Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 09/03/2024, 20:43

Static task: static1

Behavioral task: behavioral1
Sample: 09d0776e86d7a40a3a02848bdbd895e22b16e997b1ad5a41e15da745e46a44db.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 09d0776e86d7a40a3a02848bdbd895e22b16e997b1ad5a41e15da745e46a44db.exe
Resource: win10v2004-20240226-en

General
Target: 09d0776e86d7a40a3a02848bdbd895e22b16e997b1ad5a41e15da745e46a44db.exe
Size: 439KB
MD5: adb30375235d2c7e5416b40d307b6aa8
SHA1: d0223d39fa3f87b753d7883036d3ce322e1d8c53
SHA256: 09d0776e86d7a40a3a02848bdbd895e22b16e997b1ad5a41e15da745e46a44db
SHA512: 52b56b69dfd47ba1760db8624913f58ac82efa919d6c1bc6c28a5dfa26614dd5d0efa99c6e6ccead21363f9a2db4aa8e4cd21192f7f3d499682cde16330b8fba
SSDEEP: 12288:rKPMwONtDp9V3PeKm2OPeKm22Vtp90NtmVtp90NtXONt:AuDpLpEkpEY
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Detects executables packed with ConfuserEx Mod (64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 4336, pid_target: 4240, Process: WerFault.exe, procid_target: 399
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | entries
PID 2936 wrote to memory of 2952 | 2936 | 09d0776e86d7a40a3a02848bdbd895e22b16e997b1ad5a41e15da745e46a44db.exe | 28 | logged 4 times
PID 2952 wrote to memory of 1632 | 2952 | Klqfhbbe.exe | 29 | logged 4 times
PID 1632 wrote to memory of 2568 | 1632 | Kdlkld32.exe | 30 | logged 4 times
PID 2568 wrote to memory of 2596 | 2568 | Ldnhad32.exe | 31 | logged 4 times
PID 2596 wrote to memory of 2624 | 2596 | Ldqegd32.exe | 32 | logged 4 times
PID 2624 wrote to memory of 2552 | 2624 | Lbfahp32.exe | 33 | logged 4 times
PID 2552 wrote to memory of 2560 | 2552 | Lpjbad32.exe | 34 | logged 4 times
PID 2560 wrote to memory of 3044 | 2560 | Mgfgdn32.exe | 35 | logged 4 times
PID 3044 wrote to memory of 2864 | 3044 | Maphdl32.exe | 36 | logged 4 times
PID 2864 wrote to memory of 2768 | 2864 | Mlelaeqk.exe | 37 | logged 4 times
PID 2768 wrote to memory of 2776 | 2768 | Mhlmgf32.exe | 38 | logged 4 times
PID 2776 wrote to memory of 1804 | 2776 | Mhnjle32.exe | 39 | logged 4 times
PID 1804 wrote to memory of 1792 | 1804 | Ndgggf32.exe | 40 | logged 4 times
PID 1792 wrote to memory of 2192 | 1792 | Nlblkhei.exe | 41 | logged 4 times
PID 2192 wrote to memory of 1252 | 2192 | Nghphaeo.exe | 42 | logged 4 times
PID 1252 wrote to memory of 1500 | 1252 | Nhlifi32.exe | 43 | logged 4 times
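The two signature lists above carry the report's whole story: a CLSID registered under ShellServiceObjectDelayLoad so that Explorer.exe loads the dropped DLL at startup, and a straight chain of "wrote to memory of" events as each generation launches the next. The Python below is an added example, not part of the sandbox report or its tooling. It parses lines in exactly the shape the report prints, using a handful of constructed sample lines embedded in the script rather than the full 64-entry lists, joins each ShellServiceObjectDelayLoad value to the DLL its CLSID's InProcServer32 default value points at, and rebuilds the spawn chain while collapsing the four duplicate entries the sandbox records per hand-off. The "rewritten" flag is this example's own heuristic: one CLSID pointed at several different DLLs by several different processes is what a self-replicating binary refreshing its own persistence looks like.

```python
"""Triage helpers for two signature formats printed by the sandbox report:
registry IoC lines (Set value / Key created) and 'wrote to memory of' lines."""
import re
from collections import Counter, defaultdict

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")

# Constructed sample: a few lines in the exact shape the report prints above,
# not the full IoC lists. Backslashes inside quoted data appear doubled in the report.
REGISTRY_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfgaiaci.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abbbnchb.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlcgeo32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpclc32.dll" Pefijfii.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eilpeooq.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eppmppld.dll" Mgnfhlin.exe',
]

SAMPLE = "09d0776e86d7a40a3a02848bdbd895e22b16e997b1ad5a41e15da745e46a44db.exe"
# Constructed sample of the 'wrote to memory of' list; the sandbox logs each
# hand-off several times, reproduced here for the first two edges.
WPM_LINES = [f"PID 2936 wrote to memory of 2952 2936 {SAMPLE} 28"] * 4 + [
    "PID 2952 wrote to memory of 1632 2952 Klqfhbbe.exe 29",
    "PID 2952 wrote to memory of 1632 2952 Klqfhbbe.exe 29",
    "PID 1632 wrote to memory of 2568 1632 Kdlkld32.exe 30",
    "PID 2568 wrote to memory of 2596 2568 Ldnhad32.exe 31",
]


def parse_registry_iocs(lines):
    """Return (ssodl, inproc).
    ssodl  = [(value_name, clsid, writing_process)] for ShellServiceObjectDelayLoad values
    inproc = {clsid: {dll_path: writing_process}} for InProcServer32 default values
    'Key created' lines carry no data and are skipped."""
    ssodl, inproc = [], defaultdict(dict)
    for line in lines:
        m = SET_RE.match(line.strip())
        if not m:
            continue
        _type, full_path, data, proc = m.groups()
        key, _, name = full_path.rpartition("\\")  # name == "" for the (Default) value
        if key.endswith("\\ShellServiceObjectDelayLoad") and CLSID_RE.fullmatch(data):
            ssodl.append((name, data.upper(), proc))
        elif key.endswith("\\InProcServer32") and name == "":
            clsid = CLSID_RE.search(key)
            if clsid:
                inproc[clsid.group(0).upper()][data.replace("\\\\", "\\")] = proc
    return ssodl, dict(inproc)


def resolve_persistence(ssodl, inproc):
    """Join each SSODL value to the DLL(s) its CLSID currently resolves to."""
    grouped = defaultdict(set)
    for name, clsid, proc in ssodl:
        grouped[(name, clsid)].add(proc)
    report = []
    for (name, clsid), procs in grouped.items():
        dlls = inproc.get(clsid, {})
        report.append({
            "value": name,
            "clsid": clsid,
            "set_by": sorted(procs),
            "dlls": sorted(dlls),
            # heuristic (this example's own): the same CLSID re-pointed at several
            # DLLs, or the same value re-set by several processes, is a worm
            # refreshing its persistence, not a normal COM registration
            "rewritten": len(dlls) > 1 or len(procs) > 1,
        })
    return report


def spawn_chain(lines):
    """Rebuild the parent -> child chain from 'wrote to memory of' lines.
    Returns (chain, writes): chain = [(pid, image_name)], writes = Counter of
    (parent, child) -> number of times the sandbox logged that edge."""
    writes, names = Counter(), {}
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        parent, child, pname, _target = m.groups()
        writes[(int(parent), int(child))] += 1
        names[int(parent)] = pname  # only the writing side's image name is on the line
    children = defaultdict(list)
    for parent, child in writes:
        children[parent].append(child)
    targets = {child for _, child in writes}
    roots = [p for p, _ in writes if p not in targets]
    chain, pid, seen = [], (roots[0] if roots else None), set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append((pid, names.get(pid, "<unknown>")))
        kids = children.get(pid, [])
        pid = kids[0] if kids else None  # the report is a straight line; follow the first child
    return chain, writes


if __name__ == "__main__":
    for entry in resolve_persistence(*parse_registry_iocs(REGISTRY_IOCS)):
        print(entry)
    chain, writes = spawn_chain(WPM_LINES)
    print(" -> ".join(f"{pid}:{name}" for pid, name in chain))
```

The last process in the chain comes back as `<unknown>` because the "wrote to memory of" list only names the writing side; the process tree below is what supplies the child's image name. Feed the script the complete lists from the report and the chain will match the tree's depth ordering.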
Processes
-
depth | PID | image | command line | signatures
1 | 2936 | C:\Users\Admin\AppData\Local\Temp\09d0776e86d7a40a3a02848bdbd895e22b16e997b1ad5a41e15da745e46a44db.exe | "C:\Users\Admin\AppData\Local\Temp\09d0776e86d7a40a3a02848bdbd895e22b16e997b1ad5a41e15da745e46a44db.exe" | Loads dropped DLL; Suspicious use of WriteProcessMemory
2 | 2952 | C:\Windows\SysWOW64\Klqfhbbe.exe | C:\Windows\system32\Klqfhbbe.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3 | 1632 | C:\Windows\SysWOW64\Kdlkld32.exe | C:\Windows\system32\Kdlkld32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4 | 2568 | C:\Windows\SysWOW64\Ldnhad32.exe | C:\Windows\system32\Ldnhad32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5 | 2596 | C:\Windows\SysWOW64\Ldqegd32.exe | C:\Windows\system32\Ldqegd32.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
6 | 2624 | C:\Windows\SysWOW64\Lbfahp32.exe | C:\Windows\system32\Lbfahp32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
7 | 2552 | C:\Windows\SysWOW64\Lpjbad32.exe | C:\Windows\system32\Lpjbad32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8 | 2560 | C:\Windows\SysWOW64\Mgfgdn32.exe | C:\Windows\system32\Mgfgdn32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9 | 3044 | C:\Windows\SysWOW64\Maphdl32.exe | C:\Windows\system32\Maphdl32.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
10 | 2864 | C:\Windows\SysWOW64\Mlelaeqk.exe | C:\Windows\system32\Mlelaeqk.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11 | 2768 | C:\Windows\SysWOW64\Mhlmgf32.exe | C:\Windows\system32\Mhlmgf32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12 | 2776 | C:\Windows\SysWOW64\Mhnjle32.exe | C:\Windows\system32\Mhnjle32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
13 | 1804 | C:\Windows\SysWOW64\Ndgggf32.exe | C:\Windows\system32\Ndgggf32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14 | 1792 | C:\Windows\SysWOW64\Nlblkhei.exe | C:\Windows\system32\Nlblkhei.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15 | 2192 | C:\Windows\SysWOW64\Nghphaeo.exe | C:\Windows\system32\Nghphaeo.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16 | 1252 | C:\Windows\SysWOW64\Nhlifi32.exe | C:\Windows\system32\Nhlifi32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17 | 1500 | C:\Windows\SysWOW64\Nccjhafn.exe | C:\Windows\system32\Nccjhafn.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
18 | 2036 | C:\Windows\SysWOW64\Okalbc32.exe | C:\Windows\system32\Okalbc32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
19 | 1280 | C:\Windows\SysWOW64\Obnqem32.exe | C:\Windows\system32\Obnqem32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class
20 | 700 | C:\Windows\SysWOW64\Okfencna.exe | C:\Windows\system32\Okfencna.exe | Executes dropped EXE; Loads dropped DLL
21 | 1372 | C:\Windows\SysWOW64\Ofpfnqjp.exe | C:\Windows\system32\Ofpfnqjp.exe | Executes dropped EXE; Loads dropped DLL
22 | 2340 | C:\Windows\SysWOW64\Pphjgfqq.exe | C:\Windows\system32\Pphjgfqq.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
23 | 2316 | C:\Windows\SysWOW64\Pfbccp32.exe | C:\Windows\system32\Pfbccp32.exe | Executes dropped EXE; Loads dropped DLL
24 | 1040 | C:\Windows\SysWOW64\Pbiciana.exe | C:\Windows\system32\Pbiciana.exe | Executes dropped EXE; Loads dropped DLL
25 | 996 | C:\Windows\SysWOW64\Pbkpna32.exe | C:\Windows\system32\Pbkpna32.exe | Executes dropped EXE; Loads dropped DLL
26 | 2184 | C:\Windows\SysWOW64\Pelipl32.exe | C:\Windows\system32\Pelipl32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
27 | 2152 | C:\Windows\SysWOW64\Pbpjiphi.exe | C:\Windows\system32\Pbpjiphi.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class
28 | 3064 | C:\Windows\SysWOW64\Qhmbagfa.exe | C:\Windows\system32\Qhmbagfa.exe | Executes dropped EXE; Loads dropped DLL
29 | 2356 | C:\Windows\SysWOW64\Qaefjm32.exe | C:\Windows\system32\Qaefjm32.exe | Executes dropped EXE; Loads dropped DLL
30 | 2664 | C:\Windows\SysWOW64\Qmlgonbe.exe | C:\Windows\system32\Qmlgonbe.exe | Executes dropped EXE; Loads dropped DLL
31 | 2644 | C:\Windows\SysWOW64\Qecoqk32.exe | C:\Windows\system32\Qecoqk32.exe | Executes dropped EXE; Loads dropped DLL
32 | 2756 | C:\Windows\SysWOW64\Ahakmf32.exe | C:\Windows\system32\Ahakmf32.exe | Executes dropped EXE; Loads dropped DLL
33 | 3048 | C:\Windows\SysWOW64\Adhlaggp.exe | C:\Windows\system32\Adhlaggp.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
34 | 2992 | C:\Windows\SysWOW64\Ampqjm32.exe | C:\Windows\system32\Ampqjm32.exe | Executes dropped EXE
35 | 3040 | C:\Windows\SysWOW64\Abmibdlh.exe | C:\Windows\system32\Abmibdlh.exe | Executes dropped EXE
36 | 2984 | C:\Windows\SysWOW64\Afiecb32.exe | C:\Windows\system32\Afiecb32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
37 | 2024 | C:\Windows\SysWOW64\Apajlhka.exe | C:\Windows\system32\Apajlhka.exe | Executes dropped EXE
38 | 2780 | C:\Windows\SysWOW64\Aiinen32.exe | C:\Windows\system32\Aiinen32.exe | Executes dropped EXE; Drops file in System32 directory
39 | 2840 | C:\Windows\SysWOW64\Abbbnchb.exe | C:\Windows\system32\Abbbnchb.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
40 | 1440 | C:\Windows\SysWOW64\Ailkjmpo.exe | C:\Windows\system32\Ailkjmpo.exe | Executes dropped EXE
41 | 1476 | C:\Windows\SysWOW64\Bpfcgg32.exe | C:\Windows\system32\Bpfcgg32.exe | Executes dropped EXE
42 | 2536 | C:\Windows\SysWOW64\Bebkpn32.exe | C:\Windows\system32\Bebkpn32.exe | Executes dropped EXE
43 | 1696 | C:\Windows\SysWOW64\Bhahlj32.exe | C:\Windows\system32\Bhahlj32.exe | Executes dropped EXE
44 | 596 | C:\Windows\SysWOW64\Bbflib32.exe | C:\Windows\system32\Bbflib32.exe | Executes dropped EXE
45 | 816 | C:\Windows\SysWOW64\Bhcdaibd.exe | C:\Windows\system32\Bhcdaibd.exe | Executes dropped EXE
46 | 1536 | C:\Windows\SysWOW64\Bommnc32.exe | C:\Windows\system32\Bommnc32.exe | Executes dropped EXE; Modifies registry class
47 | 1136 | C:\Windows\SysWOW64\Bdjefj32.exe | C:\Windows\system32\Bdjefj32.exe | Executes dropped EXE
48 | 2168 | C:\Windows\SysWOW64\Bghabf32.exe | C:\Windows\system32\Bghabf32.exe | Executes dropped EXE
49 | 2252 | C:\Windows\SysWOW64\Bnbjopoi.exe | C:\Windows\system32\Bnbjopoi.exe | Executes dropped EXE
50 | 1784 | C:\Windows\SysWOW64\Bpafkknm.exe | C:\Windows\system32\Bpafkknm.exe | Executes dropped EXE; Modifies registry class
51 | 1244 | C:\Windows\SysWOW64\Bgknheej.exe | C:\Windows\system32\Bgknheej.exe | Executes dropped EXE
52 | 2928 | C:\Windows\SysWOW64\Bjijdadm.exe | C:\Windows\system32\Bjijdadm.exe | Executes dropped EXE
53 | 2004 | C:\Windows\SysWOW64\Bdooajdc.exe | C:\Windows\system32\Bdooajdc.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
54 | 1708 | C:\Windows\SysWOW64\Cgmkmecg.exe | C:\Windows\system32\Cgmkmecg.exe | Executes dropped EXE; Drops file in System32 directory
55 | 280 | C:\Windows\SysWOW64\Cngcjo32.exe | C:\Windows\system32\Cngcjo32.exe | Executes dropped EXE
56 | 2308 | C:\Windows\SysWOW64\Cgpgce32.exe | C:\Windows\system32\Cgpgce32.exe | Executes dropped EXE
57 | 2092 | C:\Windows\SysWOW64\Cjndop32.exe | C:\Windows\system32\Cjndop32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
58 | 2464 | C:\Windows\SysWOW64\Ccfhhffh.exe | C:\Windows\system32\Ccfhhffh.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
59 | 2436 | C:\Windows\SysWOW64\Clomqk32.exe | C:\Windows\system32\Clomqk32.exe | Executes dropped EXE
60 | 2612 | C:\Windows\SysWOW64\Comimg32.exe | C:\Windows\system32\Comimg32.exe | Executes dropped EXE
61 | 1348 | C:\Windows\SysWOW64\Cfgaiaci.exe | C:\Windows\system32\Cfgaiaci.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
62 | 812 | C:\Windows\SysWOW64\Cdlnkmha.exe | C:\Windows\system32\Cdlnkmha.exe | Executes dropped EXE
63 | 2720 | C:\Windows\SysWOW64\Ckffgg32.exe | C:\Windows\system32\Ckffgg32.exe | Executes dropped EXE
64 | 2384 | C:\Windows\SysWOW64\Cobbhfhg.exe | C:\Windows\system32\Cobbhfhg.exe | Executes dropped EXE
65 | 1428 | C:\Windows\SysWOW64\Dbpodagk.exe | C:\Windows\system32\Dbpodagk.exe | Executes dropped EXE
66 | 2908 | C:\Windows\SysWOW64\Dkhcmgnl.exe | C:\Windows\system32\Dkhcmgnl.exe | (none)
67 | 2180 | C:\Windows\SysWOW64\Dngoibmo.exe | C:\Windows\system32\Dngoibmo.exe | (none)
68 | 1932 | C:\Windows\SysWOW64\Ddagfm32.exe | C:\Windows\system32\Ddagfm32.exe | (none)
69 | 1856 | C:\Windows\SysWOW64\Dgodbh32.exe | C:\Windows\system32\Dgodbh32.exe | (none)
70 | 1584 | C:\Windows\SysWOW64\Dkkpbgli.exe | C:\Windows\system32\Dkkpbgli.exe | (none)
71 | 1152 | C:\Windows\SysWOW64\Dnilobkm.exe | C:\Windows\system32\Dnilobkm.exe | (none)
72 | 1888 | C:\Windows\SysWOW64\Dqhhknjp.exe | C:\Windows\system32\Dqhhknjp.exe | Modifies registry class
73 | 1956 | C:\Windows\SysWOW64\Dcfdgiid.exe | C:\Windows\system32\Dcfdgiid.exe | (none)
74 | 1772 | C:\Windows\SysWOW64\Djpmccqq.exe | C:\Windows\system32\Djpmccqq.exe | (none)
75 | 2344 | C:\Windows\SysWOW64\Dmoipopd.exe | C:\Windows\system32\Dmoipopd.exe | Modifies registry class
76 | 2204 | C:\Windows\SysWOW64\Dchali32.exe | C:\Windows\system32\Dchali32.exe | (none)
77 | 1496 | C:\Windows\SysWOW64\Dfgmhd32.exe | C:\Windows\system32\Dfgmhd32.exe | (none)
78 | 1936 | C:\Windows\SysWOW64\Dnneja32.exe | C:\Windows\system32\Dnneja32.exe | (none)
79 | 300 | C:\Windows\SysWOW64\Dfijnd32.exe | C:\Windows\system32\Dfijnd32.exe | (none)
80 | 2076 | C:\Windows\SysWOW64\Eihfjo32.exe | C:\Windows\system32\Eihfjo32.exe | (none)
81 | 2444 | C:\Windows\SysWOW64\Epaogi32.exe | C:\Windows\system32\Epaogi32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
82 | 2744 | C:\Windows\SysWOW64\Ebpkce32.exe | C:\Windows\system32\Ebpkce32.exe | (none)
83 | 2660 | C:\Windows\SysWOW64\Ejgcdb32.exe | C:\Windows\system32\Ejgcdb32.exe | Drops file in System32 directory
84 | 1556 | C:\Windows\SysWOW64\Ecpgmhai.exe | C:\Windows\system32\Ecpgmhai.exe | Drops file in System32 directory
85 | 1796 | C:\Windows\SysWOW64\Eilpeooq.exe | C:\Windows\system32\Eilpeooq.exe | Modifies registry class
86 | 2704 | C:\Windows\SysWOW64\Emhlfmgj.exe | C:\Windows\system32\Emhlfmgj.exe | Modifies registry class
87 | 2476 | C:\Windows\SysWOW64\Ebedndfa.exe | C:\Windows\system32\Ebedndfa.exe | Drops file in System32 directory
88 | 2832 | C:\Windows\SysWOW64\Efppoc32.exe | C:\Windows\system32\Efppoc32.exe | (none)
89 | 840 | C:\Windows\SysWOW64\Egamfkdh.exe | C:\Windows\system32\Egamfkdh.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
90 | 2808 | C:\Windows\SysWOW64\Epieghdk.exe | C:\Windows\system32\Epieghdk.exe | (none)
91 | 632 | C:\Windows\SysWOW64\Ebgacddo.exe | C:\Windows\system32\Ebgacddo.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
92 | 1732 | C:\Windows\SysWOW64\Eeempocb.exe | C:\Windows\system32\Eeempocb.exe | (none)
93 | 336 | C:\Windows\SysWOW64\Egdilkbf.exe | C:\Windows\system32\Egdilkbf.exe | (none)
94 | 2112 | C:\Windows\SysWOW64\Ejbfhfaj.exe | C:\Windows\system32\Ejbfhfaj.exe | (none)
95 | 640 | C:\Windows\SysWOW64\Ealnephf.exe | C:\Windows\system32\Ealnephf.exe | (none)
96 | 2404 | C:\Windows\SysWOW64\Fckjalhj.exe | C:\Windows\system32\Fckjalhj.exe | (none)
97 | 320 | C:\Windows\SysWOW64\Fhffaj32.exe | C:\Windows\system32\Fhffaj32.exe | (none)
98 | 1060 | C:\Windows\SysWOW64\Fnpnndgp.exe | C:\Windows\system32\Fnpnndgp.exe | (none)
99 | 472 | C:\Windows\SysWOW64\Fcmgfkeg.exe | C:\Windows\system32\Fcmgfkeg.exe | (none)
100 | 2212 | C:\Windows\SysWOW64\Ffkcbgek.exe | C:\Windows\system32\Ffkcbgek.exe | (none)
101 | 1968 | C:\Windows\SysWOW64\Fnbkddem.exe | C:\Windows\system32\Fnbkddem.exe | (none)
102 | 1984 | C:\Windows\SysWOW64\Fdoclk32.exe | C:\Windows\system32\Fdoclk32.exe | Drops file in System32 directory; Modifies registry class
103 | 2020 | C:\Windows\SysWOW64\Filldb32.exe | C:\Windows\system32\Filldb32.exe | (none)
104 | 1720 | C:\Windows\SysWOW64\Facdeo32.exe | C:\Windows\system32\Facdeo32.exe | Drops file in System32 directory
105 | 2556 | C:\Windows\SysWOW64\Fdapak32.exe | C:\Windows\system32\Fdapak32.exe | Adds autorun key to be loaded by Explorer.exe on startup
106 | 2460 | C:\Windows\SysWOW64\Ffpmnf32.exe | C:\Windows\system32\Ffpmnf32.exe | Drops file in System32 directory
107 | 2448 | C:\Windows\SysWOW64\Fddmgjpo.exe | C:\Windows\system32\Fddmgjpo.exe | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
108 | 3000 | C:\Windows\SysWOW64\Fiaeoang.exe | C:\Windows\system32\Fiaeoang.exe | (none)
109 | 2944 | C:\Windows\SysWOW64\Gpknlk32.exe | C:\Windows\system32\Gpknlk32.exe | (none)
110 | 2860 | C:\Windows\SysWOW64\Gicbeald.exe | C:\Windows\system32\Gicbeald.exe | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
111 | 2540 | C:\Windows\SysWOW64\Glaoalkh.exe | C:\Windows\system32\Glaoalkh.exe | (none)
112 | 2028 | C:\Windows\SysWOW64\Gangic32.exe | C:\Windows\system32\Gangic32.exe | (none)
113 | 1352 | C:\Windows\SysWOW64\Ghhofmql.exe | C:\Windows\system32\Ghhofmql.exe | (none)
114 | 1780 | C:\Windows\SysWOW64\Gobgcg32.exe | C:\Windows\system32\Gobgcg32.exe | (none)
115 | 1852 | C:\Windows\SysWOW64\Gacpdbej.exe | C:\Windows\system32\Gacpdbej.exe | (none)
116 | 2052 | C:\Windows\SysWOW64\Gdamqndn.exe | C:\Windows\system32\Gdamqndn.exe | (none)
117 | 780 | C:\Windows\SysWOW64\Ghmiam32.exe | C:\Windows\system32\Ghmiam32.exe | Drops file in System32 directory
118 | 1876 | C:\Windows\SysWOW64\Gkkemh32.exe | C:\Windows\system32\Gkkemh32.exe | (none)
119 | 1572 | C:\Windows\SysWOW64\Gphmeo32.exe | C:\Windows\system32\Gphmeo32.exe | (none)
120 | 888 | C:\Windows\SysWOW64\Gddifnbk.exe | C:\Windows\system32\Gddifnbk.exe | (none)
121 | 1568 | C:\Windows\SysWOW64\Ghoegl32.exe | C:\Windows\system32\Ghoegl32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
122 | 2880 | C:\Windows\SysWOW64\Hknach32.exe | C:\Windows\system32\Hknach32.exe | (none)