Analysis
-
max time kernel
78s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
10/07/2024, 03:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
af74831d9c8e089aca0b932c4412f46226544c94fa4c3874ada390bb8cb00762.exe
Resource
win7-20240705-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
af74831d9c8e089aca0b932c4412f46226544c94fa4c3874ada390bb8cb00762.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
af74831d9c8e089aca0b932c4412f46226544c94fa4c3874ada390bb8cb00762.exe
-
Size
99KB
-
MD5
7a480e23ab6e61cf5cf371860539edee
-
SHA1
a152ee60b795b47369000709f1539e91c81230e0
-
SHA256
af74831d9c8e089aca0b932c4412f46226544c94fa4c3874ada390bb8cb00762
-
SHA512
adb4bd9ea379e225e0934881aee38b583cc67282acf720ae7ffb6b12ee3ab6c18483f85998c929ea6e4710eb4d468b0015200bfbd8b6127d585ddebdb2383891
-
SSDEEP
3072:NprtpQLBB/F0Hzlycgc3HNuJeyzpwoTRBmDRGGurhUI:NdtpQ/d0ocgc3HQcJm7UI
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaliaphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Modano32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Edkahbmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eibbqmhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdooij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llalgdbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofjjghik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfmhfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igoagpja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nfcdfiob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obakli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cqfdem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmhaep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjjcdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kikpgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmojfcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghlell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfmlgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojkecka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbigao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhdlbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmkbfmpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnecjgch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhpopk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Peapmhnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gcocnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdcebagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjlaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnhnmckc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jijqeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edkopifk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bigohejb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpnobi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Apllml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dapnfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qajiek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfemdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dgoakpjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fleihi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Midqiaih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpocno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gimmpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjchmclb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Klgpmgod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dnpedghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlkekilg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndgdpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dggcbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnafop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkgchckl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aggkdlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkgqpjch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chmlfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gaffja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aocgll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibpjaagi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mqoocmcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dgbgon32.exe -
Executes dropped EXE 64 IoCs
pid Process 1204 Afbpnlcd.exe 2252 Akphfbbl.exe 2848 Aehmoh32.exe 2232 Aaondi32.exe 2656 Bnbnnm32.exe 2108 Bjiobnbn.exe 2124 Bfppgohb.exe 2224 Baecehhh.exe 2500 Bpkqfdmp.exe 2988 Cpmmkdkn.exe 2992 Cejfckie.exe 1344 Cobjmq32.exe 2596 Cjikaa32.exe 2280 Cmjdcm32.exe 884 Coiqmp32.exe 2524 Dajiok32.exe 2268 Dkekmp32.exe 1384 Ddmofeam.exe 2404 Dglkba32.exe 1368 Dogpfc32.exe 268 Dhodpidl.exe 2432 Eokiabjf.exe 1992 Edhbjjhn.exe 2000 Ealbcngg.exe 2932 Edkopifk.exe 2832 Encchoml.exe 3024 Edmkei32.exe 2844 Epdljjjm.exe 2900 Ekipgb32.exe 1572 Flkmokoa.exe 2200 Fjomhonj.exe 2104 Fgbnbcmd.exe 2496 Fjajno32.exe 2872 Fhfgokap.exe 3000 Fkdckgpc.exe 448 Fbnkha32.exe 3036 Fdmgdl32.exe 2076 Fmdpejgf.exe 896 Foblaefj.exe 2276 Gfldno32.exe 1520 Gikpjk32.exe 1704 Godhgedg.exe 2172 Gimmpj32.exe 1080 Ggpmkgab.exe 1556 Gnjehaio.exe 3056 Gqhadmhc.exe 2548 Ggbjag32.exe 2316 Gknfaehi.exe 2840 Gnlbnagl.exe 2788 Gqknjlfp.exe 2784 Gfggbcdg.exe 2652 Gnoocq32.exe 1964 Gamkol32.exe 2632 Gggclfkj.exe 1540 Gjephakn.exe 780 Haohel32.exe 2572 Hbqdldhi.exe 2976 Hijmin32.exe 1284 Hliieioi.exe 264 Hfnmbbnp.exe 2176 Himionmc.exe 2220 Hlkekilg.exe 696 Hfajhblm.exe 1880 Hhbfpj32.exe -
Loads dropped DLL 64 IoCs
pid Process 1380 af74831d9c8e089aca0b932c4412f46226544c94fa4c3874ada390bb8cb00762.exe 1380 af74831d9c8e089aca0b932c4412f46226544c94fa4c3874ada390bb8cb00762.exe 1204 Afbpnlcd.exe 1204 Afbpnlcd.exe 2252 Akphfbbl.exe 2252 Akphfbbl.exe 2848 Aehmoh32.exe 2848 Aehmoh32.exe 2232 Aaondi32.exe 2232 Aaondi32.exe 2656 Bnbnnm32.exe 2656 Bnbnnm32.exe 2108 Bjiobnbn.exe 2108 Bjiobnbn.exe 2124 Bfppgohb.exe 2124 Bfppgohb.exe 2224 Baecehhh.exe 2224 Baecehhh.exe 2500 Bpkqfdmp.exe 2500 Bpkqfdmp.exe 2988 Cpmmkdkn.exe 2988 Cpmmkdkn.exe 2992 Cejfckie.exe 2992 Cejfckie.exe 1344 Cobjmq32.exe 1344 Cobjmq32.exe 2596 Cjikaa32.exe 2596 Cjikaa32.exe 2280 Cmjdcm32.exe 2280 Cmjdcm32.exe 884 Coiqmp32.exe 884 Coiqmp32.exe 2524 Dajiok32.exe 2524 Dajiok32.exe 2268 Dkekmp32.exe 2268 Dkekmp32.exe 1384 Ddmofeam.exe 1384 Ddmofeam.exe 2404 Dglkba32.exe 2404 Dglkba32.exe 1368 Dogpfc32.exe 1368 Dogpfc32.exe 268 Dhodpidl.exe 268 Dhodpidl.exe 2432 Eokiabjf.exe 2432 Eokiabjf.exe 1992 Edhbjjhn.exe 1992 Edhbjjhn.exe 2000 Ealbcngg.exe 2000 Ealbcngg.exe 2932 Edkopifk.exe 2932 Edkopifk.exe 2832 Encchoml.exe 2832 Encchoml.exe 3024 Edmkei32.exe 3024 Edmkei32.exe 2844 Epdljjjm.exe 2844 Epdljjjm.exe 2900 Ekipgb32.exe 2900 Ekipgb32.exe 1572 Flkmokoa.exe 1572 Flkmokoa.exe 2200 Fjomhonj.exe 2200 Fjomhonj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nojinbej.dll Pddinn32.exe File opened for modification C:\Windows\SysWOW64\Hogddpld.exe Hfookk32.exe File created C:\Windows\SysWOW64\Dogpfc32.exe Dglkba32.exe File created C:\Windows\SysWOW64\Hfajhblm.exe Hlkekilg.exe File opened for modification C:\Windows\SysWOW64\Kmbclj32.exe Kghkppbp.exe File created C:\Windows\SysWOW64\Liibigjq.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oakaheoa.exe Okailkhd.exe File opened for modification C:\Windows\SysWOW64\Hjplao32.exe Hgaoec32.exe File created C:\Windows\SysWOW64\Bnaacb32.dll Pojgnf32.exe File created C:\Windows\SysWOW64\Cfmceomm.exe Cnekcblk.exe File created C:\Windows\SysWOW64\Lnopmegg.exe Lkqdajhc.exe File created C:\Windows\SysWOW64\Lcnhcdkp.exe Lamkllea.exe File opened for modification C:\Windows\SysWOW64\Nmkbfmpf.exe Njmejaqb.exe File opened for modification C:\Windows\SysWOW64\Hfajhblm.exe Hlkekilg.exe File opened for modification C:\Windows\SysWOW64\Nlgfqldf.exe Memncbmj.exe File created C:\Windows\SysWOW64\Mnneabff.exe Mgdmeh32.exe File created C:\Windows\SysWOW64\Chfffk32.exe Cblniaii.exe File created C:\Windows\SysWOW64\Ginefe32.exe Gcdmikma.exe File opened for modification C:\Windows\SysWOW64\Lfonlg32.exe Lqbfdp32.exe File created C:\Windows\SysWOW64\Bnkmakbb.exe Bineidcj.exe File created C:\Windows\SysWOW64\Jgmofbpk.exe Jpcfih32.exe File opened for modification C:\Windows\SysWOW64\Djcpqidc.exe Dpmlcpdm.exe File created C:\Windows\SysWOW64\Lkafib32.exe Lednal32.exe File created C:\Windows\SysWOW64\Ncmjnjgd.dll Dfpcdh32.exe File created C:\Windows\SysWOW64\Ebemnc32.exe Elleai32.exe File created C:\Windows\SysWOW64\Bhoqqojp.dll Mjkmfn32.exe File created C:\Windows\SysWOW64\Nbmcjc32.exe Nqkgbkdj.exe File created C:\Windows\SysWOW64\Opdnaj32.dll Gllabp32.exe File opened for modification C:\Windows\SysWOW64\Dmaoem32.exe Dfhficcn.exe File opened for modification C:\Windows\SysWOW64\Lkoidcaj.exe Lddagi32.exe File created C:\Windows\SysWOW64\Bdcdaglf.dll Ngfhbd32.exe File opened for modification C:\Windows\SysWOW64\Fjomhonj.exe Flkmokoa.exe File created C:\Windows\SysWOW64\Minhfcle.dll Qkbkfh32.exe File created C:\Windows\SysWOW64\Ifpbfc32.dll Gaajfi32.exe File created C:\Windows\SysWOW64\Fagqed32.exe Foidii32.exe File created C:\Windows\SysWOW64\Mofgfk32.dll Nfcoel32.exe File created C:\Windows\SysWOW64\Cdmeekeb.dll Jcnmme32.exe File created C:\Windows\SysWOW64\Iljkofkg.exe Iilocklc.exe File created C:\Windows\SysWOW64\Flbgak32.exe Fehodaqd.exe File opened for modification C:\Windows\SysWOW64\Mknohpqj.exe Mdcfle32.exe File created C:\Windows\SysWOW64\Ppbfmdfo.exe Pihnqj32.exe File created C:\Windows\SysWOW64\Djhldahb.exe Dcnchg32.exe File created C:\Windows\SysWOW64\Ceoinjaa.dll Peooek32.exe File opened for modification C:\Windows\SysWOW64\Lkcqfifp.exe Lqmliqfj.exe File opened for modification C:\Windows\SysWOW64\Lcnhcdkp.exe Lamkllea.exe File created C:\Windows\SysWOW64\Jmhile32.exe Jjimpj32.exe File created C:\Windows\SysWOW64\Bnpdkcam.dll Mdhpgeeg.exe File created C:\Windows\SysWOW64\Mjelbl32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Iflmlfcn.exe Iekpdn32.exe File created C:\Windows\SysWOW64\Iklbhdga.exe Idbjkj32.exe File created C:\Windows\SysWOW64\Nlgqod32.dll Dcnchg32.exe File created C:\Windows\SysWOW64\Bfjijo32.dll Kfnmnojj.exe File created C:\Windows\SysWOW64\Bigmoadp.dll Elbkbh32.exe File created C:\Windows\SysWOW64\Kigidd32.exe Process not Found File created C:\Windows\SysWOW64\Hgaoec32.exe Hmlkhk32.exe File created C:\Windows\SysWOW64\Egdjfo32.exe Edenjc32.exe File created C:\Windows\SysWOW64\Ibmmkaik.exe Ilceog32.exe File created C:\Windows\SysWOW64\Dgiahe32.dll Fpcghl32.exe File opened for modification C:\Windows\SysWOW64\Galfpgpg.exe Gkancm32.exe File created C:\Windows\SysWOW64\Hopgikop.exe Glajmppm.exe File created C:\Windows\SysWOW64\Keekeg32.exe Kbgnil32.exe File created C:\Windows\SysWOW64\Baakem32.exe Bjjcdp32.exe File created C:\Windows\SysWOW64\Bfcqoqeh.exe Bgqqcd32.exe File created C:\Windows\SysWOW64\Hkqiadeq.dll Fgbnbcmd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4540 4492 Process not Found 1138 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibnoen32.dll" Bnemlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mjeholco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qhdfdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jnppei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepjmp32.dll" Kkglim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohglnm.dll" Llalgdbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ilceog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifkfap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfighccb.dll" Pdllci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjcjb32.dll" Polakmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iilocklc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obakli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ekmjanpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnaacb32.dll" Pojgnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbkca32.dll" Ajjeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nadann32.dll" Cobjmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Moahdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nbegonmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klnkaf32.dll" Jiclnpjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mginjnnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gokmnlcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkggja32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eokiabjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llfcik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjigh32.dll" Egbffj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Moloidjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofnglhg.dll" Nhalag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojnhdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Egdjfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kommediq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eoqeekme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obopobhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pdllci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Apgcbmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gknfaehi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emfbgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djqdgfho.dll" Hjnaehgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jijqeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfco32.dll" Dbcnpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kdeehe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkcfak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djcpqidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmocck32.dll" Mccaodgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fimclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfemieq.dll" Lqbfdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mekjoc32.dll" Mfhabe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lcnhcdkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Flkmokoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmegodpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcpbc32.dll" Kaillp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcgjcoid.dll" Dhjdjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ibpjaagi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oiniaboi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajjeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbacpl32.dll" Cfpgee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mogcelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ificlp32.dll" Bnkmakbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgidnobg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1380 wrote to memory of 1204 1380 af74831d9c8e089aca0b932c4412f46226544c94fa4c3874ada390bb8cb00762.exe 30 PID 1380 wrote to memory of 1204 1380 af74831d9c8e089aca0b932c4412f46226544c94fa4c3874ada390bb8cb00762.exe 30 PID 1380 wrote to memory of 1204 1380 af74831d9c8e089aca0b932c4412f46226544c94fa4c3874ada390bb8cb00762.exe 30 PID 1380 wrote to memory of 1204 1380 af74831d9c8e089aca0b932c4412f46226544c94fa4c3874ada390bb8cb00762.exe 30 PID 1204 wrote to memory of 2252 1204 Afbpnlcd.exe 31 PID 1204 wrote to memory of 2252 1204 Afbpnlcd.exe 31 PID 1204 wrote to memory of 2252 1204 Afbpnlcd.exe 31 PID 1204 wrote to memory of 2252 1204 Afbpnlcd.exe 31 PID 2252 wrote to memory of 2848 2252 Akphfbbl.exe 32 PID 2252 wrote to memory of 2848 2252 Akphfbbl.exe 32 PID 2252 wrote to memory of 2848 2252 Akphfbbl.exe 32 PID 2252 wrote to memory of 2848 2252 Akphfbbl.exe 32 PID 2848 wrote to memory of 2232 2848 Aehmoh32.exe 33 PID 2848 wrote to memory of 2232 2848 Aehmoh32.exe 33 PID 2848 wrote to memory of 2232 2848 Aehmoh32.exe 33 PID 2848 wrote to memory of 2232 2848 Aehmoh32.exe 33 PID 2232 wrote to memory of 2656 2232 Aaondi32.exe 34 PID 2232 wrote to memory of 2656 2232 Aaondi32.exe 34 PID 2232 wrote to memory of 2656 2232 Aaondi32.exe 34 PID 2232 wrote to memory of 2656 2232 Aaondi32.exe 34 PID 2656 wrote to memory of 2108 2656 Bnbnnm32.exe 35 PID 2656 wrote to memory of 2108 2656 Bnbnnm32.exe 35 PID 2656 wrote to memory of 2108 2656 Bnbnnm32.exe 35 PID 2656 wrote to memory of 2108 2656 Bnbnnm32.exe 35 PID 2108 wrote to memory of 2124 2108 Bjiobnbn.exe 36 PID 2108 wrote to memory of 2124 2108 Bjiobnbn.exe 36 PID 2108 wrote to memory of 2124 2108 Bjiobnbn.exe 36 PID 2108 wrote to memory of 2124 2108 Bjiobnbn.exe 36 PID 2124 wrote to memory of 2224 2124 Bfppgohb.exe 37 PID 2124 wrote to memory of 2224 2124 Bfppgohb.exe 37 PID 2124 wrote to memory of 2224 2124 Bfppgohb.exe 37 PID 2124 wrote to memory of 2224 2124 Bfppgohb.exe 37 PID 2224 wrote to memory of 2500 2224 Baecehhh.exe 38 PID 2224 wrote to memory of 2500 2224 Baecehhh.exe 38 PID 2224 wrote to memory of 2500 2224 Baecehhh.exe 38 PID 2224 wrote to memory of 2500 2224 Baecehhh.exe 38 PID 2500 wrote to memory of 2988 2500 Bpkqfdmp.exe 39 PID 2500 wrote to memory of 2988 2500 Bpkqfdmp.exe 39 PID 2500 wrote to memory of 2988 2500 Bpkqfdmp.exe 39 PID 2500 wrote to memory of 2988 2500 Bpkqfdmp.exe 39 PID 2988 wrote to memory of 2992 2988 Cpmmkdkn.exe 40 PID 2988 wrote to memory of 2992 2988 Cpmmkdkn.exe 40 PID 2988 wrote to memory of 2992 2988 Cpmmkdkn.exe 40 PID 2988 wrote to memory of 2992 2988 Cpmmkdkn.exe 40 PID 2992 wrote to memory of 1344 2992 Cejfckie.exe 41 PID 2992 wrote to memory of 1344 2992 Cejfckie.exe 41 PID 2992 wrote to memory of 1344 2992 Cejfckie.exe 41 PID 2992 wrote to memory of 1344 2992 Cejfckie.exe 41 PID 1344 wrote to memory of 2596 1344 Cobjmq32.exe 42 PID 1344 wrote to memory of 2596 1344 Cobjmq32.exe 42 PID 1344 wrote to memory of 2596 1344 Cobjmq32.exe 42 PID 1344 wrote to memory of 2596 1344 Cobjmq32.exe 42 PID 2596 wrote to memory of 2280 2596 Cjikaa32.exe 43 PID 2596 wrote to memory of 2280 2596 Cjikaa32.exe 43 PID 2596 wrote to memory of 2280 2596 Cjikaa32.exe 43 PID 2596 wrote to memory of 2280 2596 Cjikaa32.exe 43 PID 2280 wrote to memory of 884 2280 Cmjdcm32.exe 44 PID 2280 wrote to memory of 884 2280 Cmjdcm32.exe 44 PID 2280 wrote to memory of 884 2280 Cmjdcm32.exe 44 PID 2280 wrote to memory of 884 2280 Cmjdcm32.exe 44 PID 884 wrote to memory of 2524 884 Coiqmp32.exe 45 PID 884 wrote to memory of 2524 884 Coiqmp32.exe 45 PID 884 wrote to memory of 2524 884 Coiqmp32.exe 45 PID 884 wrote to memory of 2524 884 Coiqmp32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\af74831d9c8e089aca0b932c4412f46226544c94fa4c3874ada390bb8cb00762.exe"C:\Users\Admin\AppData\Local\Temp\af74831d9c8e089aca0b932c4412f46226544c94fa4c3874ada390bb8cb00762.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Afbpnlcd.exeC:\Windows\system32\Afbpnlcd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Akphfbbl.exeC:\Windows\system32\Akphfbbl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Aehmoh32.exeC:\Windows\system32\Aehmoh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Aaondi32.exeC:\Windows\system32\Aaondi32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Bnbnnm32.exeC:\Windows\system32\Bnbnnm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Bjiobnbn.exeC:\Windows\system32\Bjiobnbn.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Bfppgohb.exeC:\Windows\system32\Bfppgohb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Baecehhh.exeC:\Windows\system32\Baecehhh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Bpkqfdmp.exeC:\Windows\system32\Bpkqfdmp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Cpmmkdkn.exeC:\Windows\system32\Cpmmkdkn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Cejfckie.exeC:\Windows\system32\Cejfckie.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Cobjmq32.exeC:\Windows\system32\Cobjmq32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Cjikaa32.exeC:\Windows\system32\Cjikaa32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Cmjdcm32.exeC:\Windows\system32\Cmjdcm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Coiqmp32.exeC:\Windows\system32\Coiqmp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Dajiok32.exeC:\Windows\system32\Dajiok32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Dkekmp32.exeC:\Windows\system32\Dkekmp32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Ddmofeam.exeC:\Windows\system32\Ddmofeam.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1384 -
C:\Windows\SysWOW64\Dglkba32.exeC:\Windows\system32\Dglkba32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Dogpfc32.exeC:\Windows\system32\Dogpfc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1368 -
C:\Windows\SysWOW64\Dhodpidl.exeC:\Windows\system32\Dhodpidl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:268 -
C:\Windows\SysWOW64\Eokiabjf.exeC:\Windows\system32\Eokiabjf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Edhbjjhn.exeC:\Windows\system32\Edhbjjhn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Ealbcngg.exeC:\Windows\system32\Ealbcngg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Edkopifk.exeC:\Windows\system32\Edkopifk.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Encchoml.exeC:\Windows\system32\Encchoml.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Edmkei32.exeC:\Windows\system32\Edmkei32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Epdljjjm.exeC:\Windows\system32\Epdljjjm.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Ekipgb32.exeC:\Windows\system32\Ekipgb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Flkmokoa.exeC:\Windows\system32\Flkmokoa.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Fjomhonj.exeC:\Windows\system32\Fjomhonj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Fgbnbcmd.exeC:\Windows\system32\Fgbnbcmd.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Fjajno32.exeC:\Windows\system32\Fjajno32.exe34⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Fhfgokap.exeC:\Windows\system32\Fhfgokap.exe35⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Fkdckgpc.exeC:\Windows\system32\Fkdckgpc.exe36⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Fbnkha32.exeC:\Windows\system32\Fbnkha32.exe37⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Fdmgdl32.exeC:\Windows\system32\Fdmgdl32.exe38⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Fmdpejgf.exeC:\Windows\system32\Fmdpejgf.exe39⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Foblaefj.exeC:\Windows\system32\Foblaefj.exe40⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Gfldno32.exeC:\Windows\system32\Gfldno32.exe41⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Gikpjk32.exeC:\Windows\system32\Gikpjk32.exe42⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Godhgedg.exeC:\Windows\system32\Godhgedg.exe43⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Gimmpj32.exeC:\Windows\system32\Gimmpj32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Ggpmkgab.exeC:\Windows\system32\Ggpmkgab.exe45⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Gnjehaio.exeC:\Windows\system32\Gnjehaio.exe46⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Gqhadmhc.exeC:\Windows\system32\Gqhadmhc.exe47⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Ggbjag32.exeC:\Windows\system32\Ggbjag32.exe48⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Gknfaehi.exeC:\Windows\system32\Gknfaehi.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Gnlbnagl.exeC:\Windows\system32\Gnlbnagl.exe50⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Gqknjlfp.exeC:\Windows\system32\Gqknjlfp.exe51⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Gfggbcdg.exeC:\Windows\system32\Gfggbcdg.exe52⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Gnoocq32.exeC:\Windows\system32\Gnoocq32.exe53⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Gamkol32.exeC:\Windows\system32\Gamkol32.exe54⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Gggclfkj.exeC:\Windows\system32\Gggclfkj.exe55⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Gjephakn.exeC:\Windows\system32\Gjephakn.exe56⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Haohel32.exeC:\Windows\system32\Haohel32.exe57⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Hbqdldhi.exeC:\Windows\system32\Hbqdldhi.exe58⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Hijmin32.exeC:\Windows\system32\Hijmin32.exe59⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Hliieioi.exeC:\Windows\system32\Hliieioi.exe60⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Hfnmbbnp.exeC:\Windows\system32\Hfnmbbnp.exe61⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Himionmc.exeC:\Windows\system32\Himionmc.exe62⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Hlkekilg.exeC:\Windows\system32\Hlkekilg.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Hfajhblm.exeC:\Windows\system32\Hfajhblm.exe64⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Hhbfpj32.exeC:\Windows\system32\Hhbfpj32.exe65⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Hpinagbm.exeC:\Windows\system32\Hpinagbm.exe66⤵PID:2400
-
C:\Windows\SysWOW64\Hefginae.exeC:\Windows\system32\Hefginae.exe67⤵PID:1064
-
C:\Windows\SysWOW64\Hlpofh32.exeC:\Windows\system32\Hlpofh32.exe68⤵PID:2344
-
C:\Windows\SysWOW64\Hbjgbbpn.exeC:\Windows\system32\Hbjgbbpn.exe69⤵PID:2068
-
C:\Windows\SysWOW64\Hamgno32.exeC:\Windows\system32\Hamgno32.exe70⤵PID:2060
-
C:\Windows\SysWOW64\Ilblkh32.exeC:\Windows\system32\Ilblkh32.exe71⤵PID:1596
-
C:\Windows\SysWOW64\Inqhhc32.exeC:\Windows\system32\Inqhhc32.exe72⤵PID:2216
-
C:\Windows\SysWOW64\Iekpdn32.exeC:\Windows\system32\Iekpdn32.exe73⤵
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Iflmlfcn.exeC:\Windows\system32\Iflmlfcn.exe74⤵PID:2664
-
C:\Windows\SysWOW64\Iocdmccp.exeC:\Windows\system32\Iocdmccp.exe75⤵PID:920
-
C:\Windows\SysWOW64\Iaaaiobc.exeC:\Windows\system32\Iaaaiobc.exe76⤵PID:2644
-
C:\Windows\SysWOW64\Ifniaeqk.exeC:\Windows\system32\Ifniaeqk.exe77⤵PID:2476
-
C:\Windows\SysWOW64\Idbjkj32.exeC:\Windows\system32\Idbjkj32.exe78⤵
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Iklbhdga.exeC:\Windows\system32\Iklbhdga.exe79⤵PID:2732
-
C:\Windows\SysWOW64\Ifcbme32.exeC:\Windows\system32\Ifcbme32.exe80⤵PID:2196
-
C:\Windows\SysWOW64\Ilpkel32.exeC:\Windows\system32\Ilpkel32.exe81⤵PID:1768
-
C:\Windows\SysWOW64\Jongag32.exeC:\Windows\system32\Jongag32.exe82⤵PID:2184
-
C:\Windows\SysWOW64\Jiclnpjg.exeC:\Windows\system32\Jiclnpjg.exe83⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Jlbhjkij.exeC:\Windows\system32\Jlbhjkij.exe84⤵PID:2136
-
C:\Windows\SysWOW64\Jblpge32.exeC:\Windows\system32\Jblpge32.exe85⤵PID:2528
-
C:\Windows\SysWOW64\Jejlca32.exeC:\Windows\system32\Jejlca32.exe86⤵PID:1104
-
C:\Windows\SysWOW64\Jlddpkgh.exeC:\Windows\system32\Jlddpkgh.exe87⤵PID:1636
-
C:\Windows\SysWOW64\Jcnmme32.exeC:\Windows\system32\Jcnmme32.exe88⤵
- Drops file in System32 directory
PID:1132 -
C:\Windows\SysWOW64\Jhkeelml.exeC:\Windows\system32\Jhkeelml.exe89⤵PID:1584
-
C:\Windows\SysWOW64\Jnhnmckc.exeC:\Windows\system32\Jnhnmckc.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2812 -
C:\Windows\SysWOW64\Jdbfjm32.exeC:\Windows\system32\Jdbfjm32.exe91⤵PID:3032
-
C:\Windows\SysWOW64\Jgpbfh32.exeC:\Windows\system32\Jgpbfh32.exe92⤵PID:1908
-
C:\Windows\SysWOW64\Jogjgf32.exeC:\Windows\system32\Jogjgf32.exe93⤵PID:2800
-
C:\Windows\SysWOW64\Jpigonhd.exeC:\Windows\system32\Jpigonhd.exe94⤵PID:2468
-
C:\Windows\SysWOW64\Jhpopk32.exeC:\Windows\system32\Jhpopk32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2472 -
C:\Windows\SysWOW64\Kknklg32.exeC:\Windows\system32\Kknklg32.exe96⤵PID:1996
-
C:\Windows\SysWOW64\Kahciaog.exeC:\Windows\system32\Kahciaog.exe97⤵PID:2160
-
C:\Windows\SysWOW64\Kcipqi32.exeC:\Windows\system32\Kcipqi32.exe98⤵PID:1576
-
C:\Windows\SysWOW64\Kjchmclb.exeC:\Windows\system32\Kjchmclb.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:560 -
C:\Windows\SysWOW64\Kpmpjm32.exeC:\Windows\system32\Kpmpjm32.exe100⤵PID:1532
-
C:\Windows\SysWOW64\Kcllfi32.exeC:\Windows\system32\Kcllfi32.exe101⤵PID:2588
-
C:\Windows\SysWOW64\Kfjibdbf.exeC:\Windows\system32\Kfjibdbf.exe102⤵PID:320
-
C:\Windows\SysWOW64\Kldaon32.exeC:\Windows\system32\Kldaon32.exe103⤵PID:2056
-
C:\Windows\SysWOW64\Kcnilhap.exeC:\Windows\system32\Kcnilhap.exe104⤵PID:1480
-
C:\Windows\SysWOW64\Kjhahb32.exeC:\Windows\system32\Kjhahb32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1592 -
C:\Windows\SysWOW64\Khkadoog.exeC:\Windows\system32\Khkadoog.exe106⤵PID:2756
-
C:\Windows\SysWOW64\Koejqi32.exeC:\Windows\system32\Koejqi32.exe107⤵PID:2744
-
C:\Windows\SysWOW64\Kbcfme32.exeC:\Windows\system32\Kbcfme32.exe108⤵PID:2704
-
C:\Windows\SysWOW64\Kjjnnbfj.exeC:\Windows\system32\Kjjnnbfj.exe109⤵PID:2492
-
C:\Windows\SysWOW64\Klijjnen.exeC:\Windows\system32\Klijjnen.exe110⤵PID:2964
-
C:\Windows\SysWOW64\Kccbgh32.exeC:\Windows\system32\Kccbgh32.exe111⤵PID:1152
-
C:\Windows\SysWOW64\Lfaocc32.exeC:\Windows\system32\Lfaocc32.exe112⤵PID:2188
-
C:\Windows\SysWOW64\Lhpkoo32.exeC:\Windows\system32\Lhpkoo32.exe113⤵PID:2428
-
C:\Windows\SysWOW64\Lojclibo.exeC:\Windows\system32\Lojclibo.exe114⤵PID:548
-
C:\Windows\SysWOW64\Lbhphdab.exeC:\Windows\system32\Lbhphdab.exe115⤵PID:1944
-
C:\Windows\SysWOW64\Lhbhdnio.exeC:\Windows\system32\Lhbhdnio.exe116⤵PID:1496
-
C:\Windows\SysWOW64\Lkqdajhc.exeC:\Windows\system32\Lkqdajhc.exe117⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Lnopmegg.exeC:\Windows\system32\Lnopmegg.exe118⤵PID:1788
-
C:\Windows\SysWOW64\Lqmliqfj.exeC:\Windows\system32\Lqmliqfj.exe119⤵
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Lkcqfifp.exeC:\Windows\system32\Lkcqfifp.exe120⤵PID:2640
-
C:\Windows\SysWOW64\Lbmicc32.exeC:\Windows\system32\Lbmicc32.exe121⤵PID:1948
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-