Analysis
-
max time kernel
82s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
19-03-2024 19:55
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
4ae5a39dba5aacf22b6111b6d0798a9f602b92e5dd7c7dbf20f42653c669f0b4.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
4ae5a39dba5aacf22b6111b6d0798a9f602b92e5dd7c7dbf20f42653c669f0b4.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
4ae5a39dba5aacf22b6111b6d0798a9f602b92e5dd7c7dbf20f42653c669f0b4.exe
-
Size
430KB
-
MD5
1ce0e3f72e88b91fc221dbea33d9b2fd
-
SHA1
c817563462926517562df14095cdd28c1befbca0
-
SHA256
4ae5a39dba5aacf22b6111b6d0798a9f602b92e5dd7c7dbf20f42653c669f0b4
-
SHA512
0183a4867720c50c3ed51136bcc0db003cde36e7ee6260c90b1d69e50eba742be58b79fde73916b7d40491e9c336fed7db227c372491134d338e0a04c746e63b
-
SSDEEP
3072:8Hola2uVAURfE+HAokWmvEie0RFz3yE2ZwVh16Mz7GFD0AlWsnzj:Sola2uRs+HLlD0rN2ZwVht740Psz
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkicjgnn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afboah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfhadc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmjaphek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogefqeaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anncek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjopbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgccinoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moipoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcfjfqah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jflnafno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehklmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgcamf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqpclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpnfge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maaoaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mklpof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akopoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbqiak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbkbkbfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pflibgil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcjfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Incdem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epbkhhel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgjpfqpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ophjdehd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdpbon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bimach32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmnhcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjebiq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmdlflki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhafcd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emlenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkmioc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eojeodga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcjiff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmkjig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmghdpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmnhcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icqmncof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdbbfadn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqglkmlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eohhie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Incdem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlphbnoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocknbglo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgpplf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcimfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmbiackg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbgqdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eegqldqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poagma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlogfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ignnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fipbdikp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Objpoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflmlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnhidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqmggi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfmghdpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplnpeol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qadoba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iahlcaol.exe -
UPX dump on OEP (original entry point) 57 IoCs
resource yara_rule behavioral2/files/0x0008000000022745-7.dat UPX behavioral2/files/0x0007000000023247-15.dat UPX behavioral2/files/0x0007000000023249-23.dat UPX behavioral2/files/0x0007000000023249-25.dat UPX behavioral2/files/0x000700000002324a-31.dat UPX behavioral2/files/0x000700000002324c-39.dat UPX behavioral2/files/0x000700000002324e-48.dat UPX behavioral2/files/0x0007000000023250-55.dat UPX behavioral2/files/0x0007000000023252-63.dat UPX behavioral2/files/0x0007000000023254-71.dat UPX behavioral2/files/0x0007000000023256-79.dat UPX behavioral2/files/0x0007000000023258-88.dat UPX behavioral2/files/0x000700000002325a-96.dat UPX behavioral2/files/0x000700000002325c-104.dat UPX behavioral2/files/0x000700000002325e-112.dat UPX behavioral2/files/0x0007000000023260-120.dat UPX behavioral2/files/0x0007000000023262-128.dat UPX behavioral2/files/0x0007000000023264-136.dat UPX behavioral2/files/0x0007000000023266-144.dat UPX behavioral2/files/0x0007000000023268-152.dat UPX behavioral2/files/0x000700000002326a-160.dat UPX behavioral2/files/0x000700000002326c-169.dat UPX behavioral2/files/0x000700000002326e-176.dat UPX behavioral2/files/0x0007000000023271-184.dat UPX behavioral2/files/0x0007000000023273-193.dat UPX behavioral2/files/0x0007000000023275-200.dat UPX behavioral2/files/0x0007000000023277-208.dat UPX behavioral2/files/0x000700000002327a-217.dat UPX behavioral2/files/0x000700000002327c-224.dat UPX behavioral2/files/0x000700000002327e-232.dat UPX behavioral2/files/0x0007000000023280-241.dat UPX behavioral2/files/0x0007000000023282-249.dat UPX behavioral2/files/0x0007000000023284-256.dat UPX behavioral2/files/0x0007000000023286-264.dat UPX behavioral2/files/0x0007000000023377-1044.dat UPX behavioral2/files/0x00070000000233e9-1432.dat UPX behavioral2/files/0x0007000000023430-1641.dat UPX behavioral2/files/0x0008000000023498-1995.dat UPX behavioral2/files/0x00070000000234a9-2008.dat UPX behavioral2/files/0x00080000000234b9-2063.dat UPX behavioral2/files/0x00070000000234d3-2151.dat UPX behavioral2/files/0x000700000002352b-2458.dat UPX behavioral2/files/0x00070000000235c0-4018.dat UPX behavioral2/files/0x00070000000235d0-4068.dat UPX behavioral2/files/0x00070000000235fc-4209.dat UPX behavioral2/files/0x0007000000023602-4227.dat UPX behavioral2/files/0x0007000000023654-4502.dat UPX behavioral2/files/0x0007000000023730-5270.dat UPX behavioral2/files/0x000700000002377d-5523.dat UPX behavioral2/files/0x0007000000023928-6962.dat UPX behavioral2/files/0x00070000000239bc-7465.dat UPX behavioral2/files/0x00070000000239cc-7500.dat UPX behavioral2/files/0x00070000000239ee-7580.dat UPX behavioral2/files/0x00070000000239fb-7640.dat UPX behavioral2/files/0x0007000000023a0b-7666.dat UPX behavioral2/files/0x0007000000023a1b-7691.dat UPX behavioral2/files/0x0007000000023a36-7746.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 2092 Ibnligoc.exe 2900 Iijaka32.exe 4080 Jkkjmlan.exe 3216 Jfpojead.exe 2336 Joiccj32.exe 4536 Jfbkpd32.exe 4860 Jfgdkd32.exe 4572 Kgknhl32.exe 1412 Kflnfcgg.exe 3296 Kbekqdjh.exe 4652 Kfcdfbqo.exe 3260 Lpkiph32.exe 4952 Lfhnaa32.exe 3588 Lflgmqhd.exe 4736 Mimpolee.exe 3120 Molelb32.exe 4264 Midfokpm.exe 1056 Mblkhq32.exe 4624 Noehba32.exe 1584 Niklpj32.exe 1192 Nohehq32.exe 3704 Niniei32.exe 2976 Opogbbig.exe 4984 Oekpkigo.exe 848 Oocddono.exe 4456 Ogmijllo.exe 3772 Opemca32.exe 4816 Ocffempp.exe 4820 Pcicklnn.exe 4628 Pgflqkdd.exe 5024 Pflibgil.exe 3840 Pfnegggi.exe 2912 Qfpbmfdf.exe 3792 Acgolj32.exe 4988 Acilajpk.exe 3220 Ahfdjanb.exe 3460 Aggegh32.exe 2672 Amcmpodi.exe 4616 Agiamhdo.exe 3380 Aijnep32.exe 228 Aodfajaj.exe 1236 Afnnnd32.exe 4920 Bqdblmhl.exe 2248 Bjlgdc32.exe 2264 Bqfoamfj.exe 5020 Bjodjb32.exe 2360 Bgbdcgld.exe 4300 Bqkill32.exe 3952 Bfhadc32.exe 628 Bqmeal32.exe 4440 Bihjfnmm.exe 2860 Ccnncgmc.exe 1552 Cikglnkj.exe 3208 Cpeohh32.exe 2300 Ccchof32.exe 3572 Cjmpkqqj.exe 3416 Cceddf32.exe 1476 Cpleig32.exe 4928 Cffmfadl.exe 3608 Dakacjdb.exe 2044 Dfhjkabi.exe 3276 Dmbbhkjf.exe 736 Dmdonkgc.exe 4364 Dhjckcgi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pdofpb32.exe Pnenchoc.exe File created C:\Windows\SysWOW64\Dmbbhkjf.exe Dfhjkabi.exe File created C:\Windows\SysWOW64\Jbiejoaj.exe Jgcamf32.exe File created C:\Windows\SysWOW64\Cmncbodd.dll Ohkbbn32.exe File created C:\Windows\SysWOW64\Opkpck32.dll Hibafp32.exe File created C:\Windows\SysWOW64\Mmnhcb32.exe Mjokgg32.exe File opened for modification C:\Windows\SysWOW64\Edakimoo.exe Eljchpnl.exe File created C:\Windows\SysWOW64\Mnailf32.dll Odfcjc32.exe File created C:\Windows\SysWOW64\Nondlbmd.dll Bhldpj32.exe File created C:\Windows\SysWOW64\Bakpfm32.dll Okailj32.exe File created C:\Windows\SysWOW64\Ibnligoc.exe 4ae5a39dba5aacf22b6111b6d0798a9f602b92e5dd7c7dbf20f42653c669f0b4.exe File created C:\Windows\SysWOW64\Cpjdachc.dll Dfoplpla.exe File opened for modification C:\Windows\SysWOW64\Jjmcnbdm.exe Jhlgfj32.exe File opened for modification C:\Windows\SysWOW64\Gpgind32.exe Gfjkjo32.exe File created C:\Windows\SysWOW64\Jaepkejo.dll Clgmkbna.exe File opened for modification C:\Windows\SysWOW64\Ifckkhfi.exe Ioicnn32.exe File created C:\Windows\SysWOW64\Foadqnoo.dll Bbbkbbkg.exe File opened for modification C:\Windows\SysWOW64\Jaefne32.exe Jnfjbj32.exe File opened for modification C:\Windows\SysWOW64\Afnnnd32.exe Aodfajaj.exe File opened for modification C:\Windows\SysWOW64\Gnlgleef.exe Gknkpjfb.exe File created C:\Windows\SysWOW64\Hjhalefe.exe Hhfedm32.exe File created C:\Windows\SysWOW64\Kqpoakco.exe Knbbep32.exe File created C:\Windows\SysWOW64\Dbcmakpl.exe Dlieda32.exe File created C:\Windows\SysWOW64\Nlfnaicd.exe Ncofplba.exe File created C:\Windows\SysWOW64\Fgpplf32.exe Fdadpk32.exe File opened for modification C:\Windows\SysWOW64\Meadlo32.exe Mmjlkb32.exe File created C:\Windows\SysWOW64\Cofaon32.dll Glchjedc.exe File opened for modification C:\Windows\SysWOW64\Pkedbmab.exe Pdklebje.exe File created C:\Windows\SysWOW64\Gphgbafl.exe Ginnfgop.exe File created C:\Windows\SysWOW64\Hehkajig.exe Hoobdp32.exe File created C:\Windows\SysWOW64\Afockelf.exe Qjffpe32.exe File created C:\Windows\SysWOW64\Aolphl32.dll Epffbd32.exe File created C:\Windows\SysWOW64\Blknpdho.exe Bimach32.exe File created C:\Windows\SysWOW64\Kdjenh32.dll Mklpof32.exe File created C:\Windows\SysWOW64\Qimdklek.dll Ihmnldib.exe File created C:\Windows\SysWOW64\Jhgcicoj.dll Pflibgil.exe File created C:\Windows\SysWOW64\Knhcpa32.dll Okgaijaj.exe File opened for modification C:\Windows\SysWOW64\Bkmmaeap.exe Bjlpjm32.exe File opened for modification C:\Windows\SysWOW64\Manmoq32.exe Mnpabe32.exe File created C:\Windows\SysWOW64\Jkjpda32.dll Imkbnf32.exe File created C:\Windows\SysWOW64\Nhcbidcd.exe Nmnnlk32.exe File created C:\Windows\SysWOW64\Jbnopbdl.exe Jhejgl32.exe File created C:\Windows\SysWOW64\Knbbep32.exe Kkcfid32.exe File created C:\Windows\SysWOW64\Noeahkfc.exe Nihipdhl.exe File opened for modification C:\Windows\SysWOW64\Bjlpjm32.exe Bbdhiojo.exe File created C:\Windows\SysWOW64\Bmabggdm.exe Bfgjjm32.exe File created C:\Windows\SysWOW64\Nccmog32.dll Nipffmmg.exe File opened for modification C:\Windows\SysWOW64\Afeban32.exe Apkjddke.exe File created C:\Windows\SysWOW64\Kfcdfbqo.exe Kbekqdjh.exe File created C:\Windows\SysWOW64\Gknkpjfb.exe Gphgbafl.exe File created C:\Windows\SysWOW64\Idajkk32.dll Hhfedm32.exe File opened for modification C:\Windows\SysWOW64\Jhlgfj32.exe Jbaojpgb.exe File created C:\Windows\SysWOW64\Ahcajk32.exe Acfhad32.exe File opened for modification C:\Windows\SysWOW64\Mkadfj32.exe Megljppl.exe File opened for modification C:\Windows\SysWOW64\Kaopoj32.exe Eahobg32.exe File created C:\Windows\SysWOW64\Bkcjjhgp.exe Bqnemp32.exe File created C:\Windows\SysWOW64\Gknkkmmj.exe Geabbfoc.exe File created C:\Windows\SysWOW64\Bpajnp32.dll Jqglkmlj.exe File created C:\Windows\SysWOW64\Dlcmgqdd.exe Dgfdojfm.exe File created C:\Windows\SysWOW64\Inicjl32.dll Jegohe32.exe File opened for modification C:\Windows\SysWOW64\Hlogfd32.exe Hfeoijbi.exe File opened for modification C:\Windows\SysWOW64\Fehplggn.exe Flpkcbqm.exe File opened for modification C:\Windows\SysWOW64\Hipdpbgf.exe Hahlnefd.exe File created C:\Windows\SysWOW64\Bnffda32.dll Djcoai32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6712 8704 Process not Found 1412 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikcmbfcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbaojpgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll" Bgbpaipl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpjjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nijfhn32.dll" Fefcgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iocchhof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjhked32.dll" Ibnligoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knmpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejqmmlpm.dll" Mfhgcbfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgjgne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahcajk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Famnbgil.dll" Acdioc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcnleb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgfmeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehailbaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcaihm32.dll" Mnlnbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cepadh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefked32.dll" Qbkcek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofaon32.dll" Glchjedc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfaglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alnjhe32.dll" Bilcol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmdccgi.dll" Dhcfleff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcppfn32.dll" Noehba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebpqjmpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cejaobel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iinqbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ankgpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afboah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kalhafbk.dll" Nlphbnoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fipbdikp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aidomjaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqhali32.dll" Lhogamih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geabbfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpkiph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgaljo32.dll" Hgnlmdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdnkcof.dll" Pgcbbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eflceb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imfmgcdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lplaaiqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhclmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iljpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdaif32.dll" Foqdem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpfbb32.dll" Kqdaadln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceomp32.dll" Kfhnme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajmkad32.dll" Ophjdehd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eecfah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pifnhpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkbdql32.dll" Ocknbglo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkebqokl.dll" Aidomjaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ellpmolj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccnncgmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cikglnkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gigheh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oidhlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fccfqqkf.dll" Bjlpjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfgjjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kggcnoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lobjni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgppmg32.dll" Opogbbig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doljemai.dll" Jfmekm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bilcol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghbkdald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egpgehnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkohaj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4220 wrote to memory of 2092 4220 4ae5a39dba5aacf22b6111b6d0798a9f602b92e5dd7c7dbf20f42653c669f0b4.exe 88 PID 4220 wrote to memory of 2092 4220 4ae5a39dba5aacf22b6111b6d0798a9f602b92e5dd7c7dbf20f42653c669f0b4.exe 88 PID 4220 wrote to memory of 2092 4220 4ae5a39dba5aacf22b6111b6d0798a9f602b92e5dd7c7dbf20f42653c669f0b4.exe 88 PID 2092 wrote to memory of 2900 2092 Ibnligoc.exe 90 PID 2092 wrote to memory of 2900 2092 Ibnligoc.exe 90 PID 2092 wrote to memory of 2900 2092 Ibnligoc.exe 90 PID 2900 wrote to memory of 4080 2900 Iijaka32.exe 91 PID 2900 wrote to memory of 4080 2900 Iijaka32.exe 91 PID 2900 wrote to memory of 4080 2900 Iijaka32.exe 91 PID 4080 wrote to memory of 3216 4080 Jkkjmlan.exe 92 PID 4080 wrote to memory of 3216 4080 Jkkjmlan.exe 92 PID 4080 wrote to memory of 3216 4080 Jkkjmlan.exe 92 PID 3216 wrote to memory of 2336 3216 Jfpojead.exe 93 PID 3216 wrote to memory of 2336 3216 Jfpojead.exe 93 PID 3216 wrote to memory of 2336 3216 Jfpojead.exe 93 PID 2336 wrote to memory of 4536 2336 Joiccj32.exe 94 PID 2336 wrote to memory of 4536 2336 Joiccj32.exe 94 PID 2336 wrote to memory of 4536 2336 Joiccj32.exe 94 PID 4536 wrote to memory of 4860 4536 Jfbkpd32.exe 95 PID 4536 wrote to memory of 4860 4536 Jfbkpd32.exe 95 PID 4536 wrote to memory of 4860 4536 Jfbkpd32.exe 95 PID 4860 wrote to memory of 4572 4860 Jfgdkd32.exe 96 PID 4860 wrote to memory of 4572 4860 Jfgdkd32.exe 96 PID 4860 wrote to memory of 4572 4860 Jfgdkd32.exe 96 PID 4572 wrote to memory of 1412 4572 Kgknhl32.exe 98 PID 4572 wrote to memory of 1412 4572 Kgknhl32.exe 98 PID 4572 wrote to memory of 1412 4572 Kgknhl32.exe 98 PID 1412 wrote to memory of 3296 1412 Kflnfcgg.exe 99 PID 1412 wrote to memory of 3296 1412 Kflnfcgg.exe 99 PID 1412 wrote to memory of 3296 1412 Kflnfcgg.exe 99 PID 3296 wrote to memory of 4652 3296 Kbekqdjh.exe 100 PID 3296 wrote to memory of 4652 3296 Kbekqdjh.exe 100 PID 3296 wrote to memory of 4652 3296 Kbekqdjh.exe 100 PID 4652 wrote to memory of 3260 4652 Kfcdfbqo.exe 101 PID 4652 wrote to memory of 3260 4652 Kfcdfbqo.exe 101 PID 4652 wrote to memory of 3260 4652 Kfcdfbqo.exe 101 PID 3260 wrote to memory of 4952 3260 Lpkiph32.exe 102 PID 3260 wrote to memory of 4952 3260 Lpkiph32.exe 102 PID 3260 wrote to memory of 4952 3260 Lpkiph32.exe 102 PID 4952 wrote to memory of 3588 4952 Lfhnaa32.exe 103 PID 4952 wrote to memory of 3588 4952 Lfhnaa32.exe 103 PID 4952 wrote to memory of 3588 4952 Lfhnaa32.exe 103 PID 3588 wrote to memory of 4736 3588 Lflgmqhd.exe 104 PID 3588 wrote to memory of 4736 3588 Lflgmqhd.exe 104 PID 3588 wrote to memory of 4736 3588 Lflgmqhd.exe 104 PID 4736 wrote to memory of 3120 4736 Mimpolee.exe 105 PID 4736 wrote to memory of 3120 4736 Mimpolee.exe 105 PID 4736 wrote to memory of 3120 4736 Mimpolee.exe 105 PID 3120 wrote to memory of 4264 3120 Molelb32.exe 106 PID 3120 wrote to memory of 4264 3120 Molelb32.exe 106 PID 3120 wrote to memory of 4264 3120 Molelb32.exe 106 PID 4264 wrote to memory of 1056 4264 Midfokpm.exe 107 PID 4264 wrote to memory of 1056 4264 Midfokpm.exe 107 PID 4264 wrote to memory of 1056 4264 Midfokpm.exe 107 PID 1056 wrote to memory of 4624 1056 Mblkhq32.exe 108 PID 1056 wrote to memory of 4624 1056 Mblkhq32.exe 108 PID 1056 wrote to memory of 4624 1056 Mblkhq32.exe 108 PID 4624 wrote to memory of 1584 4624 Noehba32.exe 109 PID 4624 wrote to memory of 1584 4624 Noehba32.exe 109 PID 4624 wrote to memory of 1584 4624 Noehba32.exe 109 PID 1584 wrote to memory of 1192 1584 Niklpj32.exe 110 PID 1584 wrote to memory of 1192 1584 Niklpj32.exe 110 PID 1584 wrote to memory of 1192 1584 Niklpj32.exe 110 PID 1192 wrote to memory of 3704 1192 Nohehq32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ae5a39dba5aacf22b6111b6d0798a9f602b92e5dd7c7dbf20f42653c669f0b4.exe"C:\Users\Admin\AppData\Local\Temp\4ae5a39dba5aacf22b6111b6d0798a9f602b92e5dd7c7dbf20f42653c669f0b4.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe23⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe24⤵PID:4348
-
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe26⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe27⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe28⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe29⤵
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe30⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe31⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe32⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5024 -
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe34⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe35⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe36⤵
- Executes dropped EXE
PID:3792 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe37⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe38⤵
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe39⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe40⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe41⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe42⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:228 -
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe44⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe45⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe46⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe47⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe48⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe49⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe50⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Bfhadc32.exeC:\Windows\system32\Bfhadc32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe52⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe53⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe56⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe57⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe58⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe59⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe60⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe61⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe62⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe64⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe65⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Dhjckcgi.exeC:\Windows\system32\Dhjckcgi.exe66⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe67⤵PID:3116
-
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe68⤵PID:4944
-
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe69⤵
- Drops file in System32 directory
PID:1844 -
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe70⤵PID:1696
-
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe71⤵PID:392
-
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1692 -
C:\Windows\SysWOW64\Ehailbaa.exeC:\Windows\system32\Ehailbaa.exe73⤵
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe74⤵PID:4124
-
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4532 -
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe76⤵PID:5040
-
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe77⤵PID:2328
-
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe78⤵PID:5084
-
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe79⤵PID:4576
-
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe80⤵PID:4368
-
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe81⤵PID:4516
-
C:\Windows\SysWOW64\Edopabqn.exeC:\Windows\system32\Edopabqn.exe82⤵PID:764
-
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe83⤵PID:3820
-
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe84⤵PID:5148
-
C:\Windows\SysWOW64\Fkkeclfh.exeC:\Windows\system32\Fkkeclfh.exe85⤵PID:5192
-
C:\Windows\SysWOW64\Fmjaphek.exeC:\Windows\system32\Fmjaphek.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5244 -
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe87⤵PID:5300
-
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5348 -
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe89⤵PID:5424
-
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe90⤵PID:5464
-
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe91⤵PID:5548
-
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe92⤵PID:5596
-
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe93⤵
- Modifies registry class
PID:5640 -
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe94⤵PID:5692
-
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe95⤵PID:5728
-
C:\Windows\SysWOW64\Gmeakf32.exeC:\Windows\system32\Gmeakf32.exe96⤵PID:5792
-
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe97⤵PID:5856
-
C:\Windows\SysWOW64\Ggnedlao.exeC:\Windows\system32\Ggnedlao.exe98⤵PID:5924
-
C:\Windows\SysWOW64\Gnhnaf32.exeC:\Windows\system32\Gnhnaf32.exe99⤵PID:5972
-
C:\Windows\SysWOW64\Gpfjma32.exeC:\Windows\system32\Gpfjma32.exe100⤵PID:6024
-
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe101⤵PID:6068
-
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe102⤵
- Drops file in System32 directory
PID:6108 -
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe103⤵
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Gknkpjfb.exeC:\Windows\system32\Gknkpjfb.exe104⤵
- Drops file in System32 directory
PID:5204 -
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe105⤵PID:5328
-
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe106⤵PID:5388
-
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe107⤵PID:5516
-
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe108⤵PID:5620
-
C:\Windows\SysWOW64\Hdilnojp.exeC:\Windows\system32\Hdilnojp.exe109⤵PID:5676
-
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe110⤵PID:5776
-
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe111⤵PID:5900
-
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe112⤵
- Drops file in System32 directory
PID:5984 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe113⤵PID:6052
-
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe114⤵PID:6140
-
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe115⤵PID:5232
-
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe116⤵PID:5380
-
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5524 -
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe118⤵PID:5668
-
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe119⤵PID:5836
-
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe120⤵PID:5968
-
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe121⤵PID:5140
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-