
-
C:\Windows\SysWOW64\Hanlnp32.exeC:\Windows\system32\Hanlnp32.exe83⤵PID:2608
-
C:\Windows\SysWOW64\Hgjefg32.exeC:\Windows\system32\Hgjefg32.exe84⤵PID:2632
-
C:\Windows\SysWOW64\Hoamgd32.exeC:\Windows\system32\Hoamgd32.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Hmdmcanc.exeC:\Windows\system32\Hmdmcanc.exe86⤵PID:2528
-
C:\Windows\SysWOW64\Hpbiommg.exeC:\Windows\system32\Hpbiommg.exe87⤵PID:1472
-
C:\Windows\SysWOW64\Inkccpgk.exeC:\Windows\system32\Inkccpgk.exe88⤵PID:2144
-
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe89⤵PID:1340
-
C:\Windows\SysWOW64\Ioolqh32.exeC:\Windows\system32\Ioolqh32.exe90⤵
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Ijdqna32.exeC:\Windows\system32\Ijdqna32.exe91⤵
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Jocflgga.exeC:\Windows\system32\Jocflgga.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2100 -
C:\Windows\SysWOW64\Jdpndnei.exeC:\Windows\system32\Jdpndnei.exe93⤵PID:2380
-
C:\Windows\SysWOW64\Jnkpbcjg.exeC:\Windows\system32\Jnkpbcjg.exe94⤵PID:1244
-
C:\Windows\SysWOW64\Jqilooij.exeC:\Windows\system32\Jqilooij.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2596 -
C:\Windows\SysWOW64\Jcjdpj32.exeC:\Windows\system32\Jcjdpj32.exe96⤵PID:2976
-
C:\Windows\SysWOW64\Jjdmmdnh.exeC:\Windows\system32\Jjdmmdnh.exe97⤵PID:2472
-
C:\Windows\SysWOW64\Jqnejn32.exeC:\Windows\system32\Jqnejn32.exe98⤵PID:2752
-
C:\Windows\SysWOW64\Kjfjbdle.exeC:\Windows\system32\Kjfjbdle.exe99⤵PID:2664
-
C:\Windows\SysWOW64\Kqqboncb.exeC:\Windows\system32\Kqqboncb.exe100⤵
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Kofopj32.exeC:\Windows\system32\Kofopj32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1800 -
C:\Windows\SysWOW64\Kgcpjmcb.exeC:\Windows\system32\Kgcpjmcb.exe102⤵PID:1404
-
C:\Windows\SysWOW64\Kegqdqbl.exeC:\Windows\system32\Kegqdqbl.exe103⤵PID:596
-
C:\Windows\SysWOW64\Lanaiahq.exeC:\Windows\system32\Lanaiahq.exe104⤵PID:2068
-
C:\Windows\SysWOW64\Lghjel32.exeC:\Windows\system32\Lghjel32.exe105⤵PID:768
-
C:\Windows\SysWOW64\Ljffag32.exeC:\Windows\system32\Ljffag32.exe106⤵PID:1352
-
C:\Windows\SysWOW64\Lmgocb32.exeC:\Windows\system32\Lmgocb32.exe107⤵PID:2032
-
C:\Windows\SysWOW64\Lphhenhc.exeC:\Windows\system32\Lphhenhc.exe108⤵PID:1936
-
C:\Windows\SysWOW64\Lbfdaigg.exeC:\Windows\system32\Lbfdaigg.exe109⤵PID:2236
-
C:\Windows\SysWOW64\Mmneda32.exeC:\Windows\system32\Mmneda32.exe110⤵PID:2620
-
C:\Windows\SysWOW64\Mooaljkh.exeC:\Windows\system32\Mooaljkh.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1664 -
C:\Windows\SysWOW64\Mffimglk.exeC:\Windows\system32\Mffimglk.exe112⤵
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Mapjmehi.exeC:\Windows\system32\Mapjmehi.exe113⤵PID:2492
-
C:\Windows\SysWOW64\Mhloponc.exeC:\Windows\system32\Mhloponc.exe114⤵PID:1128
-
C:\Windows\SysWOW64\Mdcpdp32.exeC:\Windows\system32\Mdcpdp32.exe115⤵PID:1956
-
C:\Windows\SysWOW64\Mmldme32.exeC:\Windows\system32\Mmldme32.exe116⤵PID:784
-
C:\Windows\SysWOW64\Nkpegi32.exeC:\Windows\system32\Nkpegi32.exe117⤵
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Nmpnhdfc.exeC:\Windows\system32\Nmpnhdfc.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2260 -
C:\Windows\SysWOW64\Ndjfeo32.exeC:\Windows\system32\Ndjfeo32.exe119⤵PID:1096
-
C:\Windows\SysWOW64\Ncmfqkdj.exeC:\Windows\system32\Ncmfqkdj.exe120⤵PID:1252
-
C:\Windows\SysWOW64\Nenobfak.exeC:\Windows\system32\Nenobfak.exe121⤵PID:1928
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-