Analysis
-
max time kernel
139s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
03/05/2024, 21:37
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
4f0a6289bcf40f6f401a20bd988ebe0625bd1cb95bb94abda84e82a8c1de6db4.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
4f0a6289bcf40f6f401a20bd988ebe0625bd1cb95bb94abda84e82a8c1de6db4.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
4f0a6289bcf40f6f401a20bd988ebe0625bd1cb95bb94abda84e82a8c1de6db4.exe
-
Size
176KB
-
MD5
bbdaf8597fd6fcd80472b8ddfa455b31
-
SHA1
bcf8ac01f432b49b7e55015fa9321de549d8f339
-
SHA256
4f0a6289bcf40f6f401a20bd988ebe0625bd1cb95bb94abda84e82a8c1de6db4
-
SHA512
81011bd318de1b575da955aaeacb302eea9ca713307b08487bed432203c19c6c71864745521ebc360e8f65ce0cd93d5f788c6ec566e6b94d8ace5f483b92c89b
-
SSDEEP
3072:B5mP/mBIZiP1I1VyGo1larlOGA8d2E2fAYjmjRrz3E3:BYP/0FP1I1VyGo1lRXE2fAEG4
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pddhbipj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpoalo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaakpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iphioh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idhnkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmkkmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbdbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iklgah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckiihok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfbaonae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcpikkge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epcdqd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paeelgnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gihgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioambknl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibfck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cabfga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjepjkhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gncchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nggnadib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odoogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okkdic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfnbgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpcbhji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eggmge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igmagnkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joffnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlnipg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hemdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adndoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfbkpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhpqaiji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbhijepa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maggnali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nihipdhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpjgaoqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikaggmii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmaopfjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnfihkqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdecgbfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhabbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdaociml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkllnbjc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnmijq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjbogmdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gigaka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmmpfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpmpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elnoopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djgjlelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kihnmohm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inmpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nefped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkjhoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhbimf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjmfjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qachgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbgihaji.exe -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral2/files/0x000c000000023b62-7.dat UPX behavioral2/files/0x000a000000023bbf-15.dat UPX behavioral2/files/0x000a000000023bc1-24.dat UPX behavioral2/files/0x000a000000023bc4-31.dat UPX behavioral2/files/0x000a000000023bc6-39.dat UPX behavioral2/files/0x000a000000023bc8-47.dat UPX behavioral2/files/0x000a000000023bca-55.dat UPX behavioral2/files/0x000a000000023bcc-63.dat UPX behavioral2/files/0x000a000000023bce-71.dat UPX behavioral2/files/0x000a000000023bd0-79.dat UPX behavioral2/files/0x000a000000023bd2-87.dat UPX behavioral2/files/0x000a000000023bd4-96.dat UPX behavioral2/files/0x000a000000023bd6-103.dat UPX behavioral2/files/0x000a000000023bd8-112.dat UPX behavioral2/files/0x000a000000023bda-119.dat UPX behavioral2/files/0x000a000000023bdc-127.dat UPX behavioral2/files/0x000b000000023bde-135.dat UPX behavioral2/files/0x000b000000023be0-143.dat UPX behavioral2/files/0x000e000000023bef-151.dat UPX behavioral2/files/0x0009000000023bfd-160.dat UPX behavioral2/files/0x0009000000023bff-167.dat UPX behavioral2/files/0x0008000000023c05-175.dat UPX behavioral2/files/0x0008000000023c09-183.dat UPX behavioral2/files/0x0008000000023c0b-191.dat UPX behavioral2/files/0x0008000000023c3b-199.dat UPX behavioral2/files/0x000d000000023bbb-207.dat UPX behavioral2/files/0x0008000000023c3e-215.dat UPX behavioral2/files/0x0008000000023c45-224.dat UPX behavioral2/files/0x0008000000023c58-231.dat UPX behavioral2/files/0x0008000000023c5f-241.dat UPX behavioral2/files/0x0008000000023c61-247.dat UPX behavioral2/files/0x0008000000023c63-255.dat UPX behavioral2/files/0x0007000000023d0f-651.dat UPX behavioral2/files/0x0007000000023d32-774.dat UPX behavioral2/files/0x0007000000023d4b-855.dat UPX behavioral2/files/0x0007000000023d5b-909.dat UPX behavioral2/files/0x0007000000023d77-1001.dat UPX behavioral2/files/0x0007000000023d87-1053.dat UPX behavioral2/files/0x0007000000023d95-1100.dat UPX behavioral2/files/0x0007000000023dc3-1262.dat UPX behavioral2/files/0x0007000000023dc9-1281.dat UPX behavioral2/files/0x0007000000023e02-1511.dat UPX behavioral2/files/0x0007000000023e19-1583.dat UPX behavioral2/files/0x0007000000023e1d-1597.dat UPX behavioral2/files/0x0007000000023e21-1611.dat UPX behavioral2/files/0x0007000000023e26-1625.dat UPX behavioral2/files/0x0007000000023e3c-1694.dat UPX behavioral2/files/0x0008000000023df4-1701.dat UPX behavioral2/files/0x0008000000023e2e-1766.dat UPX behavioral2/files/0x0007000000023e50-1780.dat UPX behavioral2/files/0x0007000000023e6a-1867.dat UPX behavioral2/files/0x0007000000023e76-1908.dat UPX behavioral2/files/0x0007000000023e90-1994.dat UPX behavioral2/files/0x0007000000023e96-2015.dat UPX behavioral2/files/0x0007000000023e98-2022.dat UPX behavioral2/files/0x0007000000023e9c-2035.dat UPX behavioral2/files/0x0007000000023ea2-2055.dat UPX behavioral2/files/0x0007000000023eaa-2083.dat UPX behavioral2/files/0x0007000000023eb4-2118.dat UPX behavioral2/files/0x0007000000023ed1-2218.dat UPX behavioral2/files/0x0007000000023ed9-2251.dat UPX behavioral2/files/0x0007000000023ee9-2316.dat UPX behavioral2/files/0x0007000000023eef-2340.dat UPX behavioral2/files/0x0007000000023efd-2389.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 2760 Agoabn32.exe 4132 Bjmnoi32.exe 3580 Bmkjkd32.exe 1524 Bcebhoii.exe 4768 Bfdodjhm.exe 4252 Bnkgeg32.exe 3060 Bchomn32.exe 2304 Bffkij32.exe 2892 Bnmcjg32.exe 2940 Beglgani.exe 3128 Bjddphlq.exe 5036 Bnpppgdj.exe 3100 Banllbdn.exe 4204 Bhhdil32.exe 1128 Bfkedibe.exe 4652 Bapiabak.exe 2664 Chjaol32.exe 4156 Cjinkg32.exe 3448 Cabfga32.exe 2328 Cenahpha.exe 4892 Cjkjpgfi.exe 3192 Cmiflbel.exe 3148 Ceqnmpfo.exe 2720 Cnicfe32.exe 2864 Ceckcp32.exe 2208 Chagok32.exe 5088 Cnkplejl.exe 2292 Ceehho32.exe 2976 Cffdpghg.exe 948 Cnnlaehj.exe 4752 Calhnpgn.exe 4856 Ddjejl32.exe 4356 Djdmffnn.exe 3796 Dmcibama.exe 1780 Dejacond.exe 4720 Djgjlelk.exe 2220 Dobfld32.exe 3272 Daqbip32.exe 4732 Ddonekbl.exe 4496 Dhkjej32.exe 4588 Dkifae32.exe 448 Dodbbdbb.exe 3212 Daconoae.exe 3472 Dhmgki32.exe 4480 Dfpgffpm.exe 872 Dogogcpo.exe 4620 Dmjocp32.exe 4212 Deagdn32.exe 4456 Dddhpjof.exe 368 Dknpmdfc.exe 1912 Doilmc32.exe 3348 Dahhio32.exe 2708 Edfdej32.exe 4164 Egdqae32.exe 3584 Eajeon32.exe 4868 Edhakj32.exe 4992 Eggmge32.exe 4376 Ekbihd32.exe 4272 Ealadnik.exe 3688 Edknqiho.exe 2984 Egijmegb.exe 3096 Ekefmc32.exe 4760 Emcbio32.exe 4364 Edmjfifl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ienekbld.exe Ifleoe32.exe File created C:\Windows\SysWOW64\Neafjdkn.exe Nklbmllg.exe File created C:\Windows\SysWOW64\Kjeqge32.dll Manmoq32.exe File created C:\Windows\SysWOW64\Ddonekbl.exe Daqbip32.exe File created C:\Windows\SysWOW64\Lhkgoiqe.exe Lihfcm32.exe File created C:\Windows\SysWOW64\Bheffh32.exe Bcinna32.exe File opened for modification C:\Windows\SysWOW64\Hlcjhkdp.exe Hienlpel.exe File created C:\Windows\SysWOW64\Loighj32.exe Kjlopc32.exe File created C:\Windows\SysWOW64\Ahamlm32.dll Gkleeplq.exe File opened for modification C:\Windows\SysWOW64\Loeolc32.exe Lpbopfag.exe File opened for modification C:\Windows\SysWOW64\Ncjginjn.exe Nookip32.exe File opened for modification C:\Windows\SysWOW64\Pddhbipj.exe Peahgl32.exe File opened for modification C:\Windows\SysWOW64\Bfkedibe.exe Bhhdil32.exe File created C:\Windows\SysWOW64\Gjkmhmpl.dll Dhhfedil.exe File created C:\Windows\SysWOW64\Gadqlkep.exe Gnhdkl32.exe File created C:\Windows\SysWOW64\Gphqhffa.dll Ocopdn32.exe File created C:\Windows\SysWOW64\Blgifbil.exe Bemqih32.exe File opened for modification C:\Windows\SysWOW64\Ipjoja32.exe Iipfmggc.exe File created C:\Windows\SysWOW64\Banllbdn.exe Bnpppgdj.exe File created C:\Windows\SysWOW64\Bnhpfjhc.dll Oohgdhfn.exe File created C:\Windows\SysWOW64\Dbpjaeoc.exe Dkfadkgf.exe File opened for modification C:\Windows\SysWOW64\Nopfpgip.exe Mjcngpjh.exe File created C:\Windows\SysWOW64\Ikjllm32.dll Ogcnmc32.exe File created C:\Windows\SysWOW64\Fpnnia32.dll Bchomn32.exe File created C:\Windows\SysWOW64\Hmhloljn.dll Hgabkoee.exe File created C:\Windows\SysWOW64\Mlnipg32.exe Miomdk32.exe File created C:\Windows\SysWOW64\Fmikeaap.exe Ffobhg32.exe File created C:\Windows\SysWOW64\Hegaehem.dll Bdgged32.exe File created C:\Windows\SysWOW64\Jleiba32.dll Jphkkpbp.exe File created C:\Windows\SysWOW64\Onkidm32.exe Ngqagcag.exe File created C:\Windows\SysWOW64\Jqdoem32.exe Jbaojpgb.exe File created C:\Windows\SysWOW64\Qabjcina.dll Gmiclo32.exe File created C:\Windows\SysWOW64\Aknifq32.exe Ahpmjejp.exe File opened for modification C:\Windows\SysWOW64\Onnmdcjm.exe Oloahhki.exe File created C:\Windows\SysWOW64\Aefjii32.exe Aajohjon.exe File opened for modification C:\Windows\SysWOW64\Gnlgleef.exe Gknkpjfb.exe File created C:\Windows\SysWOW64\Liaolo32.dll Bhamkipi.exe File created C:\Windows\SysWOW64\Eidlnd32.exe Ebjcajjd.exe File created C:\Windows\SysWOW64\Iooogokm.dll Kfpcoefj.exe File opened for modification C:\Windows\SysWOW64\Bjmnoi32.exe Agoabn32.exe File created C:\Windows\SysWOW64\Lnldla32.exe Lgbloglj.exe File created C:\Windows\SysWOW64\Ipjoja32.exe Iipfmggc.exe File created C:\Windows\SysWOW64\Eieijp32.dll Jgkmgk32.exe File created C:\Windows\SysWOW64\Jgqpjb32.dll Lidmhmnp.exe File opened for modification C:\Windows\SysWOW64\Mfhfhong.exe Mblkhq32.exe File opened for modification C:\Windows\SysWOW64\Lkchelci.exe Lclpdncg.exe File opened for modification C:\Windows\SysWOW64\Nookip32.exe Nlqomd32.exe File created C:\Windows\SysWOW64\Mdkgabfn.dll Eblimcdf.exe File opened for modification C:\Windows\SysWOW64\Mjcngpjh.exe Mgeakekd.exe File created C:\Windows\SysWOW64\Cmiogmig.dll Fmkgkapm.exe File created C:\Windows\SysWOW64\Bddjpd32.exe Bnkbcj32.exe File opened for modification C:\Windows\SysWOW64\Iipfmggc.exe Ibfnqmpf.exe File created C:\Windows\SysWOW64\Oammoc32.dll Dodbbdbb.exe File created C:\Windows\SysWOW64\Bqdblmhl.exe Aimkjp32.exe File created C:\Windows\SysWOW64\Hhdhon32.exe Hpmpnp32.exe File created C:\Windows\SysWOW64\Kdpmbc32.exe Kmieae32.exe File created C:\Windows\SysWOW64\Ddpapmqq.dll Dfiildio.exe File opened for modification C:\Windows\SysWOW64\Palklf32.exe Process not Found File created C:\Windows\SysWOW64\Ghklce32.exe Gdppbfff.exe File created C:\Windows\SysWOW64\Lpekef32.exe Lhncdi32.exe File opened for modification C:\Windows\SysWOW64\Kpanan32.exe Kjgeedch.exe File created C:\Windows\SysWOW64\Mmalnp32.dll Hgoeep32.exe File opened for modification C:\Windows\SysWOW64\Ienekbld.exe Ifleoe32.exe File created C:\Windows\SysWOW64\Lfebfnqn.dll Gbeejp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8568 8360 Process not Found 1209 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjmnoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlbdab32.dll" Lmbhgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joiccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbbjj32.dll" Eiloco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcdjbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocedcbl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aojlaeei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddnfmqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgqpjb32.dll" Lidmhmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dphefd32.dll" Jjmcnbdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oohgdhfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebnfbcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedckdaj.dll" Pmiikh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipjedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igigla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpgpgfmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmbhoeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpcfmkff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knchpiom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogjdmbil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fajnfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcpjnjii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbmaq32.dll" Ekbihd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpnihiio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffobhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjepjkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcghdkpf.dll" Iidphgcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqfpckhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifenan32.dll" Jlolpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cajdjn32.dll" Knqepc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll" Cmiflbel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klfjijgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnpabe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjamidgd.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkifae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpnnle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopjdidn.dll" Monjjgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpbfii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkllnbjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oekpkigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehighp32.dll" Igedlh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckilmcgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iebngial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmnagpbq.dll" Jbileede.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Malpia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhqihllh.dll" Jfbkpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbbhqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmgnn32.dll" Bfbaonae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcqjon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpebke32.dll" Jfehed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dimenegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmpkadnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mokmdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfhkccfn.dll" Jnpmjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajcdnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Majjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obimmnpq.dll" Pakllc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbflncid.dll" Hckeoeno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjgchm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1164 wrote to memory of 2760 1164 4f0a6289bcf40f6f401a20bd988ebe0625bd1cb95bb94abda84e82a8c1de6db4.exe 85 PID 1164 wrote to memory of 2760 1164 4f0a6289bcf40f6f401a20bd988ebe0625bd1cb95bb94abda84e82a8c1de6db4.exe 85 PID 1164 wrote to memory of 2760 1164 4f0a6289bcf40f6f401a20bd988ebe0625bd1cb95bb94abda84e82a8c1de6db4.exe 85 PID 2760 wrote to memory of 4132 2760 Agoabn32.exe 86 PID 2760 wrote to memory of 4132 2760 Agoabn32.exe 86 PID 2760 wrote to memory of 4132 2760 Agoabn32.exe 86 PID 4132 wrote to memory of 3580 4132 Bjmnoi32.exe 87 PID 4132 wrote to memory of 3580 4132 Bjmnoi32.exe 87 PID 4132 wrote to memory of 3580 4132 Bjmnoi32.exe 87 PID 3580 wrote to memory of 1524 3580 Bmkjkd32.exe 88 PID 3580 wrote to memory of 1524 3580 Bmkjkd32.exe 88 PID 3580 wrote to memory of 1524 3580 Bmkjkd32.exe 88 PID 1524 wrote to memory of 4768 1524 Bcebhoii.exe 89 PID 1524 wrote to memory of 4768 1524 Bcebhoii.exe 89 PID 1524 wrote to memory of 4768 1524 Bcebhoii.exe 89 PID 4768 wrote to memory of 4252 4768 Bfdodjhm.exe 90 PID 4768 wrote to memory of 4252 4768 Bfdodjhm.exe 90 PID 4768 wrote to memory of 4252 4768 Bfdodjhm.exe 90 PID 4252 wrote to memory of 3060 4252 Bnkgeg32.exe 91 PID 4252 wrote to memory of 3060 4252 Bnkgeg32.exe 91 PID 4252 wrote to memory of 3060 4252 Bnkgeg32.exe 91 PID 3060 wrote to memory of 2304 3060 Bchomn32.exe 92 PID 3060 wrote to memory of 2304 3060 Bchomn32.exe 92 PID 3060 wrote to memory of 2304 3060 Bchomn32.exe 92 PID 2304 wrote to memory of 2892 2304 Bffkij32.exe 94 PID 2304 wrote to memory of 2892 2304 Bffkij32.exe 94 PID 2304 wrote to memory of 2892 2304 Bffkij32.exe 94 PID 2892 wrote to memory of 2940 2892 Bnmcjg32.exe 95 PID 2892 wrote to memory of 2940 2892 Bnmcjg32.exe 95 PID 2892 wrote to memory of 2940 2892 Bnmcjg32.exe 95 PID 2940 wrote to memory of 3128 2940 Beglgani.exe 97 PID 2940 wrote to memory of 3128 2940 Beglgani.exe 97 PID 2940 wrote to memory of 3128 2940 Beglgani.exe 97 PID 3128 wrote to memory of 5036 3128 Bjddphlq.exe 98 PID 3128 wrote to memory of 5036 3128 Bjddphlq.exe 98 PID 3128 wrote to memory of 5036 3128 Bjddphlq.exe 98 PID 5036 wrote to memory of 3100 5036 Bnpppgdj.exe 99 PID 5036 wrote to memory of 3100 5036 Bnpppgdj.exe 99 PID 5036 wrote to memory of 3100 5036 Bnpppgdj.exe 99 PID 3100 wrote to memory of 4204 3100 Banllbdn.exe 100 PID 3100 wrote to memory of 4204 3100 Banllbdn.exe 100 PID 3100 wrote to memory of 4204 3100 Banllbdn.exe 100 PID 4204 wrote to memory of 1128 4204 Bhhdil32.exe 101 PID 4204 wrote to memory of 1128 4204 Bhhdil32.exe 101 PID 4204 wrote to memory of 1128 4204 Bhhdil32.exe 101 PID 1128 wrote to memory of 4652 1128 Bfkedibe.exe 102 PID 1128 wrote to memory of 4652 1128 Bfkedibe.exe 102 PID 1128 wrote to memory of 4652 1128 Bfkedibe.exe 102 PID 4652 wrote to memory of 2664 4652 Bapiabak.exe 103 PID 4652 wrote to memory of 2664 4652 Bapiabak.exe 103 PID 4652 wrote to memory of 2664 4652 Bapiabak.exe 103 PID 2664 wrote to memory of 4156 2664 Chjaol32.exe 104 PID 2664 wrote to memory of 4156 2664 Chjaol32.exe 104 PID 2664 wrote to memory of 4156 2664 Chjaol32.exe 104 PID 4156 wrote to memory of 3448 4156 Cjinkg32.exe 105 PID 4156 wrote to memory of 3448 4156 Cjinkg32.exe 105 PID 4156 wrote to memory of 3448 4156 Cjinkg32.exe 105 PID 3448 wrote to memory of 2328 3448 Cabfga32.exe 106 PID 3448 wrote to memory of 2328 3448 Cabfga32.exe 106 PID 3448 wrote to memory of 2328 3448 Cabfga32.exe 106 PID 2328 wrote to memory of 4892 2328 Cenahpha.exe 107 PID 2328 wrote to memory of 4892 2328 Cenahpha.exe 107 PID 2328 wrote to memory of 4892 2328 Cenahpha.exe 107 PID 4892 wrote to memory of 3192 4892 Cjkjpgfi.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f0a6289bcf40f6f401a20bd988ebe0625bd1cb95bb94abda84e82a8c1de6db4.exe"C:\Users\Admin\AppData\Local\Temp\4f0a6289bcf40f6f401a20bd988ebe0625bd1cb95bb94abda84e82a8c1de6db4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4132 -
C:\Windows\SysWOW64\Bmkjkd32.exeC:\Windows\system32\Bmkjkd32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:3192 -
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe24⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe25⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe26⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe27⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe28⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Ceehho32.exeC:\Windows\system32\Ceehho32.exe29⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe30⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe31⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe32⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe33⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe34⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe35⤵
- Executes dropped EXE
PID:3796 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe36⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe38⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3272 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe40⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe41⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:4588 -
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe44⤵
- Executes dropped EXE
PID:3212 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe45⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe46⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe47⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe48⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe49⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe50⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe51⤵
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe52⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe53⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe54⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Egdqae32.exeC:\Windows\system32\Egdqae32.exe55⤵
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\Ekpmbddq.exeC:\Windows\system32\Ekpmbddq.exe56⤵PID:2960
-
C:\Windows\SysWOW64\Eajeon32.exeC:\Windows\system32\Eajeon32.exe57⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Edhakj32.exeC:\Windows\system32\Edhakj32.exe58⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Eggmge32.exeC:\Windows\system32\Eggmge32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Ekbihd32.exeC:\Windows\system32\Ekbihd32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:4376 -
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe61⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe62⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Egijmegb.exeC:\Windows\system32\Egijmegb.exe63⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe64⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Emcbio32.exeC:\Windows\system32\Emcbio32.exe65⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe66⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe67⤵PID:4680
-
C:\Windows\SysWOW64\Ekgbccni.exeC:\Windows\system32\Ekgbccni.exe68⤵PID:2416
-
C:\Windows\SysWOW64\Eaakpm32.exeC:\Windows\system32\Eaakpm32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4884 -
C:\Windows\SysWOW64\Eemgplno.exeC:\Windows\system32\Eemgplno.exe70⤵PID:2116
-
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe71⤵PID:3784
-
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe72⤵PID:4464
-
C:\Windows\SysWOW64\Eachem32.exeC:\Windows\system32\Eachem32.exe73⤵PID:3364
-
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe74⤵PID:4116
-
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe75⤵PID:3444
-
C:\Windows\SysWOW64\Fkllnbjc.exeC:\Windows\system32\Fkllnbjc.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4124 -
C:\Windows\SysWOW64\Fafdkmap.exeC:\Windows\system32\Fafdkmap.exe77⤵PID:4324
-
C:\Windows\SysWOW64\Fddqghpd.exeC:\Windows\system32\Fddqghpd.exe78⤵PID:2180
-
C:\Windows\SysWOW64\Fgbmccpg.exeC:\Windows\system32\Fgbmccpg.exe79⤵PID:3756
-
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe80⤵PID:4388
-
C:\Windows\SysWOW64\Fhbimf32.exeC:\Windows\system32\Fhbimf32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4844 -
C:\Windows\SysWOW64\Fgeihcme.exeC:\Windows\system32\Fgeihcme.exe82⤵PID:540
-
C:\Windows\SysWOW64\Folaiqng.exeC:\Windows\system32\Folaiqng.exe83⤵PID:2296
-
C:\Windows\SysWOW64\Fajnfl32.exeC:\Windows\system32\Fajnfl32.exe84⤵
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Fggfnc32.exeC:\Windows\system32\Fggfnc32.exe85⤵PID:1828
-
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe86⤵PID:3152
-
C:\Windows\SysWOW64\Famjkl32.exeC:\Windows\system32\Famjkl32.exe87⤵PID:3600
-
C:\Windows\SysWOW64\Fdkggg32.exeC:\Windows\system32\Fdkggg32.exe88⤵PID:5112
-
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe89⤵PID:5164
-
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe90⤵PID:5208
-
C:\Windows\SysWOW64\Gdncmghi.exeC:\Windows\system32\Gdncmghi.exe91⤵PID:5260
-
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe92⤵PID:5304
-
C:\Windows\SysWOW64\Gkglja32.exeC:\Windows\system32\Gkglja32.exe93⤵PID:5352
-
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe94⤵PID:5396
-
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe95⤵PID:5444
-
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe96⤵
- Drops file in System32 directory
PID:5488 -
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe97⤵PID:5532
-
C:\Windows\SysWOW64\Gkjhoq32.exeC:\Windows\system32\Gkjhoq32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5580 -
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe99⤵
- Drops file in System32 directory
PID:5624 -
C:\Windows\SysWOW64\Gadqlkep.exeC:\Windows\system32\Gadqlkep.exe100⤵PID:5668
-
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe101⤵PID:5808
-
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe102⤵PID:5852
-
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe103⤵
- Drops file in System32 directory
PID:5896 -
C:\Windows\SysWOW64\Gnkaalkd.exeC:\Windows\system32\Gnkaalkd.exe104⤵PID:5940
-
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe105⤵PID:5984
-
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe106⤵PID:6024
-
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe107⤵PID:6068
-
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe108⤵PID:6116
-
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe109⤵PID:5152
-
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe110⤵PID:5216
-
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe111⤵PID:5288
-
C:\Windows\SysWOW64\Ghbbcd32.exeC:\Windows\system32\Ghbbcd32.exe112⤵PID:5336
-
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe113⤵PID:5420
-
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe114⤵PID:5496
-
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe115⤵PID:5564
-
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe116⤵PID:5652
-
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe117⤵PID:5716
-
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe118⤵PID:5776
-
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe119⤵PID:5828
-
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe120⤵PID:5880
-
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe121⤵PID:5972
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-