Analysis
max time kernel: 137s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22/04/2024, 01:55
Static task: static1
Behavioral task: behavioral1
  Sample: af6d71b8168b9b574be7b6eddc4ca5474e6e994793597880f5fa6ddff425f78f.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: af6d71b8168b9b574be7b6eddc4ca5474e6e994793597880f5fa6ddff425f78f.exe
  Resource: win10v2004-20240412-en
General
Target: af6d71b8168b9b574be7b6eddc4ca5474e6e994793597880f5fa6ddff425f78f.exe
Size: 163KB
MD5: 28bd654518e55cf2d4509e2d4348fd40
SHA1: 17bb1405e1bfe48f62f822a60e25db1531b219c4
SHA256: af6d71b8168b9b574be7b6eddc4ca5474e6e994793597880f5fa6ddff425f78f
SHA512: f5d7572b7a94b5a778bd4d361c1fcbdf2ceefb6569580fa96450f2cdbe17ac1febd993e4bfcca78f0c478448115eb9f4dc0f6df3fdb05b5ff854f728077b5c68
SSDEEP: 1536:PgwdMAbhFvD3bwlVW6a5THucPq5/jjBlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNy:DpFrSWhbucP+/jjBltOrWKDBr+yJb
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Detects executables built or packed with MPress PE compressor (64 IoCs)
UPX dump on OEP (original entry point) (64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 8784, pid_target: 8744, Process: WerFault.exe
Modifies registry class (64 IoCs)
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgeceh32.dll" Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll" Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfcampgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpmapm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llqcfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndjdlffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikeogmlj.dll" Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odobjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooeggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebpkk32.dll" Caknol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlgigdoh.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Filldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfqahgpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpajdp32.dll" Odobjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onhgbmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpgpkcpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iheddndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlmhpjh.dll" Mlfojn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimcgn32.dll" Afdlhchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll" Gbijhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gicbeald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfidj32.dll" Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgnia32.dll" Efcfga32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokjlf32.dll" Hiknhbcg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpelbgel.dll" Jjpcbe32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljiflem.dll" Kjfjbdle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adjigg32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofpfnqjp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdlblj32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeempocb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgidao32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kinaqg32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Limfed32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkdaf32.dll" Pnjdhmdo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcefji32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioaifhid.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kphimanc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkhilpb.dll" Ndkmpe32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhhbld32.dll" Gbcfadgl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipllekdl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mphcda32.dll" Kipnfged.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmmcjehm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkjlm32.dll" Nkbhgojk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocindg32.dll" Nacgdhlp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mponel32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqalka32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkmfhacp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fejgko32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll" Hlakpp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll" Hogmmjfo.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbjbaa32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbokmqie.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbkknojp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcodno32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keednado.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fepiimfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhgclfje.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnnojlpa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmaibnf.dll" Chcqpmep.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dflkdp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbndm32.dll" Ddokpmfo.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faagpp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ollfnfje.dll" Jqfffqpm.exe
-
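The autorun rows and the registry-class rows above are two halves of one persistence mechanism: a value named "Web Event Logger" under ShellServiceObjectDelayLoad names CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and the default value of that CLSID's InProcServer32 key is pointed at a dropped DLL in SysWow64, so Explorer loads the DLL at logon when it instantiates the listed shell service objects. Each writing process names a different DLL, so only one of the candidates is the value left on disk, and the report's row order is not a timeline. The Python below is an added example, not part of the sandbox report or its vendor's tooling. It parses rows in the flattened "action path [= data] process" form (an assumed grammar inferred from the rows above), ties each autorun value to the in-proc server candidates written for its CLSID, and records whether the write landed in the Wow6432Node view. The embedded rows are copied from the sections above; key comparisons are case-insensitive because the report itself mixes Software and SOFTWARE.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rows copied from the report's "Adds autorun key ..." and "Modifies registry class"
# tables (seven of the listed events). The report escapes backslashes inside quoted
# data ("C:\\Windows\\..."), which the raw string preserves.
REG_RECORDS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmfjha32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnnln32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofpfnqjp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokjlf32.dll" Hiknhbcg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adjigg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpelbgel.dll" Jjpcbe32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljiflem.dll" Kjfjbdle.exe
'''


@dataclass
class RegEvent:
    action: str            # "Set value (str)" or "Key created"
    key: str               # registry key path
    value: Optional[str]   # value name; "" is the (Default) value; None for key-only events
    data: Optional[str]    # data written, unescaped; None for key-only events
    process: str           # image name of the writing process


# Assumed row grammar: <action> <key or value path>[ = "<data>"] <writing process>
RECORD_RE = re.compile(
    r"^(?P<action>Set value \(\w+\)|Key created)\s+(?P<body>.+?)\s+(?P<process>\S+\.exe)$"
)
SSODL_SUFFIX = r"\currentversion\shellserviceobjectdelayload"
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32$", re.IGNORECASE)


def parse_events(text: str) -> List[RegEvent]:
    """One RegEvent per non-empty row; raises on a row the grammar does not cover."""
    events: List[RegEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised record: {line}")
        body, data = m["body"], None
        if m["action"].startswith("Set value"):
            body, data = body.split(" = ", 1)
            data = data.strip('"').replace("\\\\", "\\")     # undo the report's escaping
            key, _, value = body.rpartition("\\")            # value path -> (key, value name)
        else:
            key, value = body, None
        events.append(RegEvent(m["action"], key, value, data, m["process"]))
    return events


def ssodl_entries(events: List[RegEvent]) -> Dict[str, str]:
    """Autorun value name -> CLSID, from either registry view of ShellServiceObjectDelayLoad."""
    return {e.value: e.data for e in events
            if e.data is not None and e.key.lower().endswith(SSODL_SUFFIX)}


def inproc_servers(events: List[RegEvent], clsid: str) -> Dict[str, str]:
    """Writing process -> DLL path written to the (Default) value of the CLSID's InProcServer32 key."""
    out: Dict[str, str] = {}
    for e in events:
        m = INPROC_RE.search(e.key)
        if m and m.group(1).lower() == clsid.lower() and e.value == "" and e.data:
            out[e.process] = e.data
    return out


def persistence_summary(text: str) -> Dict[str, dict]:
    """Tie each autorun entry to the COM in-proc server it resolves to."""
    events = parse_events(text)
    summary: Dict[str, dict] = {}
    for name, clsid in ssodl_entries(events).items():
        servers = inproc_servers(events, clsid)
        summary[name] = {
            "clsid": clsid,
            # True when the write landed in the 32-bit view, as a WOW64 process's writes do
            "wow6432": any("\\wow6432node\\" in e.key.lower() for e in events if e.value == name),
            "dll_candidates": sorted(set(servers.values())),   # one per writing process
            "writers": servers,
            "threading_model": next((e.data for e in events
                                     if e.value == "ThreadingModel" and clsid.lower() in e.key.lower()), None),
        }
    return summary


if __name__ == "__main__":
    for name, info in persistence_summary(REG_RECORDS).items():
        print(name, info["clsid"], "WOW64 view" if info["wow6432"] else "native view")
        for proc, dll in info["writers"].items():
            print(f"  {proc} -> {dll}")
```

When carrying this to a live host, check both registry views (the native ShellServiceObjectDelayLoad key and the Wow6432Node copy) for the same value name, then confirm whether the DLL the InProcServer32 default value names actually exists and is signed; the candidate list only tells you which names the chain tried.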
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1912 wrote to memory of 2648 | 1912 | af6d71b8168b9b574be7b6eddc4ca5474e6e994793597880f5fa6ddff425f78f.exe | 28
PID 1912 wrote to memory of 2648 | 1912 | af6d71b8168b9b574be7b6eddc4ca5474e6e994793597880f5fa6ddff425f78f.exe | 28
PID 1912 wrote to memory of 2648 | 1912 | af6d71b8168b9b574be7b6eddc4ca5474e6e994793597880f5fa6ddff425f78f.exe | 28
PID 1912 wrote to memory of 2648 | 1912 | af6d71b8168b9b574be7b6eddc4ca5474e6e994793597880f5fa6ddff425f78f.exe | 28
PID 2648 wrote to memory of 2568 | 2648 | Kjhdokbo.exe | 29
PID 2648 wrote to memory of 2568 | 2648 | Kjhdokbo.exe | 29
PID 2648 wrote to memory of 2568 | 2648 | Kjhdokbo.exe | 29
PID 2648 wrote to memory of 2568 | 2648 | Kjhdokbo.exe | 29
PID 2568 wrote to memory of 2064 | 2568 | Kljqgc32.exe | 30
PID 2568 wrote to memory of 2064 | 2568 | Kljqgc32.exe | 30
PID 2568 wrote to memory of 2064 | 2568 | Kljqgc32.exe | 30
PID 2568 wrote to memory of 2064 | 2568 | Kljqgc32.exe | 30
PID 2064 wrote to memory of 2464 | 2064 | Kfoedl32.exe | 31
PID 2064 wrote to memory of 2464 | 2064 | Kfoedl32.exe | 31
PID 2064 wrote to memory of 2464 | 2064 | Kfoedl32.exe | 31
PID 2064 wrote to memory of 2464 | 2064 | Kfoedl32.exe | 31
PID 2464 wrote to memory of 2476 | 2464 | Kinaqg32.exe | 32
PID 2464 wrote to memory of 2476 | 2464 | Kinaqg32.exe | 32
PID 2464 wrote to memory of 2476 | 2464 | Kinaqg32.exe | 32
PID 2464 wrote to memory of 2476 | 2464 | Kinaqg32.exe | 32
PID 2476 wrote to memory of 1712 | 2476 | Kmimafop.exe | 33
PID 2476 wrote to memory of 1712 | 2476 | Kmimafop.exe | 33
PID 2476 wrote to memory of 1712 | 2476 | Kmimafop.exe | 33
PID 2476 wrote to memory of 1712 | 2476 | Kmimafop.exe | 33
PID 1712 wrote to memory of 1504 | 1712 | Kphimanc.exe | 34
PID 1712 wrote to memory of 1504 | 1712 | Kphimanc.exe | 34
PID 1712 wrote to memory of 1504 | 1712 | Kphimanc.exe | 34
PID 1712 wrote to memory of 1504 | 1712 | Kphimanc.exe | 34
PID 1504 wrote to memory of 2624 | 1504 | Kedaeh32.exe | 35
PID 1504 wrote to memory of 2624 | 1504 | Kedaeh32.exe | 35
PID 1504 wrote to memory of 2624 | 1504 | Kedaeh32.exe | 35
PID 1504 wrote to memory of 2624 | 1504 | Kedaeh32.exe | 35
PID 2624 wrote to memory of 2256 | 2624 | Kipnfged.exe | 36
PID 2624 wrote to memory of 2256 | 2624 | Kipnfged.exe | 36
PID 2624 wrote to memory of 2256 | 2624 | Kipnfged.exe | 36
PID 2624 wrote to memory of 2256 | 2624 | Kipnfged.exe | 36
PID 2256 wrote to memory of 1016 | 2256 | Komfnnck.exe | 37
PID 2256 wrote to memory of 1016 | 2256 | Komfnnck.exe | 37
PID 2256 wrote to memory of 1016 | 2256 | Komfnnck.exe | 37
PID 2256 wrote to memory of 1016 | 2256 | Komfnnck.exe | 37
PID 1016 wrote to memory of 2096 | 1016 | Kakbjibo.exe | 38
PID 1016 wrote to memory of 2096 | 1016 | Kakbjibo.exe | 38
PID 1016 wrote to memory of 2096 | 1016 | Kakbjibo.exe | 38
PID 1016 wrote to memory of 2096 | 1016 | Kakbjibo.exe | 38
PID 2096 wrote to memory of 1688 | 2096 | Kegnkh32.exe | 39
PID 2096 wrote to memory of 1688 | 2096 | Kegnkh32.exe | 39
PID 2096 wrote to memory of 1688 | 2096 | Kegnkh32.exe | 39
PID 2096 wrote to memory of 1688 | 2096 | Kegnkh32.exe | 39
PID 1688 wrote to memory of 2276 | 1688 | Khekgc32.exe | 40
PID 1688 wrote to memory of 2276 | 1688 | Khekgc32.exe | 40
PID 1688 wrote to memory of 2276 | 1688 | Khekgc32.exe | 40
PID 1688 wrote to memory of 2276 | 1688 | Khekgc32.exe | 40
PID 2276 wrote to memory of 2100 | 2276 | Koocdnai.exe | 41
PID 2276 wrote to memory of 2100 | 2276 | Koocdnai.exe | 41
PID 2276 wrote to memory of 2100 | 2276 | Koocdnai.exe | 41
PID 2276 wrote to memory of 2100 | 2276 | Koocdnai.exe | 41
PID 2100 wrote to memory of 2308 | 2100 | Keikqhhe.exe | 42
PID 2100 wrote to memory of 2308 | 2100 | Keikqhhe.exe | 42
PID 2100 wrote to memory of 2308 | 2100 | Keikqhhe.exe | 42
PID 2100 wrote to memory of 2308 | 2100 | Keikqhhe.exe | 42
PID 2308 wrote to memory of 2040 | 2308 | Llccmb32.exe | 43
PID 2308 wrote to memory of 2040 | 2308 | Llccmb32.exe | 43
PID 2308 wrote to memory of 2040 | 2308 | Llccmb32.exe | 43
PID 2308 wrote to memory of 2040 | 2308 | Llccmb32.exe | 43
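The WriteProcessMemory rows repeat each parent/child pair four times and stop at the section's 64-IoC cap, which is why they end at PID 2040 while the process tree below continues for well over a hundred levels. The Python below is an added example, not anything from the report or its vendor: it collapses the repeats into one edge per pair with a call count, reconstructs the spawn chain by walking from the one writer nobody wrote into, and rejects a graph in which a writer has two distinct targets, so a process that injects into several children is never silently flattened into a line. The row grammar is an assumption inferred from the rows above; the embedded rows are the first five pairs copied from the table.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Rows copied from the report's "Suspicious use of WriteProcessMemory" table: the
# column header, then the first five parent/child pairs. The table lists each pair
# four times (four WriteProcessMemory calls per child), reproduced here with "* 4".
SAMPLE = "af6d71b8168b9b574be7b6eddc4ca5474e6e994793597880f5fa6ddff425f78f.exe"
WPM_RECORDS = (
    "description pid Process procid_target "
    + f"PID 1912 wrote to memory of 2648 1912 {SAMPLE} 28 " * 4
    + "PID 2648 wrote to memory of 2568 2648 Kjhdokbo.exe 29 " * 4
    + "PID 2568 wrote to memory of 2064 2568 Kljqgc32.exe 30 " * 4
    + "PID 2064 wrote to memory of 2464 2064 Kfoedl32.exe 31 " * 4
    + "PID 2464 wrote to memory of 2476 2464 Kinaqg32.exe 32 " * 4
)

# Assumed row grammar, inferred from the table:
#   "PID <writer> wrote to memory of <target> <writer> <writer image> <sandbox target index>"
RECORD_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P=writer) (?P<image>\S+) (?P<target_idx>\d+)"
)

Edge = Tuple[int, int, str]  # (writer pid, target pid, writer image)


def parse_edges(text: str) -> List[Edge]:
    """Every row in order, repeats included."""
    return [(int(m["writer"]), int(m["target"]), m["image"])
            for m in RECORD_RE.finditer(text)]


def edge_counts(edges: List[Edge]) -> Counter:
    """Collapse repeats: how many WriteProcessMemory calls each parent made into each child."""
    return Counter((w, t) for w, t, _ in edges)


def reconstruct_chain(edges: List[Edge]) -> List[Tuple[int, Optional[str]]]:
    """Walk writer -> target links from the root (the one writer nobody wrote into).

    Returns [(pid, image)] in spawn order. The final pid has image None: it is only
    ever a target, so the rows never name it. Raises ValueError if the graph has
    several roots or a writer with more than one distinct target, i.e. it is not the
    single linear chain this sample produces.
    """
    children: Dict[int, Set[int]] = {}
    image: Dict[int, str] = {}
    targets: Set[int] = set()
    for w, t, img in edges:
        children.setdefault(w, set()).add(t)
        image[w] = img
        targets.add(t)
    roots = [w for w in children if w not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root writer, found {roots}")
    chain: List[Tuple[int, Optional[str]]] = []
    seen: Set[int] = set()
    pid: Optional[int] = roots[0]
    while pid is not None and pid not in seen:      # 'seen' guards against a cycle
        seen.add(pid)
        chain.append((pid, image.get(pid)))
        kids = children.get(pid, set())
        if len(kids) > 1:
            raise ValueError(f"pid {pid} wrote into several processes {sorted(kids)}")
        pid = next(iter(kids), None)
    return chain


def is_linear_chain(edges: List[Edge]) -> bool:
    """True when the rows describe one straight parent -> child -> grandchild line."""
    try:
        reconstruct_chain(edges)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    edges = parse_edges(WPM_RECORDS)
    for (w, t), n in edge_counts(edges).items():
        print(f"{w} -> {t}: {n} WriteProcessMemory calls")
    print(" -> ".join(f"{pid}({img or '?'})" for pid, img in reconstruct_chain(edges)))
```

Feeding the full 64 rows gives a 17-process chain ending at PID 2040; the remaining links have to be taken from the process tree, because the signature section stops logging once it reaches its IoC cap.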
Processes
-
Depth  image path  (cmdline: command line as logged)  PID  [signatures]. Each process is spawned by the one directly above it, a single chain 122 levels deep in the listing. The children are launched with a C:\Windows\system32\ path but their images sit under C:\Windows\SysWOW64\: the sample runs as a 32-bit (WOW64) process on this x64 VM, so file-system redirection maps system32 to SysWOW64 for it, just as its registry writes land under Wow6432Node.
1  C:\Users\Admin\AppData\Local\Temp\af6d71b8168b9b574be7b6eddc4ca5474e6e994793597880f5fa6ddff425f78f.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\af6d71b8168b9b574be7b6eddc4ca5474e6e994793597880f5fa6ddff425f78f.exe")  PID:1912  [Loads dropped DLL; Suspicious use of WriteProcessMemory]
2  C:\Windows\SysWOW64\Kjhdokbo.exe  (cmdline: C:\Windows\system32\Kjhdokbo.exe)  PID:2648  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
3  C:\Windows\SysWOW64\Kljqgc32.exe  (cmdline: C:\Windows\system32\Kljqgc32.exe)  PID:2568  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
4  C:\Windows\SysWOW64\Kfoedl32.exe  (cmdline: C:\Windows\system32\Kfoedl32.exe)  PID:2064  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
5  C:\Windows\SysWOW64\Kinaqg32.exe  (cmdline: C:\Windows\system32\Kinaqg32.exe)  PID:2464  [Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory]
6  C:\Windows\SysWOW64\Kmimafop.exe  (cmdline: C:\Windows\system32\Kmimafop.exe)  PID:2476  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
7  C:\Windows\SysWOW64\Kphimanc.exe  (cmdline: C:\Windows\system32\Kphimanc.exe)  PID:1712  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory]
8  C:\Windows\SysWOW64\Kedaeh32.exe  (cmdline: C:\Windows\system32\Kedaeh32.exe)  PID:1504  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
9  C:\Windows\SysWOW64\Kipnfged.exe  (cmdline: C:\Windows\system32\Kipnfged.exe)  PID:2624  [Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory]
10  C:\Windows\SysWOW64\Komfnnck.exe  (cmdline: C:\Windows\system32\Komfnnck.exe)  PID:2256  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
11  C:\Windows\SysWOW64\Kakbjibo.exe  (cmdline: C:\Windows\system32\Kakbjibo.exe)  PID:1016  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
12  C:\Windows\SysWOW64\Kegnkh32.exe  (cmdline: C:\Windows\system32\Kegnkh32.exe)  PID:2096  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
13  C:\Windows\SysWOW64\Khekgc32.exe  (cmdline: C:\Windows\system32\Khekgc32.exe)  PID:1688  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
14  C:\Windows\SysWOW64\Koocdnai.exe  (cmdline: C:\Windows\system32\Koocdnai.exe)  PID:2276  [Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory]
15  C:\Windows\SysWOW64\Keikqhhe.exe  (cmdline: C:\Windows\system32\Keikqhhe.exe)  PID:2100  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
16  C:\Windows\SysWOW64\Llccmb32.exe  (cmdline: C:\Windows\system32\Llccmb32.exe)  PID:2308  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
17  C:\Windows\SysWOW64\Loapim32.exe  (cmdline: C:\Windows\system32\Loapim32.exe)  PID:2040  [Executes dropped EXE; Loads dropped DLL]
18  C:\Windows\SysWOW64\Ldnhad32.exe  (cmdline: C:\Windows\system32\Ldnhad32.exe)  PID:1408  [Executes dropped EXE; Loads dropped DLL]
19  C:\Windows\SysWOW64\Lfmdnp32.exe  (cmdline: C:\Windows\system32\Lfmdnp32.exe)  PID:1808  [Executes dropped EXE; Loads dropped DLL]
20  C:\Windows\SysWOW64\Lkhpnnej.exe  (cmdline: C:\Windows\system32\Lkhpnnej.exe)  PID:380  [Executes dropped EXE; Loads dropped DLL]
21  C:\Windows\SysWOW64\Lmgmjjdn.exe  (cmdline: C:\Windows\system32\Lmgmjjdn.exe)  PID:2912  [Executes dropped EXE; Loads dropped DLL]
22  C:\Windows\SysWOW64\Labhkh32.exe  (cmdline: C:\Windows\system32\Labhkh32.exe)  PID:1128  [Executes dropped EXE; Loads dropped DLL]
23  C:\Windows\SysWOW64\Ldqegd32.exe  (cmdline: C:\Windows\system32\Ldqegd32.exe)  PID:1708  [Executes dropped EXE; Loads dropped DLL]
24  C:\Windows\SysWOW64\Lhlqhb32.exe  (cmdline: C:\Windows\system32\Lhlqhb32.exe)  PID:776  [Executes dropped EXE; Loads dropped DLL]
25  C:\Windows\SysWOW64\Lgoacojo.exe  (cmdline: C:\Windows\system32\Lgoacojo.exe)  PID:752  [Executes dropped EXE; Loads dropped DLL]
26  C:\Windows\SysWOW64\Lpgele32.exe  (cmdline: C:\Windows\system32\Lpgele32.exe)  PID:2192  [Executes dropped EXE; Loads dropped DLL]
27  C:\Windows\SysWOW64\Ldcamcih.exe  (cmdline: C:\Windows\system32\Ldcamcih.exe)  PID:1588  [Executes dropped EXE; Loads dropped DLL]
28  C:\Windows\SysWOW64\Lbfahp32.exe  (cmdline: C:\Windows\system32\Lbfahp32.exe)  PID:2720  [Executes dropped EXE; Loads dropped DLL]
29  C:\Windows\SysWOW64\Lpjbad32.exe  (cmdline: C:\Windows\system32\Lpjbad32.exe)  PID:2508  [Executes dropped EXE; Loads dropped DLL]
30  C:\Windows\SysWOW64\Libgjj32.exe  (cmdline: C:\Windows\system32\Libgjj32.exe)  PID:2612  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL]
31  C:\Windows\SysWOW64\Llqcfe32.exe  (cmdline: C:\Windows\system32\Llqcfe32.exe)  PID:2656  [Executes dropped EXE; Loads dropped DLL; Modifies registry class]
32  C:\Windows\SysWOW64\Lplogdmj.exe  (cmdline: C:\Windows\system32\Lplogdmj.exe)  PID:2820  [Executes dropped EXE; Loads dropped DLL]
33  C:\Windows\SysWOW64\Mcjkcplm.exe  (cmdline: C:\Windows\system32\Mcjkcplm.exe)  PID:1444  [Executes dropped EXE]
34  C:\Windows\SysWOW64\Mgfgdn32.exe  (cmdline: C:\Windows\system32\Mgfgdn32.exe)  PID:2432  [Executes dropped EXE]
35  C:\Windows\SysWOW64\Midcpj32.exe  (cmdline: C:\Windows\system32\Midcpj32.exe)  PID:2676  [Executes dropped EXE]
36  C:\Windows\SysWOW64\Mhgclfje.exe  (cmdline: C:\Windows\system32\Mhgclfje.exe)  PID:2080  [Executes dropped EXE; Modifies registry class]
37  C:\Windows\SysWOW64\Maphdl32.exe  (cmdline: C:\Windows\system32\Maphdl32.exe)  PID:2108  [Executes dropped EXE; Drops file in System32 directory]
38  C:\Windows\SysWOW64\Mhjpaf32.exe  (cmdline: C:\Windows\system32\Mhjpaf32.exe)  PID:1560  [Executes dropped EXE]
39  C:\Windows\SysWOW64\Mochnppo.exe  (cmdline: C:\Windows\system32\Mochnppo.exe)  PID:864  [Executes dropped EXE]
40  C:\Windows\SysWOW64\Mcodno32.exe  (cmdline: C:\Windows\system32\Mcodno32.exe)  PID:2460  [Executes dropped EXE; Modifies registry class]
41  C:\Windows\SysWOW64\Menakj32.exe  (cmdline: C:\Windows\system32\Menakj32.exe)  PID:1244  [Executes dropped EXE]
42  C:\Windows\SysWOW64\Mdqafgnf.exe  (cmdline: C:\Windows\system32\Mdqafgnf.exe)  PID:324  [Executes dropped EXE]
43  C:\Windows\SysWOW64\Mlgigdoh.exe  (cmdline: C:\Windows\system32\Mlgigdoh.exe)  PID:488  [Executes dropped EXE; Modifies registry class]
44  C:\Windows\SysWOW64\Mlgigdoh.exe  (cmdline: C:\Windows\system32\Mlgigdoh.exe)  PID:2072  [Executes dropped EXE]
45  C:\Windows\SysWOW64\Mkjica32.exe  (cmdline: C:\Windows\system32\Mkjica32.exe)  PID:540  [Executes dropped EXE]
46  C:\Windows\SysWOW64\Mnieom32.exe  (cmdline: C:\Windows\system32\Mnieom32.exe)  PID:336  [Executes dropped EXE]
47  C:\Windows\SysWOW64\Madapkmp.exe  (cmdline: C:\Windows\system32\Madapkmp.exe)  PID:2964  [Executes dropped EXE]
48  C:\Windows\SysWOW64\Mepnpj32.exe  (cmdline: C:\Windows\system32\Mepnpj32.exe)  PID:1268  [Executes dropped EXE]
49  C:\Windows\SysWOW64\Mhnjle32.exe  (cmdline: C:\Windows\system32\Mhnjle32.exe)  PID:344  [Executes dropped EXE]
50  C:\Windows\SysWOW64\Mkmfhacp.exe  (cmdline: C:\Windows\system32\Mkmfhacp.exe)  PID:572  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class]
51  C:\Windows\SysWOW64\Mnkbdlbd.exe  (cmdline: C:\Windows\system32\Mnkbdlbd.exe)  PID:1620  [Executes dropped EXE]
52  C:\Windows\SysWOW64\Mpjoqhah.exe  (cmdline: C:\Windows\system32\Mpjoqhah.exe)  PID:2468  [Executes dropped EXE]
53  C:\Windows\SysWOW64\Mdejaf32.exe  (cmdline: C:\Windows\system32\Mdejaf32.exe)  PID:1980  [Executes dropped EXE]
54  C:\Windows\SysWOW64\Mgcgmb32.exe  (cmdline: C:\Windows\system32\Mgcgmb32.exe)  PID:2412  [Executes dropped EXE]
55  C:\Windows\SysWOW64\Mkobnqan.exe  (cmdline: C:\Windows\system32\Mkobnqan.exe)  PID:2036  [Executes dropped EXE]
56  C:\Windows\SysWOW64\Nnnojlpa.exe  (cmdline: C:\Windows\system32\Nnnojlpa.exe)  PID:2816  [Executes dropped EXE; Modifies registry class]
57  C:\Windows\SysWOW64\Naikkk32.exe  (cmdline: C:\Windows\system32\Naikkk32.exe)  PID:628  [Executes dropped EXE]
58  C:\Windows\SysWOW64\Nplkfgoe.exe  (cmdline: C:\Windows\system32\Nplkfgoe.exe)  PID:2596  [Executes dropped EXE]
59  C:\Windows\SysWOW64\Ncjgbcoi.exe  (cmdline: C:\Windows\system32\Ncjgbcoi.exe)  PID:1824  [Executes dropped EXE]
60  C:\Windows\SysWOW64\Ngfcca32.exe  (cmdline: C:\Windows\system32\Ngfcca32.exe)  PID:2488  [Executes dropped EXE]
61  C:\Windows\SysWOW64\Nkaocp32.exe  (cmdline: C:\Windows\system32\Nkaocp32.exe)  PID:2288  [Executes dropped EXE]
62  C:\Windows\SysWOW64\Nnplpl32.exe  (cmdline: C:\Windows\system32\Nnplpl32.exe)  PID:1684  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE]
63  C:\Windows\SysWOW64\Npnhlg32.exe  (cmdline: C:\Windows\system32\Npnhlg32.exe)  PID:2184  [Executes dropped EXE]
64  C:\Windows\SysWOW64\Ndjdlffl.exe  (cmdline: C:\Windows\system32\Ndjdlffl.exe)  PID:832  [Executes dropped EXE; Modifies registry class]
65  C:\Windows\SysWOW64\Ncmdhb32.exe  (cmdline: C:\Windows\system32\Ncmdhb32.exe)  PID:2028  [Executes dropped EXE]
66  C:\Windows\SysWOW64\Nghphaeo.exe  (cmdline: C:\Windows\system32\Nghphaeo.exe)  PID:2692
67  C:\Windows\SysWOW64\Nfkpdn32.exe  (cmdline: C:\Windows\system32\Nfkpdn32.exe)  PID:700
68  C:\Windows\SysWOW64\Njgldmdc.exe  (cmdline: C:\Windows\system32\Njgldmdc.exe)  PID:1664
69  C:\Windows\SysWOW64\Nleiqhcg.exe  (cmdline: C:\Windows\system32\Nleiqhcg.exe)  PID:1480
70  C:\Windows\SysWOW64\Nqqdag32.exe  (cmdline: C:\Windows\system32\Nqqdag32.exe)  PID:1264  [Drops file in System32 directory]
71  C:\Windows\SysWOW64\Nocemcbj.exe  (cmdline: C:\Windows\system32\Nocemcbj.exe)  PID:3056
72  C:\Windows\SysWOW64\Ngkmnacm.exe  (cmdline: C:\Windows\system32\Ngkmnacm.exe)  PID:2788
73  C:\Windows\SysWOW64\Nfmmin32.exe  (cmdline: C:\Windows\system32\Nfmmin32.exe)  PID:2872
74  C:\Windows\SysWOW64\Njiijlbp.exe  (cmdline: C:\Windows\system32\Njiijlbp.exe)  PID:2944
75  C:\Windows\SysWOW64\Nlgefh32.exe  (cmdline: C:\Windows\system32\Nlgefh32.exe)  PID:1412
76  C:\Windows\SysWOW64\Nofabc32.exe  (cmdline: C:\Windows\system32\Nofabc32.exe)  PID:2608
77  C:\Windows\SysWOW64\Ncancbha.exe  (cmdline: C:\Windows\system32\Ncancbha.exe)  PID:2988  [Drops file in System32 directory]
78  C:\Windows\SysWOW64\Nbdnoo32.exe  (cmdline: C:\Windows\system32\Nbdnoo32.exe)  PID:2360
79  C:\Windows\SysWOW64\Njkfpl32.exe  (cmdline: C:\Windows\system32\Njkfpl32.exe)  PID:2340
80  C:\Windows\SysWOW64\Nhnfkigh.exe  (cmdline: C:\Windows\system32\Nhnfkigh.exe)  PID:2512
81  C:\Windows\SysWOW64\Nmjblg32.exe  (cmdline: C:\Windows\system32\Nmjblg32.exe)  PID:2628
82  C:\Windows\SysWOW64\Nkmbgdfl.exe  (cmdline: C:\Windows\system32\Nkmbgdfl.exe)  PID:2116
83  C:\Windows\SysWOW64\Nbfjdn32.exe  (cmdline: C:\Windows\system32\Nbfjdn32.exe)  PID:1820
84  C:\Windows\SysWOW64\Ofbfdmeb.exe  (cmdline: C:\Windows\system32\Ofbfdmeb.exe)  PID:1232
85  C:\Windows\SysWOW64\Omloag32.exe  (cmdline: C:\Windows\system32\Omloag32.exe)  PID:1548
86  C:\Windows\SysWOW64\Okoomd32.exe  (cmdline: C:\Windows\system32\Okoomd32.exe)  PID:3024
87  C:\Windows\SysWOW64\Ofdcjm32.exe  (cmdline: C:\Windows\system32\Ofdcjm32.exe)  PID:1596
88  C:\Windows\SysWOW64\Oicpfh32.exe  (cmdline: C:\Windows\system32\Oicpfh32.exe)  PID:2044
89  C:\Windows\SysWOW64\Ogfpbeim.exe  (cmdline: C:\Windows\system32\Ogfpbeim.exe)  PID:1564
90  C:\Windows\SysWOW64\Oomhcbjp.exe  (cmdline: C:\Windows\system32\Oomhcbjp.exe)  PID:284
91  C:\Windows\SysWOW64\Obkdonic.exe  (cmdline: C:\Windows\system32\Obkdonic.exe)  PID:292
92  C:\Windows\SysWOW64\Oqndkj32.exe  (cmdline: C:\Windows\system32\Oqndkj32.exe)  PID:1604
93  C:\Windows\SysWOW64\Oiellh32.exe  (cmdline: C:\Windows\system32\Oiellh32.exe)  PID:912
94  C:\Windows\SysWOW64\Oghlgdgk.exe  (cmdline: C:\Windows\system32\Oghlgdgk.exe)  PID:1888
95  C:\Windows\SysWOW64\Ojficpfn.exe  (cmdline: C:\Windows\system32\Ojficpfn.exe)  PID:1916
96  C:\Windows\SysWOW64\Obnqem32.exe  (cmdline: C:\Windows\system32\Obnqem32.exe)  PID:1532
97  C:\Windows\SysWOW64\Ocomlemo.exe  (cmdline: C:\Windows\system32\Ocomlemo.exe)  PID:1680
98  C:\Windows\SysWOW64\Ogjimd32.exe  (cmdline: C:\Windows\system32\Ogjimd32.exe)  PID:2632
99  C:\Windows\SysWOW64\Ondajnme.exe  (cmdline: C:\Windows\system32\Ondajnme.exe)  PID:2400
100  C:\Windows\SysWOW64\Omgaek32.exe  (cmdline: C:\Windows\system32\Omgaek32.exe)  PID:1544
101  C:\Windows\SysWOW64\Oenifh32.exe  (cmdline: C:\Windows\system32\Oenifh32.exe)  PID:2528
102  C:\Windows\SysWOW64\Ocajbekl.exe  (cmdline: C:\Windows\system32\Ocajbekl.exe)  PID:276
103  C:\Windows\SysWOW64\Ofpfnqjp.exe  (cmdline: C:\Windows\system32\Ofpfnqjp.exe)  PID:2796  [Modifies registry class]
104  C:\Windows\SysWOW64\Ofpfnqjp.exe  (cmdline: C:\Windows\system32\Ofpfnqjp.exe)  PID:2808
105  C:\Windows\SysWOW64\Ojkboo32.exe  (cmdline: C:\Windows\system32\Ojkboo32.exe)  PID:1460
106  C:\Windows\SysWOW64\Pminkk32.exe  (cmdline: C:\Windows\system32\Pminkk32.exe)  PID:2484
107  C:\Windows\SysWOW64\Pphjgfqq.exe  (cmdline: C:\Windows\system32\Pphjgfqq.exe)  PID:1652
108  C:\Windows\SysWOW64\Pccfge32.exe  (cmdline: C:\Windows\system32\Pccfge32.exe)  PID:2736
109  C:\Windows\SysWOW64\Pipopl32.exe  (cmdline: C:\Windows\system32\Pipopl32.exe)  PID:448
110  C:\Windows\SysWOW64\Pmlkpjpj.exe  (cmdline: C:\Windows\system32\Pmlkpjpj.exe)  PID:2940
111  C:\Windows\SysWOW64\Ppjglfon.exe  (cmdline: C:\Windows\system32\Ppjglfon.exe)  PID:2928
112  C:\Windows\SysWOW64\Pcfcmd32.exe  (cmdline: C:\Windows\system32\Pcfcmd32.exe)  PID:1616
113  C:\Windows\SysWOW64\Pfdpip32.exe  (cmdline: C:\Windows\system32\Pfdpip32.exe)  PID:2152
114  C:\Windows\SysWOW64\Piblek32.exe  (cmdline: C:\Windows\system32\Piblek32.exe)  PID:2828
115  C:\Windows\SysWOW64\Plahag32.exe  (cmdline: C:\Windows\system32\Plahag32.exe)  PID:2520  [Drops file in System32 directory]
116  C:\Windows\SysWOW64\Plahag32.exe  (cmdline: C:\Windows\system32\Plahag32.exe)  PID:1524
117  C:\Windows\SysWOW64\Ppmdbe32.exe  (cmdline: C:\Windows\system32\Ppmdbe32.exe)  PID:1728
118  C:\Windows\SysWOW64\Pbkpna32.exe  (cmdline: C:\Windows\system32\Pbkpna32.exe)  PID:2272
119  C:\Windows\SysWOW64\Pmqdkj32.exe  (cmdline: C:\Windows\system32\Pmqdkj32.exe)  PID:2252  [Adds autorun key to be loaded by Explorer.exe on startup]
120  C:\Windows\SysWOW64\Plcdgfbo.exe  (cmdline: C:\Windows\system32\Plcdgfbo.exe)  PID:2700
121  C:\Windows\SysWOW64\Pfiidobe.exe  (cmdline: C:\Windows\system32\Pfiidobe.exe)  PID:1812
122  C:\Windows\SysWOW64\Pelipl32.exe  (cmdline: C:\Windows\system32\Pelipl32.exe)  PID:1252  [Adds autorun key to be loaded by Explorer.exe on startup]