Analysis
-
max time kernel
148s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
29/04/2024, 03:29
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
e94b7ba3154acade45a382df08e047e680393f04cafe2b4eaee458e179711240.exe
Resource
win7-20240419-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
e94b7ba3154acade45a382df08e047e680393f04cafe2b4eaee458e179711240.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
e94b7ba3154acade45a382df08e047e680393f04cafe2b4eaee458e179711240.exe
-
Size
280KB
-
MD5
19c1c55d5fb7009d5e5dde32fc8efe92
-
SHA1
0c59f210fe68a4ba308c7b279501f88371090ce4
-
SHA256
e94b7ba3154acade45a382df08e047e680393f04cafe2b4eaee458e179711240
-
SHA512
ee193dd957f052a4273cc5ce0b0dfb744c0f27da282c367f9a0c1fcc5ffca1450c5a5c98dfac02719146efcb0b3f5960e739293bce45bf5647ec48c606f18174
-
SSDEEP
6144:vZq98Jdj4ai/GOORjMmRUoooooooooooooooooooooooooy/G3:Rq9kjFi//OVLCoooooooooooooooooo0
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcodno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ceodnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfbhnaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geolea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojolhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coelaaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Joifam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jiakjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lefdpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nondgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfkpdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blmdlhmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bafidiio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofelmloo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahchbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqonkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcbellac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnqphi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbfjdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjlhneio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofpfnqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogeigofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfahhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdhbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifcbodli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nolhan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahgnke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbehoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekholjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkeelohh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alegac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emkaol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfdjhndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enfenplo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djnpnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbqecg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgnab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lckdanld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefdpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abhimnma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idceea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbjochdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoepcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lefkjkmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqelenlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkijmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mggpgmof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clcflkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqopea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocnfbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pflomnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibocjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldnhad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aigaon32.exe -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral1/files/0x000a00000001211e-5.dat UPX behavioral1/files/0x00090000000134f5-25.dat UPX behavioral1/files/0x0008000000013a15-33.dat UPX behavioral1/files/0x0008000000013a85-46.dat UPX behavioral1/files/0x0006000000014525-59.dat UPX behavioral1/files/0x00060000000145d4-79.dat UPX behavioral1/files/0x0006000000014730-86.dat UPX behavioral1/files/0x000600000001475f-100.dat UPX behavioral1/files/0x0006000000014a29-114.dat UPX behavioral1/files/0x0006000000014d0f-127.dat UPX behavioral1/files/0x0006000000015077-141.dat UPX behavioral1/files/0x003a000000013362-155.dat UPX behavioral1/files/0x000600000001543a-168.dat UPX behavioral1/files/0x0006000000015a15-188.dat UPX behavioral1/files/0x0006000000015b72-196.dat UPX behavioral1/files/0x0006000000015c91-210.dat UPX behavioral1/files/0x0006000000015ca9-227.dat UPX behavioral1/files/0x0006000000015cca-234.dat UPX behavioral1/files/0x0006000000015ce1-245.dat UPX behavioral1/files/0x0006000000015cf5-254.dat UPX behavioral1/files/0x0006000000015d13-264.dat UPX behavioral1/files/0x0006000000015d28-273.dat UPX behavioral1/files/0x0006000000015d99-283.dat UPX behavioral1/files/0x0006000000015fbb-293.dat UPX behavioral1/files/0x0006000000016126-306.dat UPX behavioral1/files/0x000600000001640f-315.dat UPX behavioral1/files/0x0006000000016591-326.dat UPX behavioral1/files/0x0006000000016a3a-337.dat UPX behavioral1/files/0x0006000000016c57-348.dat UPX behavioral1/files/0x0006000000016ca1-359.dat UPX behavioral1/files/0x0006000000016cf2-373.dat UPX behavioral1/files/0x0006000000016d10-381.dat UPX behavioral1/files/0x0006000000016d21-393.dat UPX behavioral1/files/0x0006000000016d36-403.dat UPX behavioral1/files/0x0006000000016d46-416.dat UPX behavioral1/files/0x0006000000016d57-425.dat UPX behavioral1/files/0x0006000000016d73-436.dat UPX behavioral1/files/0x0006000000016d7d-449.dat UPX behavioral1/files/0x000600000001708c-458.dat UPX behavioral1/files/0x000600000001738e-470.dat UPX behavioral1/files/0x00060000000173e2-482.dat UPX behavioral1/files/0x0006000000017436-490.dat UPX behavioral1/files/0x0006000000017577-500.dat UPX behavioral1/files/0x00060000000175fd-512.dat UPX behavioral1/files/0x000d000000018689-523.dat UPX behavioral1/files/0x000500000001870e-534.dat UPX behavioral1/files/0x0005000000018749-547.dat UPX behavioral1/files/0x000600000001902f-556.dat UPX behavioral1/files/0x000500000001925a-566.dat UPX behavioral1/files/0x000500000001927b-576.dat UPX behavioral1/files/0x000500000001937a-587.dat UPX behavioral1/files/0x00050000000193b6-598.dat UPX behavioral1/files/0x00050000000193d4-612.dat UPX behavioral1/files/0x00050000000193fd-623.dat UPX behavioral1/files/0x000500000001943a-628.dat UPX behavioral1/files/0x0005000000019539-646.dat UPX behavioral1/files/0x0005000000019618-660.dat UPX behavioral1/files/0x000500000001961d-667.dat UPX behavioral1/files/0x0005000000019621-678.dat UPX behavioral1/files/0x0005000000019625-688.dat UPX behavioral1/files/0x0005000000019629-701.dat UPX behavioral1/files/0x000500000001962d-710.dat UPX behavioral1/files/0x0005000000019631-723.dat UPX behavioral1/files/0x0005000000019634-732.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 1736 Hqbgfd32.exe 2252 Hbbcpg32.exe 2820 Hjmhdi32.exe 2828 Igainn32.exe 1120 Ichico32.exe 2544 Impnldeo.exe 2588 Iigoqe32.exe 2900 Ibocjk32.exe 2432 Infdolgh.exe 1660 Jgnhga32.exe 1620 Jebiaelb.exe 2748 Jklanp32.exe 2112 Jjanolhg.exe 2040 Jegble32.exe 696 Jghknp32.exe 1644 Jmdcfg32.exe 1112 Kikdkh32.exe 444 Kpemgbqf.exe 2284 Kinaqg32.exe 1556 Kmimafop.exe 2184 Knjiin32.exe 1832 Kedaeh32.exe 2308 Kbhbom32.exe 2260 Kibjkgca.exe 2428 Koocdnai.exe 2624 Kanopipl.exe 1576 Lhggmchi.exe 2404 Lmdpejfq.exe 2784 Ldnhad32.exe 1224 Lodlom32.exe 2716 Lgoacojo.exe 2816 Lmiipi32.exe 2660 Lkmjin32.exe 3056 Llnfaffc.exe 2860 Lefkjkmc.exe 1976 Lmnbkinf.exe 2348 Midcpj32.exe 1684 Moalhq32.exe 1584 Migpeiag.exe 2068 Mcodno32.exe 1724 Mhlmgf32.exe 2240 Mlgigdoh.exe 288 Mnieom32.exe 1748 Mhnjle32.exe 1364 Mkmfhacp.exe 1240 Magnek32.exe 984 Mdejaf32.exe 868 Mkobnqan.exe 1788 Nnnojlpa.exe 2620 Nplkfgoe.exe 888 Ncjgbcoi.exe 1800 Njdpomfe.exe 2648 Nlblkhei.exe 2792 Ndjdlffl.exe 1964 Ncmdhb32.exe 2652 Nfkpdn32.exe 2580 Nnbhek32.exe 2484 Nqqdag32.exe 2744 Ncoamb32.exe 2868 Nfmmin32.exe 1908 Nqcagfim.exe 2732 Nbdnoo32.exe 2104 Nmjblg32.exe 2500 Nohnhc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2220 e94b7ba3154acade45a382df08e047e680393f04cafe2b4eaee458e179711240.exe 2220 e94b7ba3154acade45a382df08e047e680393f04cafe2b4eaee458e179711240.exe 1736 Hqbgfd32.exe 1736 Hqbgfd32.exe 2252 Hbbcpg32.exe 2252 Hbbcpg32.exe 2820 Hjmhdi32.exe 2820 Hjmhdi32.exe 2828 Igainn32.exe 2828 Igainn32.exe 1120 Ichico32.exe 1120 Ichico32.exe 2544 Impnldeo.exe 2544 Impnldeo.exe 2588 Iigoqe32.exe 2588 Iigoqe32.exe 2900 Ibocjk32.exe 2900 Ibocjk32.exe 2432 Infdolgh.exe 2432 Infdolgh.exe 1660 Jgnhga32.exe 1660 Jgnhga32.exe 1620 Jebiaelb.exe 1620 Jebiaelb.exe 2748 Jklanp32.exe 2748 Jklanp32.exe 2112 Jjanolhg.exe 2112 Jjanolhg.exe 2040 Jegble32.exe 2040 Jegble32.exe 696 Jghknp32.exe 696 Jghknp32.exe 1644 Jmdcfg32.exe 1644 Jmdcfg32.exe 1112 Kikdkh32.exe 1112 Kikdkh32.exe 444 Kpemgbqf.exe 444 Kpemgbqf.exe 2284 Kinaqg32.exe 2284 Kinaqg32.exe 1556 Kmimafop.exe 1556 Kmimafop.exe 2184 Knjiin32.exe 2184 Knjiin32.exe 1832 Kedaeh32.exe 1832 Kedaeh32.exe 2308 Kbhbom32.exe 2308 Kbhbom32.exe 2260 Kibjkgca.exe 2260 Kibjkgca.exe 2428 Koocdnai.exe 2428 Koocdnai.exe 2624 Kanopipl.exe 2624 Kanopipl.exe 1576 Lhggmchi.exe 1576 Lhggmchi.exe 2404 Lmdpejfq.exe 2404 Lmdpejfq.exe 2784 Ldnhad32.exe 2784 Ldnhad32.exe 1224 Lodlom32.exe 1224 Lodlom32.exe 2716 Lgoacojo.exe 2716 Lgoacojo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Daabdkdl.dll Koocdnai.exe File created C:\Windows\SysWOW64\Jbfpbmji.dll Aoffmd32.exe File created C:\Windows\SysWOW64\Hpapln32.exe Hhjhkq32.exe File created C:\Windows\SysWOW64\Jbjochdi.exe Jokcgmee.exe File created C:\Windows\SysWOW64\Biamilfj.exe Bbhela32.exe File opened for modification C:\Windows\SysWOW64\Dhnmij32.exe Dglpbbbg.exe File opened for modification C:\Windows\SysWOW64\Cckace32.exe Copfbfjj.exe File created C:\Windows\SysWOW64\Ipjchc32.dll Fphafl32.exe File created C:\Windows\SysWOW64\Gonahjjd.dll Nejiih32.exe File opened for modification C:\Windows\SysWOW64\Pmdjdh32.exe Pjenhm32.exe File opened for modification C:\Windows\SysWOW64\Qpecfc32.exe Pflomnkb.exe File opened for modification C:\Windows\SysWOW64\Dfmdho32.exe Cdlgpgef.exe File opened for modification C:\Windows\SysWOW64\Kcfkfo32.exe Kahojc32.exe File opened for modification C:\Windows\SysWOW64\Lckdanld.exe Kmaled32.exe File opened for modification C:\Windows\SysWOW64\Kmimafop.exe Kinaqg32.exe File opened for modification C:\Windows\SysWOW64\Eiaiqn32.exe Eajaoq32.exe File opened for modification C:\Windows\SysWOW64\Fphafl32.exe Fioija32.exe File opened for modification C:\Windows\SysWOW64\Hahjpbad.exe Hiqbndpb.exe File created C:\Windows\SysWOW64\Jbgbni32.exe Joifam32.exe File created C:\Windows\SysWOW64\Gffoia32.dll Jehkodcm.exe File created C:\Windows\SysWOW64\Pnomcl32.exe Pkpagq32.exe File opened for modification C:\Windows\SysWOW64\Bghjhp32.exe Bpnbkeld.exe File opened for modification C:\Windows\SysWOW64\Nlblkhei.exe Njdpomfe.exe File created C:\Windows\SysWOW64\Bghabf32.exe Balijo32.exe File opened for modification C:\Windows\SysWOW64\Eihfjo32.exe Dcknbh32.exe File created C:\Windows\SysWOW64\Jjhhpp32.dll Cddaphkn.exe File created C:\Windows\SysWOW64\Mledlaqd.dll Dolnad32.exe File created C:\Windows\SysWOW64\Oekngadg.dll Jebiaelb.exe File opened for modification C:\Windows\SysWOW64\Eeqdep32.exe Ebbgid32.exe File created C:\Windows\SysWOW64\Pabakh32.dll Gbnccfpb.exe File created C:\Windows\SysWOW64\Gdamqndn.exe Geolea32.exe File created C:\Windows\SysWOW64\Egllae32.exe Ecqqpgli.exe File created C:\Windows\SysWOW64\Necggg32.dll Igainn32.exe File created C:\Windows\SysWOW64\Eggbcg32.dll Okfencna.exe File created C:\Windows\SysWOW64\Ffkcbgek.exe Fejgko32.exe File created C:\Windows\SysWOW64\Hjlobf32.dll Ncmdhb32.exe File opened for modification C:\Windows\SysWOW64\Nfmmin32.exe Ncoamb32.exe File created C:\Windows\SysWOW64\Qdcbfq32.dll Fmcoja32.exe File opened for modification C:\Windows\SysWOW64\Fhkpmjln.exe Fpdhklkl.exe File created C:\Windows\SysWOW64\Mdpjlajk.exe Mmfbogcn.exe File opened for modification C:\Windows\SysWOW64\Alegac32.exe Aekodi32.exe File created C:\Windows\SysWOW64\Ikeelnol.dll Ojieip32.exe File created C:\Windows\SysWOW64\Ahaloofd.dll Omgaek32.exe File created C:\Windows\SysWOW64\Efjcibje.dll Enkece32.exe File opened for modification C:\Windows\SysWOW64\Fpdhklkl.exe Faagpp32.exe File created C:\Windows\SysWOW64\Jmgogg32.dll Mdkqqa32.exe File created C:\Windows\SysWOW64\Kckmmp32.dll Aehboi32.exe File created C:\Windows\SysWOW64\Mbiiek32.dll Cdlnkmha.exe File created C:\Windows\SysWOW64\Bibckiab.dll Eajaoq32.exe File opened for modification C:\Windows\SysWOW64\Geolea32.exe Gmgdddmq.exe File created C:\Windows\SysWOW64\Ojolhk32.exe Nceclqan.exe File created C:\Windows\SysWOW64\Pklhlael.exe Pimkpfeh.exe File created C:\Windows\SysWOW64\Alpmfdcb.exe Ahdaee32.exe File created C:\Windows\SysWOW64\Ccedfd32.dll Nplkfgoe.exe File created C:\Windows\SysWOW64\Dcknbh32.exe Dmafennb.exe File created C:\Windows\SysWOW64\Ekholjqg.exe Ejgcdb32.exe File created C:\Windows\SysWOW64\Qmicohqm.exe Qimhoi32.exe File opened for modification C:\Windows\SysWOW64\Dfamcogo.exe Dbfabp32.exe File opened for modification C:\Windows\SysWOW64\Bdlblj32.exe Bpafkknm.exe File created C:\Windows\SysWOW64\Bkfjhd32.exe Bdlblj32.exe File created C:\Windows\SysWOW64\Djnpnc32.exe Dgodbh32.exe File opened for modification C:\Windows\SysWOW64\Kkijmm32.exe Kcbakpdo.exe File created C:\Windows\SysWOW64\Jbkpmm32.dll Mpigfa32.exe File created C:\Windows\SysWOW64\Jonpde32.dll Pkpagq32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6040 6016 WerFault.exe 497 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdcbnc32.dll" Ogmfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cckace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll" Gbnccfpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgjcijfp.dll" Cahail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebodiofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklmionp.dll" Ibocjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbifehk.dll" Bokphdld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpmlkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohhkga32.dll" Pqkmjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obkdonic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhbbiki.dll" Alenki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clcflkic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Globlmmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lijjoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onbddoog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbdocc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nolhan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lefdpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkeelohh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgefik32.dll" Ofhick32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jegble32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afkbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippdhfji.dll" Ajejgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhbfdjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfhlh32.dll" Cgejac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhnmij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cngcjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccfhhffh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idceea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afohaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhhaddp.dll" Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhofcjea.dll" Dhdcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqqdag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibgai32.dll" Aenbdoii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkpmm32.dll" Mpigfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pflomnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfjpdigc.dll" Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbfpg32.dll" Pklhlael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdbhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necggg32.dll" Igainn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jghknp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbndm32.dll" Dbpodagk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Facdeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnlilc32.dll" Lbqabkql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eloemi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmfbogcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Naoniipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khjjpi32.dll" Bocolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjcibje.dll" Enkece32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mamddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajejgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfdjhndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oikojfgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chbjffad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmiobd32.dll" Impnldeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nqcagfim.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2220 wrote to memory of 1736 2220 e94b7ba3154acade45a382df08e047e680393f04cafe2b4eaee458e179711240.exe 28 PID 2220 wrote to memory of 1736 2220 e94b7ba3154acade45a382df08e047e680393f04cafe2b4eaee458e179711240.exe 28 PID 2220 wrote to memory of 1736 2220 e94b7ba3154acade45a382df08e047e680393f04cafe2b4eaee458e179711240.exe 28 PID 2220 wrote to memory of 1736 2220 e94b7ba3154acade45a382df08e047e680393f04cafe2b4eaee458e179711240.exe 28 PID 1736 wrote to memory of 2252 1736 Hqbgfd32.exe 29 PID 1736 wrote to memory of 2252 1736 Hqbgfd32.exe 29 PID 1736 wrote to memory of 2252 1736 Hqbgfd32.exe 29 PID 1736 wrote to memory of 2252 1736 Hqbgfd32.exe 29 PID 2252 wrote to memory of 2820 2252 Hbbcpg32.exe 30 PID 2252 wrote to memory of 2820 2252 Hbbcpg32.exe 30 PID 2252 wrote to memory of 2820 2252 Hbbcpg32.exe 30 PID 2252 wrote to memory of 2820 2252 Hbbcpg32.exe 30 PID 2820 wrote to memory of 2828 2820 Hjmhdi32.exe 31 PID 2820 wrote to memory of 2828 2820 Hjmhdi32.exe 31 PID 2820 wrote to memory of 2828 2820 Hjmhdi32.exe 31 PID 2820 wrote to memory of 2828 2820 Hjmhdi32.exe 31 PID 2828 wrote to memory of 1120 2828 Igainn32.exe 32 PID 2828 wrote to memory of 1120 2828 Igainn32.exe 32 PID 2828 wrote to memory of 1120 2828 Igainn32.exe 32 PID 2828 wrote to memory of 1120 2828 Igainn32.exe 32 PID 1120 wrote to memory of 2544 1120 Ichico32.exe 33 PID 1120 wrote to memory of 2544 1120 Ichico32.exe 33 PID 1120 wrote to memory of 2544 1120 Ichico32.exe 33 PID 1120 wrote to memory of 2544 1120 Ichico32.exe 33 PID 2544 wrote to memory of 2588 2544 Impnldeo.exe 34 PID 2544 wrote to memory of 2588 2544 Impnldeo.exe 34 PID 2544 wrote to memory of 2588 2544 Impnldeo.exe 34 PID 2544 wrote to memory of 2588 2544 Impnldeo.exe 34 PID 2588 wrote to memory of 2900 2588 Iigoqe32.exe 35 PID 2588 wrote to memory of 2900 2588 Iigoqe32.exe 35 PID 2588 wrote to memory of 2900 2588 Iigoqe32.exe 35 PID 2588 wrote to memory of 2900 2588 Iigoqe32.exe 35 PID 2900 wrote to memory of 2432 2900 Ibocjk32.exe 36 PID 2900 wrote to memory of 2432 2900 Ibocjk32.exe 36 PID 2900 wrote to memory of 2432 2900 Ibocjk32.exe 36 PID 2900 wrote to memory of 2432 2900 Ibocjk32.exe 36 PID 2432 wrote to memory of 1660 2432 Infdolgh.exe 37 PID 2432 wrote to memory of 1660 2432 Infdolgh.exe 37 PID 2432 wrote to memory of 1660 2432 Infdolgh.exe 37 PID 2432 wrote to memory of 1660 2432 Infdolgh.exe 37 PID 1660 wrote to memory of 1620 1660 Jgnhga32.exe 38 PID 1660 wrote to memory of 1620 1660 Jgnhga32.exe 38 PID 1660 wrote to memory of 1620 1660 Jgnhga32.exe 38 PID 1660 wrote to memory of 1620 1660 Jgnhga32.exe 38 PID 1620 wrote to memory of 2748 1620 Jebiaelb.exe 39 PID 1620 wrote to memory of 2748 1620 Jebiaelb.exe 39 PID 1620 wrote to memory of 2748 1620 Jebiaelb.exe 39 PID 1620 wrote to memory of 2748 1620 Jebiaelb.exe 39 PID 2748 wrote to memory of 2112 2748 Jklanp32.exe 40 PID 2748 wrote to memory of 2112 2748 Jklanp32.exe 40 PID 2748 wrote to memory of 2112 2748 Jklanp32.exe 40 PID 2748 wrote to memory of 2112 2748 Jklanp32.exe 40 PID 2112 wrote to memory of 2040 2112 Jjanolhg.exe 41 PID 2112 wrote to memory of 2040 2112 Jjanolhg.exe 41 PID 2112 wrote to memory of 2040 2112 Jjanolhg.exe 41 PID 2112 wrote to memory of 2040 2112 Jjanolhg.exe 41 PID 2040 wrote to memory of 696 2040 Jegble32.exe 42 PID 2040 wrote to memory of 696 2040 Jegble32.exe 42 PID 2040 wrote to memory of 696 2040 Jegble32.exe 42 PID 2040 wrote to memory of 696 2040 Jegble32.exe 42 PID 696 wrote to memory of 1644 696 Jghknp32.exe 43 PID 696 wrote to memory of 1644 696 Jghknp32.exe 43 PID 696 wrote to memory of 1644 696 Jghknp32.exe 43 PID 696 wrote to memory of 1644 696 Jghknp32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\e94b7ba3154acade45a382df08e047e680393f04cafe2b4eaee458e179711240.exe"C:\Users\Admin\AppData\Local\Temp\e94b7ba3154acade45a382df08e047e680393f04cafe2b4eaee458e179711240.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Hqbgfd32.exeC:\Windows\system32\Hqbgfd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Hbbcpg32.exeC:\Windows\system32\Hbbcpg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Hjmhdi32.exeC:\Windows\system32\Hjmhdi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Igainn32.exeC:\Windows\system32\Igainn32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Ichico32.exeC:\Windows\system32\Ichico32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Impnldeo.exeC:\Windows\system32\Impnldeo.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Iigoqe32.exeC:\Windows\system32\Iigoqe32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Ibocjk32.exeC:\Windows\system32\Ibocjk32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Infdolgh.exeC:\Windows\system32\Infdolgh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Jebiaelb.exeC:\Windows\system32\Jebiaelb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Jklanp32.exeC:\Windows\system32\Jklanp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Jjanolhg.exeC:\Windows\system32\Jjanolhg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Jegble32.exeC:\Windows\system32\Jegble32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Jghknp32.exeC:\Windows\system32\Jghknp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1112 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:444 -
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1832 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2260 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1224 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe33⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe34⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe35⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe37⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe38⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe39⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe40⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe42⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe43⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe44⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe45⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe46⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe47⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe48⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe49⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe50⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe52⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe54⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe55⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe58⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe61⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe63⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe64⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe65⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe66⤵PID:844
-
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:812 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe68⤵PID:1056
-
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe69⤵PID:1860
-
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe70⤵PID:2464
-
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe71⤵PID:1764
-
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe72⤵PID:1512
-
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe73⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe74⤵PID:2776
-
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe75⤵PID:2628
-
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe76⤵
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe77⤵PID:308
-
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe78⤵
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe79⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe80⤵
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe81⤵
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:332 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe83⤵PID:1840
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe84⤵PID:2164
-
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe85⤵PID:1564
-
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe86⤵PID:908
-
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe87⤵PID:2736
-
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe88⤵PID:2168
-
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe89⤵PID:2944
-
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe90⤵PID:2688
-
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe91⤵PID:2808
-
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe92⤵PID:2676
-
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe93⤵PID:2584
-
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe94⤵PID:2892
-
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe95⤵PID:2636
-
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe96⤵PID:1156
-
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe97⤵PID:2092
-
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe98⤵PID:2056
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe99⤵PID:1484
-
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe100⤵PID:832
-
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe101⤵PID:1992
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe102⤵PID:948
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe103⤵PID:2996
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe104⤵PID:2356
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe105⤵PID:2392
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe106⤵PID:2644
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe107⤵PID:2852
-
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe108⤵PID:2952
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe109⤵PID:1236
-
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe110⤵PID:1876
-
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe111⤵PID:2016
-
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2876 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe113⤵PID:2136
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe114⤵PID:1988
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe115⤵PID:604
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2012 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe117⤵
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe118⤵
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe119⤵
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe120⤵
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe121⤵PID:2848
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-