Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
25/12/2023, 05:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0981ac6a48ad9625f0b5740ec5a84b31.exe
Resource
win7-20231215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0981ac6a48ad9625f0b5740ec5a84b31.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
0981ac6a48ad9625f0b5740ec5a84b31.exe
-
Size
220KB
-
MD5
0981ac6a48ad9625f0b5740ec5a84b31
-
SHA1
7b8e8dc05a5d59211da5633bf365842f812bdbbe
-
SHA256
b5ec22495683d41e0e0fa8b807d61a0b955768884b2322e41b1a2b60d7379db1
-
SHA512
b270bac57a31f46948cdd2527090704c25a98763c24597df67682719c618a55d176c05a59bfadf9cd4100b4033ff28f965a7e0301e6dec2f16286067992f1805
-
SSDEEP
3072:jGbtyOEiLCc065GV0mgFfGOpxek7clJidvFryKQhEc065GV0mgFfGO:jGbzLCc0AegJ9pglJYGEc0AegJ9
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibmgpoia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmadbjkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edaalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpfehq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdhpgeeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kncaojfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhlgmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbkqdepm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmpcca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbqjqehd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epmahmcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnlfjjpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dppigchi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmdgipkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nonqca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgbiggof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oonldcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpgobc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phknlfem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpidki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjpncii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfjbdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emilqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhmfgdch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeokdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njbdea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dogpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pljnkodm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blejgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mknohpqj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jodhdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccbbachm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjacjifm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hblgnkdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbimkpmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgcbhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpbkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciagojda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bknmok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blejgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehmdgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnjoco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aolihc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkidclbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pejejkhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkefcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khghgchk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmegjdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpnkopeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogliemkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqomkimg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baefnmml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcpgdhpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flhmfbim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjacjifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcldhnkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdeqfhjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgllgedi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjhabndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmhkin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 0981ac6a48ad9625f0b5740ec5a84b31.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfpeeqig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pldebkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnacpffh.exe -
Executes dropped EXE 64 IoCs
pid Process 1376 Aboaff32.exe 2388 Bfagpiam.exe 2784 Bpjkiogm.exe 2988 Baigca32.exe 2952 Bcjqdmla.exe 2576 Cadjgf32.exe 3068 Cdecha32.exe 1920 Cdjmcpnl.exe 2912 Dpegcq32.exe 2968 Dojddmec.exe 2208 Ddiibc32.exe 1396 Edlfhc32.exe 2808 Enfgfh32.exe 1524 Elldgehk.exe 2480 Elnqmd32.exe 380 Fqlicclo.exe 1516 Fcmben32.exe 2068 Fbbofjnh.exe 964 Fbdlkj32.exe 1828 Gjpqpl32.exe 968 Gqlebf32.exe 1660 Gpabcbdb.exe 1124 Giiglhjb.exe 2024 Gcokiaji.exe 1780 Gcahoqhf.exe 896 Hinqgg32.exe 3028 Halbai32.exe 1604 Hbknkl32.exe 2712 Hdoghdmd.exe 2800 Idadnd32.exe 2840 Iiecgjba.exe 2600 Ibmgpoia.exe 2740 Jodhdp32.exe 2136 Jhlmmfef.exe 2648 Jdcmbgkj.exe 2324 Jhafhe32.exe 1928 Jaijak32.exe 2904 Jgfcja32.exe 2960 Kfkpknkq.exe 1224 Kgkleabc.exe 1984 Kfpifm32.exe 1756 Kbgjkn32.exe 1588 Kfebambf.exe 1560 Kgfoie32.exe 1636 Lkdhoc32.exe 1384 Ldllgiek.exe 2468 Ldoimh32.exe 2828 Lfpeeqig.exe 2344 Ljnnko32.exe 2456 Lcfbdd32.exe 1888 Mpmcielb.exe 1552 Mmadbjkk.exe 2868 Mbpipp32.exe 1664 Mgmahg32.exe 804 Meabakda.exe 2856 Mjnjjbbh.exe 876 Nmnclmoj.exe 852 Njbdea32.exe 1100 Nfidjbdg.exe 1600 Nmcmgm32.exe 2980 Nbpeoc32.exe 1908 Nlhjhi32.exe 2088 Nbbbdcgi.exe 2964 Olkfmi32.exe -
Loads dropped DLL 64 IoCs
pid Process 1976 0981ac6a48ad9625f0b5740ec5a84b31.exe 1976 0981ac6a48ad9625f0b5740ec5a84b31.exe 1376 Aboaff32.exe 1376 Aboaff32.exe 2388 Bfagpiam.exe 2388 Bfagpiam.exe 2784 Bpjkiogm.exe 2784 Bpjkiogm.exe 2988 Baigca32.exe 2988 Baigca32.exe 2952 Bcjqdmla.exe 2952 Bcjqdmla.exe 2576 Cadjgf32.exe 2576 Cadjgf32.exe 3068 Cdecha32.exe 3068 Cdecha32.exe 1920 Cdjmcpnl.exe 1920 Cdjmcpnl.exe 2912 Dpegcq32.exe 2912 Dpegcq32.exe 2968 Dojddmec.exe 2968 Dojddmec.exe 2208 Ddiibc32.exe 2208 Ddiibc32.exe 1396 Edlfhc32.exe 1396 Edlfhc32.exe 2808 Enfgfh32.exe 2808 Enfgfh32.exe 1524 Elldgehk.exe 1524 Elldgehk.exe 2480 Elnqmd32.exe 2480 Elnqmd32.exe 380 Fqlicclo.exe 380 Fqlicclo.exe 1516 Fcmben32.exe 1516 Fcmben32.exe 2068 Fbbofjnh.exe 2068 Fbbofjnh.exe 964 Fbdlkj32.exe 964 Fbdlkj32.exe 1828 Gjpqpl32.exe 1828 Gjpqpl32.exe 968 Gqlebf32.exe 968 Gqlebf32.exe 1660 Gpabcbdb.exe 1660 Gpabcbdb.exe 1124 Giiglhjb.exe 1124 Giiglhjb.exe 2024 Gcokiaji.exe 2024 Gcokiaji.exe 1780 Gcahoqhf.exe 1780 Gcahoqhf.exe 896 Hinqgg32.exe 896 Hinqgg32.exe 3028 Halbai32.exe 3028 Halbai32.exe 1604 Hbknkl32.exe 1604 Hbknkl32.exe 2712 Hdoghdmd.exe 2712 Hdoghdmd.exe 2800 Idadnd32.exe 2800 Idadnd32.exe 2840 Iiecgjba.exe 2840 Iiecgjba.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ldllgiek.exe Lkdhoc32.exe File created C:\Windows\SysWOW64\Onkhggej.dll Baoopndk.exe File created C:\Windows\SysWOW64\Dahapj32.dll Pdeqfhjd.exe File created C:\Windows\SysWOW64\Opfjnm32.dll Cgjjdijo.exe File created C:\Windows\SysWOW64\Hopgikop.exe Gdjblboj.exe File opened for modification C:\Windows\SysWOW64\Dogpdg32.exe Doecog32.exe File created C:\Windows\SysWOW64\Cddoqj32.dll Mjkgjl32.exe File created C:\Windows\SysWOW64\Gcdmikma.exe Gpfpmonn.exe File opened for modification C:\Windows\SysWOW64\Dfkhndca.exe Dnpciaef.exe File created C:\Windows\SysWOW64\Ogliemkk.exe Nqbaic32.exe File opened for modification C:\Windows\SysWOW64\Kobhillo.exe Kopldl32.exe File created C:\Windows\SysWOW64\Hcelfiph.dll Mfjann32.exe File created C:\Windows\SysWOW64\Ckmcef32.dll Pnbojmmp.exe File created C:\Windows\SysWOW64\Fmdpgmhn.dll Mbqkiind.exe File created C:\Windows\SysWOW64\Jjfkgcdc.dll Djcbib32.exe File created C:\Windows\SysWOW64\Mneaacno.exe Mejmmqpd.exe File created C:\Windows\SysWOW64\Plkchdiq.exe Pddlggin.exe File created C:\Windows\SysWOW64\Maljaabb.dll Amcbankf.exe File created C:\Windows\SysWOW64\Knqcbd32.dll Mqbbagjo.exe File created C:\Windows\SysWOW64\Dmmmfc32.exe Dhpemm32.exe File created C:\Windows\SysWOW64\Okbkmi32.dll Eigbfb32.exe File opened for modification C:\Windows\SysWOW64\Lhmjha32.exe Koeeoljm.exe File created C:\Windows\SysWOW64\Ddfjak32.exe Dgbiggof.exe File created C:\Windows\SysWOW64\Imlmlm32.dll Nbpeoc32.exe File created C:\Windows\SysWOW64\Qknbpmpk.dll Cbiiog32.exe File created C:\Windows\SysWOW64\Nfdgghho.dll Pepcelel.exe File created C:\Windows\SysWOW64\Bknjfb32.exe Baefnmml.exe File created C:\Windows\SysWOW64\Piaebfcm.dll Nfcoel32.exe File created C:\Windows\SysWOW64\Pfapejnp.dll Plolgk32.exe File created C:\Windows\SysWOW64\Jclcfm32.dll Gblkoham.exe File created C:\Windows\SysWOW64\Feggob32.exe Eipgjaoi.exe File created C:\Windows\SysWOW64\Odecai32.dll Ifbphh32.exe File created C:\Windows\SysWOW64\Bcpgdhpp.exe Amcbankf.exe File created C:\Windows\SysWOW64\Khpjqgjc.dll Alihaioe.exe File created C:\Windows\SysWOW64\Dclbgadl.dll Nhookh32.exe File opened for modification C:\Windows\SysWOW64\Dnjoco32.exe Dcdkef32.exe File created C:\Windows\SysWOW64\Gknfqppk.dll Peeoidik.exe File created C:\Windows\SysWOW64\Ibmgpoia.exe Iiecgjba.exe File opened for modification C:\Windows\SysWOW64\Difnaqih.exe Clbnhmjo.exe File opened for modification C:\Windows\SysWOW64\Ggmldj32.exe Gpccgppq.exe File created C:\Windows\SysWOW64\Nibqqh32.exe Nbhhdnlh.exe File opened for modification C:\Windows\SysWOW64\Mimpkcdn.exe Modlbmmn.exe File opened for modification C:\Windows\SysWOW64\Kkjpggkn.exe Kenhopmf.exe File created C:\Windows\SysWOW64\Ohodnlfk.dll Kopldl32.exe File opened for modification C:\Windows\SysWOW64\Ckilmfke.exe Cldolj32.exe File created C:\Windows\SysWOW64\Npjlhcmd.exe Mpgobc32.exe File created C:\Windows\SysWOW64\Jmdgipkk.exe Ieibdnnp.exe File created C:\Windows\SysWOW64\Kbpbmkan.exe Iionacad.exe File created C:\Windows\SysWOW64\Mjcjog32.exe Mjqmig32.exe File created C:\Windows\SysWOW64\Lelmei32.exe Lldhldpg.exe File created C:\Windows\SysWOW64\Kgckfd32.dll Bpjkiogm.exe File opened for modification C:\Windows\SysWOW64\Halbai32.exe Hinqgg32.exe File created C:\Windows\SysWOW64\Icqieocn.dll Jmcpqfba.exe File opened for modification C:\Windows\SysWOW64\Emifeqid.exe Edaalk32.exe File created C:\Windows\SysWOW64\Iglhhc32.dll Kmqmod32.exe File created C:\Windows\SysWOW64\Jjpdmi32.exe Jeclebja.exe File opened for modification C:\Windows\SysWOW64\Fgocmc32.exe Fijbco32.exe File opened for modification C:\Windows\SysWOW64\Jedcpi32.exe Jpgjgboe.exe File opened for modification C:\Windows\SysWOW64\Elacliin.exe Domccejd.exe File opened for modification C:\Windows\SysWOW64\Oiffkkbk.exe Ooabmbbe.exe File created C:\Windows\SysWOW64\Bocndipc.dll Bjomoo32.exe File created C:\Windows\SysWOW64\Laenqg32.exe Lhmjha32.exe File created C:\Windows\SysWOW64\Lqicio32.dll Colegflh.exe File created C:\Windows\SysWOW64\Kgkleabc.exe Kfkpknkq.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4312 4996 WerFault.exe 701 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmdepg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iipejmko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbimkpmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcobdgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll" Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlekjpbi.dll" Kenhopmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfidjbdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npjlhcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odecai32.dll" Ifbphh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kajiigba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhilkege.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olkfmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfepod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcdkef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkcilc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gelpjgll.dll" Aeiecfga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aihjpman.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecfnmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhdegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanhpabf.dll" Dlcfnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhlogo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbdiia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgpdglhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klocba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpohakbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmfpeb32.dll" Fkecij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gifclb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjkgjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppiidm32.dll" Bcpimq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfioia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hljaigmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pldebkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Angldo32.dll" Flapkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dekdikhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplpdepa.dll" Jipaip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojlkonpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmnclmoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohlogok.dll" Hgpjhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll" Cfmhdpnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bknjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goejop32.dll" Ldllgiek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gglbfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfnekb32.dll" Ojnhdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgglgc32.dll" Kfkpknkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oagoep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iahceq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimbclh.dll" Nbeedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oecmogln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogliemkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnjfjc32.dll" Mejmmqpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgkleabc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmadbjkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmhglq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gncldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll" Boljgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njboon32.dll" Icncgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jilmkffb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeokdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqgggnne.dll" Pehcij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcgiiek.dll" Qhilkege.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohopde32.dll" Hfiofefm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aolihc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dclbgadl.dll" Nhookh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nibmdpam.dll" Cdbqflae.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1976 wrote to memory of 1376 1976 0981ac6a48ad9625f0b5740ec5a84b31.exe 28 PID 1976 wrote to memory of 1376 1976 0981ac6a48ad9625f0b5740ec5a84b31.exe 28 PID 1976 wrote to memory of 1376 1976 0981ac6a48ad9625f0b5740ec5a84b31.exe 28 PID 1976 wrote to memory of 1376 1976 0981ac6a48ad9625f0b5740ec5a84b31.exe 28 PID 1376 wrote to memory of 2388 1376 Aboaff32.exe 29 PID 1376 wrote to memory of 2388 1376 Aboaff32.exe 29 PID 1376 wrote to memory of 2388 1376 Aboaff32.exe 29 PID 1376 wrote to memory of 2388 1376 Aboaff32.exe 29 PID 2388 wrote to memory of 2784 2388 Bfagpiam.exe 30 PID 2388 wrote to memory of 2784 2388 Bfagpiam.exe 30 PID 2388 wrote to memory of 2784 2388 Bfagpiam.exe 30 PID 2388 wrote to memory of 2784 2388 Bfagpiam.exe 30 PID 2784 wrote to memory of 2988 2784 Bpjkiogm.exe 31 PID 2784 wrote to memory of 2988 2784 Bpjkiogm.exe 31 PID 2784 wrote to memory of 2988 2784 Bpjkiogm.exe 31 PID 2784 wrote to memory of 2988 2784 Bpjkiogm.exe 31 PID 2988 wrote to memory of 2952 2988 Baigca32.exe 32 PID 2988 wrote to memory of 2952 2988 Baigca32.exe 32 PID 2988 wrote to memory of 2952 2988 Baigca32.exe 32 PID 2988 wrote to memory of 2952 2988 Baigca32.exe 32 PID 2952 wrote to memory of 2576 2952 Bcjqdmla.exe 33 PID 2952 wrote to memory of 2576 2952 Bcjqdmla.exe 33 PID 2952 wrote to memory of 2576 2952 Bcjqdmla.exe 33 PID 2952 wrote to memory of 2576 2952 Bcjqdmla.exe 33 PID 2576 wrote to memory of 3068 2576 Cadjgf32.exe 34 PID 2576 wrote to memory of 3068 2576 Cadjgf32.exe 34 PID 2576 wrote to memory of 3068 2576 Cadjgf32.exe 34 PID 2576 wrote to memory of 3068 2576 Cadjgf32.exe 34 PID 3068 wrote to memory of 1920 3068 Cdecha32.exe 35 PID 3068 wrote to memory of 1920 3068 Cdecha32.exe 35 PID 3068 wrote to memory of 1920 3068 Cdecha32.exe 35 PID 3068 wrote to memory of 1920 3068 Cdecha32.exe 35 PID 1920 wrote to memory of 2912 1920 Cdjmcpnl.exe 36 PID 1920 wrote to memory of 2912 1920 Cdjmcpnl.exe 36 PID 1920 wrote to memory of 2912 1920 Cdjmcpnl.exe 36 PID 1920 wrote to memory of 2912 1920 Cdjmcpnl.exe 36 PID 2912 wrote to memory of 2968 2912 Dpegcq32.exe 37 PID 2912 wrote to memory of 2968 2912 Dpegcq32.exe 37 PID 2912 wrote to memory of 2968 2912 Dpegcq32.exe 37 PID 2912 wrote to memory of 2968 2912 Dpegcq32.exe 37 PID 2968 wrote to memory of 2208 2968 Dojddmec.exe 38 PID 2968 wrote to memory of 2208 2968 Dojddmec.exe 38 PID 2968 wrote to memory of 2208 2968 Dojddmec.exe 38 PID 2968 wrote to memory of 2208 2968 Dojddmec.exe 38 PID 2208 wrote to memory of 1396 2208 Ddiibc32.exe 39 PID 2208 wrote to memory of 1396 2208 Ddiibc32.exe 39 PID 2208 wrote to memory of 1396 2208 Ddiibc32.exe 39 PID 2208 wrote to memory of 1396 2208 Ddiibc32.exe 39 PID 1396 wrote to memory of 2808 1396 Edlfhc32.exe 40 PID 1396 wrote to memory of 2808 1396 Edlfhc32.exe 40 PID 1396 wrote to memory of 2808 1396 Edlfhc32.exe 40 PID 1396 wrote to memory of 2808 1396 Edlfhc32.exe 40 PID 2808 wrote to memory of 1524 2808 Enfgfh32.exe 41 PID 2808 wrote to memory of 1524 2808 Enfgfh32.exe 41 PID 2808 wrote to memory of 1524 2808 Enfgfh32.exe 41 PID 2808 wrote to memory of 1524 2808 Enfgfh32.exe 41 PID 1524 wrote to memory of 2480 1524 Elldgehk.exe 42 PID 1524 wrote to memory of 2480 1524 Elldgehk.exe 42 PID 1524 wrote to memory of 2480 1524 Elldgehk.exe 42 PID 1524 wrote to memory of 2480 1524 Elldgehk.exe 42 PID 2480 wrote to memory of 380 2480 Elnqmd32.exe 43 PID 2480 wrote to memory of 380 2480 Elnqmd32.exe 43 PID 2480 wrote to memory of 380 2480 Elnqmd32.exe 43 PID 2480 wrote to memory of 380 2480 Elnqmd32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\0981ac6a48ad9625f0b5740ec5a84b31.exe"C:\Users\Admin\AppData\Local\Temp\0981ac6a48ad9625f0b5740ec5a84b31.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Baigca32.exeC:\Windows\system32\Baigca32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Cdjmcpnl.exeC:\Windows\system32\Cdjmcpnl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Dojddmec.exeC:\Windows\system32\Dojddmec.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Ddiibc32.exeC:\Windows\system32\Ddiibc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Enfgfh32.exeC:\Windows\system32\Enfgfh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Elnqmd32.exeC:\Windows\system32\Elnqmd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Fqlicclo.exeC:\Windows\system32\Fqlicclo.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:380 -
C:\Windows\SysWOW64\Fcmben32.exeC:\Windows\system32\Fcmben32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1828 -
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:968 -
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1124 -
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2024 -
C:\Windows\SysWOW64\Gcahoqhf.exeC:\Windows\system32\Gcahoqhf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe35⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe36⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe37⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe38⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe39⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1224 -
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe42⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe43⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Kfebambf.exeC:\Windows\system32\Kfebambf.exe44⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe45⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Ldllgiek.exeC:\Windows\system32\Ldllgiek.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1384 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe48⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe50⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe51⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe52⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Mbpipp32.exeC:\Windows\system32\Mbpipp32.exe54⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe55⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Meabakda.exeC:\Windows\system32\Meabakda.exe56⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe57⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Nmnclmoj.exeC:\Windows\system32\Nmnclmoj.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Nmcmgm32.exeC:\Windows\system32\Nmcmgm32.exe61⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe63⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe64⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe66⤵
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe67⤵PID:2572
-
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe68⤵PID:2584
-
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe70⤵PID:572
-
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe71⤵PID:2888
-
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe72⤵PID:2956
-
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe73⤵PID:1312
-
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe74⤵PID:2180
-
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe75⤵PID:1684
-
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe76⤵
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe77⤵PID:1528
-
C:\Windows\SysWOW64\Plaimk32.exeC:\Windows\system32\Plaimk32.exe78⤵PID:2356
-
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe79⤵PID:2436
-
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe81⤵PID:2336
-
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe82⤵PID:1548
-
C:\Windows\SysWOW64\Qdaglmcb.exeC:\Windows\system32\Qdaglmcb.exe83⤵PID:1800
-
C:\Windows\SysWOW64\Aknlofim.exeC:\Windows\system32\Aknlofim.exe84⤵PID:1916
-
C:\Windows\SysWOW64\Aqjdgmgd.exeC:\Windows\system32\Aqjdgmgd.exe85⤵PID:2404
-
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe86⤵PID:2028
-
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe87⤵PID:2280
-
C:\Windows\SysWOW64\Afjjed32.exeC:\Windows\system32\Afjjed32.exe88⤵PID:1612
-
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe89⤵
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2816 -
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe91⤵PID:1792
-
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe92⤵
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe93⤵
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe94⤵
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Difnaqih.exeC:\Windows\system32\Difnaqih.exe95⤵PID:2624
-
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe96⤵PID:1648
-
C:\Windows\SysWOW64\Demofaol.exeC:\Windows\system32\Demofaol.exe97⤵PID:2748
-
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe98⤵
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1708 -
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe100⤵
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Dmmmfc32.exeC:\Windows\system32\Dmmmfc32.exe101⤵PID:2492
-
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe102⤵PID:3000
-
C:\Windows\SysWOW64\Eejopecj.exeC:\Windows\system32\Eejopecj.exe103⤵PID:788
-
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe104⤵PID:2428
-
C:\Windows\SysWOW64\Elfcbo32.exeC:\Windows\system32\Elfcbo32.exe105⤵PID:2364
-
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1652 -
C:\Windows\SysWOW64\Eogmcjef.exeC:\Windows\system32\Eogmcjef.exe107⤵PID:2396
-
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe108⤵PID:1388
-
C:\Windows\SysWOW64\Enlidg32.exeC:\Windows\system32\Enlidg32.exe109⤵PID:1244
-
C:\Windows\SysWOW64\Eecafd32.exeC:\Windows\system32\Eecafd32.exe110⤵PID:1944
-
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe111⤵PID:3056
-
C:\Windows\SysWOW64\Fggkcl32.exeC:\Windows\system32\Fggkcl32.exe112⤵PID:2860
-
C:\Windows\SysWOW64\Fnacpffh.exeC:\Windows\system32\Fnacpffh.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2776 -
C:\Windows\SysWOW64\Fdkklp32.exeC:\Windows\system32\Fdkklp32.exe114⤵PID:2704
-
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe115⤵
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe116⤵PID:2124
-
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1508 -
C:\Windows\SysWOW64\Fcbecl32.exeC:\Windows\system32\Fcbecl32.exe118⤵PID:2932
-
C:\Windows\SysWOW64\Fhomkcoa.exeC:\Windows\system32\Fhomkcoa.exe119⤵PID:1996
-
C:\Windows\SysWOW64\Gceailog.exeC:\Windows\system32\Gceailog.exe120⤵PID:2512
-
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe121⤵PID:1512
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-