Analysis
-
max time kernel
141s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
05/07/2024, 23:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
18183519d0fd461af72a5dd1c40a0a60.exe
Resource
win7-20240705-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
18183519d0fd461af72a5dd1c40a0a60.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
18183519d0fd461af72a5dd1c40a0a60.exe
-
Size
448KB
-
MD5
18183519d0fd461af72a5dd1c40a0a60
-
SHA1
de0d307396885f060d43f6e5ad7807a92006f7de
-
SHA256
eea2ce840a6cf83d0c145c9d74419c5a386d7c2a934320d21166479701ba17d8
-
SHA512
753082c0d7018bb287513ac7811a9da2d651396aa7bdca4f2b47c02fe7b82bf1a4f95911da1fde5c2c8754edc916b237d92ccd6f4c8b5ac6e9ee9fa8d04e1de9
-
SSDEEP
6144:mAkohDxrADoqZQ8SeNpgdyuH1lZfRo0V8JcgE+ezpg1xrlo9:mAvEDoqW87g7/VycgE81lm
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhqfie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmloigln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Janihlcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcknjidn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Naokbq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oacdmpan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgelahmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppcmhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qkcdigpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mqgahh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekmjanpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fdjddf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgnaekil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eoqeekme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Panpgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebhani32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcpbpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipimic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdjpmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnpieceq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkmfpabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bgnaekil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mginjnnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kommediq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Npieoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cncmei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cncmei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgnfpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eleobngo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oakaheoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohbmppia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fofekp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqkqbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfckhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gghloe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilceog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgaqohql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Paemac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Epbamc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofmiea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apeflmjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bineidcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fholmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Plneoace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bbocak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echoepmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkbkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eponmmaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbenc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kabobo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmjicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncjcnfcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfjiod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbmnjenb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkkaik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqhiab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajaagi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olnipn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnbhmlkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omjeba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cafbmdbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifahpnfl.exe -
Executes dropped EXE 64 IoCs
pid Process 2992 Iaaaiobc.exe 2784 Imhanp32.exe 2792 Ilmool32.exe 2904 Ibgglfdl.exe 2808 Jehpna32.exe 2692 Jblpge32.exe 1060 Jocalffk.exe 2108 Jhnbklji.exe 944 Jklnggjm.exe 1096 Jnjjcbiq.exe 1760 Knmghb32.exe 1068 Kpkcdn32.exe 2012 Kgelahmn.exe 840 Kjchmclb.exe 284 Kpmpjm32.exe 1112 Kjfdcc32.exe 940 Lfckhc32.exe 1848 Ldfldpqf.exe 1884 Lgehpk32.exe 632 Lggdfk32.exe 1876 Lnambeed.exe 2600 Lqpiopdh.exe 304 Lcneklck.exe 2376 Lgiakjld.exe 1680 Lncjhd32.exe 2744 Lcpbpk32.exe 3004 Lglnajjb.exe 2668 Mcbofk32.exe 2752 Mjmgbe32.exe 2968 Mmkcoq32.exe 2636 Mqfooonp.exe 1392 Mfchgflg.exe 2100 Mmmpdp32.exe 1048 Mpllpl32.exe 1176 Mbjhlg32.exe 1924 Meidib32.exe 1412 Mlbmem32.exe 2816 Mpnifkae.exe 2952 Mekanbol.exe 1964 Mginjnnp.exe 1428 Mpqekkob.exe 376 Maabcc32.exe 2084 Niijdq32.exe 1720 Nadoiccn.exe 464 Nepkia32.exe 2280 Nhngem32.exe 2996 Njlcah32.exe 2748 Nnhobgag.exe 2508 Nafknbqk.exe 2264 Ndehjnpo.exe 2956 Nnjlhg32.exe 2164 Nplhooec.exe 1568 Ndgdpn32.exe 2436 Nfeqli32.exe 2932 Nmpiicdm.exe 2204 Npneeocq.exe 2188 Ndiaem32.exe 2772 Nfhmai32.exe 1552 Njcibgcf.exe 2072 Nmbenc32.exe 2608 Odlnkmjg.exe 1992 Obonfj32.exe 1072 Oemjbe32.exe 2232 Oiifcdhn.exe -
Loads dropped DLL 64 IoCs
pid Process 3064 18183519d0fd461af72a5dd1c40a0a60.exe 3064 18183519d0fd461af72a5dd1c40a0a60.exe 2992 Iaaaiobc.exe 2992 Iaaaiobc.exe 2784 Imhanp32.exe 2784 Imhanp32.exe 2792 Ilmool32.exe 2792 Ilmool32.exe 2904 Ibgglfdl.exe 2904 Ibgglfdl.exe 2808 Jehpna32.exe 2808 Jehpna32.exe 2692 Jblpge32.exe 2692 Jblpge32.exe 1060 Jocalffk.exe 1060 Jocalffk.exe 2108 Jhnbklji.exe 2108 Jhnbklji.exe 944 Jklnggjm.exe 944 Jklnggjm.exe 1096 Jnjjcbiq.exe 1096 Jnjjcbiq.exe 1760 Knmghb32.exe 1760 Knmghb32.exe 1068 Kpkcdn32.exe 1068 Kpkcdn32.exe 2012 Kgelahmn.exe 2012 Kgelahmn.exe 840 Kjchmclb.exe 840 Kjchmclb.exe 284 Kpmpjm32.exe 284 Kpmpjm32.exe 1112 Kjfdcc32.exe 1112 Kjfdcc32.exe 940 Lfckhc32.exe 940 Lfckhc32.exe 1848 Ldfldpqf.exe 1848 Ldfldpqf.exe 1884 Lgehpk32.exe 1884 Lgehpk32.exe 632 Lggdfk32.exe 632 Lggdfk32.exe 1876 Lnambeed.exe 1876 Lnambeed.exe 2600 Lqpiopdh.exe 2600 Lqpiopdh.exe 304 Lcneklck.exe 304 Lcneklck.exe 2376 Lgiakjld.exe 2376 Lgiakjld.exe 1680 Lncjhd32.exe 1680 Lncjhd32.exe 2744 Lcpbpk32.exe 2744 Lcpbpk32.exe 3004 Lglnajjb.exe 3004 Lglnajjb.exe 2668 Mcbofk32.exe 2668 Mcbofk32.exe 2752 Mjmgbe32.exe 2752 Mjmgbe32.exe 2968 Mmkcoq32.exe 2968 Mmkcoq32.exe 2636 Mqfooonp.exe 2636 Mqfooonp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mpqekkob.exe Mginjnnp.exe File created C:\Windows\SysWOW64\Lcmopepp.exe Lhhjcmpj.exe File created C:\Windows\SysWOW64\Oeldjogm.dll Ccileljk.exe File created C:\Windows\SysWOW64\Eoqeekme.exe Edkahbmo.exe File created C:\Windows\SysWOW64\Gcljdpke.exe Gmbagf32.exe File created C:\Windows\SysWOW64\Mhdcbjal.exe Mdigakic.exe File opened for modification C:\Windows\SysWOW64\Hnecjgch.exe Hhhkbqea.exe File opened for modification C:\Windows\SysWOW64\Ccjbobnf.exe Cegbce32.exe File opened for modification C:\Windows\SysWOW64\Ccolja32.exe Cappnf32.exe File created C:\Windows\SysWOW64\Gilikd32.dll Kabobo32.exe File created C:\Windows\SysWOW64\Ahllnc32.dll Mgaqohql.exe File created C:\Windows\SysWOW64\Nicfnn32.exe Nbinad32.exe File opened for modification C:\Windows\SysWOW64\Dmopge32.exe Dgbgon32.exe File created C:\Windows\SysWOW64\Cfllpb32.dll Gcgpiq32.exe File created C:\Windows\SysWOW64\Bqhmkq32.dll Njjieace.exe File created C:\Windows\SysWOW64\Lqpiopdh.exe Lnambeed.exe File created C:\Windows\SysWOW64\Ffecai32.dll Ljbmbpkb.exe File opened for modification C:\Windows\SysWOW64\Llfcik32.exe Lflklaoc.exe File created C:\Windows\SysWOW64\Anaeppkc.dll Bfcnfh32.exe File created C:\Windows\SysWOW64\Iiodliep.exe Ifahpnfl.exe File created C:\Windows\SysWOW64\Njjieace.exe Niilmi32.exe File opened for modification C:\Windows\SysWOW64\Hnimeg32.exe Hkkaik32.exe File created C:\Windows\SysWOW64\Hebhjc32.dll Mdcdcmai.exe File created C:\Windows\SysWOW64\Ncejcg32.exe Ndbjgjqh.exe File created C:\Windows\SysWOW64\Bapejd32.exe Bpnibl32.exe File opened for modification C:\Windows\SysWOW64\Emilqb32.exe Dhmchljg.exe File created C:\Windows\SysWOW64\Obeapbcg.dll Paemac32.exe File created C:\Windows\SysWOW64\Ionqcpbl.dll Cngfqi32.exe File created C:\Windows\SysWOW64\Ghmohcbl.exe Gdbchd32.exe File opened for modification C:\Windows\SysWOW64\Koelibnh.exe Klgpmgod.exe File opened for modification C:\Windows\SysWOW64\Fdjfmolo.exe Fpojlp32.exe File opened for modification C:\Windows\SysWOW64\Agaifnhi.exe Adbmjbif.exe File created C:\Windows\SysWOW64\Aphijpjj.dll Echoepmo.exe File opened for modification C:\Windows\SysWOW64\Hajdniep.exe Hmnhnk32.exe File created C:\Windows\SysWOW64\Iaipmm32.exe Ijphqbpo.exe File created C:\Windows\SysWOW64\Jjbpfopf.dll Ojnelefl.exe File opened for modification C:\Windows\SysWOW64\Ipimic32.exe Iiodliep.exe File opened for modification C:\Windows\SysWOW64\Kfcadq32.exe Kdeehe32.exe File opened for modification C:\Windows\SysWOW64\Mqfooonp.exe Mmkcoq32.exe File created C:\Windows\SysWOW64\Lepapf32.dll Njlcah32.exe File created C:\Windows\SysWOW64\Bkghjq32.exe Biikne32.exe File opened for modification C:\Windows\SysWOW64\Lqpiopdh.exe Lnambeed.exe File created C:\Windows\SysWOW64\Cpgieb32.exe Cmimif32.exe File created C:\Windows\SysWOW64\Didgig32.exe Doocln32.exe File created C:\Windows\SysWOW64\Lcfhpf32.exe Lllpclnk.exe File created C:\Windows\SysWOW64\Pejcab32.exe Pbkgegad.exe File opened for modification C:\Windows\SysWOW64\Bbfibj32.exe Bphmfo32.exe File opened for modification C:\Windows\SysWOW64\Bapejd32.exe Bpnibl32.exe File created C:\Windows\SysWOW64\Fqqdigko.exe Fnbhmlkk.exe File opened for modification C:\Windows\SysWOW64\Ghnfci32.exe Gcankb32.exe File opened for modification C:\Windows\SysWOW64\Cncmei32.exe Cejhld32.exe File created C:\Windows\SysWOW64\Apjpglfn.exe Akmgoehg.exe File created C:\Windows\SysWOW64\Omdkhjjg.dll Cofohkgi.exe File created C:\Windows\SysWOW64\Nchoilen.dll Nnjlhg32.exe File opened for modification C:\Windows\SysWOW64\Nbinad32.exe Neemgp32.exe File created C:\Windows\SysWOW64\Bnqcaffa.exe Ahdkhp32.exe File created C:\Windows\SysWOW64\Aikbjbjh.dll Niijdq32.exe File opened for modification C:\Windows\SysWOW64\Ppegdapd.exe Pikohg32.exe File created C:\Windows\SysWOW64\Nobjghoh.dll Kopikdgn.exe File opened for modification C:\Windows\SysWOW64\Ndpmbjbk.exe Njjieace.exe File created C:\Windows\SysWOW64\Dqffpm32.dll Maabcc32.exe File opened for modification C:\Windows\SysWOW64\Odlnkmjg.exe Nmbenc32.exe File opened for modification C:\Windows\SysWOW64\Bjfkbhae.exe Bbocak32.exe File created C:\Windows\SysWOW64\Gmceaapm.dll Biikne32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7592 7568 WerFault.exe 728 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ilceog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nmeohnil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncmki32.dll" Egljjmkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caklgd32.dll" Falakjag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iaaaiobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqggmb32.dll" Hbkpfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bineidcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mnilfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdcadn32.dll" Bjnjfffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihefej32.dll" Imidgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aniffaim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nafknbqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oahdce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fcmdpcle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hminbkql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjeace32.dll" Kdooij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pmgnan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qhdfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coiege32.dll" Doocln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Adbmjbif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Boolhikf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lncjhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaffon32.dll" Oikcicfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpnbgh32.dll" Klgpmgod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncpcapia.dll" Oaiglnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fbbcdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbpfopf.dll" Ojnelefl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajabpehm.dll" Annpaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aojbpoih.dll" Bnkpjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gllabp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ilmool32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kaieai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Apeflmjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nnhobgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Elgioe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qhgbibgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpaem32.dll" Ngoinfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpolmb32.dll" Eecgafkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhgkde32.dll" Qpjchicb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdaibo32.dll" Ccaipaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kennjb32.dll" Bncpffdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afobkm32.dll" Ofefqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aogmdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bgcdcjpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miijkkno.dll" Gojkecka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjlgaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijinin32.dll" Hajdniep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bgfdjfkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccbefif.dll" Goodpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hfbckagm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jonqfq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhdcbjal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bnhqll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cegbce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkhbkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iclfccmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Imdjlida.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ofmiea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dcojbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obonfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bphmfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klnigglg.dll" Qlpadaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maonll32.dll" Iiekkdjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bbapgknp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3064 wrote to memory of 2992 3064 18183519d0fd461af72a5dd1c40a0a60.exe 30 PID 3064 wrote to memory of 2992 3064 18183519d0fd461af72a5dd1c40a0a60.exe 30 PID 3064 wrote to memory of 2992 3064 18183519d0fd461af72a5dd1c40a0a60.exe 30 PID 3064 wrote to memory of 2992 3064 18183519d0fd461af72a5dd1c40a0a60.exe 30 PID 2992 wrote to memory of 2784 2992 Iaaaiobc.exe 31 PID 2992 wrote to memory of 2784 2992 Iaaaiobc.exe 31 PID 2992 wrote to memory of 2784 2992 Iaaaiobc.exe 31 PID 2992 wrote to memory of 2784 2992 Iaaaiobc.exe 31 PID 2784 wrote to memory of 2792 2784 Imhanp32.exe 32 PID 2784 wrote to memory of 2792 2784 Imhanp32.exe 32 PID 2784 wrote to memory of 2792 2784 Imhanp32.exe 32 PID 2784 wrote to memory of 2792 2784 Imhanp32.exe 32 PID 2792 wrote to memory of 2904 2792 Ilmool32.exe 33 PID 2792 wrote to memory of 2904 2792 Ilmool32.exe 33 PID 2792 wrote to memory of 2904 2792 Ilmool32.exe 33 PID 2792 wrote to memory of 2904 2792 Ilmool32.exe 33 PID 2904 wrote to memory of 2808 2904 Ibgglfdl.exe 34 PID 2904 wrote to memory of 2808 2904 Ibgglfdl.exe 34 PID 2904 wrote to memory of 2808 2904 Ibgglfdl.exe 34 PID 2904 wrote to memory of 2808 2904 Ibgglfdl.exe 34 PID 2808 wrote to memory of 2692 2808 Jehpna32.exe 35 PID 2808 wrote to memory of 2692 2808 Jehpna32.exe 35 PID 2808 wrote to memory of 2692 2808 Jehpna32.exe 35 PID 2808 wrote to memory of 2692 2808 Jehpna32.exe 35 PID 2692 wrote to memory of 1060 2692 Jblpge32.exe 36 PID 2692 wrote to memory of 1060 2692 Jblpge32.exe 36 PID 2692 wrote to memory of 1060 2692 Jblpge32.exe 36 PID 2692 wrote to memory of 1060 2692 Jblpge32.exe 36 PID 1060 wrote to memory of 2108 1060 Jocalffk.exe 37 PID 1060 wrote to memory of 2108 1060 Jocalffk.exe 37 PID 1060 wrote to memory of 2108 1060 Jocalffk.exe 37 PID 1060 wrote to memory of 2108 1060 Jocalffk.exe 37 PID 2108 wrote to memory of 944 2108 Jhnbklji.exe 38 PID 2108 wrote to memory of 944 2108 Jhnbklji.exe 38 PID 2108 wrote to memory of 944 2108 Jhnbklji.exe 38 PID 2108 wrote to memory of 944 2108 Jhnbklji.exe 38 PID 944 wrote to memory of 1096 944 Jklnggjm.exe 39 PID 944 wrote to memory of 1096 944 Jklnggjm.exe 39 PID 944 wrote to memory of 1096 944 Jklnggjm.exe 39 PID 944 wrote to memory of 1096 944 Jklnggjm.exe 39 PID 1096 wrote to memory of 1760 1096 Jnjjcbiq.exe 40 PID 1096 wrote to memory of 1760 1096 Jnjjcbiq.exe 40 PID 1096 wrote to memory of 1760 1096 Jnjjcbiq.exe 40 PID 1096 wrote to memory of 1760 1096 Jnjjcbiq.exe 40 PID 1760 wrote to memory of 1068 1760 Knmghb32.exe 41 PID 1760 wrote to memory of 1068 1760 Knmghb32.exe 41 PID 1760 wrote to memory of 1068 1760 Knmghb32.exe 41 PID 1760 wrote to memory of 1068 1760 Knmghb32.exe 41 PID 1068 wrote to memory of 2012 1068 Kpkcdn32.exe 42 PID 1068 wrote to memory of 2012 1068 Kpkcdn32.exe 42 PID 1068 wrote to memory of 2012 1068 Kpkcdn32.exe 42 PID 1068 wrote to memory of 2012 1068 Kpkcdn32.exe 42 PID 2012 wrote to memory of 840 2012 Kgelahmn.exe 43 PID 2012 wrote to memory of 840 2012 Kgelahmn.exe 43 PID 2012 wrote to memory of 840 2012 Kgelahmn.exe 43 PID 2012 wrote to memory of 840 2012 Kgelahmn.exe 43 PID 840 wrote to memory of 284 840 Kjchmclb.exe 44 PID 840 wrote to memory of 284 840 Kjchmclb.exe 44 PID 840 wrote to memory of 284 840 Kjchmclb.exe 44 PID 840 wrote to memory of 284 840 Kjchmclb.exe 44 PID 284 wrote to memory of 1112 284 Kpmpjm32.exe 45 PID 284 wrote to memory of 1112 284 Kpmpjm32.exe 45 PID 284 wrote to memory of 1112 284 Kpmpjm32.exe 45 PID 284 wrote to memory of 1112 284 Kpmpjm32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\18183519d0fd461af72a5dd1c40a0a60.exe"C:\Users\Admin\AppData\Local\Temp\18183519d0fd461af72a5dd1c40a0a60.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Iaaaiobc.exeC:\Windows\system32\Iaaaiobc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Imhanp32.exeC:\Windows\system32\Imhanp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Ilmool32.exeC:\Windows\system32\Ilmool32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Ibgglfdl.exeC:\Windows\system32\Ibgglfdl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Jehpna32.exeC:\Windows\system32\Jehpna32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Jblpge32.exeC:\Windows\system32\Jblpge32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Jocalffk.exeC:\Windows\system32\Jocalffk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Jhnbklji.exeC:\Windows\system32\Jhnbklji.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Jklnggjm.exeC:\Windows\system32\Jklnggjm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Jnjjcbiq.exeC:\Windows\system32\Jnjjcbiq.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Knmghb32.exeC:\Windows\system32\Knmghb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Kpkcdn32.exeC:\Windows\system32\Kpkcdn32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Kgelahmn.exeC:\Windows\system32\Kgelahmn.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Kjchmclb.exeC:\Windows\system32\Kjchmclb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Kpmpjm32.exeC:\Windows\system32\Kpmpjm32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:284 -
C:\Windows\SysWOW64\Kjfdcc32.exeC:\Windows\system32\Kjfdcc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1112 -
C:\Windows\SysWOW64\Lfckhc32.exeC:\Windows\system32\Lfckhc32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:940 -
C:\Windows\SysWOW64\Ldfldpqf.exeC:\Windows\system32\Ldfldpqf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\Lgehpk32.exeC:\Windows\system32\Lgehpk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1884 -
C:\Windows\SysWOW64\Lggdfk32.exeC:\Windows\system32\Lggdfk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:632 -
C:\Windows\SysWOW64\Lnambeed.exeC:\Windows\system32\Lnambeed.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1876 -
C:\Windows\SysWOW64\Lqpiopdh.exeC:\Windows\system32\Lqpiopdh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Lcneklck.exeC:\Windows\system32\Lcneklck.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:304 -
C:\Windows\SysWOW64\Lgiakjld.exeC:\Windows\system32\Lgiakjld.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Lncjhd32.exeC:\Windows\system32\Lncjhd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Lcpbpk32.exeC:\Windows\system32\Lcpbpk32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Lglnajjb.exeC:\Windows\system32\Lglnajjb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Mcbofk32.exeC:\Windows\system32\Mcbofk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Mjmgbe32.exeC:\Windows\system32\Mjmgbe32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Mmkcoq32.exeC:\Windows\system32\Mmkcoq32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Mqfooonp.exeC:\Windows\system32\Mqfooonp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Mfchgflg.exeC:\Windows\system32\Mfchgflg.exe33⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Mmmpdp32.exeC:\Windows\system32\Mmmpdp32.exe34⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Mpllpl32.exeC:\Windows\system32\Mpllpl32.exe35⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Mbjhlg32.exeC:\Windows\system32\Mbjhlg32.exe36⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Meidib32.exeC:\Windows\system32\Meidib32.exe37⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Mlbmem32.exeC:\Windows\system32\Mlbmem32.exe38⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Mpnifkae.exeC:\Windows\system32\Mpnifkae.exe39⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Mekanbol.exeC:\Windows\system32\Mekanbol.exe40⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Mginjnnp.exeC:\Windows\system32\Mginjnnp.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Mpqekkob.exeC:\Windows\system32\Mpqekkob.exe42⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Maabcc32.exeC:\Windows\system32\Maabcc32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:376 -
C:\Windows\SysWOW64\Niijdq32.exeC:\Windows\system32\Niijdq32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Nadoiccn.exeC:\Windows\system32\Nadoiccn.exe45⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Nepkia32.exeC:\Windows\system32\Nepkia32.exe46⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Nhngem32.exeC:\Windows\system32\Nhngem32.exe47⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Njlcah32.exeC:\Windows\system32\Njlcah32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Nnhobgag.exeC:\Windows\system32\Nnhobgag.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Nafknbqk.exeC:\Windows\system32\Nafknbqk.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Ndehjnpo.exeC:\Windows\system32\Ndehjnpo.exe51⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Nnjlhg32.exeC:\Windows\system32\Nnjlhg32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Nplhooec.exeC:\Windows\system32\Nplhooec.exe53⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Ndgdpn32.exeC:\Windows\system32\Ndgdpn32.exe54⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Nfeqli32.exeC:\Windows\system32\Nfeqli32.exe55⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Nmpiicdm.exeC:\Windows\system32\Nmpiicdm.exe56⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Npneeocq.exeC:\Windows\system32\Npneeocq.exe57⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Ndiaem32.exeC:\Windows\system32\Ndiaem32.exe58⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Nfhmai32.exeC:\Windows\system32\Nfhmai32.exe59⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Njcibgcf.exeC:\Windows\system32\Njcibgcf.exe60⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Nmbenc32.exeC:\Windows\system32\Nmbenc32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Odlnkmjg.exeC:\Windows\system32\Odlnkmjg.exe62⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Obonfj32.exeC:\Windows\system32\Obonfj32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Oemjbe32.exeC:\Windows\system32\Oemjbe32.exe64⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Oiifcdhn.exeC:\Windows\system32\Oiifcdhn.exe65⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Olgboogb.exeC:\Windows\system32\Olgboogb.exe66⤵PID:1508
-
C:\Windows\SysWOW64\Ooeolkff.exeC:\Windows\system32\Ooeolkff.exe67⤵PID:572
-
C:\Windows\SysWOW64\Ofmgmhgh.exeC:\Windows\system32\Ofmgmhgh.exe68⤵PID:2356
-
C:\Windows\SysWOW64\Oikcicfl.exeC:\Windows\system32\Oikcicfl.exe69⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Olioeoeo.exeC:\Windows\system32\Olioeoeo.exe70⤵PID:1664
-
C:\Windows\SysWOW64\Oebdndlp.exeC:\Windows\system32\Oebdndlp.exe71⤵PID:3060
-
C:\Windows\SysWOW64\Oimpnc32.exeC:\Windows\system32\Oimpnc32.exe72⤵PID:2696
-
C:\Windows\SysWOW64\Oojhfj32.exeC:\Windows\system32\Oojhfj32.exe73⤵PID:1088
-
C:\Windows\SysWOW64\Oahdce32.exeC:\Windows\system32\Oahdce32.exe74⤵
- Modifies registry class
PID:1248 -
C:\Windows\SysWOW64\Odgqoa32.exeC:\Windows\system32\Odgqoa32.exe75⤵PID:2008
-
C:\Windows\SysWOW64\Ohbmppia.exeC:\Windows\system32\Ohbmppia.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2024 -
C:\Windows\SysWOW64\Olnipn32.exeC:\Windows\system32\Olnipn32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2088 -
C:\Windows\SysWOW64\Oolelj32.exeC:\Windows\system32\Oolelj32.exe78⤵PID:2704
-
C:\Windows\SysWOW64\Oakaheoa.exeC:\Windows\system32\Oakaheoa.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:956 -
C:\Windows\SysWOW64\Odimdqne.exeC:\Windows\system32\Odimdqne.exe80⤵PID:1520
-
C:\Windows\SysWOW64\Pkcfak32.exeC:\Windows\system32\Pkcfak32.exe81⤵PID:1928
-
C:\Windows\SysWOW64\Pmabmf32.exeC:\Windows\system32\Pmabmf32.exe82⤵PID:2224
-
C:\Windows\SysWOW64\Pamnnemo.exeC:\Windows\system32\Pamnnemo.exe83⤵PID:2416
-
C:\Windows\SysWOW64\Pdljjplb.exeC:\Windows\system32\Pdljjplb.exe84⤵PID:2304
-
C:\Windows\SysWOW64\Pkebgj32.exeC:\Windows\system32\Pkebgj32.exe85⤵PID:2916
-
C:\Windows\SysWOW64\Pihbbgjj.exeC:\Windows\system32\Pihbbgjj.exe86⤵PID:2236
-
C:\Windows\SysWOW64\Pmdocf32.exeC:\Windows\system32\Pmdocf32.exe87⤵PID:2644
-
C:\Windows\SysWOW64\Pcagkmaj.exeC:\Windows\system32\Pcagkmaj.exe88⤵PID:2192
-
C:\Windows\SysWOW64\Pglclk32.exeC:\Windows\system32\Pglclk32.exe89⤵PID:2252
-
C:\Windows\SysWOW64\Pikohg32.exeC:\Windows\system32\Pikohg32.exe90⤵
- Drops file in System32 directory
PID:1336 -
C:\Windows\SysWOW64\Ppegdapd.exeC:\Windows\system32\Ppegdapd.exe91⤵PID:1684
-
C:\Windows\SysWOW64\Pdpcep32.exeC:\Windows\system32\Pdpcep32.exe92⤵PID:2476
-
C:\Windows\SysWOW64\Pgopak32.exeC:\Windows\system32\Pgopak32.exe93⤵PID:2152
-
C:\Windows\SysWOW64\Pllhib32.exeC:\Windows\system32\Pllhib32.exe94⤵PID:2392
-
C:\Windows\SysWOW64\Pojdem32.exeC:\Windows\system32\Pojdem32.exe95⤵PID:2068
-
C:\Windows\SysWOW64\Pceqfl32.exeC:\Windows\system32\Pceqfl32.exe96⤵PID:2320
-
C:\Windows\SysWOW64\Pedmbg32.exeC:\Windows\system32\Pedmbg32.exe97⤵PID:2868
-
C:\Windows\SysWOW64\Plneoace.exeC:\Windows\system32\Plneoace.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:932 -
C:\Windows\SysWOW64\Polakmbi.exeC:\Windows\system32\Polakmbi.exe99⤵PID:2064
-
C:\Windows\SysWOW64\Qakmghbm.exeC:\Windows\system32\Qakmghbm.exe100⤵PID:2888
-
C:\Windows\SysWOW64\Qefihg32.exeC:\Windows\system32\Qefihg32.exe101⤵PID:2944
-
C:\Windows\SysWOW64\Qhdfdb32.exeC:\Windows\system32\Qhdfdb32.exe102⤵
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Qlpadaac.exeC:\Windows\system32\Qlpadaac.exe103⤵
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Qcjjakip.exeC:\Windows\system32\Qcjjakip.exe104⤵PID:1692
-
C:\Windows\SysWOW64\Qfifmghc.exeC:\Windows\system32\Qfifmghc.exe105⤵PID:2348
-
C:\Windows\SysWOW64\Qhgbibgg.exeC:\Windows\system32\Qhgbibgg.exe106⤵
- Modifies registry class
PID:1120 -
C:\Windows\SysWOW64\Qkeofnfk.exeC:\Windows\system32\Qkeofnfk.exe107⤵PID:988
-
C:\Windows\SysWOW64\Adncoc32.exeC:\Windows\system32\Adncoc32.exe108⤵PID:2884
-
C:\Windows\SysWOW64\Ahioobed.exeC:\Windows\system32\Ahioobed.exe109⤵PID:2592
-
C:\Windows\SysWOW64\Akhkkmdh.exeC:\Windows\system32\Akhkkmdh.exe110⤵PID:2924
-
C:\Windows\SysWOW64\Aocgll32.exeC:\Windows\system32\Aocgll32.exe111⤵PID:2332
-
C:\Windows\SysWOW64\Abachg32.exeC:\Windows\system32\Abachg32.exe112⤵PID:2328
-
C:\Windows\SysWOW64\Aqddcdbo.exeC:\Windows\system32\Aqddcdbo.exe113⤵PID:2324
-
C:\Windows\SysWOW64\Ahllda32.exeC:\Windows\system32\Ahllda32.exe114⤵PID:2056
-
C:\Windows\SysWOW64\Akjham32.exeC:\Windows\system32\Akjham32.exe115⤵PID:2132
-
C:\Windows\SysWOW64\Anhdmh32.exeC:\Windows\system32\Anhdmh32.exe116⤵PID:2596
-
C:\Windows\SysWOW64\Abdpngjb.exeC:\Windows\system32\Abdpngjb.exe117⤵PID:2052
-
C:\Windows\SysWOW64\Adbmjbif.exeC:\Windows\system32\Adbmjbif.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:788 -
C:\Windows\SysWOW64\Agaifnhi.exeC:\Windows\system32\Agaifnhi.exe119⤵PID:2196
-
C:\Windows\SysWOW64\Adeiobgc.exeC:\Windows\system32\Adeiobgc.exe120⤵PID:2672
-
C:\Windows\SysWOW64\Achikonn.exeC:\Windows\system32\Achikonn.exe121⤵PID:1036
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-