Analysis
- max time kernel: 146s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 03/07/2024, 13:22
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 48b8a07c6f152cccb77a4bcad43676b9b57f5db167f1dbb0dcc4d7df894464bc.exe
  - Resource: win7-20240419-en
- Behavioral task: behavioral2
  - Sample: 48b8a07c6f152cccb77a4bcad43676b9b57f5db167f1dbb0dcc4d7df894464bc.exe
  - Resource: win10v2004-20240508-en

General
- Target: 48b8a07c6f152cccb77a4bcad43676b9b57f5db167f1dbb0dcc4d7df894464bc.exe
- Size: 72KB
- MD5: fcc1d0c13a039c4f80a9a14a8cd4f830
- SHA1: b6a9c9d4f873d8169eef41952f08965bd600d304
- SHA256: 48b8a07c6f152cccb77a4bcad43676b9b57f5db167f1dbb0dcc4d7df894464bc
- SHA512: 711494155d2d51caa61f2f3097a984f91ab844d3973cefd46ab5b2fe6b58ae5f69e4095d51259d1dd7c01de247df681dc6b4988af613ec48eaf14a6300df70cb
- SSDEEP: 768:g2BsQ4NLmrqd8LXe/Jcbki8IK8YPa39wMYvL4XArk49bp3K5CiCMuavrYuVacyAV:4QrjLVBO3Mm4XAd4ALazPacT
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pfflopdh.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Admemg32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Begeknan.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cjndop32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmlapp32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggpimica.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nehmdhja.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ccngld32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eibbcm32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fejgko32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lijjoe32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Maoajf32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Anlmmp32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abhimnma.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dfamcogo.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhjgal32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jqfffqpm.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahgnke32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efaibbij.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qeqbkkej.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edkcojga.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebinic32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jfqahgpg.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olmhdf32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Blbfjg32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Afiecb32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dogefd32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcaomf32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Onhgbmfb.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pmanoifd.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Abhimnma.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bhkdeggl.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ppoqge32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Afdlhchf.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cckace32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fhffaj32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkppbl32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcadac32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dqhhknjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fnpnndgp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qlkdkd32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gonnhhln.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gicbeald.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lecgje32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhbcfa32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahdaee32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Filldb32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gobgcg32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hiqbndpb.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Igihbknb.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jkdpanhg.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mkeimlfm.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Alegac32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpnbkeld.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oddpfc32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ojahnj32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pefijfii.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aefeijle.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckccgane.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enakbp32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cngcjo32.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgilchkf.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cckace32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kiccofna.exe
Executes dropped EXE (64 IoCs)
pid | Process
- 548 | Oiellh32.exe
- 2904 | Obnqem32.exe
- 2996 | Ocomlemo.exe
- 2724 | Ojieip32.exe
- 2652 | Oqcnfjli.exe
- 2792 | Ocajbekl.exe
- 2740 | Ongnonkb.exe
- 2596 | Pphjgfqq.exe
- 1936 | Pfbccp32.exe
- 2320 | Pipopl32.exe
- 1304 | Pcfcmd32.exe
- 2220 | Pjpkjond.exe
- 2480 | Plahag32.exe
- 376 | Pfflopdh.exe
- 2816 | Piehkkcl.exe
- 2264 | Ppoqge32.exe
- 596 | Pelipl32.exe
- 1484 | Phjelg32.exe
- 2496 | Plfamfpm.exe
- 868 | Pndniaop.exe
- 2880 | Penfelgm.exe
- 2024 | Qhmbagfa.exe
- 1056 | Qnfjna32.exe
- 828 | Qeqbkkej.exe
- 1496 | Qljkhe32.exe
- 888 | Qjmkcbcb.exe
- 1584 | Qnigda32.exe
- 1664 | Afdlhchf.exe
- 2920 | Aajpelhl.exe
- 2964 | Aplpai32.exe
- 3020 | Ajbdna32.exe
- 2680 | Aiedjneg.exe
- 2852 | Ampqjm32.exe
- 2744 | Afiecb32.exe
- 2932 | Apajlhka.exe
- 1052 | Admemg32.exe
- 1836 | Aiinen32.exe
- 1388 | Amejeljk.exe
- 2172 | Afmonbqk.exe
- 2472 | Ahokfj32.exe
- 1028 | Aljgfioc.exe
- 2948 | Bbdocc32.exe
- 2272 | Bhahlj32.exe
- 2616 | Bokphdld.exe
- 1620 | Beehencq.exe
- 1804 | Bhcdaibd.exe
- 2708 | Bnpmipql.exe
- 1532 | Begeknan.exe
- 2432 | Bghabf32.exe
- 3040 | Bkdmcdoe.exe
- 2376 | Bnbjopoi.exe
- 2084 | Bpafkknm.exe
- 2840 | Bdlblj32.exe
- 760 | Bhhnli32.exe
- 2992 | Bkfjhd32.exe
- 2868 | Bjijdadm.exe
- 2544 | Baqbenep.exe
- 2772 | Bpcbqk32.exe
- 2592 | Bcaomf32.exe
- 2688 | Bcaomf32.exe
- 2944 | Cgmkmecg.exe
- 1952 | Cjlgiqbk.exe
- 632 | Cjlgiqbk.exe
- 2200 | Cngcjo32.exe
Loads dropped DLL (64 IoCs; the report lists every pid/Process pair below twice, giving 64 entries)
pid | Process
- 2068 | 48b8a07c6f152cccb77a4bcad43676b9b57f5db167f1dbb0dcc4d7df894464bc.exe
- 548 | Oiellh32.exe
- 2904 | Obnqem32.exe
- 2996 | Ocomlemo.exe
- 2724 | Ojieip32.exe
- 2652 | Oqcnfjli.exe
- 2792 | Ocajbekl.exe
- 2740 | Ongnonkb.exe
- 2596 | Pphjgfqq.exe
- 1936 | Pfbccp32.exe
- 2320 | Pipopl32.exe
- 1304 | Pcfcmd32.exe
- 2220 | Pjpkjond.exe
- 2480 | Plahag32.exe
- 376 | Pfflopdh.exe
- 2816 | Piehkkcl.exe
- 2264 | Ppoqge32.exe
- 596 | Pelipl32.exe
- 1484 | Phjelg32.exe
- 2496 | Plfamfpm.exe
- 868 | Pndniaop.exe
- 2880 | Penfelgm.exe
- 2024 | Qhmbagfa.exe
- 1056 | Qnfjna32.exe
- 828 | Qeqbkkej.exe
- 1496 | Qljkhe32.exe
- 888 | Qjmkcbcb.exe
- 1584 | Qnigda32.exe
- 1664 | Afdlhchf.exe
- 2920 | Aajpelhl.exe
- 2964 | Aplpai32.exe
- 3020 | Ajbdna32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
- File created | C:\Windows\SysWOW64\Ccahbp32.exe | Ckjpacfp.exe
- File created | C:\Windows\SysWOW64\Dbfabp32.exe | Dogefd32.exe
- File created | C:\Windows\SysWOW64\Fabnbook.dll | Afiecb32.exe
- File opened for modification | C:\Windows\SysWOW64\Amejeljk.exe | Aiinen32.exe
- File opened for modification | C:\Windows\SysWOW64\Oklkmnbp.exe | Ngpolo32.exe
- File created | C:\Windows\SysWOW64\Pqhpdhcc.exe | Pbfpik32.exe
- File created | C:\Windows\SysWOW64\Kfommp32.dll | Pamiog32.exe
- File opened for modification | C:\Windows\SysWOW64\Qedhdjnh.exe | Qbelgood.exe
- File opened for modification | C:\Windows\SysWOW64\Cdgneh32.exe | Cpkbdiqb.exe
- File opened for modification | C:\Windows\SysWOW64\Ongnonkb.exe | Ocajbekl.exe
- File created | C:\Windows\SysWOW64\Pglbacld.dll | Cfbhnaho.exe
- File opened for modification | C:\Windows\SysWOW64\Dcknbh32.exe | Dqlafm32.exe
- File opened for modification | C:\Windows\SysWOW64\Hnojdcfi.exe | Hicodd32.exe
- File created | C:\Windows\SysWOW64\Chfpgj32.dll | Ohfeog32.exe
- File created | C:\Windows\SysWOW64\Qfjnod32.dll | Cddaphkn.exe
- File opened for modification | C:\Windows\SysWOW64\Fidoim32.exe | Fjaonpnn.exe
- File created | C:\Windows\SysWOW64\Cnbpqb32.dll | Bokphdld.exe
- File created | C:\Windows\SysWOW64\Cfeddafl.exe | Ccfhhffh.exe
- File created | C:\Windows\SysWOW64\Lafndg32.exe | Lpdbloof.exe
- File created | C:\Windows\SysWOW64\Mbpnanch.exe | Mdmmfa32.exe
- File created | C:\Windows\SysWOW64\Jcpclc32.dll | Pciifc32.exe
- File created | C:\Windows\SysWOW64\Ebodiofk.exe | Ejhlgaeh.exe
- File created | C:\Windows\SysWOW64\Mmnclh32.dll | Dkqbaecc.exe
- File opened for modification | C:\Windows\SysWOW64\Qjmkcbcb.exe | Qljkhe32.exe
- File created | C:\Windows\SysWOW64\Bcqgok32.dll | Feeiob32.exe
- File created | C:\Windows\SysWOW64\Gopkmhjk.exe | Glaoalkh.exe
- File opened for modification | C:\Windows\SysWOW64\Iqalka32.exe | Incpoe32.exe
- File opened for modification | C:\Windows\SysWOW64\Ahlgfdeq.exe | Adpkee32.exe
- File created | C:\Windows\SysWOW64\Efhhaddp.dll | Dhnmij32.exe
- File opened for modification | C:\Windows\SysWOW64\Blbfjg32.exe | Bidjnkdg.exe
- File opened for modification | C:\Windows\SysWOW64\Egafleqm.exe | Ecejkf32.exe
- File created | C:\Windows\SysWOW64\Efncicpm.exe | Ebbgid32.exe
- File created | C:\Windows\SysWOW64\Ldahol32.dll | Gbkgnfbd.exe
- File created | C:\Windows\SysWOW64\Pacmbbii.dll | Idfbkq32.exe
- File created | C:\Windows\SysWOW64\Akodpalp.dll | Kfbkmk32.exe
- File created | C:\Windows\SysWOW64\Lbnemk32.exe | Lckdanld.exe
- File opened for modification | C:\Windows\SysWOW64\Qbelgood.exe | Qpgpkcpp.exe
- File created | C:\Windows\SysWOW64\Dflkdp32.exe | Dbpodagk.exe
- File opened for modification | C:\Windows\SysWOW64\Hnagjbdf.exe | Hiekid32.exe
- File created | C:\Windows\SysWOW64\Jfcnngnd.exe | Jcdbbloa.exe
- File opened for modification | C:\Windows\SysWOW64\Lafndg32.exe | Lpdbloof.exe
- File created | C:\Windows\SysWOW64\Lkoacn32.dll | Mpdnkb32.exe
- File created | C:\Windows\SysWOW64\Ncdbcl32.dll | Amhpnkch.exe
- File created | C:\Windows\SysWOW64\Fkckeh32.exe | Fidoim32.exe
- File opened for modification | C:\Windows\SysWOW64\Chemfl32.exe | Cfgaiaci.exe
- File created | C:\Windows\SysWOW64\Icbimi32.exe | Icbimi32.exe
- File created | C:\Windows\SysWOW64\Mhgmapfi.exe | Mdkqqa32.exe
- File created | C:\Windows\SysWOW64\Nncahjgl.exe | Noqamn32.exe
- File created | C:\Windows\SysWOW64\Bifjqh32.dll | Pimkpfeh.exe
- File created | C:\Windows\SysWOW64\Qlkdkd32.exe | Qimhoi32.exe
- File created | C:\Windows\SysWOW64\Bnbjopoi.exe | Bkdmcdoe.exe
- File created | C:\Windows\SysWOW64\Pabakh32.dll | Gobgcg32.exe
- File created | C:\Windows\SysWOW64\Icmlam32.exe | Iqopea32.exe
- File created | C:\Windows\SysWOW64\Idnhde32.dll | Qmfgjh32.exe
- File opened for modification | C:\Windows\SysWOW64\Aekodi32.exe | Aaobdjof.exe
- File opened for modification | C:\Windows\SysWOW64\Qeqbkkej.exe | Qnfjna32.exe
- File created | C:\Windows\SysWOW64\Ambcae32.dll | Egdilkbf.exe
- File created | C:\Windows\SysWOW64\Facdeo32.exe | Filldb32.exe
- File opened for modification | C:\Windows\SysWOW64\Lmcijcbe.exe | Lemaif32.exe
- File created | C:\Windows\SysWOW64\Inqcif32.exe | Ijeghgoh.exe
- File created | C:\Windows\SysWOW64\Ldlimbcf.dll | Kneicieh.exe
- File created | C:\Windows\SysWOW64\Kclhicjn.dll | Bblogakg.exe
- File opened for modification | C:\Windows\SysWOW64\Pklhlael.exe | Pimkpfeh.exe
- File opened for modification | C:\Windows\SysWOW64\Ahdaee32.exe | Aefeijle.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
- 5604 | 5504 | WerFault.exe | 536
Modifies registry class (64 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbmfll32.dll" | Lhbcfa32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ofmbnkhg.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkgklabn.dll" | Qbelgood.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbcodmih.dll" | Dggcffhg.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aplpai32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iegecigk.dll" | Begeknan.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdcbfq32.dll" | Faokjpfd.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Inqcif32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdekadnf.dll" | Jjjacf32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckcmac32.dll" | Jiakjb32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kiccofna.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nlphkb32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Efncicpm.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hgdbhi32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hggomh32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odoghjmf.dll" | Ijeghgoh.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgiom32.dll" | Bdeeqehb.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Immfnjan.dll" | Kfgdhjmk.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oddpfc32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ofhick32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oiellh32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cfbhnaho.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fdapak32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jqfffqpm.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnhde32.dll" | Qmfgjh32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Biicik32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gpknlk32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jjlnif32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljdpbcc.dll" | Nkgbbo32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnbefhd.dll" | Njlockkm.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fphafl32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lldlqakb.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bpleef32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qonlfkdd.dll" | Pfflopdh.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkdol32.dll" | Cbkeib32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ckffgg32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memeaofm.dll" | Dgmglh32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pheafa32.dll" | Cfgaiaci.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nialog32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blopagpd.dll" | Dbfabp32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kmopod32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kpmlkp32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mdkqqa32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlcbpdk.dll" | Qfokbnip.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pipopl32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll" | Fpdhklkl.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jqfffqpm.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffoia32.dll" | Jicgpb32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Adpkee32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bblogakg.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfmal32.dll" | Clomqk32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacmbbii.dll" | Idfbkq32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllbijej.dll" | Aipddi32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khknah32.dll" | Fjaonpnn.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aaaoij32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Clilkfnb.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmnmlid.dll" | Cgcmlcja.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdanej32.dll" | Fhhcgj32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll" | Gonnhhln.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ijgdngmf.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkdaf32.dll" | Pbfpik32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jcbellac.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jbnhng32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchnel32.dll" | Oobjaqaj.exe
Suspicious use of WriteProcessMemory (64 IoCs; the report lists each description below four times, giving 64 entries)
description | pid | Process | procid_target
- PID 2068 wrote to memory of 548 | 2068 | 48b8a07c6f152cccb77a4bcad43676b9b57f5db167f1dbb0dcc4d7df894464bc.exe | 28
- PID 548 wrote to memory of 2904 | 548 | Oiellh32.exe | 29
- PID 2904 wrote to memory of 2996 | 2904 | Obnqem32.exe | 30
- PID 2996 wrote to memory of 2724 | 2996 | Ocomlemo.exe | 31
- PID 2724 wrote to memory of 2652 | 2724 | Ojieip32.exe | 32
- PID 2652 wrote to memory of 2792 | 2652 | Oqcnfjli.exe | 33
- PID 2792 wrote to memory of 2740 | 2792 | Ocajbekl.exe | 34
- PID 2740 wrote to memory of 2596 | 2740 | Ongnonkb.exe | 35
- PID 2596 wrote to memory of 1936 | 2596 | Pphjgfqq.exe | 36
- PID 1936 wrote to memory of 2320 | 1936 | Pfbccp32.exe | 37
- PID 2320 wrote to memory of 1304 | 2320 | Pipopl32.exe | 38
- PID 1304 wrote to memory of 2220 | 1304 | Pcfcmd32.exe | 39
- PID 2220 wrote to memory of 2480 | 2220 | Pjpkjond.exe | 40
- PID 2480 wrote to memory of 376 | 2480 | Plahag32.exe | 41
- PID 376 wrote to memory of 2816 | 376 | Pfflopdh.exe | 42
- PID 2816 wrote to memory of 2264 | 2816 | Piehkkcl.exe | 43
Processes

Signature key: A = Adds autorun key to be loaded by Explorer.exe on startup; X = Executes dropped EXE; L = Loads dropped DLL; R = Modifies registry class; S = Drops file in System32 directory; W = Suspicious use of WriteProcessMemory.

The tree is one linear chain of 122 processes: each process at depth N is the only child of the process at depth N-1. Depth 1 is the sample itself, run as "C:\Users\Admin\AppData\Local\Temp\48b8a07c6f152cccb77a4bcad43676b9b57f5db167f1dbb0dcc4d7df894464bc.exe". Every later process has the image path C:\Windows\SysWOW64\<Image> and was started with the command line C:\Windows\system32\<Image>: the 32-bit binaries drop into and launch from "system32", which WOW64 file-system redirection maps to SysWOW64 on this x64 VM.

Depth  PID   Image          Signatures
1      2068  48b8a07c6f152cccb77a4bcad43676b9b57f5db167f1dbb0dcc4d7df894464bc.exe  L W
2      548   Oiellh32.exe   X L R W
3      2904  Obnqem32.exe   X L W
4      2996  Ocomlemo.exe   X L W
5      2724  Ojieip32.exe   X L W
6      2652  Oqcnfjli.exe   X L W
7      2792  Ocajbekl.exe   X L S W
8      2740  Ongnonkb.exe   X L W
9      2596  Pphjgfqq.exe   X L W
10     1936  Pfbccp32.exe   X L W
11     2320  Pipopl32.exe   X L R W
12     1304  Pcfcmd32.exe   X L W
13     2220  Pjpkjond.exe   X L W
14     2480  Plahag32.exe   X L W
15     376   Pfflopdh.exe   A X L R W
16     2816  Piehkkcl.exe   X L W
17     2264  Ppoqge32.exe   A X L
18     596   Pelipl32.exe   X L
19     1484  Phjelg32.exe   X L
20     2496  Plfamfpm.exe   X L
21     868   Pndniaop.exe   X L
22     2880  Penfelgm.exe   X L
23     2024  Qhmbagfa.exe   X L
24     1056  Qnfjna32.exe   X L S
25     828   Qeqbkkej.exe   A X L
26     1496  Qljkhe32.exe   X L S
27     888   Qjmkcbcb.exe   X L
28     1584  Qnigda32.exe   X L
29     1664  Afdlhchf.exe   A X L
30     2920  Aajpelhl.exe   X L
31     2964  Aplpai32.exe   X L R
32     3020  Ajbdna32.exe   X L
33     2680  Aiedjneg.exe   X
34     2852  Ampqjm32.exe   X
35     2744  Afiecb32.exe   A X S
36     2932  Apajlhka.exe   X
37     1052  Admemg32.exe   A X
38     1836  Aiinen32.exe   X S
39     1388  Amejeljk.exe   X
40     2172  Afmonbqk.exe   X
41     2472  Ahokfj32.exe   X
42     1028  Aljgfioc.exe   X
43     2948  Bbdocc32.exe   X
44     2272  Bhahlj32.exe   X
45     2616  Bokphdld.exe   X S
46     1620  Beehencq.exe   X
47     1804  Bhcdaibd.exe   X
48     2708  Bnpmipql.exe   X
49     1532  Begeknan.exe   A X R
50     2432  Bghabf32.exe   X
51     3040  Bkdmcdoe.exe   X S
52     2376  Bnbjopoi.exe   X
53     2084  Bpafkknm.exe   X
54     2840  Bdlblj32.exe   X
55     760   Bhhnli32.exe   X
56     2992  Bkfjhd32.exe   X
57     2868  Bjijdadm.exe   X
58     2544  Baqbenep.exe   X
59     2772  Bpcbqk32.exe   X
60     2592  Bcaomf32.exe   A X
61     2688  Bcaomf32.exe   X
62     2944  Cgmkmecg.exe   X
63     1952  Cjlgiqbk.exe   X
64     632   Cjlgiqbk.exe   X
65     2200  Cngcjo32.exe   A X
66     1968  Cljcelan.exe   -
67     908   Cpeofk32.exe   -
68     2236  Cdakgibq.exe   -
69     780   Cfbhnaho.exe   S R
70     1476  Cjndop32.exe   A
71     2492  Cnippoha.exe   -
72     2344  Cphlljge.exe   -
73     2128  Ccfhhffh.exe   S
74     2364  Cfeddafl.exe   -
75     1628  Chcqpmep.exe   -
76     812   Clomqk32.exe   R
77     2752  Comimg32.exe   -
78     2656  Cbkeib32.exe   R
79     1260  Cfgaiaci.exe   S R
80     1180  Chemfl32.exe   -
81     1184  Ckdjbh32.exe   -
82     352   Cckace32.exe   -
83     2696  Cckace32.exe   A
84     2828  Cfinoq32.exe   -
85     688   Chhjkl32.exe   -
86     1492  Clcflkic.exe   -
87     1544  Ckffgg32.exe   R
88     984   Cobbhfhg.exe   -
89     2224  Dbpodagk.exe   S
90     2152  Dflkdp32.exe   -
91     2960  Dhjgal32.exe   A
92     1284  Dgmglh32.exe   R
93     2704  Dodonf32.exe   -
94     2812  Dbbkja32.exe   -
95     2072  Dhmcfkme.exe   -
96     2208  Dkkpbgli.exe   -
97     1608  Dbehoa32.exe   -
98     2216  Dqhhknjp.exe   A
99     1320  Ddcdkl32.exe   -
100    2276  Dgaqgh32.exe   -
101    484   Dkmmhf32.exe   -
102    2036  Dnlidb32.exe   -
103    612   Dmoipopd.exe   -
104    2212  Dchali32.exe   -
105    2116  Dfgmhd32.exe   -
106    1788  Dqlafm32.exe   S
107    2180  Dcknbh32.exe   -
108    2780  Dfijnd32.exe   -
109    2564  Djefobmk.exe   -
110    2560  Eihfjo32.exe   -
111    308   Eqonkmdh.exe   -
112    2412  Ecmkghcl.exe   -
113    2284  Ejgcdb32.exe   -
114    1040  Emeopn32.exe   -
115    3024  Ebbgid32.exe   S
116    3056  Efncicpm.exe   R
117    2664  Emhlfmgj.exe   -
118    2636  Epfhbign.exe   -
119    2556  Ebedndfa.exe   -
120    1980  Efppoc32.exe   -
121    1032  Eiomkn32.exe   -
122    2580  Elmigj32.exe   -

Reading the signature column: "Executes dropped EXE" is tagged on exactly 64 processes (depths 2 to 65) and "Suspicious use of WriteProcessMemory" on the first 16 (depths 1 to 16, the same sixteen writers that fill the 64-row memory-write table above). Those counts coincide with a 64-entry limit per signature, so a tag that stops partway down the chain is most likely the report ceasing to list IoCs for that signature, not evidence that the behaviour stopped: the processes below depth 65 are still each started by the one above them and still live in SysWOW64. The same name recurring at two depths (Bcaomf32.exe at 60 and 61, Cjlgiqbk.exe at 63 and 64, Cckace32.exe at 82 and 83) is the dropped file re-executing itself once before the next name in the sequence is written.