Analysis
max time kernel: 148s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03/05/2024, 21:37

Static task: static1
Behavioral task: behavioral1
Sample: 4f0a6289bcf40f6f401a20bd988ebe0625bd1cb95bb94abda84e82a8c1de6db4.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 4f0a6289bcf40f6f401a20bd988ebe0625bd1cb95bb94abda84e82a8c1de6db4.exe
Resource: win10v2004-20240419-en

General
Target: 4f0a6289bcf40f6f401a20bd988ebe0625bd1cb95bb94abda84e82a8c1de6db4.exe
Size: 176KB
MD5: bbdaf8597fd6fcd80472b8ddfa455b31
SHA1: bcf8ac01f432b49b7e55015fa9321de549d8f339
SHA256: 4f0a6289bcf40f6f401a20bd988ebe0625bd1cb95bb94abda84e82a8c1de6db4
SHA512: 81011bd318de1b575da955aaeacb302eea9ca713307b08487bed432203c19c6c71864745521ebc360e8f65ce0cd93d5f788c6ec566e6b94d8ace5f483b92c89b
SSDEEP: 3072:B5mP/mBIZiP1I1VyGo1larlOGA8d2E2fAYjmjRrz3E3:BYP/0FP1I1VyGo1lRXE2fAEG4
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- UPX dump on OEP (original entry point) (64 IoCs)
- Executes dropped EXE (64 IoCs)
- Loads dropped DLL (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (1 IoC)
  pid 4664, pid_target 1544, Process WerFault.exe, procid_target 894
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
Each entry gives the process-tree depth in brackets, the image path, the PID and the command line, followed by the signatures that process triggered.
[1] C:\Users\Admin\AppData\Local\Temp\4f0a6289bcf40f6f401a20bd988ebe0625bd1cb95bb94abda84e82a8c1de6db4.exe (PID 2872), command line: "C:\Users\Admin\AppData\Local\Temp\4f0a6289bcf40f6f401a20bd988ebe0625bd1cb95bb94abda84e82a8c1de6db4.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Bcjqdmla.exe (PID 3040), command line: C:\Windows\system32\Bcjqdmla.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\Bpqain32.exe (PID 2480), command line: C:\Windows\system32\Bpqain32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\Chnbcpmn.exe (PID 2528), command line: C:\Windows\system32\Chnbcpmn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\Cafgle32.exe (PID 2712), command line: C:\Windows\system32\Cafgle32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\Ckolek32.exe (PID 1776), command line: C:\Windows\system32\Ckolek32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\Cpnaca32.exe (PID 2952), command line: C:\Windows\system32\Cpnaca32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\Dkfbfjdf.exe (PID 1112), command line: C:\Windows\system32\Dkfbfjdf.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
[9] C:\Windows\SysWOW64\Ddnfop32.exe (PID 1856), command line: C:\Windows\system32\Ddnfop32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\Dcccpl32.exe (PID 2680), command line: C:\Windows\system32\Dcccpl32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[11] C:\Windows\SysWOW64\Daipqhdg.exe (PID 1228), command line: C:\Windows\system32\Daipqhdg.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\Degiggjm.exe (PID 1972), command line: C:\Windows\system32\Degiggjm.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[13] C:\Windows\SysWOW64\Enbnkigh.exe (PID 1656), command line: C:\Windows\system32\Enbnkigh.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[14] C:\Windows\SysWOW64\Ehgbhbgn.exe (PID 1352), command line: C:\Windows\system32\Ehgbhbgn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[15] C:\Windows\SysWOW64\Eabcggll.exe (PID 1408), command line: C:\Windows\system32\Eabcggll.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[16] C:\Windows\SysWOW64\Eccpoo32.exe (PID 2468), command line: C:\Windows\system32\Eccpoo32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[17] C:\Windows\SysWOW64\Egahen32.exe (PID 2928), command line: C:\Windows\system32\Egahen32.exe
  - Executes dropped EXE
  - Loads dropped DLL
[18] C:\Windows\SysWOW64\Fchijone.exe (PID 2960), command line: C:\Windows\system32\Fchijone.exe
  - Executes dropped EXE
  - Loads dropped DLL
[19] C:\Windows\SysWOW64\Fqlicclo.exe (PID 3056), command line: C:\Windows\system32\Fqlicclo.exe
  - Executes dropped EXE
  - Loads dropped DLL
[20] C:\Windows\SysWOW64\Fjdnlhco.exe (PID 1368), command line: C:\Windows\system32\Fjdnlhco.exe
  - Executes dropped EXE
  - Loads dropped DLL
[21] C:\Windows\SysWOW64\Fdnolfon.exe (PID 972), command line: C:\Windows\system32\Fdnolfon.exe
  - Executes dropped EXE
  - Loads dropped DLL
[22] C:\Windows\SysWOW64\Ffmkfifa.exe (PID 1068), command line: C:\Windows\system32\Ffmkfifa.exe
  - Executes dropped EXE
  - Loads dropped DLL
[23] C:\Windows\SysWOW64\Fofpoo32.exe (PID 320), command line: C:\Windows\system32\Fofpoo32.exe
  - Executes dropped EXE
  - Loads dropped DLL
[24] C:\Windows\SysWOW64\Fgadda32.exe (PID 820), command line: C:\Windows\system32\Fgadda32.exe
  - Executes dropped EXE
  - Loads dropped DLL
[25] C:\Windows\SysWOW64\Gqiimfam.exe (PID 2272), command line: C:\Windows\system32\Gqiimfam.exe
  - Executes dropped EXE
  - Loads dropped DLL
[26] C:\Windows\SysWOW64\Gkomjo32.exe (PID 1632), command line: C:\Windows\system32\Gkomjo32.exe
  - Executes dropped EXE
  - Loads dropped DLL
[27] C:\Windows\SysWOW64\Ggfnopfg.exe (PID 2348), command line: C:\Windows\system32\Ggfnopfg.exe
  - Executes dropped EXE
  - Loads dropped DLL
[28] C:\Windows\SysWOW64\Gnpflj32.exe (PID 3004), command line: C:\Windows\system32\Gnpflj32.exe
  - Executes dropped EXE
  - Loads dropped DLL
[29] C:\Windows\SysWOW64\Gcmoda32.exe (PID 1600), command line: C:\Windows\system32\Gcmoda32.exe
  - Executes dropped EXE
  - Loads dropped DLL
[30] C:\Windows\SysWOW64\Gfmgelil.exe (PID 3028), command line: C:\Windows\system32\Gfmgelil.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
[31] C:\Windows\SysWOW64\Gbdhjm32.exe (PID 2880), command line: C:\Windows\system32\Gbdhjm32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
[32] C:\Windows\SysWOW64\Hllmcc32.exe (PID 2548), command line: C:\Windows\system32\Hllmcc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
[33] C:\Windows\SysWOW64\Hipmmg32.exe (PID 1696), command line: C:\Windows\system32\Hipmmg32.exe
  - Executes dropped EXE
[34] C:\Windows\SysWOW64\Hloiib32.exe (PID 2428), command line: C:\Windows\system32\Hloiib32.exe
  - Executes dropped EXE
[35] C:\Windows\SysWOW64\Hanogipc.exe (PID 588), command line: C:\Windows\system32\Hanogipc.exe
  - Executes dropped EXE
[36] C:\Windows\SysWOW64\Hjfcpo32.exe (PID 2352), command line: C:\Windows\system32\Hjfcpo32.exe
  - Executes dropped EXE
  - Modifies registry class
[37] C:\Windows\SysWOW64\Hdoghdmd.exe (PID 2636), command line: C:\Windows\system32\Hdoghdmd.exe
  - Executes dropped EXE
  - Drops file in System32 directory
[38] C:\Windows\SysWOW64\Ihmpobck.exe (PID 1804), command line: C:\Windows\system32\Ihmpobck.exe
  - Executes dropped EXE
[39] C:\Windows\SysWOW64\Iaeegh32.exe (PID 752), command line: C:\Windows\system32\Iaeegh32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
[40] C:\Windows\SysWOW64\Idfnicfl.exe (PID 2344), command line: C:\Windows\system32\Idfnicfl.exe
  - Executes dropped EXE
[41] C:\Windows\SysWOW64\Ieigfk32.exe (PID 680), command line: C:\Windows\system32\Ieigfk32.exe
  - Executes dropped EXE
[42] C:\Windows\SysWOW64\Ioakoq32.exe (PID 2972), command line: C:\Windows\system32\Ioakoq32.exe
  - Executes dropped EXE
[43] C:\Windows\SysWOW64\Jaijak32.exe (PID 2732), command line: C:\Windows\system32\Jaijak32.exe
  - Executes dropped EXE
[44] C:\Windows\SysWOW64\Jgfcja32.exe (PID 1436), command line: C:\Windows\system32\Jgfcja32.exe
  - Executes dropped EXE
[45] C:\Windows\SysWOW64\Jlckbh32.exe (PID 2744), command line: C:\Windows\system32\Jlckbh32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
[46] C:\Windows\SysWOW64\Kjglkm32.exe (PID 1984), command line: C:\Windows\system32\Kjglkm32.exe
  - Executes dropped EXE
[47] C:\Windows\SysWOW64\Kpcqnf32.exe (PID 1544), command line: C:\Windows\system32\Kpcqnf32.exe
  - Executes dropped EXE
[48] C:\Windows\SysWOW64\Kcamjb32.exe (PID 1712), command line: C:\Windows\system32\Kcamjb32.exe
  - Executes dropped EXE
[49] C:\Windows\SysWOW64\Khoebi32.exe (PID 1744), command line: C:\Windows\system32\Khoebi32.exe
  - Executes dropped EXE
[50] C:\Windows\SysWOW64\Kbgjkn32.exe (PID 2192), command line: C:\Windows\system32\Kbgjkn32.exe
  - Executes dropped EXE
[51] C:\Windows\SysWOW64\Kllnhg32.exe (PID 1660), command line: C:\Windows\system32\Kllnhg32.exe
  - Executes dropped EXE
  - Modifies registry class
[52] C:\Windows\SysWOW64\Khcomhbi.exe (PID 1916), command line: C:\Windows\system32\Khcomhbi.exe
  - Executes dropped EXE
  - Drops file in System32 directory
[53] C:\Windows\SysWOW64\Lnpgeopa.exe (PID 2900), command line: C:\Windows\system32\Lnpgeopa.exe
  - Executes dropped EXE
[54] C:\Windows\SysWOW64\Lghlndfa.exe (PID 868), command line: C:\Windows\system32\Lghlndfa.exe
  - Executes dropped EXE
  - Modifies registry class
[55] C:\Windows\SysWOW64\Lbnpkmfg.exe (PID 1604), command line: C:\Windows\system32\Lbnpkmfg.exe
  - Executes dropped EXE
[56] C:\Windows\SysWOW64\Lkfddc32.exe (PID 2508), command line: C:\Windows\system32\Lkfddc32.exe
  - Executes dropped EXE
[57] C:\Windows\SysWOW64\Ldoimh32.exe (PID 2716), command line: C:\Windows\system32\Ldoimh32.exe
  - Executes dropped EXE
[58] C:\Windows\SysWOW64\Ljkaeo32.exe (PID 2620), command line: C:\Windows\system32\Ljkaeo32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
[59] C:\Windows\SysWOW64\Lmjnak32.exe (PID 2496), command line: C:\Windows\system32\Lmjnak32.exe
  - Executes dropped EXE
[60] C:\Windows\SysWOW64\Liqoflfh.exe (PID 2408), command line: C:\Windows\system32\Liqoflfh.exe
  - Executes dropped EXE
[61] C:\Windows\SysWOW64\Lqhfhigj.exe (PID 1196), command line: C:\Windows\system32\Lqhfhigj.exe
  - Executes dropped EXE
[62] C:\Windows\SysWOW64\Micklk32.exe (PID 2672), command line: C:\Windows\system32\Micklk32.exe
  - Executes dropped EXE
[63] C:\Windows\SysWOW64\Mbkpeake.exe (PID 1796), command line: C:\Windows\system32\Mbkpeake.exe
  - Executes dropped EXE
[64] C:\Windows\SysWOW64\Mnbpjb32.exe (PID 1848), command line: C:\Windows\system32\Mnbpjb32.exe
  - Executes dropped EXE
[65] C:\Windows\SysWOW64\Mgjebg32.exe (PID 1440), command line: C:\Windows\system32\Mgjebg32.exe
  - Executes dropped EXE
[66] C:\Windows\SysWOW64\Mijamjnm.exe (PID 1396), command line: C:\Windows\system32\Mijamjnm.exe
[67] C:\Windows\SysWOW64\Mhonngce.exe (PID 1188), command line: C:\Windows\system32\Mhonngce.exe
[68] C:\Windows\SysWOW64\Necogkbo.exe (PID 432), command line: C:\Windows\system32\Necogkbo.exe
[69] C:\Windows\SysWOW64\Nfdkoc32.exe (PID 1628), command line: C:\Windows\system32\Nfdkoc32.exe
[70] C:\Windows\SysWOW64\Npmphinm.exe (PID 1096), command line: C:\Windows\system32\Npmphinm.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
[71] C:\Windows\SysWOW64\Nhdhif32.exe (PID 2032), command line: C:\Windows\system32\Nhdhif32.exe
[72] C:\Windows\SysWOW64\Njbdea32.exe (PID 2908), command line: C:\Windows\system32\Njbdea32.exe
  - Drops file in System32 directory
[73] C:\Windows\SysWOW64\Nallalep.exe (PID 2516), command line: C:\Windows\system32\Nallalep.exe
[74] C:\Windows\SysWOW64\Nigafnck.exe (PID 2484), command line: C:\Windows\system32\Nigafnck.exe
[75] C:\Windows\SysWOW64\Nlfmbibo.exe (PID 2944), command line: C:\Windows\system32\Nlfmbibo.exe
[76] C:\Windows\SysWOW64\Ndmecgba.exe (PID 1872), command line: C:\Windows\system32\Ndmecgba.exe
[77] C:\Windows\SysWOW64\Nmejllia.exe (PID 2420), command line: C:\Windows\system32\Nmejllia.exe
[78] C:\Windows\SysWOW64\Nfnneb32.exe (PID 2204), command line: C:\Windows\system32\Nfnneb32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
[79] C:\Windows\SysWOW64\Ooicid32.exe (PID 2440), command line: C:\Windows\system32\Ooicid32.exe
  - Drops file in System32 directory
[80] C:\Windows\SysWOW64\Oioggmmc.exe (PID 2688), command line: C:\Windows\system32\Oioggmmc.exe
[81] C:\Windows\SysWOW64\Ookpodkj.exe (PID 2148), command line: C:\Windows\system32\Ookpodkj.exe
[82] C:\Windows\SysWOW64\Oeehln32.exe (PID 1664), command line: C:\Windows\system32\Oeehln32.exe
[83] C:\Windows\SysWOW64\Okbpde32.exe (PID 1684), command line: C:\Windows\system32\Okbpde32.exe
[84] C:\Windows\SysWOW64\Oonldcih.exe (PID 1700), command line: C:\Windows\system32\Oonldcih.exe
[85] C:\Windows\SysWOW64\Okdmjdol.exe (PID 2156), command line: C:\Windows\system32\Okdmjdol.exe
[86] C:\Windows\SysWOW64\Odmabj32.exe (PID 2980), command line: C:\Windows\system32\Odmabj32.exe
[87] C:\Windows\SysWOW64\Okgjodmi.exe (PID 3000), command line: C:\Windows\system32\Okgjodmi.exe
[88] C:\Windows\SysWOW64\Pdonhj32.exe (PID 1672), command line: C:\Windows\system32\Pdonhj32.exe
[89] C:\Windows\SysWOW64\Pgnjde32.exe (PID 2996), command line: C:\Windows\system32\Pgnjde32.exe
[90] C:\Windows\SysWOW64\Pmgbao32.exe (PID 2220), command line: C:\Windows\system32\Pmgbao32.exe
[91] C:\Windows\SysWOW64\Pdakniag.exe (PID 1208), command line: C:\Windows\system32\Pdakniag.exe
[92] C:\Windows\SysWOW64\Plmpblnb.exe (PID 532), command line: C:\Windows\system32\Plmpblnb.exe
[93] C:\Windows\SysWOW64\Pcghof32.exe (PID 1816), command line: C:\Windows\system32\Pcghof32.exe
[94] C:\Windows\SysWOW64\Plolgk32.exe (PID 2536), command line: C:\Windows\system32\Plolgk32.exe
[95] C:\Windows\SysWOW64\Palepb32.exe (PID 2600), command line: C:\Windows\system32\Palepb32.exe
[96] C:\Windows\SysWOW64\Pkdihhag.exe (PID 1472), command line: C:\Windows\system32\Pkdihhag.exe
[97] C:\Windows\SysWOW64\Panaeb32.exe (PID 1648), command line: C:\Windows\system32\Panaeb32.exe
[98] C:\Windows\SysWOW64\Qkffng32.exe (PID 2136), command line: C:\Windows\system32\Qkffng32.exe
[99] C:\Windows\SysWOW64\Qkibcg32.exe (PID 940), command line: C:\Windows\system32\Qkibcg32.exe
  - Drops file in System32 directory
[100] C:\Windows\SysWOW64\Qqfkln32.exe (PID 784), command line: C:\Windows\system32\Qqfkln32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
[101] C:\Windows\SysWOW64\Anjlebjc.exe (PID 1680), command line: C:\Windows\system32\Anjlebjc.exe
  - Modifies registry class
[102] C:\Windows\SysWOW64\Agbpnh32.exe (PID 2912), command line: C:\Windows\system32\Agbpnh32.exe
[103] C:\Windows\SysWOW64\Anlhkbhq.exe (PID 3052), command line: C:\Windows\system32\Anlhkbhq.exe
[104] C:\Windows\SysWOW64\Aqjdgmgd.exe (PID 2196), command line: C:\Windows\system32\Aqjdgmgd.exe
[105] C:\Windows\SysWOW64\Agdmdg32.exe (PID 1092), command line: C:\Windows\system32\Agdmdg32.exe
[106] C:\Windows\SysWOW64\Aopahjll.exe (PID 1080), command line: C:\Windows\system32\Aopahjll.exe
[107] C:\Windows\SysWOW64\Amcbankf.exe (PID 2036), command line: C:\Windows\system32\Amcbankf.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
[108] C:\Windows\SysWOW64\Abpjjeim.exe (PID 1740), command line: C:\Windows\system32\Abpjjeim.exe
[109] C:\Windows\SysWOW64\Bcpgdhpp.exe (PID 2584), command line: C:\Windows\system32\Bcpgdhpp.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
[110] C:\Windows\SysWOW64\Bkklhjnk.exe (PID 2436), command line: C:\Windows\system32\Bkklhjnk.exe
  - Modifies registry class
[111] C:\Windows\SysWOW64\Bfqpecma.exe (PID 2888), command line: C:\Windows\system32\Bfqpecma.exe
[112] C:\Windows\SysWOW64\Bgblmk32.exe (PID 1552), command line: C:\Windows\system32\Bgblmk32.exe
[113] C:\Windows\SysWOW64\Bbgqjdce.exe (PID 2120), command line: C:\Windows\system32\Bbgqjdce.exe
  - Drops file in System32 directory
[114] C:\Windows\SysWOW64\Bkpeci32.exe (PID 2320), command line: C:\Windows\system32\Bkpeci32.exe
[115] C:\Windows\SysWOW64\Cgkocj32.exe (PID 2112), command line: C:\Windows\system32\Cgkocj32.exe
[116] C:\Windows\SysWOW64\Cacclpae.exe (PID 1516), command line: C:\Windows\system32\Cacclpae.exe
[117] C:\Windows\SysWOW64\Cjlheehe.exe (PID 892), command line: C:\Windows\system32\Cjlheehe.exe
[118] C:\Windows\SysWOW64\Cpiqmlfm.exe (PID 2024), command line: C:\Windows\system32\Cpiqmlfm.exe
[119] C:\Windows\SysWOW64\Cbgmigeq.exe (PID 2288), command line: C:\Windows\system32\Cbgmigeq.exe
  - Drops file in System32 directory
[120] C:\Windows\SysWOW64\Cpkmcldj.exe (PID 2708), command line: C:\Windows\system32\Cpkmcldj.exe
[121] C:\Windows\SysWOW64\Cbiiog32.exe (PID 2956), command line: C:\Windows\system32\Cbiiog32.exe
[122] C:\Windows\SysWOW64\Cehfkb32.exe (PID 2488), command line: C:\Windows\system32\Cehfkb32.exe