Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
25/05/2024, 04:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e2e022cba76f992dc31c03c60841fe20af2cf7481db8296ed52af0c1f2b3d898.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
e2e022cba76f992dc31c03c60841fe20af2cf7481db8296ed52af0c1f2b3d898.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
e2e022cba76f992dc31c03c60841fe20af2cf7481db8296ed52af0c1f2b3d898.exe
-
Size
104KB
-
MD5
86c75f0147a2596ccd5829c4be14a1c5
-
SHA1
d1b3a54188ac52dd14d3e39fe42c085fdb6e4aea
-
SHA256
e2e022cba76f992dc31c03c60841fe20af2cf7481db8296ed52af0c1f2b3d898
-
SHA512
4eb8ed5e57d646645e5e76169570353ca2908a643d9032123cb364a8adabad3d5ba02b2d55b18564f053b79bb27a2c3078f2b4ea90901b32ce99d7a87bbe5a99
-
SSDEEP
3072:7HePSgHmz9XTTd9gC3qeoQuE+h3+rJM++SYSUZCbCdW:LSS2mRJFRodEcAJN+SYSUZCbX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojkboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alhjai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgaqgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgdddmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfbcbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jonplmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmfbogcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cppkph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igakgfpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlaeonld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnagjbdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjjddchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Moiklogi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clilkfnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjbpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljkomfjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbiciana.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlakpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofmbnkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omfkke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mffimglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlhkpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baqbenep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqcoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bocolb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcadac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djpmccqq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iajcde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkopcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anafhopc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikejl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdehon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kqqboncb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lndohedg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baildokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpdbloof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnennj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlakpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncahjgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkgbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfoocjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgfqaiod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqqboncb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpmjak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqopea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llkbap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkommo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdqna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nlekia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpphap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lihmjejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhdplq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qpecfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bifgdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdqbekcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inkccpgk.exe -
Executes dropped EXE 64 IoCs
pid Process 2712 Omloag32.exe 2516 Ofdcjm32.exe 2492 Okalbc32.exe 2696 Onphoo32.exe 2556 Odjpkihg.exe 2464 Oghlgdgk.exe 2912 Onbddoog.exe 2660 Oqqapjnk.exe 2632 Okfencna.exe 1760 Omgaek32.exe 2280 Ocajbekl.exe 2452 Ojkboo32.exe 2036 Paejki32.exe 2068 Pgobhcac.exe 2196 Pipopl32.exe 1732 Paggai32.exe 1392 Pbiciana.exe 2784 Pjpkjond.exe 1132 Pmnhfjmg.exe 1720 Pchpbded.exe 2956 Pfflopdh.exe 1452 Pmqdkj32.exe 1664 Ppoqge32.exe 916 Pelipl32.exe 2292 Phjelg32.exe 3012 Pijbfj32.exe 3024 Qnfjna32.exe 2672 Qaefjm32.exe 2520 Qdccfh32.exe 2524 Qmlgonbe.exe 2424 Adeplhib.exe 2112 Ahakmf32.exe 1740 Amndem32.exe 2740 Aplpai32.exe 1840 Ahchbf32.exe 340 Ampqjm32.exe 2788 Apomfh32.exe 2640 Ajdadamj.exe 1672 Apajlhka.exe 2992 Admemg32.exe 2188 Aenbdoii.exe 1052 Alhjai32.exe 2844 Abbbnchb.exe 2356 Afmonbqk.exe 2980 Ailkjmpo.exe 3004 Bpfcgg32.exe 2060 Bbdocc32.exe 1616 Bebkpn32.exe 2316 Bingpmnl.exe 276 Blmdlhmp.exe 2964 Bokphdld.exe 2612 Baildokg.exe 2400 Bdhhqk32.exe 2716 Bloqah32.exe 2408 Bkaqmeah.exe 2620 Bnpmipql.exe 2748 Begeknan.exe 1844 Bhfagipa.exe 1784 Bkdmcdoe.exe 1544 Bnbjopoi.exe 2304 Bpafkknm.exe 2004 Bhhnli32.exe 2616 Bkfjhd32.exe 676 Bjijdadm.exe -
Loads dropped DLL 64 IoCs
pid Process 2476 e2e022cba76f992dc31c03c60841fe20af2cf7481db8296ed52af0c1f2b3d898.exe 2476 e2e022cba76f992dc31c03c60841fe20af2cf7481db8296ed52af0c1f2b3d898.exe 2712 Omloag32.exe 2712 Omloag32.exe 2516 Ofdcjm32.exe 2516 Ofdcjm32.exe 2492 Okalbc32.exe 2492 Okalbc32.exe 2696 Onphoo32.exe 2696 Onphoo32.exe 2556 Odjpkihg.exe 2556 Odjpkihg.exe 2464 Oghlgdgk.exe 2464 Oghlgdgk.exe 2912 Onbddoog.exe 2912 Onbddoog.exe 2660 Oqqapjnk.exe 2660 Oqqapjnk.exe 2632 Okfencna.exe 2632 Okfencna.exe 1760 Omgaek32.exe 1760 Omgaek32.exe 2280 Ocajbekl.exe 2280 Ocajbekl.exe 2452 Ojkboo32.exe 2452 Ojkboo32.exe 2036 Paejki32.exe 2036 Paejki32.exe 2068 Pgobhcac.exe 2068 Pgobhcac.exe 2196 Pipopl32.exe 2196 Pipopl32.exe 1732 Paggai32.exe 1732 Paggai32.exe 1392 Pbiciana.exe 1392 Pbiciana.exe 2784 Pjpkjond.exe 2784 Pjpkjond.exe 1132 Pmnhfjmg.exe 1132 Pmnhfjmg.exe 1720 Pchpbded.exe 1720 Pchpbded.exe 2956 Pfflopdh.exe 2956 Pfflopdh.exe 1452 Pmqdkj32.exe 1452 Pmqdkj32.exe 1664 Ppoqge32.exe 1664 Ppoqge32.exe 916 Pelipl32.exe 916 Pelipl32.exe 2292 Phjelg32.exe 2292 Phjelg32.exe 3012 Pijbfj32.exe 3012 Pijbfj32.exe 3024 Qnfjna32.exe 3024 Qnfjna32.exe 2672 Qaefjm32.exe 2672 Qaefjm32.exe 2520 Qdccfh32.exe 2520 Qdccfh32.exe 2524 Qmlgonbe.exe 2524 Qmlgonbe.exe 2424 Adeplhib.exe 2424 Adeplhib.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kihqkagp.exe Kaaijdgn.exe File opened for modification C:\Windows\SysWOW64\Alnqqd32.exe Amkpegnj.exe File created C:\Windows\SysWOW64\Kebgia32.exe Kfpgmdog.exe File opened for modification C:\Windows\SysWOW64\Moanaiie.exe Mponel32.exe File created C:\Windows\SysWOW64\Heglio32.exe Homclekn.exe File created C:\Windows\SysWOW64\Enlejpga.dll Jfknbe32.exe File opened for modification C:\Windows\SysWOW64\Bkaqmeah.exe Bloqah32.exe File opened for modification C:\Windows\SysWOW64\Dfijnd32.exe Dcknbh32.exe File created C:\Windows\SysWOW64\Djmccf32.dll Idmhkpml.exe File created C:\Windows\SysWOW64\Joifam32.exe Jqfffqpm.exe File created C:\Windows\SysWOW64\Jbllihbf.exe Jonplmcb.exe File opened for modification C:\Windows\SysWOW64\Lajhofao.exe Lmolnh32.exe File created C:\Windows\SysWOW64\Fealjk32.dll Hdfflm32.exe File created C:\Windows\SysWOW64\Bhlhkl32.dll Kjljhjkl.exe File created C:\Windows\SysWOW64\Kjqccigf.exe Kfegbj32.exe File opened for modification C:\Windows\SysWOW64\Dbhnhp32.exe Dcenlceh.exe File opened for modification C:\Windows\SysWOW64\Bpfcgg32.exe Ailkjmpo.exe File opened for modification C:\Windows\SysWOW64\Ilknfn32.exe Ihoafpmp.exe File created C:\Windows\SysWOW64\Dbehoa32.exe Djnpnc32.exe File opened for modification C:\Windows\SysWOW64\Ffpmnf32.exe Fpfdalii.exe File created C:\Windows\SysWOW64\Cekkkkhe.dll Knjbnh32.exe File created C:\Windows\SysWOW64\Fqmmidel.dll Mmahdggc.exe File opened for modification C:\Windows\SysWOW64\Lbcnhjnj.exe Lpdbloof.exe File created C:\Windows\SysWOW64\Mcaiqm32.dll Omfkke32.exe File opened for modification C:\Windows\SysWOW64\Cnmehnan.exe Ckoilb32.exe File created C:\Windows\SysWOW64\Nhhbld32.dll Gbcfadgl.exe File created C:\Windows\SysWOW64\Lijigk32.dll Hdnepk32.exe File opened for modification C:\Windows\SysWOW64\Lghjel32.exe Leimip32.exe File opened for modification C:\Windows\SysWOW64\Blmdlhmp.exe Bingpmnl.exe File created C:\Windows\SysWOW64\Gfedefbi.dll Dchali32.exe File created C:\Windows\SysWOW64\Ckcmac32.dll Jjojofgn.exe File created C:\Windows\SysWOW64\Afldcl32.dll Kgkafo32.exe File created C:\Windows\SysWOW64\Jchafg32.dll Dpeekh32.exe File created C:\Windows\SysWOW64\Mdpjlajk.exe Mpdnkb32.exe File opened for modification C:\Windows\SysWOW64\Nocnbmoo.exe Nkgbbo32.exe File created C:\Windows\SysWOW64\Gpqpjj32.exe Gmbdnn32.exe File created C:\Windows\SysWOW64\Hhckpk32.exe Hipkdnmf.exe File created C:\Windows\SysWOW64\Aekodi32.exe Anafhopc.exe File created C:\Windows\SysWOW64\Mghohc32.dll Ckafbbph.exe File created C:\Windows\SysWOW64\Dpbheh32.exe Dndlim32.exe File opened for modification C:\Windows\SysWOW64\Dfoqmo32.exe Dcadac32.exe File created C:\Windows\SysWOW64\Galmmc32.dll Dlnbeh32.exe File created C:\Windows\SysWOW64\Olhfdohg.dll Fpngfgle.exe File created C:\Windows\SysWOW64\Jnkpbcjg.exe Jjpcbe32.exe File created C:\Windows\SysWOW64\Nigome32.exe Ngibaj32.exe File created C:\Windows\SysWOW64\Flmefm32.exe Fioija32.exe File opened for modification C:\Windows\SysWOW64\Fddmgjpo.exe Flmefm32.exe File created C:\Windows\SysWOW64\Fehofegb.dll Alnqqd32.exe File opened for modification C:\Windows\SysWOW64\Bifgdk32.exe Bekkcljk.exe File created C:\Windows\SysWOW64\Qagnqken.dll Hgjefg32.exe File opened for modification C:\Windows\SysWOW64\Jfnnha32.exe Jnffgd32.exe File created C:\Windows\SysWOW64\Bpafkknm.exe Bnbjopoi.exe File created C:\Windows\SysWOW64\Aefbii32.dll Lkncmmle.exe File opened for modification C:\Windows\SysWOW64\Hipkdnmf.exe Haiccald.exe File created C:\Windows\SysWOW64\Nmfmhhoj.dll Idnaoohk.exe File opened for modification C:\Windows\SysWOW64\Iamimc32.exe Ioolqh32.exe File opened for modification C:\Windows\SysWOW64\Lgmcqkkh.exe Lpekon32.exe File created C:\Windows\SysWOW64\Lflmci32.exe Lbqabkql.exe File created C:\Windows\SysWOW64\Chfpgj32.dll Ombapedi.exe File opened for modification C:\Windows\SysWOW64\Amfcikek.exe Ajhgmpfg.exe File created C:\Windows\SysWOW64\Bafidiio.exe Bioqclil.exe File opened for modification C:\Windows\SysWOW64\Dndlim32.exe Djhphncm.exe File created C:\Windows\SysWOW64\Doqplo32.dll Hlqdei32.exe File created C:\Windows\SysWOW64\Dekpaqgc.dll Ekholjqg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8132 8112 WerFault.exe 766 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndejjf32.dll" Amndem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edfpjabf.dll" Hkfagfop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nplmop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll" Hobcak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qmicohqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpiddoma.dll" Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll" Ndjfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cbnbobin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lpbefoai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Anafhopc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fddcahee.dll" Ogblbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfmjjgm.dll" Anojbobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mkhofjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Naoniipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecomlgc.dll" Mmneda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fnpnndgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gmgdddmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjqccigf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Leimip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lghjel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kfpgmdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ngfflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jofiln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qmicohqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbkba32.dll" Ipgbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jknpfqoh.dll" Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qmfgjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hdnepk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nlcnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ocajbekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpefbknb.dll" Baqbenep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpdgnh32.dll" Lajhofao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mifnekbi.dll" Kcakaipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpooed32.dll" Bhkdeggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hdildlie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjlgm32.dll" Inkccpgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll" Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Limilm32.dll" Kcfkfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Heglio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmpfojmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Habfipdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckcmac32.dll" Jjojofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iooklook.dll" Aadloj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bfcampgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll" Dhbfdjdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eqbddk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mgalqkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Adeplhib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nglknl32.dll" Qpecfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ejkima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhfdohg.dll" Fpngfgle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ahchbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hacmcfge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjadmnic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajjcbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cppkph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gpncej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpjiajeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mdpjlajk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nhfipcid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iajcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llohjo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2476 wrote to memory of 2712 2476 e2e022cba76f992dc31c03c60841fe20af2cf7481db8296ed52af0c1f2b3d898.exe 28 PID 2476 wrote to memory of 2712 2476 e2e022cba76f992dc31c03c60841fe20af2cf7481db8296ed52af0c1f2b3d898.exe 28 PID 2476 wrote to memory of 2712 2476 e2e022cba76f992dc31c03c60841fe20af2cf7481db8296ed52af0c1f2b3d898.exe 28 PID 2476 wrote to memory of 2712 2476 e2e022cba76f992dc31c03c60841fe20af2cf7481db8296ed52af0c1f2b3d898.exe 28 PID 2712 wrote to memory of 2516 2712 Omloag32.exe 29 PID 2712 wrote to memory of 2516 2712 Omloag32.exe 29 PID 2712 wrote to memory of 2516 2712 Omloag32.exe 29 PID 2712 wrote to memory of 2516 2712 Omloag32.exe 29 PID 2516 wrote to memory of 2492 2516 Ofdcjm32.exe 30 PID 2516 wrote to memory of 2492 2516 Ofdcjm32.exe 30 PID 2516 wrote to memory of 2492 2516 Ofdcjm32.exe 30 PID 2516 wrote to memory of 2492 2516 Ofdcjm32.exe 30 PID 2492 wrote to memory of 2696 2492 Okalbc32.exe 31 PID 2492 wrote to memory of 2696 2492 Okalbc32.exe 31 PID 2492 wrote to memory of 2696 2492 Okalbc32.exe 31 PID 2492 wrote to memory of 2696 2492 Okalbc32.exe 31 PID 2696 wrote to memory of 2556 2696 Onphoo32.exe 32 PID 2696 wrote to memory of 2556 2696 Onphoo32.exe 32 PID 2696 wrote to memory of 2556 2696 Onphoo32.exe 32 PID 2696 wrote to memory of 2556 2696 Onphoo32.exe 32 PID 2556 wrote to memory of 2464 2556 Odjpkihg.exe 33 PID 2556 wrote to memory of 2464 2556 Odjpkihg.exe 33 PID 2556 wrote to memory of 2464 2556 Odjpkihg.exe 33 PID 2556 wrote to memory of 2464 2556 Odjpkihg.exe 33 PID 2464 wrote to memory of 2912 2464 Oghlgdgk.exe 34 PID 2464 wrote to memory of 2912 2464 Oghlgdgk.exe 34 PID 2464 wrote to memory of 2912 2464 Oghlgdgk.exe 34 PID 2464 wrote to memory of 2912 2464 Oghlgdgk.exe 34 PID 2912 wrote to memory of 2660 2912 Onbddoog.exe 35 PID 2912 wrote to memory of 2660 2912 Onbddoog.exe 35 PID 2912 wrote to memory of 2660 2912 Onbddoog.exe 35 PID 2912 wrote to memory of 2660 2912 Onbddoog.exe 35 PID 2660 wrote to memory of 2632 2660 Oqqapjnk.exe 36 PID 2660 wrote to memory of 2632 2660 Oqqapjnk.exe 36 PID 2660 wrote to memory of 2632 2660 Oqqapjnk.exe 36 PID 2660 wrote to memory of 2632 2660 Oqqapjnk.exe 36 PID 2632 wrote to memory of 1760 2632 Okfencna.exe 37 PID 2632 wrote to memory of 1760 2632 Okfencna.exe 37 PID 2632 wrote to memory of 1760 2632 Okfencna.exe 37 PID 2632 wrote to memory of 1760 2632 Okfencna.exe 37 PID 1760 wrote to memory of 2280 1760 Omgaek32.exe 38 PID 1760 wrote to memory of 2280 1760 Omgaek32.exe 38 PID 1760 wrote to memory of 2280 1760 Omgaek32.exe 38 PID 1760 wrote to memory of 2280 1760 Omgaek32.exe 38 PID 2280 wrote to memory of 2452 2280 Ocajbekl.exe 39 PID 2280 wrote to memory of 2452 2280 Ocajbekl.exe 39 PID 2280 wrote to memory of 2452 2280 Ocajbekl.exe 39 PID 2280 wrote to memory of 2452 2280 Ocajbekl.exe 39 PID 2452 wrote to memory of 2036 2452 Ojkboo32.exe 40 PID 2452 wrote to memory of 2036 2452 Ojkboo32.exe 40 PID 2452 wrote to memory of 2036 2452 Ojkboo32.exe 40 PID 2452 wrote to memory of 2036 2452 Ojkboo32.exe 40 PID 2036 wrote to memory of 2068 2036 Paejki32.exe 41 PID 2036 wrote to memory of 2068 2036 Paejki32.exe 41 PID 2036 wrote to memory of 2068 2036 Paejki32.exe 41 PID 2036 wrote to memory of 2068 2036 Paejki32.exe 41 PID 2068 wrote to memory of 2196 2068 Pgobhcac.exe 42 PID 2068 wrote to memory of 2196 2068 Pgobhcac.exe 42 PID 2068 wrote to memory of 2196 2068 Pgobhcac.exe 42 PID 2068 wrote to memory of 2196 2068 Pgobhcac.exe 42 PID 2196 wrote to memory of 1732 2196 Pipopl32.exe 43 PID 2196 wrote to memory of 1732 2196 Pipopl32.exe 43 PID 2196 wrote to memory of 1732 2196 Pipopl32.exe 43 PID 2196 wrote to memory of 1732 2196 Pipopl32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2e022cba76f992dc31c03c60841fe20af2cf7481db8296ed52af0c1f2b3d898.exe"C:\Users\Admin\AppData\Local\Temp\e2e022cba76f992dc31c03c60841fe20af2cf7481db8296ed52af0c1f2b3d898.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1392 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1132 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1452 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:916 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe33⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe35⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1840 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe37⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe38⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe39⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe40⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe41⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe42⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe44⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe45⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe47⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe48⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe49⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe51⤵
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe52⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe54⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe56⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe57⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe58⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe59⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe60⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe62⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe63⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe64⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe65⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe67⤵PID:1160
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe68⤵PID:1196
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe69⤵PID:1276
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe70⤵PID:2256
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe71⤵PID:1624
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe72⤵PID:1868
-
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe73⤵PID:2820
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe74⤵PID:2456
-
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe75⤵PID:2460
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe76⤵PID:2736
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe77⤵PID:1604
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe78⤵PID:1236
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe79⤵PID:2796
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe80⤵
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe81⤵PID:1608
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe82⤵PID:2260
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe83⤵PID:2340
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe84⤵PID:1540
-
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe85⤵PID:108
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe86⤵
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe87⤵PID:2540
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe88⤵PID:1940
-
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe89⤵PID:2896
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe90⤵PID:2668
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe91⤵PID:2764
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe92⤵PID:848
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe93⤵PID:1016
-
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe94⤵PID:2044
-
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe95⤵PID:1768
-
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe96⤵PID:2108
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe97⤵
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe98⤵PID:2976
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe99⤵PID:1640
-
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2084 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2548 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe102⤵PID:2604
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe103⤵PID:2144
-
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe105⤵PID:2752
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe106⤵PID:2380
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe107⤵PID:2016
-
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe108⤵
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe109⤵PID:2756
-
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe110⤵PID:2104
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe111⤵PID:992
-
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe112⤵PID:2960
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe113⤵PID:2360
-
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe114⤵PID:2420
-
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe115⤵
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe116⤵PID:1260
-
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe118⤵PID:2244
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe119⤵PID:1420
-
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe120⤵PID:528
-
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe121⤵PID:1292
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-