Analysis
-
max time kernel
28s -
max time network
39s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
11-03-2024 02:13
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
fe86ff239d906f579b5a5111706838dfa1bdc4fc0530c4f6d1483028e952188c.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
fe86ff239d906f579b5a5111706838dfa1bdc4fc0530c4f6d1483028e952188c.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
fe86ff239d906f579b5a5111706838dfa1bdc4fc0530c4f6d1483028e952188c.exe
-
Size
173KB
-
MD5
2cf649b59dd1368d8d49b6cb4e88ef84
-
SHA1
4a65f444d72954bbcae631db98071e8dd437338a
-
SHA256
fe86ff239d906f579b5a5111706838dfa1bdc4fc0530c4f6d1483028e952188c
-
SHA512
98fd9e3c61675c1ea7750c73dc9a898cb6575acdc95e9dbc4f07f2e12ccbc6c17dec370346aafc0ad5aac36f7ef432b680b6a887af752d0aa10b24d5b0ee41db
-
SSDEEP
3072:142APh9GR6jVHFAB+s/vacknVwNtvSO06+ebX:AJQR6jVHFlsHhYyNtvSO0e
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhcpgmjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhqaefng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfolbmje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeiofcji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipckgh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbimoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkopnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqkgpedc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bagflcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaedgjjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dephckaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jplmmfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjcgohig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnapdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajfoiqll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddbbeade.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkmlofol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogkoedl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqfbaq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahkobekf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdpalp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmkdlkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncfdie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cafpanem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Helfik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blgkdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjpeepnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcjapi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Befmfngc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbkjjblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aanjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehnglm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmnpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gokdeeec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfachc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbdmpqcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgmcqggf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anpncp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bobcpmfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddbbeade.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flceckoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfolbmje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chphoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkopnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cefemliq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjlfbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbfpobpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkidenlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dafbne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdegandp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfkaag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpladg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgbefoji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnlhfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehekqe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcbiao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dadeieea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekjfcipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdfjifjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djdmffnn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jangmibi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiikak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glebhjlg.exe -
Detects executables built or packed with MPress PE compressor 64 IoCs
resource yara_rule behavioral2/files/0x000700000001e59e-7.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231f7-15.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231f9-23.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231fb-31.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/3464-32-0x0000000000400000-0x0000000000455000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231fd-39.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231ff-47.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023205-72.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023207-79.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023209-87.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002320b-96.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002320d-103.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002320f-111.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023211-118.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023211-119.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023213-126.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023213-125.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023215-135.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023215-134.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023217-143.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023219-150.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002321b-159.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002321d-166.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002321f-175.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023221-182.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023223-190.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023225-199.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023227-206.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023229-215.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002322b-222.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002322d-230.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002322f-238.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023231-247.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00080000000231f4-253.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/2528-271-0x0000000000400000-0x0000000000455000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002323a-274.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023240-290.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002320f-112.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023203-64.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023201-56.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/1616-346-0x0000000000400000-0x0000000000455000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/4548-382-0x0000000000400000-0x0000000000455000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/1948-392-0x0000000000400000-0x0000000000455000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/2984-410-0x0000000000400000-0x0000000000455000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/3244-412-0x0000000000400000-0x0000000000455000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/2444-418-0x0000000000400000-0x0000000000455000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/2296-450-0x0000000000400000-0x0000000000455000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/1200-462-0x0000000000400000-0x0000000000455000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/1844-468-0x0000000000400000-0x0000000000455000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/908-474-0x0000000000400000-0x0000000000455000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232e0-759.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002338d-1257.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000233db-1482.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023454-1813.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000234dc-2201.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023563-2597.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000235a5-2802.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000235af-2832.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000235f8-3041.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023606-3078.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002360a-3089.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023610-3103.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023616-3118.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023618-3124.dat INDICATOR_EXE_Packed_MPress -
Executes dropped EXE 64 IoCs
pid Process 4408 Aoqenf32.exe 3140 Aejmkpaq.exe 2400 Ahiigkqd.exe 3464 Appahiag.exe 4068 Aemjpp32.exe 2944 Aihfanhg.exe 744 Algbmjgk.exe 4916 Apbnnh32.exe 3200 Abqjjd32.exe 832 Aackeqeb.exe 3480 Aikbfnfd.exe 3572 Aliobieh.exe 2416 Aogkoedl.exe 3028 Abcgoc32.exe 1736 Aimoln32.exe 1256 Ahppgjjl.exe 4292 Alkkhi32.exe 3476 Aojhdd32.exe 1632 Aahdqp32.exe 5020 Aiolam32.exe 968 Blnhni32.exe 4348 Bbhqjchp.exe 4444 Befmfngc.exe 2380 Bibigmpl.exe 60 Blpechop.exe 4796 Bpladg32.exe 3064 Bbjmpb32.exe 4360 Bammlomg.exe 2956 Bhgehi32.exe 3368 Boanecla.exe 3268 Bbljeb32.exe 3276 Bhibni32.exe 1968 Blennh32.exe 2528 Bockjc32.exe 4800 Bbofkbbh.exe 5024 Biiohl32.exe 4636 Bhlocipo.exe 1664 Blgkdg32.exe 4092 Boegpc32.exe 1824 Bbacqape.exe 4876 Beppmmoi.exe 3964 Chnlihnl.exe 4828 Cpedjf32.exe 1452 Cohdebfi.exe 540 Cafpanem.exe 804 Cimhckeo.exe 1616 Chphoh32.exe 4276 Clldogdc.exe 3120 Ccfmla32.exe 3056 Caimgncj.exe 2624 Cipehkcl.exe 4972 Clnadfbp.exe 3896 Cpjmee32.exe 4548 Cchiaqjm.exe 1948 Cefemliq.exe 2800 Clqnjf32.exe 5000 Cpljkdig.exe 2984 Ceibclgn.exe 3244 Cidncj32.exe 2444 Clckpf32.exe 4244 Ccmclp32.exe 3848 Cekohk32.exe 5116 Dhjkdg32.exe 3880 Dpacfd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ioeeep32.dll Aealah32.exe File created C:\Windows\SysWOW64\Pengdk32.exe Pabkdmpi.exe File created C:\Windows\SysWOW64\Dokfjo32.dll Qgallfcq.exe File created C:\Windows\SysWOW64\Pjdilcla.exe Pgemphmn.exe File created C:\Windows\SysWOW64\Mjmcmj32.dll Pqpnombl.exe File opened for modification C:\Windows\SysWOW64\Gkmlofol.exe Ghopckpi.exe File created C:\Windows\SysWOW64\Njacpf32.exe Ngcgcjnc.exe File created C:\Windows\SysWOW64\Nngndc32.dll Gbiaapdf.exe File opened for modification C:\Windows\SysWOW64\Hioiji32.exe Hfqlnm32.exe File created C:\Windows\SysWOW64\Dhfajjoj.exe Cegdnopg.exe File opened for modification C:\Windows\SysWOW64\Elhmablc.exe Ejjqeg32.exe File opened for modification C:\Windows\SysWOW64\Ijhodq32.exe Idofhfmm.exe File created C:\Windows\SysWOW64\Pghdbegp.dll Andgoobc.exe File created C:\Windows\SysWOW64\Npcoakfp.exe Mgkjhe32.exe File created C:\Windows\SysWOW64\Jbocea32.exe Jdmcidam.exe File opened for modification C:\Windows\SysWOW64\Ocegdjij.exe Oqgkhnjf.exe File opened for modification C:\Windows\SysWOW64\Fcckif32.exe Fkmchi32.exe File opened for modification C:\Windows\SysWOW64\Mjcgohig.exe Mkpgck32.exe File created C:\Windows\SysWOW64\Pohdbiic.dll Oqbamo32.exe File created C:\Windows\SysWOW64\Adapgfqj.exe Aeopki32.exe File created C:\Windows\SysWOW64\Chpada32.exe Cafigg32.exe File created C:\Windows\SysWOW64\Bagcnd32.dll Mdckfk32.exe File created C:\Windows\SysWOW64\Dbcojmgm.dll Ahiigkqd.exe File opened for modification C:\Windows\SysWOW64\Eqciba32.exe Elhmablc.exe File opened for modification C:\Windows\SysWOW64\Hbbdholl.exe Hodgkc32.exe File opened for modification C:\Windows\SysWOW64\Ncdgcf32.exe Nngokoej.exe File created C:\Windows\SysWOW64\Oqkdcn32.exe Onmhgb32.exe File created C:\Windows\SysWOW64\Gdeqhl32.exe Gbgdlq32.exe File created C:\Windows\SysWOW64\Chmeobkq.exe Cdainc32.exe File opened for modification C:\Windows\SysWOW64\Eckonn32.exe Eoocmoao.exe File created C:\Windows\SysWOW64\Kdopod32.exe Kaqcbi32.exe File created C:\Windows\SysWOW64\Bcobhnfc.dll Pbkamqmd.exe File opened for modification C:\Windows\SysWOW64\Qecppkdm.exe Pbddcoei.exe File created C:\Windows\SysWOW64\Eoocmoao.exe Elagacbk.exe File opened for modification C:\Windows\SysWOW64\Fopldmcl.exe Fqmlhpla.exe File created C:\Windows\SysWOW64\Nbmelbid.exe Njfmke32.exe File created C:\Windows\SysWOW64\Feibedlp.dll Ageolo32.exe File created C:\Windows\SysWOW64\Kogbodfe.dll Aihfanhg.exe File created C:\Windows\SysWOW64\Lcbiao32.exe Lnepih32.exe File created C:\Windows\SysWOW64\Lkiqbl32.exe Lcbiao32.exe File opened for modification C:\Windows\SysWOW64\Fojlngce.exe Fkopnh32.exe File created C:\Windows\SysWOW64\Mpaifalo.exe Mjhqjg32.exe File created C:\Windows\SysWOW64\Mjjmog32.exe Mglack32.exe File opened for modification C:\Windows\SysWOW64\Heocnk32.exe Hcmgfbhd.exe File created C:\Windows\SysWOW64\Ncdgcf32.exe Nngokoej.exe File opened for modification C:\Windows\SysWOW64\Iannfk32.exe Ijdeiaio.exe File opened for modification C:\Windows\SysWOW64\Kbdmpqcb.exe Kdaldd32.exe File created C:\Windows\SysWOW64\Jnngob32.dll Lddbqa32.exe File created C:\Windows\SysWOW64\Kmdigkkd.dll Mnlfigcc.exe File opened for modification C:\Windows\SysWOW64\Cajcbgml.exe Colffknh.exe File opened for modification C:\Windows\SysWOW64\Jimekgff.exe Ibcmom32.exe File opened for modification C:\Windows\SysWOW64\Aimoln32.exe Abcgoc32.exe File created C:\Windows\SysWOW64\Offdjb32.dll Lpocjdld.exe File created C:\Windows\SysWOW64\Ecppdbpl.dll Jangmibi.exe File opened for modification C:\Windows\SysWOW64\Mnlfigcc.exe Mjqjih32.exe File opened for modification C:\Windows\SysWOW64\Pgemphmn.exe Pcjapi32.exe File created C:\Windows\SysWOW64\Bnnjen32.exe Blpnib32.exe File created C:\Windows\SysWOW64\Jehocmdp.dll Dpemacql.exe File created C:\Windows\SysWOW64\Domfgpca.exe Dlojkddn.exe File created C:\Windows\SysWOW64\Mnkhmbin.dll Mdhdajea.exe File created C:\Windows\SysWOW64\Fibbmq32.dll Neeqea32.exe File created C:\Windows\SysWOW64\Jaedgjjd.exe Iinlemia.exe File created C:\Windows\SysWOW64\Hcmgfbhd.exe Hmcojh32.exe File created C:\Windows\SysWOW64\Ncldnkae.exe Nqmhbpba.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14580 14492 WerFault.exe 736 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmljla32.dll" Cpljkdig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfcibe32.dll" Bdolhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efpmmmoo.dll" Ckedalaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacghh32.dll" Iemppiab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liddbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbopfj32.dll" Dcdimopp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abpcon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Angddopp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klljnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onjegled.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddonekbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfcpncdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll" Mciobn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nklfoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncianepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjpeepnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbllbm32.dll" Pbmncp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khkaedic.dll" Gokdeeec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnicfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll" Jpgdbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jibeql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jidbflcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljnnch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acjoke32.dll" Pgjfkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll" Cabfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeakme32.dll" Bbjmpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjebnamp.dll" Ejgdpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilaidmmo.dll" Gcbnejem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqfbaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmogab32.dll" Dhkapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gblngpbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cohdebfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Becifhfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdainc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngndc32.dll" Gbiaapdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpeohm32.dll" Hfqlnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blgkdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daifnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jimekgff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll" Amgapeea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npfhbbpk.dll" Ddmhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll" Habnjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oboaabga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofnckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnldg32.dll" Bbacqape.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmebabl.dll" Ijdeiaio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onmhgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehabgbnk.dll" Bpladg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aodldljj.dll" Cpjmee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjclbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcllonma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljkifg.dll" Mlcifmbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qqijje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqciba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okolkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Docmgjhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjpckf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bockjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbacqape.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhaebcen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnepih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcbgk32.dll" Eeidoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onhhamgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddmaok32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4612 wrote to memory of 4408 4612 fe86ff239d906f579b5a5111706838dfa1bdc4fc0530c4f6d1483028e952188c.exe 89 PID 4612 wrote to memory of 4408 4612 fe86ff239d906f579b5a5111706838dfa1bdc4fc0530c4f6d1483028e952188c.exe 89 PID 4612 wrote to memory of 4408 4612 fe86ff239d906f579b5a5111706838dfa1bdc4fc0530c4f6d1483028e952188c.exe 89 PID 4408 wrote to memory of 3140 4408 Aoqenf32.exe 90 PID 4408 wrote to memory of 3140 4408 Aoqenf32.exe 90 PID 4408 wrote to memory of 3140 4408 Aoqenf32.exe 90 PID 3140 wrote to memory of 2400 3140 Aejmkpaq.exe 91 PID 3140 wrote to memory of 2400 3140 Aejmkpaq.exe 91 PID 3140 wrote to memory of 2400 3140 Aejmkpaq.exe 91 PID 2400 wrote to memory of 3464 2400 Ahiigkqd.exe 92 PID 2400 wrote to memory of 3464 2400 Ahiigkqd.exe 92 PID 2400 wrote to memory of 3464 2400 Ahiigkqd.exe 92 PID 3464 wrote to memory of 4068 3464 Appahiag.exe 93 PID 3464 wrote to memory of 4068 3464 Appahiag.exe 93 PID 3464 wrote to memory of 4068 3464 Appahiag.exe 93 PID 4068 wrote to memory of 2944 4068 Aemjpp32.exe 94 PID 4068 wrote to memory of 2944 4068 Aemjpp32.exe 94 PID 4068 wrote to memory of 2944 4068 Aemjpp32.exe 94 PID 2944 wrote to memory of 744 2944 Aihfanhg.exe 95 PID 2944 wrote to memory of 744 2944 Aihfanhg.exe 95 PID 2944 wrote to memory of 744 2944 Aihfanhg.exe 95 PID 744 wrote to memory of 4916 744 Algbmjgk.exe 96 PID 744 wrote to memory of 4916 744 Algbmjgk.exe 96 PID 744 wrote to memory of 4916 744 Algbmjgk.exe 96 PID 4916 wrote to memory of 3200 4916 Apbnnh32.exe 97 PID 4916 wrote to memory of 3200 4916 Apbnnh32.exe 97 PID 4916 wrote to memory of 3200 4916 Apbnnh32.exe 97 PID 3200 wrote to memory of 832 3200 Abqjjd32.exe 98 PID 3200 wrote to memory of 832 3200 Abqjjd32.exe 98 PID 3200 wrote to memory of 832 3200 Abqjjd32.exe 98 PID 832 wrote to memory of 3480 832 Aackeqeb.exe 99 PID 832 wrote to memory of 3480 832 Aackeqeb.exe 99 PID 832 wrote to memory of 3480 832 Aackeqeb.exe 99 PID 3480 wrote to memory of 3572 3480 Aikbfnfd.exe 100 PID 3480 wrote to memory of 3572 3480 Aikbfnfd.exe 100 PID 3480 wrote to memory of 3572 3480 Aikbfnfd.exe 100 PID 3572 wrote to memory of 2416 3572 Aliobieh.exe 101 PID 3572 wrote to memory of 2416 3572 Aliobieh.exe 101 PID 3572 wrote to memory of 2416 3572 Aliobieh.exe 101 PID 2416 wrote to memory of 3028 2416 Aogkoedl.exe 102 PID 2416 wrote to memory of 3028 2416 Aogkoedl.exe 102 PID 2416 wrote to memory of 3028 2416 Aogkoedl.exe 102 PID 3028 wrote to memory of 1736 3028 Abcgoc32.exe 103 PID 3028 wrote to memory of 1736 3028 Abcgoc32.exe 103 PID 3028 wrote to memory of 1736 3028 Abcgoc32.exe 103 PID 1736 wrote to memory of 1256 1736 Aimoln32.exe 104 PID 1736 wrote to memory of 1256 1736 Aimoln32.exe 104 PID 1736 wrote to memory of 1256 1736 Aimoln32.exe 104 PID 1256 wrote to memory of 4292 1256 Ahppgjjl.exe 105 PID 1256 wrote to memory of 4292 1256 Ahppgjjl.exe 105 PID 1256 wrote to memory of 4292 1256 Ahppgjjl.exe 105 PID 4292 wrote to memory of 3476 4292 Alkkhi32.exe 106 PID 4292 wrote to memory of 3476 4292 Alkkhi32.exe 106 PID 4292 wrote to memory of 3476 4292 Alkkhi32.exe 106 PID 3476 wrote to memory of 1632 3476 Aojhdd32.exe 107 PID 3476 wrote to memory of 1632 3476 Aojhdd32.exe 107 PID 3476 wrote to memory of 1632 3476 Aojhdd32.exe 107 PID 1632 wrote to memory of 5020 1632 Aahdqp32.exe 108 PID 1632 wrote to memory of 5020 1632 Aahdqp32.exe 108 PID 1632 wrote to memory of 5020 1632 Aahdqp32.exe 108 PID 5020 wrote to memory of 968 5020 Aiolam32.exe 109 PID 5020 wrote to memory of 968 5020 Aiolam32.exe 109 PID 5020 wrote to memory of 968 5020 Aiolam32.exe 109 PID 968 wrote to memory of 4348 968 Blnhni32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe86ff239d906f579b5a5111706838dfa1bdc4fc0530c4f6d1483028e952188c.exe"C:\Users\Admin\AppData\Local\Temp\fe86ff239d906f579b5a5111706838dfa1bdc4fc0530c4f6d1483028e952188c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\Aoqenf32.exeC:\Windows\system32\Aoqenf32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\Aejmkpaq.exeC:\Windows\system32\Aejmkpaq.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\SysWOW64\Ahiigkqd.exeC:\Windows\system32\Ahiigkqd.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Appahiag.exeC:\Windows\system32\Appahiag.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\SysWOW64\Aemjpp32.exeC:\Windows\system32\Aemjpp32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Aihfanhg.exeC:\Windows\system32\Aihfanhg.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Algbmjgk.exeC:\Windows\system32\Algbmjgk.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\SysWOW64\Apbnnh32.exeC:\Windows\system32\Apbnnh32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Abqjjd32.exeC:\Windows\system32\Abqjjd32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\Aackeqeb.exeC:\Windows\system32\Aackeqeb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Aikbfnfd.exeC:\Windows\system32\Aikbfnfd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\Aliobieh.exeC:\Windows\system32\Aliobieh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\SysWOW64\Aogkoedl.exeC:\Windows\system32\Aogkoedl.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Abcgoc32.exeC:\Windows\system32\Abcgoc32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Aimoln32.exeC:\Windows\system32\Aimoln32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Ahppgjjl.exeC:\Windows\system32\Ahppgjjl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Alkkhi32.exeC:\Windows\system32\Alkkhi32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\Aojhdd32.exeC:\Windows\system32\Aojhdd32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\Aahdqp32.exeC:\Windows\system32\Aahdqp32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Aiolam32.exeC:\Windows\system32\Aiolam32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\Blnhni32.exeC:\Windows\system32\Blnhni32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\Bbhqjchp.exeC:\Windows\system32\Bbhqjchp.exe23⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Befmfngc.exeC:\Windows\system32\Befmfngc.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Bibigmpl.exeC:\Windows\system32\Bibigmpl.exe25⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Blpechop.exeC:\Windows\system32\Blpechop.exe26⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Bpladg32.exeC:\Windows\system32\Bpladg32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4796 -
C:\Windows\SysWOW64\Bbjmpb32.exeC:\Windows\system32\Bbjmpb32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Bammlomg.exeC:\Windows\system32\Bammlomg.exe29⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Bhgehi32.exeC:\Windows\system32\Bhgehi32.exe30⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Boanecla.exeC:\Windows\system32\Boanecla.exe31⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Bbljeb32.exeC:\Windows\system32\Bbljeb32.exe32⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Bhibni32.exeC:\Windows\system32\Bhibni32.exe33⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Blennh32.exeC:\Windows\system32\Blennh32.exe34⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Bockjc32.exeC:\Windows\system32\Bockjc32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Bbofkbbh.exeC:\Windows\system32\Bbofkbbh.exe36⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Biiohl32.exeC:\Windows\system32\Biiohl32.exe37⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Bhlocipo.exeC:\Windows\system32\Bhlocipo.exe38⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Blgkdg32.exeC:\Windows\system32\Blgkdg32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Boegpc32.exeC:\Windows\system32\Boegpc32.exe40⤵
- Executes dropped EXE
PID:4092 -
C:\Windows\SysWOW64\Bbacqape.exeC:\Windows\system32\Bbacqape.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Beppmmoi.exeC:\Windows\system32\Beppmmoi.exe42⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Chnlihnl.exeC:\Windows\system32\Chnlihnl.exe43⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Cpedjf32.exeC:\Windows\system32\Cpedjf32.exe44⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Cohdebfi.exeC:\Windows\system32\Cohdebfi.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1452 -
C:\Windows\SysWOW64\Cafpanem.exeC:\Windows\system32\Cafpanem.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Cimhckeo.exeC:\Windows\system32\Cimhckeo.exe47⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Chphoh32.exeC:\Windows\system32\Chphoh32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Clldogdc.exeC:\Windows\system32\Clldogdc.exe49⤵
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\Ccfmla32.exeC:\Windows\system32\Ccfmla32.exe50⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Caimgncj.exeC:\Windows\system32\Caimgncj.exe51⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Cipehkcl.exeC:\Windows\system32\Cipehkcl.exe52⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Clnadfbp.exeC:\Windows\system32\Clnadfbp.exe53⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Cpjmee32.exeC:\Windows\system32\Cpjmee32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:3896 -
C:\Windows\SysWOW64\Cchiaqjm.exeC:\Windows\system32\Cchiaqjm.exe55⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Cefemliq.exeC:\Windows\system32\Cefemliq.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Clqnjf32.exeC:\Windows\system32\Clqnjf32.exe57⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Cpljkdig.exeC:\Windows\system32\Cpljkdig.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:5000 -
C:\Windows\SysWOW64\Ceibclgn.exeC:\Windows\system32\Ceibclgn.exe59⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Cidncj32.exeC:\Windows\system32\Cidncj32.exe60⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Clckpf32.exeC:\Windows\system32\Clckpf32.exe61⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Ccmclp32.exeC:\Windows\system32\Ccmclp32.exe62⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe63⤵
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Dhjkdg32.exeC:\Windows\system32\Dhjkdg32.exe64⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Dpacfd32.exeC:\Windows\system32\Dpacfd32.exe65⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Dcopbp32.exeC:\Windows\system32\Dcopbp32.exe66⤵PID:2296
-
C:\Windows\SysWOW64\Denlnk32.exeC:\Windows\system32\Denlnk32.exe67⤵PID:4012
-
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe68⤵PID:1200
-
C:\Windows\SysWOW64\Dlgdkeje.exeC:\Windows\system32\Dlgdkeje.exe69⤵PID:1844
-
C:\Windows\SysWOW64\Dofpgqji.exeC:\Windows\system32\Dofpgqji.exe70⤵PID:3568
-
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe71⤵PID:908
-
C:\Windows\SysWOW64\Dephckaf.exeC:\Windows\system32\Dephckaf.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4892 -
C:\Windows\SysWOW64\Dhnepfpj.exeC:\Windows\system32\Dhnepfpj.exe73⤵PID:4560
-
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe74⤵
- Drops file in System32 directory
PID:4352 -
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe75⤵
- Modifies registry class
PID:3840 -
C:\Windows\SysWOW64\Dhqaefng.exeC:\Windows\system32\Dhqaefng.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4240 -
C:\Windows\SysWOW64\Dokjbp32.exeC:\Windows\system32\Dokjbp32.exe77⤵PID:1564
-
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe78⤵
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe79⤵PID:5136
-
C:\Windows\SysWOW64\Dlojkddn.exeC:\Windows\system32\Dlojkddn.exe80⤵
- Drops file in System32 directory
PID:5180 -
C:\Windows\SysWOW64\Domfgpca.exeC:\Windows\system32\Domfgpca.exe81⤵PID:5216
-
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe82⤵PID:5256
-
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe83⤵PID:5304
-
C:\Windows\SysWOW64\Ehekqe32.exeC:\Windows\system32\Ehekqe32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5344 -
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe85⤵
- Drops file in System32 directory
PID:5380 -
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe86⤵
- Drops file in System32 directory
PID:5424 -
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe87⤵PID:5464
-
C:\Windows\SysWOW64\Efikji32.exeC:\Windows\system32\Efikji32.exe88⤵PID:5508
-
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe89⤵PID:5548
-
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe90⤵PID:5592
-
C:\Windows\SysWOW64\Eoapbo32.exeC:\Windows\system32\Eoapbo32.exe91⤵PID:5624
-
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe92⤵PID:5676
-
C:\Windows\SysWOW64\Ejgdpg32.exeC:\Windows\system32\Ejgdpg32.exe93⤵
- Modifies registry class
PID:5716 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe94⤵PID:5756
-
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe95⤵PID:5800
-
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe96⤵PID:5836
-
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe97⤵PID:5880
-
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe98⤵
- Drops file in System32 directory
PID:5916 -
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe99⤵
- Drops file in System32 directory
PID:5964 -
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe100⤵
- Modifies registry class
PID:6004 -
C:\Windows\SysWOW64\Ecbenm32.exeC:\Windows\system32\Ecbenm32.exe101⤵PID:6052
-
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe102⤵PID:6096
-
C:\Windows\SysWOW64\Ehonfc32.exeC:\Windows\system32\Ehonfc32.exe103⤵PID:6140
-
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe104⤵PID:5168
-
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe105⤵PID:5240
-
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe106⤵PID:5296
-
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe107⤵PID:5364
-
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe108⤵PID:5460
-
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe109⤵PID:5528
-
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe110⤵PID:5608
-
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe111⤵PID:5664
-
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe112⤵PID:5728
-
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe113⤵PID:5808
-
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe114⤵PID:5868
-
C:\Windows\SysWOW64\Fjcclf32.exeC:\Windows\system32\Fjcclf32.exe115⤵PID:5948
-
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe116⤵PID:5992
-
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe117⤵
- Drops file in System32 directory
PID:6076 -
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe118⤵PID:6124
-
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe119⤵PID:5204
-
C:\Windows\SysWOW64\Fjepaecb.exeC:\Windows\system32\Fjepaecb.exe120⤵PID:5320
-
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe121⤵PID:5456
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-