Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
09-04-2024 19:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
051eba86155865043a89584f014b83f5.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
051eba86155865043a89584f014b83f5.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
051eba86155865043a89584f014b83f5.exe
-
Size
79KB
-
MD5
051eba86155865043a89584f014b83f5
-
SHA1
78e73031aec9a34c6ed07b1864ace05eaf4190ee
-
SHA256
e13f628d55ad9d32024f4677cd20ca27808e383493c0bd5a02cbb2343b018449
-
SHA512
6b05daa2ae9056a34bb08af1db613ff58e2ad86af117f21658b703af266d16b81bd45cdd8ca9cdd9fc03e9e08f08224b4821821a6068d0889470f195480dbe5a
-
SSDEEP
1536:9Y5C0vTGKWAHVIQlmUOJKGYyAwkMsAF1UExiFkSIgiItKq9v6DK:9W6KWAHVIQlROYHbxAXUExixtBtKq9vV
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbflib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nejiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgimmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moiklogi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfffnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbfjdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiomkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnbkddem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfenbpec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhmbagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jonplmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Limfed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nolhan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbfdjdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkfjhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmmcjehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbnemk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nocnbmoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qedhdjnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfadgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chpmpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oicpfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aigaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldidkbpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epdkli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkgkbipp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioijbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgdjnofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnqphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkgbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aidnohbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eplkpgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feeiob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkkemh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofmbnkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dookgcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igkdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjjacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfcnngnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkclhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qagcpljo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgaqgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdapak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekhhadmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejobhppq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpfhcje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nglfapnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngpolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjdfmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meigpkka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioijbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boqbfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqbddk32.exe -
Executes dropped EXE 64 IoCs
pid Process 2248 Lpeifeca.exe 2528 Lkkmdn32.exe 2388 Limmokib.exe 2732 Ldcamcih.exe 2576 Ldcamcih.exe 2412 Lkmjin32.exe 2328 Lipjejgp.exe 2368 Llnfaffc.exe 2716 Ldenbcge.exe 2100 Lgdjnofi.exe 1564 Libgjj32.exe 1132 Llqcfe32.exe 1280 Lplogdmj.exe 1964 Mgfgdn32.exe 2216 Meigpkka.exe 2188 Mhgclfje.exe 1408 Mlcple32.exe 1712 Moalhq32.exe 2004 Mcmhiojk.exe 3032 Mekdekin.exe 2344 Migpeiag.exe 1312 Mlelaeqk.exe 1796 Mcodno32.exe 240 Mdqafgnf.exe 1928 Mlgigdoh.exe 880 Mofecpnl.exe 2596 Madapkmp.exe 1500 Mkmfhacp.exe 2620 Mnkbdlbd.exe 2492 Magnek32.exe 2332 Mdejaf32.exe 1976 Mhqfbebj.exe 2864 Njbcim32.exe 396 Nnnojlpa.exe 1752 Nplkfgoe.exe 1552 Ncjgbcoi.exe 2128 Ngfcca32.exe 1688 Nkaocp32.exe 2196 Nnplpl32.exe 2060 Nlblkhei.exe 1484 Ndjdlffl.exe 1452 Ncmdhb32.exe 1148 Nghphaeo.exe 2880 Njgldmdc.exe 2752 Nnbhek32.exe 2956 Nleiqhcg.exe 1924 Nqqdag32.exe 900 Nocemcbj.exe 2348 Ncoamb32.exe 2284 Nfmmin32.exe 2524 Njiijlbp.exe 284 Nlgefh32.exe 2616 Nlgefh32.exe 1544 Nqcagfim.exe 2612 Nofabc32.exe 856 Ncancbha.exe 2452 Nfpjomgd.exe 2584 Njkfpl32.exe 2704 Nhnfkigh.exe 2268 Nbfjdn32.exe 2800 Ofbfdmeb.exe 840 Ohqbqhde.exe 2192 Omloag32.exe 1588 Okoomd32.exe -
Loads dropped DLL 64 IoCs
pid Process 1620 051eba86155865043a89584f014b83f5.exe 1620 051eba86155865043a89584f014b83f5.exe 2248 Lpeifeca.exe 2248 Lpeifeca.exe 2528 Lkkmdn32.exe 2528 Lkkmdn32.exe 2388 Limmokib.exe 2388 Limmokib.exe 2732 Ldcamcih.exe 2732 Ldcamcih.exe 2576 Ldcamcih.exe 2576 Ldcamcih.exe 2412 Lkmjin32.exe 2412 Lkmjin32.exe 2328 Lipjejgp.exe 2328 Lipjejgp.exe 2368 Llnfaffc.exe 2368 Llnfaffc.exe 2716 Ldenbcge.exe 2716 Ldenbcge.exe 2100 Lgdjnofi.exe 2100 Lgdjnofi.exe 1564 Libgjj32.exe 1564 Libgjj32.exe 1132 Llqcfe32.exe 1132 Llqcfe32.exe 1280 Lplogdmj.exe 1280 Lplogdmj.exe 1964 Mgfgdn32.exe 1964 Mgfgdn32.exe 2216 Meigpkka.exe 2216 Meigpkka.exe 2188 Mhgclfje.exe 2188 Mhgclfje.exe 1408 Mlcple32.exe 1408 Mlcple32.exe 1712 Moalhq32.exe 1712 Moalhq32.exe 2004 Mcmhiojk.exe 2004 Mcmhiojk.exe 3032 Mekdekin.exe 3032 Mekdekin.exe 2344 Migpeiag.exe 2344 Migpeiag.exe 1312 Mlelaeqk.exe 1312 Mlelaeqk.exe 1796 Mcodno32.exe 1796 Mcodno32.exe 240 Mdqafgnf.exe 240 Mdqafgnf.exe 1928 Mlgigdoh.exe 1928 Mlgigdoh.exe 880 Mofecpnl.exe 880 Mofecpnl.exe 2596 Madapkmp.exe 2596 Madapkmp.exe 1500 Mkmfhacp.exe 1500 Mkmfhacp.exe 2620 Mnkbdlbd.exe 2620 Mnkbdlbd.exe 2492 Magnek32.exe 2492 Magnek32.exe 2332 Mdejaf32.exe 2332 Mdejaf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Oiahfd32.dll Ahokfj32.exe File opened for modification C:\Windows\SysWOW64\Hjhhocjj.exe Hcnpbi32.exe File created C:\Windows\SysWOW64\Jooclokl.dll Kmmcjehm.exe File opened for modification C:\Windows\SysWOW64\Lojomkdn.exe Llkbap32.exe File created C:\Windows\SysWOW64\Mlkopcge.exe Mmhodf32.exe File created C:\Windows\SysWOW64\Nkkgfioo.dll Nncahjgl.exe File created C:\Windows\SysWOW64\Ncmdhb32.exe Ndjdlffl.exe File created C:\Windows\SysWOW64\Aimcgn32.dll Ajphib32.exe File created C:\Windows\SysWOW64\Bfjpdigc.dll Omdneebf.exe File created C:\Windows\SysWOW64\Dglpkenb.dll Cclkfdnc.exe File opened for modification C:\Windows\SysWOW64\Ckignd32.exe Bcaomf32.exe File created C:\Windows\SysWOW64\Bahbme32.dll Joifam32.exe File created C:\Windows\SysWOW64\Ekhhadmk.exe Egllae32.exe File opened for modification C:\Windows\SysWOW64\Enfenplo.exe Ejkima32.exe File opened for modification C:\Windows\SysWOW64\Ocajbekl.exe Oqcnfjli.exe File created C:\Windows\SysWOW64\Ahakmf32.exe Adeplhib.exe File created C:\Windows\SysWOW64\Glfhll32.exe Gdopkn32.exe File created C:\Windows\SysWOW64\Dlnbeh32.exe Dhbfdjdp.exe File created C:\Windows\SysWOW64\Gclcefmh.dll Cdakgibq.exe File opened for modification C:\Windows\SysWOW64\Gdopkn32.exe Gelppaof.exe File opened for modification C:\Windows\SysWOW64\Fdoclk32.exe Fpdhklkl.exe File created C:\Windows\SysWOW64\Bmfmjjgm.dll Abjebn32.exe File created C:\Windows\SysWOW64\Kmmcjehm.exe Kcdnao32.exe File created C:\Windows\SysWOW64\Lkppbl32.exe Lhbcfa32.exe File opened for modification C:\Windows\SysWOW64\Nondgn32.exe Nkbhgojk.exe File created C:\Windows\SysWOW64\Nghphaeo.exe Ncmdhb32.exe File opened for modification C:\Windows\SysWOW64\Icpigm32.exe Iqalka32.exe File created C:\Windows\SysWOW64\Ncgdbmmp.exe Nolhan32.exe File created C:\Windows\SysWOW64\Aafminbq.dll Bmpfojmp.exe File opened for modification C:\Windows\SysWOW64\Dkmmhf32.exe Dgaqgh32.exe File opened for modification C:\Windows\SysWOW64\Fmjejphb.exe Ffpmnf32.exe File opened for modification C:\Windows\SysWOW64\Ebmgcohn.exe Dookgcij.exe File opened for modification C:\Windows\SysWOW64\Eqpgol32.exe Ebmgcohn.exe File created C:\Windows\SysWOW64\Khejeajg.dll Hobcak32.exe File opened for modification C:\Windows\SysWOW64\Lbqabkql.exe Loeebl32.exe File created C:\Windows\SysWOW64\Oqhiplaj.dll Ahikqd32.exe File created C:\Windows\SysWOW64\Dmkmmi32.dll Eplkpgnh.exe File created C:\Windows\SysWOW64\Fmekoalh.exe Fnbkddem.exe File created C:\Windows\SysWOW64\Qlidlf32.dll Fphafl32.exe File opened for modification C:\Windows\SysWOW64\Lplogdmj.exe Llqcfe32.exe File created C:\Windows\SysWOW64\Ompoljfn.dll Obnqem32.exe File opened for modification C:\Windows\SysWOW64\Ncmdhb32.exe Ndjdlffl.exe File created C:\Windows\SysWOW64\Ldlimbcf.dll Kjjmbj32.exe File opened for modification C:\Windows\SysWOW64\Kaceodek.exe Kjjmbj32.exe File created C:\Windows\SysWOW64\Qcjfoqkg.dll Anojbobe.exe File created C:\Windows\SysWOW64\Ikbkhq32.dll Jonplmcb.exe File created C:\Windows\SysWOW64\Fogilika.dll Dgjclbdi.exe File created C:\Windows\SysWOW64\Moljch32.dll Qedhdjnh.exe File created C:\Windows\SysWOW64\Cpnojioo.exe Cnobnmpl.exe File created C:\Windows\SysWOW64\Dfgmhd32.exe Dgdmmgpj.exe File created C:\Windows\SysWOW64\Ebbgid32.exe Epdkli32.exe File created C:\Windows\SysWOW64\Loeebl32.exe Lbnemk32.exe File opened for modification C:\Windows\SysWOW64\Abpfhcje.exe Admemg32.exe File created C:\Windows\SysWOW64\Igkdgk32.exe Icpigm32.exe File opened for modification C:\Windows\SysWOW64\Gonnhhln.exe Gpknlk32.exe File created C:\Windows\SysWOW64\Obmhdd32.dll Peiepfgg.exe File created C:\Windows\SysWOW64\Opbnpqjl.dll Odjpkihg.exe File created C:\Windows\SysWOW64\Moealbej.dll Qjmkcbcb.exe File created C:\Windows\SysWOW64\Iecenlqh.dll Bafidiio.exe File created C:\Windows\SysWOW64\Lliflp32.exe Lliflp32.exe File opened for modification C:\Windows\SysWOW64\Pbfpik32.exe Pnjdhmdo.exe File opened for modification C:\Windows\SysWOW64\Jmjjea32.exe Jfqahgpg.exe File opened for modification C:\Windows\SysWOW64\Akigbbni.dll Ccngld32.exe File opened for modification C:\Windows\SysWOW64\Migpeiag.exe Mekdekin.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7040 7008 WerFault.exe 698 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgpdbgm.dll" Nlgefh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oopnlacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlgefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjqipbka.dll" Bhahlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll" Gejcjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll" Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacmbbii.dll" Ihankokm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oddpfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqqdag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddcdkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enkece32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndbcpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppbfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofpfnqjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epdkli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fckjalhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkgmi32.dll" Mijfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghniakc.dll" Onjgiiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnpqjl.dll" Odjpkihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhmbagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcmgfkeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bakbapml.dll" Nondgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifjjk32.dll" Dccagcgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dggcffhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlcple32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcfcmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmceigep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckccgane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djklnnaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abofbl32.dll" Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mofecpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egafleqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeadcbc.dll" Amndem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknqdmpf.dll" Idhopq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keoapb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohfeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgobhcac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebagmn32.dll" Dfgmhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcknbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eihfjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjljhjkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpdnkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nblnkb32.dll" Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifjjk32.dll" Dpeekh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmnhfjmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nondgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npdjje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgoiebg.dll" Plcdgfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll" Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbfpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmmjh32.dll" Bmmiij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Endhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Limmokib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njdfjjia.dll" Ocomlemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjojofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olkbjhpi.dll" Clilkfnb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1620 wrote to memory of 2248 1620 051eba86155865043a89584f014b83f5.exe 28 PID 1620 wrote to memory of 2248 1620 051eba86155865043a89584f014b83f5.exe 28 PID 1620 wrote to memory of 2248 1620 051eba86155865043a89584f014b83f5.exe 28 PID 1620 wrote to memory of 2248 1620 051eba86155865043a89584f014b83f5.exe 28 PID 2248 wrote to memory of 2528 2248 Lpeifeca.exe 29 PID 2248 wrote to memory of 2528 2248 Lpeifeca.exe 29 PID 2248 wrote to memory of 2528 2248 Lpeifeca.exe 29 PID 2248 wrote to memory of 2528 2248 Lpeifeca.exe 29 PID 2528 wrote to memory of 2388 2528 Lkkmdn32.exe 30 PID 2528 wrote to memory of 2388 2528 Lkkmdn32.exe 30 PID 2528 wrote to memory of 2388 2528 Lkkmdn32.exe 30 PID 2528 wrote to memory of 2388 2528 Lkkmdn32.exe 30 PID 2388 wrote to memory of 2732 2388 Limmokib.exe 31 PID 2388 wrote to memory of 2732 2388 Limmokib.exe 31 PID 2388 wrote to memory of 2732 2388 Limmokib.exe 31 PID 2388 wrote to memory of 2732 2388 Limmokib.exe 31 PID 2732 wrote to memory of 2576 2732 Ldcamcih.exe 32 PID 2732 wrote to memory of 2576 2732 Ldcamcih.exe 32 PID 2732 wrote to memory of 2576 2732 Ldcamcih.exe 32 PID 2732 wrote to memory of 2576 2732 Ldcamcih.exe 32 PID 2576 wrote to memory of 2412 2576 Ldcamcih.exe 33 PID 2576 wrote to memory of 2412 2576 Ldcamcih.exe 33 PID 2576 wrote to memory of 2412 2576 Ldcamcih.exe 33 PID 2576 wrote to memory of 2412 2576 Ldcamcih.exe 33 PID 2412 wrote to memory of 2328 2412 Lkmjin32.exe 34 PID 2412 wrote to memory of 2328 2412 Lkmjin32.exe 34 PID 2412 wrote to memory of 2328 2412 Lkmjin32.exe 34 PID 2412 wrote to memory of 2328 2412 Lkmjin32.exe 34 PID 2328 wrote to memory of 2368 2328 Lipjejgp.exe 35 PID 2328 wrote to memory of 2368 2328 Lipjejgp.exe 35 PID 2328 wrote to memory of 2368 2328 Lipjejgp.exe 35 PID 2328 wrote to memory of 2368 2328 Lipjejgp.exe 35 PID 2368 wrote to memory of 2716 2368 Llnfaffc.exe 36 PID 2368 wrote to memory of 2716 2368 Llnfaffc.exe 36 PID 2368 wrote to memory of 2716 2368 Llnfaffc.exe 36 PID 2368 wrote to memory of 2716 2368 Llnfaffc.exe 36 PID 2716 wrote to memory of 2100 2716 Ldenbcge.exe 37 PID 2716 wrote to memory of 2100 2716 Ldenbcge.exe 37 PID 2716 wrote to memory of 2100 2716 Ldenbcge.exe 37 PID 2716 wrote to memory of 2100 2716 Ldenbcge.exe 37 PID 2100 wrote to memory of 1564 2100 Lgdjnofi.exe 38 PID 2100 wrote to memory of 1564 2100 Lgdjnofi.exe 38 PID 2100 wrote to memory of 1564 2100 Lgdjnofi.exe 38 PID 2100 wrote to memory of 1564 2100 Lgdjnofi.exe 38 PID 1564 wrote to memory of 1132 1564 Libgjj32.exe 39 PID 1564 wrote to memory of 1132 1564 Libgjj32.exe 39 PID 1564 wrote to memory of 1132 1564 Libgjj32.exe 39 PID 1564 wrote to memory of 1132 1564 Libgjj32.exe 39 PID 1132 wrote to memory of 1280 1132 Llqcfe32.exe 40 PID 1132 wrote to memory of 1280 1132 Llqcfe32.exe 40 PID 1132 wrote to memory of 1280 1132 Llqcfe32.exe 40 PID 1132 wrote to memory of 1280 1132 Llqcfe32.exe 40 PID 1280 wrote to memory of 1964 1280 Lplogdmj.exe 41 PID 1280 wrote to memory of 1964 1280 Lplogdmj.exe 41 PID 1280 wrote to memory of 1964 1280 Lplogdmj.exe 41 PID 1280 wrote to memory of 1964 1280 Lplogdmj.exe 41 PID 1964 wrote to memory of 2216 1964 Mgfgdn32.exe 42 PID 1964 wrote to memory of 2216 1964 Mgfgdn32.exe 42 PID 1964 wrote to memory of 2216 1964 Mgfgdn32.exe 42 PID 1964 wrote to memory of 2216 1964 Mgfgdn32.exe 42 PID 2216 wrote to memory of 2188 2216 Meigpkka.exe 43 PID 2216 wrote to memory of 2188 2216 Meigpkka.exe 43 PID 2216 wrote to memory of 2188 2216 Meigpkka.exe 43 PID 2216 wrote to memory of 2188 2216 Meigpkka.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\051eba86155865043a89584f014b83f5.exe"C:\Users\Admin\AppData\Local\Temp\051eba86155865043a89584f014b83f5.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1312 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:240 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe33⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe34⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe35⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe36⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe37⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe38⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe39⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe40⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe41⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1452 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe44⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe45⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe46⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe47⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe49⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe50⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe51⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe52⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:284 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe55⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe56⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe57⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe58⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe59⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe60⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe62⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe63⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe64⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe65⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe66⤵PID:632
-
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe67⤵PID:1728
-
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe68⤵PID:1348
-
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:992 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe70⤵PID:1292
-
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe71⤵PID:320
-
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe72⤵PID:3036
-
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe74⤵PID:2252
-
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe75⤵PID:2168
-
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe76⤵PID:2588
-
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe77⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe78⤵PID:2632
-
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe79⤵
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe80⤵PID:3044
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe81⤵PID:2736
-
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe82⤵PID:2640
-
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe83⤵
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe84⤵PID:1584
-
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe85⤵
- Modifies registry class
PID:268 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe86⤵PID:1128
-
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe87⤵PID:1576
-
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe88⤵PID:2468
-
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe89⤵PID:2756
-
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe90⤵
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe91⤵
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe92⤵PID:2084
-
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe93⤵
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe94⤵PID:668
-
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe95⤵PID:2712
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe96⤵PID:944
-
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe97⤵
- Modifies registry class
PID:688 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe98⤵PID:2132
-
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe99⤵PID:2684
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe100⤵PID:2496
-
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe101⤵PID:1616
-
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe102⤵PID:2916
-
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe103⤵PID:2096
-
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe104⤵PID:2760
-
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe105⤵PID:1632
-
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe107⤵PID:1236
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe108⤵PID:912
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe109⤵PID:2140
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe110⤵
- Drops file in System32 directory
PID:560 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe111⤵PID:1628
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1940 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe113⤵
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe114⤵PID:328
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe116⤵PID:2480
-
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe117⤵
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe118⤵PID:1532
-
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe119⤵PID:2136
-
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2340 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe121⤵PID:1676
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-