Analysis
-
max time kernel
148s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
20/05/2024, 06:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f.exe
-
Size
63KB
-
MD5
d3a2311ccb26c5e5b9f04838cec67eb0
-
SHA1
8d113d513ce501cacd78decd3508a765144c6bb8
-
SHA256
c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f
-
SHA512
8285e8e8d1ed20141c97c4fd19049cd9b023b5c8f5cb055b72b76d09822b05e7ac039d9408e14e15d1b9f57f0abfb99a03c4945e9873518ace573e018fc711e2
-
SSDEEP
1536:D40KIBkm0jn8FAE6tj6m5IYcQH1juIZo:D4JIKm0AAE6tjoQH1juIZo
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omkjbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpqnhadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibfaopoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anlhkbhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plgolf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpfmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfmgelil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iibfajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnebjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jliohkak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olgmcmgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegabegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oanefo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkifdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hebdfind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hapklimq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcopdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcbncfjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hneeilgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knfndjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdcmbgkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfglep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mngjeamd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfqmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hebnlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knkgpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcaepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbdmeoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dogpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbagipfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acfmcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibckfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iefcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaompi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nameek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acfmcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqnifg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omioekbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lohccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfcbldmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Namclbil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opkccm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlafnbal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajcipc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Famope32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpnmgdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apedah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akfkbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dobgihgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbifnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlafnbal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hneeilgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nibqqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njfjnpgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfoghakb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agolnbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnfddp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jonbee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhffnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaaifdhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dchmkkkj.exe -
Executes dropped EXE 64 IoCs
pid Process 2216 Hflkaq32.exe 2844 Ibckfa32.exe 2488 Iknpkd32.exe 2696 Ikpmpc32.exe 2548 Idiaii32.exe 2152 Inafbooe.exe 2100 Idknoi32.exe 528 Incbgnmc.exe 1052 Jkgcab32.exe 964 Jliohkak.exe 2032 Jjmpbopd.exe 2044 Jpfhoi32.exe 2284 Jfcqgpfi.exe 1112 Jcgapdeb.exe 2584 Jonbee32.exe 2748 Jhffnk32.exe 2724 Kbokgpgg.exe 1636 Kkgopf32.exe 1136 Kqdhhm32.exe 1484 Kkileele.exe 976 Kdbpnk32.exe 1972 Kklikejc.exe 568 Kddmdk32.exe 1740 Kjaelaok.exe 2732 Kgefefnd.exe 1332 Lqmjnk32.exe 2236 Lbogfcjc.exe 1496 Leopgo32.exe 2128 Lkihdioa.exe 2440 Liminmmk.exe 2464 Lnjafd32.exe 2504 Ljabkeaf.exe 2492 Mcifdj32.exe 372 Mnojacgm.exe 576 Mhgoji32.exe 552 Mapccndn.exe 624 Mhilph32.exe 1616 Mfoiqe32.exe 1912 Mpgmijgc.exe 1952 Medeaaej.exe 800 Npijoj32.exe 2428 Nfcbldmm.exe 1276 Namclbil.exe 2664 Nkegeg32.exe 2028 Naopaa32.exe 1564 Nkhdkgnj.exe 2512 Ngneph32.exe 1084 Nmhmlbkk.exe 3000 Odbeilbg.exe 1196 Omkjbb32.exe 1536 Ocgbji32.exe 2092 Oiakgcnl.exe 2084 Opkccm32.exe 3064 Ogekpg32.exe 2568 Opnpimdf.exe 2460 Ocllehcj.exe 2080 Oifdbb32.exe 2552 Ooclji32.exe 1312 Oaaifdhb.exe 2780 Olgmcmgh.exe 2856 Pcaepg32.exe 2764 Bbmapj32.exe 1688 Cohkpj32.exe 2788 Cdecha32.exe -
Loads dropped DLL 64 IoCs
pid Process 2804 c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f.exe 2804 c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f.exe 2216 Hflkaq32.exe 2216 Hflkaq32.exe 2844 Ibckfa32.exe 2844 Ibckfa32.exe 2488 Iknpkd32.exe 2488 Iknpkd32.exe 2696 Ikpmpc32.exe 2696 Ikpmpc32.exe 2548 Idiaii32.exe 2548 Idiaii32.exe 2152 Inafbooe.exe 2152 Inafbooe.exe 2100 Idknoi32.exe 2100 Idknoi32.exe 528 Incbgnmc.exe 528 Incbgnmc.exe 1052 Jkgcab32.exe 1052 Jkgcab32.exe 964 Jliohkak.exe 964 Jliohkak.exe 2032 Jjmpbopd.exe 2032 Jjmpbopd.exe 2044 Jpfhoi32.exe 2044 Jpfhoi32.exe 2284 Jfcqgpfi.exe 2284 Jfcqgpfi.exe 1112 Jcgapdeb.exe 1112 Jcgapdeb.exe 2584 Jonbee32.exe 2584 Jonbee32.exe 2748 Jhffnk32.exe 2748 Jhffnk32.exe 2724 Kbokgpgg.exe 2724 Kbokgpgg.exe 1636 Kkgopf32.exe 1636 Kkgopf32.exe 1136 Kqdhhm32.exe 1136 Kqdhhm32.exe 1484 Kkileele.exe 1484 Kkileele.exe 976 Kdbpnk32.exe 976 Kdbpnk32.exe 1972 Kklikejc.exe 1972 Kklikejc.exe 568 Kddmdk32.exe 568 Kddmdk32.exe 1740 Kjaelaok.exe 1740 Kjaelaok.exe 2732 Kgefefnd.exe 2732 Kgefefnd.exe 1332 Lqmjnk32.exe 1332 Lqmjnk32.exe 1716 Lobgoh32.exe 1716 Lobgoh32.exe 1496 Leopgo32.exe 1496 Leopgo32.exe 2128 Lkihdioa.exe 2128 Lkihdioa.exe 2440 Liminmmk.exe 2440 Liminmmk.exe 2464 Lnjafd32.exe 2464 Lnjafd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Iknpkd32.exe Ibckfa32.exe File created C:\Windows\SysWOW64\Acfdnihk.exe Ajnpecbj.exe File opened for modification C:\Windows\SysWOW64\Naopaa32.exe Nkegeg32.exe File created C:\Windows\SysWOW64\Kjoppjjm.dll Gnmifk32.exe File created C:\Windows\SysWOW64\Mfjgooni.dll Ekfndmfb.exe File created C:\Windows\SysWOW64\Jgdfdbhk.exe Jnkakl32.exe File created C:\Windows\SysWOW64\Afoddn32.dll Oaqbln32.exe File created C:\Windows\SysWOW64\Dhmhhmlm.exe Dmhdkdlg.exe File created C:\Windows\SysWOW64\Lgfeei32.dll Jialfgcc.exe File created C:\Windows\SysWOW64\Jcgapdeb.exe Jfcqgpfi.exe File opened for modification C:\Windows\SysWOW64\Dhplhc32.exe Dohgomgf.exe File created C:\Windows\SysWOW64\Fjfikeqd.dll Fkecij32.exe File created C:\Windows\SysWOW64\Bmlael32.exe Bgoime32.exe File created C:\Windows\SysWOW64\Epbfmd32.exe Ekfndmfb.exe File opened for modification C:\Windows\SysWOW64\Oanefo32.exe Okdmjdol.exe File created C:\Windows\SysWOW64\Nlnpgd32.exe Nedhjj32.exe File opened for modification C:\Windows\SysWOW64\Bkegah32.exe Bfioia32.exe File created C:\Windows\SysWOW64\Aedcngmm.dll Ppfomk32.exe File created C:\Windows\SysWOW64\Ajhaomoi.dll Lkjjma32.exe File created C:\Windows\SysWOW64\Bbclbi32.dll Cmpdgf32.exe File created C:\Windows\SysWOW64\Ajcipc32.exe Aciqcifh.exe File opened for modification C:\Windows\SysWOW64\Hneeilgj.exe Hihlqeib.exe File created C:\Windows\SysWOW64\Dbojdmcd.exe Dpqnhadq.exe File created C:\Windows\SysWOW64\Dmdnbecj.exe Dbojdmcd.exe File created C:\Windows\SysWOW64\Klehgh32.exe Kdjccf32.exe File created C:\Windows\SysWOW64\Piqpkpml.exe Poklngnf.exe File created C:\Windows\SysWOW64\Ocllehcj.exe Opnpimdf.exe File opened for modification C:\Windows\SysWOW64\Pomhcg32.exe Piqpkpml.exe File created C:\Windows\SysWOW64\Ckbjaopk.dll Behilopf.exe File created C:\Windows\SysWOW64\Iacpmi32.dll Ohiffh32.exe File created C:\Windows\SysWOW64\Pojecajj.exe Pkmlmbcd.exe File created C:\Windows\SysWOW64\Ohfqmi32.exe Oalhqohl.exe File created C:\Windows\SysWOW64\Mdignc32.dll Amcbankf.exe File created C:\Windows\SysWOW64\Bbjmpcab.exe Bnldjekl.exe File created C:\Windows\SysWOW64\Miidam32.dll Cmhglq32.exe File created C:\Windows\SysWOW64\Hebnlb32.exe Golbnm32.exe File created C:\Windows\SysWOW64\Jdcmbgkj.exe Jhlmmfef.exe File created C:\Windows\SysWOW64\Ifkloned.dll Qhjfgl32.exe File created C:\Windows\SysWOW64\Pdgmlhha.exe Pojecajj.exe File created C:\Windows\SysWOW64\Ahgofi32.exe Anbkipok.exe File created C:\Windows\SysWOW64\Lloeec32.dll Boogmgkl.exe File created C:\Windows\SysWOW64\Kjaelaok.exe Kddmdk32.exe File created C:\Windows\SysWOW64\Cmpdgf32.exe Cdgpnqpo.exe File created C:\Windows\SysWOW64\Ibfaopoi.exe Imiigiab.exe File opened for modification C:\Windows\SysWOW64\Mdghaf32.exe Mjaddn32.exe File opened for modification C:\Windows\SysWOW64\Cpfmmf32.exe Cepipm32.exe File created C:\Windows\SysWOW64\Nefamd32.dll Cepipm32.exe File created C:\Windows\SysWOW64\Jliohkak.exe Jkgcab32.exe File opened for modification C:\Windows\SysWOW64\Kgefefnd.exe Kjaelaok.exe File created C:\Windows\SysWOW64\Djehli32.dll Kbokgpgg.exe File created C:\Windows\SysWOW64\Cjoffbmm.dll Elnqmd32.exe File created C:\Windows\SysWOW64\Ldkkdd32.dll Aggiigmn.exe File created C:\Windows\SysWOW64\Cmmagpef.exe Ccdmnj32.exe File opened for modification C:\Windows\SysWOW64\Lcjlnpmo.exe Knmdeioh.exe File opened for modification C:\Windows\SysWOW64\Lldmleam.exe Lfkeokjp.exe File created C:\Windows\SysWOW64\Paodbg32.dll Nhjjgd32.exe File created C:\Windows\SysWOW64\Fkllaj32.dll Pcaepg32.exe File created C:\Windows\SysWOW64\Gfmgelil.exe Gpcoib32.exe File created C:\Windows\SysWOW64\Kmhflfhh.dll Khkbbc32.exe File created C:\Windows\SysWOW64\Hqjpab32.dll Agolnbok.exe File created C:\Windows\SysWOW64\Idadnd32.exe Hndlem32.exe File opened for modification C:\Windows\SysWOW64\Aggiigmn.exe Ajcipc32.exe File opened for modification C:\Windows\SysWOW64\Jaoqqflp.exe Ihglhp32.exe File opened for modification C:\Windows\SysWOW64\Lcofio32.exe Lldmleam.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5052 5020 WerFault.exe 365 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dedlag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iibfajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elfcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnoefj32.dll" Napbjjom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opglafab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjljina.dll" Naopaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjeeidhg.dll" Oibmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll" Pkmlmbcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nibqqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbjdoj32.dll" Nfcbldmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkecij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqdhhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhbhmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acfdnihk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akabgebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bceibfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll" Bjpaop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmnnkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edaimkbc.dll" Kgefefnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fofpoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpbbo32.dll" Jnkakl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgdfdbhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaqbln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejkkfjkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibmgpoia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdcmbgkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaqbln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbmapj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doknlmcm.dll" Demofaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnnnalph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfbaql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pincfpoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agolnbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cncfcj32.dll" Iknpkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfknbfkf.dll" Ljabkeaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcbncfjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmgfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kalpeaik.dll" Jhffnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nedhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll" Bdqlajbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhbhmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmgkgeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmhgjdli.dll" Hpkompgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihbcmaje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alqnah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbgffb32.dll" Kkileele.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcheib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlafnbal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oanefo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjbndpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedcmfgb.dll" Kqdhhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baleem32.dll" Bimoloog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgblmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnjbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifmnalja.dll" Oiakgcnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhffnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Medeaaej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odbeilbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baojapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhpemm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcgoqc32.dll" Jfcqgpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khkbbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapecq32.dll" Oanefo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2804 wrote to memory of 2216 2804 c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f.exe 28 PID 2804 wrote to memory of 2216 2804 c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f.exe 28 PID 2804 wrote to memory of 2216 2804 c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f.exe 28 PID 2804 wrote to memory of 2216 2804 c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f.exe 28 PID 2216 wrote to memory of 2844 2216 Hflkaq32.exe 29 PID 2216 wrote to memory of 2844 2216 Hflkaq32.exe 29 PID 2216 wrote to memory of 2844 2216 Hflkaq32.exe 29 PID 2216 wrote to memory of 2844 2216 Hflkaq32.exe 29 PID 2844 wrote to memory of 2488 2844 Ibckfa32.exe 30 PID 2844 wrote to memory of 2488 2844 Ibckfa32.exe 30 PID 2844 wrote to memory of 2488 2844 Ibckfa32.exe 30 PID 2844 wrote to memory of 2488 2844 Ibckfa32.exe 30 PID 2488 wrote to memory of 2696 2488 Iknpkd32.exe 31 PID 2488 wrote to memory of 2696 2488 Iknpkd32.exe 31 PID 2488 wrote to memory of 2696 2488 Iknpkd32.exe 31 PID 2488 wrote to memory of 2696 2488 Iknpkd32.exe 31 PID 2696 wrote to memory of 2548 2696 Ikpmpc32.exe 32 PID 2696 wrote to memory of 2548 2696 Ikpmpc32.exe 32 PID 2696 wrote to memory of 2548 2696 Ikpmpc32.exe 32 PID 2696 wrote to memory of 2548 2696 Ikpmpc32.exe 32 PID 2548 wrote to memory of 2152 2548 Idiaii32.exe 33 PID 2548 wrote to memory of 2152 2548 Idiaii32.exe 33 PID 2548 wrote to memory of 2152 2548 Idiaii32.exe 33 PID 2548 wrote to memory of 2152 2548 Idiaii32.exe 33 PID 2152 wrote to memory of 2100 2152 Inafbooe.exe 34 PID 2152 wrote to memory of 2100 2152 Inafbooe.exe 34 PID 2152 wrote to memory of 2100 2152 Inafbooe.exe 34 PID 2152 wrote to memory of 2100 2152 Inafbooe.exe 34 PID 2100 wrote to memory of 528 2100 Idknoi32.exe 35 PID 2100 wrote to memory of 528 2100 Idknoi32.exe 35 PID 2100 wrote to memory of 528 2100 Idknoi32.exe 35 PID 2100 wrote to memory of 528 2100 Idknoi32.exe 35 PID 528 wrote to memory of 1052 528 Incbgnmc.exe 36 PID 528 wrote to memory of 1052 528 Incbgnmc.exe 36 PID 528 wrote to memory of 1052 528 Incbgnmc.exe 36 PID 528 wrote to memory of 1052 528 Incbgnmc.exe 36 PID 1052 wrote to memory of 964 1052 Jkgcab32.exe 37 PID 1052 wrote to memory of 964 1052 Jkgcab32.exe 37 PID 1052 wrote to memory of 964 1052 Jkgcab32.exe 37 PID 1052 wrote to memory of 964 1052 Jkgcab32.exe 37 PID 964 wrote to memory of 2032 964 Jliohkak.exe 38 PID 964 wrote to memory of 2032 964 Jliohkak.exe 38 PID 964 wrote to memory of 2032 964 Jliohkak.exe 38 PID 964 wrote to memory of 2032 964 Jliohkak.exe 38 PID 2032 wrote to memory of 2044 2032 Jjmpbopd.exe 39 PID 2032 wrote to memory of 2044 2032 Jjmpbopd.exe 39 PID 2032 wrote to memory of 2044 2032 Jjmpbopd.exe 39 PID 2032 wrote to memory of 2044 2032 Jjmpbopd.exe 39 PID 2044 wrote to memory of 2284 2044 Jpfhoi32.exe 40 PID 2044 wrote to memory of 2284 2044 Jpfhoi32.exe 40 PID 2044 wrote to memory of 2284 2044 Jpfhoi32.exe 40 PID 2044 wrote to memory of 2284 2044 Jpfhoi32.exe 40 PID 2284 wrote to memory of 1112 2284 Jfcqgpfi.exe 41 PID 2284 wrote to memory of 1112 2284 Jfcqgpfi.exe 41 PID 2284 wrote to memory of 1112 2284 Jfcqgpfi.exe 41 PID 2284 wrote to memory of 1112 2284 Jfcqgpfi.exe 41 PID 1112 wrote to memory of 2584 1112 Jcgapdeb.exe 42 PID 1112 wrote to memory of 2584 1112 Jcgapdeb.exe 42 PID 1112 wrote to memory of 2584 1112 Jcgapdeb.exe 42 PID 1112 wrote to memory of 2584 1112 Jcgapdeb.exe 42 PID 2584 wrote to memory of 2748 2584 Jonbee32.exe 43 PID 2584 wrote to memory of 2748 2584 Jonbee32.exe 43 PID 2584 wrote to memory of 2748 2584 Jonbee32.exe 43 PID 2584 wrote to memory of 2748 2584 Jonbee32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f.exe"C:\Users\Admin\AppData\Local\Temp\c262943a3567ac0393797b9e21e6a1ab67345af3b17d52348fe47d2f4aac075f.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Hflkaq32.exeC:\Windows\system32\Hflkaq32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Ibckfa32.exeC:\Windows\system32\Ibckfa32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Iknpkd32.exeC:\Windows\system32\Iknpkd32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Idiaii32.exeC:\Windows\system32\Idiaii32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Inafbooe.exeC:\Windows\system32\Inafbooe.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Idknoi32.exeC:\Windows\system32\Idknoi32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Incbgnmc.exeC:\Windows\system32\Incbgnmc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Windows\SysWOW64\Jkgcab32.exeC:\Windows\system32\Jkgcab32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Jliohkak.exeC:\Windows\system32\Jliohkak.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Jjmpbopd.exeC:\Windows\system32\Jjmpbopd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Jpfhoi32.exeC:\Windows\system32\Jpfhoi32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Jcgapdeb.exeC:\Windows\system32\Jcgapdeb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Kbokgpgg.exeC:\Windows\system32\Kbokgpgg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
C:\Windows\SysWOW64\Kqdhhm32.exeC:\Windows\system32\Kqdhhm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Kdbpnk32.exeC:\Windows\system32\Kdbpnk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976 -
C:\Windows\SysWOW64\Kklikejc.exeC:\Windows\system32\Kklikejc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Kddmdk32.exeC:\Windows\system32\Kddmdk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:568 -
C:\Windows\SysWOW64\Kjaelaok.exeC:\Windows\system32\Kjaelaok.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Kgefefnd.exeC:\Windows\system32\Kgefefnd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Lqmjnk32.exeC:\Windows\system32\Lqmjnk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1332 -
C:\Windows\SysWOW64\Lbogfcjc.exeC:\Windows\system32\Lbogfcjc.exe28⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe29⤵
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Leopgo32.exeC:\Windows\system32\Leopgo32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496 -
C:\Windows\SysWOW64\Lkihdioa.exeC:\Windows\system32\Lkihdioa.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Liminmmk.exeC:\Windows\system32\Liminmmk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Lnjafd32.exeC:\Windows\system32\Lnjafd32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Ljabkeaf.exeC:\Windows\system32\Ljabkeaf.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Mcifdj32.exeC:\Windows\system32\Mcifdj32.exe35⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Mnojacgm.exeC:\Windows\system32\Mnojacgm.exe36⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Mhgoji32.exeC:\Windows\system32\Mhgoji32.exe37⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe38⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Mhilph32.exeC:\Windows\system32\Mhilph32.exe39⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Mfoiqe32.exeC:\Windows\system32\Mfoiqe32.exe40⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Mpgmijgc.exeC:\Windows\system32\Mpgmijgc.exe41⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Npijoj32.exeC:\Windows\system32\Npijoj32.exe43⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Nkegeg32.exeC:\Windows\system32\Nkegeg32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe48⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Ngneph32.exeC:\Windows\system32\Ngneph32.exe49⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe50⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Omkjbb32.exeC:\Windows\system32\Omkjbb32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe53⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Oiakgcnl.exeC:\Windows\system32\Oiakgcnl.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe56⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe58⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe59⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe60⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Pcaepg32.exeC:\Windows\system32\Pcaepg32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe65⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe66⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe67⤵PID:884
-
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe68⤵
- Drops file in System32 directory
PID:1772 -
C:\Windows\SysWOW64\Cmpdgf32.exeC:\Windows\system32\Cmpdgf32.exe69⤵
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Cpnaca32.exeC:\Windows\system32\Cpnaca32.exe70⤵PID:2912
-
C:\Windows\SysWOW64\Cfhiplmp.exeC:\Windows\system32\Cfhiplmp.exe71⤵PID:1620
-
C:\Windows\SysWOW64\Dpqnhadq.exeC:\Windows\system32\Dpqnhadq.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:632 -
C:\Windows\SysWOW64\Dbojdmcd.exeC:\Windows\system32\Dbojdmcd.exe73⤵
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe74⤵PID:1608
-
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe75⤵PID:2424
-
C:\Windows\SysWOW64\Dmgkgeah.exeC:\Windows\system32\Dmgkgeah.exe76⤵
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Dohgomgf.exeC:\Windows\system32\Dohgomgf.exe77⤵
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Dhplhc32.exeC:\Windows\system32\Dhplhc32.exe78⤵PID:2660
-
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe79⤵PID:2772
-
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe80⤵
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe81⤵
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Dchmkkkj.exeC:\Windows\system32\Dchmkkkj.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2136 -
C:\Windows\SysWOW64\Eheecbia.exeC:\Windows\system32\Eheecbia.exe83⤵PID:1488
-
C:\Windows\SysWOW64\Enbnkigh.exeC:\Windows\system32\Enbnkigh.exe84⤵PID:2652
-
C:\Windows\SysWOW64\Ehgbhbgn.exeC:\Windows\system32\Ehgbhbgn.exe85⤵PID:1656
-
C:\Windows\SysWOW64\Ekfndmfb.exeC:\Windows\system32\Ekfndmfb.exe86⤵
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe87⤵PID:2916
-
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe88⤵
- Modifies registry class
PID:808 -
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe89⤵PID:2884
-
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe90⤵PID:2976
-
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe91⤵PID:1596
-
C:\Windows\SysWOW64\Elnqmd32.exeC:\Windows\system32\Elnqmd32.exe92⤵
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe93⤵PID:1764
-
C:\Windows\SysWOW64\Fqlicclo.exeC:\Windows\system32\Fqlicclo.exe94⤵PID:3056
-
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe95⤵PID:2932
-
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe96⤵PID:2776
-
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe97⤵PID:1660
-
C:\Windows\SysWOW64\Fhikme32.exeC:\Windows\system32\Fhikme32.exe98⤵PID:112
-
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe99⤵PID:1184
-
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe100⤵
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe101⤵PID:1008
-
C:\Windows\SysWOW64\Gbfiaj32.exeC:\Windows\system32\Gbfiaj32.exe102⤵PID:956
-
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe103⤵
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe104⤵
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1700 -
C:\Windows\SysWOW64\Gjdjklek.exeC:\Windows\system32\Gjdjklek.exe106⤵PID:2644
-
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe107⤵PID:1752
-
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe108⤵PID:1692
-
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe109⤵
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2380 -
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe111⤵PID:2396
-
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2444 -
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe113⤵PID:1540
-
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe114⤵
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe115⤵PID:1108
-
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe116⤵PID:2000
-
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe118⤵PID:840
-
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe119⤵PID:2824
-
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe120⤵PID:1392
-
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2692
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-