Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
21/05/2024, 02:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe
-
Size
100KB
-
MD5
aff057120dd1d236fb1dbe2bf0813d5a
-
SHA1
c6dc48042c606fc0c4506f2bdb99d7862b4c0869
-
SHA256
a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3
-
SHA512
15e60e489698bbd491d3477a4c197df4976f530c4c367c0c8f057fec398a61552ee0c9b7ec5d0c553e7fb5a519991ee2389416f9e0f55f80d2c96467a38dc306
-
SSDEEP
1536:wRiwE14IxDku2ON+sh150eL3lqTCCp1VLVkrG5OHnYYYYYYYYYYYYYYYYYYYYYYd:ISC3Q/hX0ilqTtP1ur27nuMFR8n5j8YD
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnkmjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kegnkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lekhfgfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Henidd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hefipfkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inhdehbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lodlom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlgigdoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqqdag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okalbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkpnhgge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahqjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioccco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cndbcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjmodopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpemgbqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clcflkic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndbcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnandi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgqemakf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpqclb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbalnnam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Madapkmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcjkcplm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpeofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbdqmghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbcicmpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggpimica.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhncmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmnbkinf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndjdlffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ampqjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gppnaaej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iffeoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfkkimlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njgldmdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pigeqkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emeopn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gllhaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojficpfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghkllmoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hefipfkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Penfelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fklpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnkbdlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahakmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hiqbndpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gppnaaej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Goddhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Madapkmp.exe -
Executes dropped EXE 64 IoCs
pid Process 2900 Flgbho32.exe 2672 Fadkpe32.exe 2576 Fhncmp32.exe 2288 Fklpik32.exe 2432 Fbcgjh32.exe 2456 Fafheedg.exe 2312 Febcfd32.exe 860 Fhppbp32.exe 1240 Flllcndm.exe 2192 Fojhoica.exe 1572 Fahdkebe.exe 1876 Fedplc32.exe 2708 Fhbmho32.exe 1616 Gkaidjhe.exe 1624 Gmoepfhi.exe 336 Gpnalagm.exe 656 Gheimogo.exe 1916 Gkceijfb.exe 856 Giffeg32.exe 3056 Gmabeeef.exe 1484 Gppnaaej.exe 892 Gcojnmdn.exe 2908 Ggjfnk32.exe 2084 Gkeboj32.exe 1020 Gmdoke32.exe 1644 Glgofbjn.exe 1048 Gdnghpkq.exe 2608 Gliklahk.exe 2492 Gccdil32.exe 1244 Ggopijha.exe 1368 Gimlefge.exe 1228 Ghplac32.exe 1512 Gllhaa32.exe 2164 Hceqnlnf.exe 2808 Hahqjh32.exe 3040 Hjpike32.exe 2160 Hhbigblm.exe 1612 Hkqecnkq.exe 1912 Holacm32.exe 2380 Hchmdklc.exe 452 Hefipfkg.exe 2964 Hkcbhn32.exe 2120 Hnandi32.exe 3024 Hamjehqk.exe 2220 Hdkfacpo.exe 1620 Hgjbmoob.exe 1536 Hoakolod.exe 1296 Haogkgoh.exe 2552 Hqbgfd32.exe 2820 Hdncgbnl.exe 956 Hglocnmp.exe 1632 Hjkkojlc.exe 1656 Hnfgphdl.exe 2020 Hkjhimcf.exe 2584 Hjmhdi32.exe 2888 Inhdehbj.exe 1428 Iqgqacam.exe 2452 Idblbb32.exe 852 Icemmopa.exe 848 Igainn32.exe 836 Ijoeji32.exe 772 Inkakhpg.exe 704 Imnafd32.exe 324 Iolmbpfe.exe -
Loads dropped DLL 64 IoCs
pid Process 2740 a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe 2740 a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe 2900 Flgbho32.exe 2900 Flgbho32.exe 2672 Fadkpe32.exe 2672 Fadkpe32.exe 2576 Fhncmp32.exe 2576 Fhncmp32.exe 2288 Fklpik32.exe 2288 Fklpik32.exe 2432 Fbcgjh32.exe 2432 Fbcgjh32.exe 2456 Fafheedg.exe 2456 Fafheedg.exe 2312 Febcfd32.exe 2312 Febcfd32.exe 860 Fhppbp32.exe 860 Fhppbp32.exe 1240 Flllcndm.exe 1240 Flllcndm.exe 2192 Fojhoica.exe 2192 Fojhoica.exe 1572 Fahdkebe.exe 1572 Fahdkebe.exe 1876 Fedplc32.exe 1876 Fedplc32.exe 2708 Fhbmho32.exe 2708 Fhbmho32.exe 1616 Gkaidjhe.exe 1616 Gkaidjhe.exe 1624 Gmoepfhi.exe 1624 Gmoepfhi.exe 336 Gpnalagm.exe 336 Gpnalagm.exe 656 Gheimogo.exe 656 Gheimogo.exe 1916 Gkceijfb.exe 1916 Gkceijfb.exe 856 Giffeg32.exe 856 Giffeg32.exe 3056 Gmabeeef.exe 3056 Gmabeeef.exe 1484 Gppnaaej.exe 1484 Gppnaaej.exe 892 Gcojnmdn.exe 892 Gcojnmdn.exe 2908 Ggjfnk32.exe 2908 Ggjfnk32.exe 2084 Gkeboj32.exe 2084 Gkeboj32.exe 1020 Gmdoke32.exe 1020 Gmdoke32.exe 1644 Glgofbjn.exe 1644 Glgofbjn.exe 1048 Gdnghpkq.exe 1048 Gdnghpkq.exe 2608 Gliklahk.exe 2608 Gliklahk.exe 2492 Gccdil32.exe 2492 Gccdil32.exe 1244 Ggopijha.exe 1244 Ggopijha.exe 1368 Gimlefge.exe 1368 Gimlefge.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Glbqfjpp.dll Jinead32.exe File created C:\Windows\SysWOW64\Lgoacojo.exe Lmgmjjdn.exe File created C:\Windows\SysWOW64\Pmdmeemc.dll Plcdgfbo.exe File created C:\Windows\SysWOW64\Bcaomf32.exe Bpcbqk32.exe File opened for modification C:\Windows\SysWOW64\Hdncgbnl.exe Hqbgfd32.exe File created C:\Windows\SysWOW64\Efncicpm.exe Ebbgid32.exe File opened for modification C:\Windows\SysWOW64\Fhffaj32.exe Fehjeo32.exe File opened for modification C:\Windows\SysWOW64\Hggomh32.exe Hckcmjep.exe File created C:\Windows\SysWOW64\Bhahlj32.exe Bebkpn32.exe File created C:\Windows\SysWOW64\Pljpdpao.dll Hgilchkf.exe File opened for modification C:\Windows\SysWOW64\Gkeboj32.exe Ggjfnk32.exe File created C:\Windows\SysWOW64\Mgajhbkg.exe Madapkmp.exe File created C:\Windows\SysWOW64\Ebhepm32.dll Ngfcca32.exe File created C:\Windows\SysWOW64\Fiedkadc.dll Oicpfh32.exe File created C:\Windows\SysWOW64\Lonkjenl.dll Eajaoq32.exe File created C:\Windows\SysWOW64\Njgcpp32.dll Ghmiam32.exe File created C:\Windows\SysWOW64\Oehifjpg.dll Ibapoj32.exe File opened for modification C:\Windows\SysWOW64\Mlgigdoh.exe Mdqafgnf.exe File opened for modification C:\Windows\SysWOW64\Qljkhe32.exe Qhooggdn.exe File created C:\Windows\SysWOW64\Epgnljad.dll Dcfdgiid.exe File created C:\Windows\SysWOW64\Moealbej.dll Qljkhe32.exe File created C:\Windows\SysWOW64\Cfeddafl.exe Coklgg32.exe File created C:\Windows\SysWOW64\Kngjnfgo.dll Fhbmho32.exe File opened for modification C:\Windows\SysWOW64\Hefipfkg.exe Hchmdklc.exe File opened for modification C:\Windows\SysWOW64\Bhcdaibd.exe Bdhhqk32.exe File opened for modification C:\Windows\SysWOW64\Eiaiqn32.exe Eeempocb.exe File opened for modification C:\Windows\SysWOW64\Gpmjak32.exe Ghfbqn32.exe File opened for modification C:\Windows\SysWOW64\Hdkfacpo.exe Hamjehqk.exe File opened for modification C:\Windows\SysWOW64\Lpgele32.exe Limmokib.exe File created C:\Windows\SysWOW64\Emfbll32.dll Limmokib.exe File created C:\Windows\SysWOW64\Difoda32.dll Npnhlg32.exe File created C:\Windows\SysWOW64\Bdhaablp.dll Henidd32.exe File created C:\Windows\SysWOW64\Hnfgphdl.exe Hjkkojlc.exe File created C:\Windows\SysWOW64\Okoomd32.exe Nbfjdn32.exe File opened for modification C:\Windows\SysWOW64\Qjknnbed.exe Qhmbagfa.exe File created C:\Windows\SysWOW64\Hpmgqnfl.exe Hpmgqnfl.exe File created C:\Windows\SysWOW64\Igghmf32.dll Hdncgbnl.exe File created C:\Windows\SysWOW64\Dlcdphdj.dll Chemfl32.exe File opened for modification C:\Windows\SysWOW64\Gogangdc.exe Ggpimica.exe File opened for modification C:\Windows\SysWOW64\Gddifnbk.exe Gphmeo32.exe File opened for modification C:\Windows\SysWOW64\Qhmbagfa.exe Penfelgm.exe File created C:\Windows\SysWOW64\Qhooggdn.exe Qeqbkkej.exe File created C:\Windows\SysWOW64\Ajdadamj.exe Abmibdlh.exe File opened for modification C:\Windows\SysWOW64\Djnpnc32.exe Dkkpbgli.exe File created C:\Windows\SysWOW64\Gliklahk.exe Gdnghpkq.exe File created C:\Windows\SysWOW64\Lgiqojmp.dll Gccdil32.exe File created C:\Windows\SysWOW64\Ndjdlffl.exe Npnhlg32.exe File created C:\Windows\SysWOW64\Nqqdag32.exe Njgldmdc.exe File created C:\Windows\SysWOW64\Gbhfilfi.dll Cjpqdp32.exe File created C:\Windows\SysWOW64\Nobdlg32.dll Dqjepm32.exe File created C:\Windows\SysWOW64\Hojopmqk.dll Hellne32.exe File created C:\Windows\SysWOW64\Icjfhn32.exe Ioojhpdb.exe File created C:\Windows\SysWOW64\Kfoedl32.exe Kbcicmpj.exe File opened for modification C:\Windows\SysWOW64\Lmnbkinf.exe Ldenbcge.exe File created C:\Windows\SysWOW64\Penfelgm.exe Pbpjiphi.exe File opened for modification C:\Windows\SysWOW64\Bbdocc32.exe Bpfcgg32.exe File created C:\Windows\SysWOW64\Maomqp32.dll Cfgaiaci.exe File created C:\Windows\SysWOW64\Dkmmhf32.exe Dcfdgiid.exe File opened for modification C:\Windows\SysWOW64\Hgjbmoob.exe Hdkfacpo.exe File created C:\Windows\SysWOW64\Odjpkihg.exe Obkdonic.exe File created C:\Windows\SysWOW64\Ljpojo32.dll Pmlkpjpj.exe File opened for modification C:\Windows\SysWOW64\Qhooggdn.exe Qeqbkkej.exe File opened for modification C:\Windows\SysWOW64\Iffeoj32.exe Ichico32.exe File created C:\Windows\SysWOW64\Ppoqge32.exe Plcdgfbo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4684 4992 WerFault.exe 460 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qaefjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkhcmgnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngfcca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iiikfehq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjlled32.dll" Komfnnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pndniaop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcmiimi.dll" Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmabjpq.dll" Fklpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpnhh32.dll" Pelipl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qeqbkkej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddckpim.dll" Pjmodopf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imnafd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bpfcgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chemfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll" Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhbigblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgjbmoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgcjoog.dll" Jbfijjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjoho32.dll" Jghknp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omgaek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfinoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmkde32.dll" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehjaok32.dll" Hkqecnkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll" Hlfdkoin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiiekj32.dll" Hkcbhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pphjgfqq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qnfjna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alhjai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkoginch.dll" Ffkcbgek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfefiemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll" Hicodd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gccdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifhbdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmdpejfq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdoclk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcojnmdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnpmipql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inkakhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcolba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghkllmoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhncmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njiijlbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmiihlhk.dll" Flllcndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkkgcp32.dll" Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkhcmgnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlbpenqj.dll" Lmnbkinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkfbjneg.dll" Jeplkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dilmgq32.dll" Gcojnmdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Impnldeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plahag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abmibdlh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2740 wrote to memory of 2900 2740 a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe 28 PID 2740 wrote to memory of 2900 2740 a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe 28 PID 2740 wrote to memory of 2900 2740 a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe 28 PID 2740 wrote to memory of 2900 2740 a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe 28 PID 2900 wrote to memory of 2672 2900 Flgbho32.exe 29 PID 2900 wrote to memory of 2672 2900 Flgbho32.exe 29 PID 2900 wrote to memory of 2672 2900 Flgbho32.exe 29 PID 2900 wrote to memory of 2672 2900 Flgbho32.exe 29 PID 2672 wrote to memory of 2576 2672 Fadkpe32.exe 30 PID 2672 wrote to memory of 2576 2672 Fadkpe32.exe 30 PID 2672 wrote to memory of 2576 2672 Fadkpe32.exe 30 PID 2672 wrote to memory of 2576 2672 Fadkpe32.exe 30 PID 2576 wrote to memory of 2288 2576 Fhncmp32.exe 31 PID 2576 wrote to memory of 2288 2576 Fhncmp32.exe 31 PID 2576 wrote to memory of 2288 2576 Fhncmp32.exe 31 PID 2576 wrote to memory of 2288 2576 Fhncmp32.exe 31 PID 2288 wrote to memory of 2432 2288 Fklpik32.exe 32 PID 2288 wrote to memory of 2432 2288 Fklpik32.exe 32 PID 2288 wrote to memory of 2432 2288 Fklpik32.exe 32 PID 2288 wrote to memory of 2432 2288 Fklpik32.exe 32 PID 2432 wrote to memory of 2456 2432 Fbcgjh32.exe 33 PID 2432 wrote to memory of 2456 2432 Fbcgjh32.exe 33 PID 2432 wrote to memory of 2456 2432 Fbcgjh32.exe 33 PID 2432 wrote to memory of 2456 2432 Fbcgjh32.exe 33 PID 2456 wrote to memory of 2312 2456 Fafheedg.exe 34 PID 2456 wrote to memory of 2312 2456 Fafheedg.exe 34 PID 2456 wrote to memory of 2312 2456 Fafheedg.exe 34 PID 2456 wrote to memory of 2312 2456 Fafheedg.exe 34 PID 2312 wrote to memory of 860 2312 Febcfd32.exe 35 PID 2312 wrote to memory of 860 2312 Febcfd32.exe 35 PID 2312 wrote to memory of 860 2312 Febcfd32.exe 35 PID 2312 wrote to memory of 860 2312 Febcfd32.exe 35 PID 860 wrote to memory of 1240 860 Fhppbp32.exe 36 PID 860 wrote to memory of 1240 860 Fhppbp32.exe 36 PID 860 wrote to memory of 1240 860 Fhppbp32.exe 36 PID 860 wrote to memory of 1240 860 Fhppbp32.exe 36 PID 1240 wrote to memory of 2192 1240 Flllcndm.exe 37 PID 1240 wrote to memory of 2192 1240 Flllcndm.exe 37 PID 1240 wrote to memory of 2192 1240 Flllcndm.exe 37 PID 1240 wrote to memory of 2192 1240 Flllcndm.exe 37 PID 2192 wrote to memory of 1572 2192 Fojhoica.exe 38 PID 2192 wrote to memory of 1572 2192 Fojhoica.exe 38 PID 2192 wrote to memory of 1572 2192 Fojhoica.exe 38 PID 2192 wrote to memory of 1572 2192 Fojhoica.exe 38 PID 1572 wrote to memory of 1876 1572 Fahdkebe.exe 39 PID 1572 wrote to memory of 1876 1572 Fahdkebe.exe 39 PID 1572 wrote to memory of 1876 1572 Fahdkebe.exe 39 PID 1572 wrote to memory of 1876 1572 Fahdkebe.exe 39 PID 1876 wrote to memory of 2708 1876 Fedplc32.exe 40 PID 1876 wrote to memory of 2708 1876 Fedplc32.exe 40 PID 1876 wrote to memory of 2708 1876 Fedplc32.exe 40 PID 1876 wrote to memory of 2708 1876 Fedplc32.exe 40 PID 2708 wrote to memory of 1616 2708 Fhbmho32.exe 41 PID 2708 wrote to memory of 1616 2708 Fhbmho32.exe 41 PID 2708 wrote to memory of 1616 2708 Fhbmho32.exe 41 PID 2708 wrote to memory of 1616 2708 Fhbmho32.exe 41 PID 1616 wrote to memory of 1624 1616 Gkaidjhe.exe 42 PID 1616 wrote to memory of 1624 1616 Gkaidjhe.exe 42 PID 1616 wrote to memory of 1624 1616 Gkaidjhe.exe 42 PID 1616 wrote to memory of 1624 1616 Gkaidjhe.exe 42 PID 1624 wrote to memory of 336 1624 Gmoepfhi.exe 43 PID 1624 wrote to memory of 336 1624 Gmoepfhi.exe 43 PID 1624 wrote to memory of 336 1624 Gmoepfhi.exe 43 PID 1624 wrote to memory of 336 1624 Gmoepfhi.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe"C:\Users\Admin\AppData\Local\Temp\a1fd1c0c96634b2e7bf313dc875ce676703f8d67a0d0349045cec60ebf1c84f3.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Flgbho32.exeC:\Windows\system32\Flgbho32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Fadkpe32.exeC:\Windows\system32\Fadkpe32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Fhncmp32.exeC:\Windows\system32\Fhncmp32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Fklpik32.exeC:\Windows\system32\Fklpik32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Fbcgjh32.exeC:\Windows\system32\Fbcgjh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Fafheedg.exeC:\Windows\system32\Fafheedg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Febcfd32.exeC:\Windows\system32\Febcfd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Fhppbp32.exeC:\Windows\system32\Fhppbp32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Flllcndm.exeC:\Windows\system32\Flllcndm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Fojhoica.exeC:\Windows\system32\Fojhoica.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Fahdkebe.exeC:\Windows\system32\Fahdkebe.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Fedplc32.exeC:\Windows\system32\Fedplc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Fhbmho32.exeC:\Windows\system32\Fhbmho32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Gkaidjhe.exeC:\Windows\system32\Gkaidjhe.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Gmoepfhi.exeC:\Windows\system32\Gmoepfhi.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Gpnalagm.exeC:\Windows\system32\Gpnalagm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:336 -
C:\Windows\SysWOW64\Gheimogo.exeC:\Windows\system32\Gheimogo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:656 -
C:\Windows\SysWOW64\Gkceijfb.exeC:\Windows\system32\Gkceijfb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1916 -
C:\Windows\SysWOW64\Giffeg32.exeC:\Windows\system32\Giffeg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:856 -
C:\Windows\SysWOW64\Gmabeeef.exeC:\Windows\system32\Gmabeeef.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Gppnaaej.exeC:\Windows\system32\Gppnaaej.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1484 -
C:\Windows\SysWOW64\Gcojnmdn.exeC:\Windows\system32\Gcojnmdn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:892 -
C:\Windows\SysWOW64\Ggjfnk32.exeC:\Windows\system32\Ggjfnk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Gkeboj32.exeC:\Windows\system32\Gkeboj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Gmdoke32.exeC:\Windows\system32\Gmdoke32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1020 -
C:\Windows\SysWOW64\Glgofbjn.exeC:\Windows\system32\Glgofbjn.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Gdnghpkq.exeC:\Windows\system32\Gdnghpkq.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1048 -
C:\Windows\SysWOW64\Gliklahk.exeC:\Windows\system32\Gliklahk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Gccdil32.exeC:\Windows\system32\Gccdil32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Ggopijha.exeC:\Windows\system32\Ggopijha.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1244 -
C:\Windows\SysWOW64\Gimlefge.exeC:\Windows\system32\Gimlefge.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1368 -
C:\Windows\SysWOW64\Ghplac32.exeC:\Windows\system32\Ghplac32.exe33⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Gllhaa32.exeC:\Windows\system32\Gllhaa32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Hceqnlnf.exeC:\Windows\system32\Hceqnlnf.exe35⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Hahqjh32.exeC:\Windows\system32\Hahqjh32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Hjpike32.exeC:\Windows\system32\Hjpike32.exe37⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Hhbigblm.exeC:\Windows\system32\Hhbigblm.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Hkqecnkq.exeC:\Windows\system32\Hkqecnkq.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Holacm32.exeC:\Windows\system32\Holacm32.exe40⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Hchmdklc.exeC:\Windows\system32\Hchmdklc.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Hefipfkg.exeC:\Windows\system32\Hefipfkg.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Hkcbhn32.exeC:\Windows\system32\Hkcbhn32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Hnandi32.exeC:\Windows\system32\Hnandi32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Hamjehqk.exeC:\Windows\system32\Hamjehqk.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Hdkfacpo.exeC:\Windows\system32\Hdkfacpo.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Hgjbmoob.exeC:\Windows\system32\Hgjbmoob.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Hoakolod.exeC:\Windows\system32\Hoakolod.exe48⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Haogkgoh.exeC:\Windows\system32\Haogkgoh.exe49⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Hqbgfd32.exeC:\Windows\system32\Hqbgfd32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Hdncgbnl.exeC:\Windows\system32\Hdncgbnl.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Hglocnmp.exeC:\Windows\system32\Hglocnmp.exe52⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Hjkkojlc.exeC:\Windows\system32\Hjkkojlc.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Hnfgphdl.exeC:\Windows\system32\Hnfgphdl.exe54⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Hkjhimcf.exeC:\Windows\system32\Hkjhimcf.exe55⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Hjmhdi32.exeC:\Windows\system32\Hjmhdi32.exe56⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Inhdehbj.exeC:\Windows\system32\Inhdehbj.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Iqgqacam.exeC:\Windows\system32\Iqgqacam.exe58⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Idblbb32.exeC:\Windows\system32\Idblbb32.exe59⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Icemmopa.exeC:\Windows\system32\Icemmopa.exe60⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Igainn32.exeC:\Windows\system32\Igainn32.exe61⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Ijoeji32.exeC:\Windows\system32\Ijoeji32.exe62⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Inkakhpg.exeC:\Windows\system32\Inkakhpg.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:772 -
C:\Windows\SysWOW64\Imnafd32.exeC:\Windows\system32\Imnafd32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:704 -
C:\Windows\SysWOW64\Iolmbpfe.exeC:\Windows\system32\Iolmbpfe.exe65⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Ichico32.exeC:\Windows\system32\Ichico32.exe66⤵
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Iffeoj32.exeC:\Windows\system32\Iffeoj32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2524 -
C:\Windows\SysWOW64\Ijaapifk.exeC:\Windows\system32\Ijaapifk.exe68⤵PID:592
-
C:\Windows\SysWOW64\Iidbke32.exeC:\Windows\system32\Iidbke32.exe69⤵PID:1172
-
C:\Windows\SysWOW64\Impnldeo.exeC:\Windows\system32\Impnldeo.exe70⤵
- Modifies registry class
PID:1448 -
C:\Windows\SysWOW64\Ioojhpdb.exeC:\Windows\system32\Ioojhpdb.exe71⤵
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Icjfhn32.exeC:\Windows\system32\Icjfhn32.exe72⤵PID:2824
-
C:\Windows\SysWOW64\Ifhbdj32.exeC:\Windows\system32\Ifhbdj32.exe73⤵
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Ijdnehci.exeC:\Windows\system32\Ijdnehci.exe74⤵PID:1628
-
C:\Windows\SysWOW64\Iigoqe32.exeC:\Windows\system32\Iigoqe32.exe75⤵PID:792
-
C:\Windows\SysWOW64\Imbkadcl.exeC:\Windows\system32\Imbkadcl.exe76⤵PID:608
-
C:\Windows\SysWOW64\Ioagno32.exeC:\Windows\system32\Ioagno32.exe77⤵PID:2580
-
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe78⤵PID:1564
-
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe79⤵PID:2720
-
C:\Windows\SysWOW64\Ienoff32.exeC:\Windows\system32\Ienoff32.exe80⤵PID:276
-
C:\Windows\SysWOW64\Iiikfehq.exeC:\Windows\system32\Iiikfehq.exe81⤵
- Modifies registry class
PID:652 -
C:\Windows\SysWOW64\Ikggbpgd.exeC:\Windows\system32\Ikggbpgd.exe82⤵PID:2700
-
C:\Windows\SysWOW64\Ioccco32.exeC:\Windows\system32\Ioccco32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1864 -
C:\Windows\SysWOW64\Infdolgh.exeC:\Windows\system32\Infdolgh.exe84⤵PID:964
-
C:\Windows\SysWOW64\Ibapoj32.exeC:\Windows\system32\Ibapoj32.exe85⤵
- Drops file in System32 directory
PID:1388 -
C:\Windows\SysWOW64\Jeplkf32.exeC:\Windows\system32\Jeplkf32.exe86⤵
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe87⤵PID:2884
-
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe88⤵PID:3044
-
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe89⤵PID:2000
-
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe90⤵PID:1900
-
C:\Windows\SysWOW64\Jagmpg32.exeC:\Windows\system32\Jagmpg32.exe91⤵PID:2636
-
C:\Windows\SysWOW64\Jebiaelb.exeC:\Windows\system32\Jebiaelb.exe92⤵PID:1324
-
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe93⤵
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2656 -
C:\Windows\SysWOW64\Jjoailji.exeC:\Windows\system32\Jjoailji.exe95⤵PID:2116
-
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Jbfijjkl.exeC:\Windows\system32\Jbfijjkl.exe97⤵
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe98⤵PID:1488
-
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe99⤵PID:1580
-
C:\Windows\SysWOW64\Jgcabqic.exeC:\Windows\system32\Jgcabqic.exe100⤵PID:2668
-
C:\Windows\SysWOW64\Jegble32.exeC:\Windows\system32\Jegble32.exe101⤵PID:2008
-
C:\Windows\SysWOW64\Jcjbgaog.exeC:\Windows\system32\Jcjbgaog.exe102⤵PID:2676
-
C:\Windows\SysWOW64\Jfhocmnk.exeC:\Windows\system32\Jfhocmnk.exe103⤵PID:1284
-
C:\Windows\SysWOW64\Jnofejom.exeC:\Windows\system32\Jnofejom.exe104⤵PID:1768
-
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe105⤵PID:628
-
C:\Windows\SysWOW64\Jancafna.exeC:\Windows\system32\Jancafna.exe106⤵PID:1548
-
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2044 -
C:\Windows\SysWOW64\Jghknp32.exeC:\Windows\system32\Jghknp32.exe108⤵
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:924 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe110⤵PID:2832
-
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe111⤵PID:2240
-
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe112⤵PID:800
-
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe113⤵
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2628 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe115⤵PID:2516
-
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe116⤵PID:2484
-
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe117⤵PID:2024
-
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe118⤵PID:2684
-
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1716 -
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe120⤵PID:1812
-
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2036
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-