Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03/07/2024, 22:31
Static task: static1
Behavioral task: behavioral1
Sample: 61d0f505bf7b7e263dee066639daf262c09aa94b9d4b378c7e56f04ad61851a5.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 61d0f505bf7b7e263dee066639daf262c09aa94b9d4b378c7e56f04ad61851a5.exe
Resource: win10v2004-20240611-en
General
Target: 61d0f505bf7b7e263dee066639daf262c09aa94b9d4b378c7e56f04ad61851a5.exe
Size: 59KB
MD5: 3a1bdfbe5ce632ff147eac1ca782f649
SHA1: 7a3d0967978cfb004a35fabb289ccc2c96f7c55f
SHA256: 61d0f505bf7b7e263dee066639daf262c09aa94b9d4b378c7e56f04ad61851a5
SHA512: a56761d637f62ded91c68e7602e251bedaacc236f68d9a1d292287921d538ebbdee5507f7776ef28a1df8e617a90e6ae2eb905d7c785ec8a107a5985a5aaf882
SSDEEP: 768:rxZAyEibUNDkwG/QUmqW4NtSRmXXZa4gPkPPSSSpz0uZ/1H5Vw5nf1fZMEBFELv8:dXEQUOH/Qyr8mRvUT0NCyVso
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oqcnfjli.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chcqpmep.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gobgcg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Paejki32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cobbhfhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eiomkn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Affhncfc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpmjak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oqndkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Afkbib32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnpmipql.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gogangdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhmcfkme.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eiomkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gaemjbcg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hdhbam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hogmmjfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abmibdlh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjpqdp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cbnbobin.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddeaalpg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecpgmhai.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmlnoc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qhmbagfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aigaon32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjijdadm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckignd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qbbfopeg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjndop32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hggomh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hellne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hodpgjha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gieojq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghhofmql.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Omloag32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phjelg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qdccfh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gkgkbipp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgbebiao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ekklaj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogjimd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ppmdbe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dqelenlc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Efncicpm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Flabbihl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjilieka.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pnbacbac.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ailkjmpo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnilobkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dqhhknjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfdpip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ampqjm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgaqgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfflopdh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djbiicon.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlcgeo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ppmdbe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cdakgibq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddokpmfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghhofmql.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gaemjbcg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpocfncj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odegpj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ondajnme.exe
Executes dropped EXE 64 IoCs
pid | Process
1716 | Nbdnoo32.exe
2292 | Nmjblg32.exe
2712 | Nbfjdn32.exe
2576 | Odegpj32.exe
2500 | Omloag32.exe
2472 | Onmkio32.exe
3008 | Odgcfijj.exe
2636 | Ogfpbeim.exe
2956 | Onphoo32.exe
884 | Oqndkj32.exe
2764 | Oiellh32.exe
2520 | Okchhc32.exe
2780 | Onbddoog.exe
1512 | Oqqapjnk.exe
2052 | Oelmai32.exe
2164 | Ogjimd32.exe
596 | Okfencna.exe
1296 | Ojieip32.exe
584 | Ondajnme.exe
1868 | Omgaek32.exe
1108 | Oqcnfjli.exe
1944 | Ofpfnqjp.exe
1996 | Ojkboo32.exe
1300 | Paejki32.exe
1020 | Pphjgfqq.exe
2268 | Pfbccp32.exe
1592 | Pipopl32.exe
2108 | Ppjglfon.exe
1948 | Pfdpip32.exe
2612 | Pmnhfjmg.exe
2768 | Ppmdbe32.exe
2504 | Pfflopdh.exe
1888 | Pmqdkj32.exe
3000 | Pnbacbac.exe
2848 | Pfiidobe.exe
2972 | Phjelg32.exe
1972 | Pndniaop.exe
304 | Pabjem32.exe
2828 | Qhmbagfa.exe
2556 | Qbbfopeg.exe
1228 | Qeqbkkej.exe
2860 | Qdccfh32.exe
788 | Qljkhe32.exe
3056 | Qnigda32.exe
2384 | Qecoqk32.exe
828 | Ahakmf32.exe
2432 | Ankdiqih.exe
1536 | Aplpai32.exe
1540 | Affhncfc.exe
1616 | Ampqjm32.exe
1332 | Aalmklfi.exe
1168 | Adjigg32.exe
2028 | Abmibdlh.exe
2552 | Afiecb32.exe
2884 | Aigaon32.exe
2680 | Alenki32.exe
2756 | Apajlhka.exe
2492 | Admemg32.exe
2988 | Afkbib32.exe
3004 | Amejeljk.exe
2840 | Alhjai32.exe
2792 | Abbbnchb.exe
1200 | Afmonbqk.exe
1704 | Ailkjmpo.exe
Loads dropped DLL 64 IoCs
pid | Process
912 | 61d0f505bf7b7e263dee066639daf262c09aa94b9d4b378c7e56f04ad61851a5.exe
912 | 61d0f505bf7b7e263dee066639daf262c09aa94b9d4b378c7e56f04ad61851a5.exe
1716 | Nbdnoo32.exe
1716 | Nbdnoo32.exe
2292 | Nmjblg32.exe
2292 | Nmjblg32.exe
2712 | Nbfjdn32.exe
2712 | Nbfjdn32.exe
2576 | Odegpj32.exe
2576 | Odegpj32.exe
2500 | Omloag32.exe
2500 | Omloag32.exe
2472 | Onmkio32.exe
2472 | Onmkio32.exe
3008 | Odgcfijj.exe
3008 | Odgcfijj.exe
2636 | Ogfpbeim.exe
2636 | Ogfpbeim.exe
2956 | Onphoo32.exe
2956 | Onphoo32.exe
884 | Oqndkj32.exe
884 | Oqndkj32.exe
2764 | Oiellh32.exe
2764 | Oiellh32.exe
2520 | Okchhc32.exe
2520 | Okchhc32.exe
2780 | Onbddoog.exe
2780 | Onbddoog.exe
1512 | Oqqapjnk.exe
1512 | Oqqapjnk.exe
2052 | Oelmai32.exe
2052 | Oelmai32.exe
2164 | Ogjimd32.exe
2164 | Ogjimd32.exe
596 | Okfencna.exe
596 | Okfencna.exe
1296 | Ojieip32.exe
1296 | Ojieip32.exe
584 | Ondajnme.exe
584 | Ondajnme.exe
1868 | Omgaek32.exe
1868 | Omgaek32.exe
1108 | Oqcnfjli.exe
1108 | Oqcnfjli.exe
1944 | Ofpfnqjp.exe
1944 | Ofpfnqjp.exe
1996 | Ojkboo32.exe
1996 | Ojkboo32.exe
1300 | Paejki32.exe
1300 | Paejki32.exe
1020 | Pphjgfqq.exe
1020 | Pphjgfqq.exe
2268 | Pfbccp32.exe
2268 | Pfbccp32.exe
1592 | Pipopl32.exe
1592 | Pipopl32.exe
2108 | Ppjglfon.exe
2108 | Ppjglfon.exe
1948 | Pfdpip32.exe
1948 | Pfdpip32.exe
2612 | Pmnhfjmg.exe
2612 | Pmnhfjmg.exe
2768 | Ppmdbe32.exe
2768 | Ppmdbe32.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Gbijhg32.exe | Globlmmj.exe
File opened for modification | C:\Windows\SysWOW64\Iagfoe32.exe | Inljnfkg.exe
File created | C:\Windows\SysWOW64\Qnigda32.exe | Qljkhe32.exe
File opened for modification | C:\Windows\SysWOW64\Bloqah32.exe | Beehencq.exe
File created | C:\Windows\SysWOW64\Cgqjffca.dll | Ejgcdb32.exe
File created | C:\Windows\SysWOW64\Mncnkh32.dll | Gbkgnfbd.exe
File opened for modification | C:\Windows\SysWOW64\Gkkemh32.exe | Ghmiam32.exe
File created | C:\Windows\SysWOW64\Fhdclk32.dll | Odegpj32.exe
File created | C:\Windows\SysWOW64\Ofpfnqjp.exe | Oqcnfjli.exe
File opened for modification | C:\Windows\SysWOW64\Hggomh32.exe | Hdhbam32.exe
File created | C:\Windows\SysWOW64\Ilknfn32.exe | Ieqeidnl.exe
File created | C:\Windows\SysWOW64\Boiccdnf.exe | Ailkjmpo.exe
File opened for modification | C:\Windows\SysWOW64\Beehencq.exe | Bbflib32.exe
File created | C:\Windows\SysWOW64\Pndaof32.dll | Phjelg32.exe
File created | C:\Windows\SysWOW64\Affhncfc.exe | Aplpai32.exe
File created | C:\Windows\SysWOW64\Gbkgnfbd.exe | Gpmjak32.exe
File created | C:\Windows\SysWOW64\Odgcfijj.exe | Onmkio32.exe
File created | C:\Windows\SysWOW64\Egdgmmje.dll | Oqqapjnk.exe
File opened for modification | C:\Windows\SysWOW64\Cobbhfhg.exe | Ckffgg32.exe
File created | C:\Windows\SysWOW64\Ipdljffa.dll | Dbpodagk.exe
File created | C:\Windows\SysWOW64\Lkoabpeg.dll | Gangic32.exe
File opened for modification | C:\Windows\SysWOW64\Hjjddchg.exe | Henidd32.exe
File created | C:\Windows\SysWOW64\Moealbej.dll | Qljkhe32.exe
File created | C:\Windows\SysWOW64\Ampqjm32.exe | Affhncfc.exe
File opened for modification | C:\Windows\SysWOW64\Djbiicon.exe | Dfgmhd32.exe
File created | C:\Windows\SysWOW64\Ebedndfa.exe | Epfhbign.exe
File created | C:\Windows\SysWOW64\Fmekoalh.exe | Fejgko32.exe
File created | C:\Windows\SysWOW64\Polebcgg.dll | Hacmcfge.exe
File created | C:\Windows\SysWOW64\Iknnbklc.exe | Ilknfn32.exe
File created | C:\Windows\SysWOW64\Iagfoe32.exe | Inljnfkg.exe
File created | C:\Windows\SysWOW64\Abbbnchb.exe | Alhjai32.exe
File created | C:\Windows\SysWOW64\Ahcfok32.dll | Dnilobkm.exe
File created | C:\Windows\SysWOW64\Qinopgfb.dll | Bjijdadm.exe
File created | C:\Windows\SysWOW64\Jfcfmmpb.dll | Afmonbqk.exe
File created | C:\Windows\SysWOW64\Dobkmdfq.dll | Boiccdnf.exe
File created | C:\Windows\SysWOW64\Pofgpn32.dll | Qbbfopeg.exe
File created | C:\Windows\SysWOW64\Ecmkghcl.exe | Eqonkmdh.exe
File created | C:\Windows\SysWOW64\Hkkalk32.exe | Hjjddchg.exe
File opened for modification | C:\Windows\SysWOW64\Odegpj32.exe | Nbfjdn32.exe
File opened for modification | C:\Windows\SysWOW64\Ppmdbe32.exe | Pmnhfjmg.exe
File created | C:\Windows\SysWOW64\Bjijdadm.exe | Bpafkknm.exe
File created | C:\Windows\SysWOW64\Mdeced32.dll | Dkkpbgli.exe
File created | C:\Windows\SysWOW64\Eloemi32.exe | Eiaiqn32.exe
File opened for modification | C:\Windows\SysWOW64\Glaoalkh.exe | Gegfdb32.exe
File opened for modification | C:\Windows\SysWOW64\Okchhc32.exe | Oiellh32.exe
File created | C:\Windows\SysWOW64\Gfhemi32.dll | Ailkjmpo.exe
File created | C:\Windows\SysWOW64\Cfeoofge.dll | Eihfjo32.exe
File opened for modification | C:\Windows\SysWOW64\Eiaiqn32.exe | Ebgacddo.exe
File opened for modification | C:\Windows\SysWOW64\Pipopl32.exe | Pfbccp32.exe
File created | C:\Windows\SysWOW64\Cdakgibq.exe | Cngcjo32.exe
File created | C:\Windows\SysWOW64\Ddokpmfo.exe | Dbpodagk.exe
File opened for modification | C:\Windows\SysWOW64\Hmlnoc32.exe | Hiqbndpb.exe
File created | C:\Windows\SysWOW64\Ikeelnol.dll | Ondajnme.exe
File created | C:\Windows\SysWOW64\Lhbjkfod.dll | Ojkboo32.exe
File created | C:\Windows\SysWOW64\Afiecb32.exe | Abmibdlh.exe
File created | C:\Windows\SysWOW64\Aigaon32.exe | Afiecb32.exe
File created | C:\Windows\SysWOW64\Bghabf32.exe | Bdjefj32.exe
File created | C:\Windows\SysWOW64\Dekpaqgc.dll | Eijcpoac.exe
File created | C:\Windows\SysWOW64\Ebinic32.exe | Eloemi32.exe
File created | C:\Windows\SysWOW64\Ocjcidbb.dll | Gbijhg32.exe
File created | C:\Windows\SysWOW64\Lphhoacd.dll | Ogfpbeim.exe
File created | C:\Windows\SysWOW64\Eggbcg32.dll | Okfencna.exe
File created | C:\Windows\SysWOW64\Hellne32.exe | Hgilchkf.exe
File opened for modification | C:\Windows\SysWOW64\Gdamqndn.exe | Geolea32.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3228 | 3188 | WerFault.exe | 243
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Afiecb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bghabf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dqhhknjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eqonkmdh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fjilieka.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hkpnhgge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ahakmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhekfh32.dll" | Ampqjm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hggomh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ankdiqih.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Efppoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fmhheqje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gegfdb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll" | Gkgkbipp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hnagjbdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmhnnlm.dll" | Ofpfnqjp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ppjglfon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Henidd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll" | Ilknfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcfok32.dll" | Dnilobkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdcbfq32.dll" | Fmcoja32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qdccfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdeced32.dll" | Dkkpbgli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgpfqll.dll" | Qeqbkkej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omeope32.dll" | Chhjkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Onphoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pfbccp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll" | Eeqdep32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eloemi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gangic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ofpfnqjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjndop32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eihfjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbcmlc.dll" | Fejgko32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fbdqmghm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gddifnbk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Adjigg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Coklgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gkihhhnm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hellne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoflni32.dll" | Comimg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbidmekh.dll" | Elmigj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqlckoi.dll" | Coklgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfedefbi.dll" | Dchali32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ealnephf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Okfencna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pphjgfqq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghjoa32.dll" | Dhmcfkme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Emhlfmgj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oelmai32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bebkpn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dhjgal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgqjffca.dll" | Ejgcdb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fjilieka.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hnojdcfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ailkjmpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfmal32.dll" | Chcqpmep.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pfbccp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dkkpbgli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnkajj32.dll" | Ffnphf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 61d0f505bf7b7e263dee066639daf262c09aa94b9d4b378c7e56f04ad61851a5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gooqhm32.dll" | Omloag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hggomh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ogfpbeim.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 912 wrote to memory of 1716 | 912 | 61d0f505bf7b7e263dee066639daf262c09aa94b9d4b378c7e56f04ad61851a5.exe | 28
PID 912 wrote to memory of 1716 | 912 | 61d0f505bf7b7e263dee066639daf262c09aa94b9d4b378c7e56f04ad61851a5.exe | 28
PID 912 wrote to memory of 1716 | 912 | 61d0f505bf7b7e263dee066639daf262c09aa94b9d4b378c7e56f04ad61851a5.exe | 28
PID 912 wrote to memory of 1716 | 912 | 61d0f505bf7b7e263dee066639daf262c09aa94b9d4b378c7e56f04ad61851a5.exe | 28
PID 1716 wrote to memory of 2292 | 1716 | Nbdnoo32.exe | 29
PID 1716 wrote to memory of 2292 | 1716 | Nbdnoo32.exe | 29
PID 1716 wrote to memory of 2292 | 1716 | Nbdnoo32.exe | 29
PID 1716 wrote to memory of 2292 | 1716 | Nbdnoo32.exe | 29
PID 2292 wrote to memory of 2712 | 2292 | Nmjblg32.exe | 30
PID 2292 wrote to memory of 2712 | 2292 | Nmjblg32.exe | 30
PID 2292 wrote to memory of 2712 | 2292 | Nmjblg32.exe | 30
PID 2292 wrote to memory of 2712 | 2292 | Nmjblg32.exe | 30
PID 2712 wrote to memory of 2576 | 2712 | Nbfjdn32.exe | 31
PID 2712 wrote to memory of 2576 | 2712 | Nbfjdn32.exe | 31
PID 2712 wrote to memory of 2576 | 2712 | Nbfjdn32.exe | 31
PID 2712 wrote to memory of 2576 | 2712 | Nbfjdn32.exe | 31
PID 2576 wrote to memory of 2500 | 2576 | Odegpj32.exe | 32
PID 2576 wrote to memory of 2500 | 2576 | Odegpj32.exe | 32
PID 2576 wrote to memory of 2500 | 2576 | Odegpj32.exe | 32
PID 2576 wrote to memory of 2500 | 2576 | Odegpj32.exe | 32
PID 2500 wrote to memory of 2472 | 2500 | Omloag32.exe | 33
PID 2500 wrote to memory of 2472 | 2500 | Omloag32.exe | 33
PID 2500 wrote to memory of 2472 | 2500 | Omloag32.exe | 33
PID 2500 wrote to memory of 2472 | 2500 | Omloag32.exe | 33
PID 2472 wrote to memory of 3008 | 2472 | Onmkio32.exe | 34
PID 2472 wrote to memory of 3008 | 2472 | Onmkio32.exe | 34
PID 2472 wrote to memory of 3008 | 2472 | Onmkio32.exe | 34
PID 2472 wrote to memory of 3008 | 2472 | Onmkio32.exe | 34
PID 3008 wrote to memory of 2636 | 3008 | Odgcfijj.exe | 35
PID 3008 wrote to memory of 2636 | 3008 | Odgcfijj.exe | 35
PID 3008 wrote to memory of 2636 | 3008 | Odgcfijj.exe | 35
PID 3008 wrote to memory of 2636 | 3008 | Odgcfijj.exe | 35
PID 2636 wrote to memory of 2956 | 2636 | Ogfpbeim.exe | 36
PID 2636 wrote to memory of 2956 | 2636 | Ogfpbeim.exe | 36
PID 2636 wrote to memory of 2956 | 2636 | Ogfpbeim.exe | 36
PID 2636 wrote to memory of 2956 | 2636 | Ogfpbeim.exe | 36
PID 2956 wrote to memory of 884 | 2956 | Onphoo32.exe | 37
PID 2956 wrote to memory of 884 | 2956 | Onphoo32.exe | 37
PID 2956 wrote to memory of 884 | 2956 | Onphoo32.exe | 37
PID 2956 wrote to memory of 884 | 2956 | Onphoo32.exe | 37
PID 884 wrote to memory of 2764 | 884 | Oqndkj32.exe | 38
PID 884 wrote to memory of 2764 | 884 | Oqndkj32.exe | 38
PID 884 wrote to memory of 2764 | 884 | Oqndkj32.exe | 38
PID 884 wrote to memory of 2764 | 884 | Oqndkj32.exe | 38
PID 2764 wrote to memory of 2520 | 2764 | Oiellh32.exe | 39
PID 2764 wrote to memory of 2520 | 2764 | Oiellh32.exe | 39
PID 2764 wrote to memory of 2520 | 2764 | Oiellh32.exe | 39
PID 2764 wrote to memory of 2520 | 2764 | Oiellh32.exe | 39
PID 2520 wrote to memory of 2780 | 2520 | Okchhc32.exe | 40
PID 2520 wrote to memory of 2780 | 2520 | Okchhc32.exe | 40
PID 2520 wrote to memory of 2780 | 2520 | Okchhc32.exe | 40
PID 2520 wrote to memory of 2780 | 2520 | Okchhc32.exe | 40
PID 2780 wrote to memory of 1512 | 2780 | Onbddoog.exe | 41
PID 2780 wrote to memory of 1512 | 2780 | Onbddoog.exe | 41
PID 2780 wrote to memory of 1512 | 2780 | Onbddoog.exe | 41
PID 2780 wrote to memory of 1512 | 2780 | Onbddoog.exe | 41
PID 1512 wrote to memory of 2052 | 1512 | Oqqapjnk.exe | 42
PID 1512 wrote to memory of 2052 | 1512 | Oqqapjnk.exe | 42
PID 1512 wrote to memory of 2052 | 1512 | Oqqapjnk.exe | 42
PID 1512 wrote to memory of 2052 | 1512 | Oqqapjnk.exe | 42
PID 2052 wrote to memory of 2164 | 2052 | Oelmai32.exe | 43
PID 2052 wrote to memory of 2164 | 2052 | Oelmai32.exe | 43
PID 2052 wrote to memory of 2164 | 2052 | Oelmai32.exe | 43
PID 2052 wrote to memory of 2164 | 2052 | Oelmai32.exe | 43
Processes
Process chain (each process spawns the next; #N is the depth in the chain, followed by the image path, the recorded command line and the PID, then the behaviours attributed to that process):

#1 C:\Users\Admin\AppData\Local\Temp\61d0f505bf7b7e263dee066639daf262c09aa94b9d4b378c7e56f04ad61851a5.exe | command line: "C:\Users\Admin\AppData\Local\Temp\61d0f505bf7b7e263dee066639daf262c09aa94b9d4b378c7e56f04ad61851a5.exe" | PID:912
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

#2 C:\Windows\SysWOW64\Nbdnoo32.exe | command line: C:\Windows\system32\Nbdnoo32.exe | PID:1716
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

#3 C:\Windows\SysWOW64\Nmjblg32.exe | command line: C:\Windows\system32\Nmjblg32.exe | PID:2292
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

#4 C:\Windows\SysWOW64\Nbfjdn32.exe | command line: C:\Windows\system32\Nbfjdn32.exe | PID:2712
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

#5 C:\Windows\SysWOW64\Odegpj32.exe | command line: C:\Windows\system32\Odegpj32.exe | PID:2576
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

#6 C:\Windows\SysWOW64\Omloag32.exe | command line: C:\Windows\system32\Omloag32.exe | PID:2500
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

#7 C:\Windows\SysWOW64\Onmkio32.exe | command line: C:\Windows\system32\Onmkio32.exe | PID:2472
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

#8 C:\Windows\SysWOW64\Odgcfijj.exe | command line: C:\Windows\system32\Odgcfijj.exe | PID:3008
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

#9 C:\Windows\SysWOW64\Ogfpbeim.exe | command line: C:\Windows\system32\Ogfpbeim.exe | PID:2636
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

#10 C:\Windows\SysWOW64\Onphoo32.exe | command line: C:\Windows\system32\Onphoo32.exe | PID:2956
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

#11 C:\Windows\SysWOW64\Oqndkj32.exe | command line: C:\Windows\system32\Oqndkj32.exe | PID:884
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

#12 C:\Windows\SysWOW64\Oiellh32.exe | command line: C:\Windows\system32\Oiellh32.exe | PID:2764
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

#13 C:\Windows\SysWOW64\Okchhc32.exe | command line: C:\Windows\system32\Okchhc32.exe | PID:2520
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

#14 C:\Windows\SysWOW64\Onbddoog.exe | command line: C:\Windows\system32\Onbddoog.exe | PID:2780
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

#15 C:\Windows\SysWOW64\Oqqapjnk.exe | command line: C:\Windows\system32\Oqqapjnk.exe | PID:1512
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

#16 C:\Windows\SysWOW64\Oelmai32.exe | command line: C:\Windows\system32\Oelmai32.exe | PID:2052
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

#17 C:\Windows\SysWOW64\Ogjimd32.exe | command line: C:\Windows\system32\Ogjimd32.exe | PID:2164
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

#18 C:\Windows\SysWOW64\Okfencna.exe | command line: C:\Windows\system32\Okfencna.exe | PID:596
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class

#19 C:\Windows\SysWOW64\Ojieip32.exe | command line: C:\Windows\system32\Ojieip32.exe | PID:1296
- Executes dropped EXE
- Loads dropped DLL

#20 C:\Windows\SysWOW64\Ondajnme.exe | command line: C:\Windows\system32\Ondajnme.exe | PID:584
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

#21 C:\Windows\SysWOW64\Omgaek32.exe | command line: C:\Windows\system32\Omgaek32.exe | PID:1868
- Executes dropped EXE
- Loads dropped DLL

#22 C:\Windows\SysWOW64\Oqcnfjli.exe | command line: C:\Windows\system32\Oqcnfjli.exe | PID:1108
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

#23 C:\Windows\SysWOW64\Ofpfnqjp.exe | command line: C:\Windows\system32\Ofpfnqjp.exe | PID:1944
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

#24 C:\Windows\SysWOW64\Ojkboo32.exe | command line: C:\Windows\system32\Ojkboo32.exe | PID:1996
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

#25 C:\Windows\SysWOW64\Paejki32.exe | command line: C:\Windows\system32\Paejki32.exe | PID:1300
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

#26 C:\Windows\SysWOW64\Pphjgfqq.exe | command line: C:\Windows\system32\Pphjgfqq.exe | PID:1020
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

#27 C:\Windows\SysWOW64\Pfbccp32.exe | command line: C:\Windows\system32\Pfbccp32.exe | PID:2268
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class

#28 C:\Windows\SysWOW64\Pipopl32.exe | command line: C:\Windows\system32\Pipopl32.exe | PID:1592
- Executes dropped EXE
- Loads dropped DLL

#29 C:\Windows\SysWOW64\Ppjglfon.exe | command line: C:\Windows\system32\Ppjglfon.exe | PID:2108
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

#30 C:\Windows\SysWOW64\Pfdpip32.exe | command line: C:\Windows\system32\Pfdpip32.exe | PID:1948
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

#31 C:\Windows\SysWOW64\Pmnhfjmg.exe | command line: C:\Windows\system32\Pmnhfjmg.exe | PID:2612
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

#32 C:\Windows\SysWOW64\Ppmdbe32.exe | command line: C:\Windows\system32\Ppmdbe32.exe | PID:2768
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

#33 C:\Windows\SysWOW64\Pfflopdh.exe | command line: C:\Windows\system32\Pfflopdh.exe | PID:2504
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

#34 C:\Windows\SysWOW64\Pmqdkj32.exe | command line: C:\Windows\system32\Pmqdkj32.exe | PID:1888
- Executes dropped EXE

#35 C:\Windows\SysWOW64\Pnbacbac.exe | command line: C:\Windows\system32\Pnbacbac.exe | PID:3000
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

#36 C:\Windows\SysWOW64\Pfiidobe.exe | command line: C:\Windows\system32\Pfiidobe.exe | PID:2848
- Executes dropped EXE

#37 C:\Windows\SysWOW64\Phjelg32.exe | command line: C:\Windows\system32\Phjelg32.exe | PID:2972
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory

#38 C:\Windows\SysWOW64\Pndniaop.exe | command line: C:\Windows\system32\Pndniaop.exe | PID:1972
- Executes dropped EXE

#39 C:\Windows\SysWOW64\Pabjem32.exe | command line: C:\Windows\system32\Pabjem32.exe | PID:304
- Executes dropped EXE

#40 C:\Windows\SysWOW64\Qhmbagfa.exe | command line: C:\Windows\system32\Qhmbagfa.exe | PID:2828
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

#41 C:\Windows\SysWOW64\Qbbfopeg.exe | command line: C:\Windows\system32\Qbbfopeg.exe | PID:2556
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory

#42 C:\Windows\SysWOW64\Qeqbkkej.exe | command line: C:\Windows\system32\Qeqbkkej.exe | PID:1228
- Executes dropped EXE
- Modifies registry class

#43 C:\Windows\SysWOW64\Qdccfh32.exe | command line: C:\Windows\system32\Qdccfh32.exe | PID:2860
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class

#44 C:\Windows\SysWOW64\Qljkhe32.exe | command line: C:\Windows\system32\Qljkhe32.exe | PID:788
- Executes dropped EXE
- Drops file in System32 directory

#45 C:\Windows\SysWOW64\Qnigda32.exe | command line: C:\Windows\system32\Qnigda32.exe | PID:3056
- Executes dropped EXE

#46 C:\Windows\SysWOW64\Qecoqk32.exe | command line: C:\Windows\system32\Qecoqk32.exe | PID:2384
- Executes dropped EXE

#47 C:\Windows\SysWOW64\Ahakmf32.exe | command line: C:\Windows\system32\Ahakmf32.exe | PID:828
- Executes dropped EXE
- Modifies registry class

#48 C:\Windows\SysWOW64\Ankdiqih.exe | command line: C:\Windows\system32\Ankdiqih.exe | PID:2432
- Executes dropped EXE
- Modifies registry class

#49 C:\Windows\SysWOW64\Aplpai32.exe | command line: C:\Windows\system32\Aplpai32.exe | PID:1536
- Executes dropped EXE
- Drops file in System32 directory

#50 C:\Windows\SysWOW64\Affhncfc.exe | command line: C:\Windows\system32\Affhncfc.exe | PID:1540
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory

#51 C:\Windows\SysWOW64\Ampqjm32.exe | command line: C:\Windows\system32\Ampqjm32.exe | PID:1616
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class

#52 C:\Windows\SysWOW64\Aalmklfi.exe | command line: C:\Windows\system32\Aalmklfi.exe | PID:1332
- Executes dropped EXE

#53 C:\Windows\SysWOW64\Adjigg32.exe | command line: C:\Windows\system32\Adjigg32.exe | PID:1168
- Executes dropped EXE
- Modifies registry class

#54 C:\Windows\SysWOW64\Abmibdlh.exe | command line: C:\Windows\system32\Abmibdlh.exe | PID:2028
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory

#55 C:\Windows\SysWOW64\Afiecb32.exe | command line: C:\Windows\system32\Afiecb32.exe | PID:2552
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class

#56 C:\Windows\SysWOW64\Aigaon32.exe | command line: C:\Windows\system32\Aigaon32.exe | PID:2884
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

#57 C:\Windows\SysWOW64\Alenki32.exe | command line: C:\Windows\system32\Alenki32.exe | PID:2680
- Executes dropped EXE

#58 C:\Windows\SysWOW64\Apajlhka.exe | command line: C:\Windows\system32\Apajlhka.exe | PID:2756
- Executes dropped EXE

#59 C:\Windows\SysWOW64\Admemg32.exe | command line: C:\Windows\system32\Admemg32.exe | PID:2492
- Executes dropped EXE

#60 C:\Windows\SysWOW64\Afkbib32.exe | command line: C:\Windows\system32\Afkbib32.exe | PID:2988
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

#61 C:\Windows\SysWOW64\Amejeljk.exe | command line: C:\Windows\system32\Amejeljk.exe | PID:3004
- Executes dropped EXE

#62 C:\Windows\SysWOW64\Alhjai32.exe | command line: C:\Windows\system32\Alhjai32.exe | PID:2840
- Executes dropped EXE
- Drops file in System32 directory

#63 C:\Windows\SysWOW64\Abbbnchb.exe | command line: C:\Windows\system32\Abbbnchb.exe | PID:2792
- Executes dropped EXE

#64 C:\Windows\SysWOW64\Afmonbqk.exe | command line: C:\Windows\system32\Afmonbqk.exe | PID:1200
- Executes dropped EXE
- Drops file in System32 directory

#65 C:\Windows\SysWOW64\Ailkjmpo.exe | command line: C:\Windows\system32\Ailkjmpo.exe | PID:1704
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class

#66 C:\Windows\SysWOW64\Boiccdnf.exe | command line: C:\Windows\system32\Boiccdnf.exe | PID:2812
- Drops file in System32 directory

#67 C:\Windows\SysWOW64\Bbdocc32.exe | command line: C:\Windows\system32\Bbdocc32.exe | PID:1812

#68 C:\Windows\SysWOW64\Bebkpn32.exe | command line: C:\Windows\system32\Bebkpn32.exe | PID:1016
- Modifies registry class

#69 C:\Windows\SysWOW64\Bhahlj32.exe | command line: C:\Windows\system32\Bhahlj32.exe | PID:1648

#70 C:\Windows\SysWOW64\Bokphdld.exe | command line: C:\Windows\system32\Bokphdld.exe | PID:2904

#71 C:\Windows\SysWOW64\Bbflib32.exe | command line: C:\Windows\system32\Bbflib32.exe | PID:1172
- Drops file in System32 directory

#72 C:\Windows\SysWOW64\Beehencq.exe | command line: C:\Windows\system32\Beehencq.exe | PID:2408
- Drops file in System32 directory

#73 C:\Windows\SysWOW64\Bloqah32.exe | command line: C:\Windows\system32\Bloqah32.exe | PID:1040

#74 C:\Windows\SysWOW64\Bkaqmeah.exe | command line: C:\Windows\system32\Bkaqmeah.exe | PID:3028

#75 C:\Windows\SysWOW64\Bnpmipql.exe | command line: C:\Windows\system32\Bnpmipql.exe | PID:2540
- Adds autorun key to be loaded by Explorer.exe on startup

#76 C:\Windows\SysWOW64\Begeknan.exe | command line: C:\Windows\system32\Begeknan.exe | PID:3068

#77 C:\Windows\SysWOW64\Bdjefj32.exe | command line: C:\Windows\system32\Bdjefj32.exe | PID:2468
- Drops file in System32 directory

#78 C:\Windows\SysWOW64\Bghabf32.exe | command line: C:\Windows\system32\Bghabf32.exe | PID:2532
- Modifies registry class

#79 C:\Windows\SysWOW64\Bnbjopoi.exe | command line: C:\Windows\system32\Bnbjopoi.exe | PID:1960

#80 C:\Windows\SysWOW64\Banepo32.exe | command line: C:\Windows\system32\Banepo32.exe | PID:2968

#81 C:\Windows\SysWOW64\Bpafkknm.exe | command line: C:\Windows\system32\Bpafkknm.exe | PID:1976
- Drops file in System32 directory

#82 C:\Windows\SysWOW64\Bjijdadm.exe | command line: C:\Windows\system32\Bjijdadm.exe | PID:1520
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

#83 C:\Windows\SysWOW64\Bpcbqk32.exe | command line: C:\Windows\system32\Bpcbqk32.exe | PID:1280

#84 C:\Windows\SysWOW64\Bdooajdc.exe | command line: C:\Windows\system32\Bdooajdc.exe | PID:2296

#85 C:\Windows\SysWOW64\Ckignd32.exe | command line: C:\Windows\system32\Ckignd32.exe | PID:1828
- Adds autorun key to be loaded by Explorer.exe on startup

#86 C:\Windows\SysWOW64\Cngcjo32.exe | command line: C:\Windows\system32\Cngcjo32.exe | PID:2900
- Drops file in System32 directory

#87 C:\Windows\SysWOW64\Cdakgibq.exe | command line: C:\Windows\system32\Cdakgibq.exe | PID:2132
- Adds autorun key to be loaded by Explorer.exe on startup

#88 C:\Windows\SysWOW64\Cgpgce32.exe | command line: C:\Windows\system32\Cgpgce32.exe | PID:1340

#89 C:\Windows\SysWOW64\Cjndop32.exe | command line: C:\Windows\system32\Cjndop32.exe | PID:2416
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

#90 C:\Windows\SysWOW64\Cllpkl32.exe | command line: C:\Windows\system32\Cllpkl32.exe | PID:1596

#91 C:\Windows\SysWOW64\Coklgg32.exe | command line: C:\Windows\system32\Coklgg32.exe | PID:2660
- Modifies registry class

#92 C:\Windows\SysWOW64\Cgbdhd32.exe | command line: C:\Windows\system32\Cgbdhd32.exe | PID:2844

#93 C:\Windows\SysWOW64\Cjpqdp32.exe | command line: C:\Windows\system32\Cjpqdp32.exe | PID:2744
- Adds autorun key to be loaded by Explorer.exe on startup

#94 C:\Windows\SysWOW64\Chcqpmep.exe | command line: C:\Windows\system32\Chcqpmep.exe | PID:1580
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

#95 C:\Windows\SysWOW64\Comimg32.exe | command line: C:\Windows\system32\Comimg32.exe | PID:2700
- Modifies registry class

#96 C:\Windows\SysWOW64\Cbkeib32.exe | command line: C:\Windows\system32\Cbkeib32.exe | PID:1632

#97 C:\Windows\SysWOW64\Cjbmjplb.exe | command line: C:\Windows\system32\Cjbmjplb.exe | PID:1456

#98 C:\Windows\SysWOW64\Claifkkf.exe | command line: C:\Windows\system32\Claifkkf.exe | PID:1524

#99 C:\Windows\SysWOW64\Copfbfjj.exe | command line: C:\Windows\system32\Copfbfjj.exe | PID:384

#100 C:\Windows\SysWOW64\Cbnbobin.exe | command line: C:\Windows\system32\Cbnbobin.exe | PID:968
- Adds autorun key to be loaded by Explorer.exe on startup

#101 C:\Windows\SysWOW64\Chhjkl32.exe | command line: C:\Windows\system32\Chhjkl32.exe | PID:2180
- Modifies registry class

#102 C:\Windows\SysWOW64\Ckffgg32.exe | command line: C:\Windows\system32\Ckffgg32.exe | PID:1832
- Drops file in System32 directory

#103 C:\Windows\SysWOW64\Cobbhfhg.exe | command line: C:\Windows\system32\Cobbhfhg.exe | PID:2160
- Adds autorun key to be loaded by Explorer.exe on startup

#104 C:\Windows\SysWOW64\Dbpodagk.exe | command line: C:\Windows\system32\Dbpodagk.exe | PID:928
- Drops file in System32 directory

#105 C:\Windows\SysWOW64\Ddokpmfo.exe | command line: C:\Windows\system32\Ddokpmfo.exe | PID:1612
- Adds autorun key to be loaded by Explorer.exe on startup

#106 C:\Windows\SysWOW64\Dhjgal32.exe | command line: C:\Windows\system32\Dhjgal32.exe | PID:2308
- Modifies registry class

#107 C:\Windows\SysWOW64\Dodonf32.exe | command line: C:\Windows\system32\Dodonf32.exe | PID:2684

#108 C:\Windows\SysWOW64\Dngoibmo.exe | command line: C:\Windows\system32\Dngoibmo.exe | PID:2736

#109 C:\Windows\SysWOW64\Dqelenlc.exe | command line: C:\Windows\system32\Dqelenlc.exe | PID:2992
- Adds autorun key to be loaded by Explorer.exe on startup

#110 C:\Windows\SysWOW64\Dhmcfkme.exe | command line: C:\Windows\system32\Dhmcfkme.exe | PID:2824
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

#111 C:\Windows\SysWOW64\Dkkpbgli.exe | command line: C:\Windows\system32\Dkkpbgli.exe | PID:2664
- Drops file in System32 directory
- Modifies registry class

#112 C:\Windows\SysWOW64\Dnilobkm.exe | command line: C:\Windows\system32\Dnilobkm.exe | PID:1664
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class

#113 C:\Windows\SysWOW64\Dqhhknjp.exe | command line: C:\Windows\system32\Dqhhknjp.exe | PID:2276
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

#114 C:\Windows\SysWOW64\Dcfdgiid.exe | command line: C:\Windows\system32\Dcfdgiid.exe | PID:1312

#115 C:\Windows\SysWOW64\Dgaqgh32.exe | command line: C:\Windows\system32\Dgaqgh32.exe | PID:2784
- Adds autorun key to be loaded by Explorer.exe on startup

#116 C:\Windows\SysWOW64\Djpmccqq.exe | command line: C:\Windows\system32\Djpmccqq.exe | PID:2100

#117 C:\Windows\SysWOW64\Dnlidb32.exe | command line: C:\Windows\system32\Dnlidb32.exe | PID:2940

#118 C:\Windows\SysWOW64\Dmoipopd.exe | command line: C:\Windows\system32\Dmoipopd.exe | PID:3060

#119 C:\Windows\SysWOW64\Ddeaalpg.exe | command line: C:\Windows\system32\Ddeaalpg.exe | PID:1712
- Adds autorun key to be loaded by Explorer.exe on startup

#120 C:\Windows\SysWOW64\Dchali32.exe | command line: C:\Windows\system32\Dchali32.exe | PID:2456
- Modifies registry class

#121 C:\Windows\SysWOW64\Dfgmhd32.exe | command line: C:\Windows\system32\Dfgmhd32.exe | PID:2344
- Drops file in System32 directory

#122 C:\Windows\SysWOW64\Djbiicon.exe | command line: C:\Windows\system32\Djbiicon.exe | PID:2708
- Adds autorun key to be loaded by Explorer.exe on startup