Analysis
- max time kernel: 59s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 10/07/2024, 06:36
Static task
- static1
Behavioral task
- behavioral1
  Sample: e880a1b49741ab3dfc9d5a31b5f05139b90a591bcded9c2cfb40383056236308.exe
  Resource: win7-20240705-en
Behavioral task
- behavioral2
  Sample: e880a1b49741ab3dfc9d5a31b5f05139b90a591bcded9c2cfb40383056236308.exe
  Resource: win10v2004-20240709-en
General
- Target: e880a1b49741ab3dfc9d5a31b5f05139b90a591bcded9c2cfb40383056236308.exe
- Size: 89KB
- MD5: 4fb049d2bf095860fe5ddd56619287ba
- SHA1: 20835ade8b72d83871424a0acade4e6bf6cd7e27
- SHA256: e880a1b49741ab3dfc9d5a31b5f05139b90a591bcded9c2cfb40383056236308
- SHA512: c5ea55597c69189b2f631299de2ef498e883c83d76510f8a9b973f9c8020b756a78c1348bdb6eaddca7044c0cb684f5ece9e66144be3058b4cdfb3c7b07e5cb4
- SSDEEP: 1536:gQY+9BtECGALN88iZYkGsLvdHsRoa3nz60CQ5XelMRnHxRRQzD68a+VMKKTRVGFv:gp+9sCGCW8iZdLvdo3O0CQDRHxReyr4r
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
The key is HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (reported in \REGISTRY\MACHINE\... form below). Explorer.exe instantiates every CLSID listed under this key at logon, so a value that names an attacker-controlled COM object is a persistence mechanism. The writes land in the Wow6432Node (32-bit) view because the sample and the executables it drops run as 32-bit processes (SysWOW64 paths, arch:x86 tag). Every "Set value" row writes the same value, Web Event Logger = {79ECA078-17FF-726B-E811-213280E5C831}; the "Modifies registry class" signature further down shows that CLSID's InProcServer32 being pointed at dropped DLLs under C:\Windows\SysWow64, which is the DLL Explorer ends up loading.

Key (all rows): \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
"Set value (str)" rows write: ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"

description       Process
Key created       Gmloigln.exe
Set value (str)   Dcojbm32.exe
Key created       Pojdem32.exe
Key created       Ppiapp32.exe
Set value (str)   Kfenjq32.exe
Key created       Qamleagn.exe
Set value (str)   Boolhikf.exe
Set value (str)   Cappnf32.exe
Set value (str)   Fdlqjf32.exe
Key created       Afcbgd32.exe
Key created       Jbooen32.exe
Set value (str)   Khnqbhdi.exe
Set value (str)   Bipaodah.exe
Key created       Ieqbbl32.exe
Set value (str)   Bbapgknp.exe
Set value (str)   Aekelo32.exe
Set value (str)   Mcknjidn.exe
Key created       Eehqme32.exe
Key created       Dnpedghl.exe
Set value (str)   Epjdbn32.exe
Set value (str)   Gicpnhbb.exe
Set value (str)   Mchadifq.exe
Key created       Lndlamke.exe
Key created       Qkcdigpa.exe
Key created       Ginefe32.exe
Set value (str)   Ieligmho.exe
Set value (str)   Kmbclj32.exe
Key created       Oegflcbj.exe
Set value (str)   Fhfihd32.exe
Key created       Ldikbhfh.exe
Set value (str)   Cgjjdijo.exe
Key created       Didgig32.exe
Key created       Edhkpcdb.exe
Key created       Nmjicn32.exe
Set value (str)   Jnojjp32.exe
Key created       Cjbpoeoj.exe
Set value (str)   Fdjddf32.exe
Key created       Jlhjijpe.exe
Key created       Ebhani32.exe
Set value (str)   Kkqhbf32.exe
Key created       Mffdmfjd.exe
Set value (str)   Naokbq32.exe
Key created       Khkdmh32.exe
Set value (str)   Afcbgd32.exe
Key created       Fgnfpm32.exe
Key created       Eigpmjqg.exe
Set value (str)   Lfedlb32.exe
Key created       Dofilm32.exe
Key created       Emncci32.exe
Key created       Fkmfpabp.exe
Set value (str)   Mpaoojjb.exe
Key created       Ofbikf32.exe
Key created       Kkljfj32.exe
Set value (str)   Ahllda32.exe
Key created       Bmbkid32.exe
Set value (str)   Pmlngdhk.exe
Set value (str)   Eabeal32.exe
Set value (str)   Fnplgl32.exe
Key created       Bcbedm32.exe
Key created       Ggppdpif.exe
Key created       Agmacgcc.exe
Set value (str)   Fillabde.exe
Key created       Khkadoog.exe
Key created       Dadehh32.exe
Executes dropped EXE (64 IoCs)
The first dropped executable, Kkqhbf32.exe, is written to C:\Windows\SysWOW64 by the sample itself (see "Drops file in System32 directory") and is the second process in the tree. For the part of the chain covered by the process tree and the WriteProcessMemory records, each executable is started by the one listed before it, so this list reads as execution order.

pid    Process
2604   Kkqhbf32.exe
2192   Klbdiokf.exe
2864   Knaqcabh.exe
2788   Kobmkj32.exe
408    Khkadoog.exe
2672   Khmnio32.exe
2180   Kkljfj32.exe
944    Lddoopbi.exe
2412   Lolpah32.exe
2044   Lnambeed.exe
3064   Ldnbeokn.exe
576    Lglnajjb.exe
2152   Mmkcoq32.exe
476    Mcekkkmc.exe
2488   Mffdmfjd.exe
1916   Mifmoa32.exe
1160   Mpqekkob.exe
2208   Nnhobgag.exe
2020   Njopgh32.exe
1988   Njammhei.exe
2240   Nakeib32.exe
1632   Oppbjn32.exe
1892   Obonfj32.exe
1552   Omdbdb32.exe
1444   Obcgaill.exe
2956   Ohppjpkc.exe
2936   Ohbmppia.exe
2200   Olnipn32.exe
2656   Okailkhd.exe
2724   Phgfko32.exe
948    Pkebgj32.exe
772    Pkholjam.exe
1280   Plildb32.exe
1196   Pdpcep32.exe
2976   Pojdem32.exe
3020   Pedmbg32.exe
1100   Phbinc32.exe
2892   Ppiapp32.exe
2144   Qchmll32.exe
312    Qhdfdb32.exe
1128   Qoonqmqf.exe
896    Qcjjakip.exe
1992   Qdkfic32.exe
2416   Qlbnja32.exe
1996   Andkbien.exe
1264   Afkccffq.exe
2472   Ahioobed.exe
1832   Anfggicl.exe
448    Aqddcdbo.exe
1200   Ahllda32.exe
2808   Agolpnjl.exe
1260   Ajmhljip.exe
2664   Aqgqid32.exe
2424   Acemeo32.exe
1112   Ajoebigm.exe
1648   Aqimoc32.exe
2560   Anmnhhmd.exe
1968   Aqljdclg.exe
2624   Agebam32.exe
588    Bjdnmi32.exe
632    Bmbkid32.exe
2204   Boqgep32.exe
2148   Bbocak32.exe
1124   Bjfkbhae.exe
Loads dropped DLL (64 IoCs)
Each pid appears twice in the report (two load events per process); listed once here with the event count.

pid    Process                                                                 events
1212   e880a1b49741ab3dfc9d5a31b5f05139b90a591bcded9c2cfb40383056236308.exe   2
2604   Kkqhbf32.exe   2
2192   Klbdiokf.exe   2
2864   Knaqcabh.exe   2
2788   Kobmkj32.exe   2
408    Khkadoog.exe   2
2672   Khmnio32.exe   2
2180   Kkljfj32.exe   2
944    Lddoopbi.exe   2
2412   Lolpah32.exe   2
2044   Lnambeed.exe   2
3064   Ldnbeokn.exe   2
576    Lglnajjb.exe   2
2152   Mmkcoq32.exe   2
476    Mcekkkmc.exe   2
2488   Mffdmfjd.exe   2
1916   Mifmoa32.exe   2
1160   Mpqekkob.exe   2
2208   Nnhobgag.exe   2
2020   Njopgh32.exe   2
1988   Njammhei.exe   2
2240   Nakeib32.exe   2
1632   Oppbjn32.exe   2
1892   Obonfj32.exe   2
1552   Omdbdb32.exe   2
1444   Obcgaill.exe   2
2956   Ohppjpkc.exe   2
2936   Ohbmppia.exe   2
2200   Olnipn32.exe   2
2656   Okailkhd.exe   2
2724   Phgfko32.exe   2
948    Pkebgj32.exe   2
Drops file in System32 directory (64 IoCs)
Both .exe and .dll files are written to C:\Windows\SysWOW64. The sample's own write of Kkqhbf32.exe is the first link of the process chain, and the "opened for modification" rows on .exe files pair up with consecutive entries of the "Executes dropped EXE" list (for example Ahllda32.exe modifying Agolpnjl.exe, which is the next process started), so each process writes the executable of the next one.

description                   ioc                                 Process
File created                  C:\Windows\SysWOW64\Ldcnnnje.dll    Fhifmcfa.exe
File created                  C:\Windows\SysWOW64\Jgjgfacn.dll    Oiiilm32.exe
File opened for modification  C:\Windows\SysWOW64\Ppcmhj32.exe    Piiekp32.exe
File opened for modification  C:\Windows\SysWOW64\Dippfplg.exe    Dfbdje32.exe
File created                  C:\Windows\SysWOW64\Gjgbck32.dll    Dippfplg.exe
File created                  C:\Windows\SysWOW64\Kkqhbf32.exe    e880a1b49741ab3dfc9d5a31b5f05139b90a591bcded9c2cfb40383056236308.exe
File created                  C:\Windows\SysWOW64\Hhaiooop.dll    Peaibajp.exe
File opened for modification  C:\Windows\SysWOW64\Copljmpo.exe    Ckdpinhf.exe
File created                  C:\Windows\SysWOW64\Abfcdgde.dll    Hqemlbqi.exe
File opened for modification  C:\Windows\SysWOW64\Hogddpld.exe    Hklhca32.exe
File created                  C:\Windows\SysWOW64\Dohjfpmp.dll    Jjjdjp32.exe
File created                  C:\Windows\SysWOW64\Annpaq32.exe    Agchdfmk.exe
File created                  C:\Windows\SysWOW64\Mcegqmpg.dll    Mjbiac32.exe
File created                  C:\Windows\SysWOW64\Qndhopgo.dll    Mpaoojjb.exe
File created                  C:\Windows\SysWOW64\Pmfala32.dll    Kekkkm32.exe
File created                  C:\Windows\SysWOW64\Kcahjqfa.exe    Kpblne32.exe
File opened for modification  C:\Windows\SysWOW64\Eiimci32.exe    Eabeal32.exe
File created                  C:\Windows\SysWOW64\Koebjmbk.dll    Fokofpif.exe
File created                  C:\Windows\SysWOW64\Mhlcnl32.exe    Mbbkabdh.exe
File opened for modification  C:\Windows\SysWOW64\Oljanhmc.exe    Oepianef.exe
File opened for modification  C:\Windows\SysWOW64\Ppqqbjkm.exe    Pmbdfolj.exe
File created                  C:\Windows\SysWOW64\Epjbienl.exe    Emkfmioh.exe
File created                  C:\Windows\SysWOW64\Hjbhgolp.exe    Hbkpfa32.exe
File opened for modification  C:\Windows\SysWOW64\Peaibajp.exe    Pmjaadjm.exe
File opened for modification  C:\Windows\SysWOW64\Mhpigk32.exe    Mfamko32.exe
File opened for modification  C:\Windows\SysWOW64\Lcieef32.exe    Lomidgkl.exe
File opened for modification  C:\Windows\SysWOW64\Lhjghlng.exe    Lcmopepp.exe
File created                  C:\Windows\SysWOW64\Ppmkilbp.exe    Oegflcbj.exe
File opened for modification  C:\Windows\SysWOW64\Cbfeam32.exe    Cllmdcej.exe
File opened for modification  C:\Windows\SysWOW64\Jpfcohfk.exe    Jepoao32.exe
File opened for modification  C:\Windows\SysWOW64\Mkqbhf32.exe    Mhbflj32.exe
File opened for modification  C:\Windows\SysWOW64\Nmjicn32.exe    Nfppfcmj.exe
File created                  C:\Windows\SysWOW64\Mjhlcioh.dll    Dogbolep.exe
File created                  C:\Windows\SysWOW64\Ecmmbajg.dll    Pedokpcm.exe
File created                  C:\Windows\SysWOW64\Bkjdpp32.exe    Beplcfmd.exe
File opened for modification  C:\Windows\SysWOW64\Eoalpaaa.exe    Egfglocf.exe
File created                  C:\Windows\SysWOW64\Icjmpd32.exe    Ilceog32.exe
File created                  C:\Windows\SysWOW64\Leaallcb.exe    Lccepqdo.exe
File created                  C:\Windows\SysWOW64\Gckdggfq.dll    Lddoopbi.exe
File created                  C:\Windows\SysWOW64\Jepoao32.exe    Jdobjgqg.exe
File opened for modification  C:\Windows\SysWOW64\Lnlmmo32.exe    Lfedlb32.exe
File opened for modification  C:\Windows\SysWOW64\Cedbmi32.exe    Cbfeam32.exe
File opened for modification  C:\Windows\SysWOW64\Gmloigln.exe    Gfbfln32.exe
File created                  C:\Windows\SysWOW64\Qenpjecb.dll    Ofklpa32.exe
File created                  C:\Windows\SysWOW64\Idjfdadn.dll    Lgejidgn.exe
File opened for modification  C:\Windows\SysWOW64\Nndhpqma.exe    Mkelcenm.exe
File created                  C:\Windows\SysWOW64\Nffpfe32.dll    Pmijgn32.exe
File created                  C:\Windows\SysWOW64\Aimkeb32.exe    Agonig32.exe
File created                  C:\Windows\SysWOW64\Didlinpd.dll    Aimkeb32.exe
File opened for modification  C:\Windows\SysWOW64\Agolpnjl.exe    Ahllda32.exe
File created                  C:\Windows\SysWOW64\Fbmcblai.dll    Agebam32.exe
File created                  C:\Windows\SysWOW64\Pcfjelcc.dll    Fghppa32.exe
File created                  C:\Windows\SysWOW64\Ckkmkh32.dll    Hggeeo32.exe
File opened for modification  C:\Windows\SysWOW64\Jafilj32.exe    Johlpoij.exe
File created                  C:\Windows\SysWOW64\Cmgpcg32.exe    Ccolja32.exe
File opened for modification  C:\Windows\SysWOW64\Edhkpcdb.exe    Emncci32.exe
File opened for modification  C:\Windows\SysWOW64\Fdjddf32.exe    Fnplgl32.exe
File created                  C:\Windows\SysWOW64\Kdoiblpd.dll    Cmmcae32.exe
File created                  C:\Windows\SysWOW64\Mhdcbjal.exe    Mffgfo32.exe
File created                  C:\Windows\SysWOW64\Mckahlgg.dll    Gmjbchnq.exe
File created                  C:\Windows\SysWOW64\Lphlck32.exe    Lllpclnk.exe
File opened for modification  C:\Windows\SysWOW64\Plfhdlfb.exe    Pelpgb32.exe
File opened for modification  C:\Windows\SysWOW64\Jidngh32.exe    Jffakm32.exe
File opened for modification  C:\Windows\SysWOW64\Lppkgi32.exe    Ljfckodo.exe
Program crash (1 IoC)
pid    pid_target   Process        procid_target
6204   7104         WerFault.exe   689
WerFault.exe (PID 6204) handled a crash of PID 7104 (procid_target 689). That PID is not among the thirteen processes of the tree reproduced below.
Modifies registry class (64 IoCs)
All 64 writes go to the InProcServer32 key of the single CLSID {79ECA078-17FF-726B-E811-213280E5C831}, the same CLSID registered under ShellServiceObjectDelayLoad above. The (Default) value of InProcServer32 names the DLL that COM loads for the object, and one process after another rewrites it to a different freshly dropped DLL under C:\Windows\SysWow64 (Cfllpb32.dll, Jgnqdb32.dll, Jfhjpckd.dll, ...), so the on-disk payload path changes from one generation to the next while the CLSID and the SSODL entry stay constant. ThreadingModel is set to "Apartment". When hunting, pivot on the CLSID and the "Web Event Logger" value name rather than on any single DLL name.

Key (all rows): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32
(DLL paths are shown with the report's doubled backslashes collapsed.)

description       value                                            Process
Set value (str)   (Default) = "C:\Windows\SysWow64\Cfllpb32.dll"   Gafcahil.exe
Key created                                                        Ldndng32.exe
Key created                                                        Olnipn32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Jgnqdb32.dll"   Pedmbg32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Jfhjpckd.dll"   Cmgpcg32.exe
Key created                                                        Copljmpo.exe
Key created                                                        Kdeehe32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Mcinbihe.dll"   Kocodbpk.exe
Key created                                                        Annpaq32.exe
Set value (str)   ThreadingModel = "Apartment"                     Fhccoe32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Qfcnmmom.dll"   Mnlilb32.exe
Set value (str)   ThreadingModel = "Apartment"                     Dmopge32.exe
Key created                                                        Khkdmh32.exe
Key created                                                        Dnbbjf32.exe
Key created                                                        Lomidgkl.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Libghd32.dll"   Nglmifca.exe
Key created                                                        Ppiapp32.exe
Key created                                                        Fhlogo32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Mheohk32.dll"   Jmpqbnmp.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Eddkbl32.dll"   Mbbkabdh.exe
Key created                                                        Mnfhfmhc.exe
Key created                                                        Mkqbhf32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Koocqj32.dll"   Fkbadifn.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Fpggcbki.dll"   Emceag32.exe
Key created                                                        Kplfmfmf.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Bnaacb32.dll"   Pojgnf32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Dcelqihb.dll"   Dcojbm32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Fbgdlq32.dll"   Gdmcbojl.exe
Key created                                                        Cbfeam32.exe
Set value (str)   ThreadingModel = "Apartment"                     Eocieq32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Knngob32.dll"   Ibbffq32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Jkkleb32.dll"   Ahllda32.exe
Key created                                                        Bohoogbk.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Faefoo32.dll"   Kokppd32.exe
Key created                                                        Abjcleqm.exe
Key created                                                        Cfekkgla.exe
Set value (str)   ThreadingModel = "Apartment"                     Lllihf32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Enckek32.dll"   Fhaibnim.exe
Key created                                                        Aglhph32.exe
Key created                                                        Cneiki32.exe
Set value (str)   ThreadingModel = "Apartment"                     Jafilj32.exe
Key created                                                        Blejgm32.exe
Key created                                                        Hancef32.exe
Key created                                                        Cghkepdm.exe
Key created                                                        Qggoeilh.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Djjafk32.dll"   Cgkanomj.exe
Key created                                                        Cmjoaofc.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Jfffhk32.dll"   Faljqcmk.exe
Set value (str)   ThreadingModel = "Apartment"                     Bjdnmi32.exe
Set value (str)   ThreadingModel = "Apartment"                     Bjlnaghp.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Dienco32.dll"   Akfaof32.exe
Set value (str)   ThreadingModel = "Apartment"                     Cjfgalcq.exe
Key created                                                        Fnplgl32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Jkgpdidf.dll"   Fdlqjf32.exe
Key created                                                        Hgbhibio.exe
Key created                                                        Fillabde.exe
Key created                                                        Hpjgdf32.exe
Key created                                                        Apgcbmha.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Nfbgen32.dll"   Ginefe32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Inofameg.dll"   Hqhiab32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Nkfomk32.dll"   Bklaepbn.exe
Set value (str)   ThreadingModel = "Apartment"                     Mdcdcmai.exe
Set value (str)   ThreadingModel = "Apartment"                     Eecgafkj.exe
Set value (str)   ThreadingModel = "Apartment"                     Klbfbg32.exe
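The two registry signatures ("Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class") only become a persistence finding when they are joined on the CLSID: a ShellServiceObjectDelayLoad value whose data is a CLSID, plus an InProcServer32 (Default) value for that same CLSID that names a DLL. The Python below is an added example, not part of the sandbox report or its tooling. It runs that correlation over constructed registry-write records modelled on rows from the two tables above; the RegEvent field names, the sample event list and the benign control entry with a placeholder CLSID are this example's own assumptions. For each CLSID present on both sides it reports the SSODL value name, every DLL the server was pointed at in write order, and the processes that wrote them; an SSODL entry with no InProcServer32 write, or the reverse, produces no alert.

```python
"""Join ShellServiceObjectDelayLoad (SSODL) writes to CLSID InProcServer32 writes.

Added example; not code from the sandbox report. Records are constructed from the
report's IoC tables; field names and the control entry are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# {8-4-4-4-12} hex GUID in braces, the only data an SSODL value should hold.
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Key paths in the sandbox's \REGISTRY\MACHINE\... (HKLM) notation. Both the native
# and the Wow6432Node (32-bit) views are matched; the registry is case-insensitive.
SSODL_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows"
    r"\\CurrentVersion\\ShellServiceObjectDelayLoad$", re.IGNORECASE)
INPROC_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?:Wow6432Node\\)?CLSID\\"
    r"(\{[0-9A-Fa-f-]{36}\})\\InProcServer32$", re.IGNORECASE)


@dataclass(frozen=True)
class RegEvent:
    process: str          # writing process, as the sandbox names it
    action: str           # "Key created" or "Set value (str)"
    key: str              # key path in \REGISTRY\MACHINE form
    value_name: str = ""  # "" is the (Default) value
    data: str = ""        # string data written


def correlate(events: List[RegEvent]) -> List[dict]:
    """Return one alert per CLSID that is both listed in SSODL and given an InProcServer32 DLL."""
    ssodl: Dict[str, dict] = {}   # CLSID -> {"values": value names, "writers": processes}
    inproc: Dict[str, dict] = {}  # CLSID -> {"dlls": paths in write order, "writers": processes}
    for ev in events:
        if ev.action != "Set value (str)":
            continue  # key creation alone carries no payload
        if SSODL_RE.match(ev.key) and CLSID_RE.match(ev.data):
            slot = ssodl.setdefault(ev.data.upper(), {"values": set(), "writers": set()})
            slot["values"].add(ev.value_name)
            slot["writers"].add(ev.process)
            continue
        m = INPROC_RE.match(ev.key)
        if m and ev.value_name == "":  # (Default) of InProcServer32 = DLL that COM will load
            slot = inproc.setdefault(m.group(1).upper(), {"dlls": [], "writers": set()})
            if ev.data not in slot["dlls"]:
                slot["dlls"].append(ev.data)
            slot["writers"].add(ev.process)
    alerts = []
    for clsid, payload in inproc.items():
        entry = ssodl.get(clsid)
        if entry is None:
            continue  # a COM server with no SSODL entry is not Explorer-loaded persistence
        alerts.append({
            "clsid": clsid,
            "ssodl_values": sorted(entry["values"]),
            "dlls": list(payload["dlls"]),
            "repointed": len(payload["dlls"]) > 1,  # server path changed over time
            "writers": sorted(entry["writers"] | payload["writers"]),
        })
    return alerts


def describe(alert: dict) -> str:
    """One-line summary for a ticket or SIEM note."""
    n = len(alert["dlls"]) - 1
    state = f"re-pointed {n} time{'s' if n != 1 else ''}" if alert["repointed"] else "single server"
    return (f"SSODL persistence: {alert['clsid']} via {', '.join(alert['ssodl_values'])} "
            f"-> {alert['dlls'][-1]} ({state}; writers: {', '.join(alert['writers'])})")


SSODL_KEY = r"\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
INPROC_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID"
              r"\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32")
CLSID = "{79ECA078-17FF-726B-E811-213280E5C831}"

# Constructed from rows of the report's two registry signatures, plus one control entry.
SAMPLE_EVENTS = [
    RegEvent("Gmloigln.exe", "Key created", SSODL_KEY),
    RegEvent("Dcojbm32.exe", "Set value (str)", SSODL_KEY, "Web Event Logger", CLSID),
    RegEvent("Ldndng32.exe", "Key created", INPROC_KEY),
    RegEvent("Gafcahil.exe", "Set value (str)", INPROC_KEY, "", r"C:\Windows\SysWow64\Cfllpb32.dll"),
    RegEvent("Fhccoe32.exe", "Set value (str)", INPROC_KEY, "ThreadingModel", "Apartment"),
    RegEvent("Pedmbg32.exe", "Set value (str)", INPROC_KEY, "", r"C:\Windows\SysWow64\Jgnqdb32.dll"),
    RegEvent("Kfenjq32.exe", "Set value (str)", SSODL_KEY, "Web Event Logger", CLSID),
    # Hypothetical control (not from the report): SSODL entry whose CLSID never gets a server.
    RegEvent("control.exe", "Set value (str)", SSODL_KEY, "ExampleEntry",
             "{00000000-0000-0000-0000-000000000001}"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(describe(alert))
```

Against live telemetry the same two matches apply to Sysmon Event ID 13 (value set) records after normalising the key prefix from HKLM\ to \REGISTRY\MACHINE\; the regexes already accept the native key alongside the Wow6432Node view, which matters because a 64-bit dropper would write the former.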
Suspicious use of WriteProcessMemory (64 IoCs)
The 64 rows are 16 distinct parent -> child pairs, each recorded four times (four writes into the child). Every process writes only into the process it launches next, the same straight chain the process tree shows.

PID    Process                                                                 -> target PID   procid_target   writes
1212   e880a1b49741ab3dfc9d5a31b5f05139b90a591bcded9c2cfb40383056236308.exe   -> 2604          30              4
2604   Kkqhbf32.exe   -> 2192   31   4
2192   Klbdiokf.exe   -> 2864   32   4
2864   Knaqcabh.exe   -> 2788   33   4
2788   Kobmkj32.exe   -> 408    34   4
408    Khkadoog.exe   -> 2672   35   4
2672   Khmnio32.exe   -> 2180   36   4
2180   Kkljfj32.exe   -> 944    37   4
944    Lddoopbi.exe   -> 2412   38   4
2412   Lolpah32.exe   -> 2044   39   4
2044   Lnambeed.exe   -> 3064   40   4
3064   Ldnbeokn.exe   -> 576    41   4
576    Lglnajjb.exe   -> 2152   42   4
2152   Mmkcoq32.exe   -> 476    43   4
476    Mcekkkmc.exe   -> 2488   44   4
2488   Mffdmfjd.exe   -> 1916   45   4
Processes

Process tree as recorded by the sandbox. Each entry is the child of the entry above it; the number is its depth in the chain, followed by the image path, the command line as recorded, the PID, and the behaviour signatures that process triggered. Command lines name C:\Windows\system32 while the image resolves to C:\Windows\SysWOW64 because these are 32-bit processes on x64 and WoW64 file-system redirection applies.

1. C:\Users\Admin\AppData\Local\Temp\e880a1b49741ab3dfc9d5a31b5f05139b90a591bcded9c2cfb40383056236308.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\e880a1b49741ab3dfc9d5a31b5f05139b90a591bcded9c2cfb40383056236308.exe"; PID 1212)
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Kkqhbf32.exe (cmd: C:\Windows\system32\Kkqhbf32.exe; PID 2604)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Klbdiokf.exe (cmd: C:\Windows\system32\Klbdiokf.exe; PID 2192)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Knaqcabh.exe (cmd: C:\Windows\system32\Knaqcabh.exe; PID 2864)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Kobmkj32.exe (cmd: C:\Windows\system32\Kobmkj32.exe; PID 2788)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Khkadoog.exe (cmd: C:\Windows\system32\Khkadoog.exe; PID 408)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Khmnio32.exe (cmd: C:\Windows\system32\Khmnio32.exe; PID 2672)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Kkljfj32.exe (cmd: C:\Windows\system32\Kkljfj32.exe; PID 2180)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Lddoopbi.exe (cmd: C:\Windows\system32\Lddoopbi.exe; PID 944)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Lolpah32.exe (cmd: C:\Windows\system32\Lolpah32.exe; PID 2412)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Lnambeed.exe (cmd: C:\Windows\system32\Lnambeed.exe; PID 2044)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Ldnbeokn.exe (cmd: C:\Windows\system32\Ldnbeokn.exe; PID 3064)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Lglnajjb.exe (cmd: C:\Windows\system32\Lglnajjb.exe; PID 576)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Mmkcoq32.exe (cmd: C:\Windows\system32\Mmkcoq32.exe; PID 2152)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Mcekkkmc.exe (cmd: C:\Windows\system32\Mcekkkmc.exe; PID 476)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Mffdmfjd.exe (cmd: C:\Windows\system32\Mffdmfjd.exe; PID 2488)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Mifmoa32.exe (cmd: C:\Windows\system32\Mifmoa32.exe; PID 1916)
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Mpqekkob.exe (cmd: C:\Windows\system32\Mpqekkob.exe; PID 1160)
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Nnhobgag.exe (cmd: C:\Windows\system32\Nnhobgag.exe; PID 2208)
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Njopgh32.exe (cmd: C:\Windows\system32\Njopgh32.exe; PID 2020)
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Njammhei.exe (cmd: C:\Windows\system32\Njammhei.exe; PID 1988)
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Nakeib32.exe (cmd: C:\Windows\system32\Nakeib32.exe; PID 2240)
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Oppbjn32.exe (cmd: C:\Windows\system32\Oppbjn32.exe; PID 1632)
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Obonfj32.exe (cmd: C:\Windows\system32\Obonfj32.exe; PID 1892)
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Omdbdb32.exe (cmd: C:\Windows\system32\Omdbdb32.exe; PID 1552)
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Obcgaill.exe (cmd: C:\Windows\system32\Obcgaill.exe; PID 1444)
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Ohppjpkc.exe (cmd: C:\Windows\system32\Ohppjpkc.exe; PID 2956)
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Ohbmppia.exe (cmd: C:\Windows\system32\Ohbmppia.exe; PID 2936)
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Olnipn32.exe (cmd: C:\Windows\system32\Olnipn32.exe; PID 2200)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
30. C:\Windows\SysWOW64\Okailkhd.exe (cmd: C:\Windows\system32\Okailkhd.exe; PID 2656)
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Phgfko32.exe (cmd: C:\Windows\system32\Phgfko32.exe; PID 2724)
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Windows\SysWOW64\Pkebgj32.exe (cmd: C:\Windows\system32\Pkebgj32.exe; PID 948)
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Pkholjam.exe (cmd: C:\Windows\system32\Pkholjam.exe; PID 772)
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Plildb32.exe (cmd: C:\Windows\system32\Plildb32.exe; PID 1280)
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Pdpcep32.exe (cmd: C:\Windows\system32\Pdpcep32.exe; PID 1196)
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Pojdem32.exe (cmd: C:\Windows\system32\Pojdem32.exe; PID 2976)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Pedmbg32.exe (cmd: C:\Windows\system32\Pedmbg32.exe; PID 3020)
   - Executes dropped EXE
   - Modifies registry class
38. C:\Windows\SysWOW64\Phbinc32.exe (cmd: C:\Windows\system32\Phbinc32.exe; PID 1100)
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Ppiapp32.exe (cmd: C:\Windows\system32\Ppiapp32.exe; PID 2892)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
40. C:\Windows\SysWOW64\Qchmll32.exe (cmd: C:\Windows\system32\Qchmll32.exe; PID 2144)
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Qhdfdb32.exe (cmd: C:\Windows\system32\Qhdfdb32.exe; PID 312)
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Qoonqmqf.exe (cmd: C:\Windows\system32\Qoonqmqf.exe; PID 1128)
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Qcjjakip.exe (cmd: C:\Windows\system32\Qcjjakip.exe; PID 896)
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Qdkfic32.exe (cmd: C:\Windows\system32\Qdkfic32.exe; PID 1992)
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Qlbnja32.exe (cmd: C:\Windows\system32\Qlbnja32.exe; PID 2416)
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Andkbien.exe (cmd: C:\Windows\system32\Andkbien.exe; PID 1996)
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Afkccffq.exe (cmd: C:\Windows\system32\Afkccffq.exe; PID 1264)
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Ahioobed.exe (cmd: C:\Windows\system32\Ahioobed.exe; PID 2472)
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Anfggicl.exe (cmd: C:\Windows\system32\Anfggicl.exe; PID 1832)
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Aqddcdbo.exe (cmd: C:\Windows\system32\Aqddcdbo.exe; PID 448)
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Ahllda32.exe (cmd: C:\Windows\system32\Ahllda32.exe; PID 1200)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
52. C:\Windows\SysWOW64\Agolpnjl.exe (cmd: C:\Windows\system32\Agolpnjl.exe; PID 2808)
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Ajmhljip.exe (cmd: C:\Windows\system32\Ajmhljip.exe; PID 1260)
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Aqgqid32.exe (cmd: C:\Windows\system32\Aqgqid32.exe; PID 2664)
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Acemeo32.exe (cmd: C:\Windows\system32\Acemeo32.exe; PID 2424)
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Ajoebigm.exe (cmd: C:\Windows\system32\Ajoebigm.exe; PID 1112)
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Aqimoc32.exe (cmd: C:\Windows\system32\Aqimoc32.exe; PID 1648)
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Anmnhhmd.exe (cmd: C:\Windows\system32\Anmnhhmd.exe; PID 2560)
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Aqljdclg.exe (cmd: C:\Windows\system32\Aqljdclg.exe; PID 1968)
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Agebam32.exe (cmd: C:\Windows\system32\Agebam32.exe; PID 2624)
   - Executes dropped EXE
   - Drops file in System32 directory
61. C:\Windows\SysWOW64\Bjdnmi32.exe (cmd: C:\Windows\system32\Bjdnmi32.exe; PID 588)
   - Executes dropped EXE
   - Modifies registry class
62. C:\Windows\SysWOW64\Bmbkid32.exe (cmd: C:\Windows\system32\Bmbkid32.exe; PID 632)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Boqgep32.exe (cmd: C:\Windows\system32\Boqgep32.exe; PID 2204)
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Bbocak32.exe (cmd: C:\Windows\system32\Bbocak32.exe; PID 2148)
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Bjfkbhae.exe (cmd: C:\Windows\system32\Bjfkbhae.exe; PID 1124)
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Bmegodpi.exe (cmd: C:\Windows\system32\Bmegodpi.exe; PID 1448)
67. C:\Windows\SysWOW64\Bocckoom.exe (cmd: C:\Windows\system32\Bocckoom.exe; PID 2916)
68. C:\Windows\SysWOW64\Bbapgknp.exe (cmd: C:\Windows\system32\Bbapgknp.exe; PID 1324)
   - Adds autorun key to be loaded by Explorer.exe on startup
69. C:\Windows\SysWOW64\Beplcfmd.exe (cmd: C:\Windows\system32\Beplcfmd.exe; PID 1060)
   - Drops file in System32 directory
70. C:\Windows\SysWOW64\Bkjdpp32.exe (cmd: C:\Windows\system32\Bkjdpp32.exe; PID 1468)
71. C:\Windows\SysWOW64\Bineidcj.exe (cmd: C:\Windows\system32\Bineidcj.exe; PID 1656)
72. C:\Windows\SysWOW64\Bklaepbn.exe (cmd: C:\Windows\system32\Bklaepbn.exe; PID 1436)
   - Modifies registry class
73. C:\Windows\SysWOW64\Bnkmakbb.exe (cmd: C:\Windows\system32\Bnkmakbb.exe; PID 2868)
74. C:\Windows\SysWOW64\Bipaodah.exe (cmd: C:\Windows\system32\Bipaodah.exe; PID 2964)
   - Adds autorun key to be loaded by Explorer.exe on startup
75. C:\Windows\SysWOW64\Bnmjgkpo.exe (cmd: C:\Windows\system32\Bnmjgkpo.exe; PID 2716)
76. C:\Windows\SysWOW64\Cakfcfoc.exe (cmd: C:\Windows\system32\Cakfcfoc.exe; PID 2116)
77. C:\Windows\SysWOW64\Cjdkllec.exe (cmd: C:\Windows\system32\Cjdkllec.exe; PID 2064)
78. C:\Windows\SysWOW64\Cancif32.exe (cmd: C:\Windows\system32\Cancif32.exe; PID 2384)
79. C:\Windows\SysWOW64\Cghkepdm.exe (cmd: C:\Windows\system32\Cghkepdm.exe; PID 3024)
   - Modifies registry class
80. C:\Windows\SysWOW64\Cjfgalcq.exe (cmd: C:\Windows\system32\Cjfgalcq.exe; PID 2316)
   - Modifies registry class
81. C:\Windows\SysWOW64\Cappnf32.exe (cmd: C:\Windows\system32\Cappnf32.exe; PID 584)
   - Adds autorun key to be loaded by Explorer.exe on startup
82. C:\Windows\SysWOW64\Ccolja32.exe (cmd: C:\Windows\system32\Ccolja32.exe; PID 2136)
   - Drops file in System32 directory
83. C:\Windows\SysWOW64\Cmgpcg32.exe (cmd: C:\Windows\system32\Cmgpcg32.exe; PID 884)
   - Modifies registry class
84. C:\Windows\SysWOW64\Cpemob32.exe (cmd: C:\Windows\system32\Cpemob32.exe; PID 1688)
85. C:\Windows\SysWOW64\Cbcikn32.exe (cmd: C:\Windows\system32\Cbcikn32.exe; PID 2540)
86. C:\Windows\SysWOW64\Cjkamk32.exe (cmd: C:\Windows\system32\Cjkamk32.exe; PID 2992)
87. C:\Windows\SysWOW64\Cllmdcej.exe (cmd: C:\Windows\system32\Cllmdcej.exe; PID 2620)
   - Drops file in System32 directory
88. C:\Windows\SysWOW64\Cbfeam32.exe (cmd: C:\Windows\system32\Cbfeam32.exe; PID 1944)
   - Drops file in System32 directory
   - Modifies registry class
89. C:\Windows\SysWOW64\Cedbmi32.exe (cmd: C:\Windows\system32\Cedbmi32.exe; PID 2568)
90. C:\Windows\SysWOW64\Cipnng32.exe (cmd: C:\Windows\system32\Cipnng32.exe; PID 2988)
91. C:\Windows\SysWOW64\Dlnjjc32.exe (cmd: C:\Windows\system32\Dlnjjc32.exe; PID 748)
92. C:\Windows\SysWOW64\Dfdngl32.exe (cmd: C:\Windows\system32\Dfdngl32.exe; PID 2828)
93. C:\Windows\SysWOW64\Dhekodik.exe (cmd: C:\Windows\system32\Dhekodik.exe; PID 2684)
94. C:\Windows\SysWOW64\Dplbpaim.exe (cmd: C:\Windows\system32\Dplbpaim.exe; PID 2388)
95. C:\Windows\SysWOW64\Dbkolmia.exe (cmd: C:\Windows\system32\Dbkolmia.exe; PID 2580)
96. C:\Windows\SysWOW64\Didgig32.exe (cmd: C:\Windows\system32\Didgig32.exe; PID 2196)
   - Adds autorun key to be loaded by Explorer.exe on startup
97. C:\Windows\SysWOW64\Dhggdcgh.exe (cmd: C:\Windows\system32\Dhggdcgh.exe; PID 1940)
98. C:\Windows\SysWOW64\Doapanne.exe (cmd: C:\Windows\system32\Doapanne.exe; PID 1232)
99. C:\Windows\SysWOW64\Daplmimi.exe (cmd: C:\Windows\system32\Daplmimi.exe; PID 2912)
100. C:\Windows\SysWOW64\Dhjdjc32.exe (cmd: C:\Windows\system32\Dhjdjc32.exe; PID 2092)
101. C:\Windows\SysWOW64\Dmgmbj32.exe (cmd: C:\Windows\system32\Dmgmbj32.exe; PID 2528)
102. C:\Windows\SysWOW64\Ddqeodjj.exe (cmd: C:\Windows\system32\Ddqeodjj.exe; PID 1696)
103. C:\Windows\SysWOW64\Dhlapc32.exe (cmd: C:\Windows\system32\Dhlapc32.exe; PID 2996)
104. C:\Windows\SysWOW64\Dofilm32.exe (cmd: C:\Windows\system32\Dofilm32.exe; PID 1700)
   - Adds autorun key to be loaded by Explorer.exe on startup
105. C:\Windows\SysWOW64\Dadehh32.exe (cmd: C:\Windows\system32\Dadehh32.exe; PID 2616)
   - Adds autorun key to be loaded by Explorer.exe on startup
106. C:\Windows\SysWOW64\Emkfmioh.exe (cmd: C:\Windows\system32\Emkfmioh.exe; PID 2392)
   - Drops file in System32 directory
107. C:\Windows\SysWOW64\Epjbienl.exe (cmd: C:\Windows\system32\Epjbienl.exe; PID 3004)
108. C:\Windows\SysWOW64\Echoepmo.exe (cmd: C:\Windows\system32\Echoepmo.exe; PID 2820)
109. C:\Windows\SysWOW64\Ekofgnna.exe (cmd: C:\Windows\system32\Ekofgnna.exe; PID 1076)
110. C:\Windows\SysWOW64\Emncci32.exe (cmd: C:\Windows\system32\Emncci32.exe; PID 2876)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
111. C:\Windows\SysWOW64\Edhkpcdb.exe (cmd: C:\Windows\system32\Edhkpcdb.exe; PID 1684)
   - Adds autorun key to be loaded by Explorer.exe on startup
112. C:\Windows\SysWOW64\Egfglocf.exe (cmd: C:\Windows\system32\Egfglocf.exe; PID 2888)
   - Drops file in System32 directory
113. C:\Windows\SysWOW64\Eoalpaaa.exe (cmd: C:\Windows\system32\Eoalpaaa.exe; PID 1620)
114. C:\Windows\SysWOW64\Ecmhqp32.exe (cmd: C:\Windows\system32\Ecmhqp32.exe; PID 1452)
115. C:\Windows\SysWOW64\Eigpmjqg.exe (cmd: C:\Windows\system32\Eigpmjqg.exe; PID 1532)
   - Adds autorun key to be loaded by Explorer.exe on startup
116. C:\Windows\SysWOW64\Epqhjdhc.exe (cmd: C:\Windows\system32\Epqhjdhc.exe; PID 2300)
117. C:\Windows\SysWOW64\Eocieq32.exe (cmd: C:\Windows\system32\Eocieq32.exe; PID 1268)
   - Modifies registry class
118. C:\Windows\SysWOW64\Eabeal32.exe (cmd: C:\Windows\system32\Eabeal32.exe; PID 1568)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
119. C:\Windows\SysWOW64\Eiimci32.exe (cmd: C:\Windows\system32\Eiimci32.exe; PID 2968)
120. C:\Windows\SysWOW64\Ekjikadb.exe (cmd: C:\Windows\system32\Ekjikadb.exe; PID 2772)
121. C:\Windows\SysWOW64\Fcaaloed.exe (cmd: C:\Windows\system32\Fcaaloed.exe; PID 2728)
122. C:\Windows\SysWOW64\Fepnhjdh.exe (cmd: C:\Windows\system32\Fepnhjdh.exe; PID 2396)