Analysis

max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22/05/2024, 23:08

Static task: static1
- 1 signatures

Behavioral task: behavioral1
- Sample: 540913fbf0e5569ebacbdb11ae2af9a872774a201eafac6495ee74be77f4378d.exe
- Resource: win7-20240221-en
- 7 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: 540913fbf0e5569ebacbdb11ae2af9a872774a201eafac6495ee74be77f4378d.exe
- Resource: win10v2004-20240508-en
- 6 signatures
- 150 seconds
General

Target: 540913fbf0e5569ebacbdb11ae2af9a872774a201eafac6495ee74be77f4378d.exe
Size: 128KB
MD5: 06b32d0257c43e58762c0cfb40da7870
SHA1: 214c07bd2af41a506c8e1ef0d97facb0c84ec0ad
SHA256: 540913fbf0e5569ebacbdb11ae2af9a872774a201eafac6495ee74be77f4378d
SHA512: ef44c4943719f703f23db64e97a91d1f99571d839c7ad9dfe7ac9b9509c4510f4150c8fac0280d488aaa74474f11342be78690356f544d86a120e38e1cd983e1
SSDEEP: 3072:HP+Bql16Y62Y6wjON72eA07DxSvITW/cbFGS9n:EqucRAYhCw9n
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pidfdofi.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gfabkl32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ejlnjg32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gieommdc.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qjgjpi32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihlnhffh.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Joekimld.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Diibag32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lnjldf32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pfbfhm32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjjaikoa.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjnlikic.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Laackgka.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jojnglco.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmeebpkd.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pfando32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pkjmoj32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnknoogp.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Feggob32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfkjgm32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nipefmkb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kdjceb32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lenioenj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Flfkoeoh.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pkojoghl.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebicee32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Efhenccl.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kbdmeoob.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ieponofk.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Loaokjjg.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blchcpko.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Plolgk32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgdiho32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ofqmcj32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngeljh32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ainmlomf.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdlpnamm.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpanne32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjffbhnj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jfieigio.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Eppefg32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jegdgj32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bafkookd.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Neohqicc.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ckhbnb32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkklhjnk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Objaha32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eeiheo32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfmqmgbm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fgjjad32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ccpqjfnh.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mfglep32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njfjnpgp.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jeqopcld.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pffgonbb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hhhgcc32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Obgnhkkh.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cceapl32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ikgkei32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mlelda32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efhenccl.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Boobki32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eifobe32.exe |
Executes dropped EXE (64 IoCs)

| pid | Process |
| --- | --- |
| 2412 | Opplolac.exe |
| 2956 | Pkjmoj32.exe |
| 2524 | Pojbkh32.exe |
| 2512 | Pnopldgn.exe |
| 2468 | Pjfpafmb.exe |
| 2796 | Pdldnomh.exe |
| 112 | Qcqaok32.exe |
| 372 | Accnekon.exe |
| 2772 | Amkbnp32.exe |
| 2008 | Akqpom32.exe |
| 2000 | Aidphq32.exe |
| 1540 | Anahqh32.exe |
| 2628 | Akeijlfq.exe |
| 764 | Ajjfkh32.exe |
| 2256 | Bgnfdm32.exe |
| 2972 | Bmkomchi.exe |
| 3008 | Bgqcjlhp.exe |
| 3020 | Bplhnoej.exe |
| 1316 | Bbjdjjdn.exe |
| 2824 | Blchcpko.exe |
| 1656 | Bigimdjh.exe |
| 2892 | Bbonei32.exe |
| 2660 | Chlfnp32.exe |
| 880 | Cikbhc32.exe |
| 804 | Cbdgqimc.exe |
| 1684 | Ckolek32.exe |
| 1608 | Cakqgeoi.exe |
| 2616 | Diibag32.exe |
| 2480 | Depbfhpe.exe |
| 2440 | Debplg32.exe |
| 2492 | Dhbhmb32.exe |
| 2604 | Dchmkkkj.exe |
| 2344 | Eoompl32.exe |
| 2608 | Eoajel32.exe |
| 2188 | Egokonjc.exe |
| 2840 | Edclib32.exe |
| 2816 | Fchijone.exe |
| 1960 | Foafdoag.exe |
| 2432 | Fmegncpp.exe |
| 1912 | Fgohna32.exe |
| 1164 | Gmpjagfa.exe |
| 2740 | Gmbfggdo.exe |
| 580 | Gmecmg32.exe |
| 2940 | Gcokiaji.exe |
| 2204 | Gmgpbf32.exe |
| 1532 | Hinqgg32.exe |
| 2732 | Hnkion32.exe |
| 2020 | Hfbaql32.exe |
| 2708 | Hbiaemkk.exe |
| 2108 | Hhejnc32.exe |
| 2164 | Hbknkl32.exe |
| 1624 | Hhhgcc32.exe |
| 1596 | Hmeolj32.exe |
| 2424 | Hdoghdmd.exe |
| 2340 | Idadnd32.exe |
| 2368 | Imiigiab.exe |
| 2712 | Idcacc32.exe |
| 1364 | Iipiljgf.exe |
| 2700 | Ipjahd32.exe |
| 2220 | Iegjqk32.exe |
| 2584 | Ioooiack.exe |
| 1600 | Ihhcbf32.exe |
| 1120 | Jodhdp32.exe |
| 2632 | Jdaqmg32.exe |
Loads dropped DLL (64 IoCs)

| pid | Process |
| --- | --- |
| 2304 | 540913fbf0e5569ebacbdb11ae2af9a872774a201eafac6495ee74be77f4378d.exe |
| 2304 | 540913fbf0e5569ebacbdb11ae2af9a872774a201eafac6495ee74be77f4378d.exe |
| 2412 | Opplolac.exe |
| 2412 | Opplolac.exe |
| 2956 | Pkjmoj32.exe |
| 2956 | Pkjmoj32.exe |
| 2524 | Pojbkh32.exe |
| 2524 | Pojbkh32.exe |
| 2512 | Pnopldgn.exe |
| 2512 | Pnopldgn.exe |
| 2468 | Pjfpafmb.exe |
| 2468 | Pjfpafmb.exe |
| 2796 | Pdldnomh.exe |
| 2796 | Pdldnomh.exe |
| 112 | Qcqaok32.exe |
| 112 | Qcqaok32.exe |
| 372 | Accnekon.exe |
| 372 | Accnekon.exe |
| 2772 | Amkbnp32.exe |
| 2772 | Amkbnp32.exe |
| 2008 | Akqpom32.exe |
| 2008 | Akqpom32.exe |
| 2000 | Aidphq32.exe |
| 2000 | Aidphq32.exe |
| 1540 | Anahqh32.exe |
| 1540 | Anahqh32.exe |
| 2628 | Akeijlfq.exe |
| 2628 | Akeijlfq.exe |
| 764 | Ajjfkh32.exe |
| 764 | Ajjfkh32.exe |
| 2256 | Bgnfdm32.exe |
| 2256 | Bgnfdm32.exe |
| 2972 | Bmkomchi.exe |
| 2972 | Bmkomchi.exe |
| 3008 | Bgqcjlhp.exe |
| 3008 | Bgqcjlhp.exe |
| 3020 | Bplhnoej.exe |
| 3020 | Bplhnoej.exe |
| 1316 | Bbjdjjdn.exe |
| 1316 | Bbjdjjdn.exe |
| 2824 | Blchcpko.exe |
| 2824 | Blchcpko.exe |
| 1656 | Bigimdjh.exe |
| 1656 | Bigimdjh.exe |
| 2892 | Bbonei32.exe |
| 2892 | Bbonei32.exe |
| 2660 | Chlfnp32.exe |
| 2660 | Chlfnp32.exe |
| 880 | Cikbhc32.exe |
| 880 | Cikbhc32.exe |
| 804 | Cbdgqimc.exe |
| 804 | Cbdgqimc.exe |
| 1684 | Ckolek32.exe |
| 1684 | Ckolek32.exe |
| 1588 | Cfhiplmp.exe |
| 1588 | Cfhiplmp.exe |
| 2616 | Diibag32.exe |
| 2616 | Diibag32.exe |
| 2480 | Depbfhpe.exe |
| 2480 | Depbfhpe.exe |
| 2440 | Debplg32.exe |
| 2440 | Debplg32.exe |
| 2492 | Dhbhmb32.exe |
| 2492 | Dhbhmb32.exe |
Drops file in System32 directory (64 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\SysWOW64\Hgapag32.dll | Lljpjchg.exe |
| File created | C:\Windows\SysWOW64\Pkkkap32.dll | Mgbaml32.exe |
| File created | C:\Windows\SysWOW64\Mhcfjnhm.exe | Mkofaj32.exe |
| File created | C:\Windows\SysWOW64\Nhjpke32.dll | Jlhhndno.exe |
| File opened for modification | C:\Windows\SysWOW64\Cgaoic32.exe | Cmikpngk.exe |
| File opened for modification | C:\Windows\SysWOW64\Cikbhc32.exe | Chlfnp32.exe |
| File created | C:\Windows\SysWOW64\Mcjdhh32.dll | Fcnkhmdp.exe |
| File created | C:\Windows\SysWOW64\Ncbdnb32.dll | Ikjhki32.exe |
| File opened for modification | C:\Windows\SysWOW64\Fdlpnamm.exe | Fmbgageq.exe |
| File created | C:\Windows\SysWOW64\Cophjpne.dll | Iohbjpkb.exe |
| File created | C:\Windows\SysWOW64\Ahbekjcf.exe | Apgagg32.exe |
| File created | C:\Windows\SysWOW64\Nfgjml32.exe | Nnleiipc.exe |
| File created | C:\Windows\SysWOW64\Gonakpgj.dll | Ppcmfn32.exe |
| File created | C:\Windows\SysWOW64\Cdklmlof.dll | Iadbqlmh.exe |
| File opened for modification | C:\Windows\SysWOW64\Eabepp32.exe | Ehjqgjmp.exe |
| File created | C:\Windows\SysWOW64\Hilkhl32.dll | Felekcop.exe |
| File created | C:\Windows\SysWOW64\Dmddik32.dll | Momapqgn.exe |
| File created | C:\Windows\SysWOW64\Ckchcc32.exe | Bdipfi32.exe |
| File created | C:\Windows\SysWOW64\Gnhheo32.dll | Ficehj32.exe |
| File opened for modification | C:\Windows\SysWOW64\Bedhgj32.exe | Bllcnega.exe |
| File opened for modification | C:\Windows\SysWOW64\Njeelc32.exe | Nladco32.exe |
| File opened for modification | C:\Windows\SysWOW64\Mcofid32.exe | Mmbnam32.exe |
| File created | C:\Windows\SysWOW64\Gbhbdi32.exe | Fmkilb32.exe |
| File created | C:\Windows\SysWOW64\Ijcngenj.exe | Iakino32.exe |
| File opened for modification | C:\Windows\SysWOW64\Hibidc32.exe | Hdeall32.exe |
| File created | C:\Windows\SysWOW64\Aaogad32.dll | Npolmh32.exe |
| File created | C:\Windows\SysWOW64\Cdgjcl32.dll | Ealahi32.exe |
| File opened for modification | C:\Windows\SysWOW64\Mecbjd32.exe | Mljnaocd.exe |
| File opened for modification | C:\Windows\SysWOW64\Gecpnp32.exe | Fimoiopk.exe |
| File created | C:\Windows\SysWOW64\Mkhanokh.dll | Ahhchk32.exe |
| File opened for modification | C:\Windows\SysWOW64\Copjdhib.exe | Cbiiog32.exe |
| File opened for modification | C:\Windows\SysWOW64\Cpohhk32.exe | Bopknhjd.exe |
| File opened for modification | C:\Windows\SysWOW64\Bbhccm32.exe | Bddbjhlp.exe |
| File created | C:\Windows\SysWOW64\Dnnnlokd.dll | Bfgdmjlp.exe |
| File created | C:\Windows\SysWOW64\Jmaebf32.dll | Jeqopcld.exe |
| File created | C:\Windows\SysWOW64\Ninlepim.dll | Mkofaj32.exe |
| File opened for modification | C:\Windows\SysWOW64\Dekeeonn.exe | Dkeahf32.exe |
| File opened for modification | C:\Windows\SysWOW64\Ikgkei32.exe | Hclfag32.exe |
| File opened for modification | C:\Windows\SysWOW64\Kgcnahoo.exe | Kageia32.exe |
| File opened for modification | C:\Windows\SysWOW64\Depbfhpe.exe | Diibag32.exe |
| File created | C:\Windows\SysWOW64\Imgnjb32.exe | Haqnea32.exe |
| File opened for modification | C:\Windows\SysWOW64\Mdadjd32.exe | Mhjcec32.exe |
| File opened for modification | C:\Windows\SysWOW64\Hmeolj32.exe | Hhhgcc32.exe |
| File created | C:\Windows\SysWOW64\Nhaiccmq.dll | Alodeacc.exe |
| File created | C:\Windows\SysWOW64\Fkfcmj32.dll | Pmhgba32.exe |
| File opened for modification | C:\Windows\SysWOW64\Caokmd32.exe | Boobki32.exe |
| File created | C:\Windows\SysWOW64\Gdnibjgk.dll | Dfkhndca.exe |
| File created | C:\Windows\SysWOW64\Moeodd32.dll | Lgabgl32.exe |
| File created | C:\Windows\SysWOW64\Enjoliob.dll | Fnmjpk32.exe |
| File opened for modification | C:\Windows\SysWOW64\Ckhbnb32.exe | Ckfeic32.exe |
| File created | C:\Windows\SysWOW64\Fiqhbk32.dll | Aoojnc32.exe |
| File created | C:\Windows\SysWOW64\Lfnkaj32.dll | Kfidqb32.exe |
| File created | C:\Windows\SysWOW64\Jlaeab32.exe | Ionehnbm.exe |
| File created | C:\Windows\SysWOW64\Hfaqbh32.exe | Hnflnfbm.exe |
| File created | C:\Windows\SysWOW64\Dafikqcd.dll | Abinjdad.exe |
| File opened for modification | C:\Windows\SysWOW64\Qlggjlep.exe | Qemomb32.exe |
| File created | C:\Windows\SysWOW64\Mdepmh32.exe | Mbdcepcm.exe |
| File created | C:\Windows\SysWOW64\Pmnonj32.dll | Ckmbdh32.exe |
| File created | C:\Windows\SysWOW64\Hiqaih32.dll | Ghoijebj.exe |
| File created | C:\Windows\SysWOW64\Hpbdmo32.exe | Hcdnhoac.exe |
| File created | C:\Windows\SysWOW64\Ahemgiea.dll | Eeojcmfi.exe |
| File created | C:\Windows\SysWOW64\Lnfhal32.dll | Klmbjh32.exe |
| File opened for modification | C:\Windows\SysWOW64\Eqkjmcmq.exe | Ejabqi32.exe |
| File created | C:\Windows\SysWOW64\Acnckp32.dll | Adcdbl32.exe |
Program crash (1 IoCs)

| pid | pid_target | Process | procid_target |
| --- | --- | --- | --- |
| 1928 | 1648 | Process not Found | 1063 |
Modifies registry class (64 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmnad32.dll" | Dmcfngde.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nikkkn32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbglc32.dll" | Lhklha32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Necogkbo.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cbiiog32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mdadjd32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Eejjnhgc.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kbmafngi.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkokcp32.dll" | Joekimld.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nflchkii.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ecnpdnho.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbegkhg.dll" | Mdepmh32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mhjcec32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llkcqmgj.dll" | Ndmecgba.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfkhk32.dll" | Dknajh32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Edfbaabj.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ogohdeam.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hklhae32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhefgd32.dll" | Gbjpem32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Iaaekl32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Oajlkojn.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pblmdj32.dll" | Gcjmmdbf.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mihgebkh.dll" | Cbpbgk32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kppegfpa.dll" | Bhdjno32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fjhdpk32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mgjebg32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Koaclfgl.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igooceih.dll" | Qnqjkh32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ammmlcgi.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohnaohff.dll" | Hajhpgag.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohniib32.dll" | Oalhqohl.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pfqlkfoc.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ieomef32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jegdgj32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnigi32.dll" | Kflcok32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcoljb32.dll" | Mcofid32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pckajebj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pldebkhj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pjjmonac.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ckmbdh32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mfglep32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogqhpm32.dll" | Objaha32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Calcpm32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fkkhpadq.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Pmhgba32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lboiol32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhmbnh32.dll" | Kdjceb32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajbnaedb.dll" | Mnkfcjqe.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglfle32.dll" | Mkaghg32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jqbbhg32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pkfghh32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgpdil32.dll" | Pdndggcl.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llbncmgg.dll" | Kpafapbk.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Paaddgkj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhjcpj32.dll" | Ckhfpp32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhoedaep.dll" | Eepmlf32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pnopldgn.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ohfqmi32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ciohqa32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jbjpom32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fahhnn32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fpcblkje.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mmpcdfem.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Chlfnp32.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2304 wrote to memory of 2412 | 2304 | 540913fbf0e5569ebacbdb11ae2af9a872774a201eafac6495ee74be77f4378d.exe | 28 |
| PID 2304 wrote to memory of 2412 | 2304 | 540913fbf0e5569ebacbdb11ae2af9a872774a201eafac6495ee74be77f4378d.exe | 28 |
| PID 2304 wrote to memory of 2412 | 2304 | 540913fbf0e5569ebacbdb11ae2af9a872774a201eafac6495ee74be77f4378d.exe | 28 |
| PID 2304 wrote to memory of 2412 | 2304 | 540913fbf0e5569ebacbdb11ae2af9a872774a201eafac6495ee74be77f4378d.exe | 28 |
| PID 2412 wrote to memory of 2956 | 2412 | Opplolac.exe | 29 |
| PID 2412 wrote to memory of 2956 | 2412 | Opplolac.exe | 29 |
| PID 2412 wrote to memory of 2956 | 2412 | Opplolac.exe | 29 |
| PID 2412 wrote to memory of 2956 | 2412 | Opplolac.exe | 29 |
| PID 2956 wrote to memory of 2524 | 2956 | Pkjmoj32.exe | 30 |
| PID 2956 wrote to memory of 2524 | 2956 | Pkjmoj32.exe | 30 |
| PID 2956 wrote to memory of 2524 | 2956 | Pkjmoj32.exe | 30 |
| PID 2956 wrote to memory of 2524 | 2956 | Pkjmoj32.exe | 30 |
| PID 2524 wrote to memory of 2512 | 2524 | Pojbkh32.exe | 31 |
| PID 2524 wrote to memory of 2512 | 2524 | Pojbkh32.exe | 31 |
| PID 2524 wrote to memory of 2512 | 2524 | Pojbkh32.exe | 31 |
| PID 2524 wrote to memory of 2512 | 2524 | Pojbkh32.exe | 31 |
| PID 2512 wrote to memory of 2468 | 2512 | Pnopldgn.exe | 32 |
| PID 2512 wrote to memory of 2468 | 2512 | Pnopldgn.exe | 32 |
| PID 2512 wrote to memory of 2468 | 2512 | Pnopldgn.exe | 32 |
| PID 2512 wrote to memory of 2468 | 2512 | Pnopldgn.exe | 32 |
| PID 2468 wrote to memory of 2796 | 2468 | Pjfpafmb.exe | 33 |
| PID 2468 wrote to memory of 2796 | 2468 | Pjfpafmb.exe | 33 |
| PID 2468 wrote to memory of 2796 | 2468 | Pjfpafmb.exe | 33 |
| PID 2468 wrote to memory of 2796 | 2468 | Pjfpafmb.exe | 33 |
| PID 2796 wrote to memory of 112 | 2796 | Pdldnomh.exe | 34 |
| PID 2796 wrote to memory of 112 | 2796 | Pdldnomh.exe | 34 |
| PID 2796 wrote to memory of 112 | 2796 | Pdldnomh.exe | 34 |
| PID 2796 wrote to memory of 112 | 2796 | Pdldnomh.exe | 34 |
| PID 112 wrote to memory of 372 | 112 | Qcqaok32.exe | 35 |
| PID 112 wrote to memory of 372 | 112 | Qcqaok32.exe | 35 |
| PID 112 wrote to memory of 372 | 112 | Qcqaok32.exe | 35 |
| PID 112 wrote to memory of 372 | 112 | Qcqaok32.exe | 35 |
| PID 372 wrote to memory of 2772 | 372 | Accnekon.exe | 36 |
| PID 372 wrote to memory of 2772 | 372 | Accnekon.exe | 36 |
| PID 372 wrote to memory of 2772 | 372 | Accnekon.exe | 36 |
| PID 372 wrote to memory of 2772 | 372 | Accnekon.exe | 36 |
| PID 2772 wrote to memory of 2008 | 2772 | Amkbnp32.exe | 37 |
| PID 2772 wrote to memory of 2008 | 2772 | Amkbnp32.exe | 37 |
| PID 2772 wrote to memory of 2008 | 2772 | Amkbnp32.exe | 37 |
| PID 2772 wrote to memory of 2008 | 2772 | Amkbnp32.exe | 37 |
| PID 2008 wrote to memory of 2000 | 2008 | Akqpom32.exe | 38 |
| PID 2008 wrote to memory of 2000 | 2008 | Akqpom32.exe | 38 |
| PID 2008 wrote to memory of 2000 | 2008 | Akqpom32.exe | 38 |
| PID 2008 wrote to memory of 2000 | 2008 | Akqpom32.exe | 38 |
| PID 2000 wrote to memory of 1540 | 2000 | Aidphq32.exe | 39 |
| PID 2000 wrote to memory of 1540 | 2000 | Aidphq32.exe | 39 |
| PID 2000 wrote to memory of 1540 | 2000 | Aidphq32.exe | 39 |
| PID 2000 wrote to memory of 1540 | 2000 | Aidphq32.exe | 39 |
| PID 1540 wrote to memory of 2628 | 1540 | Anahqh32.exe | 40 |
| PID 1540 wrote to memory of 2628 | 1540 | Anahqh32.exe | 40 |
| PID 1540 wrote to memory of 2628 | 1540 | Anahqh32.exe | 40 |
| PID 1540 wrote to memory of 2628 | 1540 | Anahqh32.exe | 40 |
| PID 2628 wrote to memory of 764 | 2628 | Akeijlfq.exe | 41 |
| PID 2628 wrote to memory of 764 | 2628 | Akeijlfq.exe | 41 |
| PID 2628 wrote to memory of 764 | 2628 | Akeijlfq.exe | 41 |
| PID 2628 wrote to memory of 764 | 2628 | Akeijlfq.exe | 41 |
| PID 764 wrote to memory of 2256 | 764 | Ajjfkh32.exe | 42 |
| PID 764 wrote to memory of 2256 | 764 | Ajjfkh32.exe | 42 |
| PID 764 wrote to memory of 2256 | 764 | Ajjfkh32.exe | 42 |
| PID 764 wrote to memory of 2256 | 764 | Ajjfkh32.exe | 42 |
| PID 2256 wrote to memory of 2972 | 2256 | Bgnfdm32.exe | 43 |
| PID 2256 wrote to memory of 2972 | 2256 | Bgnfdm32.exe | 43 |
| PID 2256 wrote to memory of 2972 | 2256 | Bgnfdm32.exe | 43 |
| PID 2256 wrote to memory of 2972 | 2256 | Bgnfdm32.exe | 43 |
Processes
-
C:\Users\Admin\AppData\Local\Temp\540913fbf0e5569ebacbdb11ae2af9a872774a201eafac6495ee74be77f4378d.exe | "C:\Users\Admin\AppData\Local\Temp\540913fbf0e5569ebacbdb11ae2af9a872774a201eafac6495ee74be77f4378d.exe" | 1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304
-
C:\Windows\SysWOW64\Opplolac.exe | C:\Windows\system32\Opplolac.exe | 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412
-
C:\Windows\SysWOW64\Pkjmoj32.exe | C:\Windows\system32\Pkjmoj32.exe | 3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956
-
C:\Windows\SysWOW64\Pojbkh32.exe | C:\Windows\system32\Pojbkh32.exe | 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524
-
C:\Windows\SysWOW64\Pnopldgn.exe | C:\Windows\system32\Pnopldgn.exe | 5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2512
-
C:\Windows\SysWOW64\Pjfpafmb.exe | C:\Windows\system32\Pjfpafmb.exe | 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468
-
C:\Windows\SysWOW64\Pdldnomh.exe | C:\Windows\system32\Pdldnomh.exe | 7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796
-
C:\Windows\SysWOW64\Qcqaok32.exe | C:\Windows\system32\Qcqaok32.exe | 8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:112
-
C:\Windows\SysWOW64\Accnekon.exe | C:\Windows\system32\Accnekon.exe | 9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:372
-
C:\Windows\SysWOW64\Amkbnp32.exe | C:\Windows\system32\Amkbnp32.exe | 10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772
-
C:\Windows\SysWOW64\Akqpom32.exe | C:\Windows\system32\Akqpom32.exe | 11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008
-
C:\Windows\SysWOW64\Aidphq32.exe | C:\Windows\system32\Aidphq32.exe | 12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000
-
C:\Windows\SysWOW64\Anahqh32.exe | C:\Windows\system32\Anahqh32.exe | 13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1540
-
C:\Windows\SysWOW64\Akeijlfq.exe | C:\Windows\system32\Akeijlfq.exe | 14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628
-
C:\Windows\SysWOW64\Ajjfkh32.exe | C:\Windows\system32\Ajjfkh32.exe | 15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:764
-
C:\Windows\SysWOW64\Bgnfdm32.exe | C:\Windows\system32\Bgnfdm32.exe | 16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256
-
C:\Windows\SysWOW64\Bmkomchi.exe | C:\Windows\system32\Bmkomchi.exe | 17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972
-
C:\Windows\SysWOW64\Bgqcjlhp.exe | C:\Windows\system32\Bgqcjlhp.exe | 18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008
-
C:\Windows\SysWOW64\Bplhnoej.exe | C:\Windows\system32\Bplhnoej.exe | 19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020
-
C:\Windows\SysWOW64\Bbjdjjdn.exe | C:\Windows\system32\Bbjdjjdn.exe | 20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1316
-
C:\Windows\SysWOW64\Blchcpko.exe | C:\Windows\system32\Blchcpko.exe | 21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2824
-
C:\Windows\SysWOW64\Bigimdjh.exe | C:\Windows\system32\Bigimdjh.exe | 22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656
-
C:\Windows\SysWOW64\Bbonei32.exe | C:\Windows\system32\Bbonei32.exe | 23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892
-
C:\Windows\SysWOW64\Chlfnp32.exe | C:\Windows\system32\Chlfnp32.exe | 24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2660
-
C:\Windows\SysWOW64\Cikbhc32.exe | C:\Windows\system32\Cikbhc32.exe | 25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:880
-
C:\Windows\SysWOW64\Cbdgqimc.exe | C:\Windows\system32\Cbdgqimc.exe | 26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:804
-
C:\Windows\SysWOW64\Ckolek32.exe | C:\Windows\system32\Ckolek32.exe | 27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684
-
C:\Windows\SysWOW64\Cakqgeoi.exe | C:\Windows\system32\Cakqgeoi.exe | 28⤵
- Executes dropped EXE
PID:1608
-
C:\Windows\SysWOW64\Cfhiplmp.exe | C:\Windows\system32\Cfhiplmp.exe | 29⤵
- Loads dropped DLL
PID:1588
-
C:\Windows\SysWOW64\Diibag32.exe | C:\Windows\system32\Diibag32.exe | 30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2616
-
C:\Windows\SysWOW64\Depbfhpe.exe | C:\Windows\system32\Depbfhpe.exe | 31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2480
-
C:\Windows\SysWOW64\Debplg32.exe | C:\Windows\system32\Debplg32.exe | 32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440
-
C:\Windows\SysWOW64\Dhbhmb32.exe | C:\Windows\system32\Dhbhmb32.exe | 33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492
-
C:\Windows\SysWOW64\Dchmkkkj.exe | C:\Windows\system32\Dchmkkkj.exe | 34⤵
- Executes dropped EXE
PID:2604
-
C:\Windows\SysWOW64\Eoompl32.exe | C:\Windows\system32\Eoompl32.exe | 35⤵
- Executes dropped EXE
PID:2344
-
C:\Windows\SysWOW64\Eoajel32.exe | C:\Windows\system32\Eoajel32.exe | 36⤵
- Executes dropped EXE
PID:2608
-
C:\Windows\SysWOW64\Egokonjc.exe | C:\Windows\system32\Egokonjc.exe | 37⤵
- Executes dropped EXE
PID:2188
-
C:\Windows\SysWOW64\Edclib32.exe | C:\Windows\system32\Edclib32.exe | 38⤵
- Executes dropped EXE
PID:2840
-
C:\Windows\SysWOW64\Fchijone.exe | C:\Windows\system32\Fchijone.exe | 39⤵
- Executes dropped EXE
PID:2816
-
C:\Windows\SysWOW64\Foafdoag.exe | C:\Windows\system32\Foafdoag.exe | 40⤵
- Executes dropped EXE
PID:1960
-
C:\Windows\SysWOW64\Fmegncpp.exe | C:\Windows\system32\Fmegncpp.exe | 41⤵
- Executes dropped EXE
PID:2432
-
C:\Windows\SysWOW64\Fgohna32.exe | C:\Windows\system32\Fgohna32.exe | 42⤵
- Executes dropped EXE
PID:1912
-
C:\Windows\SysWOW64\Gmpjagfa.exe | C:\Windows\system32\Gmpjagfa.exe | 43⤵
- Executes dropped EXE
PID:1164
-
C:\Windows\SysWOW64\Gmbfggdo.exe | C:\Windows\system32\Gmbfggdo.exe | 44⤵
- Executes dropped EXE
PID:2740
-
C:\Windows\SysWOW64\Gmecmg32.exe | C:\Windows\system32\Gmecmg32.exe | 45⤵
- Executes dropped EXE
PID:580
-
C:\Windows\SysWOW64\Gcokiaji.exe | C:\Windows\system32\Gcokiaji.exe | 46⤵
- Executes dropped EXE
PID:2940
-
C:\Windows\SysWOW64\Gmgpbf32.exe | C:\Windows\system32\Gmgpbf32.exe | 47⤵
- Executes dropped EXE
PID:2204
-
C:\Windows\SysWOW64\Hinqgg32.exe | C:\Windows\system32\Hinqgg32.exe | 48⤵
- Executes dropped EXE
PID:1532
-
C:\Windows\SysWOW64\Hnkion32.exe | C:\Windows\system32\Hnkion32.exe | 49⤵
- Executes dropped EXE
PID:2732
-
C:\Windows\SysWOW64\Hfbaql32.exe | C:\Windows\system32\Hfbaql32.exe | 50⤵
- Executes dropped EXE
PID:2020
-
C:\Windows\SysWOW64\Hbiaemkk.exe | C:\Windows\system32\Hbiaemkk.exe | 51⤵
- Executes dropped EXE
PID:2708
-
C:\Windows\SysWOW64\Hhejnc32.exe | C:\Windows\system32\Hhejnc32.exe | 52⤵
- Executes dropped EXE
PID:2108
-
C:\Windows\SysWOW64\Hbknkl32.exe | C:\Windows\system32\Hbknkl32.exe | 53⤵
- Executes dropped EXE
PID:2164
-
C:\Windows\SysWOW64\Hhhgcc32.exe | C:\Windows\system32\Hhhgcc32.exe | 54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1624
-
C:\Windows\SysWOW64\Hmeolj32.exe | C:\Windows\system32\Hmeolj32.exe | 55⤵
- Executes dropped EXE
PID:1596
-
C:\Windows\SysWOW64\Hdoghdmd.exe | C:\Windows\system32\Hdoghdmd.exe | 56⤵
- Executes dropped EXE
PID:2424
-
C:\Windows\SysWOW64\Idadnd32.exe | C:\Windows\system32\Idadnd32.exe | 57⤵
- Executes dropped EXE
PID:2340
-
C:\Windows\SysWOW64\Imiigiab.exe | C:\Windows\system32\Imiigiab.exe | 58⤵
- Executes dropped EXE
PID:2368
-
C:\Windows\SysWOW64\Idcacc32.exe | C:\Windows\system32\Idcacc32.exe | 59⤵
- Executes dropped EXE
PID:2712
-
C:\Windows\SysWOW64\Iipiljgf.exe | C:\Windows\system32\Iipiljgf.exe | 60⤵
- Executes dropped EXE
PID:1364
-
C:\Windows\SysWOW64\Ipjahd32.exe | C:\Windows\system32\Ipjahd32.exe | 61⤵
- Executes dropped EXE
PID:2700
-
C:\Windows\SysWOW64\Iegjqk32.exe | C:\Windows\system32\Iegjqk32.exe | 62⤵
- Executes dropped EXE
PID:2220
-
C:\Windows\SysWOW64\Ioooiack.exe | C:\Windows\system32\Ioooiack.exe | 63⤵
- Executes dropped EXE
PID:2584
-
C:\Windows\SysWOW64\Ihhcbf32.exe | C:\Windows\system32\Ihhcbf32.exe | 64⤵
- Executes dropped EXE
PID:1600
-
C:\Windows\SysWOW64\Jodhdp32.exe | C:\Windows\system32\Jodhdp32.exe | 65⤵
- Executes dropped EXE
PID:1120
-
C:\Windows\SysWOW64\Jdaqmg32.exe | C:\Windows\system32\Jdaqmg32.exe | 66⤵
- Executes dropped EXE
PID:2632
-
C:\Windows\SysWOW64\Jlhhndno.exe | C:\Windows\system32\Jlhhndno.exe | 67⤵
- Drops file in System32 directory
PID:1100
-
C:\Windows\SysWOW64\Jhoice32.exe | C:\Windows\system32\Jhoice32.exe | 68⤵
PID:436
-
C:\Windows\SysWOW64\Jnkakl32.exe | C:\Windows\system32\Jnkakl32.exe | 69⤵
PID:2952
-
C:\Windows\SysWOW64\Jhafhe32.exe | C:\Windows\system32\Jhafhe32.exe | 70⤵
PID:2292
-
C:\Windows\SysWOW64\Jnnnalph.exe | C:\Windows\system32\Jnnnalph.exe | 71⤵
PID:1296
-
C:\Windows\SysWOW64\Jgfcja32.exe | C:\Windows\system32\Jgfcja32.exe | 72⤵
PID:1112
-
C:\Windows\SysWOW64\Jlckbh32.exe | C:\Windows\system32\Jlckbh32.exe | 73⤵
PID:2976
-
C:\Windows\SysWOW64\Kghpoa32.exe | C:\Windows\system32\Kghpoa32.exe | 74⤵
PID:2168
-
C:\Windows\SysWOW64\Klehgh32.exe | C:\Windows\system32\Klehgh32.exe | 75⤵
PID:2904
-
C:\Windows\SysWOW64\Kgkleabc.exe | C:\Windows\system32\Kgkleabc.exe | 76⤵
PID:2568
-
C:\Windows\SysWOW64\Klhemhpk.exe | C:\Windows\system32\Klhemhpk.exe | 77⤵
PID:2360
-
C:\Windows\SysWOW64\Kbdmeoob.exe | C:\Windows\system32\Kbdmeoob.exe | 78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2012
-
C:\Windows\SysWOW64\Kljabgnh.exe | C:\Windows\system32\Kljabgnh.exe | 79⤵
PID:1632
-
C:\Windows\SysWOW64\Kbgjkn32.exe | C:\Windows\system32\Kbgjkn32.exe | 80⤵
PID:2316
-
C:\Windows\SysWOW64\Kkoncdcp.exe | C:\Windows\system32\Kkoncdcp.exe | 81⤵
PID:2932
-
C:\Windows\SysWOW64\Kdhcli32.exe | C:\Windows\system32\Kdhcli32.exe | 82⤵
PID:1888
-
C:\Windows\SysWOW64\Lomgjb32.exe | C:\Windows\system32\Lomgjb32.exe | 83⤵
PID:1688
-
C:\Windows\SysWOW64\Lhelbh32.exe | C:\Windows\system32\Lhelbh32.exe | 84⤵
PID:864
-
C:\Windows\SysWOW64\Lnbdko32.exe | C:\Windows\system32\Lnbdko32.exe | 85⤵
PID:2276
-
C:\Windows\SysWOW64\Ljieppcb.exe | C:\Windows\system32\Ljieppcb.exe | 86⤵
PID:2236
-
C:\Windows\SysWOW64\Ldoimh32.exe | C:\Windows\system32\Ldoimh32.exe | 87⤵
PID:468
-
C:\Windows\SysWOW64\Lmjnak32.exe | C:\Windows\system32\Lmjnak32.exe | 88⤵
PID:584
-
C:\Windows\SysWOW64\Lqhfhigj.exe | C:\Windows\system32\Lqhfhigj.exe | 89⤵
PID:2032
-
C:\Windows\SysWOW64\Mkaghg32.exe | C:\Windows\system32\Mkaghg32.exe | 90⤵
- Modifies registry class
PID:1068
-
C:\Windows\SysWOW64\Mfglep32.exe | C:\Windows\system32\Mfglep32.exe | 91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2112
-
C:\Windows\SysWOW64\Mkddnf32.exe | C:\Windows\system32\Mkddnf32.exe | 92⤵
PID:2748
-
C:\Windows\SysWOW64\Mgjebg32.exe | C:\Windows\system32\Mgjebg32.exe | 93⤵
- Modifies registry class
PID:2088
-
C:\Windows\SysWOW64\Macilmnk.exe | C:\Windows\system32\Macilmnk.exe | 94⤵
PID:1704
-
C:\Windows\SysWOW64\Mngjeamd.exe | C:\Windows\system32\Mngjeamd.exe | 95⤵
PID:2784
-
C:\Windows\SysWOW64\Mjnjjbbh.exe | C:\Windows\system32\Mjnjjbbh.exe | 96⤵
PID:2228
-
C:\Windows\SysWOW64\Necogkbo.exe | C:\Windows\system32\Necogkbo.exe | 97⤵
- Modifies registry class
PID:2452
-
C:\Windows\SysWOW64\Nnkcpq32.exe | C:\Windows\system32\Nnkcpq32.exe | 98⤵
PID:816
-
C:\Windows\SysWOW64\Ndhlhg32.exe | C:\Windows\system32\Ndhlhg32.exe | 99⤵
PID:2808
-
C:\Windows\SysWOW64\Njbdea32.exe | C:\Windows\system32\Njbdea32.exe | 100⤵
PID:2652
-
C:\Windows\SysWOW64\Npolmh32.exe | C:\Windows\system32\Npolmh32.exe | 101⤵
- Drops file in System32 directory
PID:1620
-
C:\Windows\SysWOW64\Nigafnck.exe | C:\Windows\system32\Nigafnck.exe | 102⤵
PID:1084
-
C:\Windows\SysWOW64\Ndmecgba.exe | C:\Windows\system32\Ndmecgba.exe | 103⤵
- Modifies registry class
PID:2296
-
C:\Windows\SysWOW64\Nenakoho.exe | C:\Windows\system32\Nenakoho.exe | 104⤵
PID:2744
-
C:\Windows\SysWOW64\Npdfhhhe.exe | C:\Windows\system32\Npdfhhhe.exe | 105⤵
PID:1568
-
C:\Windows\SysWOW64\Oiljam32.exe | C:\Windows\system32\Oiljam32.exe | 106⤵
PID:2100
-
C:\Windows\SysWOW64\Ooicid32.exe | C:\Windows\system32\Ooicid32.exe | 107⤵
PID:1072
-
C:\Windows\SysWOW64\Ohagbj32.exe | C:\Windows\system32\Ohagbj32.exe | 108⤵
PID:2096
-
C:\Windows\SysWOW64\Oajlkojn.exe | C:\Windows\system32\Oajlkojn.exe | 109⤵
- Modifies registry class
PID:1584
-
C:\Windows\SysWOW64\Olophhjd.exe | C:\Windows\system32\Olophhjd.exe | 110⤵
PID:2464
-
C:\Windows\SysWOW64\Oalhqohl.exe | C:\Windows\system32\Oalhqohl.exe | 111⤵
- Modifies registry class
PID:2444
-
C:\Windows\SysWOW64\Ohfqmi32.exe | C:\Windows\system32\Ohfqmi32.exe | 112⤵
- Modifies registry class
PID:2844
-
C:\Windows\SysWOW64\Oopijc32.exe | C:\Windows\system32\Oopijc32.exe | 113⤵
PID:2668
-
C:\Windows\SysWOW64\Pnjofo32.exe | C:\Windows\system32\Pnjofo32.exe | 114⤵
PID:1640
-
C:\Windows\SysWOW64\Pphkbj32.exe | C:\Windows\system32\Pphkbj32.exe | 115⤵
PID:1192
-
C:\Windows\SysWOW64\Pgbdodnh.exe | C:\Windows\system32\Pgbdodnh.exe | 116⤵
PID:2288
-
C:\Windows\SysWOW64\Plolgk32.exe | C:\Windows\system32\Plolgk32.exe | 117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1472
-
C:\Windows\SysWOW64\Palepb32.exe | C:\Windows\system32\Palepb32.exe | 118⤵
PID:1156
-
C:\Windows\SysWOW64\Phfmllbd.exe | C:\Windows\system32\Phfmllbd.exe | 119⤵
PID:1612
-
C:\Windows\SysWOW64\Pckajebj.exe | C:\Windows\system32\Pckajebj.exe | 120⤵
- Modifies registry class
PID:2060
-
C:\Windows\SysWOW64\Pldebkhj.exe | C:\Windows\system32\Pldebkhj.exe | 121⤵
- Modifies registry class
PID:2704
-
C:\Windows\SysWOW64\Qaqnkafa.exe | C:\Windows\system32\Qaqnkafa.exe | 122⤵
PID:2620