Analysis
-
max time kernel
148s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
15-06-2024 23:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
78042a6cea4323b38c91776944d2d5e782a09e2230ac5d3b163a8b9fae8a1a0c.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
78042a6cea4323b38c91776944d2d5e782a09e2230ac5d3b163a8b9fae8a1a0c.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
78042a6cea4323b38c91776944d2d5e782a09e2230ac5d3b163a8b9fae8a1a0c.exe
-
Size
128KB
-
MD5
3482b0f01846bfde1ec95beff7020a91
-
SHA1
dffaa7d784cdca3ede9681db741a506883f312e7
-
SHA256
78042a6cea4323b38c91776944d2d5e782a09e2230ac5d3b163a8b9fae8a1a0c
-
SHA512
705aa039acb6d8fb3dc50809b4c9837f7b0f83a3f5faccf4e4bb7580ac92839c4e08ef570b91678d007513b5c8b0ddf1327503cfebbb9b73e661efc41c33ff97
-
SSDEEP
3072:CfTksi5bLxOvQrDu7WflGuTPxwO3FQo7fnEBctcp:CfTksi5bLxOHsG4+O3FF7fPtc
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhcdaibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fioija32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaqcoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pccfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjlgiqbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egdilkbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfcgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofpfnqjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbnbobin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pccfge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpkjond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjpkjond.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppoqge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alenki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flabbihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdakgibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekklaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbnbobin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddokpmfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ondajnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paejki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbdocc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djbiicon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknnbklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhhnli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgodbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dqhhknjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeqdep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fejgko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epdkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfbccp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkfjhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojkboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eeempocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djefobmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afiecb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbebiao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogmfbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balijo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hejoiedd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eajaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdopkn32.exe -
Executes dropped EXE 64 IoCs
pid Process 2244 Ojficpfn.exe 1388 Ocomlemo.exe 2844 Okfencna.exe 2580 Ojieip32.exe 2964 Ondajnme.exe 2628 Oqcnfjli.exe 1084 Oenifh32.exe 1204 Ogmfbd32.exe 3064 Ofpfnqjp.exe 1068 Ojkboo32.exe 1080 Pminkk32.exe 1176 Paejki32.exe 2548 Pphjgfqq.exe 2124 Pccfge32.exe 1616 Pfbccp32.exe 1184 Pjmodopf.exe 2196 Pipopl32.exe 2104 Paggai32.exe 560 Ppjglfon.exe 1116 Pcfcmd32.exe 1456 Pfdpip32.exe 1032 Pjpkjond.exe 1212 Pmnhfjmg.exe 2028 Ppmdbe32.exe 1820 Pbkpna32.exe 2272 Piehkkcl.exe 2444 Ppoqge32.exe 2840 Pbmmcq32.exe 2808 Qjknnbed.exe 2708 Qaefjm32.exe 2636 Qeqbkkej.exe 2448 Qhooggdn.exe 2600 Qnigda32.exe 2112 Qmlgonbe.exe 2976 Ahakmf32.exe 1816 Aajpelhl.exe 2776 Ahchbf32.exe 1988 Ajbdna32.exe 2116 Aiedjneg.exe 2212 Ampqjm32.exe 1868 Afiecb32.exe 1360 Alenki32.exe 2360 Admemg32.exe 1188 Afkbib32.exe 1064 Amejeljk.exe 2128 Apcfahio.exe 980 Aepojo32.exe 1928 Ahokfj32.exe 984 Bpfcgg32.exe 2156 Bbdocc32.exe 108 Bagpopmj.exe 2072 Bebkpn32.exe 2608 Blmdlhmp.exe 2684 Bbflib32.exe 2812 Bhcdaibd.exe 2968 Bkaqmeah.exe 2624 Bnpmipql.exe 2020 Balijo32.exe 2856 Bdjefj32.exe 1412 Bghabf32.exe 2120 Bnbjopoi.exe 956 Bpafkknm.exe 676 Bhhnli32.exe 1636 Bkfjhd32.exe -
Loads dropped DLL 64 IoCs
pid Process 3056 78042a6cea4323b38c91776944d2d5e782a09e2230ac5d3b163a8b9fae8a1a0c.exe 3056 78042a6cea4323b38c91776944d2d5e782a09e2230ac5d3b163a8b9fae8a1a0c.exe 2244 Ojficpfn.exe 2244 Ojficpfn.exe 1388 Ocomlemo.exe 1388 Ocomlemo.exe 2844 Okfencna.exe 2844 Okfencna.exe 2580 Ojieip32.exe 2580 Ojieip32.exe 2964 Ondajnme.exe 2964 Ondajnme.exe 2628 Oqcnfjli.exe 2628 Oqcnfjli.exe 1084 Oenifh32.exe 1084 Oenifh32.exe 1204 Ogmfbd32.exe 1204 Ogmfbd32.exe 3064 Ofpfnqjp.exe 3064 Ofpfnqjp.exe 1068 Ojkboo32.exe 1068 Ojkboo32.exe 1080 Pminkk32.exe 1080 Pminkk32.exe 1176 Paejki32.exe 1176 Paejki32.exe 2548 Pphjgfqq.exe 2548 Pphjgfqq.exe 2124 Pccfge32.exe 2124 Pccfge32.exe 1616 Pfbccp32.exe 1616 Pfbccp32.exe 1184 Pjmodopf.exe 1184 Pjmodopf.exe 2196 Pipopl32.exe 2196 Pipopl32.exe 2104 Paggai32.exe 2104 Paggai32.exe 560 Ppjglfon.exe 560 Ppjglfon.exe 1116 Pcfcmd32.exe 1116 Pcfcmd32.exe 1456 Pfdpip32.exe 1456 Pfdpip32.exe 1032 Pjpkjond.exe 1032 Pjpkjond.exe 1212 Pmnhfjmg.exe 1212 Pmnhfjmg.exe 2028 Ppmdbe32.exe 2028 Ppmdbe32.exe 1820 Pbkpna32.exe 1820 Pbkpna32.exe 2272 Piehkkcl.exe 2272 Piehkkcl.exe 2444 Ppoqge32.exe 2444 Ppoqge32.exe 2840 Pbmmcq32.exe 2840 Pbmmcq32.exe 2808 Qjknnbed.exe 2808 Qjknnbed.exe 2708 Qaefjm32.exe 2708 Qaefjm32.exe 2636 Qeqbkkej.exe 2636 Qeqbkkej.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ppmcfdad.dll Dfijnd32.exe File opened for modification C:\Windows\SysWOW64\Fmekoalh.exe Fnbkddem.exe File opened for modification C:\Windows\SysWOW64\Gaqcoc32.exe Gobgcg32.exe File created C:\Windows\SysWOW64\Hojopmqk.dll Hgilchkf.exe File created C:\Windows\SysWOW64\Mmqgncdn.dll Djefobmk.exe File created C:\Windows\SysWOW64\Jdnaob32.dll Iknnbklc.exe File created C:\Windows\SysWOW64\Cbnbobin.exe Copfbfjj.exe File opened for modification C:\Windows\SysWOW64\Djnpnc32.exe Dgodbh32.exe File opened for modification C:\Windows\SysWOW64\Copfbfjj.exe Claifkkf.exe File created C:\Windows\SysWOW64\Bnkajj32.dll Fhkpmjln.exe File created C:\Windows\SysWOW64\Qhbpij32.dll Glfhll32.exe File opened for modification C:\Windows\SysWOW64\Hpkjko32.exe Hahjpbad.exe File created C:\Windows\SysWOW64\Hodpgjha.exe Hlfdkoin.exe File created C:\Windows\SysWOW64\Pmnhfjmg.exe Pjpkjond.exe File created C:\Windows\SysWOW64\Fglhobmg.dll Dodonf32.exe File created C:\Windows\SysWOW64\Fioija32.exe Ffpmnf32.exe File created C:\Windows\SysWOW64\Ogmfbd32.exe Oenifh32.exe File created C:\Windows\SysWOW64\Pcfcmd32.exe Ppjglfon.exe File opened for modification C:\Windows\SysWOW64\Amejeljk.exe Afkbib32.exe File opened for modification C:\Windows\SysWOW64\Cobbhfhg.exe Clcflkic.exe File created C:\Windows\SysWOW64\Ebagmn32.dll Djbiicon.exe File opened for modification C:\Windows\SysWOW64\Ojieip32.exe Okfencna.exe File opened for modification C:\Windows\SysWOW64\Ondajnme.exe Ojieip32.exe File created C:\Windows\SysWOW64\Bcgeaj32.dll Pmnhfjmg.exe File created C:\Windows\SysWOW64\Ddokpmfo.exe Cobbhfhg.exe File opened for modification C:\Windows\SysWOW64\Gfefiemq.exe Gbijhg32.exe File created C:\Windows\SysWOW64\Codpklfq.dll Hahjpbad.exe File created C:\Windows\SysWOW64\Blmdlhmp.exe Bebkpn32.exe File created C:\Windows\SysWOW64\Jkjecnop.dll Bkaqmeah.exe File created C:\Windows\SysWOW64\Odbhmo32.dll Ecmkghcl.exe File opened for modification C:\Windows\SysWOW64\Filldb32.exe Fjilieka.exe File created C:\Windows\SysWOW64\Gpekfank.dll Gaemjbcg.exe File opened for modification C:\Windows\SysWOW64\Qaefjm32.exe Qjknnbed.exe File created C:\Windows\SysWOW64\Bnefdp32.exe Bkfjhd32.exe File created C:\Windows\SysWOW64\Pafagk32.dll Dqlafm32.exe File opened for modification C:\Windows\SysWOW64\Djefobmk.exe Dfijnd32.exe File created C:\Windows\SysWOW64\Ffpmnf32.exe Fbdqmghm.exe File created C:\Windows\SysWOW64\Dbnkge32.dll Goddhg32.exe File opened for modification C:\Windows\SysWOW64\Fjilieka.exe Fhkpmjln.exe File created C:\Windows\SysWOW64\Ihoafpmp.exe Ieqeidnl.exe File opened for modification C:\Windows\SysWOW64\Ojficpfn.exe 78042a6cea4323b38c91776944d2d5e782a09e2230ac5d3b163a8b9fae8a1a0c.exe File opened for modification C:\Windows\SysWOW64\Ppjglfon.exe Paggai32.exe File opened for modification C:\Windows\SysWOW64\Qhooggdn.exe Qeqbkkej.exe File created C:\Windows\SysWOW64\Gogangdc.exe Ggpimica.exe File opened for modification C:\Windows\SysWOW64\Hjjddchg.exe Hacmcfge.exe File created C:\Windows\SysWOW64\Cabknqko.dll Hdhbam32.exe File opened for modification C:\Windows\SysWOW64\Hodpgjha.exe Hlfdkoin.exe File created C:\Windows\SysWOW64\Bhhnli32.exe Bpafkknm.exe File opened for modification C:\Windows\SysWOW64\Ccfhhffh.exe Cphlljge.exe File created C:\Windows\SysWOW64\Cbamcl32.dll Claifkkf.exe File opened for modification C:\Windows\SysWOW64\Egdilkbf.exe Eeempocb.exe File created C:\Windows\SysWOW64\Feeiob32.exe Ffbicfoc.exe File created C:\Windows\SysWOW64\Hnojdcfi.exe Hkpnhgge.exe File created C:\Windows\SysWOW64\Piehkkcl.exe Pbkpna32.exe File created C:\Windows\SysWOW64\Lopekk32.dll Ebedndfa.exe File created C:\Windows\SysWOW64\Eeempocb.exe Eajaoq32.exe File opened for modification C:\Windows\SysWOW64\Eeempocb.exe Eajaoq32.exe File created C:\Windows\SysWOW64\Fbdqmghm.exe Fdapak32.exe File created C:\Windows\SysWOW64\Qhooggdn.exe Qeqbkkej.exe File created C:\Windows\SysWOW64\Dobkmdfq.dll Bpfcgg32.exe File created C:\Windows\SysWOW64\Fncann32.dll Dhmcfkme.exe File created C:\Windows\SysWOW64\Dcdooi32.dll Fbdqmghm.exe File opened for modification C:\Windows\SysWOW64\Gogangdc.exe Ggpimica.exe File opened for modification C:\Windows\SysWOW64\Eajaoq32.exe Epieghdk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3652 3628 WerFault.exe 224 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oqcnfjli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afkbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgeceh32.dll" Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafagk32.dll" Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll" Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moealbej.dll" Qhooggdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajbdna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djefobmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okfencna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdppp32.dll" Oqcnfjli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pccfge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfbccp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfdpip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ieqeidnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccfhhffh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjecnop.dll" Bkaqmeah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eflgccbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpmjak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gieojq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjmodopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afkbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccobp32.dll" Aepojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oockje32.dll" Cjbmjplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll" Gldkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll" Hgbebiao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkpnhgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahokfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpjiajeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgodbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flcnijgi.dll" Dchali32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egdilkbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Feeiob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkakief.dll" Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdanej32.dll" Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmlnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" 78042a6cea4323b38c91776944d2d5e782a09e2230ac5d3b163a8b9fae8a1a0c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojkboo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bpfcgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Clcflkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdcbnc32.dll" Ogmfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekklaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaeldika.dll" Ffkcbgek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopodm32.dll" Filldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckggkg32.dll" Qnigda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aajpelhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjilieka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Filldb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gaqcoc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3056 wrote to memory of 2244 3056 78042a6cea4323b38c91776944d2d5e782a09e2230ac5d3b163a8b9fae8a1a0c.exe 28 PID 3056 wrote to memory of 2244 3056 78042a6cea4323b38c91776944d2d5e782a09e2230ac5d3b163a8b9fae8a1a0c.exe 28 PID 3056 wrote to memory of 2244 3056 78042a6cea4323b38c91776944d2d5e782a09e2230ac5d3b163a8b9fae8a1a0c.exe 28 PID 3056 wrote to memory of 2244 3056 78042a6cea4323b38c91776944d2d5e782a09e2230ac5d3b163a8b9fae8a1a0c.exe 28 PID 2244 wrote to memory of 1388 2244 Ojficpfn.exe 29 PID 2244 wrote to memory of 1388 2244 Ojficpfn.exe 29 PID 2244 wrote to memory of 1388 2244 Ojficpfn.exe 29 PID 2244 wrote to memory of 1388 2244 Ojficpfn.exe 29 PID 1388 wrote to memory of 2844 1388 Ocomlemo.exe 30 PID 1388 wrote to memory of 2844 1388 Ocomlemo.exe 30 PID 1388 wrote to memory of 2844 1388 Ocomlemo.exe 30 PID 1388 wrote to memory of 2844 1388 Ocomlemo.exe 30 PID 2844 wrote to memory of 2580 2844 Okfencna.exe 31 PID 2844 wrote to memory of 2580 2844 Okfencna.exe 31 PID 2844 wrote to memory of 2580 2844 Okfencna.exe 31 PID 2844 wrote to memory of 2580 2844 Okfencna.exe 31 PID 2580 wrote to memory of 2964 2580 Ojieip32.exe 32 PID 2580 wrote to memory of 2964 2580 Ojieip32.exe 32 PID 2580 wrote to memory of 2964 2580 Ojieip32.exe 32 PID 2580 wrote to memory of 2964 2580 Ojieip32.exe 32 PID 2964 wrote to memory of 2628 2964 Ondajnme.exe 33 PID 2964 wrote to memory of 2628 2964 Ondajnme.exe 33 PID 2964 wrote to memory of 2628 2964 Ondajnme.exe 33 PID 2964 wrote to memory of 2628 2964 Ondajnme.exe 33 PID 2628 wrote to memory of 1084 2628 Oqcnfjli.exe 34 PID 2628 wrote to memory of 1084 2628 Oqcnfjli.exe 34 PID 2628 wrote to memory of 1084 2628 Oqcnfjli.exe 34 PID 2628 wrote to memory of 1084 2628 Oqcnfjli.exe 34 PID 1084 wrote to memory of 1204 1084 Oenifh32.exe 35 PID 1084 wrote to memory of 1204 1084 Oenifh32.exe 35 PID 1084 wrote to memory of 1204 1084 Oenifh32.exe 35 PID 1084 wrote to memory of 1204 1084 Oenifh32.exe 35 PID 1204 wrote to memory of 3064 1204 Ogmfbd32.exe 36 PID 1204 wrote to memory of 3064 1204 Ogmfbd32.exe 36 PID 1204 wrote to memory of 3064 1204 Ogmfbd32.exe 36 PID 1204 wrote to memory of 3064 1204 Ogmfbd32.exe 36 PID 3064 wrote to memory of 1068 3064 Ofpfnqjp.exe 37 PID 3064 wrote to memory of 1068 3064 Ofpfnqjp.exe 37 PID 3064 wrote to memory of 1068 3064 Ofpfnqjp.exe 37 PID 3064 wrote to memory of 1068 3064 Ofpfnqjp.exe 37 PID 1068 wrote to memory of 1080 1068 Ojkboo32.exe 38 PID 1068 wrote to memory of 1080 1068 Ojkboo32.exe 38 PID 1068 wrote to memory of 1080 1068 Ojkboo32.exe 38 PID 1068 wrote to memory of 1080 1068 Ojkboo32.exe 38 PID 1080 wrote to memory of 1176 1080 Pminkk32.exe 39 PID 1080 wrote to memory of 1176 1080 Pminkk32.exe 39 PID 1080 wrote to memory of 1176 1080 Pminkk32.exe 39 PID 1080 wrote to memory of 1176 1080 Pminkk32.exe 39 PID 1176 wrote to memory of 2548 1176 Paejki32.exe 40 PID 1176 wrote to memory of 2548 1176 Paejki32.exe 40 PID 1176 wrote to memory of 2548 1176 Paejki32.exe 40 PID 1176 wrote to memory of 2548 1176 Paejki32.exe 40 PID 2548 wrote to memory of 2124 2548 Pphjgfqq.exe 41 PID 2548 wrote to memory of 2124 2548 Pphjgfqq.exe 41 PID 2548 wrote to memory of 2124 2548 Pphjgfqq.exe 41 PID 2548 wrote to memory of 2124 2548 Pphjgfqq.exe 41 PID 2124 wrote to memory of 1616 2124 Pccfge32.exe 42 PID 2124 wrote to memory of 1616 2124 Pccfge32.exe 42 PID 2124 wrote to memory of 1616 2124 Pccfge32.exe 42 PID 2124 wrote to memory of 1616 2124 Pccfge32.exe 42 PID 1616 wrote to memory of 1184 1616 Pfbccp32.exe 43 PID 1616 wrote to memory of 1184 1616 Pfbccp32.exe 43 PID 1616 wrote to memory of 1184 1616 Pfbccp32.exe 43 PID 1616 wrote to memory of 1184 1616 Pfbccp32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\78042a6cea4323b38c91776944d2d5e782a09e2230ac5d3b163a8b9fae8a1a0c.exe"C:\Users\Admin\AppData\Local\Temp\78042a6cea4323b38c91776944d2d5e782a09e2230ac5d3b163a8b9fae8a1a0c.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1184 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:560 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1116 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1456 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe36⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe38⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe40⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe41⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe44⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe46⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe47⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:980 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:984 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe52⤵
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe54⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe55⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe58⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe60⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1412 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe62⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:956 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe66⤵PID:1060
-
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe67⤵PID:2544
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe68⤵PID:2316
-
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1292 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2368 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe71⤵PID:2208
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe72⤵
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe73⤵
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe74⤵PID:2932
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe75⤵PID:2108
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe76⤵
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe77⤵PID:2060
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe78⤵PID:2560
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe79⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe80⤵
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:484 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1488 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe83⤵PID:568
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe85⤵
- Drops file in System32 directory
PID:616 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1680 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe87⤵PID:1912
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe88⤵PID:2716
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe89⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe90⤵PID:1612
-
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe91⤵
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe93⤵
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2056 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe95⤵PID:320
-
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe96⤵PID:788
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe97⤵PID:1948
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe98⤵PID:1448
-
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe101⤵PID:2864
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe103⤵PID:2952
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe104⤵
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:940 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe107⤵
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe108⤵
- Modifies registry class
PID:780 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe109⤵PID:2276
-
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe110⤵PID:1584
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1968 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2940 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe114⤵PID:2744
-
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe117⤵PID:948
-
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe118⤵PID:1020
-
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe119⤵PID:1628
-
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2832
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-