Analysis
-
max time kernel
146s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
27-03-2024 23:04
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
a47e4ebd2344a34ba400c4bb3369f6930ab6a2b2f9356b68ae9034098e415f28.exe
Resource
win7-20231129-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
a47e4ebd2344a34ba400c4bb3369f6930ab6a2b2f9356b68ae9034098e415f28.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
a47e4ebd2344a34ba400c4bb3369f6930ab6a2b2f9356b68ae9034098e415f28.exe
-
Size
448KB
-
MD5
d756044cdd4d165c3e64238e01fd131c
-
SHA1
342674c35fa79437666233d43405f0595f491874
-
SHA256
a47e4ebd2344a34ba400c4bb3369f6930ab6a2b2f9356b68ae9034098e415f28
-
SHA512
dd5b9cd5d95f5b95f41bf5be8f59999c225974e95a7d1732890c88d1a749b5b60861ab4cd29b4d9b47738822f75974ee0b77e10d36d3761ca9bf3ed6696dff25
-
SSDEEP
6144:cSMKIaUCxiLUmKyIxLDXXoq9FJZCUmKyIxL:cfg9832XXf9Do3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgmngglp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjpckf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbqklb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkcfid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oeaoab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdbdah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngdfdmdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahcajk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difpmfna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgcjddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcbmka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egijmegb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaonjngh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdkggg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohlimd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdhkcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcpahpmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecgcfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpobg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cceddf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplnpeol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcpahpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elppfmoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfjhkjle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egdqae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chiigadc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cajlhqjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qohpkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahcajk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coknoaic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlefklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgjjdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fibojhim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aodogdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldipha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcgbco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feapkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knippe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmfeidbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alkijdci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bogkmgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flnlhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aqppkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eachem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lieccf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdehlk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcbmka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Locbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfpcgpae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nklbmllg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inmgmijo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hajpbckl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cggimh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhclmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmhale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjfaeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dknpmdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfqmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dckdjomg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmggfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdaaaeqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppjgoaoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohghgodi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdjbiheb.exe -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral2/files/0x000a0000000231f9-6.dat UPX behavioral2/files/0x0007000000023200-14.dat UPX behavioral2/files/0x0007000000023202-22.dat UPX behavioral2/files/0x0007000000023204-30.dat UPX behavioral2/files/0x0007000000023207-38.dat UPX behavioral2/files/0x00080000000231fd-46.dat UPX behavioral2/files/0x000700000002320a-55.dat UPX behavioral2/files/0x000700000002320c-62.dat UPX behavioral2/files/0x000b000000023122-70.dat UPX behavioral2/files/0x0007000000023210-73.dat UPX behavioral2/files/0x0007000000023212-86.dat UPX behavioral2/files/0x0007000000023214-89.dat UPX behavioral2/files/0x0007000000023216-102.dat UPX behavioral2/files/0x000a000000023121-111.dat UPX behavioral2/files/0x000c00000002311e-119.dat UPX behavioral2/memory/2796-132-0x0000000000400000-0x0000000000460000-memory.dmp UPX behavioral2/files/0x000700000002321a-126.dat UPX behavioral2/files/0x000700000002321c-134.dat UPX behavioral2/files/0x000700000002321e-142.dat UPX behavioral2/memory/1512-144-0x0000000000400000-0x0000000000460000-memory.dmp UPX behavioral2/files/0x0007000000023220-151.dat UPX behavioral2/files/0x0007000000023222-159.dat UPX behavioral2/files/0x00030000000006e3-166.dat UPX behavioral2/files/0x0003000000000717-173.dat UPX behavioral2/files/0x000700000001d9fd-182.dat UPX behavioral2/files/0x000a00000001da98-185.dat UPX behavioral2/files/0x000a00000001da98-190.dat UPX behavioral2/files/0x000f00000001daeb-199.dat UPX behavioral2/files/0x001300000001dafb-207.dat UPX behavioral2/files/0x000600000001e0b6-215.dat UPX behavioral2/memory/3268-208-0x0000000000400000-0x0000000000460000-memory.dmp UPX behavioral2/files/0x000300000001e0ce-224.dat UPX behavioral2/files/0x000300000001e0d0-230.dat UPX behavioral2/files/0x000200000001e5a1-238.dat UPX behavioral2/files/0x000200000001e5a3-247.dat UPX behavioral2/files/0x000200000001e5a5-255.dat UPX behavioral2/memory/4224-272-0x0000000000400000-0x0000000000460000-memory.dmp UPX behavioral2/memory/3456-286-0x0000000000400000-0x0000000000460000-memory.dmp UPX behavioral2/files/0x000700000002322a-322.dat UPX behavioral2/memory/4556-410-0x0000000000400000-0x0000000000460000-memory.dmp UPX behavioral2/memory/4244-422-0x0000000000400000-0x0000000000460000-memory.dmp UPX behavioral2/memory/2956-434-0x0000000000400000-0x0000000000460000-memory.dmp UPX behavioral2/memory/1632-446-0x0000000000400000-0x0000000000460000-memory.dmp UPX behavioral2/files/0x000700000002325b-453.dat UPX behavioral2/files/0x0007000000023277-536.dat UPX behavioral2/files/0x0007000000023290-612.dat UPX behavioral2/files/0x0007000000023298-638.dat UPX behavioral2/files/0x00070000000232a8-689.dat UPX behavioral2/files/0x00070000000232ba-746.dat UPX behavioral2/files/0x00070000000232db-852.dat UPX behavioral2/files/0x00070000000232f9-940.dat UPX behavioral2/files/0x0007000000023327-1091.dat UPX behavioral2/files/0x0007000000023354-1211.dat UPX behavioral2/files/0x0007000000023370-1288.dat UPX behavioral2/files/0x0009000000023374-1305.dat UPX behavioral2/files/0x0007000000023385-1344.dat UPX behavioral2/files/0x0007000000023390-1378.dat UPX behavioral2/files/0x00070000000233a0-1426.dat UPX behavioral2/files/0x00070000000233c8-1546.dat UPX behavioral2/files/0x00070000000233dc-1611.dat UPX behavioral2/files/0x00070000000233f6-1695.dat UPX behavioral2/files/0x0007000000023418-1802.dat UPX behavioral2/files/0x0007000000023420-1826.dat UPX behavioral2/files/0x0007000000023424-1836.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 1704 Cecbmf32.exe 4456 Conclk32.exe 2352 Daolnf32.exe 4968 Dboigi32.exe 1348 Dadeieea.exe 4364 Dafbne32.exe 2376 Dhpjkojk.exe 2364 Dojcgi32.exe 1388 Elppfmoo.exe 2020 Ekemhj32.exe 2244 Ehljfnpn.exe 724 Fohoigfh.exe 4728 Fkopnh32.exe 1052 Flnlhk32.exe 4028 Ffgqqaip.exe 2796 Fbnafb32.exe 1840 Flceckoj.exe 1512 Glhonj32.exe 3468 Gfpcgpae.exe 4272 Gmjlcj32.exe 2604 Gfgjgo32.exe 3436 Hopnqdan.exe 4856 Hbpgbo32.exe 440 Hkkhqd32.exe 708 Hmjdjgjo.exe 3268 Hbgmcnhf.exe 4964 Ikpaldog.exe 4252 Ifefimom.exe 5032 Ifjodl32.exe 2840 Icplcpgo.exe 448 Jmhale32.exe 4376 Jmknaell.exe 2008 Jcefno32.exe 4224 Jmmjgejj.exe 3208 Jcgbco32.exe 216 Jfeopj32.exe 3456 Jmpgldhg.exe 4948 Jblpek32.exe 2188 Jeklag32.exe 4820 Jmbdbd32.exe 2168 Jpppnp32.exe 2300 Kfjhkjle.exe 4424 Klgqcqkl.exe 4892 Kbaipkbi.exe 2004 Kpeiioac.exe 2500 Kfoafi32.exe 3636 Kimnbd32.exe 4124 Kdcbom32.exe 4384 Klngdpdd.exe 1004 Kfckahdj.exe 1900 Kmncnb32.exe 64 Lbjlfi32.exe 4840 Lbmhlihl.exe 1732 Lpqiemge.exe 2716 Lfkaag32.exe 452 Lpcfkm32.exe 1712 Lgmngglp.exe 4556 Lpebpm32.exe 4068 Lgokmgjm.exe 4244 Lmiciaaj.exe 5088 Mdckfk32.exe 2956 Mipcob32.exe 732 Mdehlk32.exe 1632 Mibpda32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jfpojead.exe Ikfabm32.exe File created C:\Windows\SysWOW64\Plpjoe32.exe Pefabkej.exe File created C:\Windows\SysWOW64\Mgmodn32.dll Bdmmeo32.exe File created C:\Windows\SysWOW64\Jfeopj32.exe Jcgbco32.exe File opened for modification C:\Windows\SysWOW64\Dmcibama.exe Cajlhqjp.exe File created C:\Windows\SysWOW64\Hminmc32.dll Lhkgoiqe.exe File opened for modification C:\Windows\SysWOW64\Ohlimd32.exe Oocddono.exe File created C:\Windows\SysWOW64\Kaehljpj.exe Kkhpdcab.exe File created C:\Windows\SysWOW64\Efafgifc.exe Ebejfk32.exe File created C:\Windows\SysWOW64\Gdkkfn32.dll Lgokmgjm.exe File created C:\Windows\SysWOW64\Ifndpaoq.dll Ncfdie32.exe File created C:\Windows\SysWOW64\Fbnafb32.exe Ffgqqaip.exe File created C:\Windows\SysWOW64\Olaafabl.dll Cnaaib32.exe File opened for modification C:\Windows\SysWOW64\Jpkphjeb.exe Jfbkpd32.exe File created C:\Windows\SysWOW64\Qoifflkg.exe Podmkm32.exe File created C:\Windows\SysWOW64\Jcebldil.dll Nafjjf32.exe File created C:\Windows\SysWOW64\Fpgfkbgm.dll Oeoblb32.exe File created C:\Windows\SysWOW64\Epcdqd32.exe Eidbij32.exe File opened for modification C:\Windows\SysWOW64\Gafmaj32.exe Gohaeo32.exe File opened for modification C:\Windows\SysWOW64\Jjjpnlbd.exe Idkkpf32.exe File opened for modification C:\Windows\SysWOW64\Hdjbiheb.exe Hmpjmn32.exe File opened for modification C:\Windows\SysWOW64\Pdmkhgho.exe Plbfdekd.exe File created C:\Windows\SysWOW64\Qamhhedg.dll Kpeiioac.exe File created C:\Windows\SysWOW64\Ndhkdnkh.dll Bclhhnca.exe File created C:\Windows\SysWOW64\Ioopml32.exe Idgojc32.exe File created C:\Windows\SysWOW64\Flioncbc.dll Dboigi32.exe File created C:\Windows\SysWOW64\Flceckoj.exe Fbnafb32.exe File created C:\Windows\SysWOW64\Biogppeg.exe Bqdblmhl.exe File created C:\Windows\SysWOW64\Qlgene32.dll Ceckcp32.exe File opened for modification C:\Windows\SysWOW64\Fdkggg32.exe Fnaokmco.exe File opened for modification C:\Windows\SysWOW64\Lpebpm32.exe Lgmngglp.exe File opened for modification C:\Windows\SysWOW64\Ebhglj32.exe Emkndc32.exe File opened for modification C:\Windows\SysWOW64\Fhbimf32.exe Fedmqk32.exe File opened for modification C:\Windows\SysWOW64\Ncofplba.exe Nlcalieg.exe File opened for modification C:\Windows\SysWOW64\Dhclmp32.exe Dfdpad32.exe File opened for modification C:\Windows\SysWOW64\Pqknig32.exe Pnlaml32.exe File created C:\Windows\SysWOW64\Pcbmka32.exe Pqdqof32.exe File created C:\Windows\SysWOW64\Ofgjophm.dll Gmggfp32.exe File created C:\Windows\SysWOW64\Nmigoagp.exe Nlhkgi32.exe File opened for modification C:\Windows\SysWOW64\Nlnbgddc.exe Ncfmno32.exe File created C:\Windows\SysWOW64\Ochpdn32.dll Pgioqq32.exe File opened for modification C:\Windows\SysWOW64\Fibojhim.exe Fdffbake.exe File created C:\Windows\SysWOW64\Jffldcca.dll Dadeieea.exe File created C:\Windows\SysWOW64\Fmlneg32.exe Facqkg32.exe File opened for modification C:\Windows\SysWOW64\Jknfcofa.exe Jddnfd32.exe File created C:\Windows\SysWOW64\Cmlihfed.dll Meiaib32.exe File opened for modification C:\Windows\SysWOW64\Fgbmccpg.exe Feapkk32.exe File created C:\Windows\SysWOW64\Jcgmgn32.dll Opeiadfg.exe File created C:\Windows\SysWOW64\Knghil32.dll Eagaoh32.exe File created C:\Windows\SysWOW64\Egdeookg.dll Mnnkgl32.exe File created C:\Windows\SysWOW64\Olgncmim.exe Oboijgbl.exe File created C:\Windows\SysWOW64\Oklkdi32.exe Oeoblb32.exe File created C:\Windows\SysWOW64\Abbkcpma.exe Aodogdmn.exe File opened for modification C:\Windows\SysWOW64\Fohoigfh.exe Ehljfnpn.exe File opened for modification C:\Windows\SysWOW64\Ikokan32.exe Inkjhi32.exe File opened for modification C:\Windows\SysWOW64\Ikbfgppo.exe Ipmbjgpi.exe File created C:\Windows\SysWOW64\Khddfdcl.dll Edknqiho.exe File created C:\Windows\SysWOW64\Cjaifp32.exe Cceddf32.exe File created C:\Windows\SysWOW64\Mhoipb32.exe Lbpdblmo.exe File created C:\Windows\SysWOW64\Lpebpm32.exe Lgmngglp.exe File opened for modification C:\Windows\SysWOW64\Adfnofpd.exe Alkijdci.exe File created C:\Windows\SysWOW64\Pocehodm.dll Ggeboaob.exe File created C:\Windows\SysWOW64\Bedgjgkg.exe Bhpfqcln.exe File opened for modification C:\Windows\SysWOW64\Beeoaapl.exe Bfdodjhm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7088 5592 WerFault.exe 637 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgmoc32.dll" Afinioip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhclmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll" Ajckij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll" Belebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jglklggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkfadkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhcfaai.dll" Kechmoil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mehjol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plejdkmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Algpao32.dll" Jbileede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gafian32.dll" Plagcbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lehagi32.dll" Fdffbake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Angdnk32.dll" Dmohno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll" Cdabcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cikglnkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnnkgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibnligoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecgcfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idgojc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioodgbj.dll" Bqdblmhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pahpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngqpijkf.dll" Cihclh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Panhbfep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Daolnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcpnhfhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jknfcofa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igdnabjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kqpoakco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niehpfnk.dll" Cmhigf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Difpmfna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfgjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdcbom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ioopml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll" Beeoaapl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kijjbofj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlphicca.dll" Fnmepn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgjccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciggeb32.dll" Blnoga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimgpahk.dll" Dhclmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmdkch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacmhc32.dll" Fnobem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aakebqbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqkclhkh.dll" Gohaeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjlmclqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hoogfnnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmennnni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffgqqaip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkkceedp.dll" Ebommi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dokmlmhl.dll" Hmpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oboijgbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahpmjejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdomd32.dll" Cnfaohbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfdfgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdgmickl.dll" Pmoiqneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofdocoe.dll" Dmennnni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikpaldog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikpaldog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cabfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcbknkol.dll" Lbqklb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mblcnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipmbjgpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjpbam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgbpaipl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bppfmigl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4988 wrote to memory of 1704 4988 a47e4ebd2344a34ba400c4bb3369f6930ab6a2b2f9356b68ae9034098e415f28.exe 86 PID 4988 wrote to memory of 1704 4988 a47e4ebd2344a34ba400c4bb3369f6930ab6a2b2f9356b68ae9034098e415f28.exe 86 PID 4988 wrote to memory of 1704 4988 a47e4ebd2344a34ba400c4bb3369f6930ab6a2b2f9356b68ae9034098e415f28.exe 86 PID 1704 wrote to memory of 4456 1704 Cecbmf32.exe 87 PID 1704 wrote to memory of 4456 1704 Cecbmf32.exe 87 PID 1704 wrote to memory of 4456 1704 Cecbmf32.exe 87 PID 4456 wrote to memory of 2352 4456 Conclk32.exe 89 PID 4456 wrote to memory of 2352 4456 Conclk32.exe 89 PID 4456 wrote to memory of 2352 4456 Conclk32.exe 89 PID 2352 wrote to memory of 4968 2352 Daolnf32.exe 90 PID 2352 wrote to memory of 4968 2352 Daolnf32.exe 90 PID 2352 wrote to memory of 4968 2352 Daolnf32.exe 90 PID 4968 wrote to memory of 1348 4968 Dboigi32.exe 91 PID 4968 wrote to memory of 1348 4968 Dboigi32.exe 91 PID 4968 wrote to memory of 1348 4968 Dboigi32.exe 91 PID 1348 wrote to memory of 4364 1348 Dadeieea.exe 92 PID 1348 wrote to memory of 4364 1348 Dadeieea.exe 92 PID 1348 wrote to memory of 4364 1348 Dadeieea.exe 92 PID 4364 wrote to memory of 2376 4364 Dafbne32.exe 93 PID 4364 wrote to memory of 2376 4364 Dafbne32.exe 93 PID 4364 wrote to memory of 2376 4364 Dafbne32.exe 93 PID 2376 wrote to memory of 2364 2376 Dhpjkojk.exe 94 PID 2376 wrote to memory of 2364 2376 Dhpjkojk.exe 94 PID 2376 wrote to memory of 2364 2376 Dhpjkojk.exe 94 PID 2364 wrote to memory of 1388 2364 Dojcgi32.exe 95 PID 2364 wrote to memory of 1388 2364 Dojcgi32.exe 95 PID 2364 wrote to memory of 1388 2364 Dojcgi32.exe 95 PID 1388 wrote to memory of 2020 1388 Elppfmoo.exe 96 PID 1388 wrote to memory of 2020 1388 Elppfmoo.exe 96 PID 1388 wrote to memory of 2020 1388 Elppfmoo.exe 96 PID 2020 wrote to memory of 2244 2020 Ekemhj32.exe 97 PID 2020 wrote to memory of 2244 2020 Ekemhj32.exe 97 PID 2020 wrote to memory of 2244 2020 Ekemhj32.exe 97 PID 2244 wrote to memory of 724 2244 Ehljfnpn.exe 98 PID 2244 wrote to memory of 724 2244 Ehljfnpn.exe 98 PID 2244 wrote to memory of 724 2244 Ehljfnpn.exe 98 PID 724 wrote to memory of 4728 724 Fohoigfh.exe 99 PID 724 wrote to memory of 4728 724 Fohoigfh.exe 99 PID 724 wrote to memory of 4728 724 Fohoigfh.exe 99 PID 4728 wrote to memory of 1052 4728 Fkopnh32.exe 100 PID 4728 wrote to memory of 1052 4728 Fkopnh32.exe 100 PID 4728 wrote to memory of 1052 4728 Fkopnh32.exe 100 PID 1052 wrote to memory of 4028 1052 Flnlhk32.exe 101 PID 1052 wrote to memory of 4028 1052 Flnlhk32.exe 101 PID 1052 wrote to memory of 4028 1052 Flnlhk32.exe 101 PID 4028 wrote to memory of 2796 4028 Ffgqqaip.exe 102 PID 4028 wrote to memory of 2796 4028 Ffgqqaip.exe 102 PID 4028 wrote to memory of 2796 4028 Ffgqqaip.exe 102 PID 2796 wrote to memory of 1840 2796 Fbnafb32.exe 103 PID 2796 wrote to memory of 1840 2796 Fbnafb32.exe 103 PID 2796 wrote to memory of 1840 2796 Fbnafb32.exe 103 PID 1840 wrote to memory of 1512 1840 Flceckoj.exe 104 PID 1840 wrote to memory of 1512 1840 Flceckoj.exe 104 PID 1840 wrote to memory of 1512 1840 Flceckoj.exe 104 PID 1512 wrote to memory of 3468 1512 Glhonj32.exe 105 PID 1512 wrote to memory of 3468 1512 Glhonj32.exe 105 PID 1512 wrote to memory of 3468 1512 Glhonj32.exe 105 PID 3468 wrote to memory of 4272 3468 Gfpcgpae.exe 106 PID 3468 wrote to memory of 4272 3468 Gfpcgpae.exe 106 PID 3468 wrote to memory of 4272 3468 Gfpcgpae.exe 106 PID 4272 wrote to memory of 2604 4272 Gmjlcj32.exe 107 PID 4272 wrote to memory of 2604 4272 Gmjlcj32.exe 107 PID 4272 wrote to memory of 2604 4272 Gmjlcj32.exe 107 PID 2604 wrote to memory of 3436 2604 Gfgjgo32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\a47e4ebd2344a34ba400c4bb3369f6930ab6a2b2f9356b68ae9034098e415f28.exe"C:\Users\Admin\AppData\Local\Temp\a47e4ebd2344a34ba400c4bb3369f6930ab6a2b2f9356b68ae9034098e415f28.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Dboigi32.exeC:\Windows\system32\Dboigi32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Ehljfnpn.exeC:\Windows\system32\Ehljfnpn.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\SysWOW64\Gfgjgo32.exeC:\Windows\system32\Gfgjgo32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe23⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe24⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Hkkhqd32.exeC:\Windows\system32\Hkkhqd32.exe25⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe26⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe27⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:4964 -
C:\Windows\SysWOW64\Ifefimom.exeC:\Windows\system32\Ifefimom.exe29⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Ifjodl32.exeC:\Windows\system32\Ifjodl32.exe30⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Icplcpgo.exeC:\Windows\system32\Icplcpgo.exe31⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Jmhale32.exeC:\Windows\system32\Jmhale32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Jmknaell.exeC:\Windows\system32\Jmknaell.exe33⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Jcefno32.exeC:\Windows\system32\Jcefno32.exe34⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Jmmjgejj.exeC:\Windows\system32\Jmmjgejj.exe35⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Jcgbco32.exeC:\Windows\system32\Jcgbco32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3208 -
C:\Windows\SysWOW64\Jfeopj32.exeC:\Windows\system32\Jfeopj32.exe37⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Jmpgldhg.exeC:\Windows\system32\Jmpgldhg.exe38⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Jblpek32.exeC:\Windows\system32\Jblpek32.exe39⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Jeklag32.exeC:\Windows\system32\Jeklag32.exe40⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe41⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe42⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Kfjhkjle.exeC:\Windows\system32\Kfjhkjle.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Klgqcqkl.exeC:\Windows\system32\Klgqcqkl.exe44⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe45⤵
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Kpeiioac.exeC:\Windows\system32\Kpeiioac.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Kfoafi32.exeC:\Windows\system32\Kfoafi32.exe47⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe48⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Kdcbom32.exeC:\Windows\system32\Kdcbom32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:4124 -
C:\Windows\SysWOW64\Klngdpdd.exeC:\Windows\system32\Klngdpdd.exe50⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Kfckahdj.exeC:\Windows\system32\Kfckahdj.exe51⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Kmncnb32.exeC:\Windows\system32\Kmncnb32.exe52⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe53⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Lbmhlihl.exeC:\Windows\system32\Lbmhlihl.exe54⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Lpqiemge.exeC:\Windows\system32\Lpqiemge.exe55⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe56⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Lpcfkm32.exeC:\Windows\system32\Lpcfkm32.exe57⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Lgmngglp.exeC:\Windows\system32\Lgmngglp.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Lpebpm32.exeC:\Windows\system32\Lpebpm32.exe59⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Lgokmgjm.exeC:\Windows\system32\Lgokmgjm.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4068 -
C:\Windows\SysWOW64\Lmiciaaj.exeC:\Windows\system32\Lmiciaaj.exe61⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Mdckfk32.exeC:\Windows\system32\Mdckfk32.exe62⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Mipcob32.exeC:\Windows\system32\Mipcob32.exe63⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Mdehlk32.exeC:\Windows\system32\Mdehlk32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:732 -
C:\Windows\SysWOW64\Mibpda32.exeC:\Windows\system32\Mibpda32.exe65⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Mdhdajea.exeC:\Windows\system32\Mdhdajea.exe66⤵PID:5048
-
C:\Windows\SysWOW64\Meiaib32.exeC:\Windows\system32\Meiaib32.exe67⤵
- Drops file in System32 directory
PID:4316 -
C:\Windows\SysWOW64\Mgimcebb.exeC:\Windows\system32\Mgimcebb.exe68⤵PID:3464
-
C:\Windows\SysWOW64\Migjoaaf.exeC:\Windows\system32\Migjoaaf.exe69⤵PID:2212
-
C:\Windows\SysWOW64\Mlefklpj.exeC:\Windows\system32\Mlefklpj.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:800 -
C:\Windows\SysWOW64\Mcpnhfhf.exeC:\Windows\system32\Mcpnhfhf.exe71⤵
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Npcoakfp.exeC:\Windows\system32\Npcoakfp.exe72⤵PID:3780
-
C:\Windows\SysWOW64\Nngokoej.exeC:\Windows\system32\Nngokoej.exe73⤵PID:1744
-
C:\Windows\SysWOW64\Njnpppkn.exeC:\Windows\system32\Njnpppkn.exe74⤵PID:1944
-
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe75⤵
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Nloiakho.exeC:\Windows\system32\Nloiakho.exe76⤵PID:5172
-
C:\Windows\SysWOW64\Njciko32.exeC:\Windows\system32\Njciko32.exe77⤵PID:5212
-
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe78⤵PID:5252
-
C:\Windows\SysWOW64\Ocpgod32.exeC:\Windows\system32\Ocpgod32.exe79⤵PID:5304
-
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe80⤵PID:5344
-
C:\Windows\SysWOW64\Odapnf32.exeC:\Windows\system32\Odapnf32.exe81⤵PID:5388
-
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe82⤵PID:5428
-
C:\Windows\SysWOW64\Pnlaml32.exeC:\Windows\system32\Pnlaml32.exe83⤵
- Drops file in System32 directory
PID:5468 -
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe84⤵PID:5508
-
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe85⤵PID:5552
-
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe86⤵PID:5588
-
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe87⤵PID:5628
-
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe88⤵
- Modifies registry class
PID:5676 -
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe89⤵
- Drops file in System32 directory
PID:5724 -
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe90⤵
- Drops file in System32 directory
PID:5776 -
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5832 -
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe92⤵PID:5880
-
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe93⤵PID:5924
-
C:\Windows\SysWOW64\Qjoankoi.exeC:\Windows\system32\Qjoankoi.exe94⤵PID:5968
-
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe95⤵PID:6020
-
C:\Windows\SysWOW64\Acjclpcf.exeC:\Windows\system32\Acjclpcf.exe96⤵PID:6060
-
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe97⤵
- Modifies registry class
PID:6100 -
C:\Windows\SysWOW64\Aqppkd32.exeC:\Windows\system32\Aqppkd32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1740 -
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe99⤵PID:5180
-
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe100⤵PID:5244
-
C:\Windows\SysWOW64\Aabmqd32.exeC:\Windows\system32\Aabmqd32.exe101⤵PID:4904
-
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe102⤵PID:5396
-
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe103⤵
- Drops file in System32 directory
PID:5452 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe104⤵
- Modifies registry class
PID:5548 -
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe105⤵PID:5612
-
C:\Windows\SysWOW64\Bclhhnca.exeC:\Windows\system32\Bclhhnca.exe106⤵
- Drops file in System32 directory
PID:5668 -
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5764 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe108⤵
- Modifies registry class
PID:5844 -
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe109⤵
- Modifies registry class
PID:5920 -
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe110⤵
- Modifies registry class
PID:5960 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe111⤵
- Drops file in System32 directory
PID:1264 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe112⤵PID:876
-
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3368 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6004 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe115⤵PID:6092
-
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe116⤵PID:5152
-
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe117⤵PID:5260
-
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe118⤵PID:5336
-
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe119⤵PID:5504
-
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe120⤵PID:5604
-
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe121⤵PID:5740
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-