Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
01-05-2024 00:16
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
84d6b52519439ac5a38ec137a968b6d386478feb5d158fd90eb1cc855f615108.exe
Resource
win7-20240419-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
84d6b52519439ac5a38ec137a968b6d386478feb5d158fd90eb1cc855f615108.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
84d6b52519439ac5a38ec137a968b6d386478feb5d158fd90eb1cc855f615108.exe
-
Size
243KB
-
MD5
4be7b30ca1fc83250e466b73a1cf4457
-
SHA1
6d0bd145bf235203bd435220e9d57efdd608eb4e
-
SHA256
84d6b52519439ac5a38ec137a968b6d386478feb5d158fd90eb1cc855f615108
-
SHA512
80f118f186ba192bc3bc366cc149124bb8b469c1b7a8d392a277733be887879ded0c715cc7b8d4b6f757e679ec5b6b4f6f2f61330f34a20356ce0f9d57d9b199
-
SSDEEP
3072:L4+5eD9U8kj176Kz8lHXtlU2Nhluy78nwTxyIvXQWBaolfC4VJ62Q:L4hDa8kR76KzwdlU2zlNgwTnAWtlhjQ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqdqof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpcfkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnhdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgjgne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plcdiabk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Micoed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oidhlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmcolgbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foqkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjcmebie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mldhfpib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgekbljc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acfhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfpcgpae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olfobjbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlpeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemefcap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhldnkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkglja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Majjng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diccgfpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlhbal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgcbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fagjfflb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaehljpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abemjmgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eabbjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndikf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkglja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdhbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edihepnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Locbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nknobkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njacpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Likcilhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbddfmgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfaqhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daconoae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngcje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfbibikg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocdjpmac.exe -
Detects executables built or packed with MPress PE compressor 64 IoCs
resource yara_rule behavioral2/memory/3156-5-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x000d000000023b99-7.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023ba0-16.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023ba2-24.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023ba4-31.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023ba7-39.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023ba9-47.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bab-55.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bad-63.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023baf-72.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0031000000023bb1-79.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bb3-87.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bb5-96.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bb7-104.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bb9-111.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bbb-119.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bbd-126.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000b000000023b9d-134.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bc0-142.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bc2-151.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bc4-158.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bc6-166.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bc9-174.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/3940-180-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bcb-182.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bcd-191.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bcf-198.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bd1-201.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bd3-213.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bd5-221.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bd7-229.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023bd9-237.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000b000000023bdb-245.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a000000023be4-253.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/5052-266-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/2724-272-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x0008000000023c04-273.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/4612-278-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/1468-284-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/2784-290-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/4028-296-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/540-302-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/1776-308-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/4652-314-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/1140-320-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/4848-331-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/2288-332-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x0008000000023c7b-333.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0020000000023a34-439.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/880-467-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/1224-482-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/5004-554-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/4008-580-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023cda-588.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023ce2-615.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023cec-649.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023cf8-687.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023d08-739.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023d3f-904.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023d9f-1192.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023dd5-1342.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023ddb-1358.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023ddf-1370.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023de7-1394.dat INDICATOR_EXE_Packed_MPress -
Executes dropped EXE 64 IoCs
pid Process 5004 Hmklen32.exe 1404 Hcedaheh.exe 4616 Haidklda.exe 4648 Impepm32.exe 3472 Ifhiib32.exe 4008 Iannfk32.exe 4012 Ifjfnb32.exe 3456 Idofhfmm.exe 2732 Ifmcdblq.exe 5012 Iikopmkd.exe 1668 Ipegmg32.exe 4668 Iinlemia.exe 1716 Jaedgjjd.exe 2756 Jmkdlkph.exe 2596 Jdemhe32.exe 1548 Jibeql32.exe 4160 Jbkjjblm.exe 1248 Jjbako32.exe 2492 Jmpngk32.exe 3740 Jdjfcecp.exe 2400 Jpaghf32.exe 3940 Jbocea32.exe 1464 Kmegbjgn.exe 3944 Kkihknfg.exe 1232 Kacphh32.exe 4588 Kinemkko.exe 3236 Kphmie32.exe 5040 Kgbefoji.exe 3672 Kdffocib.exe 4376 Kmnjhioc.exe 4548 Kdhbec32.exe 1416 Lalcng32.exe 2564 Lgikfn32.exe 5052 Liggbi32.exe 2724 Lpappc32.exe 4612 Lkgdml32.exe 1468 Laalifad.exe 2784 Lkiqbl32.exe 4028 Laciofpa.exe 540 Ldaeka32.exe 1776 Ljnnch32.exe 4652 Lphfpbdi.exe 1140 Lgbnmm32.exe 4848 Mjqjih32.exe 2288 Mdfofakp.exe 100 Mgekbljc.exe 4064 Majopeii.exe 3440 Mcklgm32.exe 4128 Mnapdf32.exe 4340 Mdkhapfj.exe 4988 Mcnhmm32.exe 3400 Mkepnjng.exe 4256 Maohkd32.exe 2544 Mglack32.exe 2260 Mjjmog32.exe 2264 Maaepd32.exe 2020 Mdpalp32.exe 1072 Nkjjij32.exe 3064 Nnhfee32.exe 3288 Ndbnboqb.exe 1628 Nklfoi32.exe 2696 Njogjfoj.exe 2088 Nqiogp32.exe 3208 Ngcgcjnc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fdijbg32.exe Fnobem32.exe File opened for modification C:\Windows\SysWOW64\Dmalne32.exe Dblgpl32.exe File opened for modification C:\Windows\SysWOW64\Aednci32.exe Process not Found File created C:\Windows\SysWOW64\Chpada32.exe Cddecc32.exe File created C:\Windows\SysWOW64\Hbbdholl.exe Hflcbngh.exe File created C:\Windows\SysWOW64\Idjlpc32.exe Inpccihl.exe File created C:\Windows\SysWOW64\Iocedcbl.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cogddd32.exe Process not Found File created C:\Windows\SysWOW64\Okgoadbf.dll Ceehho32.exe File opened for modification C:\Windows\SysWOW64\Kbddfmgl.exe Kjmmepfj.exe File opened for modification C:\Windows\SysWOW64\Lghcocol.exe Lejgch32.exe File opened for modification C:\Windows\SysWOW64\Ahqddk32.exe Qaflgago.exe File opened for modification C:\Windows\SysWOW64\Ebejfk32.exe Dpgnjo32.exe File created C:\Windows\SysWOW64\Chlcgfff.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ibgdlg32.exe Process not Found File created C:\Windows\SysWOW64\Omfekbdh.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gdjibj32.exe Fmpqfq32.exe File created C:\Windows\SysWOW64\Ilnpcnol.dll Kmieae32.exe File created C:\Windows\SysWOW64\Flbfjl32.dll Process not Found File created C:\Windows\SysWOW64\Modpib32.exe Process not Found File created C:\Windows\SysWOW64\Eofbch32.exe Elgfgl32.exe File created C:\Windows\SysWOW64\Jmehcnhg.dll Icifbang.exe File opened for modification C:\Windows\SysWOW64\Hhgloc32.exe Hbmcbime.exe File opened for modification C:\Windows\SysWOW64\Ojnblg32.exe Ocdjpmac.exe File opened for modification C:\Windows\SysWOW64\Bpkdjofm.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fbgbnkfm.exe Process not Found File created C:\Windows\SysWOW64\Ibegfglj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Eahobg32.exe Process not Found File created C:\Windows\SysWOW64\Dcdepb32.dll Gkdhjknm.exe File created C:\Windows\SysWOW64\Phincl32.exe Papfgbmg.exe File created C:\Windows\SysWOW64\Qfghnikc.dll Process not Found File created C:\Windows\SysWOW64\Cbbnpg32.exe Process not Found File created C:\Windows\SysWOW64\Clbcapmm.dll Ocbddc32.exe File created C:\Windows\SysWOW64\Cmfclm32.exe Cflkpblf.exe File created C:\Windows\SysWOW64\Minqeaad.dll Process not Found File created C:\Windows\SysWOW64\Ngqagcag.exe Process not Found File opened for modification C:\Windows\SysWOW64\Egegjn32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Becifhfj.exe Abemjmgg.exe File opened for modification C:\Windows\SysWOW64\Hpomcp32.exe Hnaqgd32.exe File created C:\Windows\SysWOW64\Dokmlmhl.dll Hlcjhkdp.exe File created C:\Windows\SysWOW64\Jpehef32.dll Process not Found File created C:\Windows\SysWOW64\Obhehh32.dll Process not Found File created C:\Windows\SysWOW64\Becbkfdh.dll Colffknh.exe File created C:\Windows\SysWOW64\Mlmlcjoo.dll Iqbbpm32.exe File created C:\Windows\SysWOW64\Aaopkj32.dll Bjicdmmd.exe File created C:\Windows\SysWOW64\Aqjpajgi.dll Process not Found File created C:\Windows\SysWOW64\Fdfmlhna.exe Fnmepn32.exe File created C:\Windows\SysWOW64\Aidoeq32.dll Kefdbo32.exe File created C:\Windows\SysWOW64\Iohcia32.dll Cgcmjd32.exe File created C:\Windows\SysWOW64\Hfhgkmpj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fdialn32.exe Fomhdg32.exe File created C:\Windows\SysWOW64\Lihpif32.exe Lnbklm32.exe File created C:\Windows\SysWOW64\Fmpbqoqg.dll Cjnffjkl.exe File created C:\Windows\SysWOW64\Ekiidlll.dll Laalifad.exe File opened for modification C:\Windows\SysWOW64\Fojlngce.exe Fllpbldb.exe File created C:\Windows\SysWOW64\Nocedmfn.dll Lbgalmej.exe File opened for modification C:\Windows\SysWOW64\Mjneln32.exe Mhoipb32.exe File opened for modification C:\Windows\SysWOW64\Oeoblb32.exe Olgncmim.exe File created C:\Windows\SysWOW64\Fffhifdk.exe Fdglmkeg.exe File created C:\Windows\SysWOW64\Boeebnhp.exe Process not Found File created C:\Windows\SysWOW64\Likjcbkc.exe Lpcfkm32.exe File opened for modification C:\Windows\SysWOW64\Aggegh32.exe Aqmlknnd.exe File opened for modification C:\Windows\SysWOW64\Bihjfnmm.exe Bfjnjcni.exe File opened for modification C:\Windows\SysWOW64\Lcmodajm.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 6444 15740 Process not Found 1844 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdlhkad.dll" Eejjjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afeknhab.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkkdmeko.dll" Fhcpgmjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iejpiq32.dll" Aflaie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnoeha32.dll" Hhdhon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll" Hcedaheh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnkmnide.dll" Podmkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dikihe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibjhgbi.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll" Mglack32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flioncbc.dll" Doeiljfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmipecpd.dll" Fllpbldb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngdmod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llbidimc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnlgleef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khlaie32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcllpfj.dll" Jkkjmlan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdkpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gengje32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaqdegaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmflgn32.dll" Fielph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fielph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niooqcad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajneip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnambi32.dll" Dafbne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pokhgc32.dll" Hglipp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbbpbop.dll" Dabhdinj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accimdgp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll" Balpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ankkea32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdabcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhiajmod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjpaooda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinnnm32.dll" Lhmmjbkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofabneq.dll" Nemmoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocbddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbbond32.dll" Mjneln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aanfno32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbidkde.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ablmdkdf.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclnjo32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fllpbldb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmnoof32.dll" Gmoeoidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odjafd32.dll" Nhpiafnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgeaifia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hipfji32.dll" Blmacb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghmbno32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3156 wrote to memory of 5004 3156 84d6b52519439ac5a38ec137a968b6d386478feb5d158fd90eb1cc855f615108.exe 84 PID 3156 wrote to memory of 5004 3156 84d6b52519439ac5a38ec137a968b6d386478feb5d158fd90eb1cc855f615108.exe 84 PID 3156 wrote to memory of 5004 3156 84d6b52519439ac5a38ec137a968b6d386478feb5d158fd90eb1cc855f615108.exe 84 PID 5004 wrote to memory of 1404 5004 Hmklen32.exe 85 PID 5004 wrote to memory of 1404 5004 Hmklen32.exe 85 PID 5004 wrote to memory of 1404 5004 Hmklen32.exe 85 PID 1404 wrote to memory of 4616 1404 Hcedaheh.exe 86 PID 1404 wrote to memory of 4616 1404 Hcedaheh.exe 86 PID 1404 wrote to memory of 4616 1404 Hcedaheh.exe 86 PID 4616 wrote to memory of 4648 4616 Haidklda.exe 87 PID 4616 wrote to memory of 4648 4616 Haidklda.exe 87 PID 4616 wrote to memory of 4648 4616 Haidklda.exe 87 PID 4648 wrote to memory of 3472 4648 Impepm32.exe 88 PID 4648 wrote to memory of 3472 4648 Impepm32.exe 88 PID 4648 wrote to memory of 3472 4648 Impepm32.exe 88 PID 3472 wrote to memory of 4008 3472 Ifhiib32.exe 89 PID 3472 wrote to memory of 4008 3472 Ifhiib32.exe 89 PID 3472 wrote to memory of 4008 3472 Ifhiib32.exe 89 PID 4008 wrote to memory of 4012 4008 Iannfk32.exe 90 PID 4008 wrote to memory of 4012 4008 Iannfk32.exe 90 PID 4008 wrote to memory of 4012 4008 Iannfk32.exe 90 PID 4012 wrote to memory of 3456 4012 Ifjfnb32.exe 91 PID 4012 wrote to memory of 3456 4012 Ifjfnb32.exe 91 PID 4012 wrote to memory of 3456 4012 Ifjfnb32.exe 91 PID 3456 wrote to memory of 2732 3456 Idofhfmm.exe 92 PID 3456 wrote to memory of 2732 3456 Idofhfmm.exe 92 PID 3456 wrote to memory of 2732 3456 Idofhfmm.exe 92 PID 2732 wrote to memory of 5012 2732 Ifmcdblq.exe 94 PID 2732 wrote to memory of 5012 2732 Ifmcdblq.exe 94 PID 2732 wrote to memory of 5012 2732 Ifmcdblq.exe 94 PID 5012 wrote to memory of 1668 5012 Iikopmkd.exe 95 PID 5012 wrote to memory of 1668 5012 Iikopmkd.exe 95 PID 5012 wrote to memory of 1668 5012 Iikopmkd.exe 95 PID 1668 wrote to memory of 4668 1668 Ipegmg32.exe 96 PID 1668 wrote to memory of 4668 1668 Ipegmg32.exe 96 PID 1668 wrote to memory of 4668 1668 Ipegmg32.exe 96 PID 4668 wrote to memory of 1716 4668 Iinlemia.exe 97 PID 4668 wrote to memory of 1716 4668 Iinlemia.exe 97 PID 4668 wrote to memory of 1716 4668 Iinlemia.exe 97 PID 1716 wrote to memory of 2756 1716 Jaedgjjd.exe 98 PID 1716 wrote to memory of 2756 1716 Jaedgjjd.exe 98 PID 1716 wrote to memory of 2756 1716 Jaedgjjd.exe 98 PID 2756 wrote to memory of 2596 2756 Jmkdlkph.exe 100 PID 2756 wrote to memory of 2596 2756 Jmkdlkph.exe 100 PID 2756 wrote to memory of 2596 2756 Jmkdlkph.exe 100 PID 2596 wrote to memory of 1548 2596 Jdemhe32.exe 101 PID 2596 wrote to memory of 1548 2596 Jdemhe32.exe 101 PID 2596 wrote to memory of 1548 2596 Jdemhe32.exe 101 PID 1548 wrote to memory of 4160 1548 Jibeql32.exe 102 PID 1548 wrote to memory of 4160 1548 Jibeql32.exe 102 PID 1548 wrote to memory of 4160 1548 Jibeql32.exe 102 PID 4160 wrote to memory of 1248 4160 Jbkjjblm.exe 103 PID 4160 wrote to memory of 1248 4160 Jbkjjblm.exe 103 PID 4160 wrote to memory of 1248 4160 Jbkjjblm.exe 103 PID 1248 wrote to memory of 2492 1248 Jjbako32.exe 104 PID 1248 wrote to memory of 2492 1248 Jjbako32.exe 104 PID 1248 wrote to memory of 2492 1248 Jjbako32.exe 104 PID 2492 wrote to memory of 3740 2492 Jmpngk32.exe 105 PID 2492 wrote to memory of 3740 2492 Jmpngk32.exe 105 PID 2492 wrote to memory of 3740 2492 Jmpngk32.exe 105 PID 3740 wrote to memory of 2400 3740 Jdjfcecp.exe 107 PID 3740 wrote to memory of 2400 3740 Jdjfcecp.exe 107 PID 3740 wrote to memory of 2400 3740 Jdjfcecp.exe 107 PID 2400 wrote to memory of 3940 2400 Jpaghf32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\84d6b52519439ac5a38ec137a968b6d386478feb5d158fd90eb1cc855f615108.exe"C:\Users\Admin\AppData\Local\Temp\84d6b52519439ac5a38ec137a968b6d386478feb5d158fd90eb1cc855f615108.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Iinlemia.exeC:\Windows\system32\Iinlemia.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Jmkdlkph.exeC:\Windows\system32\Jmkdlkph.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Jdemhe32.exeC:\Windows\system32\Jdemhe32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe23⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe24⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe25⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Kacphh32.exeC:\Windows\system32\Kacphh32.exe26⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe27⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe28⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe29⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe30⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe31⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe33⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe34⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe35⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe36⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe37⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1468 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe39⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe40⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe41⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe42⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe43⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe44⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe45⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe46⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:100 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe48⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe49⤵
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe50⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe51⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe52⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe53⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe54⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe56⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe57⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe58⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe59⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe60⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe61⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe62⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe63⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe64⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe65⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4176 -
C:\Windows\SysWOW64\Nqklmpdd.exeC:\Windows\system32\Nqklmpdd.exe67⤵PID:3492
-
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe68⤵PID:3704
-
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe69⤵PID:880
-
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe70⤵PID:3280
-
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe71⤵PID:1224
-
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe72⤵PID:4804
-
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe73⤵PID:4520
-
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe74⤵PID:2612
-
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe75⤵PID:3912
-
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe76⤵PID:4508
-
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe77⤵PID:4068
-
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe78⤵PID:4528
-
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe79⤵PID:2340
-
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe80⤵PID:3980
-
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe81⤵PID:4844
-
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe82⤵PID:3148
-
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe83⤵PID:884
-
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe84⤵PID:5060
-
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe85⤵PID:5196
-
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe86⤵PID:5236
-
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe87⤵PID:5320
-
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe88⤵PID:5360
-
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe89⤵PID:5412
-
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe90⤵PID:5476
-
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe91⤵PID:5520
-
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe92⤵PID:5564
-
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe93⤵PID:5608
-
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe94⤵PID:5648
-
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe95⤵PID:5692
-
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe96⤵PID:5736
-
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe97⤵PID:5780
-
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe98⤵PID:5820
-
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe99⤵PID:5864
-
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe100⤵PID:5904
-
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe101⤵PID:5952
-
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe102⤵PID:5992
-
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe103⤵PID:6036
-
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe104⤵PID:6076
-
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe105⤵PID:6116
-
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe106⤵PID:5128
-
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe107⤵PID:5164
-
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe108⤵PID:5264
-
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe109⤵PID:5444
-
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe110⤵PID:5492
-
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe111⤵PID:5556
-
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe112⤵PID:5624
-
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe113⤵PID:5700
-
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe114⤵PID:5768
-
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe115⤵PID:5840
-
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe116⤵PID:5900
-
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe117⤵PID:5976
-
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe118⤵PID:6056
-
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe119⤵PID:6124
-
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe120⤵
- Modifies registry class
PID:5192 -
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5348
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-