Analysis
-
max time kernel
118s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
22/07/2024, 13:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b506f48c923c24289a1fd71425408d50N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
b506f48c923c24289a1fd71425408d50N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
b506f48c923c24289a1fd71425408d50N.exe
-
Size
101KB
-
MD5
b506f48c923c24289a1fd71425408d50
-
SHA1
93d2fd3d0d6181bc74f3b3e83632ae61860d6536
-
SHA256
be33173cf57789b9e3df1752b885dbdfa6f99e21798077ced4190c0cb529f113
-
SHA512
b7818ccfff227ff22c2ec90bcd65a571dc2ece39ac59b8d14f78da7662ee2c4893945c3bc99765e67ee01b6ae1094ef82c07c30ffb678ef43e94ac9aa1a78f39
-
SSDEEP
3072:WgSTsN3QM3BduXqbyu0sY7q5AnrHY4vDX:YR4W853Anr44vDX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpopnejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmecmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkifdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocmim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nemhhpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdlggg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjamgmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcjeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dahifbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mimgeigj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjjdacik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cllkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdpldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddiibc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipehmebh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehlkhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlcibc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omklkkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdpkbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oopijc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baojapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opifnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdmnam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpfdhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enfgfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odedge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpegcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoompl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olkfmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqejbiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Napbjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckolek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmeolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfebambf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iedfqeka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obokcqhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgoime32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdbahpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffkoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpphhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooclji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddblgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfhcoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iahkpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfkloq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhgnge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgmeid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clbnhmjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdonhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eogmcjef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opqoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knhhaaki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeidgbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehkhaqpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Becpap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcibc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ancefgfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhejnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njdqka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aobnniji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbdlkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cacclpae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgbeiiqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmhkmm32.exe -
Executes dropped EXE 64 IoCs
pid Process 2796 Jfcqgpfi.exe 2836 Jhamckel.exe 2628 Jajala32.exe 2644 Jhdihkcj.exe 2720 Jonbee32.exe 2356 Jdkjnl32.exe 1680 Jhffnk32.exe 760 Jkebjf32.exe 1164 Kncofa32.exe 1728 Kfjggo32.exe 564 Kglcogeo.exe 2660 Kkgopf32.exe 272 Kbaglpee.exe 2200 Kdpcikdi.exe 3048 Kgnpeg32.exe 2176 Kkileele.exe 1744 Knhhaaki.exe 2328 Kbcdbp32.exe 956 Kdbpnk32.exe 1860 Kgpmjf32.exe 1584 Kklikejc.exe 960 Kjoifb32.exe 2376 Kmmebm32.exe 2392 Kqiaclhj.exe 3028 Kddmdk32.exe 2740 Kgbipf32.exe 2752 Kjaelaok.exe 2856 Kmobhmnn.exe 2824 Kcijeg32.exe 2712 Ljcbaamh.exe 2676 Lopkjhko.exe 648 Lfjcfb32.exe 1292 Ljfogake.exe 576 Lkgkoiqc.exe 1312 Lflplbpi.exe 1896 Liklhmom.exe 1548 Lkihdioa.exe 1288 Lbcpac32.exe 1052 Liminmmk.exe 2076 Lklejh32.exe 2456 Lbemfbdk.exe 1704 Lahmbo32.exe 2484 Llnaoh32.exe 276 Lnlnlc32.exe 2404 Meffhnal.exe 1956 Mgebdipp.exe 2904 Mlpneh32.exe 2128 Meicnm32.exe 1708 Mclcijfd.exe 2428 Mfjoeeeh.exe 2832 Mnaggcej.exe 2732 Mapccndn.exe 3032 Mcnpojca.exe 2648 Mjhhld32.exe 2640 Mikhgqbi.exe 2264 Mabphn32.exe 1996 Mdpldi32.exe 1732 Mjjdacik.exe 2004 Mimemp32.exe 1436 Mmhamoho.exe 1724 Mpgmijgc.exe 1048 Mdbiji32.exe 1280 Mbeiefff.exe 2400 Mioabp32.exe -
Loads dropped DLL 64 IoCs
pid Process 2092 b506f48c923c24289a1fd71425408d50N.exe 2092 b506f48c923c24289a1fd71425408d50N.exe 2796 Jfcqgpfi.exe 2796 Jfcqgpfi.exe 2836 Jhamckel.exe 2836 Jhamckel.exe 2628 Jajala32.exe 2628 Jajala32.exe 2644 Jhdihkcj.exe 2644 Jhdihkcj.exe 2720 Jonbee32.exe 2720 Jonbee32.exe 2356 Jdkjnl32.exe 2356 Jdkjnl32.exe 1680 Jhffnk32.exe 1680 Jhffnk32.exe 760 Jkebjf32.exe 760 Jkebjf32.exe 1164 Kncofa32.exe 1164 Kncofa32.exe 1728 Kfjggo32.exe 1728 Kfjggo32.exe 564 Kglcogeo.exe 564 Kglcogeo.exe 2660 Kkgopf32.exe 2660 Kkgopf32.exe 272 Kbaglpee.exe 272 Kbaglpee.exe 2200 Kdpcikdi.exe 2200 Kdpcikdi.exe 3048 Kgnpeg32.exe 3048 Kgnpeg32.exe 2176 Kkileele.exe 2176 Kkileele.exe 1744 Knhhaaki.exe 1744 Knhhaaki.exe 2328 Kbcdbp32.exe 2328 Kbcdbp32.exe 956 Kdbpnk32.exe 956 Kdbpnk32.exe 1860 Kgpmjf32.exe 1860 Kgpmjf32.exe 1584 Kklikejc.exe 1584 Kklikejc.exe 960 Kjoifb32.exe 960 Kjoifb32.exe 2376 Kmmebm32.exe 2376 Kmmebm32.exe 2392 Kqiaclhj.exe 2392 Kqiaclhj.exe 3028 Kddmdk32.exe 3028 Kddmdk32.exe 2740 Kgbipf32.exe 2740 Kgbipf32.exe 2752 Kjaelaok.exe 2752 Kjaelaok.exe 2856 Kmobhmnn.exe 2856 Kmobhmnn.exe 2824 Kcijeg32.exe 2824 Kcijeg32.exe 2712 Ljcbaamh.exe 2712 Ljcbaamh.exe 2676 Lopkjhko.exe 2676 Lopkjhko.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Opaebkmc.exe Omcifpnp.exe File created C:\Windows\SysWOW64\Cihifg32.dll Ihglhp32.exe File created C:\Windows\SysWOW64\Hnkion32.exe Hllmcc32.exe File created C:\Windows\SysWOW64\Ohpbbo32.dll Jdejhfig.exe File opened for modification C:\Windows\SysWOW64\Dhbhmb32.exe Diphbfdi.exe File created C:\Windows\SysWOW64\Hnaldfli.dll Ednbncmb.exe File created C:\Windows\SysWOW64\Liihgqil.dll Gjojef32.exe File opened for modification C:\Windows\SysWOW64\Pdgmlhha.exe Pplaki32.exe File opened for modification C:\Windows\SysWOW64\Nbhfke32.exe Npijoj32.exe File created C:\Windows\SysWOW64\Fmanal32.dll Diibag32.exe File created C:\Windows\SysWOW64\Nmfqgbmm.exe Nkegeg32.exe File created C:\Windows\SysWOW64\Opplolac.exe Ohidmoaa.exe File opened for modification C:\Windows\SysWOW64\Olmcchlg.exe Oioggmmc.exe File opened for modification C:\Windows\SysWOW64\Bgffhkoj.exe Behilopf.exe File created C:\Windows\SysWOW64\Jeecim32.dll Ghdgfbkl.exe File created C:\Windows\SysWOW64\Goiebopf.dll Iihiphln.exe File opened for modification C:\Windows\SysWOW64\Kgpmjf32.exe Kdbpnk32.exe File created C:\Windows\SysWOW64\Lfjcfb32.exe Lopkjhko.exe File created C:\Windows\SysWOW64\Pafdjmkq.exe Pohhna32.exe File created C:\Windows\SysWOW64\Bqijljfd.exe Bnknoogp.exe File opened for modification C:\Windows\SysWOW64\Mbhlek32.exe Mjaddn32.exe File created C:\Windows\SysWOW64\Npbdcgjh.dll Nlcibc32.exe File opened for modification C:\Windows\SysWOW64\Bnqned32.exe Bjebdfnn.exe File created C:\Windows\SysWOW64\Jioopgef.exe Jedcpi32.exe File created C:\Windows\SysWOW64\Mcjhmcok.exe Mqklqhpg.exe File opened for modification C:\Windows\SysWOW64\Lomgjb32.exe Kgfoie32.exe File opened for modification C:\Windows\SysWOW64\Panaeb32.exe Popeif32.exe File created C:\Windows\SysWOW64\Nmnaak32.dll Klehgh32.exe File opened for modification C:\Windows\SysWOW64\Gcgnnlle.exe Gkpfmnlb.exe File created C:\Windows\SysWOW64\Ejgccq32.dll Ajeeeblb.exe File opened for modification C:\Windows\SysWOW64\Behilopf.exe Bbjmpcab.exe File opened for modification C:\Windows\SysWOW64\Ijnbcmkk.exe Illbhp32.exe File created C:\Windows\SysWOW64\Jialfgcc.exe Jefpeh32.exe File created C:\Windows\SysWOW64\Kdklfe32.exe Jehlkhig.exe File created C:\Windows\SysWOW64\Knmdeioh.exe Kffldlne.exe File created C:\Windows\SysWOW64\Obidifcn.dll Qogbdl32.exe File created C:\Windows\SysWOW64\Nilpge32.dll Pjcmap32.exe File created C:\Windows\SysWOW64\Opihgfop.exe Omklkkpl.exe File created C:\Windows\SysWOW64\Ghmekc32.dll Iaeegh32.exe File created C:\Windows\SysWOW64\Coglpp32.dll Gepafc32.exe File created C:\Windows\SysWOW64\Bkdbhahq.dll Klpdaf32.exe File created C:\Windows\SysWOW64\Lgehno32.exe Lcjlnpmo.exe File created C:\Windows\SysWOW64\Lfoojj32.exe Lnhgim32.exe File created C:\Windows\SysWOW64\Pofkha32.exe Plgolf32.exe File created C:\Windows\SysWOW64\Mogdonoc.dll Mfjoeeeh.exe File created C:\Windows\SysWOW64\Bhdbmf32.dll Qfonkfqd.exe File opened for modification C:\Windows\SysWOW64\Cchbgi32.exe Ceebklai.exe File created C:\Windows\SysWOW64\Qeppdo32.exe Qgmpibam.exe File created C:\Windows\SysWOW64\Komjgdhc.dll Adlcfjgh.exe File created C:\Windows\SysWOW64\Jdhfppnm.dll Dejbqb32.exe File created C:\Windows\SysWOW64\Jpigma32.exe Jhbold32.exe File created C:\Windows\SysWOW64\Mqbbagjo.exe Mmgfqh32.exe File created C:\Windows\SysWOW64\Mcckcbgp.exe Mklcadfn.exe File opened for modification C:\Windows\SysWOW64\Edlfhc32.exe Eamilh32.exe File opened for modification C:\Windows\SysWOW64\Nfidjbdg.exe Nbniid32.exe File opened for modification C:\Windows\SysWOW64\Mfmndn32.exe Mcnbhb32.exe File created C:\Windows\SysWOW64\Mcqombic.exe Mqbbagjo.exe File created C:\Windows\SysWOW64\Ljnnefda.dll Khlili32.exe File created C:\Windows\SysWOW64\Mmmjebjg.dll Loqmba32.exe File opened for modification C:\Windows\SysWOW64\Jgdfdbhk.exe Jdejhfig.exe File created C:\Windows\SysWOW64\Kfbfkmeh.exe Kbgjkn32.exe File created C:\Windows\SysWOW64\Feafacjb.dll Kfbfkmeh.exe File opened for modification C:\Windows\SysWOW64\Khcomhbi.exe Kfebambf.exe File created C:\Windows\SysWOW64\Jinafidh.dll Nfnneb32.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\system32†Dpapaj32.¿xe Dpapaj32.exe File opened for modification C:\Windows\system32†Dpapaj32.¿xe Dpapaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9680 9652 WerFault.exe 1004 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiffkkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqeagm32.dll" Oklnff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbmkli32.dll" Qmgibqjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgmfchei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekohgi32.dll" Kgclio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbqhfq32.dll" Nhdocl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbmqhd32.dll" Ghajacmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohncbdbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbjmpcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbfook32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abpcooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll" Ckjamgmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddiibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddiibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omqlpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmnhb32.dll" Pdonhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nibqqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjjdacik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jckgicnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baojapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbglcb32.dll" Lgchgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akafaiao.dll" Nabopjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoagccfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckhdggom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kafbbbmg.dll" Aidphq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkhgip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcfbdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpincmg.dll" Ifgpnmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmbalfem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmlgia32.dll" Hnkion32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgbeiiqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkdhln32.dll" Aakjdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njfjnpgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njhfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll" Bmpkqklh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncniim32.dll" Lqncaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjnjjbbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfghdcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhlfoln.dll" Bflbigdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iapgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnckp32.dll" Adcdbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnofjfhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jondnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbaglpee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdpldi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eniclh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdpkbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljoegei.dll" Lhpglecl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmkplgnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqbolhmg.dll" Offmipej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omcifpnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dacpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elemhgkf.dll" Dhbhmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnbdko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcaiiejc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlfgcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khkbbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqnifg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppnnai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfmggec.dll" Lbemfbdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Diibag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knnkpobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajnpecbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afffenbp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2092 wrote to memory of 2796 2092 b506f48c923c24289a1fd71425408d50N.exe 30 PID 2092 wrote to memory of 2796 2092 b506f48c923c24289a1fd71425408d50N.exe 30 PID 2092 wrote to memory of 2796 2092 b506f48c923c24289a1fd71425408d50N.exe 30 PID 2092 wrote to memory of 2796 2092 b506f48c923c24289a1fd71425408d50N.exe 30 PID 2796 wrote to memory of 2836 2796 Jfcqgpfi.exe 31 PID 2796 wrote to memory of 2836 2796 Jfcqgpfi.exe 31 PID 2796 wrote to memory of 2836 2796 Jfcqgpfi.exe 31 PID 2796 wrote to memory of 2836 2796 Jfcqgpfi.exe 31 PID 2836 wrote to memory of 2628 2836 Jhamckel.exe 32 PID 2836 wrote to memory of 2628 2836 Jhamckel.exe 32 PID 2836 wrote to memory of 2628 2836 Jhamckel.exe 32 PID 2836 wrote to memory of 2628 2836 Jhamckel.exe 32 PID 2628 wrote to memory of 2644 2628 Jajala32.exe 33 PID 2628 wrote to memory of 2644 2628 Jajala32.exe 33 PID 2628 wrote to memory of 2644 2628 Jajala32.exe 33 PID 2628 wrote to memory of 2644 2628 Jajala32.exe 33 PID 2644 wrote to memory of 2720 2644 Jhdihkcj.exe 34 PID 2644 wrote to memory of 2720 2644 Jhdihkcj.exe 34 PID 2644 wrote to memory of 2720 2644 Jhdihkcj.exe 34 PID 2644 wrote to memory of 2720 2644 Jhdihkcj.exe 34 PID 2720 wrote to memory of 2356 2720 Jonbee32.exe 35 PID 2720 wrote to memory of 2356 2720 Jonbee32.exe 35 PID 2720 wrote to memory of 2356 2720 Jonbee32.exe 35 PID 2720 wrote to memory of 2356 2720 Jonbee32.exe 35 PID 2356 wrote to memory of 1680 2356 Jdkjnl32.exe 36 PID 2356 wrote to memory of 1680 2356 Jdkjnl32.exe 36 PID 2356 wrote to memory of 1680 2356 Jdkjnl32.exe 36 PID 2356 wrote to memory of 1680 2356 Jdkjnl32.exe 36 PID 1680 wrote to memory of 760 1680 Jhffnk32.exe 37 PID 1680 wrote to memory of 760 1680 Jhffnk32.exe 37 PID 1680 wrote to memory of 760 1680 Jhffnk32.exe 37 PID 1680 wrote to memory of 760 1680 Jhffnk32.exe 37 PID 760 wrote to memory of 1164 760 Jkebjf32.exe 38 PID 760 wrote to memory of 1164 760 Jkebjf32.exe 38 PID 760 wrote to memory of 1164 760 Jkebjf32.exe 38 PID 760 wrote to memory of 1164 760 Jkebjf32.exe 38 PID 1164 wrote to memory of 1728 1164 Kncofa32.exe 39 PID 1164 wrote to memory of 1728 1164 Kncofa32.exe 39 PID 1164 wrote to memory of 1728 1164 Kncofa32.exe 39 PID 1164 wrote to memory of 1728 1164 Kncofa32.exe 39 PID 1728 wrote to memory of 564 1728 Kfjggo32.exe 40 PID 1728 wrote to memory of 564 1728 Kfjggo32.exe 40 PID 1728 wrote to memory of 564 1728 Kfjggo32.exe 40 PID 1728 wrote to memory of 564 1728 Kfjggo32.exe 40 PID 564 wrote to memory of 2660 564 Kglcogeo.exe 41 PID 564 wrote to memory of 2660 564 Kglcogeo.exe 41 PID 564 wrote to memory of 2660 564 Kglcogeo.exe 41 PID 564 wrote to memory of 2660 564 Kglcogeo.exe 41 PID 2660 wrote to memory of 272 2660 Kkgopf32.exe 42 PID 2660 wrote to memory of 272 2660 Kkgopf32.exe 42 PID 2660 wrote to memory of 272 2660 Kkgopf32.exe 42 PID 2660 wrote to memory of 272 2660 Kkgopf32.exe 42 PID 272 wrote to memory of 2200 272 Kbaglpee.exe 43 PID 272 wrote to memory of 2200 272 Kbaglpee.exe 43 PID 272 wrote to memory of 2200 272 Kbaglpee.exe 43 PID 272 wrote to memory of 2200 272 Kbaglpee.exe 43 PID 2200 wrote to memory of 3048 2200 Kdpcikdi.exe 44 PID 2200 wrote to memory of 3048 2200 Kdpcikdi.exe 44 PID 2200 wrote to memory of 3048 2200 Kdpcikdi.exe 44 PID 2200 wrote to memory of 3048 2200 Kdpcikdi.exe 44 PID 3048 wrote to memory of 2176 3048 Kgnpeg32.exe 45 PID 3048 wrote to memory of 2176 3048 Kgnpeg32.exe 45 PID 3048 wrote to memory of 2176 3048 Kgnpeg32.exe 45 PID 3048 wrote to memory of 2176 3048 Kgnpeg32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b506f48c923c24289a1fd71425408d50N.exe"C:\Users\Admin\AppData\Local\Temp\b506f48c923c24289a1fd71425408d50N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Jhamckel.exeC:\Windows\system32\Jhamckel.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Jhdihkcj.exeC:\Windows\system32\Jhdihkcj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Jkebjf32.exeC:\Windows\system32\Jkebjf32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Kncofa32.exeC:\Windows\system32\Kncofa32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Kglcogeo.exeC:\Windows\system32\Kglcogeo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Kbaglpee.exeC:\Windows\system32\Kbaglpee.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:272 -
C:\Windows\SysWOW64\Kdpcikdi.exeC:\Windows\system32\Kdpcikdi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Kgnpeg32.exeC:\Windows\system32\Kgnpeg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Knhhaaki.exeC:\Windows\system32\Knhhaaki.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Kbcdbp32.exeC:\Windows\system32\Kbcdbp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\Kdbpnk32.exeC:\Windows\system32\Kdbpnk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:956 -
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Kklikejc.exeC:\Windows\system32\Kklikejc.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:960 -
C:\Windows\SysWOW64\Kmmebm32.exeC:\Windows\system32\Kmmebm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Kqiaclhj.exeC:\Windows\system32\Kqiaclhj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Kddmdk32.exeC:\Windows\system32\Kddmdk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Kgbipf32.exeC:\Windows\system32\Kgbipf32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Kjaelaok.exeC:\Windows\system32\Kjaelaok.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Kmobhmnn.exeC:\Windows\system32\Kmobhmnn.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Ljcbaamh.exeC:\Windows\system32\Ljcbaamh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe33⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Ljfogake.exeC:\Windows\system32\Ljfogake.exe34⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Lkgkoiqc.exeC:\Windows\system32\Lkgkoiqc.exe35⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Lflplbpi.exeC:\Windows\system32\Lflplbpi.exe36⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe37⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Lkihdioa.exeC:\Windows\system32\Lkihdioa.exe38⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Lbcpac32.exeC:\Windows\system32\Lbcpac32.exe39⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Liminmmk.exeC:\Windows\system32\Liminmmk.exe40⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Lklejh32.exeC:\Windows\system32\Lklejh32.exe41⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Lbemfbdk.exeC:\Windows\system32\Lbemfbdk.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Lahmbo32.exeC:\Windows\system32\Lahmbo32.exe43⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Llnaoh32.exeC:\Windows\system32\Llnaoh32.exe44⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Lnlnlc32.exeC:\Windows\system32\Lnlnlc32.exe45⤵
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe46⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Mgebdipp.exeC:\Windows\system32\Mgebdipp.exe47⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Mlpneh32.exeC:\Windows\system32\Mlpneh32.exe48⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Meicnm32.exeC:\Windows\system32\Meicnm32.exe49⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe50⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Mnaggcej.exeC:\Windows\system32\Mnaggcej.exe52⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe53⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Mcnpojca.exeC:\Windows\system32\Mcnpojca.exe54⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Mjhhld32.exeC:\Windows\system32\Mjhhld32.exe55⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Mikhgqbi.exeC:\Windows\system32\Mikhgqbi.exe56⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Mabphn32.exeC:\Windows\system32\Mabphn32.exe57⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Mimemp32.exeC:\Windows\system32\Mimemp32.exe60⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Mmhamoho.exeC:\Windows\system32\Mmhamoho.exe61⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Mpgmijgc.exeC:\Windows\system32\Mpgmijgc.exe62⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Mdbiji32.exeC:\Windows\system32\Mdbiji32.exe63⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe64⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Mioabp32.exeC:\Windows\system32\Mioabp32.exe65⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Nmkncofl.exeC:\Windows\system32\Nmkncofl.exe66⤵PID:336
-
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe67⤵PID:1560
-
C:\Windows\SysWOW64\Npijoj32.exeC:\Windows\system32\Npijoj32.exe68⤵
- Drops file in System32 directory
PID:792 -
C:\Windows\SysWOW64\Nbhfke32.exeC:\Windows\system32\Nbhfke32.exe69⤵PID:2120
-
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe70⤵PID:1904
-
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe71⤵
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe72⤵PID:2852
-
C:\Windows\SysWOW64\Noogpfjh.exeC:\Windows\system32\Noogpfjh.exe73⤵PID:2624
-
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe74⤵PID:2988
-
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe75⤵PID:1796
-
C:\Windows\SysWOW64\Nkegeg32.exeC:\Windows\system32\Nkegeg32.exe76⤵
- Drops file in System32 directory
PID:600 -
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe77⤵PID:2036
-
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2588 -
C:\Windows\SysWOW64\Ndpicm32.exeC:\Windows\system32\Ndpicm32.exe79⤵PID:2268
-
C:\Windows\SysWOW64\Ngneph32.exeC:\Windows\system32\Ngneph32.exe80⤵PID:2776
-
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe81⤵PID:2336
-
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe82⤵PID:1780
-
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe83⤵PID:1800
-
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe84⤵
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Oaffbqaa.exeC:\Windows\system32\Oaffbqaa.exe85⤵PID:2064
-
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2864 -
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe87⤵PID:2636
-
C:\Windows\SysWOW64\Okojkf32.exeC:\Windows\system32\Okojkf32.exe88⤵PID:3036
-
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe89⤵PID:1772
-
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe90⤵PID:1964
-
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe91⤵PID:1624
-
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe92⤵PID:2884
-
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe93⤵PID:1816
-
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe94⤵PID:1648
-
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe95⤵PID:344
-
C:\Windows\SysWOW64\Oekhacbn.exeC:\Windows\system32\Oekhacbn.exe96⤵PID:1532
-
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe97⤵
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe98⤵PID:848
-
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:876 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe100⤵PID:372
-
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe101⤵PID:2908
-
C:\Windows\SysWOW64\Ohkaco32.exeC:\Windows\system32\Ohkaco32.exe102⤵PID:2764
-
C:\Windows\SysWOW64\Pkjmoj32.exeC:\Windows\system32\Pkjmoj32.exe103⤵PID:3000
-
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe104⤵PID:1720
-
C:\Windows\SysWOW64\Pcaepg32.exeC:\Windows\system32\Pcaepg32.exe105⤵PID:1480
-
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2972 -
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe107⤵PID:2100
-
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe108⤵PID:2432
-
C:\Windows\SysWOW64\Pnjfae32.exeC:\Windows\system32\Pnjfae32.exe109⤵PID:2136
-
C:\Windows\SysWOW64\Peanbblf.exeC:\Windows\system32\Peanbblf.exe110⤵PID:1356
-
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe111⤵PID:1540
-
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe112⤵PID:1952
-
C:\Windows\SysWOW64\Pahogc32.exeC:\Windows\system32\Pahogc32.exe113⤵PID:2780
-
C:\Windows\SysWOW64\Pdgkco32.exeC:\Windows\system32\Pdgkco32.exe114⤵PID:2532
-
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe115⤵PID:1848
-
C:\Windows\SysWOW64\Pkacpihj.exeC:\Windows\system32\Pkacpihj.exe116⤵PID:2292
-
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe117⤵PID:2040
-
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe118⤵PID:1496
-
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe119⤵PID:1044
-
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe120⤵PID:524
-
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe121⤵PID:1700
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-