Analysis
-
max time kernel
94s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
11/04/2024, 02:34
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
c5d92936c2c848b1c02737065484b90bfa62dc00e00ce243b2c81bbe6d055168.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
c5d92936c2c848b1c02737065484b90bfa62dc00e00ce243b2c81bbe6d055168.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
c5d92936c2c848b1c02737065484b90bfa62dc00e00ce243b2c81bbe6d055168.exe
-
Size
192KB
-
MD5
2cfe6bbbd3547a42676d63099a3def83
-
SHA1
0efe111af15a96eca0a5b768438d10185f306850
-
SHA256
c5d92936c2c848b1c02737065484b90bfa62dc00e00ce243b2c81bbe6d055168
-
SHA512
1e71658362dae30cffa191075ebc425ab9e0f11afc1426dce4507591a7e642bdd5bfb9e8b8d5f87f65b56681a781323003eaa6438351535408ec23b84737530e
-
SSDEEP
3072:XpfR9dtk4DhQ62WDaUyIwAVjoutkTy27zU:5fRfJ2WDxpwAVjoSkTl7zU
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdhbec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkhibmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhcpgmjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opakbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocpgod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djlddi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gqikdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckedalaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbabgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmlcbbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmefhako.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogogcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffekegon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gifmnpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehedfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfckahdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lebkhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Goiojk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnaikd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nljofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlmllkja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njqmepik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nggjdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnhmng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bblckl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cknnpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdeiaio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlednamo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibccic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkmchi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jeaikh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgkjhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbpjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkjlge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocnjidkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdaldd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maohkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njfmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddgkpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlbgha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceehho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jaimbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eoocmoao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hikfip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcedaheh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odpjcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icplcpgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baaggo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaqgek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbifelba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhgjblfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdhdajea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baicac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecdbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmklen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkfkfohj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdfbibnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edpnfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcidfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdmegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okolkg32.exe -
UPX dump on OEP (original entry point) 52 IoCs
resource yara_rule behavioral2/files/0x000b00000002316c-6.dat UPX behavioral2/files/0x00070000000231f1-14.dat UPX behavioral2/files/0x00070000000231f3-22.dat UPX behavioral2/files/0x00070000000231f5-30.dat UPX behavioral2/files/0x00070000000231f7-38.dat UPX behavioral2/files/0x00070000000231f9-46.dat UPX behavioral2/files/0x00070000000231fb-54.dat UPX behavioral2/files/0x00070000000231fd-62.dat UPX behavioral2/files/0x00070000000231ff-71.dat UPX behavioral2/files/0x0007000000023201-78.dat UPX behavioral2/files/0x0007000000023203-86.dat UPX behavioral2/files/0x0007000000023205-94.dat UPX behavioral2/files/0x0007000000023207-103.dat UPX behavioral2/files/0x0007000000023209-110.dat UPX behavioral2/files/0x000700000002320b-118.dat UPX behavioral2/files/0x000700000002320d-126.dat UPX behavioral2/files/0x000700000002320f-134.dat UPX behavioral2/files/0x0007000000023211-142.dat UPX behavioral2/files/0x0007000000023213-150.dat UPX behavioral2/files/0x0007000000023215-158.dat UPX behavioral2/files/0x0007000000023217-166.dat UPX behavioral2/files/0x0007000000023219-174.dat UPX behavioral2/files/0x000a00000002316d-182.dat UPX behavioral2/files/0x000700000002321c-190.dat UPX behavioral2/files/0x000700000002321e-198.dat UPX behavioral2/files/0x0007000000023221-206.dat UPX behavioral2/files/0x0007000000023223-214.dat UPX behavioral2/files/0x0007000000023225-223.dat UPX behavioral2/files/0x0007000000023227-231.dat UPX behavioral2/files/0x0007000000023229-239.dat UPX behavioral2/files/0x000700000002322b-246.dat UPX behavioral2/files/0x000700000002322d-255.dat UPX behavioral2/files/0x000700000002324b-341.dat UPX behavioral2/files/0x0007000000023253-365.dat UPX behavioral2/files/0x0007000000023348-1164.dat UPX behavioral2/files/0x0007000000023378-1314.dat UPX behavioral2/files/0x0007000000023386-1359.dat UPX behavioral2/files/0x0007000000023449-2000.dat UPX behavioral2/files/0x0007000000023488-2196.dat UPX behavioral2/files/0x00070000000234e4-2494.dat UPX behavioral2/files/0x00070000000235b7-3154.dat UPX behavioral2/files/0x000700000002361d-3463.dat UPX behavioral2/files/0x000700000002362b-3498.dat UPX behavioral2/files/0x0007000000023637-3528.dat UPX behavioral2/files/0x000700000002363f-3548.dat UPX behavioral2/files/0x0007000000023649-3573.dat UPX behavioral2/files/0x000700000002365b-3618.dat UPX behavioral2/files/0x000700000002366f-3668.dat UPX behavioral2/files/0x0007000000023679-3693.dat UPX behavioral2/files/0x0007000000023685-3723.dat UPX behavioral2/files/0x000700000002368d-3743.dat UPX behavioral2/files/0x0007000000023691-3753.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 1316 Blpechop.exe 4336 Booaodnd.exe 2056 Behiln32.exe 4980 Bhgehi32.exe 4928 Bpnnig32.exe 1680 Bbljeb32.exe 3528 Bifbbllg.exe 5044 Bpqjofcd.exe 4180 Baaggo32.exe 3180 Biiohl32.exe 3676 Blgkdg32.exe 4280 Boegpc32.exe 4852 Beppmmoi.exe 5020 Clihig32.exe 1332 Ceblbm32.exe 3928 Cpgqpe32.exe 2804 Caimgncj.exe 4572 Cipehkcl.exe 4736 Cpjmee32.exe 4268 Cefemliq.exe 724 Chebighd.exe 3836 Cpljkdig.exe 4696 Camfbm32.exe 552 Chgoogfa.exe 1360 Coagla32.exe 744 Dhjkdg32.exe 1408 Denlnk32.exe 4872 Dpcpkc32.exe 3588 Dcalgo32.exe 2192 Djlddi32.exe 3152 Dpemacql.exe 1040 Dohmlp32.exe 5048 Debeijoc.exe 3272 Djnaji32.exe 3492 Dhqaefng.exe 2488 Dcfebonm.exe 2448 Djpnohej.exe 1472 Dpjflb32.exe 2472 Efgodj32.exe 2676 Elagacbk.exe 2464 Eoocmoao.exe 1152 Ebnoikqb.exe 1136 Ejegjh32.exe 4396 Ehhgfdho.exe 2088 Epopgbia.exe 1300 Ecmlcmhe.exe 3320 Ecphimfb.exe 980 Ejjqeg32.exe 456 Eofinnkf.exe 3228 Efpajh32.exe 4608 Ecdbdl32.exe 2332 Ffbnph32.exe 4748 Fbioei32.exe 5032 Ffekegon.exe 2528 Fqkocpod.exe 2024 Ffggkgmk.exe 2244 Fmapha32.exe 3196 Fopldmcl.exe 1972 Fbnhphbp.exe 4108 Fjepaecb.exe 1280 Fmclmabe.exe 2420 Fobiilai.exe 1600 Fflaff32.exe 824 Fmficqpc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Debdld32.dll Opakbi32.exe File opened for modification C:\Windows\SysWOW64\Qmmnjfnl.exe Qjoankoi.exe File opened for modification C:\Windows\SysWOW64\Dahode32.exe Dkoggkjo.exe File created C:\Windows\SysWOW64\Imllie32.dll Kbfbkj32.exe File created C:\Windows\SysWOW64\Eiojlkkj.dll Anogiicl.exe File created C:\Windows\SysWOW64\Bdghlnlo.dll Ebnoikqb.exe File created C:\Windows\SysWOW64\Hikfip32.exe Hfljmdjc.exe File created C:\Windows\SysWOW64\Jdjfcecp.exe Jaljgidl.exe File created C:\Windows\SysWOW64\Fbegho32.dll Bdolhc32.exe File created C:\Windows\SysWOW64\Aihbcp32.dll Mlampmdo.exe File opened for modification C:\Windows\SysWOW64\Njciko32.exe Ngdmod32.exe File created C:\Windows\SysWOW64\Gfcgge32.exe Gcekkjcj.exe File opened for modification C:\Windows\SysWOW64\Kipkhdeq.exe Kfankifm.exe File created C:\Windows\SysWOW64\Klqcioba.exe Kfckahdj.exe File created C:\Windows\SysWOW64\Jlingkpe.dll Ngpccdlj.exe File opened for modification C:\Windows\SysWOW64\Caebma32.exe Cnffqf32.exe File created C:\Windows\SysWOW64\Ffpmlcim.dll Cjpckf32.exe File opened for modification C:\Windows\SysWOW64\Ncnadk32.exe Nnaikd32.exe File opened for modification C:\Windows\SysWOW64\Iefioj32.exe Hkmefd32.exe File opened for modification C:\Windows\SysWOW64\Jeklag32.exe Jcioiood.exe File created C:\Windows\SysWOW64\Fhccdhqf.dll Kfankifm.exe File created C:\Windows\SysWOW64\Ejfenk32.dll Pcijeb32.exe File opened for modification C:\Windows\SysWOW64\Agoabn32.exe Aepefb32.exe File created C:\Windows\SysWOW64\Oqkdcn32.exe Onmhgb32.exe File opened for modification C:\Windows\SysWOW64\Ocbddc32.exe Opdghh32.exe File opened for modification C:\Windows\SysWOW64\Bclhhnca.exe Banllbdn.exe File created C:\Windows\SysWOW64\Gefncbmc.dll Lcdegnep.exe File created C:\Windows\SysWOW64\Hnfmbf32.dll Mdpalp32.exe File created C:\Windows\SysWOW64\Mgkjhe32.exe Mdmnlj32.exe File created C:\Windows\SysWOW64\Acmflf32.exe Aanjpk32.exe File created C:\Windows\SysWOW64\Phfkqkek.dll Ahkobekf.exe File created C:\Windows\SysWOW64\Pgioqq32.exe Pdkcde32.exe File created C:\Windows\SysWOW64\Bdhfhe32.exe Bjpaooda.exe File created C:\Windows\SysWOW64\Clbceo32.exe Chghdqbf.exe File created C:\Windows\SysWOW64\Eleiam32.exe Eekaebcm.exe File created C:\Windows\SysWOW64\Gfkfpo32.dll Kdgljmcd.exe File opened for modification C:\Windows\SysWOW64\Cegdnopg.exe Cmqmma32.exe File opened for modification C:\Windows\SysWOW64\Jeaikh32.exe Icplcpgo.exe File created C:\Windows\SysWOW64\Qekdppan.dll Jjbako32.exe File created C:\Windows\SysWOW64\Iljnde32.dll Jkfkfohj.exe File created C:\Windows\SysWOW64\Mdkhapfj.exe Mamleegg.exe File opened for modification C:\Windows\SysWOW64\Bobcpmfc.exe Bhikcb32.exe File created C:\Windows\SysWOW64\Eocqqdjh.dll Daaicfgd.exe File created C:\Windows\SysWOW64\Dkjmlk32.exe Dlgmpogj.exe File created C:\Windows\SysWOW64\Nnbnoffm.dll Jcioiood.exe File created C:\Windows\SysWOW64\Bmpcfdmg.exe Bgcknmop.exe File created C:\Windows\SysWOW64\Ijfboafl.exe Icljbg32.exe File created C:\Windows\SysWOW64\Kepelfam.exe Kpbmco32.exe File created C:\Windows\SysWOW64\Dbnamnpl.dll Pggbkagp.exe File created C:\Windows\SysWOW64\Qchnlc32.dll Hccglh32.exe File opened for modification C:\Windows\SysWOW64\Kkbkamnl.exe Kdhbec32.exe File created C:\Windows\SysWOW64\Kmmfbg32.dll Lbabgh32.exe File created C:\Windows\SysWOW64\Iblilb32.dll Fmclmabe.exe File opened for modification C:\Windows\SysWOW64\Jbocea32.exe Jpaghf32.exe File created C:\Windows\SysWOW64\Ckedalaj.exe Clbceo32.exe File created C:\Windows\SysWOW64\Mdmnlj32.exe Mlefklpj.exe File opened for modification C:\Windows\SysWOW64\Fjepaecb.exe Fbnhphbp.exe File created C:\Windows\SysWOW64\Hdgpjm32.dll Haidklda.exe File opened for modification C:\Windows\SysWOW64\Pnbbbabh.exe Pjffbc32.exe File opened for modification C:\Windows\SysWOW64\Pjhbgb32.exe Pgjfkg32.exe File opened for modification C:\Windows\SysWOW64\Ejjqeg32.exe Ecphimfb.exe File opened for modification C:\Windows\SysWOW64\Kbapjafe.exe Kpccnefa.exe File created C:\Windows\SysWOW64\Cnkfcl32.dll Gmjlcj32.exe File created C:\Windows\SysWOW64\Fmclmabe.exe Fjepaecb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14120 14020 WerFault.exe 703 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgbbfnk.dll" Kdeoemeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chokikeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elagacbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jaimbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jplmmfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njfmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjjmog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aanjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnnjen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffkjlp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcnnaikp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcjapi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll" Qddfkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglanoaq.dll" Impepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmjqmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbddcoei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll" Aeklkchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkkcge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkjlge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Megkhf32.dll" Blpnib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogkcpbam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll" Cjpckf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Biiohl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll" Mgidml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llgjjnlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll" Bgehcmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhaebcen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Clpgpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igoedk32.dll" Elppfmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpafo32.dll" Kpbmco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlednamo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll" Kdaldd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Echknh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll" Pjhlml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qmmnjfnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nepgjaeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bclhhnca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ondeac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hopnqdan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoecnk32.dll" Kiidgeki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdckfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll" Oqfdnhfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll" Jpaghf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll" Kbapjafe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkkojgao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocnjidkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjqjih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Peimil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjqehkaf.dll" Ddpeoafg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gohhpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Daekdooc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqfbaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qgallfcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaqgek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Daqbip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdaldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll" Ldohebqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boepel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll" Pcppfaka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpmhl32.dll" Ifefimom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngdmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll" Ocbddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Belebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcmnpe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1704 wrote to memory of 1316 1704 c5d92936c2c848b1c02737065484b90bfa62dc00e00ce243b2c81bbe6d055168.exe 87 PID 1704 wrote to memory of 1316 1704 c5d92936c2c848b1c02737065484b90bfa62dc00e00ce243b2c81bbe6d055168.exe 87 PID 1704 wrote to memory of 1316 1704 c5d92936c2c848b1c02737065484b90bfa62dc00e00ce243b2c81bbe6d055168.exe 87 PID 1316 wrote to memory of 4336 1316 Blpechop.exe 88 PID 1316 wrote to memory of 4336 1316 Blpechop.exe 88 PID 1316 wrote to memory of 4336 1316 Blpechop.exe 88 PID 4336 wrote to memory of 2056 4336 Booaodnd.exe 89 PID 4336 wrote to memory of 2056 4336 Booaodnd.exe 89 PID 4336 wrote to memory of 2056 4336 Booaodnd.exe 89 PID 2056 wrote to memory of 4980 2056 Behiln32.exe 90 PID 2056 wrote to memory of 4980 2056 Behiln32.exe 90 PID 2056 wrote to memory of 4980 2056 Behiln32.exe 90 PID 4980 wrote to memory of 4928 4980 Bhgehi32.exe 91 PID 4980 wrote to memory of 4928 4980 Bhgehi32.exe 91 PID 4980 wrote to memory of 4928 4980 Bhgehi32.exe 91 PID 4928 wrote to memory of 1680 4928 Bpnnig32.exe 92 PID 4928 wrote to memory of 1680 4928 Bpnnig32.exe 92 PID 4928 wrote to memory of 1680 4928 Bpnnig32.exe 92 PID 1680 wrote to memory of 3528 1680 Bbljeb32.exe 93 PID 1680 wrote to memory of 3528 1680 Bbljeb32.exe 93 PID 1680 wrote to memory of 3528 1680 Bbljeb32.exe 93 PID 3528 wrote to memory of 5044 3528 Bifbbllg.exe 94 PID 3528 wrote to memory of 5044 3528 Bifbbllg.exe 94 PID 3528 wrote to memory of 5044 3528 Bifbbllg.exe 94 PID 5044 wrote to memory of 4180 5044 Bpqjofcd.exe 95 PID 5044 wrote to memory of 4180 5044 Bpqjofcd.exe 95 PID 5044 wrote to memory of 4180 5044 Bpqjofcd.exe 95 PID 4180 wrote to memory of 3180 4180 Baaggo32.exe 96 PID 4180 wrote to memory of 3180 4180 Baaggo32.exe 96 PID 4180 wrote to memory of 3180 4180 Baaggo32.exe 96 PID 3180 wrote to memory of 3676 3180 Biiohl32.exe 97 PID 3180 wrote to memory of 3676 3180 Biiohl32.exe 97 PID 3180 wrote to memory of 3676 3180 Biiohl32.exe 97 PID 3676 wrote to memory of 4280 3676 Blgkdg32.exe 98 PID 3676 wrote to memory of 4280 3676 Blgkdg32.exe 98 PID 3676 wrote to memory of 4280 3676 Blgkdg32.exe 98 PID 4280 wrote to memory of 4852 4280 Boegpc32.exe 99 PID 4280 wrote to memory of 4852 4280 Boegpc32.exe 99 PID 4280 wrote to memory of 4852 4280 Boegpc32.exe 99 PID 4852 wrote to memory of 5020 4852 Beppmmoi.exe 100 PID 4852 wrote to memory of 5020 4852 Beppmmoi.exe 100 PID 4852 wrote to memory of 5020 4852 Beppmmoi.exe 100 PID 5020 wrote to memory of 1332 5020 Clihig32.exe 101 PID 5020 wrote to memory of 1332 5020 Clihig32.exe 101 PID 5020 wrote to memory of 1332 5020 Clihig32.exe 101 PID 1332 wrote to memory of 3928 1332 Ceblbm32.exe 102 PID 1332 wrote to memory of 3928 1332 Ceblbm32.exe 102 PID 1332 wrote to memory of 3928 1332 Ceblbm32.exe 102 PID 3928 wrote to memory of 2804 3928 Cpgqpe32.exe 103 PID 3928 wrote to memory of 2804 3928 Cpgqpe32.exe 103 PID 3928 wrote to memory of 2804 3928 Cpgqpe32.exe 103 PID 2804 wrote to memory of 4572 2804 Caimgncj.exe 104 PID 2804 wrote to memory of 4572 2804 Caimgncj.exe 104 PID 2804 wrote to memory of 4572 2804 Caimgncj.exe 104 PID 4572 wrote to memory of 4736 4572 Cipehkcl.exe 105 PID 4572 wrote to memory of 4736 4572 Cipehkcl.exe 105 PID 4572 wrote to memory of 4736 4572 Cipehkcl.exe 105 PID 4736 wrote to memory of 4268 4736 Cpjmee32.exe 106 PID 4736 wrote to memory of 4268 4736 Cpjmee32.exe 106 PID 4736 wrote to memory of 4268 4736 Cpjmee32.exe 106 PID 4268 wrote to memory of 724 4268 Cefemliq.exe 107 PID 4268 wrote to memory of 724 4268 Cefemliq.exe 107 PID 4268 wrote to memory of 724 4268 Cefemliq.exe 107 PID 724 wrote to memory of 3836 724 Chebighd.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5d92936c2c848b1c02737065484b90bfa62dc00e00ce243b2c81bbe6d055168.exe"C:\Users\Admin\AppData\Local\Temp\c5d92936c2c848b1c02737065484b90bfa62dc00e00ce243b2c81bbe6d055168.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Blpechop.exeC:\Windows\system32\Blpechop.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Booaodnd.exeC:\Windows\system32\Booaodnd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\Behiln32.exeC:\Windows\system32\Behiln32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Bhgehi32.exeC:\Windows\system32\Bhgehi32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Bpnnig32.exeC:\Windows\system32\Bpnnig32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\Bbljeb32.exeC:\Windows\system32\Bbljeb32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Bifbbllg.exeC:\Windows\system32\Bifbbllg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Bpqjofcd.exeC:\Windows\system32\Bpqjofcd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Baaggo32.exeC:\Windows\system32\Baaggo32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\Biiohl32.exeC:\Windows\system32\Biiohl32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\Blgkdg32.exeC:\Windows\system32\Blgkdg32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Boegpc32.exeC:\Windows\system32\Boegpc32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\Beppmmoi.exeC:\Windows\system32\Beppmmoi.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Clihig32.exeC:\Windows\system32\Clihig32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\Ceblbm32.exeC:\Windows\system32\Ceblbm32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Cpgqpe32.exeC:\Windows\system32\Cpgqpe32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\Caimgncj.exeC:\Windows\system32\Caimgncj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Cipehkcl.exeC:\Windows\system32\Cipehkcl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Cpjmee32.exeC:\Windows\system32\Cpjmee32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\SysWOW64\Cefemliq.exeC:\Windows\system32\Cefemliq.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Chebighd.exeC:\Windows\system32\Chebighd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Windows\SysWOW64\Cpljkdig.exeC:\Windows\system32\Cpljkdig.exe23⤵
- Executes dropped EXE
PID:3836 -
C:\Windows\SysWOW64\Camfbm32.exeC:\Windows\system32\Camfbm32.exe24⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Chgoogfa.exeC:\Windows\system32\Chgoogfa.exe25⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Coagla32.exeC:\Windows\system32\Coagla32.exe26⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Dhjkdg32.exeC:\Windows\system32\Dhjkdg32.exe27⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Denlnk32.exeC:\Windows\system32\Denlnk32.exe28⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Dpcpkc32.exeC:\Windows\system32\Dpcpkc32.exe29⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe30⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe32⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe33⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Debeijoc.exeC:\Windows\system32\Debeijoc.exe34⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Djnaji32.exeC:\Windows\system32\Djnaji32.exe35⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Dhqaefng.exeC:\Windows\system32\Dhqaefng.exe36⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe37⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe38⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe39⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe40⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe44⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe45⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe46⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe47⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3320 -
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe49⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe50⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe51⤵
- Executes dropped EXE
PID:3228 -
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe53⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe54⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Fqkocpod.exeC:\Windows\system32\Fqkocpod.exe56⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe57⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Fmapha32.exeC:\Windows\system32\Fmapha32.exe58⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe59⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Fjepaecb.exeC:\Windows\system32\Fjepaecb.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4108 -
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1280 -
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe63⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe64⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Fmficqpc.exeC:\Windows\system32\Fmficqpc.exe65⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe66⤵PID:1480
-
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe67⤵PID:4796
-
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe68⤵PID:4592
-
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe69⤵PID:1428
-
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe70⤵PID:1644
-
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe71⤵PID:4540
-
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5056 -
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe73⤵
- Drops file in System32 directory
PID:4792 -
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe74⤵PID:3984
-
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe75⤵PID:3216
-
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:768 -
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe77⤵PID:848
-
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe78⤵PID:876
-
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe79⤵PID:392
-
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3736 -
C:\Windows\SysWOW64\Gifmnpnl.exeC:\Windows\system32\Gifmnpnl.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1968 -
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe82⤵PID:2468
-
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe83⤵PID:3564
-
C:\Windows\SysWOW64\Hfjmgdlf.exeC:\Windows\system32\Hfjmgdlf.exe84⤵PID:4104
-
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe85⤵PID:2852
-
C:\Windows\SysWOW64\Hapaemll.exeC:\Windows\system32\Hapaemll.exe86⤵PID:3096
-
C:\Windows\SysWOW64\Hcnnaikp.exeC:\Windows\system32\Hcnnaikp.exe87⤵
- Modifies registry class
PID:3076 -
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe88⤵
- Drops file in System32 directory
PID:4048 -
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2572 -
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe90⤵PID:4344
-
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe91⤵PID:4404
-
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe92⤵PID:4812
-
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe93⤵PID:4044
-
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe94⤵PID:4536
-
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe95⤵
- Drops file in System32 directory
PID:5104 -
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe96⤵PID:1464
-
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5100 -
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3692 -
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe99⤵PID:2308
-
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe100⤵PID:3776
-
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe101⤵
- Drops file in System32 directory
PID:468 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe102⤵PID:2596
-
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe103⤵PID:1572
-
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe104⤵
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe105⤵PID:5148
-
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe106⤵PID:5204
-
C:\Windows\SysWOW64\Ijdeiaio.exeC:\Windows\system32\Ijdeiaio.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5240 -
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe108⤵PID:5300
-
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe109⤵
- Drops file in System32 directory
PID:5336 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe110⤵PID:5384
-
C:\Windows\SysWOW64\Imdnklfp.exeC:\Windows\system32\Imdnklfp.exe111⤵PID:5424
-
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe112⤵PID:5468
-
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe113⤵PID:5512
-
C:\Windows\SysWOW64\Ijhodq32.exeC:\Windows\system32\Ijhodq32.exe114⤵PID:5556
-
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe115⤵PID:5604
-
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5644 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe117⤵PID:5684
-
C:\Windows\SysWOW64\Iinlemia.exeC:\Windows\system32\Iinlemia.exe118⤵PID:5728
-
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe119⤵PID:5768
-
C:\Windows\SysWOW64\Jdcpcf32.exeC:\Windows\system32\Jdcpcf32.exe120⤵PID:5804
-
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe121⤵PID:5852
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-