Analysis
-
max time kernel
65s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
13/07/2024, 06:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
61821f7fc8506dd90e7b0608d84a1860N.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
61821f7fc8506dd90e7b0608d84a1860N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
61821f7fc8506dd90e7b0608d84a1860N.exe
-
Size
94KB
-
MD5
61821f7fc8506dd90e7b0608d84a1860
-
SHA1
aaa8eafd457ba3e4c34b07cbfcb7843fba23d270
-
SHA256
d4fd8e4eee3fc726e4e4741ee406c518a6b0647a2457f705d75acde52850edf0
-
SHA512
8f4ab107eb3cd76075af7bbbf2349846b50d7cf6dcb901ebfeac5fdf26edd87a120d2e4180fcdf036df539d800c728d0d956ab099811bda37b8265036c2cab63
-
SSDEEP
1536:0ASe4rUmr876+3ZLAgcL2WsN5HZpHf+AvC4/DUcTS33IUXX7BR9L4DT2EnINs:0K1mr877G2WE5HDX64DrSHIUXX6+ob
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odfjdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oicbma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peolmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehpgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdmjmenh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdgane32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afnfcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dglkba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggpmkgab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjfdcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klijjnen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mflgkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qggoeilh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbqhnqen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Midqiaih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qhdfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahoamplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilhnjfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqlbnnej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Peolmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhhblgim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcqcoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqkgbkdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjblcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgiibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dogpfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqkbkicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opmhqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khjkiikl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmapna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joenaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnikmnho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oicbma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hogddpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ciebdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgiomabc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmdpejgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lolpah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbfibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cogdhpkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kejahn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmjaadjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kldchgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgiomabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekpmad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjccbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpipkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnhobgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbolge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mncfgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmmlccfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cinahhff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljejgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofbikf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqmmhdka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Niilmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgiakjld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kneflplf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhlcnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebghkjjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liboodmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npcika32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahioobed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaeiqf32.exe -
Executes dropped EXE 64 IoCs
pid Process 2888 Iencdc32.exe 2948 Iofhmi32.exe 2976 Iainddpg.exe 2724 Jdjgfomh.exe 1636 Jjilde32.exe 1648 Jjkiie32.exe 280 Jcfjhj32.exe 752 Komjmk32.exe 2992 Kkckblgq.exe 2000 Kjihci32.exe 3044 Kmjaddii.exe 1148 Lcffgnnc.exe 1908 Liboodmk.exe 2664 Lckpbm32.exe 2068 Lighjd32.exe 276 Lkhalo32.exe 1696 Mecbjd32.exe 2608 Mcjlap32.exe 864 Mjddnjdf.exe 2576 Mdmhfpkg.exe 364 Npcika32.exe 2636 Nljjqbfp.exe 812 Ninjjf32.exe 1260 Nlocka32.exe 1752 Noplmlok.exe 1716 Okfmbm32.exe 2928 Opebpdad.exe 2956 Ophoecoa.exe 2920 Ocihgo32.exe 2732 Opmhqc32.exe 2808 Pkfiaqgk.exe 2816 Pcmabnhm.exe 2676 Penjdien.exe 3056 Pkmobp32.exe 1632 Pjblcl32.exe 1192 Qgiibp32.exe 2796 Amebjgai.exe 1920 Afnfcl32.exe 1044 Aofklbnj.exe 2076 Aeepjh32.exe 2212 Abiqcm32.exe 2392 Bfncbp32.exe 1504 Bacgohjk.exe 2432 Bgmolb32.exe 928 Bcdpacgl.exe 1308 Behinlkh.exe 2856 Cpmmkdkn.exe 2632 Ciebdj32.exe 1072 Cobjmq32.exe 2980 Cihojiok.exe 2160 Ceoooj32.exe 2936 Cogdhpkp.exe 2904 Chohqebq.exe 2812 Cmlqimph.exe 2008 Dkpabqoa.exe 2268 Dajiok32.exe 1620 Dalfdjdl.exe 1488 Dgiomabc.exe 3016 Dlfgehqk.exe 3024 Dglkba32.exe 2188 Dogpfc32.exe 2236 Eeceim32.exe 1616 Ekpmad32.exe 2484 Eeeanm32.exe -
Loads dropped DLL 64 IoCs
pid Process 2780 61821f7fc8506dd90e7b0608d84a1860N.exe 2780 61821f7fc8506dd90e7b0608d84a1860N.exe 2888 Iencdc32.exe 2888 Iencdc32.exe 2948 Iofhmi32.exe 2948 Iofhmi32.exe 2976 Iainddpg.exe 2976 Iainddpg.exe 2724 Jdjgfomh.exe 2724 Jdjgfomh.exe 1636 Jjilde32.exe 1636 Jjilde32.exe 1648 Jjkiie32.exe 1648 Jjkiie32.exe 280 Jcfjhj32.exe 280 Jcfjhj32.exe 752 Komjmk32.exe 752 Komjmk32.exe 2992 Kkckblgq.exe 2992 Kkckblgq.exe 2000 Kjihci32.exe 2000 Kjihci32.exe 3044 Kmjaddii.exe 3044 Kmjaddii.exe 1148 Lcffgnnc.exe 1148 Lcffgnnc.exe 1908 Liboodmk.exe 1908 Liboodmk.exe 2664 Lckpbm32.exe 2664 Lckpbm32.exe 2068 Lighjd32.exe 2068 Lighjd32.exe 276 Lkhalo32.exe 276 Lkhalo32.exe 1696 Mecbjd32.exe 1696 Mecbjd32.exe 2608 Mcjlap32.exe 2608 Mcjlap32.exe 864 Mjddnjdf.exe 864 Mjddnjdf.exe 2576 Mdmhfpkg.exe 2576 Mdmhfpkg.exe 364 Npcika32.exe 364 Npcika32.exe 2636 Nljjqbfp.exe 2636 Nljjqbfp.exe 812 Ninjjf32.exe 812 Ninjjf32.exe 1260 Nlocka32.exe 1260 Nlocka32.exe 1752 Noplmlok.exe 1752 Noplmlok.exe 1716 Okfmbm32.exe 1716 Okfmbm32.exe 2928 Opebpdad.exe 2928 Opebpdad.exe 2956 Ophoecoa.exe 2956 Ophoecoa.exe 2920 Ocihgo32.exe 2920 Ocihgo32.exe 2732 Opmhqc32.exe 2732 Opmhqc32.exe 2808 Pkfiaqgk.exe 2808 Pkfiaqgk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Liboodmk.exe Lcffgnnc.exe File opened for modification C:\Windows\SysWOW64\Lkhalo32.exe Lighjd32.exe File created C:\Windows\SysWOW64\Licpdaeg.dll Mdeaim32.exe File created C:\Windows\SysWOW64\Djpmocdn.dll Lkccob32.exe File opened for modification C:\Windows\SysWOW64\Okfmbm32.exe Noplmlok.exe File created C:\Windows\SysWOW64\Dajiok32.exe Dkpabqoa.exe File created C:\Windows\SysWOW64\Ebhkaa32.dll Achikonn.exe File created C:\Windows\SysWOW64\Okoefg32.dll Ohhcokmp.exe File opened for modification C:\Windows\SysWOW64\Pejcab32.exe Oicbma32.exe File opened for modification C:\Windows\SysWOW64\Fdmjmenh.exe Fhfihd32.exe File created C:\Windows\SysWOW64\Nlpcafgp.dll Lhddjngm.exe File created C:\Windows\SysWOW64\Cnogmk32.exe Bgcbja32.exe File created C:\Windows\SysWOW64\Bomink32.dll Idepdhia.exe File created C:\Windows\SysWOW64\Ekaeoj32.dll Pddinn32.exe File opened for modification C:\Windows\SysWOW64\Ebghkjjc.exe Ehbcnajn.exe File created C:\Windows\SysWOW64\Oakmlgcg.dll Fhfihd32.exe File created C:\Windows\SysWOW64\Ldepenep.dll Kejahn32.exe File created C:\Windows\SysWOW64\Pmkkpm32.dll Kldchgag.exe File created C:\Windows\SysWOW64\Kjihci32.exe Kkckblgq.exe File created C:\Windows\SysWOW64\Aeepjh32.exe Aofklbnj.exe File opened for modification C:\Windows\SysWOW64\Fbqhnqen.exe Fmdpejgf.exe File created C:\Windows\SysWOW64\Aopdeh32.dll Kcllfi32.exe File created C:\Windows\SysWOW64\Gckdggfq.dll Lojclibo.exe File opened for modification C:\Windows\SysWOW64\Bgmolb32.exe Bacgohjk.exe File created C:\Windows\SysWOW64\Difplf32.exe Dajlhc32.exe File created C:\Windows\SysWOW64\Mpnifkae.exe Midqiaih.exe File opened for modification C:\Windows\SysWOW64\Nlmiojla.exe Nbddfe32.exe File created C:\Windows\SysWOW64\Bcdbjl32.exe Bfqaph32.exe File opened for modification C:\Windows\SysWOW64\Gnmdfi32.exe Gddpndhp.exe File created C:\Windows\SysWOW64\Ofmhcg32.dll Jhndcd32.exe File created C:\Windows\SysWOW64\Fbqhnqen.exe Fmdpejgf.exe File opened for modification C:\Windows\SysWOW64\Pjpicfdb.exe Pojdem32.exe File created C:\Windows\SysWOW64\Anfggicl.exe Ahioobed.exe File created C:\Windows\SysWOW64\Ocihgo32.exe Ophoecoa.exe File opened for modification C:\Windows\SysWOW64\Amebjgai.exe Qgiibp32.exe File opened for modification C:\Windows\SysWOW64\Oafhmf32.exe Ohncdp32.exe File created C:\Windows\SysWOW64\Ooffmafi.dll Hminbkql.exe File opened for modification C:\Windows\SysWOW64\Jmbnhm32.exe Jdjioh32.exe File opened for modification C:\Windows\SysWOW64\Imkqmh32.exe Ipgpcc32.exe File created C:\Windows\SysWOW64\Mmkcoq32.exe Mqdbjp32.exe File created C:\Windows\SysWOW64\Pjplmhdo.dll Qgdbpi32.exe File created C:\Windows\SysWOW64\Edpbkipf.dll 61821f7fc8506dd90e7b0608d84a1860N.exe File created C:\Windows\SysWOW64\Dmqddn32.dll Lcffgnnc.exe File created C:\Windows\SysWOW64\Ejegcc32.dll Opebpdad.exe File opened for modification C:\Windows\SysWOW64\Cmlqimph.exe Chohqebq.exe File opened for modification C:\Windows\SysWOW64\Ahioobed.exe Afkccffq.exe File created C:\Windows\SysWOW64\Ahllda32.exe Anfggicl.exe File created C:\Windows\SysWOW64\Ehbcnajn.exe Ehpgha32.exe File created C:\Windows\SysWOW64\Fhdaigqo.dll Bcdpacgl.exe File created C:\Windows\SysWOW64\Iadnon32.exe Ihkifi32.exe File created C:\Windows\SysWOW64\Fhncfgdj.dll Iadnon32.exe File created C:\Windows\SysWOW64\Chapbi32.dll Afkccffq.exe File created C:\Windows\SysWOW64\Fqnhcgma.exe Fplknh32.exe File opened for modification C:\Windows\SysWOW64\Qggoeilh.exe Qpmgho32.exe File created C:\Windows\SysWOW64\Bpfioeef.dll Ehbcnajn.exe File created C:\Windows\SysWOW64\Fgpalcog.exe Ekgcbcke.exe File opened for modification C:\Windows\SysWOW64\Lgiakjld.exe Lbmicc32.exe File created C:\Windows\SysWOW64\Pnalga32.dll Qoonqmqf.exe File created C:\Windows\SysWOW64\Biiqmd32.dll Hbafel32.exe File opened for modification C:\Windows\SysWOW64\Ekjikadb.exe Eocieq32.exe File created C:\Windows\SysWOW64\Oelcho32.exe Ohhcokmp.exe File opened for modification C:\Windows\SysWOW64\Ofbikf32.exe Oaeacppk.exe File opened for modification C:\Windows\SysWOW64\Inajql32.exe Iclfccmq.exe File created C:\Windows\SysWOW64\Cobjmq32.exe Ciebdj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5052 2332 WerFault.exe 388 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oibiaa32.dll" Hehconob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobjghoh.dll" Klamohhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oaeacppk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdmlljbm.dll" Jdjgfomh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibgglfdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lddoopbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbddfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Conpdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liecfhhf.dll" Lolpah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mqdbjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbmebgpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjpicfdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qfifmghc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idepdhia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbolge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcododfd.dll" Olgboogb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iglkoaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjblcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okolfkjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkcfak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iaipmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlmiojla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icnbic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnikmnho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdjioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfedlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjbemm32.dll" Neemgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nljjqbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnmjempn.dll" Lddoopbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhnjdfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofmiea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdjgfomh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knmghb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhlapc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lflklaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njdbefnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmjaddii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjccbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gamkol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemlfm32.dll" Joqdfghn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpbaf32.dll" Papkcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcbjon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipgpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddacacc.dll" Jcfjhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pglclk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekjikadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjchgpap.dll" Npdkdjhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pddinn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Behinlkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmbnhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llloeb32.dll" Gaajfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkpaoape.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmmiaknb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Joqdfghn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfmmanif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epljpl32.dll" Iclfccmq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojdlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hemjiblk.dll" Nmmlccfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pglclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhnpob32.dll" Hgbhibio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phnkdd32.dll" Fplknh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghmohcbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofmiea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjfdcc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2780 wrote to memory of 2888 2780 61821f7fc8506dd90e7b0608d84a1860N.exe 30 PID 2780 wrote to memory of 2888 2780 61821f7fc8506dd90e7b0608d84a1860N.exe 30 PID 2780 wrote to memory of 2888 2780 61821f7fc8506dd90e7b0608d84a1860N.exe 30 PID 2780 wrote to memory of 2888 2780 61821f7fc8506dd90e7b0608d84a1860N.exe 30 PID 2888 wrote to memory of 2948 2888 Iencdc32.exe 31 PID 2888 wrote to memory of 2948 2888 Iencdc32.exe 31 PID 2888 wrote to memory of 2948 2888 Iencdc32.exe 31 PID 2888 wrote to memory of 2948 2888 Iencdc32.exe 31 PID 2948 wrote to memory of 2976 2948 Iofhmi32.exe 32 PID 2948 wrote to memory of 2976 2948 Iofhmi32.exe 32 PID 2948 wrote to memory of 2976 2948 Iofhmi32.exe 32 PID 2948 wrote to memory of 2976 2948 Iofhmi32.exe 32 PID 2976 wrote to memory of 2724 2976 Iainddpg.exe 33 PID 2976 wrote to memory of 2724 2976 Iainddpg.exe 33 PID 2976 wrote to memory of 2724 2976 Iainddpg.exe 33 PID 2976 wrote to memory of 2724 2976 Iainddpg.exe 33 PID 2724 wrote to memory of 1636 2724 Jdjgfomh.exe 34 PID 2724 wrote to memory of 1636 2724 Jdjgfomh.exe 34 PID 2724 wrote to memory of 1636 2724 Jdjgfomh.exe 34 PID 2724 wrote to memory of 1636 2724 Jdjgfomh.exe 34 PID 1636 wrote to memory of 1648 1636 Jjilde32.exe 35 PID 1636 wrote to memory of 1648 1636 Jjilde32.exe 35 PID 1636 wrote to memory of 1648 1636 Jjilde32.exe 35 PID 1636 wrote to memory of 1648 1636 Jjilde32.exe 35 PID 1648 wrote to memory of 280 1648 Jjkiie32.exe 36 PID 1648 wrote to memory of 280 1648 Jjkiie32.exe 36 PID 1648 wrote to memory of 280 1648 Jjkiie32.exe 36 PID 1648 wrote to memory of 280 1648 Jjkiie32.exe 36 PID 280 wrote to memory of 752 280 Jcfjhj32.exe 37 PID 280 wrote to memory of 752 280 Jcfjhj32.exe 37 PID 280 wrote to memory of 752 280 Jcfjhj32.exe 37 PID 280 wrote to memory of 752 280 Jcfjhj32.exe 37 PID 752 wrote to memory of 2992 752 Komjmk32.exe 38 PID 752 wrote to memory of 2992 752 Komjmk32.exe 38 PID 752 wrote to memory of 2992 752 Komjmk32.exe 38 PID 752 wrote to memory of 2992 752 Komjmk32.exe 38 PID 2992 wrote to memory of 2000 2992 Kkckblgq.exe 39 PID 2992 wrote to memory of 2000 2992 Kkckblgq.exe 39 PID 2992 wrote to memory of 2000 2992 Kkckblgq.exe 39 PID 2992 wrote to memory of 2000 2992 Kkckblgq.exe 39 PID 2000 wrote to memory of 3044 2000 Kjihci32.exe 40 PID 2000 wrote to memory of 3044 2000 Kjihci32.exe 40 PID 2000 wrote to memory of 3044 2000 Kjihci32.exe 40 PID 2000 wrote to memory of 3044 2000 Kjihci32.exe 40 PID 3044 wrote to memory of 1148 3044 Kmjaddii.exe 41 PID 3044 wrote to memory of 1148 3044 Kmjaddii.exe 41 PID 3044 wrote to memory of 1148 3044 Kmjaddii.exe 41 PID 3044 wrote to memory of 1148 3044 Kmjaddii.exe 41 PID 1148 wrote to memory of 1908 1148 Lcffgnnc.exe 42 PID 1148 wrote to memory of 1908 1148 Lcffgnnc.exe 42 PID 1148 wrote to memory of 1908 1148 Lcffgnnc.exe 42 PID 1148 wrote to memory of 1908 1148 Lcffgnnc.exe 42 PID 1908 wrote to memory of 2664 1908 Liboodmk.exe 43 PID 1908 wrote to memory of 2664 1908 Liboodmk.exe 43 PID 1908 wrote to memory of 2664 1908 Liboodmk.exe 43 PID 1908 wrote to memory of 2664 1908 Liboodmk.exe 43 PID 2664 wrote to memory of 2068 2664 Lckpbm32.exe 44 PID 2664 wrote to memory of 2068 2664 Lckpbm32.exe 44 PID 2664 wrote to memory of 2068 2664 Lckpbm32.exe 44 PID 2664 wrote to memory of 2068 2664 Lckpbm32.exe 44 PID 2068 wrote to memory of 276 2068 Lighjd32.exe 45 PID 2068 wrote to memory of 276 2068 Lighjd32.exe 45 PID 2068 wrote to memory of 276 2068 Lighjd32.exe 45 PID 2068 wrote to memory of 276 2068 Lighjd32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\61821f7fc8506dd90e7b0608d84a1860N.exe"C:\Users\Admin\AppData\Local\Temp\61821f7fc8506dd90e7b0608d84a1860N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Iencdc32.exeC:\Windows\system32\Iencdc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Iofhmi32.exeC:\Windows\system32\Iofhmi32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Iainddpg.exeC:\Windows\system32\Iainddpg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Jdjgfomh.exeC:\Windows\system32\Jdjgfomh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Jjilde32.exeC:\Windows\system32\Jjilde32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Jjkiie32.exeC:\Windows\system32\Jjkiie32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Jcfjhj32.exeC:\Windows\system32\Jcfjhj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:280 -
C:\Windows\SysWOW64\Komjmk32.exeC:\Windows\system32\Komjmk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\Kkckblgq.exeC:\Windows\system32\Kkckblgq.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Kjihci32.exeC:\Windows\system32\Kjihci32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Kmjaddii.exeC:\Windows\system32\Kmjaddii.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Lcffgnnc.exeC:\Windows\system32\Lcffgnnc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Liboodmk.exeC:\Windows\system32\Liboodmk.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Lckpbm32.exeC:\Windows\system32\Lckpbm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Lighjd32.exeC:\Windows\system32\Lighjd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Lkhalo32.exeC:\Windows\system32\Lkhalo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:276 -
C:\Windows\SysWOW64\Mecbjd32.exeC:\Windows\system32\Mecbjd32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Mcjlap32.exeC:\Windows\system32\Mcjlap32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Mjddnjdf.exeC:\Windows\system32\Mjddnjdf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Mdmhfpkg.exeC:\Windows\system32\Mdmhfpkg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Npcika32.exeC:\Windows\system32\Npcika32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:364 -
C:\Windows\SysWOW64\Nljjqbfp.exeC:\Windows\system32\Nljjqbfp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Ninjjf32.exeC:\Windows\system32\Ninjjf32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:812 -
C:\Windows\SysWOW64\Nlocka32.exeC:\Windows\system32\Nlocka32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1260 -
C:\Windows\SysWOW64\Noplmlok.exeC:\Windows\system32\Noplmlok.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Okfmbm32.exeC:\Windows\system32\Okfmbm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Opebpdad.exeC:\Windows\system32\Opebpdad.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Ophoecoa.exeC:\Windows\system32\Ophoecoa.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Ocihgo32.exeC:\Windows\system32\Ocihgo32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2920 -
C:\Windows\SysWOW64\Opmhqc32.exeC:\Windows\system32\Opmhqc32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Pkfiaqgk.exeC:\Windows\system32\Pkfiaqgk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Pcmabnhm.exeC:\Windows\system32\Pcmabnhm.exe33⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Penjdien.exeC:\Windows\system32\Penjdien.exe34⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Pkmobp32.exeC:\Windows\system32\Pkmobp32.exe35⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Pjblcl32.exeC:\Windows\system32\Pjblcl32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Qgiibp32.exeC:\Windows\system32\Qgiibp32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1192 -
C:\Windows\SysWOW64\Amebjgai.exeC:\Windows\system32\Amebjgai.exe38⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Afnfcl32.exeC:\Windows\system32\Afnfcl32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Aofklbnj.exeC:\Windows\system32\Aofklbnj.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Aeepjh32.exeC:\Windows\system32\Aeepjh32.exe41⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Abiqcm32.exeC:\Windows\system32\Abiqcm32.exe42⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Bfncbp32.exeC:\Windows\system32\Bfncbp32.exe43⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Bacgohjk.exeC:\Windows\system32\Bacgohjk.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Bgmolb32.exeC:\Windows\system32\Bgmolb32.exe45⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Bcdpacgl.exeC:\Windows\system32\Bcdpacgl.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:928 -
C:\Windows\SysWOW64\Behinlkh.exeC:\Windows\system32\Behinlkh.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Cpmmkdkn.exeC:\Windows\system32\Cpmmkdkn.exe48⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Ciebdj32.exeC:\Windows\system32\Ciebdj32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Cobjmq32.exeC:\Windows\system32\Cobjmq32.exe50⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Cihojiok.exeC:\Windows\system32\Cihojiok.exe51⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Ceoooj32.exeC:\Windows\system32\Ceoooj32.exe52⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Cogdhpkp.exeC:\Windows\system32\Cogdhpkp.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Chohqebq.exeC:\Windows\system32\Chohqebq.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Cmlqimph.exeC:\Windows\system32\Cmlqimph.exe55⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Dkpabqoa.exeC:\Windows\system32\Dkpabqoa.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Dajiok32.exeC:\Windows\system32\Dajiok32.exe57⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Dalfdjdl.exeC:\Windows\system32\Dalfdjdl.exe58⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Dgiomabc.exeC:\Windows\system32\Dgiomabc.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Dlfgehqk.exeC:\Windows\system32\Dlfgehqk.exe60⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Dglkba32.exeC:\Windows\system32\Dglkba32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Dogpfc32.exeC:\Windows\system32\Dogpfc32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Eeceim32.exeC:\Windows\system32\Eeceim32.exe63⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Ekpmad32.exeC:\Windows\system32\Ekpmad32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Eeeanm32.exeC:\Windows\system32\Eeeanm32.exe65⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Elpjkgip.exeC:\Windows\system32\Elpjkgip.exe66⤵PID:2380
-
C:\Windows\SysWOW64\Enqfco32.exeC:\Windows\system32\Enqfco32.exe67⤵PID:1100
-
C:\Windows\SysWOW64\Ekdglcmh.exeC:\Windows\system32\Ekdglcmh.exe68⤵PID:1588
-
C:\Windows\SysWOW64\Eaooin32.exeC:\Windows\system32\Eaooin32.exe69⤵PID:876
-
C:\Windows\SysWOW64\Ekgcbcke.exeC:\Windows\system32\Ekgcbcke.exe70⤵
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Fgpalcog.exeC:\Windows\system32\Fgpalcog.exe71⤵PID:2844
-
C:\Windows\SysWOW64\Fqkbkicd.exeC:\Windows\system32\Fqkbkicd.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:676 -
C:\Windows\SysWOW64\Fhfgokap.exeC:\Windows\system32\Fhfgokap.exe73⤵PID:2356
-
C:\Windows\SysWOW64\Ffjghppi.exeC:\Windows\system32\Ffjghppi.exe74⤵PID:2768
-
C:\Windows\SysWOW64\Fmdpejgf.exeC:\Windows\system32\Fmdpejgf.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Fbqhnqen.exeC:\Windows\system32\Fbqhnqen.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1880 -
C:\Windows\SysWOW64\Gngiba32.exeC:\Windows\system32\Gngiba32.exe77⤵PID:1152
-
C:\Windows\SysWOW64\Gimmpj32.exeC:\Windows\system32\Gimmpj32.exe78⤵PID:1836
-
C:\Windows\SysWOW64\Ggpmkgab.exeC:\Windows\system32\Ggpmkgab.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:588 -
C:\Windows\SysWOW64\Gcgnphgf.exeC:\Windows\system32\Gcgnphgf.exe80⤵PID:2216
-
C:\Windows\SysWOW64\Gefjjk32.exeC:\Windows\system32\Gefjjk32.exe81⤵PID:2240
-
C:\Windows\SysWOW64\Gjccbb32.exeC:\Windows\system32\Gjccbb32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Gamkol32.exeC:\Windows\system32\Gamkol32.exe83⤵
- Modifies registry class
PID:1448 -
C:\Windows\SysWOW64\Hmdldmja.exeC:\Windows\system32\Hmdldmja.exe84⤵PID:2120
-
C:\Windows\SysWOW64\Hflpmb32.exeC:\Windows\system32\Hflpmb32.exe85⤵PID:1832
-
C:\Windows\SysWOW64\Hpdefh32.exeC:\Windows\system32\Hpdefh32.exe86⤵PID:2588
-
C:\Windows\SysWOW64\Heamno32.exeC:\Windows\system32\Heamno32.exe87⤵PID:1068
-
C:\Windows\SysWOW64\Hnjagdlj.exeC:\Windows\system32\Hnjagdlj.exe88⤵PID:1240
-
C:\Windows\SysWOW64\Hecjco32.exeC:\Windows\system32\Hecjco32.exe89⤵PID:2932
-
C:\Windows\SysWOW64\Hajkip32.exeC:\Windows\system32\Hajkip32.exe90⤵PID:2900
-
C:\Windows\SysWOW64\Hhdcejph.exeC:\Windows\system32\Hhdcejph.exe91⤵PID:2868
-
C:\Windows\SysWOW64\Hehconob.exeC:\Windows\system32\Hehconob.exe92⤵
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Idnppjcj.exeC:\Windows\system32\Idnppjcj.exe93⤵PID:2924
-
C:\Windows\SysWOW64\Ihkifi32.exeC:\Windows\system32\Ihkifi32.exe94⤵
- Drops file in System32 directory
PID:1036 -
C:\Windows\SysWOW64\Iadnon32.exeC:\Windows\system32\Iadnon32.exe95⤵
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Ibgglfdl.exeC:\Windows\system32\Ibgglfdl.exe96⤵
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Immkiodb.exeC:\Windows\system32\Immkiodb.exe97⤵PID:1928
-
C:\Windows\SysWOW64\Jhfljm32.exeC:\Windows\system32\Jhfljm32.exe98⤵PID:2136
-
C:\Windows\SysWOW64\Joqdfghn.exeC:\Windows\system32\Joqdfghn.exe99⤵
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Jcnmme32.exeC:\Windows\system32\Jcnmme32.exe100⤵PID:2656
-
C:\Windows\SysWOW64\Jemiiqmh.exeC:\Windows\system32\Jemiiqmh.exe101⤵PID:2468
-
C:\Windows\SysWOW64\Jlgaek32.exeC:\Windows\system32\Jlgaek32.exe102⤵PID:2616
-
C:\Windows\SysWOW64\Joenaf32.exeC:\Windows\system32\Joenaf32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2836 -
C:\Windows\SysWOW64\Jgpbfh32.exeC:\Windows\system32\Jgpbfh32.exe104⤵PID:2824
-
C:\Windows\SysWOW64\Jogjgf32.exeC:\Windows\system32\Jogjgf32.exe105⤵PID:2772
-
C:\Windows\SysWOW64\Jaffca32.exeC:\Windows\system32\Jaffca32.exe106⤵PID:2740
-
C:\Windows\SysWOW64\Jgbolhoa.exeC:\Windows\system32\Jgbolhoa.exe107⤵PID:936
-
C:\Windows\SysWOW64\Knmghb32.exeC:\Windows\system32\Knmghb32.exe108⤵
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Kdgoelnk.exeC:\Windows\system32\Kdgoelnk.exe109⤵PID:2472
-
C:\Windows\SysWOW64\Kcllfi32.exeC:\Windows\system32\Kcllfi32.exe110⤵
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Kjfdcc32.exeC:\Windows\system32\Kjfdcc32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Kobmkj32.exeC:\Windows\system32\Kobmkj32.exe112⤵PID:1528
-
C:\Windows\SysWOW64\Kpbiempj.exeC:\Windows\system32\Kpbiempj.exe113⤵PID:1932
-
C:\Windows\SysWOW64\Kfobmc32.exeC:\Windows\system32\Kfobmc32.exe114⤵PID:1612
-
C:\Windows\SysWOW64\Klijjnen.exeC:\Windows\system32\Klijjnen.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2952 -
C:\Windows\SysWOW64\Kccbgh32.exeC:\Windows\system32\Kccbgh32.exe116⤵PID:2964
-
C:\Windows\SysWOW64\Lddoopbi.exeC:\Windows\system32\Lddoopbi.exe117⤵
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Lojclibo.exeC:\Windows\system32\Lojclibo.exe118⤵
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Lolpah32.exeC:\Windows\system32\Lolpah32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Lhddjngm.exeC:\Windows\system32\Lhddjngm.exe120⤵
- Drops file in System32 directory
PID:564 -
C:\Windows\SysWOW64\Lbmicc32.exeC:\Windows\system32\Lbmicc32.exe121⤵
- Drops file in System32 directory
PID:2172
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-