Analysis
max time kernel: 146s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 10/07/2024, 01:58

Static task: static1
Behavioral task: behavioral1
  Sample: 97a73484ff5b2a72e8a10a8d1990782b7cdeb956e07f0f1bc3735369f3ea5ab3.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 97a73484ff5b2a72e8a10a8d1990782b7cdeb956e07f0f1bc3735369f3ea5ab3.exe
  Resource: win10v2004-20240709-en

General
Target: 97a73484ff5b2a72e8a10a8d1990782b7cdeb956e07f0f1bc3735369f3ea5ab3.exe
Size: 79KB
MD5: 1e580f3ffa10e12bb991db62dfa2315d
SHA1: 8638c20740ba105cecd556a9ac6cc51d75cb6fea
SHA256: 97a73484ff5b2a72e8a10a8d1990782b7cdeb956e07f0f1bc3735369f3ea5ab3
SHA512: 8f47a59b2ed44f7cecd1dfa958fba6c0c1b66314ab9edd73e1df5fcc3ba829f7620ec11f7981ba600d422557ffce04bcc0177764f3c991a0925d553bc6728e41
SSDEEP: 1536:m7e5glCsxD4Idkj94SoLfmgiRW4Tb81rSRW8L1PlNaDaUir5:xW4dja9LeVZnxR
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Every IoC in this signature touches the same key (the report spells its hive both SOFTWARE and Software; registry key names are case-insensitive) and the same value:
  key:   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  value: Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  (type: str)

Set value (str) ...\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}", by 33 processes in report order:
  Kpenogee.exe, Ocoodjan.exe, Pegalaad.exe, Dqjghb32.exe, Qepdbpii.exe, Pcchoj32.exe, Pabkmb32.exe, Lmikhn32.exe, Nhnhcnkg.exe, Kfofla32.exe, Ncaokgmp.exe, Ojkcfdgh.exe, Dmlnbd32.exe, Blghhahp.exe, Jiiimmok.exe, Nhlkmnmj.exe, Abmkjiqg.exe, Bjillfhl.exe, Leflapab.exe, Bhecnndq.exe, Bkoepj32.exe, Bnbkgech.exe, Nkjgiiln.exe, Clnnhq32.exe, Comkdl32.exe, Abogpiod.exe, Labjcmqf.exe, Dnkjlg32.exe, Kbanfbfk.exe, Qjmmkgga.exe, Pceeei32.exe, Cdlpbbmp.exe, Dcjpjn32.exe

Key created ...\ShellServiceObjectDelayLoad, by 31 processes in report order:
  Dgabomfl.exe, Ldpfoipj.exe, Aepqac32.exe, Njdagbjd.exe, Nmiccl32.exe, Dkhedlbj.exe, Lpbnijic.exe, Apoonnac.exe, Bjillfhl.exe, Dmlnbd32.exe, Nhlkmnmj.exe, Phjgdm32.exe, Qepdbpii.exe, Bkflpi32.exe, Dcciiope.exe, Lkeeqckl.exe, Djpnkhep.exe, Bkoepj32.exe, Cdlpbbmp.exe, Mdelik32.exe, Afdmphme.exe, Abadeh32.exe, Odgennoi.exe, Apchim32.exe, Oglgji32.exe, Mocjeedn.exe, Pndoqf32.exe, Ncaokgmp.exe, Bkdokjdd.exe, Kdipnjfb.exe, Lgclfc32.exe
Executes dropped EXE (64 IoCs)
pid   Process
2768  Jfhpkbbj.exe
2288  Jandikbp.exe
2444  Jboapc32.exe
2828  Jiiimmok.exe
2724  Klgeih32.exe
2888  Kbanfbfk.exe
2648  Kfmjfa32.exe
1536  Kpenogee.exe
1480  Kfofla32.exe
2180  Khpccibp.exe
2956  Kpgkef32.exe
2800  Kbfgab32.exe
2100  Khbpii32.exe
2536  Kjaled32.exe
480   Kefpbm32.exe
1500  Kdipnjfb.exe
1720  Kmaego32.exe
2432  Kdlmdi32.exe
1936  Lfjipe32.exe
308   Lkeeqckl.exe
1396  Lpbnijic.exe
2144  Lhjfjhje.exe
576   Lkhbfcii.exe
2016  Lmfnbohm.exe
2132  Labjcmqf.exe
2104  Ldpfoipj.exe
2160  Lmikhn32.exe
2384  Ledplq32.exe
2740  Llnhikkb.exe
2600  Lgclfc32.exe
2772  Leflapab.exe
2756  Libhbo32.exe
2712  Mcjmkdpl.exe
2504  Moanpe32.exe
1996  Mcmiqdnj.exe
2688  Maojlaed.exe
1696  Mlenijej.exe
2056  Mocjeedn.exe
2652  Mdpbnlbe.exe
1544  Mgoojgai.exe
1268  Mkjkkf32.exe
660   Mdbocl32.exe
2176  Mhnkdjhl.exe
1932  Mafpmp32.exe
924   Mdelik32.exe
2260  Nnmqbaeq.exe
1364  Nlpamn32.exe
1708  Nqlmnldd.exe
2072  Ngeekfka.exe
2284  Njdagbjd.exe
2208  Nqnicl32.exe
2856  Nclfpg32.exe
2172  Njfnlahb.exe
2612  Nqpfil32.exe
2152  Ncobeg32.exe
2404  Njikba32.exe
1944  Nhlkmnmj.exe
2548  Nkjgiiln.exe
336   Ncaokgmp.exe
1640  Nbdpfc32.exe
1008  Nhnhcnkg.exe
1044  Nmiccl32.exe
2420  Nohpph32.exe
2788  Nbfllc32.exe
Loads dropped DLL (64 IoCs)
Each pid/process pair below is recorded twice in the report (32 distinct pairs):
pid   Process
2412  97a73484ff5b2a72e8a10a8d1990782b7cdeb956e07f0f1bc3735369f3ea5ab3.exe
2768  Jfhpkbbj.exe
2288  Jandikbp.exe
2444  Jboapc32.exe
2828  Jiiimmok.exe
2724  Klgeih32.exe
2888  Kbanfbfk.exe
2648  Kfmjfa32.exe
1536  Kpenogee.exe
1480  Kfofla32.exe
2180  Khpccibp.exe
2956  Kpgkef32.exe
2800  Kbfgab32.exe
2100  Khbpii32.exe
2536  Kjaled32.exe
480   Kefpbm32.exe
1500  Kdipnjfb.exe
1720  Kmaego32.exe
2432  Kdlmdi32.exe
1936  Lfjipe32.exe
308   Lkeeqckl.exe
1396  Lpbnijic.exe
2144  Lhjfjhje.exe
576   Lkhbfcii.exe
2016  Lmfnbohm.exe
2132  Labjcmqf.exe
2104  Ldpfoipj.exe
2160  Lmikhn32.exe
2384  Ledplq32.exe
2740  Llnhikkb.exe
2600  Lgclfc32.exe
2772  Leflapab.exe
Drops file in System32 directory (64 IoCs)
description                   ioc                               Process
File opened for modification  C:\Windows\SysWOW64\Pnofeghe.exe  Pmnino32.exe
File opened for modification  C:\Windows\SysWOW64\Dgmidn32.exe  Ddnmhb32.exe
File opened for modification  C:\Windows\SysWOW64\Kfofla32.exe  Kpenogee.exe
File opened for modification  C:\Windows\SysWOW64\Moanpe32.exe  Mcjmkdpl.exe
File opened for modification  C:\Windows\SysWOW64\Mdbocl32.exe  Mkjkkf32.exe
File opened for modification  C:\Windows\SysWOW64\Nnmqbaeq.exe  Mdelik32.exe
File created                  C:\Windows\SysWOW64\Qhldiljp.exe  Pabkmb32.exe
File created                  C:\Windows\SysWOW64\Bchngm32.dll  Cllaca32.exe
File opened for modification  C:\Windows\SysWOW64\Dqgjbcoo.exe  Dmlnbd32.exe
File created                  C:\Windows\SysWOW64\Kjlbnamj.dll  Jboapc32.exe
File created                  C:\Windows\SysWOW64\Kfofla32.exe  Kpenogee.exe
File opened for modification  C:\Windows\SysWOW64\Mdpbnlbe.exe  Mocjeedn.exe
File created                  C:\Windows\SysWOW64\Nclfpg32.exe  Nqnicl32.exe
File opened for modification  C:\Windows\SysWOW64\Djnafi32.exe  Dkkajlph.exe
File created                  C:\Windows\SysWOW64\Kfmjfa32.exe  Kbanfbfk.exe
File opened for modification  C:\Windows\SysWOW64\Mkjkkf32.exe  Mgoojgai.exe
File created                  C:\Windows\SysWOW64\Ibiflmjc.dll  Qmkigb32.exe
File created                  C:\Windows\SysWOW64\Jajgam32.dll  Dgdoemdi.exe
File created                  C:\Windows\SysWOW64\Naknnfci.dll  Dqgjbcoo.exe
File created                  C:\Windows\SysWOW64\Dkkifgpn.dll  Kfmjfa32.exe
File created                  C:\Windows\SysWOW64\Nlpamn32.exe  Nnmqbaeq.exe
File created                  C:\Windows\SysWOW64\Bkflpi32.exe  Bcodol32.exe
File created                  C:\Windows\SysWOW64\Ddnmhb32.exe  Dqcqgc32.exe
File opened for modification  C:\Windows\SysWOW64\Ojfjke32.exe  Oghnoi32.exe
File opened for modification  C:\Windows\SysWOW64\Ocoodjan.exe  Oqpbhobj.exe
File opened for modification  C:\Windows\SysWOW64\Phjgdm32.exe  Pigghpeh.exe
File created                  C:\Windows\SysWOW64\Djpnkhep.exe  Dgabomfl.exe
File created                  C:\Windows\SysWOW64\Kjdefila.dll  Cjnege32.exe
File opened for modification  C:\Windows\SysWOW64\Cbijkh32.exe  Cphncpld.exe
File opened for modification  C:\Windows\SysWOW64\Njfnlahb.exe  Nclfpg32.exe
File opened for modification  C:\Windows\SysWOW64\Nhlkmnmj.exe  Njikba32.exe
File created                  C:\Windows\SysWOW64\Bkkeaimb.dll  Aocloj32.exe
File opened for modification  C:\Windows\SysWOW64\Bcaqdl32.exe  Bdopiohb.exe
File opened for modification  C:\Windows\SysWOW64\Dbmpejph.exe  Dcjpjn32.exe
File opened for modification  C:\Windows\SysWOW64\Lkhbfcii.exe  Lhjfjhje.exe
File created                  C:\Windows\SysWOW64\Dnoigakm.dll  Moanpe32.exe
File opened for modification  C:\Windows\SysWOW64\Pigghpeh.exe  Pbmoke32.exe
File created                  C:\Windows\SysWOW64\Djnafi32.exe  Dkkajlph.exe
File created                  C:\Windows\SysWOW64\Hnibdb32.dll  Bnbkgech.exe
File opened for modification  C:\Windows\SysWOW64\Dffopi32.exe  Dgdoemdi.exe
File created                  C:\Windows\SysWOW64\Kleqohdj.dll  Jandikbp.exe
File created                  C:\Windows\SysWOW64\Khpccibp.exe  Kfofla32.exe
File created                  C:\Windows\SysWOW64\Blckoifq.dll  Kdlmdi32.exe
File created                  C:\Windows\SysWOW64\Pfknenql.dll  Oghnoi32.exe
File created                  C:\Windows\SysWOW64\Afpefd32.dll  Kefpbm32.exe
File opened for modification  C:\Windows\SysWOW64\Mdelik32.exe  Mafpmp32.exe
File created                  C:\Windows\SysWOW64\Mlegmc32.dll  Aibjlcli.exe
File created                  C:\Windows\SysWOW64\Iieikd32.dll  Qjkpegic.exe
File opened for modification  C:\Windows\SysWOW64\Bkoepj32.exe  Bhqico32.exe
File created                  C:\Windows\SysWOW64\Ceeaqa32.dll  Cdlpbbmp.exe
File created                  C:\Windows\SysWOW64\Dkkajlph.exe  Dcciiope.exe
File created                  C:\Windows\SysWOW64\Eilmem32.dll  Lmikhn32.exe
File created                  C:\Windows\SysWOW64\Oglmdbad.dll  Lgclfc32.exe
File created                  C:\Windows\SysWOW64\Mafpmp32.exe  Mhnkdjhl.exe
File created                  C:\Windows\SysWOW64\Okfedq32.dll  Ogeajjnl.exe
File created                  C:\Windows\SysWOW64\Kdldpa32.dll  Djnafi32.exe
File created                  C:\Windows\SysWOW64\Cnddkh32.exe  Ckfhom32.exe
File created                  C:\Windows\SysWOW64\Jeachk32.dll  Kfofla32.exe
File created                  C:\Windows\SysWOW64\Mcjmkdpl.exe  Libhbo32.exe
File created                  C:\Windows\SysWOW64\Lmqbqb32.dll  Njikba32.exe
File created                  C:\Windows\SysWOW64\Aibjlcli.exe  Afdmphme.exe
File opened for modification  C:\Windows\SysWOW64\Bkabejfg.exe  Bgffdk32.exe
File created                  C:\Windows\SysWOW64\Clqknppe.exe  Cfgcaf32.exe
File opened for modification  C:\Windows\SysWOW64\Kmaego32.exe  Kdipnjfb.exe
Program crash (1 IoCs)
pid   pid_target  Process       procid_target
4016  3992        WerFault.exe  225
Modifies registry class (64 IoCs)
All entries but the first are under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32, the class registration for the CLSID named in the ShellServiceObjectDelayLoad value above.

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID  97a73484ff5b2a72e8a10a8d1990782b7cdeb956e07f0f1bc3735369f3ea5ab3.exe

Key created ...\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32, by 22 processes in report order:
  Aaiamamk.exe, Bkoepj32.exe, Cjnege32.exe, Dffopi32.exe, Kmaego32.exe, Bdopiohb.exe, Kfmjfa32.exe, Jandikbp.exe, Ncobeg32.exe, Blghhahp.exe, Comkdl32.exe, Dmlnbd32.exe, Mocjeedn.exe, Aekgfdpj.exe, Aigcgc32.exe, Qjmmkgga.exe, Qmkigb32.exe, Abadeh32.exe, Ddqinb32.exe, Oabonopg.exe, Maojlaed.exe, Oqpbhobj.exe

Set value (str) ...\InProcServer32\ThreadingModel = "Apartment", by 18 processes in report order:
  Bbdakh32.exe, Nnmqbaeq.exe, Kdlmdi32.exe, Aiipmb32.exe, Piejbpgk.exe, Aocloj32.exe, Cllaca32.exe, Mcjmkdpl.exe, Dnkjlg32.exe, Qepdbpii.exe, Bedjmcgp.exe, Maojlaed.exe, Ncaokgmp.exe, Bpnkmadn.exe, Oghnoi32.exe, Abogpiod.exe, Kbanfbfk.exe, Dqlcnb32.exe

Set value (str) ...\InProcServer32\ (default) = DLL path, by 23 processes in report order. Each process registers a differently named DLL under the same CLSID, so the CLSID is the stable indicator and the DLL name is not (backslashes are shown doubled as the report renders them):
  Process       (default)
  Domgcocg.exe  "C:\\Windows\\SysWow64\\Ciphfblh.dll"
  Pmnino32.exe  "C:\\Windows\\SysWow64\\Bfefjpod.dll"
  Bainld32.exe  "C:\\Windows\\SysWow64\\Cpamgobk.dll"
  Ddnmhb32.exe  "C:\\Windows\\SysWow64\\Cpbioi32.dll"
  Pigghpeh.exe  "C:\\Windows\\SysWow64\\Qcdikk32.dll"
  Plcfokfn.exe  "C:\\Windows\\SysWow64\\Oiodai32.dll"
  Pnabkgfb.exe  "C:\\Windows\\SysWow64\\Lbjjadio.dll"
  Cllaca32.exe  "C:\\Windows\\SysWow64\\Bchngm32.dll"
  Abjnei32.exe  "C:\\Windows\\SysWow64\\Iclknd32.dll"
  Aigcgc32.exe  "C:\\Windows\\SysWow64\\Emdikm32.dll"
  Mgoojgai.exe  "C:\\Windows\\SysWow64\\Efibdgle.dll"
  Dqlcnb32.exe  "C:\\Windows\\SysWow64\\Fohafo32.dll"
  Dngaahan.exe  "C:\\Windows\\SysWow64\\Gifikp32.dll"
  Nkjgiiln.exe  "C:\\Windows\\SysWow64\\Ijmahq32.dll"
  Plnmcl32.exe  "C:\\Windows\\SysWow64\\Mhhjhefb.dll"
  Djbkahcm.exe  "C:\\Windows\\SysWow64\\Ioononpl.dll"
  Oeibcnmf.exe  "C:\\Windows\\SysWow64\\Lbmllgcc.dll"
  Lkhbfcii.exe  "C:\\Windows\\SysWow64\\Lhllel32.dll"
  Ledplq32.exe  "C:\\Windows\\SysWow64\\Oljpfqgg.dll"
  Clnnhq32.exe  "C:\\Windows\\SysWow64\\Ophiff32.dll"
  Mdelik32.exe  "C:\\Windows\\SysWow64\\Lnnoim32.dll"
  Dbbmaf32.exe  "C:\\Windows\\SysWow64\\Kponlmga.dll"
  Lkeeqckl.exe  "C:\\Windows\\SysWow64\\Hhohdn32.dll"
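The two registry signatures above are halves of one persistence mechanism. At logon Explorer.exe enumerates the values under ShellServiceObjectDelayLoad and instantiates each CLSID it finds through COM; the CLSID's InProcServer32 default value names the DLL that gets loaded into Explorer, so no Run key is ever written. In this report the value name ("Web Event Logger") and the CLSID stay constant across every generation of the dropped executables while the DLL registered under InProcServer32 changes each time (Domgcocg.exe registers Ciphfblh.dll, Pmnino32.exe registers Bfefjpod.dll, and so on), which makes the CLSID the indicator to hunt on. The script below is an added example, not part of the Triage report or of the sample: it parses IoC lines in the report's own format, joins the SSODL value to the class registration on the CLSID, and prints what a responder needs to remove. Its input is constructed: four lines copied from this report plus one invented line (the CLSID {00000000-0000-0000-0000-000000000001}, Example.dll and Example.exe are hypothetical) showing that a class registration nothing points at from SSODL is not reported as Explorer persistence. One caveat for the x64 sandbox: the sample is a 32-bit process, so its writes land in the Wow6432Node view; whether the 64-bit Explorer on that platform ever reads the redirected SSODL key is something to confirm on a live system rather than assume from the report.

```python
"""Resolve the Explorer SSODL persistence chain from sandbox registry IoCs (added example)."""
import re
from dataclasses import dataclass, field

# Constructed input in the shape of the report's IoC lines. The first four
# lines are copied from this report; the last one is invented (hypothetical
# CLSID, DLL and process name) to show that a class registration nothing
# points at from ShellServiceObjectDelayLoad is not Explorer persistence.
SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpenogee.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciphfblh.dll" Domgcocg.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbdakh32.exe',
    r'Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgabomfl.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32\ = "C:\\Windows\\SysWow64\\Example.dll" Example.exe',
]

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
SET_STR = r"^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\"
INPROC = r"Classes\\(?:Wow6432Node\\)?CLSID\\(?P<clsid>" + CLSID + r")\\InProcServer32\\"

# SSODL value: Explorer instantiates every CLSID listed under this key at logon.
SSODL_SET = re.compile(
    SET_STR
    + r"(?P<wow>Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\"
    + r'(?P<name>.+?) = "(?P<clsid>' + CLSID + r')" (?P<proc>\S+)$',
    re.IGNORECASE,
)
# CLSID\InProcServer32 default value: the DLL COM loads for that CLSID.
INPROC_DEFAULT = re.compile(SET_STR + INPROC + r' = "(?P<dll>[^"]+)" (?P<proc>\S+)$', re.IGNORECASE)
INPROC_THREADING = re.compile(SET_STR + INPROC + r'ThreadingModel = "(?P<model>[^"]+)" (?P<proc>\S+)$', re.IGNORECASE)


@dataclass
class SsodlPersistence:
    name: str                  # value name Explorer enumerates under SSODL
    clsid: str
    wow64: bool                # written through the WOW64-redirected registry view
    ssodl_writers: list = field(default_factory=list)
    dll_paths: set = field(default_factory=set)
    dll_writers: list = field(default_factory=list)
    threading_models: set = field(default_factory=set)


def correlate(lines):
    """Join SSODL values to their CLSID class registrations; returns {CLSID: entry}."""
    entries = {}
    for line in lines:
        m = SSODL_SET.match(line.strip())
        if m:
            clsid = m["clsid"].upper()
            entry = entries.setdefault(clsid, SsodlPersistence(m["name"], clsid, bool(m["wow"])))
            entry.ssodl_writers.append(m["proc"])
    for line in lines:
        line = line.strip()
        m = INPROC_DEFAULT.match(line)
        if m and m["clsid"].upper() in entries:
            entry = entries[m["clsid"].upper()]
            # the report renders string values with escaped backslashes
            entry.dll_paths.add(m["dll"].replace("\\\\", "\\"))
            entry.dll_writers.append(m["proc"])
            continue
        m = INPROC_THREADING.match(line)
        if m and m["clsid"].upper() in entries:
            entries[m["clsid"].upper()].threading_models.add(m["model"])
    return entries


def unreferenced_clsids(lines):
    """CLSIDs with InProcServer32 writes that no SSODL value points at (not Explorer persistence by themselves)."""
    referenced = set(correlate(lines))
    seen = set()
    for line in lines:
        m = INPROC_DEFAULT.match(line.strip()) or INPROC_THREADING.match(line.strip())
        if m:
            seen.add(m["clsid"].upper())
    return seen - referenced


def cleanup_plan(entry):
    """What to remove, SSODL value first so Explorer stops instantiating the CLSID at the next logon."""
    view = "Wow6432Node\\" if entry.wow64 else ""
    plan = [
        "reg delete value: HKLM\\SOFTWARE\\" + view
        + "Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad /v \"" + entry.name + "\"",
        "reg delete key:   HKLM\\SOFTWARE\\Classes\\" + view + "CLSID\\" + entry.clsid,
    ]
    plan += ["delete file:      " + path for path in sorted(entry.dll_paths)]
    return plan


if __name__ == "__main__":
    for entry in correlate(SAMPLE_IOCS).values():
        print(f"SSODL '{entry.name}' -> {entry.clsid} (wow64 view: {entry.wow64})")
        print("  SSODL value set by : " + ", ".join(entry.ssodl_writers))
        print("  InProcServer32 DLL : " + ", ".join(sorted(entry.dll_paths)) + " (set by " + ", ".join(entry.dll_writers) + ")")
        print("  ThreadingModel     : " + ", ".join(sorted(entry.threading_models)))
        for step in cleanup_plan(entry):
            print("  " + step)
    print("InProcServer32 writes with no SSODL reference:", sorted(unreferenced_clsids(SAMPLE_IOCS)))
```

Run it as a script to print the chain and the cleanup plan for the constructed lines; feeding `correlate()` the full IoC list from both registry signatures of this report yields every DLL name the generations registered under the one CLSID, which is the list a responder needs since each dropped executable re-points InProcServer32 at a fresh file.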
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent/child pair is recorded four times in the report (16 distinct pairs). The chain is a single line: each dropped executable starts the next one.
pid   Process -> wrote to pid (procid_target)
2412  97a73484ff5b2a72e8a10a8d1990782b7cdeb956e07f0f1bc3735369f3ea5ab3.exe -> 2768 (29)
2768  Jfhpkbbj.exe -> 2288 (30)
2288  Jandikbp.exe -> 2444 (31)
2444  Jboapc32.exe -> 2828 (32)
2828  Jiiimmok.exe -> 2724 (33)
2724  Klgeih32.exe -> 2888 (34)
2888  Kbanfbfk.exe -> 2648 (35)
2648  Kfmjfa32.exe -> 1536 (36)
1536  Kpenogee.exe -> 1480 (37)
1480  Kfofla32.exe -> 2180 (38)
2180  Khpccibp.exe -> 2956 (39)
2956  Kpgkef32.exe -> 2800 (40)
2800  Kbfgab32.exe -> 2100 (41)
2100  Khbpii32.exe -> 2536 (42)
2536  Kjaled32.exe -> 480 (43)
480   Kefpbm32.exe -> 1500 (44)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\97a73484ff5b2a72e8a10a8d1990782b7cdeb956e07f0f1bc3735369f3ea5ab3.exe (PID 2412)
   Command line: "C:\Users\Admin\AppData\Local\Temp\97a73484ff5b2a72e8a10a8d1990782b7cdeb956e07f0f1bc3735369f3ea5ab3.exe"
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Jfhpkbbj.exe (PID 2768)
   Command line: C:\Windows\system32\Jfhpkbbj.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Jandikbp.exe (PID 2288)
   Command line: C:\Windows\system32\Jandikbp.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Jboapc32.exe (PID 2444)
   Command line: C:\Windows\system32\Jboapc32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Jiiimmok.exe (PID 2828)
   Command line: C:\Windows\system32\Jiiimmok.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Klgeih32.exe (PID 2724)
   Command line: C:\Windows\system32\Klgeih32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Kbanfbfk.exe (PID 2888)
   Command line: C:\Windows\system32\Kbanfbfk.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Kfmjfa32.exe (PID 2648)
   Command line: C:\Windows\system32\Kfmjfa32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Kpenogee.exe (PID 1536)
   Command line: C:\Windows\system32\Kpenogee.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Kfofla32.exe (PID 1480)
    Command line: C:\Windows\system32\Kfofla32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Khpccibp.exe (PID 2180)
    Command line: C:\Windows\system32\Khpccibp.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Kpgkef32.exe (PID 2956)
    Command line: C:\Windows\system32\Kpgkef32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Kbfgab32.exe (PID 2800)
    Command line: C:\Windows\system32\Kbfgab32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Khbpii32.exe (PID 2100)
    Command line: C:\Windows\system32\Khbpii32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Kjaled32.exe (PID 2536)
    Command line: C:\Windows\system32\Kjaled32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Kefpbm32.exe (PID 480)
    Command line: C:\Windows\system32\Kefpbm32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Kdipnjfb.exe (PID 1500)
    Command line: C:\Windows\system32\Kdipnjfb.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
18. C:\Windows\SysWOW64\Kmaego32.exe (PID 1720)
    Command line: C:\Windows\system32\Kmaego32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
19. C:\Windows\SysWOW64\Kdlmdi32.exe (PID 2432)
    Command line: C:\Windows\system32\Kdlmdi32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
20. C:\Windows\SysWOW64\Lfjipe32.exe (PID 1936)
    Command line: C:\Windows\system32\Lfjipe32.exe
    - Executes dropped EXE
    - Loads dropped DLL
21. C:\Windows\SysWOW64\Lkeeqckl.exe (PID 308)
    Command line: C:\Windows\system32\Lkeeqckl.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
22. C:\Windows\SysWOW64\Lpbnijic.exe (PID 1396)
    Command line: C:\Windows\system32\Lpbnijic.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
23. C:\Windows\SysWOW64\Lhjfjhje.exe (PID 2144)
    Command line: C:\Windows\system32\Lhjfjhje.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
24. C:\Windows\SysWOW64\Lkhbfcii.exe (PID 576)
    Command line: C:\Windows\system32\Lkhbfcii.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
25. C:\Windows\SysWOW64\Lmfnbohm.exe (PID 2016)
    Command line: C:\Windows\system32\Lmfnbohm.exe
    - Executes dropped EXE
    - Loads dropped DLL
26. C:\Windows\SysWOW64\Labjcmqf.exe (PID 2132)
    Command line: C:\Windows\system32\Labjcmqf.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
27. C:\Windows\SysWOW64\Ldpfoipj.exe (PID 2104)
    Command line: C:\Windows\system32\Ldpfoipj.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
28. C:\Windows\SysWOW64\Lmikhn32.exe (PID 2160)
    Command line: C:\Windows\system32\Lmikhn32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
29. C:\Windows\SysWOW64\Ledplq32.exe (PID 2384)
    Command line: C:\Windows\system32\Ledplq32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
30. C:\Windows\SysWOW64\Llnhikkb.exe (PID 2740)
    Command line: C:\Windows\system32\Llnhikkb.exe
    - Executes dropped EXE
    - Loads dropped DLL
31. C:\Windows\SysWOW64\Lgclfc32.exe (PID 2600)
    Command line: C:\Windows\system32\Lgclfc32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
32. C:\Windows\SysWOW64\Leflapab.exe (PID 2772)
    Command line: C:\Windows\system32\Leflapab.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
33. C:\Windows\SysWOW64\Libhbo32.exe (PID 2756)
    Command line: C:\Windows\system32\Libhbo32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
34. C:\Windows\SysWOW64\Mcjmkdpl.exe (PID 2712)
    Command line: C:\Windows\system32\Mcjmkdpl.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
35. C:\Windows\SysWOW64\Moanpe32.exe (PID 2504)
    Command line: C:\Windows\system32\Moanpe32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
36. C:\Windows\SysWOW64\Mcmiqdnj.exe (PID 1996)
    Command line: C:\Windows\system32\Mcmiqdnj.exe
    - Executes dropped EXE
37. C:\Windows\SysWOW64\Maojlaed.exe (PID 2688)
    Command line: C:\Windows\system32\Maojlaed.exe
    - Executes dropped EXE
    - Modifies registry class
38. C:\Windows\SysWOW64\Mlenijej.exe (PID 1696)
    Command line: C:\Windows\system32\Mlenijej.exe
    - Executes dropped EXE
39. C:\Windows\SysWOW64\Mocjeedn.exe (PID 2056)
    Command line: C:\Windows\system32\Mocjeedn.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
40. C:\Windows\SysWOW64\Mdpbnlbe.exe (PID 2652)
    Command line: C:\Windows\system32\Mdpbnlbe.exe
    - Executes dropped EXE
41. C:\Windows\SysWOW64\Mgoojgai.exe (PID 1544)
    Command line: C:\Windows\system32\Mgoojgai.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
42. C:\Windows\SysWOW64\Mkjkkf32.exe (PID 1268)
    Command line: C:\Windows\system32\Mkjkkf32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
43. C:\Windows\SysWOW64\Mdbocl32.exe (PID 660)
    Command line: C:\Windows\system32\Mdbocl32.exe
    - Executes dropped EXE
44. C:\Windows\SysWOW64\Mhnkdjhl.exe (PID 2176)
    Command line: C:\Windows\system32\Mhnkdjhl.exe
    - Executes dropped EXE
    - Drops file in System32 directory
45. C:\Windows\SysWOW64\Mafpmp32.exe (PID 1932)
    Command line: C:\Windows\system32\Mafpmp32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
46. C:\Windows\SysWOW64\Mdelik32.exe (PID 924)
    Command line: C:\Windows\system32\Mdelik32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
47. C:\Windows\SysWOW64\Nnmqbaeq.exe (PID 2260)
    Command line: C:\Windows\system32\Nnmqbaeq.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
48. C:\Windows\SysWOW64\Nlpamn32.exe (PID 1364)
    Command line: C:\Windows\system32\Nlpamn32.exe
    - Executes dropped EXE
49. C:\Windows\SysWOW64\Nqlmnldd.exe (PID 1708)
    Command line: C:\Windows\system32\Nqlmnldd.exe
    - Executes dropped EXE
50. C:\Windows\SysWOW64\Ngeekfka.exe (PID 2072)
    Command line: C:\Windows\system32\Ngeekfka.exe
    - Executes dropped EXE
51. C:\Windows\SysWOW64\Njdagbjd.exe (PID 2284)
    Command line: C:\Windows\system32\Njdagbjd.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
52. C:\Windows\SysWOW64\Nqnicl32.exe (PID 2208)
    Command line: C:\Windows\system32\Nqnicl32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
53. C:\Windows\SysWOW64\Nclfpg32.exe (PID 2856)
    Command line: C:\Windows\system32\Nclfpg32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
54. C:\Windows\SysWOW64\Njfnlahb.exe (PID 2172)
    Command line: C:\Windows\system32\Njfnlahb.exe
    - Executes dropped EXE
55. C:\Windows\SysWOW64\Nqpfil32.exe (PID 2612)
    Command line: C:\Windows\system32\Nqpfil32.exe
    - Executes dropped EXE
56. C:\Windows\SysWOW64\Ncobeg32.exe (PID 2152)
    Command line: C:\Windows\system32\Ncobeg32.exe
    - Executes dropped EXE
    - Modifies registry class
57. C:\Windows\SysWOW64\Njikba32.exe (PID 2404)
    Command line: C:\Windows\system32\Njikba32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
58. C:\Windows\SysWOW64\Nhlkmnmj.exe (PID 1944)
    Command line: C:\Windows\system32\Nhlkmnmj.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
59. C:\Windows\SysWOW64\Nkjgiiln.exe (PID 2548)
    Command line: C:\Windows\system32\Nkjgiiln.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
60. C:\Windows\SysWOW64\Ncaokgmp.exe (PID 336)
    Command line: C:\Windows\system32\Ncaokgmp.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
61. C:\Windows\SysWOW64\Nbdpfc32.exe (PID 1640)
    Command line: C:\Windows\system32\Nbdpfc32.exe
    - Executes dropped EXE
62. C:\Windows\SysWOW64\Nhnhcnkg.exe (PID 1008)
    Command line: C:\Windows\system32\Nhnhcnkg.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
63. C:\Windows\SysWOW64\Nmiccl32.exe (PID 1044)
    Command line: C:\Windows\system32\Nmiccl32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
64. C:\Windows\SysWOW64\Nohpph32.exe (PID 2420)
    Command line: C:\Windows\system32\Nohpph32.exe
    - Executes dropped EXE
65. C:\Windows\SysWOW64\Nbfllc32.exe (PID 2788)
    Command line: C:\Windows\system32\Nbfllc32.exe
    - Executes dropped EXE
66. C:\Windows\SysWOW64\Oipdhm32.exe (PID 264)
    Command line: C:\Windows\system32\Oipdhm32.exe
67. C:\Windows\SysWOW64\Okoqdi32.exe (PID 584)
    Command line: C:\Windows\system32\Okoqdi32.exe
68. C:\Windows\SysWOW64\Obiiacpe.exe (PID 1632)
    Command line: C:\Windows\system32\Obiiacpe.exe
69. C:\Windows\SysWOW64\Odgennoi.exe (PID 1752)
    Command line: C:\Windows\system32\Odgennoi.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
70. C:\Windows\SysWOW64\Ogeajjnl.exe (PID 2736)
    Command line: C:\Windows\system32\Ogeajjnl.exe
    - Drops file in System32 directory
71. C:\Windows\SysWOW64\Okamjh32.exe (PID 2752)
    Command line: C:\Windows\system32\Okamjh32.exe
72. C:\Windows\SysWOW64\Onojfd32.exe (PID 2224)
    Command line: C:\Windows\system32\Onojfd32.exe
73. C:\Windows\SysWOW64\Oeibcnmf.exe (PID 2124)
    Command line: C:\Windows\system32\Oeibcnmf.exe
    - Modifies registry class
74. C:\Windows\SysWOW64\Oghnoi32.exe (PID 2560)
    Command line: C:\Windows\system32\Oghnoi32.exe
    - Drops file in System32 directory
    - Modifies registry class
75. C:\Windows\SysWOW64\Ojfjke32.exe (PID 560)
    Command line: C:\Windows\system32\Ojfjke32.exe
76. C:\Windows\SysWOW64\Omdfgq32.exe (PID 3044)
    Command line: C:\Windows\system32\Omdfgq32.exe
77. C:\Windows\SysWOW64\Oqpbhobj.exe (PID 2136)
    Command line: C:\Windows\system32\Oqpbhobj.exe
    - Drops file in System32 directory
    - Modifies registry class
78. C:\Windows\SysWOW64\Ocoodjan.exe (PID 1564)
    Command line: C:\Windows\system32\Ocoodjan.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
79. C:\Windows\SysWOW64\Ofmkpfqa.exe (PID 3016)
    Command line: C:\Windows\system32\Ofmkpfqa.exe
80. C:\Windows\SysWOW64\Oabonopg.exe (PID 2500)
    Command line: C:\Windows\system32\Oabonopg.exe
    - Modifies registry class
81. C:\Windows\SysWOW64\Ocakjjok.exe (PID 2972)
    Command line: C:\Windows\system32\Ocakjjok.exe
82. C:\Windows\SysWOW64\Oglgji32.exe (PID 1228)
    Command line: C:\Windows\system32\Oglgji32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
83. C:\Windows\SysWOW64\Ojkcfdgh.exe (PID 1352)
    Command line: C:\Windows\system32\Ojkcfdgh.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
84. C:\Windows\SysWOW64\Oindba32.exe (PID 2844)
    Command line: C:\Windows\system32\Oindba32.exe
85. C:\Windows\SysWOW64\Omipbpfl.exe (PID 2760)
    Command line: C:\Windows\system32\Omipbpfl.exe
86. C:\Windows\SysWOW64\Pcchoj32.exe (PID 2664)
    Command line: C:\Windows\system32\Pcchoj32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
87. C:\Windows\SysWOW64\Pbfhkfdc.exe (PID 1644)
    Command line: C:\Windows\system32\Pbfhkfdc.exe
88. C:\Windows\SysWOW64\Pfadke32.exe (PID 2936)
    Command line: C:\Windows\system32\Pfadke32.exe
89. C:\Windows\SysWOW64\Pipqgq32.exe (PID 2632)
    Command line: C:\Windows\system32\Pipqgq32.exe
90. C:\Windows\SysWOW64\Plnmcl32.exe (PID 2792)
    Command line: C:\Windows\system32\Plnmcl32.exe
    - Modifies registry class
91. C:\Windows\SysWOW64\Pceeei32.exe (PID 2204)
    Command line: C:\Windows\system32\Pceeei32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
92. C:\Windows\SysWOW64\Pegalaad.exe (PID 1504)
    Command line: C:\Windows\system32\Pegalaad.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
93. C:\Windows\SysWOW64\Pmnino32.exe (PID 984)
    Command line: C:\Windows\system32\Pmnino32.exe
    - Drops file in System32 directory
    - Modifies registry class
94. C:\Windows\SysWOW64\Pnofeghe.exe (PID 636)
    Command line: C:\Windows\system32\Pnofeghe.exe
95. C:\Windows\SysWOW64\Pffnfdhg.exe (PID 3036)
    Command line: C:\Windows\system32\Pffnfdhg.exe
96. C:\Windows\SysWOW64\Piejbpgk.exe (PID 2188)
    Command line: C:\Windows\system32\Piejbpgk.exe
    - Modifies registry class
97. C:\Windows\SysWOW64\Plcfokfn.exe (PID 2340)
    Command line: C:\Windows\system32\Plcfokfn.exe
    - Modifies registry class
98. C:\Windows\SysWOW64\Pnabkgfb.exe (PID 2900)
    Command line: C:\Windows\system32\Pnabkgfb.exe
    - Modifies registry class
99. C:\Windows\SysWOW64\Pbmoke32.exe (PID 2616)
    Command line: C:\Windows\system32\Pbmoke32.exe
    - Drops file in System32 directory
100. C:\Windows\SysWOW64\Pigghpeh.exe (PID 2264)
     Command line: C:\Windows\system32\Pigghpeh.exe
     - Drops file in System32 directory
     - Modifies registry class
101. C:\Windows\SysWOW64\Phjgdm32.exe (PID 1988)
     Command line: C:\Windows\system32\Phjgdm32.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
102. C:\Windows\SysWOW64\Pndoqf32.exe (PID 1560)
     Command line: C:\Windows\system32\Pndoqf32.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
103. C:\Windows\SysWOW64\Pabkmb32.exe (PID 2948)
     Command line: C:\Windows\system32\Pabkmb32.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Drops file in System32 directory
104. C:\Windows\SysWOW64\Qhldiljp.exe (PID 1444)
     Command line: C:\Windows\system32\Qhldiljp.exe
105. C:\Windows\SysWOW64\Qjkpegic.exe (PID 1048)
     Command line: C:\Windows\system32\Qjkpegic.exe
     - Drops file in System32 directory
106. C:\Windows\SysWOW64\Qmilachg.exe (PID 1384)
     Command line: C:\Windows\system32\Qmilachg.exe
107. C:\Windows\SysWOW64\Qepdbpii.exe (PID 2496)
     Command line: C:\Windows\system32\Qepdbpii.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Modifies registry class
108. C:\Windows\SysWOW64\Qfaqji32.exe (PID 1420)
     Command line: C:\Windows\system32\Qfaqji32.exe
109. C:\Windows\SysWOW64\Qjmmkgga.exe (PID 2700)
     Command line: C:\Windows\system32\Qjmmkgga.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Modifies registry class
110. C:\Windows\SysWOW64\Qmkigb32.exe (PID 2748)
     Command line: C:\Windows\system32\Qmkigb32.exe
     - Drops file in System32 directory
     - Modifies registry class
111. C:\Windows\SysWOW64\Qpjecn32.exe (PID 2620)
     Command line: C:\Windows\system32\Qpjecn32.exe
112. C:\Windows\SysWOW64\Ahamdk32.exe (PID 2588)
     Command line: C:\Windows\system32\Ahamdk32.exe
113. C:\Windows\SysWOW64\Afdmphme.exe (PID 440)
     Command line: C:\Windows\system32\Afdmphme.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Drops file in System32 directory
114. C:\Windows\SysWOW64\Aibjlcli.exe (PID 2796)
     Command line: C:\Windows\system32\Aibjlcli.exe
     - Drops file in System32 directory
115. C:\Windows\SysWOW64\Aaiamamk.exe (PID 1140)
     Command line: C:\Windows\system32\Aaiamamk.exe
     - Modifies registry class
116. C:\Windows\SysWOW64\Abjnei32.exe (PID 3012)
     Command line: C:\Windows\system32\Abjnei32.exe
     - Modifies registry class
117. C:\Windows\SysWOW64\Affjehkb.exe (PID 2860)
     Command line: C:\Windows\system32\Affjehkb.exe
118. C:\Windows\SysWOW64\Ampbbbbo.exe (PID 272)
     Command line: C:\Windows\system32\Ampbbbbo.exe
119. C:\Windows\SysWOW64\Apoonnac.exe (PID 1624)
     Command line: C:\Windows\system32\Apoonnac.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
120. C:\Windows\SysWOW64\Abmkjiqg.exe (PID 2076)
     Command line: C:\Windows\system32\Abmkjiqg.exe
     - Adds autorun key to be loaded by Explorer.exe on startup
121. C:\Windows\SysWOW64\Aekgfdpj.exe (PID 2644)
     Command line: C:\Windows\system32\Aekgfdpj.exe
     - Modifies registry class
122. C:\Windows\SysWOW64\Aigcgc32.exe (PID 2240)
     Command line: C:\Windows\system32\Aigcgc32.exe
     - Modifies registry class