Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
22/04/2024, 23:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
78031fe944b1274c80ffc667359033bc388d261e65f466ee87c0d51f6989b9a7.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
78031fe944b1274c80ffc667359033bc388d261e65f466ee87c0d51f6989b9a7.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
78031fe944b1274c80ffc667359033bc388d261e65f466ee87c0d51f6989b9a7.exe
-
Size
128KB
-
MD5
eff58c0b02eafc282f4bf6c1c7680b30
-
SHA1
db51deecee65a51dc0cf509b0c12037eeaadc51c
-
SHA256
78031fe944b1274c80ffc667359033bc388d261e65f466ee87c0d51f6989b9a7
-
SHA512
29b49e31d54d321cd63210c322de9e0818801cfc4aa6ac4f80ee60d61fefcb689c5990b283794eff0c6309025cc3cd7e8a6344077bd2e1dc0eba8845fccb3de9
-
SSDEEP
1536:F29ciWG16SiGGgQklUzmQjILQ9FKGXllUDtM60TD4ruhiZlrQIFiglF9xZ95Q:Y9ciWG167gQcMFKG7UDd0pCrQIFdFtLQ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplkpgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmpkjkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbgnak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhfcpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqonkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmjjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leljop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epdkli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmlnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpcmpijk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chcqpmep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgmglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgmgmfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kifpdelo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cljcelan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cciemedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdpjlajk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blbfjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhneehek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdehon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhmbagfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfgdhjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eplkpgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gffoldhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhigphio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ganpomec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcojjmea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbkameaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaloddnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eloemi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkclhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obafnlpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dojald32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhckpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pelipl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amcpie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpfaocal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imfqjbli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkgmgmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmaled32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obcccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncmfqkdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knpemf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beehencq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dknekeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfdjhndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emkaol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkolkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnpmipql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejobhppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojolhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfikmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afiglkle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beehencq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjbmjplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meagci32.exe -
Executes dropped EXE 64 IoCs
pid Process 2976 Pfbccp32.exe 2552 Paggai32.exe 2736 Ppjglfon.exe 2172 Pcfcmd32.exe 2468 Pbiciana.exe 2448 Pjpkjond.exe 2496 Plahag32.exe 2672 Pbkpna32.exe 3040 Pfflopdh.exe 1964 Piehkkcl.exe 1568 Ppoqge32.exe 1644 Pnbacbac.exe 1256 Pbmmcq32.exe 2296 Pelipl32.exe 1736 Phjelg32.exe 2832 Ppamme32.exe 808 Pndniaop.exe 1504 Pbpjiphi.exe 856 Pabjem32.exe 1928 Pijbfj32.exe 2312 Qhmbagfa.exe 1688 Qlhnbf32.exe 1068 Qnfjna32.exe 112 Qaefjm32.exe 2228 Qeqbkkej.exe 2936 Qdccfh32.exe 2096 Qmlgonbe.exe 2548 Qagcpljo.exe 1984 Qecoqk32.exe 2616 Ahakmf32.exe 2908 Afdlhchf.exe 2920 Ankdiqih.exe 2800 Amndem32.exe 276 Aplpai32.exe 2776 Adhlaggp.exe 320 Affhncfc.exe 2512 Affhncfc.exe 2388 Ajbdna32.exe 2284 Ampqjm32.exe 2304 Apomfh32.exe 2620 Abmibdlh.exe 1100 Ajdadamj.exe 1160 Ambmpmln.exe 2012 Alenki32.exe 1968 Admemg32.exe 1416 Abpfhcje.exe 928 Afkbib32.exe 2180 Aenbdoii.exe 1728 Aiinen32.exe 1524 Abbbnchb.exe 2788 Afmonbqk.exe 2480 Aepojo32.exe 2608 Ahokfj32.exe 2720 Aljgfioc.exe 2352 Boiccdnf.exe 1840 Bbdocc32.exe 2324 Bagpopmj.exe 644 Bingpmnl.exe 2660 Bhahlj32.exe 1648 Bkodhe32.exe 2328 Bbflib32.exe 576 Beehencq.exe 2948 Bhcdaibd.exe 1612 Bloqah32.exe -
Loads dropped DLL 64 IoCs
pid Process 2868 78031fe944b1274c80ffc667359033bc388d261e65f466ee87c0d51f6989b9a7.exe 2868 78031fe944b1274c80ffc667359033bc388d261e65f466ee87c0d51f6989b9a7.exe 2976 Pfbccp32.exe 2976 Pfbccp32.exe 2552 Paggai32.exe 2552 Paggai32.exe 2736 Ppjglfon.exe 2736 Ppjglfon.exe 2172 Pcfcmd32.exe 2172 Pcfcmd32.exe 2468 Pbiciana.exe 2468 Pbiciana.exe 2448 Pjpkjond.exe 2448 Pjpkjond.exe 2496 Plahag32.exe 2496 Plahag32.exe 2672 Pbkpna32.exe 2672 Pbkpna32.exe 3040 Pfflopdh.exe 3040 Pfflopdh.exe 1964 Piehkkcl.exe 1964 Piehkkcl.exe 1568 Ppoqge32.exe 1568 Ppoqge32.exe 1644 Pnbacbac.exe 1644 Pnbacbac.exe 1256 Pbmmcq32.exe 1256 Pbmmcq32.exe 2296 Pelipl32.exe 2296 Pelipl32.exe 1736 Phjelg32.exe 1736 Phjelg32.exe 2832 Ppamme32.exe 2832 Ppamme32.exe 808 Pndniaop.exe 808 Pndniaop.exe 1504 Pbpjiphi.exe 1504 Pbpjiphi.exe 856 Pabjem32.exe 856 Pabjem32.exe 1928 Pijbfj32.exe 1928 Pijbfj32.exe 2312 Qhmbagfa.exe 2312 Qhmbagfa.exe 1688 Qlhnbf32.exe 1688 Qlhnbf32.exe 1068 Qnfjna32.exe 1068 Qnfjna32.exe 112 Qaefjm32.exe 112 Qaefjm32.exe 2228 Qeqbkkej.exe 2228 Qeqbkkej.exe 2936 Qdccfh32.exe 2936 Qdccfh32.exe 2096 Qmlgonbe.exe 2096 Qmlgonbe.exe 2548 Qagcpljo.exe 2548 Qagcpljo.exe 1984 Qecoqk32.exe 1984 Qecoqk32.exe 2616 Ahakmf32.exe 2616 Ahakmf32.exe 2908 Afdlhchf.exe 2908 Afdlhchf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Effcma32.exe Ebjglbml.exe File created C:\Windows\SysWOW64\Gcopbn32.dll Lapnnafn.exe File created C:\Windows\SysWOW64\Agdjkogm.exe Achojp32.exe File created C:\Windows\SysWOW64\Emieil32.exe Enfenplo.exe File created C:\Windows\SysWOW64\Ooghhh32.dll Ghkllmoi.exe File created C:\Windows\SysWOW64\Ocindg32.dll Ngpolo32.exe File created C:\Windows\SysWOW64\Bejdiffp.exe Baohhgnf.exe File created C:\Windows\SysWOW64\Bpjiammk.dll Afkbib32.exe File created C:\Windows\SysWOW64\Fhkpmjln.exe Fmekoalh.exe File created C:\Windows\SysWOW64\Iebpge32.dll Gaqcoc32.exe File created C:\Windows\SysWOW64\Hpocfncj.exe Hlcgeo32.exe File opened for modification C:\Windows\SysWOW64\Hpocfncj.exe Hlcgeo32.exe File opened for modification C:\Windows\SysWOW64\Joplbl32.exe Jkdpanhg.exe File opened for modification C:\Windows\SysWOW64\Qedhdjnh.exe Qfahhm32.exe File created C:\Windows\SysWOW64\Bghjhp32.exe Bpnbkeld.exe File created C:\Windows\SysWOW64\Alihbgdo.dll Bkfjhd32.exe File opened for modification C:\Windows\SysWOW64\Maedhd32.exe Mmihhelk.exe File opened for modification C:\Windows\SysWOW64\Boiccdnf.exe Aljgfioc.exe File opened for modification C:\Windows\SysWOW64\Kmjfdejp.exe Kjljhjkl.exe File created C:\Windows\SysWOW64\Lapnnafn.exe Lmebnb32.exe File opened for modification C:\Windows\SysWOW64\Legmbd32.exe Lfdmggnm.exe File created C:\Windows\SysWOW64\Pienahqb.dll Aenbdoii.exe File created C:\Windows\SysWOW64\Bnpmipql.exe Bommnc32.exe File opened for modification C:\Windows\SysWOW64\Kmopod32.exe Kiccofna.exe File opened for modification C:\Windows\SysWOW64\Bhigphio.exe Bghjhp32.exe File opened for modification C:\Windows\SysWOW64\Cppkph32.exe Cldooj32.exe File created C:\Windows\SysWOW64\Lmkgjhfn.dll Pnbacbac.exe File created C:\Windows\SysWOW64\Moiklogi.exe Mlkopcge.exe File created C:\Windows\SysWOW64\Emjjdbdn.dll Njlockkm.exe File created C:\Windows\SysWOW64\Alhmjbhj.exe Amelne32.exe File created C:\Windows\SysWOW64\Cifmcd32.dll Becnhgmg.exe File opened for modification C:\Windows\SysWOW64\Dcfdgiid.exe Ddcdkl32.exe File opened for modification C:\Windows\SysWOW64\Almjnp32.dll Mbkmlh32.exe File opened for modification C:\Windows\SysWOW64\Ddeaalpg.exe Dqjepm32.exe File opened for modification C:\Windows\SysWOW64\Ojcecjee.exe Ofhick32.exe File created C:\Windows\SysWOW64\Igdaoinc.dll Adnopfoj.exe File created C:\Windows\SysWOW64\Bdacap32.dll Eojnkg32.exe File created C:\Windows\SysWOW64\Biafnecn.exe Bajomhbl.exe File created C:\Windows\SysWOW64\Jgidao32.exe Jifdebic.exe File created C:\Windows\SysWOW64\Qaefjm32.exe Qnfjna32.exe File created C:\Windows\SysWOW64\Pdamlbjc.dll Qmlgonbe.exe File created C:\Windows\SysWOW64\Bpgljfbl.exe Aadloj32.exe File created C:\Windows\SysWOW64\Jpfdhnai.dll Jgagfi32.exe File created C:\Windows\SysWOW64\Ocdmaj32.exe Oohqqlei.exe File created C:\Windows\SysWOW64\Qiladcdh.exe Qeaedd32.exe File opened for modification C:\Windows\SysWOW64\Behgcf32.exe Bbikgk32.exe File opened for modification C:\Windows\SysWOW64\Piehkkcl.exe Pfflopdh.exe File opened for modification C:\Windows\SysWOW64\Kkijmm32.exe Kcbakpdo.exe File created C:\Windows\SysWOW64\Dqlcpbbm.dll Lldlqakb.exe File opened for modification C:\Windows\SysWOW64\Nhdlkdkg.exe Nialog32.exe File opened for modification C:\Windows\SysWOW64\Aaobdjof.exe Abmbhn32.exe File created C:\Windows\SysWOW64\Kicmdo32.exe Kegqdqbl.exe File created C:\Windows\SysWOW64\Ioijbj32.exe Iknnbklc.exe File created C:\Windows\SysWOW64\Hhehek32.exe Hdildlie.exe File created C:\Windows\SysWOW64\Gamgjj32.dll Heihnoph.exe File opened for modification C:\Windows\SysWOW64\Iefhhbef.exe Ichllgfb.exe File opened for modification C:\Windows\SysWOW64\Okanklik.exe Oeeecekc.exe File created C:\Windows\SysWOW64\Bpodeegi.dll Pmlmic32.exe File created C:\Windows\SysWOW64\Gbkgnfbd.exe Gopkmhjk.exe File opened for modification C:\Windows\SysWOW64\Najdnj32.exe Nolhan32.exe File opened for modification C:\Windows\SysWOW64\Oohqqlei.exe Nljddpfe.exe File created C:\Windows\SysWOW64\Pndniaop.exe Ppamme32.exe File created C:\Windows\SysWOW64\Lefdpe32.exe Lajhofao.exe File created C:\Windows\SysWOW64\Endhhp32.exe Ejhlgaeh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8572 8356 WerFault.exe 956 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqpgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcojjmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknmbn32.dll" Admemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgdqfpma.dll" Cllpkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cldooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpbbidem.dll" Ndkmpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmnek32.dll" Ajpjakhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddokpmfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nehmdhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfmjjgm.dll" Abjebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfknbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdcpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmoipopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kemedbfd.dll" Mgljbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfoocjfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdikkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efcfga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abjebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aadloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjomppp.dll" Djklnnaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgllco32.dll" Enhacojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeqjnho.dll" Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll" Blaopqpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gffoldhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljiflem.dll" Kjfjbdle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amelne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqmicng.dll" Najdnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpgljfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aijpnfif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hckcmjep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikddbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpebiecm.dll" Ichllgfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbkameaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oohqqlei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddflckmp.dll" Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efkdgmla.dll" Aamfnkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gamgjj32.dll" Heihnoph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Figlolbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpinomjo.dll" Fglipi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keednado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkolkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qngmgjeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" Ghkllmoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgeefbhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emkaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbonaf32.dll" Cbgjqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maoajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojolhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hloopaak.dll" Kiqpop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 78031fe944b1274c80ffc667359033bc388d261e65f466ee87c0d51f6989b9a7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmbeioh.dll" Pjpkjond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcbellac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecejkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glgaok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndhipoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Affhncfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boiccdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlmd32.dll" Abphal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlfca32.dll" Kbidgeci.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2868 wrote to memory of 2976 2868 78031fe944b1274c80ffc667359033bc388d261e65f466ee87c0d51f6989b9a7.exe 28 PID 2868 wrote to memory of 2976 2868 78031fe944b1274c80ffc667359033bc388d261e65f466ee87c0d51f6989b9a7.exe 28 PID 2868 wrote to memory of 2976 2868 78031fe944b1274c80ffc667359033bc388d261e65f466ee87c0d51f6989b9a7.exe 28 PID 2868 wrote to memory of 2976 2868 78031fe944b1274c80ffc667359033bc388d261e65f466ee87c0d51f6989b9a7.exe 28 PID 2976 wrote to memory of 2552 2976 Pfbccp32.exe 29 PID 2976 wrote to memory of 2552 2976 Pfbccp32.exe 29 PID 2976 wrote to memory of 2552 2976 Pfbccp32.exe 29 PID 2976 wrote to memory of 2552 2976 Pfbccp32.exe 29 PID 2552 wrote to memory of 2736 2552 Paggai32.exe 30 PID 2552 wrote to memory of 2736 2552 Paggai32.exe 30 PID 2552 wrote to memory of 2736 2552 Paggai32.exe 30 PID 2552 wrote to memory of 2736 2552 Paggai32.exe 30 PID 2736 wrote to memory of 2172 2736 Ppjglfon.exe 31 PID 2736 wrote to memory of 2172 2736 Ppjglfon.exe 31 PID 2736 wrote to memory of 2172 2736 Ppjglfon.exe 31 PID 2736 wrote to memory of 2172 2736 Ppjglfon.exe 31 PID 2172 wrote to memory of 2468 2172 Pcfcmd32.exe 32 PID 2172 wrote to memory of 2468 2172 Pcfcmd32.exe 32 PID 2172 wrote to memory of 2468 2172 Pcfcmd32.exe 32 PID 2172 wrote to memory of 2468 2172 Pcfcmd32.exe 32 PID 2468 wrote to memory of 2448 2468 Pbiciana.exe 33 PID 2468 wrote to memory of 2448 2468 Pbiciana.exe 33 PID 2468 wrote to memory of 2448 2468 Pbiciana.exe 33 PID 2468 wrote to memory of 2448 2468 Pbiciana.exe 33 PID 2448 wrote to memory of 2496 2448 Pjpkjond.exe 34 PID 2448 wrote to memory of 2496 2448 Pjpkjond.exe 34 PID 2448 wrote to memory of 2496 2448 Pjpkjond.exe 34 PID 2448 wrote to memory of 2496 2448 Pjpkjond.exe 34 PID 2496 wrote to memory of 2672 2496 Plahag32.exe 35 PID 2496 wrote to memory of 2672 2496 Plahag32.exe 35 PID 2496 wrote to memory of 2672 2496 Plahag32.exe 35 PID 2496 wrote to memory of 2672 2496 Plahag32.exe 35 PID 2672 wrote to memory of 3040 2672 Pbkpna32.exe 36 PID 2672 wrote to memory of 3040 2672 Pbkpna32.exe 36 PID 2672 wrote to memory of 3040 2672 Pbkpna32.exe 36 PID 2672 wrote to memory of 3040 2672 Pbkpna32.exe 36 PID 3040 wrote to memory of 1964 3040 Pfflopdh.exe 37 PID 3040 wrote to memory of 1964 3040 Pfflopdh.exe 37 PID 3040 wrote to memory of 1964 3040 Pfflopdh.exe 37 PID 3040 wrote to memory of 1964 3040 Pfflopdh.exe 37 PID 1964 wrote to memory of 1568 1964 Piehkkcl.exe 38 PID 1964 wrote to memory of 1568 1964 Piehkkcl.exe 38 PID 1964 wrote to memory of 1568 1964 Piehkkcl.exe 38 PID 1964 wrote to memory of 1568 1964 Piehkkcl.exe 38 PID 1568 wrote to memory of 1644 1568 Ppoqge32.exe 39 PID 1568 wrote to memory of 1644 1568 Ppoqge32.exe 39 PID 1568 wrote to memory of 1644 1568 Ppoqge32.exe 39 PID 1568 wrote to memory of 1644 1568 Ppoqge32.exe 39 PID 1644 wrote to memory of 1256 1644 Pnbacbac.exe 40 PID 1644 wrote to memory of 1256 1644 Pnbacbac.exe 40 PID 1644 wrote to memory of 1256 1644 Pnbacbac.exe 40 PID 1644 wrote to memory of 1256 1644 Pnbacbac.exe 40 PID 1256 wrote to memory of 2296 1256 Pbmmcq32.exe 41 PID 1256 wrote to memory of 2296 1256 Pbmmcq32.exe 41 PID 1256 wrote to memory of 2296 1256 Pbmmcq32.exe 41 PID 1256 wrote to memory of 2296 1256 Pbmmcq32.exe 41 PID 2296 wrote to memory of 1736 2296 Pelipl32.exe 42 PID 2296 wrote to memory of 1736 2296 Pelipl32.exe 42 PID 2296 wrote to memory of 1736 2296 Pelipl32.exe 42 PID 2296 wrote to memory of 1736 2296 Pelipl32.exe 42 PID 1736 wrote to memory of 2832 1736 Phjelg32.exe 43 PID 1736 wrote to memory of 2832 1736 Phjelg32.exe 43 PID 1736 wrote to memory of 2832 1736 Phjelg32.exe 43 PID 1736 wrote to memory of 2832 1736 Phjelg32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\78031fe944b1274c80ffc667359033bc388d261e65f466ee87c0d51f6989b9a7.exe"C:\Users\Admin\AppData\Local\Temp\78031fe944b1274c80ffc667359033bc388d261e65f466ee87c0d51f6989b9a7.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:808 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:856 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1068 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:112 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe33⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe34⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe35⤵
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe36⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe39⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe40⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe41⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe42⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe43⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe44⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe45⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe47⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:928 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe50⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe51⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe52⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe53⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe54⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe57⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe58⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe59⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe60⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe61⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe62⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe64⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe65⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe66⤵
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2784 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe68⤵PID:1924
-
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe69⤵PID:2340
-
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe70⤵PID:2292
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe71⤵PID:2700
-
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe72⤵PID:2472
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe73⤵PID:2748
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe74⤵PID:1956
-
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe75⤵
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe76⤵
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe77⤵PID:632
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe78⤵PID:1316
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe79⤵PID:3064
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe80⤵PID:2980
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe81⤵PID:2560
-
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe82⤵PID:824
-
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1744 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe84⤵PID:2028
-
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe85⤵PID:3008
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe86⤵PID:2580
-
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe87⤵PID:1764
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe88⤵PID:2664
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe89⤵PID:1880
-
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe90⤵
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe91⤵PID:2684
-
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe92⤵PID:2732
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe93⤵PID:1976
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe94⤵PID:980
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2076 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe96⤵PID:688
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe97⤵PID:1320
-
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2280 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe99⤵PID:1828
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2796 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe101⤵PID:1052
-
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe102⤵PID:1776
-
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe103⤵PID:1584
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe104⤵PID:1496
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe105⤵PID:2716
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe106⤵PID:2844
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe107⤵PID:472
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe108⤵PID:2036
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe109⤵PID:1636
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe110⤵PID:1600
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe111⤵
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe112⤵PID:1616
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1712 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe114⤵PID:2932
-
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe115⤵PID:2164
-
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe116⤵PID:1664
-
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe117⤵PID:2332
-
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe118⤵PID:2492
-
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe119⤵PID:2764
-
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe120⤵PID:720
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe121⤵PID:1868
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-