Analysis
max time kernel: 48s
max time network: 53s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 28-10-2022 22:46
Static task: static1
Behavioral task: behavioral1
  Sample: d0694af6981a8146489c905027771567f1e811ad4e113f11a2f15ea31d9ed445.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: d0694af6981a8146489c905027771567f1e811ad4e113f11a2f15ea31d9ed445.exe
  Resource: win10v2004-20220901-en
General
Target: d0694af6981a8146489c905027771567f1e811ad4e113f11a2f15ea31d9ed445.exe
Size: 51KB
MD5: 0c74e95a670c3ea7d0dbbb209329f880
SHA1: 112a0f1d8791a7f8e624bab0b20087e80419aa63
SHA256: d0694af6981a8146489c905027771567f1e811ad4e113f11a2f15ea31d9ed445
SHA512: 7005794182db6d1569e46ef99dda9bb2a6ed79a1622110954221068f8808951993f680d765ab49949e92699feb1e0a3960f114f76f393fe32e94a43beb0f2abb
SSDEEP: 768:VhcdmIii2YFh0T3ORqon1ip6uP+b2K5oOmnxM7AHUzz/1H5:VhY28q3ORqvguE20oOm8MUzB
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid   pid_target  Process       procid_target
3628  3620        WerFault.exe  301
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\d0694af6981a8146489c905027771567f1e811ad4e113f11a2f15ea31d9ed445.exe (PID 1288, tree depth 1), command line: "C:\Users\Admin\AppData\Local\Temp\d0694af6981a8146489c905027771567f1e811ad4e113f11a2f15ea31d9ed445.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Bbhffiog.exe (PID 1532, tree depth 2), command line: C:\Windows\system32\Bbhffiog.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Bdkodabc.exe (PID 1304, tree depth 3), command line: C:\Windows\system32\Bdkodabc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Bappmeam.exe (PID 672, tree depth 4), command line: C:\Windows\system32\Bappmeam.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Cjhdfkhm.exe (PID 364, tree depth 5), command line: C:\Windows\system32\Cjhdfkhm.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Cpdlnbfd.exe (PID 1912, tree depth 6), command line: C:\Windows\system32\Cpdlnbfd.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Cimagg32.exe (PID 1724, tree depth 7), command line: C:\Windows\system32\Cimagg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Cfaaqllo.exe (PID 1472, tree depth 8), command line: C:\Windows\system32\Cfaaqllo.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Cbhbem32.exe (PID 1640, tree depth 9), command line: C:\Windows\system32\Cbhbem32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Clpfnbhc.exe (PID 1476, tree depth 10), command line: C:\Windows\system32\Clpfnbhc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Cfeklkhi.exe (PID 1536, tree depth 11), command line: C:\Windows\system32\Cfeklkhi.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Clbcdb32.exe (PID 316, tree depth 12), command line: C:\Windows\system32\Clbcdb32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Daolli32.exe (PID 1704, tree depth 13), command line: C:\Windows\system32\Daolli32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Dlepia32.exe (PID 824, tree depth 14), command line: C:\Windows\system32\Dlepia32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Daahah32.exe (PID 2044, tree depth 15), command line: C:\Windows\system32\Daahah32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Dkjmjn32.exe (PID 1956, tree depth 16), command line: C:\Windows\system32\Dkjmjn32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Depahg32.exe (PID 1952, tree depth 17), command line: C:\Windows\system32\Depahg32.exe
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Dnkfli32.exe (PID 1668, tree depth 18), command line: C:\Windows\system32\Dnkfli32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
C:\Windows\SysWOW64\Dkofemdq.exe (PID 440, tree depth 19), command line: C:\Windows\system32\Dkofemdq.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Dcjkjpbl.exe (PID 1628, tree depth 20), command line: C:\Windows\system32\Dcjkjpbl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Eclhpopi.exe (PID 852, tree depth 21), command line: C:\Windows\system32\Eclhpopi.exe
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Ehkmmf32.exe (PID 1256, tree depth 22), command line: C:\Windows\system32\Ehkmmf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Efomgj32.exe (PID 896, tree depth 23), command line: C:\Windows\system32\Efomgj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
C:\Windows\SysWOW64\Eccnpnja.exe (PID 2024, tree depth 24), command line: C:\Windows\system32\Eccnpnja.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Ekobdqgl.exe (PID 1148, tree depth 25), command line: C:\Windows\system32\Ekobdqgl.exe
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Folkkomb.exe (PID 1728, tree depth 26), command line: C:\Windows\system32\Folkkomb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Fdidcflj.exe (PID 468, tree depth 27), command line: C:\Windows\system32\Fdidcflj.exe
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Fnahlk32.exe (PID 660, tree depth 28), command line: C:\Windows\system32\Fnahlk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Fdkqhejg.exe (PID 1736, tree depth 29), command line: C:\Windows\system32\Fdkqhejg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Fjhialho.exe (PID 1692, tree depth 30), command line: C:\Windows\system32\Fjhialho.exe
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Fmgemh32.exe (PID 1488, tree depth 31), command line: C:\Windows\system32\Fmgemh32.exe
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Ffojfmnc.exe (PID 1716, tree depth 32), command line: C:\Windows\system32\Ffojfmnc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Fognoc32.exe (PID 1284, tree depth 33), command line: C:\Windows\system32\Fognoc32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Ffafkmkp.exe (PID 1672, tree depth 34), command line: C:\Windows\system32\Ffafkmkp.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Fqgkif32.exe (PID 1752, tree depth 35), command line: C:\Windows\system32\Fqgkif32.exe
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Gfdcam32.exe (PID 856, tree depth 36), command line: C:\Windows\system32\Gfdcam32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Golgjbpn.exe (PID 1480, tree depth 37), command line: C:\Windows\system32\Golgjbpn.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Geipbine.exe (PID 1056, tree depth 38), command line: C:\Windows\system32\Geipbine.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Gkchoc32.exe (PID 596, tree depth 39), command line: C:\Windows\system32\Gkchoc32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Gekmgi32.exe (PID 820, tree depth 40), command line: C:\Windows\system32\Gekmgi32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Gpaaea32.exe (PID 948, tree depth 41), command line: C:\Windows\system32\Gpaaea32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Gabnmjbg.exe (PID 1772, tree depth 42), command line: C:\Windows\system32\Gabnmjbg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Gglfid32.exe (PID 1048, tree depth 43), command line: C:\Windows\system32\Gglfid32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Gbajfmij.exe (PID 1920, tree depth 44), command line: C:\Windows\system32\Gbajfmij.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Gccfne32.exe (PID 2040, tree depth 45), command line: C:\Windows\system32\Gccfne32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Hljnob32.exe (PID 2016, tree depth 46), command line: C:\Windows\system32\Hljnob32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Hnhkkn32.exe (PID 916, tree depth 47), command line: C:\Windows\system32\Hnhkkn32.exe
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Hagggi32.exe (PID 1856, tree depth 48), command line: C:\Windows\system32\Hagggi32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Hcecdd32.exe (PID 964, tree depth 49), command line: C:\Windows\system32\Hcecdd32.exe
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Hjokqodb.exe (PID 928, tree depth 50), command line: C:\Windows\system32\Hjokqodb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Hpldie32.exe (PID 1364, tree depth 51), command line: C:\Windows\system32\Hpldie32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Hjahfn32.exe (PID 1568, tree depth 52), command line: C:\Windows\system32\Hjahfn32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Hakpbhjl.exe (PID 1696, tree depth 53), command line: C:\Windows\system32\Hakpbhjl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Hbmmjq32.exe (PID 1596, tree depth 54), command line: C:\Windows\system32\Hbmmjq32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Higegkgg.exe (PID 1764, tree depth 55), command line: C:\Windows\system32\Higegkgg.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Hpqmde32.exe (PID 1196, tree depth 56), command line: C:\Windows\system32\Hpqmde32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Hemfllmk.exe (PID 368, tree depth 57), command line: C:\Windows\system32\Hemfllmk.exe
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Hpcjidla.exe (PID 1624, tree depth 58), command line: C:\Windows\system32\Hpcjidla.exe
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Iepbakki.exe (PID 748, tree depth 59), command line: C:\Windows\system32\Iepbakki.exe
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Iebogk32.exe (PID 1020, tree depth 60), command line: C:\Windows\system32\Iebogk32.exe
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Ibfpqo32.exe (PID 1708, tree depth 61), command line: C:\Windows\system32\Ibfpqo32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Iakmallh.exe (PID 1296, tree depth 62), command line: C:\Windows\system32\Iakmallh.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Iheenfcd.exe (PID 1248, tree depth 63), command line: C:\Windows\system32\Iheenfcd.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Ihgadeab.exe (PID 1156, tree depth 64), command line: C:\Windows\system32\Ihgadeab.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Ikfnpaqe.exe (PID 1324, tree depth 65), command line: C:\Windows\system32\Ikfnpaqe.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Jmggbl32.exe (PID 2004, tree depth 66), command line: C:\Windows\system32\Jmggbl32.exe
C:\Windows\SysWOW64\Jgokkadg.exe (PID 1352, tree depth 67), command line: C:\Windows\system32\Jgokkadg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Jpgpcg32.exe (PID 1052, tree depth 68), command line: C:\Windows\system32\Jpgpcg32.exe
- Modifies registry class
C:\Windows\SysWOW64\Jgahpabd.exe (PID 1896, tree depth 69), command line: C:\Windows\system32\Jgahpabd.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Jhbdhihb.exe (PID 1192, tree depth 70), command line: C:\Windows\system32\Jhbdhihb.exe
- Modifies registry class
C:\Windows\SysWOW64\Jefeangl.exe (PID 1608, tree depth 71), command line: C:\Windows\system32\Jefeangl.exe
C:\Windows\SysWOW64\Jheamifp.exe (PID 1124, tree depth 72), command line: C:\Windows\system32\Jheamifp.exe
- Modifies registry class
C:\Windows\SysWOW64\Jckekbff.exe (PID 1584, tree depth 73), command line: C:\Windows\system32\Jckekbff.exe
- Modifies registry class
C:\Windows\SysWOW64\Keknlm32.exe (PID 568, tree depth 74), command line: C:\Windows\system32\Keknlm32.exe
C:\Windows\SysWOW64\Koccebjg.exe (PID 1604, tree depth 75), command line: C:\Windows\system32\Koccebjg.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Lbdhfa32.exe (PID 1456, tree depth 76), command line: C:\Windows\system32\Lbdhfa32.exe
C:\Windows\SysWOW64\Lohhoehn.exe (PID 1940, tree depth 77), command line: C:\Windows\system32\Lohhoehn.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Leeaglfe.exe (PID 1560, tree depth 78), command line: C:\Windows\system32\Leeaglfe.exe
- Modifies registry class
C:\Windows\SysWOW64\Mjbipcdl.exe (PID 1756, tree depth 79), command line: C:\Windows\system32\Mjbipcdl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Malamm32.exe (PID 2052, tree depth 80), command line: C:\Windows\system32\Malamm32.exe
- Modifies registry class
C:\Windows\SysWOW64\Mgfjigcf.exe (PID 2060, tree depth 81), command line: C:\Windows\system32\Mgfjigcf.exe
C:\Windows\SysWOW64\Mnpbfakc.exe (PID 2068, tree depth 82), command line: C:\Windows\system32\Mnpbfakc.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Mejjbk32.exe (PID 2076, tree depth 83), command line: C:\Windows\system32\Mejjbk32.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Mjfckb32.exe (PID 2084, tree depth 84), command line: C:\Windows\system32\Mjfckb32.exe
C:\Windows\SysWOW64\Maqkglhd.exe (PID 2092, tree depth 85), command line: C:\Windows\system32\Maqkglhd.exe
C:\Windows\SysWOW64\Mfmcpcfk.exe (PID 2100, tree depth 86), command line: C:\Windows\system32\Mfmcpcfk.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Machml32.exe (PID 2108, tree depth 87), command line: C:\Windows\system32\Machml32.exe
C:\Windows\SysWOW64\Mcadig32.exe (PID 2116, tree depth 88), command line: C:\Windows\system32\Mcadig32.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Minlan32.exe (PID 2124, tree depth 89), command line: C:\Windows\system32\Minlan32.exe
C:\Windows\SysWOW64\Mllinj32.exe (PID 2132, tree depth 90), command line: C:\Windows\system32\Mllinj32.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Nbfajdjm.exe (PID 2140, tree depth 91), command line: C:\Windows\system32\Nbfajdjm.exe
C:\Windows\SysWOW64\Nmlehmib.exe (PID 2148, tree depth 92), command line: C:\Windows\system32\Nmlehmib.exe
C:\Windows\SysWOW64\Nbinpc32.exe (PID 2156, tree depth 93), command line: C:\Windows\system32\Nbinpc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Nhefhj32.exe (PID 2164, tree depth 94), command line: C:\Windows\system32\Nhefhj32.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Nopnedmn.exe (PID 2172, tree depth 95), command line: C:\Windows\system32\Nopnedmn.exe
- Modifies registry class
C:\Windows\SysWOW64\Nankaplb.exe (PID 2180, tree depth 96), command line: C:\Windows\system32\Nankaplb.exe
C:\Windows\SysWOW64\Nhhcnj32.exe (PID 2188, tree depth 97), command line: C:\Windows\system32\Nhhcnj32.exe
C:\Windows\SysWOW64\Nobkjdkl.exe (PID 2196, tree depth 98), command line: C:\Windows\system32\Nobkjdkl.exe
C:\Windows\SysWOW64\Nelcgnch.exe (PID 2212, tree depth 99), command line: C:\Windows\system32\Nelcgnch.exe
C:\Windows\SysWOW64\Nhjpcjbl.exe (PID 2224, tree depth 100), command line: C:\Windows\system32\Nhjpcjbl.exe
C:\Windows\SysWOW64\Nodhpd32.exe (PID 2240, tree depth 101), command line: C:\Windows\system32\Nodhpd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Nmghlqpc.exe (PID 2256, tree depth 102), command line: C:\Windows\system32\Nmghlqpc.exe
C:\Windows\SysWOW64\Nenpmnqf.exe (PID 2280, tree depth 103), command line: C:\Windows\system32\Nenpmnqf.exe
C:\Windows\SysWOW64\Nfoldf32.exe (PID 2300, tree depth 104), command line: C:\Windows\system32\Nfoldf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Oofdec32.exe (PID 2316, tree depth 105), command line: C:\Windows\system32\Oofdec32.exe
C:\Windows\SysWOW64\Oaeqaofj.exe (PID 2332, tree depth 106), command line: C:\Windows\system32\Oaeqaofj.exe
C:\Windows\SysWOW64\Odcmnjen.exe (PID 2360, tree depth 107), command line: C:\Windows\system32\Odcmnjen.exe
C:\Windows\SysWOW64\Ofaijfda.exe (PID 2376, tree depth 108), command line: C:\Windows\system32\Ofaijfda.exe
- Modifies registry class
C:\Windows\SysWOW64\Oipeface.exe (PID 2392, tree depth 109), command line: C:\Windows\system32\Oipeface.exe
C:\Windows\SysWOW64\Obhjog32.exe (PID 2408, tree depth 110), command line: C:\Windows\system32\Obhjog32.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Ogdfpebo.exe (PID 2432, tree depth 111), command line: C:\Windows\system32\Ogdfpebo.exe
C:\Windows\SysWOW64\Olanhlaf.exe (PID 2448, tree depth 112), command line: C:\Windows\system32\Olanhlaf.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Opljhk32.exe (PID 2496, tree depth 113), command line: C:\Windows\system32\Opljhk32.exe
C:\Windows\SysWOW64\Olckml32.exe (PID 2516, tree depth 114), command line: C:\Windows\system32\Olckml32.exe
- Modifies registry class
C:\Windows\SysWOW64\Ooagig32.exe (PID 2540, tree depth 115), command line: C:\Windows\system32\Ooagig32.exe
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Oiglgp32.exe (PID 2556, tree depth 116), command line: C:\Windows\system32\Oiglgp32.exe
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Olehcl32.exe (PID 2588, tree depth 117), command line: C:\Windows\system32\Olehcl32.exe
- Modifies registry class
C:\Windows\SysWOW64\Oabpkbkh.exe (PID 2616, tree depth 118), command line: C:\Windows\system32\Oabpkbkh.exe
C:\Windows\SysWOW64\Pkkedh32.exe (PID 2644, tree depth 119), command line: C:\Windows\system32\Pkkedh32.exe
- Modifies registry class
C:\Windows\SysWOW64\Pepiaa32.exe (PID 2672, tree depth 120), command line: C:\Windows\system32\Pepiaa32.exe
C:\Windows\SysWOW64\Pkmaih32.exe (PID 2704, tree depth 121), command line: C:\Windows\system32\Pkmaih32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Pagjfbgc.exe (PID 2728, tree depth 122), command line: C:\Windows\system32\Pagjfbgc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory