Analysis

max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/04/2024, 18:05

Static task: static1

Behavioral task: behavioral1
Sample: 009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe
Resource: win10v2004-20240412-en

General

Target: 009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe
Size: 256KB
MD5: d156b0bdd1558f6983d432ac7e6388b4
SHA1: 374b12e9b11bde51cd1ae533b394cfdeba844ccd
SHA256: 009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e
SHA512: c0572d59caf2245846f5f83b22652592adbda9efd52071eebec6c8fdb5cf71cb9255cba97e6cb60f8c778c515934c3b012053121573563863ac49b7c17346339
SSDEEP: 3072:20SzxfkcOGviI2VceK3KcWmjRrzqzWspSnocyA5qKcWmjRrzeceKSAxpce7fuFfl:2rMcOGvi3HVpaopOpHVILifyeYVDcfR
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
UPX dump on OEP (original entry point) 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 6180, pid_target: 7140, Process: Process not Found, procid_target: 1139
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Process tree (each process is the child of the one listed before it; the number is its depth in the tree):

1. C:\Users\Admin\AppData\Local\Temp\009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe (PID 4948), launched as "C:\Users\Admin\AppData\Local\Temp\009ae39a4742564b12f3f844c54c9bf5b9dd09ef54ca5f0646e3def154cefe8e.exe"
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Eepjpb32.exe (PID 2156), launched as C:\Windows\system32\Eepjpb32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Fafkecel.exe (PID 2536), launched as C:\Windows\system32\Fafkecel.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Fllpbldb.exe (PID 4972), launched as C:\Windows\system32\Fllpbldb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ffddka32.exe (PID 4452), launched as C:\Windows\system32\Ffddka32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Fchddejl.exe (PID 3092), launched as C:\Windows\system32\Fchddejl.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Ffimfqgm.exe (PID 2028), launched as C:\Windows\system32\Ffimfqgm.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Foabofnn.exe (PID 3876), launched as C:\Windows\system32\Foabofnn.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Gododflk.exe (PID 5052), launched as C:\Windows\system32\Gododflk.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Ghlcnk32.exe (PID 4856), launched as C:\Windows\system32\Ghlcnk32.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Gdeqhl32.exe (PID 4480), launched as C:\Windows\system32\Gdeqhl32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Gcfqfc32.exe (PID 4692), launched as C:\Windows\system32\Gcfqfc32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Gblngpbd.exe (PID 2716), launched as C:\Windows\system32\Gblngpbd.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Hflcbngh.exe (PID 2544), launched as C:\Windows\system32\Hflcbngh.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Hkikkeeo.exe (PID 4472), launched as C:\Windows\system32\Hkikkeeo.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Hmhhehlb.exe (PID 1092), launched as C:\Windows\system32\Hmhhehlb.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Hfqlnm32.exe (PID 2296), launched as C:\Windows\system32\Hfqlnm32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Hcdmga32.exe (PID 724), launched as C:\Windows\system32\Hcdmga32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Iefioj32.exe (PID 4280), launched as C:\Windows\system32\Iefioj32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Ipknlb32.exe (PID 2376), launched as C:\Windows\system32\Ipknlb32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Ipnjab32.exe (PID 2248), launched as C:\Windows\system32\Ipnjab32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Ippggbck.exe (PID 1644), launched as C:\Windows\system32\Ippggbck.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Iikhfg32.exe (PID 2916), launched as C:\Windows\system32\Iikhfg32.exe
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Jfoiokfb.exe (PID 3348), launched as C:\Windows\system32\Jfoiokfb.exe
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Jpgmha32.exe (PID 2672), launched as C:\Windows\system32\Jpgmha32.exe
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Jmknaell.exe (PID 4272), launched as C:\Windows\system32\Jmknaell.exe
   - Executes dropped EXE
27. C:\Windows\SysWOW64\Jlpkba32.exe (PID 1040), launched as C:\Windows\system32\Jlpkba32.exe
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Jidklf32.exe (PID 4348), launched as C:\Windows\system32\Jidklf32.exe
   - Executes dropped EXE
29. C:\Windows\SysWOW64\Jblpek32.exe (PID 3120), launched as C:\Windows\system32\Jblpek32.exe
   - Executes dropped EXE
30. C:\Windows\SysWOW64\Kiidgeki.exe (PID 3172), launched as C:\Windows\system32\Kiidgeki.exe
   - Executes dropped EXE
31. C:\Windows\SysWOW64\Klljnp32.exe (PID 4076), launched as C:\Windows\system32\Klljnp32.exe
   - Executes dropped EXE
32. C:\Windows\SysWOW64\Kedoge32.exe (PID 3676), launched as C:\Windows\system32\Kedoge32.exe
   - Executes dropped EXE
33. C:\Windows\SysWOW64\Klngdpdd.exe (PID 2984), launched as C:\Windows\system32\Klngdpdd.exe
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Kbhoqj32.exe (PID 2912), launched as C:\Windows\system32\Kbhoqj32.exe
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Ldjhpl32.exe (PID 1648), launched as C:\Windows\system32\Ldjhpl32.exe
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Lekehdgp.exe (PID 2764), launched as C:\Windows\system32\Lekehdgp.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Ldleel32.exe (PID 4936), launched as C:\Windows\system32\Ldleel32.exe
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Lenamdem.exe (PID 3248), launched as C:\Windows\system32\Lenamdem.exe
   - Executes dropped EXE
   - Modifies registry class
39. C:\Windows\SysWOW64\Lbabgh32.exe (PID 4552), launched as C:\Windows\system32\Lbabgh32.exe
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Likjcbkc.exe (PID 2820), launched as C:\Windows\system32\Likjcbkc.exe
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Ldanqkki.exe (PID 1428), launched as C:\Windows\system32\Ldanqkki.exe
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Lmiciaaj.exe (PID 3448), launched as C:\Windows\system32\Lmiciaaj.exe
   - Executes dropped EXE
   - Drops file in System32 directory
43. C:\Windows\SysWOW64\Lphoelqn.exe (PID 3068), launched as C:\Windows\system32\Lphoelqn.exe
   - Executes dropped EXE
   - Modifies registry class
44. C:\Windows\SysWOW64\Mipcob32.exe (PID 1824), launched as C:\Windows\system32\Mipcob32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
45. C:\Windows\SysWOW64\Megdccmb.exe (PID 2896), launched as C:\Windows\system32\Megdccmb.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Mplhql32.exe (PID 1600), launched as C:\Windows\system32\Mplhql32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Mgfqmfde.exe (PID 3860), launched as C:\Windows\system32\Mgfqmfde.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Miemjaci.exe (PID 5116), launched as C:\Windows\system32\Miemjaci.exe
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Mdjagjco.exe (PID 2196), launched as C:\Windows\system32\Mdjagjco.exe
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Mmbfpp32.exe (PID 780), launched as C:\Windows\system32\Mmbfpp32.exe
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Miifeq32.exe (PID 1044), launched as C:\Windows\system32\Miifeq32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
52. C:\Windows\SysWOW64\Ncbknfed.exe (PID 4336), launched as C:\Windows\system32\Ncbknfed.exe
   - Executes dropped EXE
   - Drops file in System32 directory
53. C:\Windows\SysWOW64\Nljofl32.exe (PID 1716), launched as C:\Windows\system32\Nljofl32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Nebdoa32.exe (PID 1832), launched as C:\Windows\system32\Nebdoa32.exe
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Ndcdmikd.exe (PID 1536), launched as C:\Windows\system32\Ndcdmikd.exe
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Ndfqbhia.exe (PID 632), launched as C:\Windows\system32\Ndfqbhia.exe
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Nggjdc32.exe (PID 4048), launched as C:\Windows\system32\Nggjdc32.exe
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Oponmilc.exe (PID 1520), launched as C:\Windows\system32\Oponmilc.exe
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Opakbi32.exe (PID 1196), launched as C:\Windows\system32\Opakbi32.exe
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Ogkcpbam.exe (PID 2320), launched as C:\Windows\system32\Ogkcpbam.exe
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Opdghh32.exe (PID 1580), launched as C:\Windows\system32\Opdghh32.exe
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Oqhacgdh.exe (PID 3704), launched as C:\Windows\system32\Oqhacgdh.exe
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Pfjcgn32.exe (PID 4684), launched as C:\Windows\system32\Pfjcgn32.exe
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Pmdkch32.exe (PID 4508), launched as C:\Windows\system32\Pmdkch32.exe
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Pqbdjfln.exe (PID 1588), launched as C:\Windows\system32\Pqbdjfln.exe
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Pjjhbl32.exe (PID 2528), launched as C:\Windows\system32\Pjjhbl32.exe
67. C:\Windows\SysWOW64\Qnhahj32.exe (PID 4036), launched as C:\Windows\system32\Qnhahj32.exe
68. C:\Windows\SysWOW64\Qjoankoi.exe (PID 3832), launched as C:\Windows\system32\Qjoankoi.exe
69. C:\Windows\SysWOW64\Anmjcieo.exe (PID 1796), launched as C:\Windows\system32\Anmjcieo.exe
70. C:\Windows\SysWOW64\Acjclpcf.exe (PID 2432), launched as C:\Windows\system32\Acjclpcf.exe
71. C:\Windows\SysWOW64\Anogiicl.exe (PID 1444), launched as C:\Windows\system32\Anogiicl.exe
72. C:\Windows\SysWOW64\Aclpap32.exe (PID 4488), launched as C:\Windows\system32\Aclpap32.exe
73. C:\Windows\SysWOW64\Aeklkchg.exe (PID 4420), launched as C:\Windows\system32\Aeklkchg.exe
74. C:\Windows\SysWOW64\Ajhddjfn.exe (PID 1420), launched as C:\Windows\system32\Ajhddjfn.exe
75. C:\Windows\SysWOW64\Anfmjhmd.exe (PID 4752), launched as C:\Windows\system32\Anfmjhmd.exe
   - Modifies registry class
76. C:\Windows\SysWOW64\Bfabnjjp.exe (PID 2884), launched as C:\Windows\system32\Bfabnjjp.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
77. C:\Windows\SysWOW64\Bchomn32.exe (PID 680), launched as C:\Windows\system32\Bchomn32.exe
78. C:\Windows\SysWOW64\Beihma32.exe (PID 1476), launched as C:\Windows\system32\Beihma32.exe
79. C:\Windows\SysWOW64\Belebq32.exe (PID 4324), launched as C:\Windows\system32\Belebq32.exe
80. C:\Windows\SysWOW64\Cenahpha.exe (PID 1544), launched as C:\Windows\system32\Cenahpha.exe
81. C:\Windows\SysWOW64\Cmiflbel.exe (PID 4540), launched as C:\Windows\system32\Cmiflbel.exe
82. C:\Windows\SysWOW64\Ceckcp32.exe (PID 436), launched as C:\Windows\system32\Ceckcp32.exe
83. C:\Windows\SysWOW64\Cajlhqjp.exe (PID 3592), launched as C:\Windows\system32\Cajlhqjp.exe
84. C:\Windows\SysWOW64\Cjbpaf32.exe (PID 4664), launched as C:\Windows\system32\Cjbpaf32.exe
85. C:\Windows\SysWOW64\Dhkjej32.exe (PID 800), launched as C:\Windows\system32\Dhkjej32.exe
86. C:\Windows\SysWOW64\Daconoae.exe (PID 2620), launched as C:\Windows\system32\Daconoae.exe
87. C:\Windows\SysWOW64\Ddakjkqi.exe (PID 1864), launched as C:\Windows\system32\Ddakjkqi.exe
88. C:\Windows\SysWOW64\Dogogcpo.exe (PID 4492), launched as C:\Windows\system32\Dogogcpo.exe
89. C:\Windows\SysWOW64\Deagdn32.exe (PID 2556), launched as C:\Windows\system32\Deagdn32.exe
90. C:\Windows\SysWOW64\Dahhio32.exe (PID 2368), launched as C:\Windows\system32\Dahhio32.exe
91. C:\Windows\SysWOW64\Ekpmbddq.exe (PID 5084), launched as C:\Windows\system32\Ekpmbddq.exe
92. C:\Windows\SysWOW64\Edhakj32.exe (PID 3904), launched as C:\Windows\system32\Edhakj32.exe
93. C:\Windows\SysWOW64\Eonehbjg.exe (PID 2252), launched as C:\Windows\system32\Eonehbjg.exe
94. C:\Windows\SysWOW64\Edknqiho.exe (PID 5140), launched as C:\Windows\system32\Edknqiho.exe
95. C:\Windows\SysWOW64\Edmjfifl.exe (PID 5184), launched as C:\Windows\system32\Edmjfifl.exe
96. C:\Windows\SysWOW64\Emeoooml.exe (PID 5224), launched as C:\Windows\system32\Emeoooml.exe
97. C:\Windows\SysWOW64\Ehkclgmb.exe (PID 5268), launched as C:\Windows\system32\Ehkclgmb.exe
98. C:\Windows\SysWOW64\Emhldnkj.exe (PID 5308), launched as C:\Windows\system32\Emhldnkj.exe
   - Drops file in System32 directory
99. C:\Windows\SysWOW64\Feocelll.exe (PID 5352), launched as C:\Windows\system32\Feocelll.exe
100. C:\Windows\SysWOW64\Fddqghpd.exe (PID 5396), launched as C:\Windows\system32\Fddqghpd.exe
101. C:\Windows\SysWOW64\Fojedapj.exe (PID 5440), launched as C:\Windows\system32\Fojedapj.exe
   - Drops file in System32 directory
102. C:\Windows\SysWOW64\Fahaplon.exe (PID 5484), launched as C:\Windows\system32\Fahaplon.exe
   - Modifies registry class
103. C:\Windows\SysWOW64\Fdfmlhna.exe (PID 5524), launched as C:\Windows\system32\Fdfmlhna.exe
104. C:\Windows\SysWOW64\Fgeihcme.exe (PID 5572), launched as C:\Windows\system32\Fgeihcme.exe
105. C:\Windows\SysWOW64\Folaiqng.exe (PID 5612), launched as C:\Windows\system32\Folaiqng.exe
106. C:\Windows\SysWOW64\Fefjfked.exe (PID 5660), launched as C:\Windows\system32\Fefjfked.exe
107. C:\Windows\SysWOW64\Fhdfbfdh.exe (PID 5708), launched as C:\Windows\system32\Fhdfbfdh.exe
   - Drops file in System32 directory
108. C:\Windows\SysWOW64\Fehfljca.exe (PID 5752), launched as C:\Windows\system32\Fehfljca.exe
109. C:\Windows\SysWOW64\Fkeodaai.exe (PID 5796), launched as C:\Windows\system32\Fkeodaai.exe
110. C:\Windows\SysWOW64\Gdppbfff.exe (PID 5848), launched as C:\Windows\system32\Gdppbfff.exe
111. C:\Windows\SysWOW64\Goedpofl.exe (PID 5888), launched as C:\Windows\system32\Goedpofl.exe
112. C:\Windows\SysWOW64\Gnhdkl32.exe (PID 5932), launched as C:\Windows\system32\Gnhdkl32.exe
113. C:\Windows\SysWOW64\Gafmaj32.exe (PID 5976), launched as C:\Windows\system32\Gafmaj32.exe
114. C:\Windows\SysWOW64\Ghpendjj.exe (PID 6016), launched as C:\Windows\system32\Ghpendjj.exe
115. C:\Windows\SysWOW64\Gkobjpin.exe (PID 6068), launched as C:\Windows\system32\Gkobjpin.exe
116. C:\Windows\SysWOW64\Gahjgj32.exe (PID 6108), launched as C:\Windows\system32\Gahjgj32.exe
117. C:\Windows\SysWOW64\Gdgfce32.exe (PID 5128), launched as C:\Windows\system32\Gdgfce32.exe
   - Drops file in System32 directory
118. C:\Windows\SysWOW64\Goljqnpd.exe (PID 5192), launched as C:\Windows\system32\Goljqnpd.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
119. C:\Windows\SysWOW64\Hffcmh32.exe (PID 5256), launched as C:\Windows\system32\Hffcmh32.exe
120. C:\Windows\SysWOW64\Hghoeqmp.exe (PID 5348), launched as C:\Windows\system32\Hghoeqmp.exe
121. C:\Windows\SysWOW64\Hoogfnnb.exe (PID 5388), launched as C:\Windows\system32\Hoogfnnb.exe
122. C:\Windows\SysWOW64\Hbmcbime.exe (PID 5464), launched as C:\Windows\system32\Hbmcbime.exe