Analysis
-
max time kernel
70s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
07-07-2024 01:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0a450e1eaa54a23ce31bcda015a37960.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0a450e1eaa54a23ce31bcda015a37960.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
0a450e1eaa54a23ce31bcda015a37960.exe
-
Size
123KB
-
MD5
0a450e1eaa54a23ce31bcda015a37960
-
SHA1
a03b99813ed387ac5ff50f95c33c54ec2ee78285
-
SHA256
b0b3fa7a85b46efebe80a777968d0166f57a46e53ecb6b15ee435318ae90b591
-
SHA512
bf0ff9f9f5a0d1205d986e84d3b8b58406cf15bb3734a6251117584bcb922eb6741f6290e2ecb13c9f795a6c7ee3120a56c8db48c9c5fc218c4ff6b215bc1e74
-
SSDEEP
3072:STCTtrzGotx/yW+ZDGUs+7pZVRYSa9rR85DEn5k7r8:STCTtvGotx/MfsQV4rQD85k/8
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iceiibef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbjlnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqbfdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcankb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jffhec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onbkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odgqoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdoeipjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qeglqpaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Galfpgpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhekodik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jidngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmjoaofc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefchacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpojlp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfonlg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmkcoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghnfci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbodpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoamoefh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlgfqldf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eigpmjqg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaegbmlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcdmbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpcmlnnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnjagdlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeglqpaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gilhpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcaaloed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfegjknm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmijgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmlpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glhhgahg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gefjjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkcqfifp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlgfqldf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmegodpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnilfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phhmeehg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbljgpja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poddphee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnlnmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfcnfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdndl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baajji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dalfdjdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkdgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmjjmbgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Feeilbhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdjioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iapfmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffhkcpal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfhabe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbgela32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgbnbcmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfchgflg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meidib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmfpabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laknfmgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coiqmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbigao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfkbqcam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnmdfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcendc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2984 Jcdmbk32.exe 2936 Jhqeka32.exe 2920 Klonqpbi.exe 2872 Kqqdjceh.exe 2712 Kjihci32.exe 2268 Kjnanhhc.exe 1080 Liboodmk.exe 1732 Lndqbk32.exe 2684 Lpcmlnnp.exe 1472 Meeopdhb.exe 3000 Mnncii32.exe 564 Mhfhaoec.exe 112 Nfmahkhh.exe 2184 Neekogkm.exe 2892 Ndjhpcoe.exe 1040 Opcejd32.exe 2380 Oiljcj32.exe 2272 Ophoecoa.exe 848 Olopjddf.exe 2592 Ogddhmdl.exe 2084 Phhmeehg.exe 1748 Penjdien.exe 1264 Pkkblp32.exe 1576 Pjppmlhm.exe 2852 Qqldpfmh.exe 2960 Qgiibp32.exe 2828 Ajibckpc.exe 2868 Acbglq32.exe 2808 Abgdnm32.exe 2276 Bcmjpd32.exe 2736 Baajji32.exe 2792 Bmhkojab.exe 1404 Bmjhdi32.exe 2476 Bfblmofp.exe 636 Bpkqfdmp.exe 1836 Behinlkh.exe 1268 Cbljgpja.exe 1044 Chhbpfhi.exe 1908 Cbnfmo32.exe 2180 Clfkfeno.exe 2416 Caccnllf.exe 2548 Ckkhga32.exe 2064 Cddlpg32.exe 1720 Coiqmp32.exe 1460 Dfdeab32.exe 2480 Dajiok32.exe 2640 Dggbgadf.exe 2644 Dalfdjdl.exe 1068 Ddkbqfcp.exe 1600 Dlfgehqk.exe 2820 Denknngk.exe 2904 Dpdpkfga.exe 3040 Dlkqpg32.exe 2832 Eeceim32.exe 328 Ekpmad32.exe 2676 Eajennij.exe 2080 Ekbjgd32.exe 2596 Encchoml.exe 1628 Ekgcbcke.exe 3012 Epdljjjm.exe 1228 Fgbnbcmd.exe 1996 Ffhkcpal.exe 2212 Fkdckgpc.exe 696 Ffjghppi.exe -
Loads dropped DLL 64 IoCs
pid Process 1900 0a450e1eaa54a23ce31bcda015a37960.exe 1900 0a450e1eaa54a23ce31bcda015a37960.exe 2984 Jcdmbk32.exe 2984 Jcdmbk32.exe 2936 Jhqeka32.exe 2936 Jhqeka32.exe 2920 Klonqpbi.exe 2920 Klonqpbi.exe 2872 Kqqdjceh.exe 2872 Kqqdjceh.exe 2712 Kjihci32.exe 2712 Kjihci32.exe 2268 Kjnanhhc.exe 2268 Kjnanhhc.exe 1080 Liboodmk.exe 1080 Liboodmk.exe 1732 Lndqbk32.exe 1732 Lndqbk32.exe 2684 Lpcmlnnp.exe 2684 Lpcmlnnp.exe 1472 Meeopdhb.exe 1472 Meeopdhb.exe 3000 Mnncii32.exe 3000 Mnncii32.exe 564 Mhfhaoec.exe 564 Mhfhaoec.exe 112 Nfmahkhh.exe 112 Nfmahkhh.exe 2184 Neekogkm.exe 2184 Neekogkm.exe 2892 Ndjhpcoe.exe 2892 Ndjhpcoe.exe 1040 Opcejd32.exe 1040 Opcejd32.exe 2380 Oiljcj32.exe 2380 Oiljcj32.exe 2272 Ophoecoa.exe 2272 Ophoecoa.exe 848 Olopjddf.exe 848 Olopjddf.exe 2592 Ogddhmdl.exe 2592 Ogddhmdl.exe 2084 Phhmeehg.exe 2084 Phhmeehg.exe 1748 Penjdien.exe 1748 Penjdien.exe 1264 Pkkblp32.exe 1264 Pkkblp32.exe 1576 Pjppmlhm.exe 1576 Pjppmlhm.exe 2852 Qqldpfmh.exe 2852 Qqldpfmh.exe 2960 Qgiibp32.exe 2960 Qgiibp32.exe 2828 Ajibckpc.exe 2828 Ajibckpc.exe 2868 Acbglq32.exe 2868 Acbglq32.exe 2808 Abgdnm32.exe 2808 Abgdnm32.exe 2276 Bcmjpd32.exe 2276 Bcmjpd32.exe 2736 Baajji32.exe 2736 Baajji32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bigohejb.exe Aonjpp32.exe File opened for modification C:\Windows\SysWOW64\Iaegbmlq.exe Ilhnjfmi.exe File created C:\Windows\SysWOW64\Egcpbc32.dll Kphpdhdh.exe File opened for modification C:\Windows\SysWOW64\Gemfghek.exe Fldbnb32.exe File created C:\Windows\SysWOW64\Lkccob32.exe Laknfmgd.exe File created C:\Windows\SysWOW64\Caldepec.dll Aniffaim.exe File opened for modification C:\Windows\SysWOW64\Galfpgpg.exe Glongpao.exe File created C:\Windows\SysWOW64\Hminbkql.exe Henjnica.exe File created C:\Windows\SysWOW64\Dogbolep.exe Dbqajk32.exe File opened for modification C:\Windows\SysWOW64\Oiljcj32.exe Opcejd32.exe File created C:\Windows\SysWOW64\Lgocca32.dll Mfhabe32.exe File opened for modification C:\Windows\SysWOW64\Eigpmjqg.exe Ecmhqp32.exe File created C:\Windows\SysWOW64\Jkdalb32.exe Jdjioh32.exe File created C:\Windows\SysWOW64\Phabdmgq.exe Pmlngdhk.exe File opened for modification C:\Windows\SysWOW64\Fcgdjmlo.exe Fgqcel32.exe File created C:\Windows\SysWOW64\Lijfkjba.dll Fldbnb32.exe File opened for modification C:\Windows\SysWOW64\Lccepqdo.exe Kadhen32.exe File created C:\Windows\SysWOW64\Caqpgp32.dll Ofmiea32.exe File opened for modification C:\Windows\SysWOW64\Kjjnnbfj.exe Kcqfahom.exe File opened for modification C:\Windows\SysWOW64\Oafjfokk.exe Oljanhmc.exe File opened for modification C:\Windows\SysWOW64\Ohcohh32.exe Ojoood32.exe File created C:\Windows\SysWOW64\Glongpao.exe Gaiijgbi.exe File created C:\Windows\SysWOW64\Fkdckgpc.exe Ffhkcpal.exe File created C:\Windows\SysWOW64\Hamgno32.exe Hlpofh32.exe File created C:\Windows\SysWOW64\Ipfnjkgk.exe Ifniaeqk.exe File created C:\Windows\SysWOW64\Qeophqkd.dll Mfchgflg.exe File created C:\Windows\SysWOW64\Hgimkf32.dll Oheieo32.exe File opened for modification C:\Windows\SysWOW64\Jffhec32.exe Iaipmm32.exe File created C:\Windows\SysWOW64\Qhbpfk32.dll Jlgcncli.exe File opened for modification C:\Windows\SysWOW64\Chhbpfhi.exe Cbljgpja.exe File created C:\Windows\SysWOW64\Fgbnbcmd.exe Epdljjjm.exe File created C:\Windows\SysWOW64\Aonjpp32.exe Afffgjma.exe File opened for modification C:\Windows\SysWOW64\Cmimif32.exe Cjhdgk32.exe File created C:\Windows\SysWOW64\Goekpm32.exe Gemfghek.exe File opened for modification C:\Windows\SysWOW64\Kfcadq32.exe Jafilj32.exe File created C:\Windows\SysWOW64\Mchjjo32.dll Pdnihiad.exe File created C:\Windows\SysWOW64\Kgbjdd32.dll Encchoml.exe File opened for modification C:\Windows\SysWOW64\Ghnfci32.exe Gcankb32.exe File created C:\Windows\SysWOW64\Hcfceeff.exe Hjmolp32.exe File created C:\Windows\SysWOW64\Peaibajp.exe Plheil32.exe File created C:\Windows\SysWOW64\Klgpmgod.exe Kppohf32.exe File created C:\Windows\SysWOW64\Cghmni32.exe Cjdmee32.exe File created C:\Windows\SysWOW64\Deimaa32.exe Dpmeij32.exe File created C:\Windows\SysWOW64\Dnfkefad.exe Dcaghm32.exe File created C:\Windows\SysWOW64\Hgpeimhf.exe Hqemlbqi.exe File opened for modification C:\Windows\SysWOW64\Indnqb32.exe Ieligmho.exe File created C:\Windows\SysWOW64\Cmeffp32.exe Cghmni32.exe File created C:\Windows\SysWOW64\Lqbfdp32.exe Lkemli32.exe File created C:\Windows\SysWOW64\Jamaoo32.dll Njammhei.exe File created C:\Windows\SysWOW64\Hccllbjf.dll Kommediq.exe File created C:\Windows\SysWOW64\Jjpajqqn.dll Eehqme32.exe File created C:\Windows\SysWOW64\Dnjekdon.dll Hflpmb32.exe File created C:\Windows\SysWOW64\Lfonlg32.exe Lqbfdp32.exe File opened for modification C:\Windows\SysWOW64\Gfmmanif.exe Fkdlaplh.exe File opened for modification C:\Windows\SysWOW64\Kneflplf.exe Khhndi32.exe File opened for modification C:\Windows\SysWOW64\Lcmopepp.exe Ljejgp32.exe File created C:\Windows\SysWOW64\Clfkfeno.exe Cbnfmo32.exe File created C:\Windows\SysWOW64\Pihmimaj.dll Hminbkql.exe File created C:\Windows\SysWOW64\Aoamoefh.exe Qeihfp32.exe File opened for modification C:\Windows\SysWOW64\Anfjpa32.exe Adnegldo.exe File opened for modification C:\Windows\SysWOW64\Cfmjoe32.exe Cmeffp32.exe File created C:\Windows\SysWOW64\Ipijpkei.exe Iklbhdga.exe File created C:\Windows\SysWOW64\Gnoaliln.exe Gcimop32.exe File opened for modification C:\Windows\SysWOW64\Dkolblkk.exe Cccgni32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2664 4144 WerFault.exe 472 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iindag32.dll" Qqldpfmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpoibb32.dll" Imfeip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdfqh32.dll" Lkemli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdmfml32.dll" Dofilm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgdqaf32.dll" Hiblmldn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damgll32.dll" Ljejgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kppohf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hamgno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcqfahom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqmepa32.dll" Aonjpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjmolp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kphpdhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcapckod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gilhpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Liboodmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfiinip.dll" Lpcmlnnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afffgjma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eagbnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbddfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlpaod32.dll" Oacdmpan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkhhie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikakd32.dll" Ehjbaooe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmlmacfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckkhga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcghajkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlejkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahllda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgmhbloc.dll" Cngfqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deoipl32.dll" Fhdlbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmeffp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ophoecoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foohqdql.dll" Ffjghppi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khjkiikl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqffpm32.dll" Mlejkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhfem32.dll" Fkdlaplh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lobpmfmi.dll" Jkdalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbh32.dll" Bgcdcjpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Feeilbhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opcejd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pceqfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfbojek.dll" Gfmmanif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkhppp32.dll" Nbddfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdcedhee.dll" Acbieing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmbdfolj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlgfqldf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oacdmpan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flmecm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oiljcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecpggap.dll" Phhmeehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqkdjkoi.dll" Dhggdcgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khhndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fldbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faolhkaf.dll" Ohcohh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlejkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppehbh32.dll" Dogbolep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dogbolep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iggbdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jocceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhngbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Effidg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chhbpfhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kommediq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbqekhmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Himionmc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1900 wrote to memory of 2984 1900 0a450e1eaa54a23ce31bcda015a37960.exe 30 PID 1900 wrote to memory of 2984 1900 0a450e1eaa54a23ce31bcda015a37960.exe 30 PID 1900 wrote to memory of 2984 1900 0a450e1eaa54a23ce31bcda015a37960.exe 30 PID 1900 wrote to memory of 2984 1900 0a450e1eaa54a23ce31bcda015a37960.exe 30 PID 2984 wrote to memory of 2936 2984 Jcdmbk32.exe 31 PID 2984 wrote to memory of 2936 2984 Jcdmbk32.exe 31 PID 2984 wrote to memory of 2936 2984 Jcdmbk32.exe 31 PID 2984 wrote to memory of 2936 2984 Jcdmbk32.exe 31 PID 2936 wrote to memory of 2920 2936 Jhqeka32.exe 32 PID 2936 wrote to memory of 2920 2936 Jhqeka32.exe 32 PID 2936 wrote to memory of 2920 2936 Jhqeka32.exe 32 PID 2936 wrote to memory of 2920 2936 Jhqeka32.exe 32 PID 2920 wrote to memory of 2872 2920 Klonqpbi.exe 33 PID 2920 wrote to memory of 2872 2920 Klonqpbi.exe 33 PID 2920 wrote to memory of 2872 2920 Klonqpbi.exe 33 PID 2920 wrote to memory of 2872 2920 Klonqpbi.exe 33 PID 2872 wrote to memory of 2712 2872 Kqqdjceh.exe 34 PID 2872 wrote to memory of 2712 2872 Kqqdjceh.exe 34 PID 2872 wrote to memory of 2712 2872 Kqqdjceh.exe 34 PID 2872 wrote to memory of 2712 2872 Kqqdjceh.exe 34 PID 2712 wrote to memory of 2268 2712 Kjihci32.exe 35 PID 2712 wrote to memory of 2268 2712 Kjihci32.exe 35 PID 2712 wrote to memory of 2268 2712 Kjihci32.exe 35 PID 2712 wrote to memory of 2268 2712 Kjihci32.exe 35 PID 2268 wrote to memory of 1080 2268 Kjnanhhc.exe 36 PID 2268 wrote to memory of 1080 2268 Kjnanhhc.exe 36 PID 2268 wrote to memory of 1080 2268 Kjnanhhc.exe 36 PID 2268 wrote to memory of 1080 2268 Kjnanhhc.exe 36 PID 1080 wrote to memory of 1732 1080 Liboodmk.exe 37 PID 1080 wrote to memory of 1732 1080 Liboodmk.exe 37 PID 1080 wrote to memory of 1732 1080 Liboodmk.exe 37 PID 1080 wrote to memory of 1732 1080 Liboodmk.exe 37 PID 1732 wrote to memory of 2684 1732 Lndqbk32.exe 38 PID 1732 wrote to memory of 2684 1732 Lndqbk32.exe 38 PID 1732 wrote to memory of 2684 1732 Lndqbk32.exe 38 PID 1732 wrote to memory of 2684 1732 Lndqbk32.exe 38 PID 2684 wrote to memory of 1472 2684 Lpcmlnnp.exe 39 PID 2684 wrote to memory of 1472 2684 Lpcmlnnp.exe 39 PID 2684 wrote to memory of 1472 2684 Lpcmlnnp.exe 39 PID 2684 wrote to memory of 1472 2684 Lpcmlnnp.exe 39 PID 1472 wrote to memory of 3000 1472 Meeopdhb.exe 40 PID 1472 wrote to memory of 3000 1472 Meeopdhb.exe 40 PID 1472 wrote to memory of 3000 1472 Meeopdhb.exe 40 PID 1472 wrote to memory of 3000 1472 Meeopdhb.exe 40 PID 3000 wrote to memory of 564 3000 Mnncii32.exe 41 PID 3000 wrote to memory of 564 3000 Mnncii32.exe 41 PID 3000 wrote to memory of 564 3000 Mnncii32.exe 41 PID 3000 wrote to memory of 564 3000 Mnncii32.exe 41 PID 564 wrote to memory of 112 564 Mhfhaoec.exe 42 PID 564 wrote to memory of 112 564 Mhfhaoec.exe 42 PID 564 wrote to memory of 112 564 Mhfhaoec.exe 42 PID 564 wrote to memory of 112 564 Mhfhaoec.exe 42 PID 112 wrote to memory of 2184 112 Nfmahkhh.exe 43 PID 112 wrote to memory of 2184 112 Nfmahkhh.exe 43 PID 112 wrote to memory of 2184 112 Nfmahkhh.exe 43 PID 112 wrote to memory of 2184 112 Nfmahkhh.exe 43 PID 2184 wrote to memory of 2892 2184 Neekogkm.exe 44 PID 2184 wrote to memory of 2892 2184 Neekogkm.exe 44 PID 2184 wrote to memory of 2892 2184 Neekogkm.exe 44 PID 2184 wrote to memory of 2892 2184 Neekogkm.exe 44 PID 2892 wrote to memory of 1040 2892 Ndjhpcoe.exe 45 PID 2892 wrote to memory of 1040 2892 Ndjhpcoe.exe 45 PID 2892 wrote to memory of 1040 2892 Ndjhpcoe.exe 45 PID 2892 wrote to memory of 1040 2892 Ndjhpcoe.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a450e1eaa54a23ce31bcda015a37960.exe"C:\Users\Admin\AppData\Local\Temp\0a450e1eaa54a23ce31bcda015a37960.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Jcdmbk32.exeC:\Windows\system32\Jcdmbk32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Jhqeka32.exeC:\Windows\system32\Jhqeka32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Klonqpbi.exeC:\Windows\system32\Klonqpbi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Kqqdjceh.exeC:\Windows\system32\Kqqdjceh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Kjihci32.exeC:\Windows\system32\Kjihci32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Kjnanhhc.exeC:\Windows\system32\Kjnanhhc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Liboodmk.exeC:\Windows\system32\Liboodmk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Lndqbk32.exeC:\Windows\system32\Lndqbk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Lpcmlnnp.exeC:\Windows\system32\Lpcmlnnp.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Meeopdhb.exeC:\Windows\system32\Meeopdhb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Mnncii32.exeC:\Windows\system32\Mnncii32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Mhfhaoec.exeC:\Windows\system32\Mhfhaoec.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\Nfmahkhh.exeC:\Windows\system32\Nfmahkhh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\Neekogkm.exeC:\Windows\system32\Neekogkm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Ndjhpcoe.exeC:\Windows\system32\Ndjhpcoe.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Opcejd32.exeC:\Windows\system32\Opcejd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Oiljcj32.exeC:\Windows\system32\Oiljcj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Ophoecoa.exeC:\Windows\system32\Ophoecoa.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Olopjddf.exeC:\Windows\system32\Olopjddf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:848 -
C:\Windows\SysWOW64\Ogddhmdl.exeC:\Windows\system32\Ogddhmdl.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Phhmeehg.exeC:\Windows\system32\Phhmeehg.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Penjdien.exeC:\Windows\system32\Penjdien.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Pkkblp32.exeC:\Windows\system32\Pkkblp32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1264 -
C:\Windows\SysWOW64\Pjppmlhm.exeC:\Windows\system32\Pjppmlhm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Qqldpfmh.exeC:\Windows\system32\Qqldpfmh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Qgiibp32.exeC:\Windows\system32\Qgiibp32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Ajibckpc.exeC:\Windows\system32\Ajibckpc.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Acbglq32.exeC:\Windows\system32\Acbglq32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Abgdnm32.exeC:\Windows\system32\Abgdnm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Bcmjpd32.exeC:\Windows\system32\Bcmjpd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Baajji32.exeC:\Windows\system32\Baajji32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Bmhkojab.exeC:\Windows\system32\Bmhkojab.exe33⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Bmjhdi32.exeC:\Windows\system32\Bmjhdi32.exe34⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Bfblmofp.exeC:\Windows\system32\Bfblmofp.exe35⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Bpkqfdmp.exeC:\Windows\system32\Bpkqfdmp.exe36⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Behinlkh.exeC:\Windows\system32\Behinlkh.exe37⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Cbljgpja.exeC:\Windows\system32\Cbljgpja.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\Chhbpfhi.exeC:\Windows\system32\Chhbpfhi.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Cbnfmo32.exeC:\Windows\system32\Cbnfmo32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Clfkfeno.exeC:\Windows\system32\Clfkfeno.exe41⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Caccnllf.exeC:\Windows\system32\Caccnllf.exe42⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Ckkhga32.exeC:\Windows\system32\Ckkhga32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Cddlpg32.exeC:\Windows\system32\Cddlpg32.exe44⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Coiqmp32.exeC:\Windows\system32\Coiqmp32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Dfdeab32.exeC:\Windows\system32\Dfdeab32.exe46⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Dajiok32.exeC:\Windows\system32\Dajiok32.exe47⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Dggbgadf.exeC:\Windows\system32\Dggbgadf.exe48⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Dalfdjdl.exeC:\Windows\system32\Dalfdjdl.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Ddkbqfcp.exeC:\Windows\system32\Ddkbqfcp.exe50⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Dlfgehqk.exeC:\Windows\system32\Dlfgehqk.exe51⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Denknngk.exeC:\Windows\system32\Denknngk.exe52⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Dpdpkfga.exeC:\Windows\system32\Dpdpkfga.exe53⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Dlkqpg32.exeC:\Windows\system32\Dlkqpg32.exe54⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Eeceim32.exeC:\Windows\system32\Eeceim32.exe55⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Ekpmad32.exeC:\Windows\system32\Ekpmad32.exe56⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Eajennij.exeC:\Windows\system32\Eajennij.exe57⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Ekbjgd32.exeC:\Windows\system32\Ekbjgd32.exe58⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Encchoml.exeC:\Windows\system32\Encchoml.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Ekgcbcke.exeC:\Windows\system32\Ekgcbcke.exe60⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Epdljjjm.exeC:\Windows\system32\Epdljjjm.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Fgbnbcmd.exeC:\Windows\system32\Fgbnbcmd.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Ffhkcpal.exeC:\Windows\system32\Ffhkcpal.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Fkdckgpc.exeC:\Windows\system32\Fkdckgpc.exe64⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Ffjghppi.exeC:\Windows\system32\Ffjghppi.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Foblaefj.exeC:\Windows\system32\Foblaefj.exe66⤵PID:1280
-
C:\Windows\SysWOW64\Gkimff32.exeC:\Windows\system32\Gkimff32.exe67⤵PID:2484
-
C:\Windows\SysWOW64\Ggpmkgab.exeC:\Windows\system32\Ggpmkgab.exe68⤵PID:1120
-
C:\Windows\SysWOW64\Gednek32.exeC:\Windows\system32\Gednek32.exe69⤵PID:2656
-
C:\Windows\SysWOW64\Gjqfmb32.exeC:\Windows\system32\Gjqfmb32.exe70⤵PID:2632
-
C:\Windows\SysWOW64\Gefjjk32.exeC:\Windows\system32\Gefjjk32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2324 -
C:\Windows\SysWOW64\Gppkkikh.exeC:\Windows\system32\Gppkkikh.exe72⤵PID:1716
-
C:\Windows\SysWOW64\Gihpcn32.exeC:\Windows\system32\Gihpcn32.exe73⤵PID:1604
-
C:\Windows\SysWOW64\Hflpmb32.exeC:\Windows\system32\Hflpmb32.exe74⤵
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Hcpqfgol.exeC:\Windows\system32\Hcpqfgol.exe75⤵PID:2800
-
C:\Windows\SysWOW64\Himionmc.exeC:\Windows\system32\Himionmc.exe76⤵
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Hnjagdlj.exeC:\Windows\system32\Hnjagdlj.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3048 -
C:\Windows\SysWOW64\Hiofdmkq.exeC:\Windows\system32\Hiofdmkq.exe78⤵PID:960
-
C:\Windows\SysWOW64\Hnlnmd32.exeC:\Windows\system32\Hnlnmd32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2096 -
C:\Windows\SysWOW64\Hlpofh32.exeC:\Windows\system32\Hlpofh32.exe80⤵
- Drops file in System32 directory
PID:1440 -
C:\Windows\SysWOW64\Hamgno32.exeC:\Windows\system32\Hamgno32.exe81⤵
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Ihgpkinf.exeC:\Windows\system32\Ihgpkinf.exe82⤵PID:1276
-
C:\Windows\SysWOW64\Iekpdn32.exeC:\Windows\system32\Iekpdn32.exe83⤵PID:2428
-
C:\Windows\SysWOW64\Imfeip32.exeC:\Windows\system32\Imfeip32.exe84⤵
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Ifniaeqk.exeC:\Windows\system32\Ifniaeqk.exe85⤵
- Drops file in System32 directory
PID:1324 -
C:\Windows\SysWOW64\Ipfnjkgk.exeC:\Windows\system32\Ipfnjkgk.exe86⤵PID:2204
-
C:\Windows\SysWOW64\Iklbhdga.exeC:\Windows\system32\Iklbhdga.exe87⤵
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\Ipijpkei.exeC:\Windows\system32\Ipijpkei.exe88⤵PID:2328
-
C:\Windows\SysWOW64\Iefchacp.exeC:\Windows\system32\Iefchacp.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2116 -
C:\Windows\SysWOW64\Jgeobdkc.exeC:\Windows\system32\Jgeobdkc.exe90⤵PID:2440
-
C:\Windows\SysWOW64\Jpndkj32.exeC:\Windows\system32\Jpndkj32.exe91⤵PID:1952
-
C:\Windows\SysWOW64\Jejlca32.exeC:\Windows\system32\Jejlca32.exe92⤵PID:2228
-
C:\Windows\SysWOW64\Jnhnmckc.exeC:\Windows\system32\Jnhnmckc.exe93⤵PID:2908
-
C:\Windows\SysWOW64\Jklnggjm.exeC:\Windows\system32\Jklnggjm.exe94⤵PID:2748
-
C:\Windows\SysWOW64\Kpkcdn32.exeC:\Windows\system32\Kpkcdn32.exe95⤵PID:2232
-
C:\Windows\SysWOW64\Kjchmclb.exeC:\Windows\system32\Kjchmclb.exe96⤵PID:1488
-
C:\Windows\SysWOW64\Kdilkllh.exeC:\Windows\system32\Kdilkllh.exe97⤵PID:2060
-
C:\Windows\SysWOW64\Kppmpmal.exeC:\Windows\system32\Kppmpmal.exe98⤵PID:3044
-
C:\Windows\SysWOW64\Kjhahb32.exeC:\Windows\system32\Kjhahb32.exe99⤵PID:572
-
C:\Windows\SysWOW64\Kcqfahom.exeC:\Windows\system32\Kcqfahom.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Kjjnnbfj.exeC:\Windows\system32\Kjjnnbfj.exe101⤵PID:276
-
C:\Windows\SysWOW64\Kogffida.exeC:\Windows\system32\Kogffida.exe102⤵PID:1696
-
C:\Windows\SysWOW64\Lddoopbi.exeC:\Windows\system32\Lddoopbi.exe103⤵PID:1056
-
C:\Windows\SysWOW64\Lnmcge32.exeC:\Windows\system32\Lnmcge32.exe104⤵PID:2252
-
C:\Windows\SysWOW64\Lhbhdnio.exeC:\Windows\system32\Lhbhdnio.exe105⤵PID:2012
-
C:\Windows\SysWOW64\Lbjlnd32.exeC:\Windows\system32\Lbjlnd32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Lkcqfifp.exeC:\Windows\system32\Lkcqfifp.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2964 -
C:\Windows\SysWOW64\Lqpiopdh.exeC:\Windows\system32\Lqpiopdh.exe108⤵PID:2940
-
C:\Windows\SysWOW64\Lkemli32.exeC:\Windows\system32\Lkemli32.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Lqbfdp32.exeC:\Windows\system32\Lqbfdp32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Lfonlg32.exeC:\Windows\system32\Lfonlg32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2092 -
C:\Windows\SysWOW64\Mogcelgm.exeC:\Windows\system32\Mogcelgm.exe112⤵PID:2000
-
C:\Windows\SysWOW64\Mmkcoq32.exeC:\Windows\system32\Mmkcoq32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1004 -
C:\Windows\SysWOW64\Mfchgflg.exeC:\Windows\system32\Mfchgflg.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Mcghajkq.exeC:\Windows\system32\Mcghajkq.exe115⤵
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Meidib32.exeC:\Windows\system32\Meidib32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1816 -
C:\Windows\SysWOW64\Mlbmem32.exeC:\Windows\system32\Mlbmem32.exe117⤵PID:2344
-
C:\Windows\SysWOW64\Mfhabe32.exeC:\Windows\system32\Mfhabe32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Mlejkl32.exeC:\Windows\system32\Mlejkl32.exe119⤵
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Niijdq32.exeC:\Windows\system32\Niijdq32.exe120⤵PID:2256
-
C:\Windows\SysWOW64\Nlgfqldf.exeC:\Windows\system32\Nlgfqldf.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2264
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-