Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
16-06-2024 19:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1f4f2c97c08e2e1b3cfbd37c7f13986fcd8e07b859c4ab72024c6e13c7ad5234.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1f4f2c97c08e2e1b3cfbd37c7f13986fcd8e07b859c4ab72024c6e13c7ad5234.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
1f4f2c97c08e2e1b3cfbd37c7f13986fcd8e07b859c4ab72024c6e13c7ad5234.exe
-
Size
108KB
-
MD5
cd3f95c2510a065752a6f826a04e58c3
-
SHA1
95f7f271660e079d56628a2f9b04224fc25841be
-
SHA256
1f4f2c97c08e2e1b3cfbd37c7f13986fcd8e07b859c4ab72024c6e13c7ad5234
-
SHA512
f02ff2f1f396c5d3ba944aa98b7fb6b1edf609a12d3aa27c0161d243c28b4ad0e046752028fa2f6dfe46d9a580f9558231a1b92827c8ee0798c0dba77122d862
-
SSDEEP
1536:q+AqGhYPp41vKbj2UnYWw3uq+MwB+rjm8NiIqhn3HQ8BawTj2wQ3K:q3qGh6gv8nYJcUjmOiBn3w8BdTj2h3K
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphmeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghmiam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pelipl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baildokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgaqgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cllpkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbnccfpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpocfncj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afmonbqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcfdgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiaiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enihne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eloemi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plahag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmjejphb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idceea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjhkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okfencna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plcdgfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqonkmdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiaiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Henidd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Affhncfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqelenlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doobajme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djbiicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhhcgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djbiicon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdamqndn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gelppaof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpocfncj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Begeknan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gonnhhln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdlhchf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjndop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhooggdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckignd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmjaic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbnbobin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epdkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaemjbcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpkjko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmfbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egamfkdh.exe -
Executes dropped EXE 64 IoCs
pid Process 2404 Odgcfijj.exe 2276 Onphoo32.exe 2764 Oiellh32.exe 2704 Onbddoog.exe 1172 Oelmai32.exe 2536 Okfencna.exe 2592 Ondajnme.exe 2912 Oqcnfjli.exe 2136 Ogmfbd32.exe 1908 Ojkboo32.exe 2784 Paejki32.exe 2728 Pgobhcac.exe 2888 Pjmodopf.exe 1548 Paggai32.exe 2120 Pbiciana.exe 3024 Pjpkjond.exe 320 Plahag32.exe 1020 Pbkpna32.exe 2028 Pfflopdh.exe 376 Plcdgfbo.exe 2504 Pnbacbac.exe 1268 Pfiidobe.exe 1556 Pelipl32.exe 1660 Pigeqkai.exe 1732 Penfelgm.exe 1600 Qbbfopeg.exe 2724 Qhooggdn.exe 2692 Qnigda32.exe 2700 Qecoqk32.exe 2576 Afdlhchf.exe 2588 Ajphib32.exe 2600 Amndem32.exe 1248 Aplpai32.exe 2780 Affhncfc.exe 2984 Affhncfc.exe 2128 Aiedjneg.exe 1592 Ajdadamj.exe 2604 Abpfhcje.exe 2916 Aenbdoii.exe 1536 Amejeljk.exe 1208 Alhjai32.exe 3028 Afmonbqk.exe 2524 Boiccdnf.exe 596 Bagpopmj.exe 912 Blmdlhmp.exe 828 Baildokg.exe 1500 Bhcdaibd.exe 1832 Bkaqmeah.exe 2368 Bommnc32.exe 2196 Begeknan.exe 1608 Bdjefj32.exe 2648 Bghabf32.exe 2760 Bkdmcdoe.exe 2980 Bnbjopoi.exe 2656 Bpafkknm.exe 2832 Bdlblj32.exe 2844 Bgknheej.exe 2072 Bkfjhd32.exe 2900 Baqbenep.exe 1976 Bpcbqk32.exe 2908 Bcaomf32.exe 2080 Ckignd32.exe 2824 Cjlgiqbk.exe 1084 Cpeofk32.exe -
Loads dropped DLL 64 IoCs
pid Process 1700 1f4f2c97c08e2e1b3cfbd37c7f13986fcd8e07b859c4ab72024c6e13c7ad5234.exe 1700 1f4f2c97c08e2e1b3cfbd37c7f13986fcd8e07b859c4ab72024c6e13c7ad5234.exe 2404 Odgcfijj.exe 2404 Odgcfijj.exe 2276 Onphoo32.exe 2276 Onphoo32.exe 2764 Oiellh32.exe 2764 Oiellh32.exe 2704 Onbddoog.exe 2704 Onbddoog.exe 1172 Oelmai32.exe 1172 Oelmai32.exe 2536 Okfencna.exe 2536 Okfencna.exe 2592 Ondajnme.exe 2592 Ondajnme.exe 2912 Oqcnfjli.exe 2912 Oqcnfjli.exe 2136 Ogmfbd32.exe 2136 Ogmfbd32.exe 1908 Ojkboo32.exe 1908 Ojkboo32.exe 2784 Paejki32.exe 2784 Paejki32.exe 2728 Pgobhcac.exe 2728 Pgobhcac.exe 2888 Pjmodopf.exe 2888 Pjmodopf.exe 1548 Paggai32.exe 1548 Paggai32.exe 2120 Pbiciana.exe 2120 Pbiciana.exe 3024 Pjpkjond.exe 3024 Pjpkjond.exe 320 Plahag32.exe 320 Plahag32.exe 1020 Pbkpna32.exe 1020 Pbkpna32.exe 2028 Pfflopdh.exe 2028 Pfflopdh.exe 376 Plcdgfbo.exe 376 Plcdgfbo.exe 2504 Pnbacbac.exe 2504 Pnbacbac.exe 1268 Pfiidobe.exe 1268 Pfiidobe.exe 1556 Pelipl32.exe 1556 Pelipl32.exe 1660 Pigeqkai.exe 1660 Pigeqkai.exe 1732 Penfelgm.exe 1732 Penfelgm.exe 1600 Qbbfopeg.exe 1600 Qbbfopeg.exe 2724 Qhooggdn.exe 2724 Qhooggdn.exe 2692 Qnigda32.exe 2692 Qnigda32.exe 2700 Qecoqk32.exe 2700 Qecoqk32.exe 2576 Afdlhchf.exe 2576 Afdlhchf.exe 2588 Ajphib32.exe 2588 Ajphib32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aiedjneg.exe Affhncfc.exe File created C:\Windows\SysWOW64\Bghabf32.exe Bdjefj32.exe File created C:\Windows\SysWOW64\Bmeohn32.dll Bpcbqk32.exe File created C:\Windows\SysWOW64\Fmcoja32.exe Fjdbnf32.exe File created C:\Windows\SysWOW64\Fejgko32.exe Fmcoja32.exe File created C:\Windows\SysWOW64\Olndbg32.dll Fmekoalh.exe File created C:\Windows\SysWOW64\Ihomanac.dll Begeknan.exe File created C:\Windows\SysWOW64\Lpicol32.dll Cjlgiqbk.exe File created C:\Windows\SysWOW64\Djbiicon.exe Dgdmmgpj.exe File created C:\Windows\SysWOW64\Ohbepi32.dll Fmhheqje.exe File created C:\Windows\SysWOW64\Pljpdpao.dll Hgilchkf.exe File created C:\Windows\SysWOW64\Pbiciana.exe Paggai32.exe File opened for modification C:\Windows\SysWOW64\Ebedndfa.exe Enihne32.exe File created C:\Windows\SysWOW64\Fmhheqje.exe Fjilieka.exe File opened for modification C:\Windows\SysWOW64\Hlfdkoin.exe Hhjhkq32.exe File created C:\Windows\SysWOW64\Liqebf32.dll Hlfdkoin.exe File created C:\Windows\SysWOW64\Pjmodopf.exe Pgobhcac.exe File opened for modification C:\Windows\SysWOW64\Pbiciana.exe Paggai32.exe File opened for modification C:\Windows\SysWOW64\Pigeqkai.exe Pelipl32.exe File created C:\Windows\SysWOW64\Fjlhneio.exe Fpfdalii.exe File created C:\Windows\SysWOW64\Bhpdae32.dll Hdhbam32.exe File created C:\Windows\SysWOW64\Ghmiam32.exe Gdamqndn.exe File opened for modification C:\Windows\SysWOW64\Hellne32.exe Hgilchkf.exe File created C:\Windows\SysWOW64\Aplpai32.exe Amndem32.exe File opened for modification C:\Windows\SysWOW64\Dbpodagk.exe Ckffgg32.exe File created C:\Windows\SysWOW64\Dcfdgiid.exe Dqhhknjp.exe File created C:\Windows\SysWOW64\Fdoclk32.exe Fmekoalh.exe File created C:\Windows\SysWOW64\Ocjcidbb.dll Gbijhg32.exe File created C:\Windows\SysWOW64\Cmmhnnlm.dll Ogmfbd32.exe File created C:\Windows\SysWOW64\Oomkin32.dll Paggai32.exe File created C:\Windows\SysWOW64\Bkdmcdoe.exe Bghabf32.exe File created C:\Windows\SysWOW64\Deokcq32.dll Bpafkknm.exe File opened for modification C:\Windows\SysWOW64\Hdhbam32.exe Hpmgqnfl.exe File created C:\Windows\SysWOW64\Hlfdkoin.exe Hhjhkq32.exe File opened for modification C:\Windows\SysWOW64\Fdoclk32.exe Fmekoalh.exe File created C:\Windows\SysWOW64\Gonnhhln.exe Globlmmj.exe File created C:\Windows\SysWOW64\Bgpokk32.dll Pnbacbac.exe File created C:\Windows\SysWOW64\Jhnaid32.dll Penfelgm.exe File opened for modification C:\Windows\SysWOW64\Qnigda32.exe Qhooggdn.exe File created C:\Windows\SysWOW64\Bommnc32.exe Bkaqmeah.exe File created C:\Windows\SysWOW64\Dkhcmgnl.exe Dgmglh32.exe File created C:\Windows\SysWOW64\Bibckiab.dll Eajaoq32.exe File created C:\Windows\SysWOW64\Hojopmqk.dll Hjhhocjj.exe File created C:\Windows\SysWOW64\Higdqfol.dll Pigeqkai.exe File created C:\Windows\SysWOW64\Djnpnc32.exe Dgodbh32.exe File created C:\Windows\SysWOW64\Odbhmo32.dll Ecmkghcl.exe File created C:\Windows\SysWOW64\Eajaoq32.exe Ebgacddo.exe File created C:\Windows\SysWOW64\Bcqgok32.dll Ffbicfoc.exe File created C:\Windows\SysWOW64\Hepmggig.dll Hggomh32.exe File created C:\Windows\SysWOW64\Glamna32.dll 1f4f2c97c08e2e1b3cfbd37c7f13986fcd8e07b859c4ab72024c6e13c7ad5234.exe File created C:\Windows\SysWOW64\Ealffeej.dll Pfiidobe.exe File opened for modification C:\Windows\SysWOW64\Djpmccqq.exe Dgaqgh32.exe File created C:\Windows\SysWOW64\Fjilieka.exe Fhkpmjln.exe File opened for modification C:\Windows\SysWOW64\Glfhll32.exe Ghkllmoi.exe File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe Ioijbj32.exe File opened for modification C:\Windows\SysWOW64\Onphoo32.exe Odgcfijj.exe File opened for modification C:\Windows\SysWOW64\Egamfkdh.exe Eiomkn32.exe File created C:\Windows\SysWOW64\Gmgdddmq.exe Gkihhhnm.exe File opened for modification C:\Windows\SysWOW64\Hiqbndpb.exe Hgbebiao.exe File created C:\Windows\SysWOW64\Iaeiieeb.exe Icbimi32.exe File opened for modification C:\Windows\SysWOW64\Idceea32.exe Iaeiieeb.exe File created C:\Windows\SysWOW64\Bagpopmj.exe Boiccdnf.exe File opened for modification C:\Windows\SysWOW64\Bommnc32.exe Bkaqmeah.exe File opened for modification C:\Windows\SysWOW64\Clomqk32.exe Chcqpmep.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4004 3980 WerFault.exe 233 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pelipl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbnbobin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdcbfq32.dll" Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll" Gmgdddmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdhbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moealbej.dll" Qhooggdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipghqomc.dll" Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qinopgfb.dll" Baqbenep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeccgbbh.dll" Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll" Ghmiam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbpodagk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ealnephf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikeogmlj.dll" Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeqjnho.dll" Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clnlnhop.dll" Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpfdalii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gacpdbej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iegecigk.dll" Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddagfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncann32.dll" Ddagfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll" Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkojpojq.dll" Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekklaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiqbndpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onphoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdijd32.dll" Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndejjf32.dll" Amndem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll" Globlmmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bommnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebagmn32.dll" Djbiicon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll" Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqhhknjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll" Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baqbenep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flcnijgi.dll" Dgdmmgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadkgl32.dll" Fehjeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gacpdbej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpocfncj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mocaac32.dll" Bkdmcdoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmjejphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogmfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfqpfb32.dll" Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nejeco32.dll" Comimg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll" Gbijhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Henidd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiaiqn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1700 wrote to memory of 2404 1700 1f4f2c97c08e2e1b3cfbd37c7f13986fcd8e07b859c4ab72024c6e13c7ad5234.exe 28 PID 1700 wrote to memory of 2404 1700 1f4f2c97c08e2e1b3cfbd37c7f13986fcd8e07b859c4ab72024c6e13c7ad5234.exe 28 PID 1700 wrote to memory of 2404 1700 1f4f2c97c08e2e1b3cfbd37c7f13986fcd8e07b859c4ab72024c6e13c7ad5234.exe 28 PID 1700 wrote to memory of 2404 1700 1f4f2c97c08e2e1b3cfbd37c7f13986fcd8e07b859c4ab72024c6e13c7ad5234.exe 28 PID 2404 wrote to memory of 2276 2404 Odgcfijj.exe 29 PID 2404 wrote to memory of 2276 2404 Odgcfijj.exe 29 PID 2404 wrote to memory of 2276 2404 Odgcfijj.exe 29 PID 2404 wrote to memory of 2276 2404 Odgcfijj.exe 29 PID 2276 wrote to memory of 2764 2276 Onphoo32.exe 30 PID 2276 wrote to memory of 2764 2276 Onphoo32.exe 30 PID 2276 wrote to memory of 2764 2276 Onphoo32.exe 30 PID 2276 wrote to memory of 2764 2276 Onphoo32.exe 30 PID 2764 wrote to memory of 2704 2764 Oiellh32.exe 31 PID 2764 wrote to memory of 2704 2764 Oiellh32.exe 31 PID 2764 wrote to memory of 2704 2764 Oiellh32.exe 31 PID 2764 wrote to memory of 2704 2764 Oiellh32.exe 31 PID 2704 wrote to memory of 1172 2704 Onbddoog.exe 32 PID 2704 wrote to memory of 1172 2704 Onbddoog.exe 32 PID 2704 wrote to memory of 1172 2704 Onbddoog.exe 32 PID 2704 wrote to memory of 1172 2704 Onbddoog.exe 32 PID 1172 wrote to memory of 2536 1172 Oelmai32.exe 33 PID 1172 wrote to memory of 2536 1172 Oelmai32.exe 33 PID 1172 wrote to memory of 2536 1172 Oelmai32.exe 33 PID 1172 wrote to memory of 2536 1172 Oelmai32.exe 33 PID 2536 wrote to memory of 2592 2536 Okfencna.exe 34 PID 2536 wrote to memory of 2592 2536 Okfencna.exe 34 PID 2536 wrote to memory of 2592 2536 Okfencna.exe 34 PID 2536 wrote to memory of 2592 2536 Okfencna.exe 34 PID 2592 wrote to memory of 2912 2592 Ondajnme.exe 35 PID 2592 wrote to memory of 2912 2592 Ondajnme.exe 35 PID 2592 wrote to memory of 2912 2592 Ondajnme.exe 35 PID 2592 wrote to memory of 2912 2592 Ondajnme.exe 35 PID 2912 wrote to memory of 2136 2912 Oqcnfjli.exe 36 PID 2912 wrote to memory of 2136 2912 Oqcnfjli.exe 36 PID 2912 wrote to memory of 2136 2912 Oqcnfjli.exe 36 PID 2912 wrote to memory of 2136 2912 Oqcnfjli.exe 36 PID 2136 wrote to memory of 1908 2136 Ogmfbd32.exe 37 PID 2136 wrote to memory of 1908 2136 Ogmfbd32.exe 37 PID 2136 wrote to memory of 1908 2136 Ogmfbd32.exe 37 PID 2136 wrote to memory of 1908 2136 Ogmfbd32.exe 37 PID 1908 wrote to memory of 2784 1908 Ojkboo32.exe 38 PID 1908 wrote to memory of 2784 1908 Ojkboo32.exe 38 PID 1908 wrote to memory of 2784 1908 Ojkboo32.exe 38 PID 1908 wrote to memory of 2784 1908 Ojkboo32.exe 38 PID 2784 wrote to memory of 2728 2784 Paejki32.exe 39 PID 2784 wrote to memory of 2728 2784 Paejki32.exe 39 PID 2784 wrote to memory of 2728 2784 Paejki32.exe 39 PID 2784 wrote to memory of 2728 2784 Paejki32.exe 39 PID 2728 wrote to memory of 2888 2728 Pgobhcac.exe 40 PID 2728 wrote to memory of 2888 2728 Pgobhcac.exe 40 PID 2728 wrote to memory of 2888 2728 Pgobhcac.exe 40 PID 2728 wrote to memory of 2888 2728 Pgobhcac.exe 40 PID 2888 wrote to memory of 1548 2888 Pjmodopf.exe 41 PID 2888 wrote to memory of 1548 2888 Pjmodopf.exe 41 PID 2888 wrote to memory of 1548 2888 Pjmodopf.exe 41 PID 2888 wrote to memory of 1548 2888 Pjmodopf.exe 41 PID 1548 wrote to memory of 2120 1548 Paggai32.exe 42 PID 1548 wrote to memory of 2120 1548 Paggai32.exe 42 PID 1548 wrote to memory of 2120 1548 Paggai32.exe 42 PID 1548 wrote to memory of 2120 1548 Paggai32.exe 42 PID 2120 wrote to memory of 3024 2120 Pbiciana.exe 43 PID 2120 wrote to memory of 3024 2120 Pbiciana.exe 43 PID 2120 wrote to memory of 3024 2120 Pbiciana.exe 43 PID 2120 wrote to memory of 3024 2120 Pbiciana.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f4f2c97c08e2e1b3cfbd37c7f13986fcd8e07b859c4ab72024c6e13c7ad5234.exe"C:\Users\Admin\AppData\Local\Temp\1f4f2c97c08e2e1b3cfbd37c7f13986fcd8e07b859c4ab72024c6e13c7ad5234.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:320 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1020 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:376 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1660 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe34⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe37⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe39⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe40⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe41⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe42⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe45⤵
- Executes dropped EXE
PID:596 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe48⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe55⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe57⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe59⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe62⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe65⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe66⤵PID:788
-
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe67⤵PID:2332
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1996 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1124 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe70⤵PID:2460
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe71⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe72⤵
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe73⤵
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe74⤵PID:1956
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe75⤵PID:2264
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe76⤵PID:1272
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe77⤵PID:1688
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe78⤵PID:2808
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:316 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe80⤵PID:2116
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe81⤵
- Drops file in System32 directory
PID:1464 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe82⤵
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe83⤵PID:1820
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe84⤵
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe85⤵PID:2156
-
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe86⤵PID:2440
-
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe88⤵
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe89⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe90⤵PID:1760
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe91⤵PID:2296
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2800 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe95⤵
- Modifies registry class
PID:632 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe96⤵PID:2308
-
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe97⤵PID:560
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe100⤵PID:2152
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe101⤵PID:2940
-
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2772 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe103⤵PID:2756
-
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:760 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe106⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe107⤵PID:2924
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe108⤵PID:1524
-
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe109⤵PID:1540
-
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe110⤵
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1016 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe113⤵PID:1628
-
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe114⤵
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe115⤵PID:2032
-
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe117⤵PID:2620
-
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe118⤵PID:1680
-
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe119⤵
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2340
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-