Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 05/07/2024, 21:18

Static task: static1

Behavioral task: behavioral1
- Sample: 4a0700aa685c11189ea7438179f9db0c90c08652bba2f098d50f5a7099d0e506.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: 4a0700aa685c11189ea7438179f9db0c90c08652bba2f098d50f5a7099d0e506.exe
- Resource: win10v2004-20240704-en

General
- Target: 4a0700aa685c11189ea7438179f9db0c90c08652bba2f098d50f5a7099d0e506.exe
- Size: 161KB
- MD5: bd84cf428e76c51ebf0860e53973be08
- SHA1: 4aced2bb44ec37f09e8f9468a82ab1de8a7b7b58
- SHA256: 4a0700aa685c11189ea7438179f9db0c90c08652bba2f098d50f5a7099d0e506
- SHA512: c835aa7c297d9f1e7b448ae0aba1a7060c4c5fbfd1d06f0be8ec531aeee079fad5656024925007b22993930b7f0e497a2805534c0a1cbd9a330fb322e803fb3f
- SSDEEP: 3072:IoYr6EEZiWRt/to6/kvLxZ42kmVwtCJXeex7rrIRZK8K8/kv:vlRt/S6/kvLxZ1kmVwtmeetrIyR
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
- pid: 2964, pid_target: 2696, Process: WerFault.exe, procid_target: 926
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a0700aa685c11189ea7438179f9db0c90c08652bba2f098d50f5a7099d0e506.exe "C:\Users\Admin\AppData\Local\Temp\4a0700aa685c11189ea7438179f9db0c90c08652bba2f098d50f5a7099d0e506.exe" 1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Jibnop32.exe C:\Windows\system32\Jibnop32.exe 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Klcgpkhh.exe C:\Windows\system32\Klcgpkhh.exe 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Khjgel32.exe C:\Windows\system32\Khjgel32.exe 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Khldkllj.exe C:\Windows\system32\Khldkllj.exe 5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Kpgionie.exe C:\Windows\system32\Kpgionie.exe 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Kfaalh32.exe C:\Windows\system32\Kfaalh32.exe 7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Kgcnahoo.exe C:\Windows\system32\Kgcnahoo.exe 8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Llbconkd.exe C:\Windows\system32\Llbconkd.exe 9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Lifcib32.exe C:\Windows\system32\Lifcib32.exe 10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Liipnb32.exe C:\Windows\system32\Liipnb32.exe 11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Lklikj32.exe C:\Windows\system32\Lklikj32.exe 12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Mkofaj32.exe C:\Windows\system32\Mkofaj32.exe 13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Mgegfk32.exe C:\Windows\system32\Mgegfk32.exe 14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Mjfphf32.exe C:\Windows\system32\Mjfphf32.exe 15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Mqbejp32.exe C:\Windows\system32\Mqbejp32.exe 16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:980 -
C:\Windows\SysWOW64\Mlieoqgg.exe C:\Windows\system32\Mlieoqgg.exe 17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Nfbjhf32.exe C:\Windows\system32\Nfbjhf32.exe 18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1236 -
C:\Windows\SysWOW64\Nbhkmg32.exe C:\Windows\system32\Nbhkmg32.exe 19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Nffccejb.exe C:\Windows\system32\Nffccejb.exe 20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Windows\SysWOW64\Nkclkl32.exe C:\Windows\system32\Nkclkl32.exe 21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Njhilimb.exe C:\Windows\system32\Njhilimb.exe 22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Omiand32.exe C:\Windows\system32\Omiand32.exe 23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Ocefpnom.exe C:\Windows\system32\Ocefpnom.exe 24⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Ochcem32.exe C:\Windows\system32\Ochcem32.exe 25⤵
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Ojblbgdg.exe C:\Windows\system32\Ojblbgdg.exe 26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Opodknco.exe C:\Windows\system32\Opodknco.exe 27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Ombddbah.exe C:\Windows\system32\Ombddbah.exe 28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Pbomli32.exe C:\Windows\system32\Pbomli32.exe 29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Phledp32.exe C:\Windows\system32\Phledp32.exe 30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Ppcmfn32.exe C:\Windows\system32\Ppcmfn32.exe 31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:928 -
C:\Windows\SysWOW64\Pljnkodm.exe C:\Windows\system32\Pljnkodm.exe 32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Pbdfgilj.exe C:\Windows\system32\Pbdfgilj.exe 33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:364 -
C:\Windows\SysWOW64\Pmnghfhi.exe C:\Windows\system32\Pmnghfhi.exe 34⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Pfflql32.exe C:\Windows\system32\Pfflql32.exe 35⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Pfhhflmg.exe C:\Windows\system32\Pfhhflmg.exe 36⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Qigebglj.exe C:\Windows\system32\Qigebglj.exe 37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Qboikm32.exe C:\Windows\system32\Qboikm32.exe 38⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Qmenhe32.exe C:\Windows\system32\Qmenhe32.exe 39⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Qdofep32.exe C:\Windows\system32\Qdofep32.exe 40⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Afmbak32.exe C:\Windows\system32\Afmbak32.exe 41⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Amgjnepn.exe C:\Windows\system32\Amgjnepn.exe 42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Aohgfm32.exe C:\Windows\system32\Aohgfm32.exe 43⤵
- Executes dropped EXE
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Ainkcf32.exe C:\Windows\system32\Ainkcf32.exe 44⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Abfoll32.exe C:\Windows\system32\Abfoll32.exe 45⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Alodeacc.exe C:\Windows\system32\Alodeacc.exe 46⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Aeghng32.exe C:\Windows\system32\Aeghng32.exe 47⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Akdafn32.exe C:\Windows\system32\Akdafn32.exe 48⤵
- Executes dropped EXE
- Modifies registry class
PID:924 -
C:\Windows\SysWOW64\Aeiecfga.exe C:\Windows\system32\Aeiecfga.exe 49⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Akfnkmei.exe C:\Windows\system32\Akfnkmei.exe 50⤵
- Executes dropped EXE
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Bfiabjjm.exe C:\Windows\system32\Bfiabjjm.exe 51⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Ccmblnif.exe C:\Windows\system32\Ccmblnif.exe 52⤵
- Executes dropped EXE
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Cdnncfoe.exe C:\Windows\system32\Cdnncfoe.exe 53⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Cbbomjnn.exe C:\Windows\system32\Cbbomjnn.exe 54⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Cgogealf.exe C:\Windows\system32\Cgogealf.exe 55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Cbdkbjkl.exe C:\Windows\system32\Cbdkbjkl.exe 56⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Ckmpkpbl.exe C:\Windows\system32\Ckmpkpbl.exe 57⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Cqjhcfpc.exe C:\Windows\system32\Cqjhcfpc.exe 58⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Ckomqopi.exe C:\Windows\system32\Ckomqopi.exe 59⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Cnnimkom.exe C:\Windows\system32\Cnnimkom.exe 60⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Ddhaie32.exe C:\Windows\system32\Ddhaie32.exe 61⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Dfinam32.exe C:\Windows\system32\Dfinam32.exe 62⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Dqobnf32.exe C:\Windows\system32\Dqobnf32.exe 63⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Dfkjgm32.exe C:\Windows\system32\Dfkjgm32.exe 64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Dqaode32.exe C:\Windows\system32\Dqaode32.exe 65⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Djicmk32.exe C:\Windows\system32\Djicmk32.exe 66⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Dpfkeb32.exe C:\Windows\system32\Dpfkeb32.exe 67⤵
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Decdmi32.exe C:\Windows\system32\Decdmi32.exe 68⤵
PID:1576 -
C:\Windows\SysWOW64\Dmjlof32.exe C:\Windows\system32\Dmjlof32.exe 69⤵
PID:2316 -
C:\Windows\SysWOW64\Dnkhfnck.exe C:\Windows\system32\Dnkhfnck.exe 70⤵
PID:976 -
C:\Windows\SysWOW64\Diqmcgca.exe C:\Windows\system32\Diqmcgca.exe 71⤵
PID:2696 -
C:\Windows\SysWOW64\Epkepakn.exe C:\Windows\system32\Epkepakn.exe 72⤵
PID:2512 -
C:\Windows\SysWOW64\Ealahi32.exe C:\Windows\system32\Ealahi32.exe 73⤵
PID:820 -
C:\Windows\SysWOW64\Enpban32.exe C:\Windows\system32\Enpban32.exe 74⤵
PID:2784 -
C:\Windows\SysWOW64\Ecmjid32.exe C:\Windows\system32\Ecmjid32.exe 75⤵
PID:1724 -
C:\Windows\SysWOW64\Enbogmnc.exe C:\Windows\system32\Enbogmnc.exe 76⤵
PID:2036 -
C:\Windows\SysWOW64\Ehkcpc32.exe C:\Windows\system32\Ehkcpc32.exe 77⤵
PID:1592 -
C:\Windows\SysWOW64\Emgkhj32.exe C:\Windows\system32\Emgkhj32.exe 78⤵
PID:1092 -
C:\Windows\SysWOW64\Ecadddjh.exe C:\Windows\system32\Ecadddjh.exe 79⤵
PID:1720 -
C:\Windows\SysWOW64\Emjhmipi.exe C:\Windows\system32\Emjhmipi.exe 80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:564 -
C:\Windows\SysWOW64\Ebfqfpop.exe C:\Windows\system32\Ebfqfpop.exe 81⤵
PID:3028 -
C:\Windows\SysWOW64\Fmlecinf.exe C:\Windows\system32\Fmlecinf.exe 82⤵
PID:824 -
C:\Windows\SysWOW64\Fdfmpc32.exe C:\Windows\system32\Fdfmpc32.exe 83⤵
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Ficehj32.exe C:\Windows\system32\Ficehj32.exe 84⤵
PID:2164 -
C:\Windows\SysWOW64\Fopnpaba.exe C:\Windows\system32\Fopnpaba.exe 85⤵
PID:1288 -
C:\Windows\SysWOW64\Fiebnjbg.exe C:\Windows\system32\Fiebnjbg.exe 86⤵
PID:1916 -
C:\Windows\SysWOW64\Fpokjd32.exe C:\Windows\system32\Fpokjd32.exe 87⤵
PID:1664 -
C:\Windows\SysWOW64\Fbngfo32.exe C:\Windows\system32\Fbngfo32.exe 88⤵
PID:2320 -
C:\Windows\SysWOW64\Fhjoof32.exe C:\Windows\system32\Fhjoof32.exe 89⤵
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Fbpclofe.exe C:\Windows\system32\Fbpclofe.exe 90⤵
PID:968 -
C:\Windows\SysWOW64\Fdapcg32.exe C:\Windows\system32\Fdapcg32.exe 91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2076 -
C:\Windows\SysWOW64\Fkkhpadq.exe C:\Windows\system32\Fkkhpadq.exe 92⤵
PID:2580 -
C:\Windows\SysWOW64\Gaeqmk32.exe C:\Windows\system32\Gaeqmk32.exe 93⤵
PID:2760 -
C:\Windows\SysWOW64\Ggbieb32.exe C:\Windows\system32\Ggbieb32.exe 94⤵
PID:2092 -
C:\Windows\SysWOW64\Ghaeoe32.exe C:\Windows\system32\Ghaeoe32.exe 95⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Gmnngl32.exe C:\Windows\system32\Gmnngl32.exe 96⤵
PID:2688 -
C:\Windows\SysWOW64\Ggfbpaeo.exe C:\Windows\system32\Ggfbpaeo.exe 97⤵
PID:1460 -
C:\Windows\SysWOW64\Gmqkml32.exe C:\Windows\system32\Gmqkml32.exe 98⤵
PID:2236 -
C:\Windows\SysWOW64\Gcmcebkc.exe C:\Windows\system32\Gcmcebkc.exe 99⤵
PID:2156 -
C:\Windows\SysWOW64\Gigkbm32.exe C:\Windows\system32\Gigkbm32.exe 100⤵
PID:1972 -
C:\Windows\SysWOW64\Gpacogjm.exe C:\Windows\system32\Gpacogjm.exe 101⤵
PID:1376 -
C:\Windows\SysWOW64\Hhmhcigh.exe C:\Windows\system32\Hhmhcigh.exe 102⤵
PID:2684 -
C:\Windows\SysWOW64\Hofqpc32.exe C:\Windows\system32\Hofqpc32.exe 103⤵
PID:2496 -
C:\Windows\SysWOW64\Haemloni.exe C:\Windows\system32\Haemloni.exe 104⤵
- Drops file in System32 directory
PID:1124 -
C:\Windows\SysWOW64\Hkmaed32.exe C:\Windows\system32\Hkmaed32.exe 105⤵
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Hecebm32.exe C:\Windows\system32\Hecebm32.exe 106⤵
PID:1668 -
C:\Windows\SysWOW64\Hlmnogkl.exe C:\Windows\system32\Hlmnogkl.exe 107⤵
PID:2776 -
C:\Windows\SysWOW64\Hajfgnjc.exe C:\Windows\system32\Hajfgnjc.exe 108⤵
PID:2700 -
C:\Windows\SysWOW64\Hkbkpcpd.exe C:\Windows\system32\Hkbkpcpd.exe 109⤵
PID:2956 -
C:\Windows\SysWOW64\Hhfkihon.exe C:\Windows\system32\Hhfkihon.exe 110⤵
PID:2872 -
C:\Windows\SysWOW64\Iqapnjli.exe C:\Windows\system32\Iqapnjli.exe 111⤵
PID:1292 -
C:\Windows\SysWOW64\Ijidfpci.exe C:\Windows\system32\Ijidfpci.exe 112⤵
PID:1276 -
C:\Windows\SysWOW64\Idohdhbo.exe C:\Windows\system32\Idohdhbo.exe 113⤵
PID:3044 -
C:\Windows\SysWOW64\Ijlaloaf.exe C:\Windows\system32\Ijlaloaf.exe 114⤵
PID:2816 -
C:\Windows\SysWOW64\Ioiidfon.exe C:\Windows\system32\Ioiidfon.exe 115⤵
PID:2524 -
C:\Windows\SysWOW64\Immjnj32.exe C:\Windows\system32\Immjnj32.exe 116⤵
PID:2232 -
C:\Windows\SysWOW64\Ijqjgo32.exe C:\Windows\system32\Ijqjgo32.exe 117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2532 -
C:\Windows\SysWOW64\Iomcpe32.exe C:\Windows\system32\Iomcpe32.exe 118⤵
PID:2300 -
C:\Windows\SysWOW64\Iifghk32.exe C:\Windows\system32\Iifghk32.exe 119⤵
PID:1108 -
C:\Windows\SysWOW64\Jfjhbo32.exe C:\Windows\system32\Jfjhbo32.exe 120⤵
PID:872 -
C:\Windows\SysWOW64\Jgkdigfa.exe C:\Windows\system32\Jgkdigfa.exe 121⤵
PID:932 -
C:\Windows\SysWOW64\Jnemfa32.exe C:\Windows\system32\Jnemfa32.exe 122⤵
- Modifies registry class
PID:2284