Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
10/07/2024, 03:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b21025f6e381c09bdbccc118a3691308030ac3330c3393bf9fdda0d0488db92a.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
b21025f6e381c09bdbccc118a3691308030ac3330c3393bf9fdda0d0488db92a.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
b21025f6e381c09bdbccc118a3691308030ac3330c3393bf9fdda0d0488db92a.exe
-
Size
272KB
-
MD5
66995219af81575c90b28bc0e46c3902
-
SHA1
3f09be37080dcc8be334dc39f3b031b4bdc1ec4d
-
SHA256
b21025f6e381c09bdbccc118a3691308030ac3330c3393bf9fdda0d0488db92a
-
SHA512
6f00507b9d189755db79e1744bbe54b4a88468127b3ddd4832c436ca1d5018cf1098d4e7ec0a1659dbedcfb20e89d20298c209401c5b3f5bec76d2cbd9d461fe
-
SSDEEP
6144:N4dEla39bSR0xZKL2bWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQc/YRuEuT:N4dNbSwwL2bWGRdA6sQhPbWGRdA6sQxW
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkjnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqpflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnimiblo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fplllkdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghacfmic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpafapbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdlhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkcilc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neqnqofm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bofgii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iliebpfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifolhann.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jplfkjbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnjbeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncinap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkhbgbkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkebafoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkebafoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgdfdbhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njbdea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcpgdhpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkggmldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khldkllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iebldo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkecij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acfmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnnhngjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hinbppna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfehhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aihfap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbhhdnlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odedge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pofkha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpjkeoha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpopnejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neqnqofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkmhnjlh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gncldi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pioeoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhbpkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koaclfgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmcchlg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pejmfqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpmjhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfbpega.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnmel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcopdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kglehp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plbkfdba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqehjecl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqfbjhgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Demaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eogmcjef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcnkhmdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgpdglhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acicla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdiogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcmdnfad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jelfdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmnqje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnecigcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nknimnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpdkpiik.exe -
Executes dropped EXE 64 IoCs
pid Process 1444 Ibkkjp32.exe 2656 Iiecgjba.exe 1064 Jabdql32.exe 2988 Jofejpmc.exe 2736 Joiappkp.exe 2756 Jgdfdbhk.exe 2608 Jnnnalph.exe 2280 Jgfcja32.exe 2912 Jnpkflne.exe 1472 Kfkpknkq.exe 808 Kcopdb32.exe 2012 Kpcqnf32.exe 2128 Kjleflod.exe 1896 Kbgjkn32.exe 1284 Kkoncdcp.exe 2556 Lqhfhigj.exe 792 Miehak32.exe 1088 Mpopnejo.exe 1656 Macilmnk.exe 868 Mgmahg32.exe 2520 Meabakda.exe 2412 Necogkbo.exe 308 Nhakcfab.exe 344 Najpll32.exe 1888 Njbdea32.exe 2024 Nbpeoc32.exe 2268 Nlhjhi32.exe 2768 Npdfhhhe.exe 2784 Neqnqofm.exe 2796 Oagoep32.exe 1800 Olmcchlg.exe 672 Odhhgkib.exe 264 Okbpde32.exe 2836 Omqlpp32.exe 2576 Oehdan32.exe 2648 Ohhmcinf.exe 304 Ppcbgkka.exe 2336 Pincfpoo.exe 2956 Pphkbj32.exe 2124 Pcghof32.exe 2332 Piqpkpml.exe 1832 Plolgk32.exe 1724 Palepb32.exe 1980 Pegqpacp.exe 1720 Pkdihhag.exe 1524 Pckajebj.exe 2508 Pejmfqan.exe 2396 Qobbofgn.exe 2292 Qfljkp32.exe 1672 Qhjfgl32.exe 2140 Qngopb32.exe 2424 Qqfkln32.exe 2852 Agpcihcf.exe 1152 Ajnpecbj.exe 1464 Adcdbl32.exe 2328 Agbpnh32.exe 2652 Anlhkbhq.exe 2116 Adfqgl32.exe 2468 Agdmdg32.exe 2028 Ajcipc32.exe 1356 Amaelomh.exe 2080 Aggiigmn.exe 2076 Aihfap32.exe 956 Aqonbm32.exe -
Loads dropped DLL 64 IoCs
pid Process 1484 b21025f6e381c09bdbccc118a3691308030ac3330c3393bf9fdda0d0488db92a.exe 1484 b21025f6e381c09bdbccc118a3691308030ac3330c3393bf9fdda0d0488db92a.exe 1444 Ibkkjp32.exe 1444 Ibkkjp32.exe 2656 Iiecgjba.exe 2656 Iiecgjba.exe 1064 Jabdql32.exe 1064 Jabdql32.exe 2988 Jofejpmc.exe 2988 Jofejpmc.exe 2736 Joiappkp.exe 2736 Joiappkp.exe 2756 Jgdfdbhk.exe 2756 Jgdfdbhk.exe 2608 Jnnnalph.exe 2608 Jnnnalph.exe 2280 Jgfcja32.exe 2280 Jgfcja32.exe 2912 Jnpkflne.exe 2912 Jnpkflne.exe 1472 Kfkpknkq.exe 1472 Kfkpknkq.exe 808 Kcopdb32.exe 808 Kcopdb32.exe 2012 Kpcqnf32.exe 2012 Kpcqnf32.exe 2128 Kjleflod.exe 2128 Kjleflod.exe 1896 Kbgjkn32.exe 1896 Kbgjkn32.exe 1284 Kkoncdcp.exe 1284 Kkoncdcp.exe 2556 Lqhfhigj.exe 2556 Lqhfhigj.exe 792 Miehak32.exe 792 Miehak32.exe 1088 Mpopnejo.exe 1088 Mpopnejo.exe 1656 Macilmnk.exe 1656 Macilmnk.exe 868 Mgmahg32.exe 868 Mgmahg32.exe 2520 Meabakda.exe 2520 Meabakda.exe 2412 Necogkbo.exe 2412 Necogkbo.exe 308 Nhakcfab.exe 308 Nhakcfab.exe 344 Najpll32.exe 344 Najpll32.exe 316 Nbniid32.exe 316 Nbniid32.exe 2024 Nbpeoc32.exe 2024 Nbpeoc32.exe 2268 Nlhjhi32.exe 2268 Nlhjhi32.exe 2768 Npdfhhhe.exe 2768 Npdfhhhe.exe 2784 Neqnqofm.exe 2784 Neqnqofm.exe 2796 Oagoep32.exe 2796 Oagoep32.exe 1800 Olmcchlg.exe 1800 Olmcchlg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Locjhqpa.exe Lkgngb32.exe File created C:\Windows\SysWOW64\Dmijfmfi.exe Debadpeg.exe File created C:\Windows\SysWOW64\Idgglb32.exe Ijnbcmkk.exe File opened for modification C:\Windows\SysWOW64\Necogkbo.exe Meabakda.exe File opened for modification C:\Windows\SysWOW64\Fkecij32.exe Fcnkhmdp.exe File created C:\Windows\SysWOW64\Nijjkf32.dll Obeacl32.exe File created C:\Windows\SysWOW64\Hembkl32.dll Ibkkjp32.exe File created C:\Windows\SysWOW64\Adkqmpip.dll Iefcfe32.exe File opened for modification C:\Windows\SysWOW64\Eabepp32.exe Eeldkonl.exe File created C:\Windows\SysWOW64\Ofnpnkgf.exe Ncpdbohb.exe File opened for modification C:\Windows\SysWOW64\Adaiee32.exe Aacmij32.exe File opened for modification C:\Windows\SysWOW64\Hmbndmkb.exe Hfhfhbce.exe File created C:\Windows\SysWOW64\Pdmjki32.dll Eoiiijcc.exe File created C:\Windows\SysWOW64\Eabepp32.exe Eeldkonl.exe File opened for modification C:\Windows\SysWOW64\Gaihob32.exe Ghacfmic.exe File created C:\Windows\SysWOW64\Lclicpkm.exe Llbqfe32.exe File created C:\Windows\SysWOW64\Mpelaf32.dll Emifeqid.exe File opened for modification C:\Windows\SysWOW64\Ggkibhjf.exe Gmeeepjp.exe File created C:\Windows\SysWOW64\Ncinap32.exe Nmofdf32.exe File created C:\Windows\SysWOW64\Kkoncdcp.exe Kbgjkn32.exe File opened for modification C:\Windows\SysWOW64\Hhkopj32.exe Hdpcokdo.exe File created C:\Windows\SysWOW64\Kigndekn.exe Kbmfgk32.exe File created C:\Windows\SysWOW64\Cfpldf32.exe Cacclpae.exe File opened for modification C:\Windows\SysWOW64\Ohncbdbd.exe Njjcip32.exe File created C:\Windows\SysWOW64\Dhmcaf32.dll Lkggmldl.exe File opened for modification C:\Windows\SysWOW64\Nknimnap.exe Ndcapd32.exe File created C:\Windows\SysWOW64\Adcdbl32.exe Ajnpecbj.exe File created C:\Windows\SysWOW64\Llbqfe32.exe Lgehno32.exe File opened for modification C:\Windows\SysWOW64\Bqgmfkhg.exe Bjmeiq32.exe File created C:\Windows\SysWOW64\Lljpjchg.exe Lgngbmjp.exe File opened for modification C:\Windows\SysWOW64\Dklddhka.exe Ddblgn32.exe File created C:\Windows\SysWOW64\Oqbfik32.dll Dahifbpk.exe File created C:\Windows\SysWOW64\Bnapnm32.exe Bjedmo32.exe File opened for modification C:\Windows\SysWOW64\Cmmcpi32.exe Cbgobp32.exe File created C:\Windows\SysWOW64\Hlbhgd32.dll Odhhgkib.exe File created C:\Windows\SysWOW64\Kddomchg.exe Kklkcn32.exe File opened for modification C:\Windows\SysWOW64\Qdlggg32.exe Pleofj32.exe File created C:\Windows\SysWOW64\Gonale32.exe Ghdiokbq.exe File created C:\Windows\SysWOW64\Jjjkclbf.dll Oehdan32.exe File created C:\Windows\SysWOW64\Jmnqje32.exe Jfdhmk32.exe File opened for modification C:\Windows\SysWOW64\Locjhqpa.exe Lkgngb32.exe File created C:\Windows\SysWOW64\Kilgoe32.exe Kgnkci32.exe File opened for modification C:\Windows\SysWOW64\Ldahkaij.exe Lljpjchg.exe File created C:\Windows\SysWOW64\Epaqjmil.dll Odmckcmq.exe File created C:\Windows\SysWOW64\Kpafapbk.exe Kigndekn.exe File created C:\Windows\SysWOW64\Efedga32.exe Dhbdleol.exe File created C:\Windows\SysWOW64\Gojhafnb.exe Gpggei32.exe File opened for modification C:\Windows\SysWOW64\Jbhebfck.exe Jlnmel32.exe File created C:\Windows\SysWOW64\Aklabp32.exe Adaiee32.exe File created C:\Windows\SysWOW64\Dmjqpdje.exe Dklddhka.exe File opened for modification C:\Windows\SysWOW64\Knhjjj32.exe Kkjnnn32.exe File opened for modification C:\Windows\SysWOW64\Pkoicb32.exe Pdeqfhjd.exe File opened for modification C:\Windows\SysWOW64\Bnapnm32.exe Bjedmo32.exe File opened for modification C:\Windows\SysWOW64\Demaoj32.exe Dboeco32.exe File created C:\Windows\SysWOW64\Kfkpknkq.exe Jnpkflne.exe File created C:\Windows\SysWOW64\Jdnmma32.exe Jmdepg32.exe File created C:\Windows\SysWOW64\Lmmnpb32.dll Fhjmfnok.exe File created C:\Windows\SysWOW64\Acnlgajg.exe Alddjg32.exe File created C:\Windows\SysWOW64\Ngjhpb32.dll Dgbeiiqe.exe File created C:\Windows\SysWOW64\Cegoqlof.exe Clojhf32.exe File opened for modification C:\Windows\SysWOW64\Pdjjag32.exe Pmpbdm32.exe File opened for modification C:\Windows\SysWOW64\Odedge32.exe Ojmpooah.exe File created C:\Windows\SysWOW64\Faphfl32.dll Igceej32.exe File created C:\Windows\SysWOW64\Agbpnh32.exe Adcdbl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7016 6984 WerFault.exe 667 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmihbe32.dll" Jelfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkggmldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcmiq32.dll" Iediin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bflbigdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaihob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmamle32.dll" Oehgjfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phblkn32.dll" Kpgionie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doknlmcm.dll" Dhkkbmnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqcnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kejjjbbm.dll" Plmbkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifgpnmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjfnomde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fadndbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiggco32.dll" Njnmbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclknm32.dll" Bdhleh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmjqpdje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcbecl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmfbpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijphofem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfjbmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndkfpje.dll" Ikldqile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgjkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jinafidh.dll" Npdfhhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqojbd32.dll" Hpnkbpdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olbogqoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifmocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfodfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkfocaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obgnhkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejebfdmb.dll" Ifgpnmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klmqapci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmmcpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dadbdkld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efjmbaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqdodila.dll" Epbbkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgmpibam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqfbjhgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aacmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmfpmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioljfll.dll" Npbklabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fghiml32.dll" Djjjga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajnpecbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kigndekn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonalffc.dll" Hmdkjmip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iogpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndcapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klcjnl32.dll" Ohbikbkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjnpem32.dll" Gjifodii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inojhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njjkajop.dll" Kbmfgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnpkflne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceell32.dll" Qgmpibam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmpofck.dll" Demaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daadna32.dll" Hclfag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iahghfmb.dll" Hinbppna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofndb32.dll" Bjedmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mflgih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaejojjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fofbhgde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghacfmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imldmnjj.dll" Edlafebn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfomeb32.dll" Gojhafnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lclicpkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igbnok32.dll" Dadbdkld.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1484 wrote to memory of 1444 1484 b21025f6e381c09bdbccc118a3691308030ac3330c3393bf9fdda0d0488db92a.exe 30 PID 1484 wrote to memory of 1444 1484 b21025f6e381c09bdbccc118a3691308030ac3330c3393bf9fdda0d0488db92a.exe 30 PID 1484 wrote to memory of 1444 1484 b21025f6e381c09bdbccc118a3691308030ac3330c3393bf9fdda0d0488db92a.exe 30 PID 1484 wrote to memory of 1444 1484 b21025f6e381c09bdbccc118a3691308030ac3330c3393bf9fdda0d0488db92a.exe 30 PID 1444 wrote to memory of 2656 1444 Ibkkjp32.exe 31 PID 1444 wrote to memory of 2656 1444 Ibkkjp32.exe 31 PID 1444 wrote to memory of 2656 1444 Ibkkjp32.exe 31 PID 1444 wrote to memory of 2656 1444 Ibkkjp32.exe 31 PID 2656 wrote to memory of 1064 2656 Iiecgjba.exe 32 PID 2656 wrote to memory of 1064 2656 Iiecgjba.exe 32 PID 2656 wrote to memory of 1064 2656 Iiecgjba.exe 32 PID 2656 wrote to memory of 1064 2656 Iiecgjba.exe 32 PID 1064 wrote to memory of 2988 1064 Jabdql32.exe 33 PID 1064 wrote to memory of 2988 1064 Jabdql32.exe 33 PID 1064 wrote to memory of 2988 1064 Jabdql32.exe 33 PID 1064 wrote to memory of 2988 1064 Jabdql32.exe 33 PID 2988 wrote to memory of 2736 2988 Jofejpmc.exe 34 PID 2988 wrote to memory of 2736 2988 Jofejpmc.exe 34 PID 2988 wrote to memory of 2736 2988 Jofejpmc.exe 34 PID 2988 wrote to memory of 2736 2988 Jofejpmc.exe 34 PID 2736 wrote to memory of 2756 2736 Joiappkp.exe 35 PID 2736 wrote to memory of 2756 2736 Joiappkp.exe 35 PID 2736 wrote to memory of 2756 2736 Joiappkp.exe 35 PID 2736 wrote to memory of 2756 2736 Joiappkp.exe 35 PID 2756 wrote to memory of 2608 2756 Jgdfdbhk.exe 36 PID 2756 wrote to memory of 2608 2756 Jgdfdbhk.exe 36 PID 2756 wrote to memory of 2608 2756 Jgdfdbhk.exe 36 PID 2756 wrote to memory of 2608 2756 Jgdfdbhk.exe 36 PID 2608 wrote to memory of 2280 2608 Jnnnalph.exe 37 PID 2608 wrote to memory of 2280 2608 Jnnnalph.exe 37 PID 2608 wrote to memory of 2280 2608 Jnnnalph.exe 37 PID 2608 wrote to memory of 2280 2608 Jnnnalph.exe 37 PID 2280 wrote to memory of 2912 2280 Jgfcja32.exe 38 PID 2280 wrote to memory of 2912 2280 Jgfcja32.exe 38 PID 2280 wrote to memory of 2912 2280 Jgfcja32.exe 38 PID 2280 wrote to memory of 2912 2280 Jgfcja32.exe 38 PID 2912 wrote to memory of 1472 2912 Jnpkflne.exe 39 PID 2912 wrote to memory of 1472 2912 Jnpkflne.exe 39 PID 2912 wrote to memory of 1472 2912 Jnpkflne.exe 39 PID 2912 wrote to memory of 1472 2912 Jnpkflne.exe 39 PID 1472 wrote to memory of 808 1472 Kfkpknkq.exe 40 PID 1472 wrote to memory of 808 1472 Kfkpknkq.exe 40 PID 1472 wrote to memory of 808 1472 Kfkpknkq.exe 40 PID 1472 wrote to memory of 808 1472 Kfkpknkq.exe 40 PID 808 wrote to memory of 2012 808 Kcopdb32.exe 41 PID 808 wrote to memory of 2012 808 Kcopdb32.exe 41 PID 808 wrote to memory of 2012 808 Kcopdb32.exe 41 PID 808 wrote to memory of 2012 808 Kcopdb32.exe 41 PID 2012 wrote to memory of 2128 2012 Kpcqnf32.exe 42 PID 2012 wrote to memory of 2128 2012 Kpcqnf32.exe 42 PID 2012 wrote to memory of 2128 2012 Kpcqnf32.exe 42 PID 2012 wrote to memory of 2128 2012 Kpcqnf32.exe 42 PID 2128 wrote to memory of 1896 2128 Kjleflod.exe 43 PID 2128 wrote to memory of 1896 2128 Kjleflod.exe 43 PID 2128 wrote to memory of 1896 2128 Kjleflod.exe 43 PID 2128 wrote to memory of 1896 2128 Kjleflod.exe 43 PID 1896 wrote to memory of 1284 1896 Kbgjkn32.exe 44 PID 1896 wrote to memory of 1284 1896 Kbgjkn32.exe 44 PID 1896 wrote to memory of 1284 1896 Kbgjkn32.exe 44 PID 1896 wrote to memory of 1284 1896 Kbgjkn32.exe 44 PID 1284 wrote to memory of 2556 1284 Kkoncdcp.exe 45 PID 1284 wrote to memory of 2556 1284 Kkoncdcp.exe 45 PID 1284 wrote to memory of 2556 1284 Kkoncdcp.exe 45 PID 1284 wrote to memory of 2556 1284 Kkoncdcp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b21025f6e381c09bdbccc118a3691308030ac3330c3393bf9fdda0d0488db92a.exe"C:\Users\Admin\AppData\Local\Temp\b21025f6e381c09bdbccc118a3691308030ac3330c3393bf9fdda0d0488db92a.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:792 -
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1088 -
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Meabakda.exeC:\Windows\system32\Meabakda.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:308 -
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:344 -
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe27⤵
- Loads dropped DLL
PID:316 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2024 -
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:672 -
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe35⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe36⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe38⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe39⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe40⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe41⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe42⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe43⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe44⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe45⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe46⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Pkdihhag.exeC:\Windows\system32\Pkdihhag.exe47⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe48⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe50⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe51⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe52⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Qngopb32.exeC:\Windows\system32\Qngopb32.exe53⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe54⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe55⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1464 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe58⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe59⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Adfqgl32.exeC:\Windows\system32\Adfqgl32.exe60⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Agdmdg32.exeC:\Windows\system32\Agdmdg32.exe61⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe62⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Amaelomh.exeC:\Windows\system32\Amaelomh.exe63⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe64⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Aihfap32.exeC:\Windows\system32\Aihfap32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe66⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe67⤵PID:780
-
C:\Windows\SysWOW64\Amfognic.exeC:\Windows\system32\Amfognic.exe68⤵PID:852
-
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2532 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe70⤵PID:2940
-
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe71⤵PID:1544
-
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2008 -
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe73⤵PID:2316
-
C:\Windows\SysWOW64\Bkmhnjlh.exeC:\Windows\system32\Bkmhnjlh.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2476 -
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe75⤵PID:1312
-
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe76⤵PID:2664
-
C:\Windows\SysWOW64\Bkpeci32.exeC:\Windows\system32\Bkpeci32.exe77⤵PID:2296
-
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe78⤵PID:1060
-
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe79⤵PID:2084
-
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe80⤵PID:284
-
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe81⤵PID:648
-
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe82⤵PID:1560
-
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe83⤵
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe84⤵PID:1556
-
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe85⤵PID:3004
-
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe86⤵PID:2376
-
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe87⤵PID:2760
-
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe88⤵
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe89⤵PID:2972
-
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe90⤵PID:2616
-
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe91⤵PID:2672
-
C:\Windows\SysWOW64\Cfcijf32.exeC:\Windows\system32\Cfcijf32.exe92⤵PID:2588
-
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe93⤵PID:1528
-
C:\Windows\SysWOW64\Cnnnnh32.exeC:\Windows\system32\Cnnnnh32.exe94⤵PID:1592
-
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe95⤵PID:1548
-
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe96⤵PID:2992
-
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1824 -
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe98⤵PID:2540
-
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe99⤵PID:1396
-
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe100⤵PID:1184
-
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe101⤵PID:3020
-
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe102⤵PID:2724
-
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe103⤵
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe104⤵PID:2604
-
C:\Windows\SysWOW64\Deollamj.exeC:\Windows\system32\Deollamj.exe105⤵PID:2228
-
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe106⤵
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe107⤵
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe108⤵
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Dphmloih.exeC:\Windows\system32\Dphmloih.exe109⤵PID:1028
-
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe110⤵
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe111⤵PID:324
-
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe112⤵
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe113⤵PID:732
-
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe114⤵PID:1744
-
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe115⤵PID:1572
-
C:\Windows\SysWOW64\Eejopecj.exeC:\Windows\system32\Eejopecj.exe116⤵PID:1840
-
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe117⤵PID:2740
-
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe118⤵PID:2752
-
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe119⤵PID:2632
-
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe120⤵PID:3064
-
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe121⤵PID:1944
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-