Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
12/05/2024, 18:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0c326973360a881727670cc6be6b2aa74d0bc47a510e344339960a9fd8543559.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0c326973360a881727670cc6be6b2aa74d0bc47a510e344339960a9fd8543559.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
0c326973360a881727670cc6be6b2aa74d0bc47a510e344339960a9fd8543559.exe
-
Size
640KB
-
MD5
0e14495ae8ee21ffa947be1363ed85d6
-
SHA1
234f9ce9756db286b7b2cfc9b3b0fb1d64e6b5bf
-
SHA256
0c326973360a881727670cc6be6b2aa74d0bc47a510e344339960a9fd8543559
-
SHA512
c6ecb52f6a098b763c1bad1ecdc94c7c346724f002af4a0998dcd16c9854057b40516d1db40fad8dcd23994d6830a08b7f9481ccd5dabd7358004adb405993ba
-
SSDEEP
12288:NdXHaINIVIIVy2oIvPKiK13fS2hEYM9RIPk:NdXHfNIVIIVy2jU13fS2hEYM9RIPk
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlkdkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fphafl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkdpanhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leajdfnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqkmjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pggbla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjjddchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abmbhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biicik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echfaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nialog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflkdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghhofmql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohibdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocnfbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Copfbfjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkkemh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igkdgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgnamk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnilobkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pclfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiomkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghfbqn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imfqjbli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfcnngnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckccgane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfgaiaci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdogl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfghif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhfipcid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obojhlbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gacpdbej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjlnif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehkodcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Filldb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Logbhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhndldcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faokjpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aekodi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecqqpgli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 0c326973360a881727670cc6be6b2aa74d0bc47a510e344339960a9fd8543559.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgmgmfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njlockkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qabcjgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Endhhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndkmpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfoocjfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhela32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bokphdld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llkbap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmhodf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajejgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcenlceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqpgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hckcmjep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijgdngmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfghif32.exe -
Executes dropped EXE 64 IoCs
pid Process 2868 Pfflopdh.exe 2560 Plcdgfbo.exe 1148 Pnbacbac.exe 2380 Qjknnbed.exe 2348 Qecoqk32.exe 2412 Afdlhchf.exe 312 Abmibdlh.exe 2632 Admemg32.exe 2712 Aenbdoii.exe 1780 Bpfcgg32.exe 2272 Bokphdld.exe 2820 Balijo32.exe 1964 Bhfagipa.exe 3060 Bhhnli32.exe 580 Cpeofk32.exe 2716 Ccdlbf32.exe 2252 Cfgaiaci.exe 2932 Chemfl32.exe 1288 Copfbfjj.exe 1300 Cdlnkmha.exe 1652 Cobbhfhg.exe 572 Dflkdp32.exe 2112 Dgmglh32.exe 2100 Ddagfm32.exe 1448 Dgodbh32.exe 2264 Dnilobkm.exe 1544 Dkmmhf32.exe 2556 Djpmccqq.exe 2508 Dchali32.exe 2492 Dfgmhd32.exe 2528 Dmafennb.exe 2860 Dcknbh32.exe 2216 Dfijnd32.exe 2608 Ejgcdb32.exe 1444 Emeopn32.exe 1796 Ecpgmhai.exe 1040 Eilpeooq.exe 1616 Ebedndfa.exe 1468 Eiomkn32.exe 2192 Enkece32.exe 2336 Eajaoq32.exe 776 Eeempocb.exe 560 Eloemi32.exe 1104 Ebinic32.exe 2320 Fckjalhj.exe 688 Flabbihl.exe 2948 Fnpnndgp.exe 760 Faokjpfd.exe 768 Fejgko32.exe 2292 Fjgoce32.exe 3028 Fnbkddem.exe 1900 Fhkpmjln.exe 2464 Ffnphf32.exe 1640 Filldb32.exe 2472 Fdapak32.exe 2896 Fjlhneio.exe 2432 Fphafl32.exe 2680 Fbgmbg32.exe 1756 Fmlapp32.exe 2240 Gpknlk32.exe 1260 Gbijhg32.exe 1664 Ghfbqn32.exe 636 Gpmjak32.exe 1420 Gangic32.exe -
Loads dropped DLL 64 IoCs
pid Process 2152 0c326973360a881727670cc6be6b2aa74d0bc47a510e344339960a9fd8543559.exe 2152 0c326973360a881727670cc6be6b2aa74d0bc47a510e344339960a9fd8543559.exe 2868 Pfflopdh.exe 2868 Pfflopdh.exe 2560 Plcdgfbo.exe 2560 Plcdgfbo.exe 1148 Pnbacbac.exe 1148 Pnbacbac.exe 2380 Qjknnbed.exe 2380 Qjknnbed.exe 2348 Qecoqk32.exe 2348 Qecoqk32.exe 2412 Afdlhchf.exe 2412 Afdlhchf.exe 312 Abmibdlh.exe 312 Abmibdlh.exe 2632 Admemg32.exe 2632 Admemg32.exe 2712 Aenbdoii.exe 2712 Aenbdoii.exe 1780 Bpfcgg32.exe 1780 Bpfcgg32.exe 2272 Bokphdld.exe 2272 Bokphdld.exe 2820 Balijo32.exe 2820 Balijo32.exe 1964 Bhfagipa.exe 1964 Bhfagipa.exe 3060 Bhhnli32.exe 3060 Bhhnli32.exe 580 Cpeofk32.exe 580 Cpeofk32.exe 2716 Ccdlbf32.exe 2716 Ccdlbf32.exe 2252 Cfgaiaci.exe 2252 Cfgaiaci.exe 2932 Chemfl32.exe 2932 Chemfl32.exe 1288 Copfbfjj.exe 1288 Copfbfjj.exe 1300 Cdlnkmha.exe 1300 Cdlnkmha.exe 1652 Cobbhfhg.exe 1652 Cobbhfhg.exe 572 Dflkdp32.exe 572 Dflkdp32.exe 2112 Dgmglh32.exe 2112 Dgmglh32.exe 2100 Ddagfm32.exe 2100 Ddagfm32.exe 1448 Dgodbh32.exe 1448 Dgodbh32.exe 2264 Dnilobkm.exe 2264 Dnilobkm.exe 1544 Dkmmhf32.exe 1544 Dkmmhf32.exe 2556 Djpmccqq.exe 2556 Djpmccqq.exe 2508 Dchali32.exe 2508 Dchali32.exe 2492 Dfgmhd32.exe 2492 Dfgmhd32.exe 2528 Dmafennb.exe 2528 Dmafennb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fphafl32.exe Fjlhneio.exe File opened for modification C:\Windows\SysWOW64\Idhopq32.exe Iqmcpahh.exe File opened for modification C:\Windows\SysWOW64\Aidnohbk.exe Aplifb32.exe File opened for modification C:\Windows\SysWOW64\Afohaa32.exe Adpkee32.exe File created C:\Windows\SysWOW64\Fjhlioai.dll Bidjnkdg.exe File created C:\Windows\SysWOW64\Mfacfkje.dll Djhphncm.exe File created C:\Windows\SysWOW64\Edekcace.dll Dcenlceh.exe File created C:\Windows\SysWOW64\Qdcbfq32.dll Faokjpfd.exe File created C:\Windows\SysWOW64\Nnplna32.dll Keoapb32.exe File created C:\Windows\SysWOW64\Kihqkagp.exe Kemejc32.exe File opened for modification C:\Windows\SysWOW64\Ldfgebbe.exe Lecgje32.exe File created C:\Windows\SysWOW64\Qedhdjnh.exe Qfahhm32.exe File opened for modification C:\Windows\SysWOW64\Bpleef32.exe Blpjegfm.exe File created C:\Windows\SysWOW64\Mclgfa32.dll Bpleef32.exe File created C:\Windows\SysWOW64\Egllae32.exe Ecqqpgli.exe File opened for modification C:\Windows\SysWOW64\Enfenplo.exe Egllae32.exe File created C:\Windows\SysWOW64\Lhmjkaoc.exe Leonofpp.exe File created C:\Windows\SysWOW64\Oqideepg.exe Onjgiiad.exe File opened for modification C:\Windows\SysWOW64\Bbhela32.exe Bafidiio.exe File created C:\Windows\SysWOW64\Mmceigep.exe Mgimmm32.exe File created C:\Windows\SysWOW64\Pmdjdh32.exe Pnajilng.exe File created C:\Windows\SysWOW64\Adpkee32.exe Amfcikek.exe File opened for modification C:\Windows\SysWOW64\Cjfccn32.exe Ckccgane.exe File opened for modification C:\Windows\SysWOW64\Idfbkq32.exe Ifcbodli.exe File created C:\Windows\SysWOW64\Bafidiio.exe Bfadgq32.exe File created C:\Windows\SysWOW64\Ejmmiihp.dll Cgcmlcja.exe File created C:\Windows\SysWOW64\Ccngld32.exe Cppkph32.exe File opened for modification C:\Windows\SysWOW64\Gejcjbah.exe Gangic32.exe File created C:\Windows\SysWOW64\Moljch32.dll Qedhdjnh.exe File opened for modification C:\Windows\SysWOW64\Bifgdk32.exe Bekkcljk.exe File created C:\Windows\SysWOW64\Keanebkb.exe Kafbec32.exe File opened for modification C:\Windows\SysWOW64\Mgimmm32.exe Mdkqqa32.exe File opened for modification C:\Windows\SysWOW64\Enhacojl.exe Ejmebq32.exe File opened for modification C:\Windows\SysWOW64\Cpeofk32.exe Bhhnli32.exe File opened for modification C:\Windows\SysWOW64\Dhbfdjdp.exe Dbhnhp32.exe File created C:\Windows\SysWOW64\Kgiaak32.dll Jcbellac.exe File created C:\Windows\SysWOW64\Ojchmpcd.dll Jbgbni32.exe File created C:\Windows\SysWOW64\Jcgogk32.exe Jokcgmee.exe File created C:\Windows\SysWOW64\Nhlhki32.dll Kjqccigf.exe File opened for modification C:\Windows\SysWOW64\Kmaled32.exe Kblhgk32.exe File opened for modification C:\Windows\SysWOW64\Abmbhn32.exe Ajejgp32.exe File created C:\Windows\SysWOW64\Elgkkpon.dll Cnobnmpl.exe File opened for modification C:\Windows\SysWOW64\Eajaoq32.exe Enkece32.exe File opened for modification C:\Windows\SysWOW64\Dcenlceh.exe Dknekeef.exe File created C:\Windows\SysWOW64\Jaegglem.dll Ccngld32.exe File created C:\Windows\SysWOW64\Aabagnfc.dll Ejhlgaeh.exe File created C:\Windows\SysWOW64\Naajoinb.exe Nkgbbo32.exe File created C:\Windows\SysWOW64\Agjiphda.dll Bfenbpec.exe File opened for modification C:\Windows\SysWOW64\Djhphncm.exe Ccngld32.exe File opened for modification C:\Windows\SysWOW64\Ogblbo32.exe Oqideepg.exe File created C:\Windows\SysWOW64\Nlbodgap.dll Copfbfjj.exe File created C:\Windows\SysWOW64\Bfenbpec.exe Bpleef32.exe File created C:\Windows\SysWOW64\Nolhan32.exe Mhbped32.exe File opened for modification C:\Windows\SysWOW64\Gbnccfpb.exe Gkgkbipp.exe File opened for modification C:\Windows\SysWOW64\Hckcmjep.exe Hpmgqnfl.exe File opened for modification C:\Windows\SysWOW64\Hcplhi32.exe Hjhhocjj.exe File created C:\Windows\SysWOW64\Qabcjgkh.exe Pikkiijf.exe File created C:\Windows\SysWOW64\Fbgmbg32.exe Fphafl32.exe File opened for modification C:\Windows\SysWOW64\Jcbellac.exe Jmhmpb32.exe File opened for modification C:\Windows\SysWOW64\Gacpdbej.exe Gmgdddmq.exe File opened for modification C:\Windows\SysWOW64\Fjgoce32.exe Fejgko32.exe File created C:\Windows\SysWOW64\Gpdgnh32.dll Lmolnh32.exe File created C:\Windows\SysWOW64\Hhijaf32.dll Enakbp32.exe File created C:\Windows\SysWOW64\Aenbdoii.exe Admemg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4000 3588 WerFault.exe 343 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll" Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcpdmj32.dll" Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjfccn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccngld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cppkph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbgmbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghfbqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkeqmgm.dll" Pfoocjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pedleg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffihah32.dll" Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll" Hogmmjfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igdogl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gojbjm32.dll" Ckjpacfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgpjanje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbnemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jepgqikf.dll" Iqmcpahh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlfgbn32.dll" Idklfpon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcnbablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milokblc.dll" Pciifc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amfcikek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafagk32.dll" Dmafennb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Delpclld.dll" Mkgfckcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfioffab.dll" Aidnohbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cadhnmnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpknlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omkepc32.dll" Ndbcpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpimg32.dll" Bekkcljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll" Fmpkjkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll" Hiekid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmhmpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jooafm32.dll" Leonofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdafiei.dll" Pcnbablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljefkdjq.dll" Kaklpcoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cclkfdnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knjbnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dggcffhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjjndgdk.dll" Kihqkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omfkke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll" Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lollckbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aibajhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aekodi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbhela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgnljad.dll" Dnilobkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkabadei.dll" Eilpeooq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgplkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bidjnkdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 0c326973360a881727670cc6be6b2aa74d0bc47a510e344339960a9fd8543559.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chpmpg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2152 wrote to memory of 2868 2152 0c326973360a881727670cc6be6b2aa74d0bc47a510e344339960a9fd8543559.exe 28 PID 2152 wrote to memory of 2868 2152 0c326973360a881727670cc6be6b2aa74d0bc47a510e344339960a9fd8543559.exe 28 PID 2152 wrote to memory of 2868 2152 0c326973360a881727670cc6be6b2aa74d0bc47a510e344339960a9fd8543559.exe 28 PID 2152 wrote to memory of 2868 2152 0c326973360a881727670cc6be6b2aa74d0bc47a510e344339960a9fd8543559.exe 28 PID 2868 wrote to memory of 2560 2868 Pfflopdh.exe 29 PID 2868 wrote to memory of 2560 2868 Pfflopdh.exe 29 PID 2868 wrote to memory of 2560 2868 Pfflopdh.exe 29 PID 2868 wrote to memory of 2560 2868 Pfflopdh.exe 29 PID 2560 wrote to memory of 1148 2560 Plcdgfbo.exe 30 PID 2560 wrote to memory of 1148 2560 Plcdgfbo.exe 30 PID 2560 wrote to memory of 1148 2560 Plcdgfbo.exe 30 PID 2560 wrote to memory of 1148 2560 Plcdgfbo.exe 30 PID 1148 wrote to memory of 2380 1148 Pnbacbac.exe 31 PID 1148 wrote to memory of 2380 1148 Pnbacbac.exe 31 PID 1148 wrote to memory of 2380 1148 Pnbacbac.exe 31 PID 1148 wrote to memory of 2380 1148 Pnbacbac.exe 31 PID 2380 wrote to memory of 2348 2380 Qjknnbed.exe 32 PID 2380 wrote to memory of 2348 2380 Qjknnbed.exe 32 PID 2380 wrote to memory of 2348 2380 Qjknnbed.exe 32 PID 2380 wrote to memory of 2348 2380 Qjknnbed.exe 32 PID 2348 wrote to memory of 2412 2348 Qecoqk32.exe 33 PID 2348 wrote to memory of 2412 2348 Qecoqk32.exe 33 PID 2348 wrote to memory of 2412 2348 Qecoqk32.exe 33 PID 2348 wrote to memory of 2412 2348 Qecoqk32.exe 33 PID 2412 wrote to memory of 312 2412 Afdlhchf.exe 34 PID 2412 wrote to memory of 312 2412 Afdlhchf.exe 34 PID 2412 wrote to memory of 312 2412 Afdlhchf.exe 34 PID 2412 wrote to memory of 312 2412 Afdlhchf.exe 34 PID 312 wrote to memory of 2632 312 Abmibdlh.exe 35 PID 312 wrote to memory of 2632 312 Abmibdlh.exe 35 PID 312 wrote to memory of 2632 312 Abmibdlh.exe 35 PID 312 wrote to memory of 2632 312 Abmibdlh.exe 35 PID 2632 wrote to memory of 2712 2632 Admemg32.exe 36 PID 2632 wrote to memory of 2712 2632 Admemg32.exe 36 PID 2632 wrote to memory of 2712 2632 Admemg32.exe 36 PID 2632 wrote to memory of 2712 2632 Admemg32.exe 36 PID 2712 wrote to memory of 1780 2712 Aenbdoii.exe 37 PID 2712 wrote to memory of 1780 2712 Aenbdoii.exe 37 PID 2712 wrote to memory of 1780 2712 Aenbdoii.exe 37 PID 2712 wrote to memory of 1780 2712 Aenbdoii.exe 37 PID 1780 wrote to memory of 2272 1780 Bpfcgg32.exe 38 PID 1780 wrote to memory of 2272 1780 Bpfcgg32.exe 38 PID 1780 wrote to memory of 2272 1780 Bpfcgg32.exe 38 PID 1780 wrote to memory of 2272 1780 Bpfcgg32.exe 38 PID 2272 wrote to memory of 2820 2272 Bokphdld.exe 39 PID 2272 wrote to memory of 2820 2272 Bokphdld.exe 39 PID 2272 wrote to memory of 2820 2272 Bokphdld.exe 39 PID 2272 wrote to memory of 2820 2272 Bokphdld.exe 39 PID 2820 wrote to memory of 1964 2820 Balijo32.exe 40 PID 2820 wrote to memory of 1964 2820 Balijo32.exe 40 PID 2820 wrote to memory of 1964 2820 Balijo32.exe 40 PID 2820 wrote to memory of 1964 2820 Balijo32.exe 40 PID 1964 wrote to memory of 3060 1964 Bhfagipa.exe 41 PID 1964 wrote to memory of 3060 1964 Bhfagipa.exe 41 PID 1964 wrote to memory of 3060 1964 Bhfagipa.exe 41 PID 1964 wrote to memory of 3060 1964 Bhfagipa.exe 41 PID 3060 wrote to memory of 580 3060 Bhhnli32.exe 42 PID 3060 wrote to memory of 580 3060 Bhhnli32.exe 42 PID 3060 wrote to memory of 580 3060 Bhhnli32.exe 42 PID 3060 wrote to memory of 580 3060 Bhhnli32.exe 42 PID 580 wrote to memory of 2716 580 Cpeofk32.exe 43 PID 580 wrote to memory of 2716 580 Cpeofk32.exe 43 PID 580 wrote to memory of 2716 580 Cpeofk32.exe 43 PID 580 wrote to memory of 2716 580 Cpeofk32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c326973360a881727670cc6be6b2aa74d0bc47a510e344339960a9fd8543559.exe"C:\Users\Admin\AppData\Local\Temp\0c326973360a881727670cc6be6b2aa74d0bc47a510e344339960a9fd8543559.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1288 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1300 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1448 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe33⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe34⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe35⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe36⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe37⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe39⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe42⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe43⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:560 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe45⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe46⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe47⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe48⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:760 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:768 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe51⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe52⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe53⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe56⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe60⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe62⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe64⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1420 -
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe66⤵PID:2784
-
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2256 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:304 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe69⤵PID:984
-
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe70⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe71⤵PID:1908
-
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe72⤵PID:2024
-
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe73⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2544 -
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe75⤵
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1052 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe77⤵
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe78⤵PID:2620
-
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe79⤵PID:1532
-
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe80⤵PID:1472
-
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe81⤵PID:2204
-
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe82⤵
- Modifies registry class
PID:588 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe85⤵
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe86⤵
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe87⤵PID:812
-
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe88⤵
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe89⤵PID:2580
-
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2516 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe91⤵PID:2648
-
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe92⤵
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe93⤵PID:2612
-
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe94⤵
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe95⤵
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe96⤵PID:856
-
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:816 -
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe99⤵PID:2080
-
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe100⤵PID:1740
-
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe101⤵
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe102⤵PID:1228
-
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1708 -
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:908 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe105⤵PID:916
-
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2188 -
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe107⤵PID:2484
-
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe109⤵
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2764 -
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1692 -
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe112⤵PID:1880
-
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe113⤵
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1560 -
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe115⤵PID:2196
-
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe116⤵
- Drops file in System32 directory
PID:2032 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe117⤵PID:320
-
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1704 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe119⤵PID:3020
-
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:884 -
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2548
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-