Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
08-07-2024 04:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba.exe
-
Size
89KB
-
MD5
789bcb361da0b77d436586949b658b4d
-
SHA1
909e8d7f48abd328801e4ce7f538acb8458ba285
-
SHA256
d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba
-
SHA512
9b70295d7bd85d09a9af580f58f966efa373d69223387fe8e37c7cf30252ee757286aaccec5eada7a53ea533adb019854f3c33f31f5bb13553e471428a12361f
-
SSDEEP
1536:jqKUmaZkVfIrWQLvilUNX7JFDMQ7CcXlExkg8F:MuVfIHzilq7L7CcXlakgw
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfahhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chbjffad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Habfipdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecpgmhai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpapln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjongcbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naajoinb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejgcdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhick32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plcdgfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djefobmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmmiij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lphhenhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flgeqgog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjmaaddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcefji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdniqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epfhbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eecqjpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddigjkid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lclnemgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdlhjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chemfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgnfhlin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkpagq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niebhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eccmffjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbfbgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofelmloo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fenmdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfjhgdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogjimd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lojomkdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogblbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpgljfbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cahail32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefhhbef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Maoajf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnfhlin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epfhbign.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajejgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmjojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hakphqja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfqahgpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpbefoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhljdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Libicbma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkndaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjpacfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbamma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqdipqbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dggcffhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmpkjkma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilncom32.exe -
Executes dropped EXE 64 IoCs
pid Process 2664 Onbddoog.exe 2624 Ogjimd32.exe 2596 Omgaek32.exe 2672 Ofpfnqjp.exe 2648 Paejki32.exe 2268 Pgobhcac.exe 1600 Pmlkpjpj.exe 1368 Pfdpip32.exe 2576 Pmnhfjmg.exe 1744 Pbkpna32.exe 1928 Peiljl32.exe 2080 Plcdgfbo.exe 676 Pelipl32.exe 2692 Ppamme32.exe 1616 Penfelgm.exe 2756 Qhmbagfa.exe 1524 Qhooggdn.exe 452 Qjmkcbcb.exe 2312 Qagcpljo.exe 1200 Adeplhib.exe 2072 Amndem32.exe 940 Ahchbf32.exe 2856 Ajbdna32.exe 2752 Aiedjneg.exe 1456 Afiecb32.exe 2188 Apajlhka.exe 1548 Abpfhcje.exe 2496 Aiinen32.exe 2600 Aoffmd32.exe 2636 Ailkjmpo.exe 2532 Bebkpn32.exe 2376 Bhahlj32.exe 2308 Bhcdaibd.exe 1956 Bommnc32.exe 2436 Begeknan.exe 1220 Bhfagipa.exe 2016 Banepo32.exe 2004 Bkfjhd32.exe 1692 Baqbenep.exe 2700 Bcaomf32.exe 276 Ckignd32.exe 1572 Cljcelan.exe 1424 Cdakgibq.exe 2332 Cllpkl32.exe 2772 Coklgg32.exe 3016 Cgbdhd32.exe 1284 Chcqpmep.exe 912 Comimg32.exe 2860 Cbkeib32.exe 1680 Cjbmjplb.exe 1500 Chemfl32.exe 2516 Ckdjbh32.exe 2632 Copfbfjj.exe 2608 Cbnbobin.exe 2400 Cdlnkmha.exe 2368 Ckffgg32.exe 2816 Cndbcc32.exe 1764 Ddokpmfo.exe 1748 Dhjgal32.exe 1844 Dodonf32.exe 1472 Dngoibmo.exe 2036 Dqelenlc.exe 2704 Dhmcfkme.exe 844 Djnpnc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2176 d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba.exe 2176 d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba.exe 2664 Onbddoog.exe 2664 Onbddoog.exe 2624 Ogjimd32.exe 2624 Ogjimd32.exe 2596 Omgaek32.exe 2596 Omgaek32.exe 2672 Ofpfnqjp.exe 2672 Ofpfnqjp.exe 2648 Paejki32.exe 2648 Paejki32.exe 2268 Pgobhcac.exe 2268 Pgobhcac.exe 1600 Pmlkpjpj.exe 1600 Pmlkpjpj.exe 1368 Pfdpip32.exe 1368 Pfdpip32.exe 2576 Pmnhfjmg.exe 2576 Pmnhfjmg.exe 1744 Pbkpna32.exe 1744 Pbkpna32.exe 1928 Peiljl32.exe 1928 Peiljl32.exe 2080 Plcdgfbo.exe 2080 Plcdgfbo.exe 676 Pelipl32.exe 676 Pelipl32.exe 2692 Ppamme32.exe 2692 Ppamme32.exe 1616 Penfelgm.exe 1616 Penfelgm.exe 2756 Qhmbagfa.exe 2756 Qhmbagfa.exe 1524 Qhooggdn.exe 1524 Qhooggdn.exe 452 Qjmkcbcb.exe 452 Qjmkcbcb.exe 2312 Qagcpljo.exe 2312 Qagcpljo.exe 1200 Adeplhib.exe 1200 Adeplhib.exe 2072 Amndem32.exe 2072 Amndem32.exe 940 Ahchbf32.exe 940 Ahchbf32.exe 2856 Ajbdna32.exe 2856 Ajbdna32.exe 2752 Aiedjneg.exe 2752 Aiedjneg.exe 1456 Afiecb32.exe 1456 Afiecb32.exe 2188 Apajlhka.exe 2188 Apajlhka.exe 1548 Abpfhcje.exe 1548 Abpfhcje.exe 2496 Aiinen32.exe 2496 Aiinen32.exe 2600 Aoffmd32.exe 2600 Aoffmd32.exe 2636 Ailkjmpo.exe 2636 Ailkjmpo.exe 2532 Bebkpn32.exe 2532 Bebkpn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hdlhjl32.exe Hanlnp32.exe File created C:\Windows\SysWOW64\Kbelde32.dll Lfdmggnm.exe File created C:\Windows\SysWOW64\Banepo32.exe Bhfagipa.exe File created C:\Windows\SysWOW64\Lldlqakb.exe Kifpdelo.exe File created C:\Windows\SysWOW64\Gogcek32.dll Ebmgcohn.exe File opened for modification C:\Windows\SysWOW64\Fidoim32.exe Effcma32.exe File opened for modification C:\Windows\SysWOW64\Jmjjea32.exe Jfqahgpg.exe File created C:\Windows\SysWOW64\Apmabnaj.dll Pcnbablo.exe File created C:\Windows\SysWOW64\Padajbnl.dll Knklagmb.exe File created C:\Windows\SysWOW64\Fejgko32.exe Fjdbnf32.exe File created C:\Windows\SysWOW64\Gpknlk32.exe Fiaeoang.exe File created C:\Windows\SysWOW64\Kokbpahm.dll Kcfkfo32.exe File opened for modification C:\Windows\SysWOW64\Niebhf32.exe Ngfflj32.exe File created C:\Windows\SysWOW64\Aefeijle.exe Afcenm32.exe File created C:\Windows\SysWOW64\Dkqbaecc.exe Ddgjdk32.exe File created C:\Windows\SysWOW64\Libicbma.exe Lfdmggnm.exe File created C:\Windows\SysWOW64\Hpenlb32.dll Ckffgg32.exe File opened for modification C:\Windows\SysWOW64\Lijjoe32.exe Lbqabkql.exe File created C:\Windows\SysWOW64\Mkcggqfg.dll Hmdmcanc.exe File opened for modification C:\Windows\SysWOW64\Cohigamf.exe Clilkfnb.exe File created C:\Windows\SysWOW64\Fkahhbbj.dll Dbehoa32.exe File created C:\Windows\SysWOW64\Nbpiak32.dll Lojomkdn.exe File created C:\Windows\SysWOW64\Lanaiahq.exe Knpemf32.exe File created C:\Windows\SysWOW64\Jfnnha32.exe Jocflgga.exe File created C:\Windows\SysWOW64\Peiljl32.exe Pbkpna32.exe File opened for modification C:\Windows\SysWOW64\Fbdjbaea.exe Fjmaaddo.exe File created C:\Windows\SysWOW64\Pjehnpjo.dll Gdllkhdg.exe File opened for modification C:\Windows\SysWOW64\Cjbmjplb.exe Cbkeib32.exe File created C:\Windows\SysWOW64\Iaeldika.dll Fhhcgj32.exe File created C:\Windows\SysWOW64\Gdamqndn.exe Geolea32.exe File created C:\Windows\SysWOW64\Mmldme32.exe Mkmhaj32.exe File created C:\Windows\SysWOW64\Qagcpljo.exe Qjmkcbcb.exe File opened for modification C:\Windows\SysWOW64\Omfkke32.exe Ofmbnkhg.exe File created C:\Windows\SysWOW64\Egahmk32.dll Okikfagn.exe File created C:\Windows\SysWOW64\Ogjimd32.exe Onbddoog.exe File opened for modification C:\Windows\SysWOW64\Qjmkcbcb.exe Qhooggdn.exe File created C:\Windows\SysWOW64\Jqgoiokm.exe Jnicmdli.exe File created C:\Windows\SysWOW64\Kneicieh.exe Kgkafo32.exe File created C:\Windows\SysWOW64\Fjngcolf.dll Lbfdaigg.exe File created C:\Windows\SysWOW64\Okikfagn.exe Omfkke32.exe File opened for modification C:\Windows\SysWOW64\Bebkpn32.exe Ailkjmpo.exe File opened for modification C:\Windows\SysWOW64\Hdildlie.exe Hakphqja.exe File opened for modification C:\Windows\SysWOW64\Ngpolo32.exe Ndbcpd32.exe File created C:\Windows\SysWOW64\Obafnlpn.exe Oobjaqaj.exe File created C:\Windows\SysWOW64\Hdihmjpf.dll Ajhgmpfg.exe File created C:\Windows\SysWOW64\Behnnm32.exe Bbjbaa32.exe File created C:\Windows\SysWOW64\Lqamandk.dll Amndem32.exe File created C:\Windows\SysWOW64\Cabknqko.dll Hpmgqnfl.exe File created C:\Windows\SysWOW64\Nnmphi32.dll Nlphkb32.exe File opened for modification C:\Windows\SysWOW64\Ipgbjl32.exe Inifnq32.exe File created C:\Windows\SysWOW64\Incbogkn.dll Nmnace32.exe File opened for modification C:\Windows\SysWOW64\Eeqdep32.exe Ecpgmhai.exe File created C:\Windows\SysWOW64\Ionkallc.dll Ombapedi.exe File created C:\Windows\SysWOW64\Bgmlpbdc.dll Pnjdhmdo.exe File created C:\Windows\SysWOW64\Ginnnooi.exe Gfobbc32.exe File created C:\Windows\SysWOW64\Kgcampld.dll Eeqdep32.exe File opened for modification C:\Windows\SysWOW64\Bghjhp32.exe Bmpfojmp.exe File created C:\Windows\SysWOW64\Icmegf32.exe Ioaifhid.exe File opened for modification C:\Windows\SysWOW64\Afcenm32.exe Anlmmp32.exe File opened for modification C:\Windows\SysWOW64\Dolnad32.exe Dkqbaecc.exe File opened for modification C:\Windows\SysWOW64\Bhigphio.exe Bekkcljk.exe File created C:\Windows\SysWOW64\Dbhnhp32.exe Djmicm32.exe File created C:\Windows\SysWOW64\Figlolbf.exe Fekpnn32.exe File created C:\Windows\SysWOW64\Ifiacd32.dll Fncdgcqm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5312 5300 WerFault.exe 573 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahikqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egoife32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bioqclil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebmgcohn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpcqaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iipgcaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqmmidel.dll" Mggpgmof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcegmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nodgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaaldl32.dll" Fbamma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifkacb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldjnfaf.dll" Iccbqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ioaifhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoacn32.dll" Mlibjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfgdhjmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igakgfpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djklnnaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkfeekif.dll" Gfobbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Miooigfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdacap32.dll" Eojnkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilncom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejgcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbqabkql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cddaphkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmebnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nigome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obojmk32.dll" Hdildlie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagmdc32.dll" Aiedjneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdniqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfnnha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopekk32.dll" Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhghcb32.dll" Fcefji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlejpga.dll" Jghmfhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knpemf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amhpnkch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogilika.dll" Ccngld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Peiljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhahlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anojbobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kaldcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gljilnja.dll" Pciifc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll" Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabqfggi.dll" Lmgocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcfqkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adeplhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pqkmjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhndldcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihgainbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ennaieib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Facdeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgoboqcm.dll" Ngpolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdobjm32.dll" Gnmgmbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kiqpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdiejho.dll" Bemgilhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekgednng.dll" Ecejkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmqgncdn.dll" Djefobmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igdogl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fncdgcqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhfagipa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccngld32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2176 wrote to memory of 2664 2176 d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba.exe 28 PID 2176 wrote to memory of 2664 2176 d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba.exe 28 PID 2176 wrote to memory of 2664 2176 d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba.exe 28 PID 2176 wrote to memory of 2664 2176 d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba.exe 28 PID 2664 wrote to memory of 2624 2664 Onbddoog.exe 29 PID 2664 wrote to memory of 2624 2664 Onbddoog.exe 29 PID 2664 wrote to memory of 2624 2664 Onbddoog.exe 29 PID 2664 wrote to memory of 2624 2664 Onbddoog.exe 29 PID 2624 wrote to memory of 2596 2624 Ogjimd32.exe 30 PID 2624 wrote to memory of 2596 2624 Ogjimd32.exe 30 PID 2624 wrote to memory of 2596 2624 Ogjimd32.exe 30 PID 2624 wrote to memory of 2596 2624 Ogjimd32.exe 30 PID 2596 wrote to memory of 2672 2596 Omgaek32.exe 31 PID 2596 wrote to memory of 2672 2596 Omgaek32.exe 31 PID 2596 wrote to memory of 2672 2596 Omgaek32.exe 31 PID 2596 wrote to memory of 2672 2596 Omgaek32.exe 31 PID 2672 wrote to memory of 2648 2672 Ofpfnqjp.exe 32 PID 2672 wrote to memory of 2648 2672 Ofpfnqjp.exe 32 PID 2672 wrote to memory of 2648 2672 Ofpfnqjp.exe 32 PID 2672 wrote to memory of 2648 2672 Ofpfnqjp.exe 32 PID 2648 wrote to memory of 2268 2648 Paejki32.exe 33 PID 2648 wrote to memory of 2268 2648 Paejki32.exe 33 PID 2648 wrote to memory of 2268 2648 Paejki32.exe 33 PID 2648 wrote to memory of 2268 2648 Paejki32.exe 33 PID 2268 wrote to memory of 1600 2268 Pgobhcac.exe 34 PID 2268 wrote to memory of 1600 2268 Pgobhcac.exe 34 PID 2268 wrote to memory of 1600 2268 Pgobhcac.exe 34 PID 2268 wrote to memory of 1600 2268 Pgobhcac.exe 34 PID 1600 wrote to memory of 1368 1600 Pmlkpjpj.exe 35 PID 1600 wrote to memory of 1368 1600 Pmlkpjpj.exe 35 PID 1600 wrote to memory of 1368 1600 Pmlkpjpj.exe 35 PID 1600 wrote to memory of 1368 1600 Pmlkpjpj.exe 35 PID 1368 wrote to memory of 2576 1368 Pfdpip32.exe 36 PID 1368 wrote to memory of 2576 1368 Pfdpip32.exe 36 PID 1368 wrote to memory of 2576 1368 Pfdpip32.exe 36 PID 1368 wrote to memory of 2576 1368 Pfdpip32.exe 36 PID 2576 wrote to memory of 1744 2576 Pmnhfjmg.exe 37 PID 2576 wrote to memory of 1744 2576 Pmnhfjmg.exe 37 PID 2576 wrote to memory of 1744 2576 Pmnhfjmg.exe 37 PID 2576 wrote to memory of 1744 2576 Pmnhfjmg.exe 37 PID 1744 wrote to memory of 1928 1744 Pbkpna32.exe 38 PID 1744 wrote to memory of 1928 1744 Pbkpna32.exe 38 PID 1744 wrote to memory of 1928 1744 Pbkpna32.exe 38 PID 1744 wrote to memory of 1928 1744 Pbkpna32.exe 38 PID 1928 wrote to memory of 2080 1928 Peiljl32.exe 39 PID 1928 wrote to memory of 2080 1928 Peiljl32.exe 39 PID 1928 wrote to memory of 2080 1928 Peiljl32.exe 39 PID 1928 wrote to memory of 2080 1928 Peiljl32.exe 39 PID 2080 wrote to memory of 676 2080 Plcdgfbo.exe 40 PID 2080 wrote to memory of 676 2080 Plcdgfbo.exe 40 PID 2080 wrote to memory of 676 2080 Plcdgfbo.exe 40 PID 2080 wrote to memory of 676 2080 Plcdgfbo.exe 40 PID 676 wrote to memory of 2692 676 Pelipl32.exe 41 PID 676 wrote to memory of 2692 676 Pelipl32.exe 41 PID 676 wrote to memory of 2692 676 Pelipl32.exe 41 PID 676 wrote to memory of 2692 676 Pelipl32.exe 41 PID 2692 wrote to memory of 1616 2692 Ppamme32.exe 42 PID 2692 wrote to memory of 1616 2692 Ppamme32.exe 42 PID 2692 wrote to memory of 1616 2692 Ppamme32.exe 42 PID 2692 wrote to memory of 1616 2692 Ppamme32.exe 42 PID 1616 wrote to memory of 2756 1616 Penfelgm.exe 43 PID 1616 wrote to memory of 2756 1616 Penfelgm.exe 43 PID 1616 wrote to memory of 2756 1616 Penfelgm.exe 43 PID 1616 wrote to memory of 2756 1616 Penfelgm.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba.exe"C:\Users\Admin\AppData\Local\Temp\d0d736a35a250d1e230c097fd70c9a73d793f9dbb986e8c11e92ee15587d2fba.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:452 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1200 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:940 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1456 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe34⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe35⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe36⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1220 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe38⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe39⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe40⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe41⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe42⤵
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe43⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe44⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe45⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe46⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe47⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe48⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe49⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe51⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe53⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe54⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe55⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe56⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe58⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe59⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe60⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe61⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe62⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe65⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe66⤵
- Drops file in System32 directory
PID:1060 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe67⤵PID:3012
-
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe68⤵PID:1248
-
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe69⤵PID:1864
-
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe70⤵PID:1740
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe71⤵PID:904
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe72⤵PID:1672
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe73⤵PID:2960
-
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe74⤵PID:2372
-
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe76⤵PID:2432
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe77⤵PID:1052
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe78⤵PID:2000
-
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe80⤵PID:876
-
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:300 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe82⤵
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe83⤵PID:1628
-
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2916 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe85⤵
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2888 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe87⤵PID:2788
-
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe88⤵PID:2180
-
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe89⤵PID:2012
-
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe90⤵PID:2284
-
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe91⤵
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe92⤵PID:2528
-
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe93⤵PID:2272
-
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe94⤵
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe95⤵PID:1728
-
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe96⤵
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe97⤵PID:1948
-
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe98⤵PID:552
-
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe99⤵PID:2100
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe100⤵
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe101⤵
- Modifies registry class
PID:1292 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe102⤵PID:1848
-
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe103⤵PID:1264
-
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe104⤵PID:2064
-
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe105⤵PID:1576
-
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe106⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe107⤵PID:3064
-
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe108⤵PID:2444
-
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe109⤵PID:548
-
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe110⤵
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe111⤵PID:2712
-
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe112⤵PID:1920
-
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe113⤵PID:3068
-
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe114⤵PID:1820
-
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe115⤵PID:924
-
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe116⤵PID:3036
-
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe117⤵PID:2620
-
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe118⤵PID:2484
-
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe119⤵
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe120⤵PID:1964
-
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe121⤵PID:1380
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-