Analysis
-
max time kernel
146s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
06/07/2024, 21:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
530eff053d4fe303cf46ab979dc215851852b3a1f7c6d095c66f7b23f9f08c90.exe
Resource
win7-20240705-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
530eff053d4fe303cf46ab979dc215851852b3a1f7c6d095c66f7b23f9f08c90.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
530eff053d4fe303cf46ab979dc215851852b3a1f7c6d095c66f7b23f9f08c90.exe
-
Size
790KB
-
MD5
d28727224091237c54b8aff660dfb921
-
SHA1
de8c60c02f5587e81d89361a7b2d96f0b58d4e4d
-
SHA256
530eff053d4fe303cf46ab979dc215851852b3a1f7c6d095c66f7b23f9f08c90
-
SHA512
8cad0addfc2a02c06fc33a62620f29a75f5e45815aaf92b1b4da56fa0bc2b7306b10bd3dc12591b89a83cc961e48cf8eab7d7bc426f8a4bcb70762db1e4e4776
-
SSDEEP
12288:S6SevfFB24lwR45FB24lJ87g7/VycgE81lgxaa79y:lSevfPLPEoIlg17o
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfoeel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekehomj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pehebbbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odcimipf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qgfkchmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qldjdlgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efoifiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjkbpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhpejbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekghcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iaaekl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lepclldc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojndpqpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmiolk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nanfqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahfgbkpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adblnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjoilfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddbmcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihiabfhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifpnaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aejglo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beldao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llcehg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ladgkmlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhmmcjjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Befnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdngip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fedfgejh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Habili32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbhhkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnlhab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkgldm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jndflk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdoccg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nedifo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhjhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecjgio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpicbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihbdhepp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmnlhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohjkcile.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Camnge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goocenaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibillk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajipkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padccpal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccqhdmbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Llcehg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Poacighp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iafofkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qijdqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcbookpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abnopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dqinhcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gampaipe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihnjmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nknkeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhklna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gidhbgag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Empomd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhaeldn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjfmem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kaekljjo.exe -
Executes dropped EXE 64 IoCs
pid Process 2184 Kjepaa32.exe 2764 Klfmijae.exe 2808 Kcmdjgbh.exe 2684 Khojcj32.exe 2596 Khagijcd.exe 2988 Ldhgnk32.exe 2452 Lbbnjgik.exe 2388 Lkifkdjm.exe 2704 Lmhbgpia.exe 2732 Lcdjpfgh.exe 1836 Mecglbfl.exe 1992 Monhjgkj.exe 1248 Nddcimag.exe 2164 Nknkeg32.exe 3028 Nnlhab32.exe 1804 Ndfpnl32.exe 844 Nqpmimbe.exe 1508 Ncnjeh32.exe 1796 Oiahnnji.exe 824 Okpdjjil.exe 976 Ojceef32.exe 2396 Objmgd32.exe 708 Ockinl32.exe 1920 Oekehomj.exe 1712 Pgibdjln.exe 1600 Pmfjmake.exe 2648 Ppdfimji.exe 2132 Pfnoegaf.exe 2564 Pimkbbpi.exe 2960 Padccpal.exe 2888 Pcbookpp.exe 1040 Pfqlkfoc.exe 2908 Piadma32.exe 2824 Pnnmeh32.exe 1792 Pehebbbh.exe 2216 Phgannal.exe 872 Qpniokan.exe 2128 Qblfkgqb.exe 2084 Qldjdlgb.exe 2176 Qbobaf32.exe 332 Ajjgei32.exe 1976 Amhcad32.exe 1960 Adblnnbk.exe 2476 Ahpddmia.exe 892 Ammmlcgi.exe 2116 Abjeejep.exe 1932 Apnfno32.exe 1488 Ablbjj32.exe 2628 Aejnfe32.exe 1160 Amafgc32.exe 1984 Aldfcpjn.exe 2688 Abnopj32.exe 2516 Bfjkphjd.exe 2572 Blgcio32.exe 2668 Boeoek32.exe 2832 Baclaf32.exe 1292 Bhndnpnp.exe 584 Blipno32.exe 2920 Bafhff32.exe 2420 Blkmdodf.exe 928 Bceeqi32.exe 980 Bdfahaaa.exe 1408 Bnofaf32.exe 3068 Befnbd32.exe -
Loads dropped DLL 64 IoCs
pid Process 2976 530eff053d4fe303cf46ab979dc215851852b3a1f7c6d095c66f7b23f9f08c90.exe 2976 530eff053d4fe303cf46ab979dc215851852b3a1f7c6d095c66f7b23f9f08c90.exe 2184 Kjepaa32.exe 2184 Kjepaa32.exe 2764 Klfmijae.exe 2764 Klfmijae.exe 2808 Kcmdjgbh.exe 2808 Kcmdjgbh.exe 2684 Khojcj32.exe 2684 Khojcj32.exe 2596 Khagijcd.exe 2596 Khagijcd.exe 2988 Ldhgnk32.exe 2988 Ldhgnk32.exe 2452 Lbbnjgik.exe 2452 Lbbnjgik.exe 2388 Lkifkdjm.exe 2388 Lkifkdjm.exe 2704 Lmhbgpia.exe 2704 Lmhbgpia.exe 2732 Lcdjpfgh.exe 2732 Lcdjpfgh.exe 1836 Mecglbfl.exe 1836 Mecglbfl.exe 1992 Monhjgkj.exe 1992 Monhjgkj.exe 1248 Nddcimag.exe 1248 Nddcimag.exe 2164 Nknkeg32.exe 2164 Nknkeg32.exe 3028 Nnlhab32.exe 3028 Nnlhab32.exe 1804 Ndfpnl32.exe 1804 Ndfpnl32.exe 844 Nqpmimbe.exe 844 Nqpmimbe.exe 1508 Ncnjeh32.exe 1508 Ncnjeh32.exe 1796 Oiahnnji.exe 1796 Oiahnnji.exe 824 Okpdjjil.exe 824 Okpdjjil.exe 976 Ojceef32.exe 976 Ojceef32.exe 2396 Objmgd32.exe 2396 Objmgd32.exe 708 Ockinl32.exe 708 Ockinl32.exe 1920 Oekehomj.exe 1920 Oekehomj.exe 1712 Pgibdjln.exe 1712 Pgibdjln.exe 1600 Pmfjmake.exe 1600 Pmfjmake.exe 2648 Ppdfimji.exe 2648 Ppdfimji.exe 2132 Pfnoegaf.exe 2132 Pfnoegaf.exe 2564 Pimkbbpi.exe 2564 Pimkbbpi.exe 2960 Padccpal.exe 2960 Padccpal.exe 2888 Pcbookpp.exe 2888 Pcbookpp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kghmhegc.exe Kolhdbjh.exe File opened for modification C:\Windows\SysWOW64\Lkmldbcj.exe Lljkif32.exe File opened for modification C:\Windows\SysWOW64\Adblnnbk.exe Amhcad32.exe File created C:\Windows\SysWOW64\Ijimli32.exe Iaaekl32.exe File created C:\Windows\SysWOW64\Coindgbi.exe Cgbfcjag.exe File created C:\Windows\SysWOW64\Pfqlkfoc.exe Pcbookpp.exe File created C:\Windows\SysWOW64\Hpgfmeag.exe Hmijajbd.exe File created C:\Windows\SysWOW64\Hafbghhj.exe Hpgfmeag.exe File opened for modification C:\Windows\SysWOW64\Kjkbpp32.exe Klhbdclg.exe File opened for modification C:\Windows\SysWOW64\Lpldcfmd.exe Liblfl32.exe File opened for modification C:\Windows\SysWOW64\Ojkhjabc.exe Ogmkne32.exe File created C:\Windows\SysWOW64\Cfaqfh32.exe Cdpdnpif.exe File created C:\Windows\SysWOW64\Glnkcc32.exe Gipngg32.exe File created C:\Windows\SysWOW64\Ehameajg.dll Gbhcpmkm.exe File created C:\Windows\SysWOW64\Fopako32.dll Idghhf32.exe File created C:\Windows\SysWOW64\Pdleiobf.dll Ljbipolj.exe File opened for modification C:\Windows\SysWOW64\Ojndpqpq.exe Odqlhjbi.exe File created C:\Windows\SysWOW64\Aejnfe32.exe Ablbjj32.exe File created C:\Windows\SysWOW64\Doqkpl32.exe Dhgccbhp.exe File opened for modification C:\Windows\SysWOW64\Dhklna32.exe Ddppmclb.exe File opened for modification C:\Windows\SysWOW64\Qnpcpa32.exe Qjdgpcmd.exe File created C:\Windows\SysWOW64\Idlmjnop.dll Ihbdhepp.exe File created C:\Windows\SysWOW64\Aeenapck.exe Afbnec32.exe File created C:\Windows\SysWOW64\Cmpbigma.dll Bjiljf32.exe File created C:\Windows\SysWOW64\Fhoedaep.dll Emgdmc32.exe File opened for modification C:\Windows\SysWOW64\Hplphd32.exe Hpicbe32.exe File opened for modification C:\Windows\SysWOW64\Mcofid32.exe Mdlfngcc.exe File created C:\Windows\SysWOW64\Nhjdcghg.dll Oqgmmk32.exe File opened for modification C:\Windows\SysWOW64\Bhndnpnp.exe Baclaf32.exe File opened for modification C:\Windows\SysWOW64\Jojloc32.exe Jkopndcb.exe File created C:\Windows\SysWOW64\Qaqlbmbn.exe Qijdqp32.exe File created C:\Windows\SysWOW64\Ahfgbkpl.exe Abinjdad.exe File created C:\Windows\SysWOW64\Bldpiifb.exe Ahhchk32.exe File created C:\Windows\SysWOW64\Gllnnc32.exe Gimaah32.exe File opened for modification C:\Windows\SysWOW64\Liblfl32.exe Lfdpjp32.exe File created C:\Windows\SysWOW64\Amhcad32.exe Ajjgei32.exe File created C:\Windows\SysWOW64\Ncaean32.dll Fpemhb32.exe File created C:\Windows\SysWOW64\Koiillaq.dll Lfhiepbn.exe File created C:\Windows\SysWOW64\Nelafe32.dll Boobki32.exe File created C:\Windows\SysWOW64\Ikggmnae.dll Dlpbna32.exe File created C:\Windows\SysWOW64\Fkcjcede.dll Gimaah32.exe File opened for modification C:\Windows\SysWOW64\Jjfmem32.exe Jkcmjpma.exe File created C:\Windows\SysWOW64\Ebinok32.dll Nanfqo32.exe File opened for modification C:\Windows\SysWOW64\Ldhgnk32.exe Khagijcd.exe File created C:\Windows\SysWOW64\Opdnkeqd.dll Okpdjjil.exe File created C:\Windows\SysWOW64\Fikeom32.dll Mecglbfl.exe File opened for modification C:\Windows\SysWOW64\Goapjnoo.exe Gidhbgag.exe File created C:\Windows\SysWOW64\Empomd32.exe Enmnahnm.exe File opened for modification C:\Windows\SysWOW64\Gpjfcali.exe Glnkcc32.exe File created C:\Windows\SysWOW64\Emokgnoa.dll Lpckce32.exe File opened for modification C:\Windows\SysWOW64\Padccpal.exe Pimkbbpi.exe File created C:\Windows\SysWOW64\Abnopj32.exe Aldfcpjn.exe File opened for modification C:\Windows\SysWOW64\Gekhgh32.exe Goapjnoo.exe File created C:\Windows\SysWOW64\Colojben.dll Gkhaooec.exe File opened for modification C:\Windows\SysWOW64\Qjdgpcmd.exe Qgfkchmp.exe File created C:\Windows\SysWOW64\Enkcccnb.dll Adblnnbk.exe File opened for modification C:\Windows\SysWOW64\Dlpbna32.exe Cffjagko.exe File created C:\Windows\SysWOW64\Opnphfdp.dll Fedfgejh.exe File created C:\Windows\SysWOW64\Ilifndlo.exe Ihnjmf32.exe File created C:\Windows\SysWOW64\Mghfdcdi.exe Mheeif32.exe File opened for modification C:\Windows\SysWOW64\Ndlbmk32.exe Nanfqo32.exe File created C:\Windows\SysWOW64\Ggkben32.dll Opccallb.exe File opened for modification C:\Windows\SysWOW64\Bfjkphjd.exe Abnopj32.exe File created C:\Windows\SysWOW64\Kmpnop32.dll Fbfjkj32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ppdfimji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgmjdaqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllpgcjb.dll" Mheeif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bnofaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fikelhib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ikapdqoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Peqhgmdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abinjdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chmibmlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fjaoplho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfhkkc32.dll" Kepgmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lakfjp32.dll" Lpldcfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgnapb32.dll" Lchqcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adjgmhgl.dll" Ndfpnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pnnmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inngpj32.dll" Abgaeddg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bhmmcjjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bflpbe32.dll" Pfnoegaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjfmem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpanne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mdlfngcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qjdgpcmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Baqhapdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjepaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efmlqigc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdhdn32.dll" Goapjnoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmjec32.dll" Knikfnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ihnjmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbhhkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lpldcfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kabgha32.dll" Dhklna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpchmhl.dll" Dklepmal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nphpng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckobac32.dll" Hkjnenbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hpicbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdnipekj.dll" Pcmoie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkgldm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gfabkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gibkmgcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Knikfnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mecglbfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dgnminke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Egpena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Glnkcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfqnhjl.dll" Nqpmimbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Phgannal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcafg32.dll" Abnopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiakeijo.dll" Egpena32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ljbipolj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakhbifq.dll" Cniajdkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pimkbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bafhff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Epqgopbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gekhgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjfmem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nikkkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obnbpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdodmlcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bafhff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nelafe32.dll" Boobki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hmijajbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hghdjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qcjoci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbnlnmnm.dll" Lkifkdjm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2976 wrote to memory of 2184 2976 530eff053d4fe303cf46ab979dc215851852b3a1f7c6d095c66f7b23f9f08c90.exe 30 PID 2976 wrote to memory of 2184 2976 530eff053d4fe303cf46ab979dc215851852b3a1f7c6d095c66f7b23f9f08c90.exe 30 PID 2976 wrote to memory of 2184 2976 530eff053d4fe303cf46ab979dc215851852b3a1f7c6d095c66f7b23f9f08c90.exe 30 PID 2976 wrote to memory of 2184 2976 530eff053d4fe303cf46ab979dc215851852b3a1f7c6d095c66f7b23f9f08c90.exe 30 PID 2184 wrote to memory of 2764 2184 Kjepaa32.exe 31 PID 2184 wrote to memory of 2764 2184 Kjepaa32.exe 31 PID 2184 wrote to memory of 2764 2184 Kjepaa32.exe 31 PID 2184 wrote to memory of 2764 2184 Kjepaa32.exe 31 PID 2764 wrote to memory of 2808 2764 Klfmijae.exe 32 PID 2764 wrote to memory of 2808 2764 Klfmijae.exe 32 PID 2764 wrote to memory of 2808 2764 Klfmijae.exe 32 PID 2764 wrote to memory of 2808 2764 Klfmijae.exe 32 PID 2808 wrote to memory of 2684 2808 Kcmdjgbh.exe 33 PID 2808 wrote to memory of 2684 2808 Kcmdjgbh.exe 33 PID 2808 wrote to memory of 2684 2808 Kcmdjgbh.exe 33 PID 2808 wrote to memory of 2684 2808 Kcmdjgbh.exe 33 PID 2684 wrote to memory of 2596 2684 Khojcj32.exe 34 PID 2684 wrote to memory of 2596 2684 Khojcj32.exe 34 PID 2684 wrote to memory of 2596 2684 Khojcj32.exe 34 PID 2684 wrote to memory of 2596 2684 Khojcj32.exe 34 PID 2596 wrote to memory of 2988 2596 Khagijcd.exe 35 PID 2596 wrote to memory of 2988 2596 Khagijcd.exe 35 PID 2596 wrote to memory of 2988 2596 Khagijcd.exe 35 PID 2596 wrote to memory of 2988 2596 Khagijcd.exe 35 PID 2988 wrote to memory of 2452 2988 Ldhgnk32.exe 36 PID 2988 wrote to memory of 2452 2988 Ldhgnk32.exe 36 PID 2988 wrote to memory of 2452 2988 Ldhgnk32.exe 36 PID 2988 wrote to memory of 2452 2988 Ldhgnk32.exe 36 PID 2452 wrote to memory of 2388 2452 Lbbnjgik.exe 37 PID 2452 wrote to memory of 2388 2452 Lbbnjgik.exe 37 PID 2452 wrote to memory of 2388 2452 Lbbnjgik.exe 37 PID 2452 wrote to memory of 2388 2452 Lbbnjgik.exe 37 PID 2388 wrote to memory of 2704 2388 Lkifkdjm.exe 38 PID 2388 wrote to memory of 2704 2388 Lkifkdjm.exe 38 PID 2388 wrote to memory of 2704 2388 Lkifkdjm.exe 38 PID 2388 wrote to memory of 2704 2388 Lkifkdjm.exe 38 PID 2704 wrote to memory of 2732 2704 Lmhbgpia.exe 39 PID 2704 wrote to memory of 2732 2704 Lmhbgpia.exe 39 PID 2704 wrote to memory of 2732 2704 Lmhbgpia.exe 39 PID 2704 wrote to memory of 2732 2704 Lmhbgpia.exe 39 PID 2732 wrote to memory of 1836 2732 Lcdjpfgh.exe 40 PID 2732 wrote to memory of 1836 2732 Lcdjpfgh.exe 40 PID 2732 wrote to memory of 1836 2732 Lcdjpfgh.exe 40 PID 2732 wrote to memory of 1836 2732 Lcdjpfgh.exe 40 PID 1836 wrote to memory of 1992 1836 Mecglbfl.exe 41 PID 1836 wrote to memory of 1992 1836 Mecglbfl.exe 41 PID 1836 wrote to memory of 1992 1836 Mecglbfl.exe 41 PID 1836 wrote to memory of 1992 1836 Mecglbfl.exe 41 PID 1992 wrote to memory of 1248 1992 Monhjgkj.exe 42 PID 1992 wrote to memory of 1248 1992 Monhjgkj.exe 42 PID 1992 wrote to memory of 1248 1992 Monhjgkj.exe 42 PID 1992 wrote to memory of 1248 1992 Monhjgkj.exe 42 PID 1248 wrote to memory of 2164 1248 Nddcimag.exe 43 PID 1248 wrote to memory of 2164 1248 Nddcimag.exe 43 PID 1248 wrote to memory of 2164 1248 Nddcimag.exe 43 PID 1248 wrote to memory of 2164 1248 Nddcimag.exe 43 PID 2164 wrote to memory of 3028 2164 Nknkeg32.exe 44 PID 2164 wrote to memory of 3028 2164 Nknkeg32.exe 44 PID 2164 wrote to memory of 3028 2164 Nknkeg32.exe 44 PID 2164 wrote to memory of 3028 2164 Nknkeg32.exe 44 PID 3028 wrote to memory of 1804 3028 Nnlhab32.exe 45 PID 3028 wrote to memory of 1804 3028 Nnlhab32.exe 45 PID 3028 wrote to memory of 1804 3028 Nnlhab32.exe 45 PID 3028 wrote to memory of 1804 3028 Nnlhab32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\530eff053d4fe303cf46ab979dc215851852b3a1f7c6d095c66f7b23f9f08c90.exe"C:\Users\Admin\AppData\Local\Temp\530eff053d4fe303cf46ab979dc215851852b3a1f7c6d095c66f7b23f9f08c90.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Kjepaa32.exeC:\Windows\system32\Kjepaa32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Klfmijae.exeC:\Windows\system32\Klfmijae.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Kcmdjgbh.exeC:\Windows\system32\Kcmdjgbh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Khojcj32.exeC:\Windows\system32\Khojcj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Khagijcd.exeC:\Windows\system32\Khagijcd.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Ldhgnk32.exeC:\Windows\system32\Ldhgnk32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Lbbnjgik.exeC:\Windows\system32\Lbbnjgik.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Lkifkdjm.exeC:\Windows\system32\Lkifkdjm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Lmhbgpia.exeC:\Windows\system32\Lmhbgpia.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Lcdjpfgh.exeC:\Windows\system32\Lcdjpfgh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Mecglbfl.exeC:\Windows\system32\Mecglbfl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Monhjgkj.exeC:\Windows\system32\Monhjgkj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Nddcimag.exeC:\Windows\system32\Nddcimag.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Nknkeg32.exeC:\Windows\system32\Nknkeg32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Nnlhab32.exeC:\Windows\system32\Nnlhab32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Ndfpnl32.exeC:\Windows\system32\Ndfpnl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Nqpmimbe.exeC:\Windows\system32\Nqpmimbe.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Ncnjeh32.exeC:\Windows\system32\Ncnjeh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Oiahnnji.exeC:\Windows\system32\Oiahnnji.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Okpdjjil.exeC:\Windows\system32\Okpdjjil.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:824 -
C:\Windows\SysWOW64\Ojceef32.exeC:\Windows\system32\Ojceef32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976 -
C:\Windows\SysWOW64\Objmgd32.exeC:\Windows\system32\Objmgd32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Ockinl32.exeC:\Windows\system32\Ockinl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:708 -
C:\Windows\SysWOW64\Oekehomj.exeC:\Windows\system32\Oekehomj.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1920 -
C:\Windows\SysWOW64\Pgibdjln.exeC:\Windows\system32\Pgibdjln.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Pmfjmake.exeC:\Windows\system32\Pmfjmake.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Ppdfimji.exeC:\Windows\system32\Ppdfimji.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Pfnoegaf.exeC:\Windows\system32\Pfnoegaf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Pimkbbpi.exeC:\Windows\system32\Pimkbbpi.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Padccpal.exeC:\Windows\system32\Padccpal.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Pcbookpp.exeC:\Windows\system32\Pcbookpp.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Pfqlkfoc.exeC:\Windows\system32\Pfqlkfoc.exe33⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Piadma32.exeC:\Windows\system32\Piadma32.exe34⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Pnnmeh32.exeC:\Windows\system32\Pnnmeh32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Pehebbbh.exeC:\Windows\system32\Pehebbbh.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Phgannal.exeC:\Windows\system32\Phgannal.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Qpniokan.exeC:\Windows\system32\Qpniokan.exe38⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Qblfkgqb.exeC:\Windows\system32\Qblfkgqb.exe39⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Qldjdlgb.exeC:\Windows\system32\Qldjdlgb.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Qbobaf32.exeC:\Windows\system32\Qbobaf32.exe41⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Ajjgei32.exeC:\Windows\system32\Ajjgei32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:332 -
C:\Windows\SysWOW64\Amhcad32.exeC:\Windows\system32\Amhcad32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Adblnnbk.exeC:\Windows\system32\Adblnnbk.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Ahpddmia.exeC:\Windows\system32\Ahpddmia.exe45⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Ammmlcgi.exeC:\Windows\system32\Ammmlcgi.exe46⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Abjeejep.exeC:\Windows\system32\Abjeejep.exe47⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Apnfno32.exeC:\Windows\system32\Apnfno32.exe48⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Ablbjj32.exeC:\Windows\system32\Ablbjj32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1488 -
C:\Windows\SysWOW64\Aejnfe32.exeC:\Windows\system32\Aejnfe32.exe50⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Amafgc32.exeC:\Windows\system32\Amafgc32.exe51⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Aldfcpjn.exeC:\Windows\system32\Aldfcpjn.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Abnopj32.exeC:\Windows\system32\Abnopj32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Bfjkphjd.exeC:\Windows\system32\Bfjkphjd.exe54⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Blgcio32.exeC:\Windows\system32\Blgcio32.exe55⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Boeoek32.exeC:\Windows\system32\Boeoek32.exe56⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Baclaf32.exeC:\Windows\system32\Baclaf32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Bhndnpnp.exeC:\Windows\system32\Bhndnpnp.exe58⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Blipno32.exeC:\Windows\system32\Blipno32.exe59⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Bafhff32.exeC:\Windows\system32\Bafhff32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Blkmdodf.exeC:\Windows\system32\Blkmdodf.exe61⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Bceeqi32.exeC:\Windows\system32\Bceeqi32.exe62⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Bdfahaaa.exeC:\Windows\system32\Bdfahaaa.exe63⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Bnofaf32.exeC:\Windows\system32\Bnofaf32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Befnbd32.exeC:\Windows\system32\Befnbd32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Bdinnqon.exeC:\Windows\system32\Bdinnqon.exe66⤵PID:328
-
C:\Windows\SysWOW64\Bggjjlnb.exeC:\Windows\system32\Bggjjlnb.exe67⤵PID:2108
-
C:\Windows\SysWOW64\Boobki32.exeC:\Windows\system32\Boobki32.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Camnge32.exeC:\Windows\system32\Camnge32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1928 -
C:\Windows\SysWOW64\Cppobaeb.exeC:\Windows\system32\Cppobaeb.exe70⤵PID:1100
-
C:\Windows\SysWOW64\Chggdoee.exeC:\Windows\system32\Chggdoee.exe71⤵PID:2644
-
C:\Windows\SysWOW64\Cgjgol32.exeC:\Windows\system32\Cgjgol32.exe72⤵PID:1080
-
C:\Windows\SysWOW64\Cjhckg32.exeC:\Windows\system32\Cjhckg32.exe73⤵PID:2268
-
C:\Windows\SysWOW64\Caokmd32.exeC:\Windows\system32\Caokmd32.exe74⤵PID:2828
-
C:\Windows\SysWOW64\Cdngip32.exeC:\Windows\system32\Cdngip32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1372 -
C:\Windows\SysWOW64\Ccqhdmbc.exeC:\Windows\system32\Ccqhdmbc.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2848 -
C:\Windows\SysWOW64\Ckhpejbf.exeC:\Windows\system32\Ckhpejbf.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2676 -
C:\Windows\SysWOW64\Clilmbhd.exeC:\Windows\system32\Clilmbhd.exe78⤵PID:2308
-
C:\Windows\SysWOW64\Cdpdnpif.exeC:\Windows\system32\Cdpdnpif.exe79⤵
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Cfaqfh32.exeC:\Windows\system32\Cfaqfh32.exe80⤵PID:1336
-
C:\Windows\SysWOW64\Cnhhge32.exeC:\Windows\system32\Cnhhge32.exe81⤵PID:1612
-
C:\Windows\SysWOW64\Clkicbfa.exeC:\Windows\system32\Clkicbfa.exe82⤵PID:2188
-
C:\Windows\SysWOW64\Cceapl32.exeC:\Windows\system32\Cceapl32.exe83⤵PID:2156
-
C:\Windows\SysWOW64\Cgqmpkfg.exeC:\Windows\system32\Cgqmpkfg.exe84⤵PID:2660
-
C:\Windows\SysWOW64\Cjoilfek.exeC:\Windows\system32\Cjoilfek.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520 -
C:\Windows\SysWOW64\Ccgnelll.exeC:\Windows\system32\Ccgnelll.exe86⤵PID:1996
-
C:\Windows\SysWOW64\Cffjagko.exeC:\Windows\system32\Cffjagko.exe87⤵
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Dlpbna32.exeC:\Windows\system32\Dlpbna32.exe88⤵
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Dhgccbhp.exeC:\Windows\system32\Dhgccbhp.exe89⤵
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Doqkpl32.exeC:\Windows\system32\Doqkpl32.exe90⤵PID:1340
-
C:\Windows\SysWOW64\Ddmchcnd.exeC:\Windows\system32\Ddmchcnd.exe91⤵PID:2180
-
C:\Windows\SysWOW64\Dhiphb32.exeC:\Windows\system32\Dhiphb32.exe92⤵PID:2484
-
C:\Windows\SysWOW64\Dkgldm32.exeC:\Windows\system32\Dkgldm32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Ddppmclb.exeC:\Windows\system32\Ddppmclb.exe94⤵
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Dhklna32.exeC:\Windows\system32\Dhklna32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Dgnminke.exeC:\Windows\system32\Dgnminke.exe96⤵
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Ddbmcb32.exeC:\Windows\system32\Ddbmcb32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2448 -
C:\Windows\SysWOW64\Dgqion32.exeC:\Windows\system32\Dgqion32.exe98⤵PID:2916
-
C:\Windows\SysWOW64\Dklepmal.exeC:\Windows\system32\Dklepmal.exe99⤵
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Dmmbge32.exeC:\Windows\system32\Dmmbge32.exe100⤵PID:1964
-
C:\Windows\SysWOW64\Dqinhcoc.exeC:\Windows\system32\Dqinhcoc.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:960 -
C:\Windows\SysWOW64\Enmnahnm.exeC:\Windows\system32\Enmnahnm.exe102⤵
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Empomd32.exeC:\Windows\system32\Empomd32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1088 -
C:\Windows\SysWOW64\Ecjgio32.exeC:\Windows\system32\Ecjgio32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:572 -
C:\Windows\SysWOW64\Egebjmdn.exeC:\Windows\system32\Egebjmdn.exe105⤵PID:1288
-
C:\Windows\SysWOW64\Ejcofica.exeC:\Windows\system32\Ejcofica.exe106⤵PID:2560
-
C:\Windows\SysWOW64\Embkbdce.exeC:\Windows\system32\Embkbdce.exe107⤵PID:2548
-
C:\Windows\SysWOW64\Epqgopbi.exeC:\Windows\system32\Epqgopbi.exe108⤵
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Ebockkal.exeC:\Windows\system32\Ebockkal.exe109⤵PID:1512
-
C:\Windows\SysWOW64\Ejfllhao.exeC:\Windows\system32\Ejfllhao.exe110⤵PID:1952
-
C:\Windows\SysWOW64\Eiilge32.exeC:\Windows\system32\Eiilge32.exe111⤵PID:2856
-
C:\Windows\SysWOW64\Ekghcq32.exeC:\Windows\system32\Ekghcq32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3032 -
C:\Windows\SysWOW64\Ecnpdnho.exeC:\Windows\system32\Ecnpdnho.exe113⤵PID:2016
-
C:\Windows\SysWOW64\Efmlqigc.exeC:\Windows\system32\Efmlqigc.exe114⤵
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Emgdmc32.exeC:\Windows\system32\Emgdmc32.exe115⤵
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Elieipej.exeC:\Windows\system32\Elieipej.exe116⤵PID:2884
-
C:\Windows\SysWOW64\Enhaeldn.exeC:\Windows\system32\Enhaeldn.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2532 -
C:\Windows\SysWOW64\Efoifiep.exeC:\Windows\system32\Efoifiep.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2624 -
C:\Windows\SysWOW64\Egpena32.exeC:\Windows\system32\Egpena32.exe119⤵
- Modifies registry class
PID:308 -
C:\Windows\SysWOW64\Fbfjkj32.exeC:\Windows\system32\Fbfjkj32.exe120⤵
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\Fedfgejh.exeC:\Windows\system32\Fedfgejh.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1680
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-