Analysis
max time kernel: 150s
max time network: 129s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 12/03/2024, 01:08
Static task: static1
Behavioral task: behavioral1
Sample: af843099eb67363f9727b6a2a028e3145b536b3bf34b676abdf8d2a63c8e7de2.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: af843099eb67363f9727b6a2a028e3145b536b3bf34b676abdf8d2a63c8e7de2.exe
Resource: win10v2004-20240226-en
General
Target: af843099eb67363f9727b6a2a028e3145b536b3bf34b676abdf8d2a63c8e7de2.exe
Size: 207KB
MD5: 44d05efdad6fae86e907c7662427f70e
SHA1: 4b1259dd6a883641ad39d202cd92a5e28108a6e2
SHA256: af843099eb67363f9727b6a2a028e3145b536b3bf34b676abdf8d2a63c8e7de2
SHA512: 5e40d9ce0257a2c9eee8b8245acb6ba0257c53b6dd6a4d6ffe409ebe4007722f7cbd81771719157effe1c5865deecde99be3b7ee9bdbe52b150203309ee723cc
SSDEEP: 3072:wGuvHmSWf6TGAq+BOezpHw0MX2++9SEVjoSdoxx4KcWmjRrzyAyAtWgoJSWYVo23:xuOyTGAv92EVjj+VPj92d62ASOwj
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
UPX dump on OEP (original entry point) 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

C:\Users\Admin\AppData\Local\Temp\af843099eb67363f9727b6a2a028e3145b536b3bf34b676abdf8d2a63c8e7de2.exe (level 1; command line: "C:\Users\Admin\AppData\Local\Temp\af843099eb67363f9727b6a2a028e3145b536b3bf34b676abdf8d2a63c8e7de2.exe")
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2236

C:\Windows\SysWOW64\Ljffag32.exe (level 2; command line: C:\Windows\system32\Ljffag32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2516

C:\Windows\SysWOW64\Labkdack.exe (level 3; command line: C:\Windows\system32\Labkdack.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2640

C:\Windows\SysWOW64\Lmikibio.exe (level 4; command line: C:\Windows\system32\Lmikibio.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2836

C:\Windows\SysWOW64\Ljmlbfhi.exe (level 5; command line: C:\Windows\system32\Ljmlbfhi.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2664

C:\Windows\SysWOW64\Lcfqkl32.exe (level 6; command line: C:\Windows\system32\Lcfqkl32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2432

C:\Windows\SysWOW64\Libicbma.exe (level 7; command line: C:\Windows\system32\Libicbma.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2960

C:\Windows\SysWOW64\Mooaljkh.exe (level 8; command line: C:\Windows\system32\Mooaljkh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2400

C:\Windows\SysWOW64\Mhhfdo32.exe (level 9; command line: C:\Windows\system32\Mhhfdo32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2720

C:\Windows\SysWOW64\Mapjmehi.exe (level 10; command line: C:\Windows\system32\Mapjmehi.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 3008

C:\Windows\SysWOW64\Mlfojn32.exe (level 11; command line: C:\Windows\system32\Mlfojn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2040

C:\Windows\SysWOW64\Mabgcd32.exe (level 12; command line: C:\Windows\system32\Mabgcd32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 300

C:\Windows\SysWOW64\Mlhkpm32.exe (level 13; command line: C:\Windows\system32\Mlhkpm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2668

C:\Windows\SysWOW64\Mholen32.exe (level 14; command line: C:\Windows\system32\Mholen32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1644

C:\Windows\SysWOW64\Magqncba.exe (level 15; command line: C:\Windows\system32\Magqncba.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 1624

C:\Windows\SysWOW64\Ngdifkpi.exe (level 16; command line: C:\Windows\system32\Ngdifkpi.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2256

C:\Windows\SysWOW64\Nckjkl32.exe (level 17; command line: C:\Windows\system32\Nckjkl32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2852

C:\Windows\SysWOW64\Npojdpef.exe (level 18; command line: C:\Windows\system32\Npojdpef.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 2788

C:\Windows\SysWOW64\Nlekia32.exe (level 19; command line: C:\Windows\system32\Nlekia32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 1868

C:\Windows\SysWOW64\Nenobfak.exe (level 20; command line: C:\Windows\system32\Nenobfak.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2020

C:\Windows\SysWOW64\Ncbplk32.exe (level 21; command line: C:\Windows\system32\Ncbplk32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 436

C:\Windows\SysWOW64\Nljddpfe.exe (level 22; command line: C:\Windows\system32\Nljddpfe.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1148

C:\Windows\SysWOW64\Okoafmkm.exe (level 23; command line: C:\Windows\system32\Okoafmkm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 776

C:\Windows\SysWOW64\Okdkal32.exe (level 24; command line: C:\Windows\system32\Okdkal32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1788

C:\Windows\SysWOW64\Onecbg32.exe (level 25; command line: C:\Windows\system32\Onecbg32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 544

C:\Windows\SysWOW64\Pfbelipa.exe (level 26; command line: C:\Windows\system32\Pfbelipa.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2356

C:\Windows\SysWOW64\Pjpnbg32.exe (level 27; command line: C:\Windows\system32\Pjpnbg32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 1940

C:\Windows\SysWOW64\Pjbjhgde.exe (level 28; command line: C:\Windows\system32\Pjbjhgde.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1884

C:\Windows\SysWOW64\Pbnoliap.exe (level 29; command line: C:\Windows\system32\Pbnoliap.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 1564

C:\Windows\SysWOW64\Qjnmlk32.exe (level 30; command line: C:\Windows\system32\Qjnmlk32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2636

C:\Windows\SysWOW64\Aecaidjl.exe (level 31; command line: C:\Windows\system32\Aecaidjl.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2740

C:\Windows\SysWOW64\Bjbcfn32.exe (level 32; command line: C:\Windows\system32\Bjbcfn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1088

C:\Windows\SysWOW64\Behgcf32.exe (level 33; command line: C:\Windows\system32\Behgcf32.exe)
- Executes dropped EXE
PID: 1108

C:\Windows\SysWOW64\Cdanpb32.exe (level 34; command line: C:\Windows\system32\Cdanpb32.exe)
- Executes dropped EXE
PID: 2816

C:\Windows\SysWOW64\Clmbddgp.exe (level 35; command line: C:\Windows\system32\Clmbddgp.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1776

C:\Windows\SysWOW64\Cckdlnjg.exe (level 36; command line: C:\Windows\system32\Cckdlnjg.exe)
- Executes dropped EXE
PID: 1692

C:\Windows\SysWOW64\Ddomif32.exe (level 37; command line: C:\Windows\system32\Ddomif32.exe)
- Executes dropped EXE
PID: 2672

C:\Windows\SysWOW64\Dhmfod32.exe (level 38; command line: C:\Windows\system32\Dhmfod32.exe)
- Executes dropped EXE
PID: 2796

C:\Windows\SysWOW64\Dgbcpq32.exe (level 39; command line: C:\Windows\system32\Dgbcpq32.exe)
- Executes dropped EXE
PID: 2096

C:\Windows\SysWOW64\Dpjgifpa.exe (level 40; command line: C:\Windows\system32\Dpjgifpa.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 2780

C:\Windows\SysWOW64\Dkpkfooh.exe (level 41; command line: C:\Windows\system32\Dkpkfooh.exe)
- Executes dropped EXE
PID: 2080

C:\Windows\SysWOW64\Dpmdofno.exe (level 42; command line: C:\Windows\system32\Dpmdofno.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2992

C:\Windows\SysWOW64\Eckpkamb.exe (level 43; command line: C:\Windows\system32\Eckpkamb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 3068

C:\Windows\SysWOW64\Ecnmpa32.exe (level 44; command line: C:\Windows\system32\Ecnmpa32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2108

C:\Windows\SysWOW64\Elfaifaq.exe (level 45; command line: C:\Windows\system32\Elfaifaq.exe)
- Executes dropped EXE
PID: 2160

C:\Windows\SysWOW64\Ecpjfq32.exe (level 46; command line: C:\Windows\system32\Ecpjfq32.exe)
- Executes dropped EXE
PID: 1536

C:\Windows\SysWOW64\Elhnof32.exe (level 47; command line: C:\Windows\system32\Elhnof32.exe)
- Executes dropped EXE
PID: 1612

C:\Windows\SysWOW64\Ebefgm32.exe (level 48; command line: C:\Windows\system32\Ebefgm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 1772

C:\Windows\SysWOW64\Emkkdf32.exe (level 49; command line: C:\Windows\system32\Emkkdf32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 708

C:\Windows\SysWOW64\Ehakigbo.exe (level 50; command line: C:\Windows\system32\Ehakigbo.exe)
- Executes dropped EXE
PID: 1552

C:\Windows\SysWOW64\Ekpheb32.exe (level 51; command line: C:\Windows\system32\Ekpheb32.exe)
- Executes dropped EXE
PID: 2364

C:\Windows\SysWOW64\Fkbdkb32.exe (level 52; command line: C:\Windows\system32\Fkbdkb32.exe)
- Executes dropped EXE
PID: 2212

C:\Windows\SysWOW64\Fqomci32.exe (level 53; command line: C:\Windows\system32\Fqomci32.exe)
- Executes dropped EXE
PID: 2632

C:\Windows\SysWOW64\Fmfnhj32.exe (level 54; command line: C:\Windows\system32\Fmfnhj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 2656

C:\Windows\SysWOW64\Ffnbaojm.exe (level 55; command line: C:\Windows\system32\Ffnbaojm.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2528

C:\Windows\SysWOW64\Fqcfnhjb.exe (level 56; command line: C:\Windows\system32\Fqcfnhjb.exe)
- Executes dropped EXE
PID: 2420

C:\Windows\SysWOW64\Ffqofohj.exe (level 57; command line: C:\Windows\system32\Ffqofohj.exe)
- Executes dropped EXE
PID: 2596

C:\Windows\SysWOW64\Fiokbjgn.exe (level 58; command line: C:\Windows\system32\Fiokbjgn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2928

C:\Windows\SysWOW64\Fafcdh32.exe (level 59; command line: C:\Windows\system32\Fafcdh32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2772

C:\Windows\SysWOW64\Fcdopc32.exe (level 60; command line: C:\Windows\system32\Fcdopc32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2092

C:\Windows\SysWOW64\Gjngmmnp.exe (level 61; command line: C:\Windows\system32\Gjngmmnp.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2936

C:\Windows\SysWOW64\Gfgegnbb.exe (level 62; command line: C:\Windows\system32\Gfgegnbb.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2500

C:\Windows\SysWOW64\Gejebk32.exe (level 63; command line: C:\Windows\system32\Gejebk32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2524

C:\Windows\SysWOW64\Gldmoepi.exe (level 64; command line: C:\Windows\system32\Gldmoepi.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1484

C:\Windows\SysWOW64\Gaafhloq.exe (level 65; command line: C:\Windows\system32\Gaafhloq.exe)
- Executes dropped EXE
PID: 2016

C:\Windows\SysWOW64\Ghkndf32.exe (level 66; command line: C:\Windows\system32\Ghkndf32.exe)
PID: 1956

C:\Windows\SysWOW64\Geoonjeg.exe (level 67; command line: C:\Windows\system32\Geoonjeg.exe)
PID: 3020

C:\Windows\SysWOW64\Gjlgfaco.exe (level 68; command line: C:\Windows\system32\Gjlgfaco.exe)
PID: 1120

C:\Windows\SysWOW64\Hafock32.exe (level 69; command line: C:\Windows\system32\Hafock32.exe)
- Drops file in System32 directory
PID: 1072

C:\Windows\SysWOW64\Hfbhkb32.exe (level 70; command line: C:\Windows\system32\Hfbhkb32.exe)
- Drops file in System32 directory
PID: 2088

C:\Windows\SysWOW64\Hjndlqal.exe (level 71; command line: C:\Windows\system32\Hjndlqal.exe)
- Drops file in System32 directory
PID: 1704

C:\Windows\SysWOW64\Hpkldg32.exe (level 72; command line: C:\Windows\system32\Hpkldg32.exe)
PID: 2732

C:\Windows\SysWOW64\Hhbdee32.exe (level 73; command line: C:\Windows\system32\Hhbdee32.exe)
PID: 2988

C:\Windows\SysWOW64\Hdiejfej.exe (level 74; command line: C:\Windows\system32\Hdiejfej.exe)
PID: 1548

C:\Windows\SysWOW64\Hjcmgp32.exe (level 75; command line: C:\Windows\system32\Hjcmgp32.exe)
PID: 872

C:\Windows\SysWOW64\Hldjnhce.exe (level 76; command line: C:\Windows\system32\Hldjnhce.exe)
- Modifies registry class
PID: 2360

C:\Windows\SysWOW64\Hbnbkbja.exe (level 77; command line: C:\Windows\system32\Hbnbkbja.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 340

C:\Windows\SysWOW64\Hihjhl32.exe (level 78; command line: C:\Windows\system32\Hihjhl32.exe)
PID: 2140

C:\Windows\SysWOW64\Hlffdh32.exe (level 79; command line: C:\Windows\system32\Hlffdh32.exe)
PID: 2204

C:\Windows\SysWOW64\Hijgml32.exe (level 80; command line: C:\Windows\system32\Hijgml32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1992

C:\Windows\SysWOW64\Ilicig32.exe (level 81; command line: C:\Windows\system32\Ilicig32.exe)
- Drops file in System32 directory
PID: 1684

C:\Windows\SysWOW64\Ibckfa32.exe (level 82; command line: C:\Windows\system32\Ibckfa32.exe)
PID: 2552

C:\Windows\SysWOW64\Ieagbm32.exe (level 83; command line: C:\Windows\system32\Ieagbm32.exe)
- Modifies registry class
PID: 2396

C:\Windows\SysWOW64\Ilkpogmm.exe (level 84; command line: C:\Windows\system32\Ilkpogmm.exe)
PID: 2644

C:\Windows\SysWOW64\Ibehla32.exe (level 85; command line: C:\Windows\system32\Ibehla32.exe)
PID: 2536

C:\Windows\SysWOW64\Ihbqdh32.exe (level 86; command line: C:\Windows\system32\Ihbqdh32.exe)
PID: 2776

C:\Windows\SysWOW64\Imoilo32.exe (level 87; command line: C:\Windows\system32\Imoilo32.exe)
PID: 1216

C:\Windows\SysWOW64\Iefamlak.exe (level 88; command line: C:\Windows\system32\Iefamlak.exe)
PID: 1816

C:\Windows\SysWOW64\Iggned32.exe (level 89; command line: C:\Windows\system32\Iggned32.exe)
- Drops file in System32 directory
PID: 2480

C:\Windows\SysWOW64\Ionefb32.exe (level 90; command line: C:\Windows\system32\Ionefb32.exe)
PID: 1804

C:\Windows\SysWOW64\Ippbnjni.exe (level 91; command line: C:\Windows\system32\Ippbnjni.exe)
PID: 1652

C:\Windows\SysWOW64\Igijkd32.exe (level 92; command line: C:\Windows\system32\Igijkd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 1828

C:\Windows\SysWOW64\Incbgnmc.exe (level 93; command line: C:\Windows\system32\Incbgnmc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1864

C:\Windows\SysWOW64\Idmkdh32.exe (level 94; command line: C:\Windows\system32\Idmkdh32.exe)
- Modifies registry class
PID: 240

C:\Windows\SysWOW64\Jglgpdcc.exe (level 95; command line: C:\Windows\system32\Jglgpdcc.exe)
- Modifies registry class
PID: 1236

C:\Windows\SysWOW64\Jjjclobg.exe (level 96; command line: C:\Windows\system32\Jjjclobg.exe)
PID: 2316

C:\Windows\SysWOW64\Jdpgjhbm.exe (level 97; command line: C:\Windows\system32\Jdpgjhbm.exe)
PID: 3056

C:\Windows\SysWOW64\Jgncfcaa.exe (level 98; command line: C:\Windows\system32\Jgncfcaa.exe)
- Modifies registry class
PID: 1796

C:\Windows\SysWOW64\Jgqpkc32.exe (level 99; command line: C:\Windows\system32\Jgqpkc32.exe)
PID: 1300

C:\Windows\SysWOW64\Jlmicj32.exe (level 100; command line: C:\Windows\system32\Jlmicj32.exe)
PID: 1380

C:\Windows\SysWOW64\Jcgapdeb.exe (level 101; command line: C:\Windows\system32\Jcgapdeb.exe)
PID: 2064

C:\Windows\SysWOW64\Jajala32.exe (level 102; command line: C:\Windows\system32\Jajala32.exe)
PID: 1508

C:\Windows\SysWOW64\Jhdihkcj.exe (level 103; command line: C:\Windows\system32\Jhdihkcj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 1596

C:\Windows\SysWOW64\Jkbfdfbm.exe (level 104; command line: C:\Windows\system32\Jkbfdfbm.exe)
PID: 2540

C:\Windows\SysWOW64\Jblnaq32.exe (level 105; command line: C:\Windows\system32\Jblnaq32.exe)
PID: 2808

C:\Windows\SysWOW64\Jlbboiip.exe (level 106; command line: C:\Windows\system32\Jlbboiip.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2452

C:\Windows\SysWOW64\Kbokgpgg.exe (level 107; command line: C:\Windows\system32\Kbokgpgg.exe)
PID: 2600

C:\Windows\SysWOW64\Kfjggo32.exe (level 108; command line: C:\Windows\system32\Kfjggo32.exe)
PID: 2476

C:\Windows\SysWOW64\Khiccj32.exe (level 109; command line: C:\Windows\system32\Khiccj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2708

C:\Windows\SysWOW64\Kbaglpee.exe (level 110; command line: C:\Windows\system32\Kbaglpee.exe)
PID: 1944

C:\Windows\SysWOW64\Kqdhhm32.exe (level 111; command line: C:\Windows\system32\Kqdhhm32.exe)
PID: 764

C:\Windows\SysWOW64\Kkileele.exe (level 112; command line: C:\Windows\system32\Kkileele.exe)
PID: 2124

C:\Windows\SysWOW64\Kjllab32.exe (level 113; command line: C:\Windows\system32\Kjllab32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2152

C:\Windows\SysWOW64\Kdbpnk32.exe (level 114; command line: C:\Windows\system32\Kdbpnk32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID: 1544

C:\Windows\SysWOW64\Kjoifb32.exe (level 115; command line: C:\Windows\system32\Kjoifb32.exe)
- Drops file in System32 directory
PID: 2248

C:\Windows\SysWOW64\Kqiaclhj.exe (level 116; command line: C:\Windows\system32\Kqiaclhj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1632

C:\Windows\SysWOW64\Konndhmb.exe (level 117; command line: C:\Windows\system32\Konndhmb.exe)
PID: 1304

C:\Windows\SysWOW64\Lfhfab32.exe (level 118; command line: C:\Windows\system32\Lfhfab32.exe)
PID: 1800

C:\Windows\SysWOW64\Lqmjnk32.exe (level 119; command line: C:\Windows\system32\Lqmjnk32.exe)
PID: 2832

C:\Windows\SysWOW64\Lihobnap.exe (level 120; command line: C:\Windows\system32\Lihobnap.exe)
PID: 2932

C:\Windows\SysWOW64\Lgbeoibb.exe (level 121; command line: C:\Windows\system32\Lgbeoibb.exe)
- Drops file in System32 directory
PID: 1748

C:\Windows\SysWOW64\Mlpneh32.exe (level 122; command line: C:\Windows\system32\Mlpneh32.exe)
PID: 2616