Analysis
max time kernel: 147s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 06-07-2024 22:54
Static task: static1
Behavioral task: behavioral1
Sample: 6aecdcdda1d3f0aa3023beb2f02c0164757068e64e7c235a5f156da5139c78c0.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: 6aecdcdda1d3f0aa3023beb2f02c0164757068e64e7c235a5f156da5139c78c0.exe
Resource: win10v2004-20240704-en
General
Target: 6aecdcdda1d3f0aa3023beb2f02c0164757068e64e7c235a5f156da5139c78c0.exe
Size: 55KB
MD5: 73311d3f8f11b1900df3ecf7b09d48a9
SHA1: 1c19db1721fa7e3f6b86541def442b0db31afbee
SHA256: 6aecdcdda1d3f0aa3023beb2f02c0164757068e64e7c235a5f156da5139c78c0
SHA512: fbee91ecd0f61504de3c71a2c02880b80749f08bb80ea80abfe8a3760052db9e1039c47a5eea51dd91a2bcc2d0dd37cf55db4096f766d2d9d05a79b04a5ba238
SSDEEP: 1536:vjk7y+2YB7K34tlq2s0jrRuo1tCqxihl1/r2f2LD5:v8y+2KtlqCjrAz2kd
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gkhenlcd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdjcaf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfidhcbm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggifmgia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Capopb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hhaogp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qecejnco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bkimgflg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Flgiaa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ieepad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Klqmaebl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kjngjj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kooimpao.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhombc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmnnomnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Anepooja.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbpendha.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gceghn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iikneggd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dehdpnok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hhobbqkc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Akbkhd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Edgkap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gninpg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkelhemb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pqfdlmic.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dohiefpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jegheghc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hadckp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bfeonq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Egnjbfqc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eiocdand.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehpjmoio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nmjhejph.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bickkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fjchnclk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Coofoghn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhhagb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fmlblq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hcmmhmhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Emeejpjc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eiocdand.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chigmlml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dmkipb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfdmdlaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Caohfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iehejc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Begegn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Henipenb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Goohckob.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gaigab32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cecnflpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eojbii32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fqbeapqb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmnoapba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hleegpgb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epdafl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhnahl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dghgdg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfcajekc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Angmdoho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Baeepm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfnncb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekgineko.exe
Executes dropped EXE (64 IoCs)
pid | Process
3040 | Pefmkpbl.exe
2320 | Ponadfim.exe
2780 | Plbbmjhf.exe
2672 | Pekffp32.exe
2988 | Pldobjec.exe
2680 | Paagkq32.exe
2644 | Pgnpcg32.exe
440 | Pqfdlmic.exe
2664 | Qklhifhi.exe
2868 | Qbfqfppe.exe
2912 | Qkoeoe32.exe
2952 | Qmpafnld.exe
3024 | Acjjch32.exe
2416 | Aqnjml32.exe
2436 | Aiioanpf.exe
2372 | Aqpgblqh.exe
392 | Aikkgnnc.exe
936 | Abcppcdc.exe
1088 | Afolpb32.exe
588 | Akldhi32.exe
524 | Anjqdd32.exe
2224 | Aediaoae.exe
992 | Aipebm32.exe
2112 | Bojmogak.exe
1568 | Bnmmjd32.exe
1588 | Begegn32.exe
868 | Bbkfpb32.exe
2408 | Bamfloef.exe
2824 | Bkckihel.exe
3048 | Bmdgqp32.exe
2116 | Bekobn32.exe
2840 | Bndckc32.exe
2616 | Bcqlcj32.exe
3032 | Badlln32.exe
2296 | Bccihj32.exe
2504 | Cjmaed32.exe
836 | Cpjimk32.exe
1908 | Cfcajekc.exe
2944 | Coofoghn.exe
1276 | Cpnchjpa.exe
2368 | Capopb32.exe
1996 | Chigmlml.exe
564 | Chldbl32.exe
2444 | Dhnahl32.exe
2528 | Dfaachpa.exe
1528 | Dohiefpc.exe
1524 | Dmkipb32.exe
1820 | Dpifln32.exe
1684 | Dhqnnk32.exe
2264 | Dkojjgfg.exe
2060 | Dmmffbek.exe
940 | Ddgnbl32.exe
2852 | Dbjonicb.exe
2980 | Didgkc32.exe
2732 | Dlbcgo32.exe
1632 | Ddjkhl32.exe
2748 | Dghgdg32.exe
2948 | Difcpc32.exe
1036 | Dmbpaa32.exe
1640 | Dcohih32.exe
2984 | Dgjdjghf.exe
2088 | Eemded32.exe
2392 | Eiipfbgj.exe
2956 | Elgmbnfn.exe
Loads dropped DLL (64 IoCs)
pid | Process
2256 | 6aecdcdda1d3f0aa3023beb2f02c0164757068e64e7c235a5f156da5139c78c0.exe
2256 | 6aecdcdda1d3f0aa3023beb2f02c0164757068e64e7c235a5f156da5139c78c0.exe
3040 | Pefmkpbl.exe
3040 | Pefmkpbl.exe
2320 | Ponadfim.exe
2320 | Ponadfim.exe
2780 | Plbbmjhf.exe
2780 | Plbbmjhf.exe
2672 | Pekffp32.exe
2672 | Pekffp32.exe
2988 | Pldobjec.exe
2988 | Pldobjec.exe
2680 | Paagkq32.exe
2680 | Paagkq32.exe
2644 | Pgnpcg32.exe
2644 | Pgnpcg32.exe
440 | Pqfdlmic.exe
440 | Pqfdlmic.exe
2664 | Qklhifhi.exe
2664 | Qklhifhi.exe
2868 | Qbfqfppe.exe
2868 | Qbfqfppe.exe
2912 | Qkoeoe32.exe
2912 | Qkoeoe32.exe
2952 | Qmpafnld.exe
2952 | Qmpafnld.exe
3024 | Acjjch32.exe
3024 | Acjjch32.exe
2416 | Aqnjml32.exe
2416 | Aqnjml32.exe
2436 | Aiioanpf.exe
2436 | Aiioanpf.exe
2372 | Aqpgblqh.exe
2372 | Aqpgblqh.exe
392 | Aikkgnnc.exe
392 | Aikkgnnc.exe
936 | Abcppcdc.exe
936 | Abcppcdc.exe
1088 | Afolpb32.exe
1088 | Afolpb32.exe
588 | Akldhi32.exe
588 | Akldhi32.exe
524 | Anjqdd32.exe
524 | Anjqdd32.exe
2224 | Aediaoae.exe
2224 | Aediaoae.exe
992 | Aipebm32.exe
992 | Aipebm32.exe
2112 | Bojmogak.exe
2112 | Bojmogak.exe
1568 | Bnmmjd32.exe
1568 | Bnmmjd32.exe
1588 | Begegn32.exe
1588 | Begegn32.exe
868 | Bbkfpb32.exe
868 | Bbkfpb32.exe
2408 | Bamfloef.exe
2408 | Bamfloef.exe
2824 | Bkckihel.exe
2824 | Bkckihel.exe
3048 | Bmdgqp32.exe
3048 | Bmdgqp32.exe
2116 | Bekobn32.exe
2116 | Bekobn32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Iapjad32.exe | Iiiapg32.exe
File created | C:\Windows\SysWOW64\Ibdcnm32.exe | Ipefba32.exe
File opened for modification | C:\Windows\SysWOW64\Jkfncn32.exe | Jhhagb32.exe
File created | C:\Windows\SysWOW64\Emmljodk.exe | Egbcne32.exe
File created | C:\Windows\SysWOW64\Jccind32.dll | Gdflepqo.exe
File opened for modification | C:\Windows\SysWOW64\Iifnpagn.exe | Ifhacfhj.exe
File created | C:\Windows\SysWOW64\Ibfdea32.dll | Imbakfcc.exe
File opened for modification | C:\Windows\SysWOW64\Jelbqg32.exe | Jndjoi32.exe
File opened for modification | C:\Windows\SysWOW64\Ohjofgfo.exe | Oelcjkgk.exe
File opened for modification | C:\Windows\SysWOW64\Angmdoho.exe | Ajladp32.exe
File opened for modification | C:\Windows\SysWOW64\Eljihn32.exe | Eikmkbeg.exe
File created | C:\Windows\SysWOW64\Nlknhnfg.dll | Oicfpkci.exe
File created | C:\Windows\SysWOW64\Adoili32.exe | Anepooja.exe
File created | C:\Windows\SysWOW64\Dephbjgj.dll | Qagiio32.exe
File created | C:\Windows\SysWOW64\Gfnooj32.dll | Coofoghn.exe
File created | C:\Windows\SysWOW64\Hdpbnp32.dll | Dgjdjghf.exe
File created | C:\Windows\SysWOW64\Haldgbkc.exe | Hidledja.exe
File created | C:\Windows\SysWOW64\Hilbfc32.exe | Hbajjiml.exe
File opened for modification | C:\Windows\SysWOW64\Kpoegc32.exe | Khgnff32.exe
File created | C:\Windows\SysWOW64\Afgplmij.dll | Mcagma32.exe
File opened for modification | C:\Windows\SysWOW64\Ghmokomm.exe | Gbcgne32.exe
File opened for modification | C:\Windows\SysWOW64\Difcpc32.exe | Dghgdg32.exe
File opened for modification | C:\Windows\SysWOW64\Enpoje32.exe | Egegnk32.exe
File opened for modification | C:\Windows\SysWOW64\Fgjpijjb.exe | Fpphlp32.exe
File opened for modification | C:\Windows\SysWOW64\Gigllafc.exe | Gbmdpg32.exe
File created | C:\Windows\SysWOW64\Ddlcdi32.dll | Nmjhejph.exe
File created | C:\Windows\SysWOW64\Bcfbbe32.exe | Bqhffj32.exe
File created | C:\Windows\SysWOW64\Dehdpnok.exe | Donlcdgn.exe
File created | C:\Windows\SysWOW64\Phillkdf.dll | Ilbnfmhd.exe
File created | C:\Windows\SysWOW64\Hbglgj32.dll | Oejfelin.exe
File created | C:\Windows\SysWOW64\Oijlpjma.exe | Obpccped.exe
File opened for modification | C:\Windows\SysWOW64\Dhdcfj32.exe | Deegjo32.exe
File created | C:\Windows\SysWOW64\Jnglkj32.dll | Begegn32.exe
File opened for modification | C:\Windows\SysWOW64\Jmigke32.exe | Jinkkgeb.exe
File created | C:\Windows\SysWOW64\Opaggdfa.exe | Ohjofgfo.exe
File created | C:\Windows\SysWOW64\Jnhijfln.dll | Oogdiqki.exe
File opened for modification | C:\Windows\SysWOW64\Akdgmd32.exe | Adjoqjfc.exe
File created | C:\Windows\SysWOW64\Hqojpqdp.exe | Hnanceem.exe
File opened for modification | C:\Windows\SysWOW64\Inqjbhhh.exe | Ilbnfmhd.exe
File created | C:\Windows\SysWOW64\Badbapio.dll | Qkoeoe32.exe
File opened for modification | C:\Windows\SysWOW64\Lgadba32.exe | Lbdljk32.exe
File opened for modification | C:\Windows\SysWOW64\Odcmagip.exe | Oeqmek32.exe
File opened for modification | C:\Windows\SysWOW64\Gaigab32.exe | Gnkkeg32.exe
File opened for modification | C:\Windows\SysWOW64\Haldgbkc.exe | Hidledja.exe
File opened for modification | C:\Windows\SysWOW64\Gbbnkfjq.exe | Gjkeii32.exe
File created | C:\Windows\SysWOW64\Oqjedjbn.dll | Akbkhd32.exe
File created | C:\Windows\SysWOW64\Akldhi32.exe | Afolpb32.exe
File created | C:\Windows\SysWOW64\Painaj32.dll | Ipefba32.exe
File created | C:\Windows\SysWOW64\Immhck32.dll | Plfhfiqc.exe
File created | C:\Windows\SysWOW64\Qffcphem.dll | Anjjjn32.exe
File opened for modification | C:\Windows\SysWOW64\Bciohe32.exe | Bomcgfjh.exe
File created | C:\Windows\SysWOW64\Halmkejm.dll | Cpolli32.exe
File opened for modification | C:\Windows\SysWOW64\Egbcne32.exe | Ephkak32.exe
File opened for modification | C:\Windows\SysWOW64\Hkenmidf.exe | Hcnfllcd.exe
File created | C:\Windows\SysWOW64\Hmhgjahb.exe | Hfnomgqe.exe
File opened for modification | C:\Windows\SysWOW64\Bamfloef.exe | Bbkfpb32.exe
File created | C:\Windows\SysWOW64\Fplcpm32.dll | Iiiapg32.exe
File opened for modification | C:\Windows\SysWOW64\Jdoblckh.exe | Jelbqg32.exe
File created | C:\Windows\SysWOW64\Oqknikcm.dll | Afebpmal.exe
File opened for modification | C:\Windows\SysWOW64\Cpjimk32.exe | Cjmaed32.exe
File created | C:\Windows\SysWOW64\Njiocobg.exe | Nbnkomel.exe
File created | C:\Windows\SysWOW64\Bpehpm32.dll | Epmdljal.exe
File created | C:\Windows\SysWOW64\Fnjkdcii.exe | Fklohgie.exe
File created | C:\Windows\SysWOW64\Fmnoapba.exe | Fbhkdgbk.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
4624 | 4420 | WerFault.exe | 443
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Coofoghn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dmmffbek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffiedlhj.dll" | Difcpc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjdklo32.dll" | Fchgnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Goohckob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gceghn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qpfmageg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qkoeoe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eojbii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Genmab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhlelc32.dll" | Lkhfhaea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddlcdi32.dll" | Nmjhejph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhombc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijcbcie.dll" | Adhbkj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bekobn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dghgdg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ekofijic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beklhohi.dll" | Fnlhibff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hfqlcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpihinap.dll" | Aediaoae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gbmdpg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bbbedqcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlfaccjd.dll" | Cpbiaiin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knhhkkbe.dll" | Emmljodk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gjeedcjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apbkag32.dll" | Gknhlj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdgaibdg.dll" | Iehejc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibfkoi32.dll" | Flgiaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkmlca32.dll" | Gbmdpg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Goadik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ipefba32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ljdjildq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Obngnphg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cgdggg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pgnpcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addklpal.dll" | Hchcmnlj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hpodbo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fklohgie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pgnpcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ffbjpfmg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gbpaef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbqjj32.dll" | Mfbqol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdecniol.dll" | Mpkehbjm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Obpccped.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbffalnq.dll" | Cflanc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dpiobh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhdcnjn.dll" | Ekgineko.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aqpgblqh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klojje32.dll" | Epkhfkco.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eohedi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Epnkfq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmdmcpk.dll" | Hilbfc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dhnahl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jhhagb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lhjjle32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chlifcag.dll" | Fgpcgi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gkkkgkla.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ddjkhl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ehpjmoio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Impdeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gflfidpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oijlpjma.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aediaoae.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lgfmmaem.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2256 wrote to memory of 3040 | 2256 | 6aecdcdda1d3f0aa3023beb2f02c0164757068e64e7c235a5f156da5139c78c0.exe | 29
PID 2256 wrote to memory of 3040 | 2256 | 6aecdcdda1d3f0aa3023beb2f02c0164757068e64e7c235a5f156da5139c78c0.exe | 29
PID 2256 wrote to memory of 3040 | 2256 | 6aecdcdda1d3f0aa3023beb2f02c0164757068e64e7c235a5f156da5139c78c0.exe | 29
PID 2256 wrote to memory of 3040 | 2256 | 6aecdcdda1d3f0aa3023beb2f02c0164757068e64e7c235a5f156da5139c78c0.exe | 29
PID 3040 wrote to memory of 2320 | 3040 | Pefmkpbl.exe | 30
PID 3040 wrote to memory of 2320 | 3040 | Pefmkpbl.exe | 30
PID 3040 wrote to memory of 2320 | 3040 | Pefmkpbl.exe | 30
PID 3040 wrote to memory of 2320 | 3040 | Pefmkpbl.exe | 30
PID 2320 wrote to memory of 2780 | 2320 | Ponadfim.exe | 31
PID 2320 wrote to memory of 2780 | 2320 | Ponadfim.exe | 31
PID 2320 wrote to memory of 2780 | 2320 | Ponadfim.exe | 31
PID 2320 wrote to memory of 2780 | 2320 | Ponadfim.exe | 31
PID 2780 wrote to memory of 2672 | 2780 | Plbbmjhf.exe | 32
PID 2780 wrote to memory of 2672 | 2780 | Plbbmjhf.exe | 32
PID 2780 wrote to memory of 2672 | 2780 | Plbbmjhf.exe | 32
PID 2780 wrote to memory of 2672 | 2780 | Plbbmjhf.exe | 32
PID 2672 wrote to memory of 2988 | 2672 | Pekffp32.exe | 33
PID 2672 wrote to memory of 2988 | 2672 | Pekffp32.exe | 33
PID 2672 wrote to memory of 2988 | 2672 | Pekffp32.exe | 33
PID 2672 wrote to memory of 2988 | 2672 | Pekffp32.exe | 33
PID 2988 wrote to memory of 2680 | 2988 | Pldobjec.exe | 34
PID 2988 wrote to memory of 2680 | 2988 | Pldobjec.exe | 34
PID 2988 wrote to memory of 2680 | 2988 | Pldobjec.exe | 34
PID 2988 wrote to memory of 2680 | 2988 | Pldobjec.exe | 34
PID 2680 wrote to memory of 2644 | 2680 | Paagkq32.exe | 35
PID 2680 wrote to memory of 2644 | 2680 | Paagkq32.exe | 35
PID 2680 wrote to memory of 2644 | 2680 | Paagkq32.exe | 35
PID 2680 wrote to memory of 2644 | 2680 | Paagkq32.exe | 35
PID 2644 wrote to memory of 440 | 2644 | Pgnpcg32.exe | 36
PID 2644 wrote to memory of 440 | 2644 | Pgnpcg32.exe | 36
PID 2644 wrote to memory of 440 | 2644 | Pgnpcg32.exe | 36
PID 2644 wrote to memory of 440 | 2644 | Pgnpcg32.exe | 36
PID 440 wrote to memory of 2664 | 440 | Pqfdlmic.exe | 37
PID 440 wrote to memory of 2664 | 440 | Pqfdlmic.exe | 37
PID 440 wrote to memory of 2664 | 440 | Pqfdlmic.exe | 37
PID 440 wrote to memory of 2664 | 440 | Pqfdlmic.exe | 37
PID 2664 wrote to memory of 2868 | 2664 | Qklhifhi.exe | 38
PID 2664 wrote to memory of 2868 | 2664 | Qklhifhi.exe | 38
PID 2664 wrote to memory of 2868 | 2664 | Qklhifhi.exe | 38
PID 2664 wrote to memory of 2868 | 2664 | Qklhifhi.exe | 38
PID 2868 wrote to memory of 2912 | 2868 | Qbfqfppe.exe | 39
PID 2868 wrote to memory of 2912 | 2868 | Qbfqfppe.exe | 39
PID 2868 wrote to memory of 2912 | 2868 | Qbfqfppe.exe | 39
PID 2868 wrote to memory of 2912 | 2868 | Qbfqfppe.exe | 39
PID 2912 wrote to memory of 2952 | 2912 | Qkoeoe32.exe | 40
PID 2912 wrote to memory of 2952 | 2912 | Qkoeoe32.exe | 40
PID 2912 wrote to memory of 2952 | 2912 | Qkoeoe32.exe | 40
PID 2912 wrote to memory of 2952 | 2912 | Qkoeoe32.exe | 40
PID 2952 wrote to memory of 3024 | 2952 | Qmpafnld.exe | 41
PID 2952 wrote to memory of 3024 | 2952 | Qmpafnld.exe | 41
PID 2952 wrote to memory of 3024 | 2952 | Qmpafnld.exe | 41
PID 2952 wrote to memory of 3024 | 2952 | Qmpafnld.exe | 41
PID 3024 wrote to memory of 2416 | 3024 | Acjjch32.exe | 42
PID 3024 wrote to memory of 2416 | 3024 | Acjjch32.exe | 42
PID 3024 wrote to memory of 2416 | 3024 | Acjjch32.exe | 42
PID 3024 wrote to memory of 2416 | 3024 | Acjjch32.exe | 42
PID 2416 wrote to memory of 2436 | 2416 | Aqnjml32.exe | 43
PID 2416 wrote to memory of 2436 | 2416 | Aqnjml32.exe | 43
PID 2416 wrote to memory of 2436 | 2416 | Aqnjml32.exe | 43
PID 2416 wrote to memory of 2436 | 2416 | Aqnjml32.exe | 43
PID 2436 wrote to memory of 2372 | 2436 | Aiioanpf.exe | 44
PID 2436 wrote to memory of 2372 | 2436 | Aiioanpf.exe | 44
PID 2436 wrote to memory of 2372 | 2436 | Aiioanpf.exe | 44
PID 2436 wrote to memory of 2372 | 2436 | Aiioanpf.exe | 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\6aecdcdda1d3f0aa3023beb2f02c0164757068e64e7c235a5f156da5139c78c0.exe (command line: "C:\Users\Admin\AppData\Local\Temp\6aecdcdda1d3f0aa3023beb2f02c0164757068e64e7c235a5f156da5139c78c0.exe"; depth 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2256
-
C:\Windows\SysWOW64\Pefmkpbl.exe (command line: C:\Windows\system32\Pefmkpbl.exe; depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 3040
-
C:\Windows\SysWOW64\Ponadfim.exe (command line: C:\Windows\system32\Ponadfim.exe; depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2320
-
C:\Windows\SysWOW64\Plbbmjhf.exe (command line: C:\Windows\system32\Plbbmjhf.exe; depth 4)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2780
-
C:\Windows\SysWOW64\Pekffp32.exe (command line: C:\Windows\system32\Pekffp32.exe; depth 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2672
-
C:\Windows\SysWOW64\Pldobjec.exe (command line: C:\Windows\system32\Pldobjec.exe; depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2988
-
C:\Windows\SysWOW64\Paagkq32.exe (command line: C:\Windows\system32\Paagkq32.exe; depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2680
-
C:\Windows\SysWOW64\Pgnpcg32.exe (command line: C:\Windows\system32\Pgnpcg32.exe; depth 8)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2644
-
C:\Windows\SysWOW64\Pqfdlmic.exe (command line: C:\Windows\system32\Pqfdlmic.exe; depth 9)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 440
-
C:\Windows\SysWOW64\Qklhifhi.exe (command line: C:\Windows\system32\Qklhifhi.exe; depth 10)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2664
-
C:\Windows\SysWOW64\Qbfqfppe.exe (command line: C:\Windows\system32\Qbfqfppe.exe; depth 11)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2868
-
C:\Windows\SysWOW64\Qkoeoe32.exe (command line: C:\Windows\system32\Qkoeoe32.exe; depth 12)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2912
-
C:\Windows\SysWOW64\Qmpafnld.exe (command line: C:\Windows\system32\Qmpafnld.exe; depth 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2952
-
C:\Windows\SysWOW64\Acjjch32.exe (command line: C:\Windows\system32\Acjjch32.exe; depth 14)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 3024
-
C:\Windows\SysWOW64\Aqnjml32.exe (command line: C:\Windows\system32\Aqnjml32.exe; depth 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2416
-
C:\Windows\SysWOW64\Aiioanpf.exe (command line: C:\Windows\system32\Aiioanpf.exe; depth 16)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2436
-
C:\Windows\SysWOW64\Aqpgblqh.exe (command line: C:\Windows\system32\Aqpgblqh.exe; depth 17)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 2372
-
C:\Windows\SysWOW64\Aikkgnnc.exe (command line: C:\Windows\system32\Aikkgnnc.exe; depth 18)
- Executes dropped EXE
- Loads dropped DLL
PID: 392
-
C:\Windows\SysWOW64\Abcppcdc.exe (command line: C:\Windows\system32\Abcppcdc.exe; depth 19)
- Executes dropped EXE
- Loads dropped DLL
PID: 936
-
C:\Windows\SysWOW64\Afolpb32.exe (command line: C:\Windows\system32\Afolpb32.exe; depth 20)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1088
-
C:\Windows\SysWOW64\Akldhi32.exe (command line: C:\Windows\system32\Akldhi32.exe; depth 21)
- Executes dropped EXE
- Loads dropped DLL
PID: 588
-
C:\Windows\SysWOW64\Anjqdd32.exe (command line: C:\Windows\system32\Anjqdd32.exe; depth 22)
- Executes dropped EXE
- Loads dropped DLL
PID: 524
-
C:\Windows\SysWOW64\Aediaoae.exe (command line: C:\Windows\system32\Aediaoae.exe; depth 23)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 2224
-
C:\Windows\SysWOW64\Aipebm32.exe (command line: C:\Windows\system32\Aipebm32.exe; depth 24)
- Executes dropped EXE
- Loads dropped DLL
PID: 992
-
C:\Windows\SysWOW64\Bojmogak.exe (command line: C:\Windows\system32\Bojmogak.exe; depth 25)
- Executes dropped EXE
- Loads dropped DLL
PID: 2112
-
C:\Windows\SysWOW64\Bnmmjd32.exe (command line: C:\Windows\system32\Bnmmjd32.exe; depth 26)
- Executes dropped EXE
- Loads dropped DLL
PID: 1568
-
C:\Windows\SysWOW64\Begegn32.exe (command line: C:\Windows\system32\Begegn32.exe; depth 27)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1588
-
C:\Windows\SysWOW64\Bbkfpb32.exe (command line: C:\Windows\system32\Bbkfpb32.exe; depth 28)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 868
-
C:\Windows\SysWOW64\Bamfloef.exe (command line: C:\Windows\system32\Bamfloef.exe; depth 29)
- Executes dropped EXE
- Loads dropped DLL
PID: 2408
-
C:\Windows\SysWOW64\Bkckihel.exe (command line: C:\Windows\system32\Bkckihel.exe; depth 30)
- Executes dropped EXE
- Loads dropped DLL
PID: 2824
-
C:\Windows\SysWOW64\Bmdgqp32.exe (command line: C:\Windows\system32\Bmdgqp32.exe; depth 31)
- Executes dropped EXE
- Loads dropped DLL
PID: 3048
-
C:\Windows\SysWOW64\Bekobn32.exe (command line: C:\Windows\system32\Bekobn32.exe; depth 32)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 2116
-
C:\Windows\SysWOW64\Bndckc32.exe (command line: C:\Windows\system32\Bndckc32.exe; depth 33)
- Executes dropped EXE
PID: 2840
-
C:\Windows\SysWOW64\Bcqlcj32.exe (command line: C:\Windows\system32\Bcqlcj32.exe; depth 34)
- Executes dropped EXE
PID: 2616
-
C:\Windows\SysWOW64\Badlln32.exe (command line: C:\Windows\system32\Badlln32.exe; depth 35)
- Executes dropped EXE
PID: 3032
-
C:\Windows\SysWOW64\Bccihj32.exe (command line: C:\Windows\system32\Bccihj32.exe; depth 36)
- Executes dropped EXE
PID: 2296
-
C:\Windows\SysWOW64\Cjmaed32.exe (command line: C:\Windows\system32\Cjmaed32.exe; depth 37)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2504
-
C:\Windows\SysWOW64\Cpjimk32.exe (command line: C:\Windows\system32\Cpjimk32.exe; depth 38)
- Executes dropped EXE
PID: 836
-
C:\Windows\SysWOW64\Cfcajekc.exe (command line: C:\Windows\system32\Cfcajekc.exe; depth 39)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1908
-
C:\Windows\SysWOW64\Coofoghn.exe (command line: C:\Windows\system32\Coofoghn.exe; depth 40)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 2944
-
C:\Windows\SysWOW64\Cpnchjpa.exe (command line: C:\Windows\system32\Cpnchjpa.exe; depth 41)
- Executes dropped EXE
PID: 1276
-
C:\Windows\SysWOW64\Capopb32.exe (command line: C:\Windows\system32\Capopb32.exe; depth 42)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2368
-
C:\Windows\SysWOW64\Chigmlml.exe (command line: C:\Windows\system32\Chigmlml.exe; depth 43)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1996
-
C:\Windows\SysWOW64\Chldbl32.exe (command line: C:\Windows\system32\Chldbl32.exe; depth 44)
- Executes dropped EXE
PID: 564
-
C:\Windows\SysWOW64\Dhnahl32.exe (command line: C:\Windows\system32\Dhnahl32.exe; depth 45)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 2444
-
C:\Windows\SysWOW64\Dfaachpa.exe (command line: C:\Windows\system32\Dfaachpa.exe; depth 46)
- Executes dropped EXE
PID: 2528
-
C:\Windows\SysWOW64\Dohiefpc.exe (command line: C:\Windows\system32\Dohiefpc.exe; depth 47)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1528
-
C:\Windows\SysWOW64\Dmkipb32.exe (command line: C:\Windows\system32\Dmkipb32.exe; depth 48)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1524
-
C:\Windows\SysWOW64\Dpifln32.exe (command line: C:\Windows\system32\Dpifln32.exe; depth 49)
- Executes dropped EXE
PID: 1820
-
C:\Windows\SysWOW64\Dhqnnk32.exe (command line: C:\Windows\system32\Dhqnnk32.exe; depth 50)
- Executes dropped EXE
PID: 1684
-
C:\Windows\SysWOW64\Dkojjgfg.exe (command line: C:\Windows\system32\Dkojjgfg.exe; depth 51)
- Executes dropped EXE
PID: 2264
-
C:\Windows\SysWOW64\Dmmffbek.exe (command line: C:\Windows\system32\Dmmffbek.exe; depth 52)
- Executes dropped EXE
- Modifies registry class
PID: 2060
-
C:\Windows\SysWOW64\Ddgnbl32.exe (command line: C:\Windows\system32\Ddgnbl32.exe; depth 53)
- Executes dropped EXE
PID: 940
-
C:\Windows\SysWOW64\Dbjonicb.exe (command line: C:\Windows\system32\Dbjonicb.exe; depth 54)
- Executes dropped EXE
PID: 2852
-
C:\Windows\SysWOW64\Didgkc32.exe (command line: C:\Windows\system32\Didgkc32.exe; depth 55)
- Executes dropped EXE
PID: 2980
-
C:\Windows\SysWOW64\Dlbcgo32.exe (command line: C:\Windows\system32\Dlbcgo32.exe; depth 56)
- Executes dropped EXE
PID: 2732
-
C:\Windows\SysWOW64\Ddjkhl32.exe (command line: C:\Windows\system32\Ddjkhl32.exe; depth 57)
- Executes dropped EXE
- Modifies registry class
PID: 1632
-
C:\Windows\SysWOW64\Dghgdg32.exe (command line: C:\Windows\system32\Dghgdg32.exe; depth 58)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 2748
-
C:\Windows\SysWOW64\Difcpc32.exe (command line: C:\Windows\system32\Difcpc32.exe; depth 59)
- Executes dropped EXE
- Modifies registry class
PID: 2948
-
C:\Windows\SysWOW64\Dmbpaa32.exe (command line: C:\Windows\system32\Dmbpaa32.exe; depth 60)
- Executes dropped EXE
PID: 1036
-
C:\Windows\SysWOW64\Dcohih32.exe (command line: C:\Windows\system32\Dcohih32.exe; depth 61)
- Executes dropped EXE
PID: 1640
-
C:\Windows\SysWOW64\Dgjdjghf.exe (command line: C:\Windows\system32\Dgjdjghf.exe; depth 62)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2984
-
C:\Windows\SysWOW64\Eemded32.exe (command line: C:\Windows\system32\Eemded32.exe; depth 63)
- Executes dropped EXE
PID: 2088
-
C:\Windows\SysWOW64\Eiipfbgj.exe (command line: C:\Windows\system32\Eiipfbgj.exe; depth 64)
- Executes dropped EXE
PID: 2392
-
C:\Windows\SysWOW64\Elgmbnfn.exe (command line: C:\Windows\system32\Elgmbnfn.exe; depth 65)
- Executes dropped EXE
PID: 2956
-
C:\Windows\SysWOW64\Epchbm32.exe (command line: C:\Windows\system32\Epchbm32.exe; depth 66)
PID: 1480
-
C:\Windows\SysWOW64\Ecaeoh32.exe (command line: C:\Windows\system32\Ecaeoh32.exe; depth 67)
PID: 828
-
C:\Windows\SysWOW64\Eadejede.exe (command line: C:\Windows\system32\Eadejede.exe; depth 68)
PID: 1472
-
C:\Windows\SysWOW64\Eikmkbeg.exe (command line: C:\Windows\system32\Eikmkbeg.exe; depth 69)
- Drops file in System32 directory
PID: 1644
-
C:\Windows\SysWOW64\Eljihn32.exe (command line: C:\Windows\system32\Eljihn32.exe; depth 70)
PID: 1460
-
C:\Windows\SysWOW64\Eohedi32.exe (command line: C:\Windows\system32\Eohedi32.exe; depth 71)
- Modifies registry class
PID: 1808
-
C:\Windows\SysWOW64\Eafapd32.exe (command line: C:\Windows\system32\Eafapd32.exe; depth 72)
PID: 2052
-
C:\Windows\SysWOW64\Edenlp32.exe (command line: C:\Windows\system32\Edenlp32.exe; depth 73)
PID: 1696
-
C:\Windows\SysWOW64\Ehpjmoio.exe (command line: C:\Windows\system32\Ehpjmoio.exe; depth 74)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 2796
-
C:\Windows\SysWOW64\Ekofijic.exe (command line: C:\Windows\system32\Ekofijic.exe; depth 75)
- Modifies registry class
PID: 2280
-
C:\Windows\SysWOW64\Eojbii32.exe (command line: C:\Windows\system32\Eojbii32.exe; depth 76)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 2348
-
C:\Windows\SysWOW64\Eained32.exe (command line: C:\Windows\system32\Eained32.exe; depth 77)
PID: 2180
-
C:\Windows\SysWOW64\Edgkap32.exe (command line: C:\Windows\system32\Edgkap32.exe; depth 78)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2440
-
C:\Windows\SysWOW64\Egegnk32.exe (command line: C:\Windows\system32\Egegnk32.exe; depth 79)
- Drops file in System32 directory
PID: 2928
-
C:\Windows\SysWOW64\Enpoje32.exe (command line: C:\Windows\system32\Enpoje32.exe; depth 80)
PID: 2920
-
C:\Windows\SysWOW64\Epnkfq32.exe (command line: C:\Windows\system32\Epnkfq32.exe; depth 81)
- Modifies registry class
PID: 2036
-
C:\Windows\SysWOW64\Ehechn32.exe (command line: C:\Windows\system32\Ehechn32.exe; depth 82)
PID: 3012
-
C:\Windows\SysWOW64\Eghcckld.exe (command line: C:\Windows\system32\Eghcckld.exe; depth 83)
PID: 920
-
C:\Windows\SysWOW64\Ejfpofkh.exe (command line: C:\Windows\system32\Ejfpofkh.exe; depth 84)
PID: 2012
-
C:\Windows\SysWOW64\Famhqclj.exe (command line: C:\Windows\system32\Famhqclj.exe; depth 85)
PID: 2492
-
C:\Windows\SysWOW64\Fpphlp32.exe (command line: C:\Windows\system32\Fpphlp32.exe; depth 86)
- Drops file in System32 directory
PID: 1248
-
C:\Windows\SysWOW64\Fgjpijjb.exe (command line: C:\Windows\system32\Fgjpijjb.exe; depth 87)
PID: 2240
-
C:\Windows\SysWOW64\Fjimefie.exe (command line: C:\Windows\system32\Fjimefie.exe; depth 88)
PID: 2244
-
C:\Windows\SysWOW64\Flgiaa32.exe (command line: C:\Windows\system32\Flgiaa32.exe; depth 89)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 2720
-
C:\Windows\SysWOW64\Fqbeapqb.exe (command line: C:\Windows\system32\Fqbeapqb.exe; depth 90)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2632
-
C:\Windows\SysWOW64\Fgmmnj32.exe (command line: C:\Windows\system32\Fgmmnj32.exe; depth 91)
PID: 2432
-
C:\Windows\SysWOW64\Fqeagpop.exe (command line: C:\Windows\system32\Fqeagpop.exe; depth 92)
PID: 2932
-
C:\Windows\SysWOW64\Fccncknc.exe (command line: C:\Windows\system32\Fccncknc.exe; depth 93)
PID: 2636
-
C:\Windows\SysWOW64\Ffbjpfmg.exe (command line: C:\Windows\system32\Ffbjpfmg.exe; depth 94)
- Modifies registry class
PID: 2108
-
C:\Windows\SysWOW64\Fhpflblk.exe (command line: C:\Windows\system32\Fhpflblk.exe; depth 95)
PID: 880
-
C:\Windows\SysWOW64\Fmlblq32.exe (command line: C:\Windows\system32\Fmlblq32.exe; depth 96)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2964
-
C:\Windows\SysWOW64\Fojnhlch.exe (command line: C:\Windows\system32\Fojnhlch.exe; depth 97)
PID: 472
-
C:\Windows\SysWOW64\Fbhkdgbk.exe (command line: C:\Windows\system32\Fbhkdgbk.exe; depth 98)
- Drops file in System32 directory
PID: 2304
-
C:\Windows\SysWOW64\Fmnoapba.exe (command line: C:\Windows\system32\Fmnoapba.exe; depth 99)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 3052
-
C:\Windows\SysWOW64\Fchgnj32.exe (command line: C:\Windows\system32\Fchgnj32.exe; depth 100)
- Modifies registry class
PID: 692
-
C:\Windows\SysWOW64\Fdicfbpl.exe (command line: C:\Windows\system32\Fdicfbpl.exe; depth 101)
PID: 1712
-
C:\Windows\SysWOW64\Gmqlgppo.exe (command line: C:\Windows\system32\Gmqlgppo.exe; depth 102)
PID: 2828
-
C:\Windows\SysWOW64\Gkclcm32.exe (command line: C:\Windows\system32\Gkclcm32.exe; depth 103)
PID: 2768
-
C:\Windows\SysWOW64\Goohckob.exe (command line: C:\Windows\system32\Goohckob.exe; depth 104)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 2776
-
C:\Windows\SysWOW64\Gbmdpg32.exe (command line: C:\Windows\system32\Gbmdpg32.exe; depth 105)
- Drops file in System32 directory
- Modifies registry class
PID: 2624
-
C:\Windows\SysWOW64\Gigllafc.exe (command line: C:\Windows\system32\Gigllafc.exe; depth 106)
PID: 2848
-
C:\Windows\SysWOW64\Goadik32.exe (command line: C:\Windows\system32\Goadik32.exe; depth 107)
- Modifies registry class
PID: 2552
-
C:\Windows\SysWOW64\Gbpaef32.exe (command line: C:\Windows\system32\Gbpaef32.exe; depth 108)
- Modifies registry class
PID: 3036
-
C:\Windows\SysWOW64\Genmab32.exe (command line: C:\Windows\system32\Genmab32.exe; depth 109)
- Modifies registry class
PID: 996
-
C:\Windows\SysWOW64\Gkhenlcd.exe (command line: C:\Windows\system32\Gkhenlcd.exe; depth 110)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2404
-
C:\Windows\SysWOW64\Gjkeii32.exe (command line: C:\Windows\system32\Gjkeii32.exe; depth 111)
- Drops file in System32 directory
PID: 2652
-
C:\Windows\SysWOW64\Gbbnkfjq.exe (command line: C:\Windows\system32\Gbbnkfjq.exe; depth 112)
PID: 1656
-
C:\Windows\SysWOW64\Gepjgaid.exe (command line: C:\Windows\system32\Gepjgaid.exe; depth 113)
PID: 112
-
C:\Windows\SysWOW64\Gninpg32.exe (command line: C:\Windows\system32\Gninpg32.exe; depth 114)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2156
-
C:\Windows\SysWOW64\Gqgjlb32.exe (command line: C:\Windows\system32\Gqgjlb32.exe; depth 115)
PID: 2592
-
C:\Windows\SysWOW64\Gceghn32.exe (command line: C:\Windows\system32\Gceghn32.exe; depth 116)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 2564
-
C:\Windows\SysWOW64\Gfdcdi32.exe (command line: C:\Windows\system32\Gfdcdi32.exe; depth 117)
PID: 2604
-
C:\Windows\SysWOW64\Gnkkeg32.exe (command line: C:\Windows\system32\Gnkkeg32.exe; depth 118)
- Drops file in System32 directory
PID: 1648
-
C:\Windows\SysWOW64\Gaigab32.exe (command line: C:\Windows\system32\Gaigab32.exe; depth 119)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1504
-
C:\Windows\SysWOW64\Hchcmnlj.exe (command line: C:\Windows\system32\Hchcmnlj.exe; depth 120)
- Modifies registry class
PID: 1812
-
C:\Windows\SysWOW64\Hjbljh32.exe (command line: C:\Windows\system32\Hjbljh32.exe; depth 121)
PID: 1532
-
C:\Windows\SysWOW64\Hidledja.exe (command line: C:\Windows\system32\Hidledja.exe; depth 122)
- Drops file in System32 directory
PID: 872