Analysis
-
max time kernel
149s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
08/05/2024, 23:23
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
6453cc1e3a35f94d9da1dffcfca45303f072e5d41547396c1651b9e83a786fcf.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
6453cc1e3a35f94d9da1dffcfca45303f072e5d41547396c1651b9e83a786fcf.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
6453cc1e3a35f94d9da1dffcfca45303f072e5d41547396c1651b9e83a786fcf.exe
-
Size
207KB
-
MD5
aa811d60c2cfe86e6f315a063ee1aa8c
-
SHA1
af9dafb89654cffc14c90ef4be1ec5c4d1a8d8cd
-
SHA256
6453cc1e3a35f94d9da1dffcfca45303f072e5d41547396c1651b9e83a786fcf
-
SHA512
25ef6caad494c0767acf20a0bc662b787557cbba8f0c9a1b1bf8232a646e86a08d4e3a954dbdf79bdd6c069e4ca4454c4cc59d228ca6423ff2ddc0ec2910f77c
-
SSDEEP
3072:s1mcEhPCKZZDUjMb7VjoSdoxx4KcWmjRrzyAyAtWgoJSWYVo2ASOvojoS:s1m3h5gW7Vjj+VPj92d62ASOwj
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjhlml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmehkqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anpncp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Doeiljfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pclgkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpebpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npjebj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdegnep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdkldb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dccbbhld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdcbom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bagflcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Danecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kipabjil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnhfee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cehkhecb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Delnin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odpjcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdhmnlcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpppnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnmcjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beihma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceehho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dodbbdbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mahbje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdpalp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dddojq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcgffqei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Deagdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnjbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opakbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqfdnhfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chcddk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhocqigp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqmjog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkjkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caebma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Miemjaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdmnlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olmeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dadeieea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcckif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbbkaako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdbiedpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ceehho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhkapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lekehdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqfdnhfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddjejl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nilcjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmnpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Calhnpgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpebpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgddhf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obangb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chpada32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoaihhlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfkgjdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfnjafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Daaicfgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icifbang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieolehop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojoign32.exe -
Detects Windows executables referencing non-Windows User-Agents 1 IoCs
resource yara_rule behavioral2/memory/2720-614-0x0000000000400000-0x000000000045B000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral2/files/0x000800000002328e-6.dat UPX behavioral2/files/0x0008000000023428-13.dat UPX behavioral2/files/0x000700000002342a-22.dat UPX behavioral2/files/0x000700000002342c-25.dat UPX behavioral2/files/0x000700000002342c-30.dat UPX behavioral2/files/0x000700000002342e-39.dat UPX behavioral2/files/0x0007000000023430-46.dat UPX behavioral2/files/0x0007000000023432-54.dat UPX behavioral2/files/0x0007000000023434-62.dat UPX behavioral2/files/0x0007000000023436-70.dat UPX behavioral2/files/0x0007000000023438-78.dat UPX behavioral2/files/0x000700000002343a-86.dat UPX behavioral2/memory/1644-87-0x0000000000400000-0x000000000045B000-memory.dmp UPX behavioral2/files/0x000700000002343c-94.dat UPX behavioral2/files/0x000700000002343e-102.dat UPX behavioral2/files/0x0007000000023440-105.dat UPX behavioral2/files/0x0007000000023441-118.dat UPX behavioral2/files/0x0007000000023443-126.dat UPX behavioral2/files/0x0007000000023445-134.dat UPX behavioral2/files/0x0007000000023448-137.dat UPX behavioral2/files/0x0007000000023448-142.dat UPX behavioral2/files/0x0008000000023447-150.dat UPX behavioral2/files/0x000700000002344c-157.dat UPX behavioral2/files/0x000700000002344e-166.dat UPX behavioral2/files/0x0007000000023450-174.dat UPX behavioral2/files/0x0007000000023452-182.dat UPX behavioral2/files/0x0008000000023454-190.dat UPX behavioral2/files/0x0007000000023457-198.dat UPX behavioral2/files/0x0007000000023459-206.dat UPX behavioral2/files/0x000a000000023392-214.dat UPX behavioral2/files/0x000700000002345c-222.dat UPX behavioral2/files/0x000900000002338e-230.dat UPX behavioral2/files/0x000700000002345f-238.dat UPX behavioral2/files/0x0007000000023461-246.dat UPX behavioral2/files/0x0007000000023463-254.dat UPX behavioral2/memory/1500-265-0x0000000000400000-0x000000000045B000-memory.dmp UPX behavioral2/memory/4468-277-0x0000000000400000-0x000000000045B000-memory.dmp UPX behavioral2/files/0x000700000002347f-332.dat UPX behavioral2/memory/4644-348-0x0000000000400000-0x000000000045B000-memory.dmp UPX behavioral2/files/0x0007000000023485-349.dat UPX behavioral2/memory/432-354-0x0000000000400000-0x000000000045B000-memory.dmp UPX behavioral2/memory/5028-360-0x0000000000400000-0x000000000045B000-memory.dmp UPX behavioral2/memory/1532-366-0x0000000000400000-0x000000000045B000-memory.dmp UPX behavioral2/files/0x000700000002348b-368.dat UPX behavioral2/memory/1652-372-0x0000000000400000-0x000000000045B000-memory.dmp UPX behavioral2/memory/3764-378-0x0000000000400000-0x000000000045B000-memory.dmp UPX behavioral2/memory/1968-388-0x0000000000400000-0x000000000045B000-memory.dmp UPX behavioral2/memory/3032-390-0x0000000000400000-0x000000000045B000-memory.dmp UPX behavioral2/memory/428-485-0x0000000000400000-0x000000000045B000-memory.dmp UPX behavioral2/memory/5108-504-0x0000000000400000-0x000000000045B000-memory.dmp UPX behavioral2/memory/772-511-0x0000000000400000-0x000000000045B000-memory.dmp UPX behavioral2/files/0x00070000000234b6-528.dat UPX behavioral2/files/0x00070000000234bc-549.dat UPX behavioral2/memory/2208-587-0x0000000000400000-0x000000000045B000-memory.dmp UPX behavioral2/files/0x00080000000234c6-622.dat UPX behavioral2/files/0x00070000000234f1-727.dat UPX behavioral2/files/0x0007000000023519-854.dat UPX behavioral2/files/0x0007000000023523-887.dat UPX behavioral2/files/0x0007000000023527-901.dat UPX behavioral2/files/0x0007000000023535-944.dat UPX behavioral2/files/0x000700000002353b-965.dat UPX behavioral2/files/0x0007000000023541-986.dat UPX behavioral2/files/0x000700000002354b-1020.dat UPX behavioral2/files/0x000700000002354f-1034.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 1312 Kbfiep32.exe 3044 Kipabjil.exe 4764 Kagichjo.exe 1452 Kckbqpnj.exe 2436 Kkbkamnl.exe 4620 Lgikfn32.exe 1584 Ldmlpbbj.exe 2208 Lkgdml32.exe 3944 Lcbiao32.exe 3228 Laciofpa.exe 1644 Lcdegnep.exe 4372 Lphfpbdi.exe 3716 Lknjmkdo.exe 4856 Mahbje32.exe 4768 Mkpgck32.exe 5036 Mdiklqhm.exe 940 Mkbchk32.exe 1496 Mgidml32.exe 3252 Mpaifalo.exe 4904 Mjjmog32.exe 1252 Mdpalp32.exe 4600 Nnhfee32.exe 1016 Nceonl32.exe 4628 Nnjbke32.exe 2744 Ncgkcl32.exe 4552 Nnmopdep.exe 3516 Ndghmo32.exe 4176 Nkqpjidj.exe 2444 Nggqoj32.exe 4532 Nqpego32.exe 3232 Ncnadk32.exe 4512 Oboaabga.exe 1500 Odnnnnfe.exe 1448 Okhfjh32.exe 4468 Obangb32.exe 640 Odpjcm32.exe 3448 Okjbpglo.exe 4168 Ojmcld32.exe 4576 Obdkma32.exe 4928 Ogaceh32.exe 4624 Ojopad32.exe 3640 Odednmpm.exe 2028 Okolkg32.exe 3216 Oqkdcn32.exe 3956 Pcjapi32.exe 8 Pjdilcla.exe 1120 Pclneicb.exe 4644 Pkceffcd.exe 432 Pnbbbabh.exe 5028 Pcojkhap.exe 1532 Pkfblfab.exe 1652 Pabkdmpi.exe 3764 Pjkombfj.exe 1968 Peqcjkfp.exe 3032 Pgopffec.exe 4160 Pjmlbbdg.exe 1744 Pagdol32.exe 3392 Qcepkg32.exe 4424 Qjpiha32.exe 1216 Qbgqio32.exe 3160 Qeemej32.exe 4000 Qgciaf32.exe 3292 Qbimoo32.exe 4044 Aegikj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gohibf32.dll Cklaknjd.exe File created C:\Windows\SysWOW64\Imakkfdg.exe Icifbang.exe File opened for modification C:\Windows\SysWOW64\Pnonbk32.exe Pfhfan32.exe File created C:\Windows\SysWOW64\Dnqmalhn.dll Daolnf32.exe File created C:\Windows\SysWOW64\Jlgbon32.dll Lbjlfi32.exe File created C:\Windows\SysWOW64\Aeiofcji.exe Afhohlbj.exe File opened for modification C:\Windows\SysWOW64\Ogaceh32.exe Obdkma32.exe File created C:\Windows\SysWOW64\Bdhfhe32.exe Bbgipldd.exe File created C:\Windows\SysWOW64\Nnhfee32.exe Mdpalp32.exe File created C:\Windows\SysWOW64\Gfbploob.exe Gmjlcj32.exe File created C:\Windows\SysWOW64\Mipcob32.exe Mbfkbhpa.exe File created C:\Windows\SysWOW64\Ncbknfed.exe Mlhbal32.exe File opened for modification C:\Windows\SysWOW64\Agglboim.exe Aeiofcji.exe File created C:\Windows\SysWOW64\Ckmllpik.dll Cjmgfgdf.exe File created C:\Windows\SysWOW64\Copfjgjf.dll Qbimoo32.exe File created C:\Windows\SysWOW64\Dkgqfl32.exe Dhidjpqc.exe File created C:\Windows\SysWOW64\Inlekh32.dll Ehljfnpn.exe File created C:\Windows\SysWOW64\Gkkojgao.exe Gbbkaako.exe File opened for modification C:\Windows\SysWOW64\Ojllan32.exe Ocbddc32.exe File created C:\Windows\SysWOW64\Clncadfb.dll Ocdqjceo.exe File created C:\Windows\SysWOW64\Pjmehkqk.exe Pdpmpdbd.exe File created C:\Windows\SysWOW64\Nilcjp32.exe Nepgjaeg.exe File created C:\Windows\SysWOW64\Odgdacjh.dll Nepgjaeg.exe File created C:\Windows\SysWOW64\Mglncdoj.dll Aabmqd32.exe File created C:\Windows\SysWOW64\Imbajm32.dll Bcoenmao.exe File opened for modification C:\Windows\SysWOW64\Chokikeb.exe Caebma32.exe File opened for modification C:\Windows\SysWOW64\Cdfkolkf.exe Cnicfe32.exe File created C:\Windows\SysWOW64\Kkbkamnl.exe Kckbqpnj.exe File opened for modification C:\Windows\SysWOW64\Lcdegnep.exe Laciofpa.exe File created C:\Windows\SysWOW64\Fhpdhp32.dll Mjjmog32.exe File opened for modification C:\Windows\SysWOW64\Peqcjkfp.exe Pjkombfj.exe File created C:\Windows\SysWOW64\Behbag32.exe Blpnib32.exe File created C:\Windows\SysWOW64\Jfcibe32.dll Bhkhibmc.exe File opened for modification C:\Windows\SysWOW64\Olmeci32.exe Ojoign32.exe File created C:\Windows\SysWOW64\Elfana32.dll Aealah32.exe File created C:\Windows\SysWOW64\Deoaid32.exe Dadeieea.exe File created C:\Windows\SysWOW64\Oolpjdob.dll Lpqiemge.exe File created C:\Windows\SysWOW64\Njkoaebi.dll Obdkma32.exe File opened for modification C:\Windows\SysWOW64\Doeiljfn.exe Dkjmlk32.exe File created C:\Windows\SysWOW64\Qadpibkg.dll Dedkdcie.exe File opened for modification C:\Windows\SysWOW64\Cfdhkhjj.exe Cdfkolkf.exe File created C:\Windows\SysWOW64\Cojjqlpk.exe Cknnpm32.exe File created C:\Windows\SysWOW64\Aainof32.dll Ednaqo32.exe File created C:\Windows\SysWOW64\Memcpg32.dll Jehokgge.exe File opened for modification C:\Windows\SysWOW64\Chcddk32.exe Ceehho32.exe File created C:\Windows\SysWOW64\Blpnib32.exe Bdhfhe32.exe File created C:\Windows\SysWOW64\Bhikcb32.exe Bblckl32.exe File opened for modification C:\Windows\SysWOW64\Daolnf32.exe Dbllbibl.exe File created C:\Windows\SysWOW64\Gmlhii32.exe Gfbploob.exe File created C:\Windows\SysWOW64\Ingapb32.dll Jlbgha32.exe File created C:\Windows\SysWOW64\Djgjlelk.exe Ddmaok32.exe File created C:\Windows\SysWOW64\Mkbchk32.exe Mdiklqhm.exe File created C:\Windows\SysWOW64\Aacckjaf.exe Andgoobc.exe File opened for modification C:\Windows\SysWOW64\Ddmhja32.exe Daolnf32.exe File created C:\Windows\SysWOW64\Edkdkplj.exe Eeidoc32.exe File created C:\Windows\SysWOW64\Cfpnph32.exe Cenahpha.exe File opened for modification C:\Windows\SysWOW64\Bhikcb32.exe Bblckl32.exe File created C:\Windows\SysWOW64\Gdhmnlcj.exe Gcfqfc32.exe File opened for modification C:\Windows\SysWOW64\Ldmlpbbj.exe Lgikfn32.exe File created C:\Windows\SysWOW64\Nffbangm.dll Jcgbco32.exe File created C:\Windows\SysWOW64\Pnjknp32.dll Ncbknfed.exe File opened for modification C:\Windows\SysWOW64\Delnin32.exe Dmefhako.exe File created C:\Windows\SysWOW64\Gifhkeje.dll Daconoae.exe File opened for modification C:\Windows\SysWOW64\Mdiklqhm.exe Mkpgck32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8644 9196 WerFault.exe 428 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jehokgge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acqimo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djhgpa32.dll" Eoaihhlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Foabofnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkomqm32.dll" Gmjlcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkblkg32.dll" Ipbdmaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kihgme32.dll" Alkdnboj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdainc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aqppkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjjmog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edihepnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apignbdf.dll" Foabofnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfaklh32.dll" Kemhff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pabkdmpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aegikj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceehho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edkdkplj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbabgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbfkbhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Miemjaci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahmlgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkidenlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ienanm32.dll" Bkidenlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlijfneg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olcbmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Beeoaapl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlpijopg.dll" Cahfmgoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Deoaid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbbhk32.dll" Klimip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnobj32.dll" Ahkobekf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbcilkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Beihma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Danecp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkgdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll" Lbmhlihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qmkadgpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Calhnpgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll" Dfnjafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aegikj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekacmjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leedqpci.dll" Llcpoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecaobgnf.dll" Mipcob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcinbcgc.dll" Ifefimom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmbplc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojllan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll" Pclgkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll" Daconoae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aeopki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cefoce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dadeieea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll" Ojjolnaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mahbje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deanodkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npjebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll" 6453cc1e3a35f94d9da1dffcfca45303f072e5d41547396c1651b9e83a786fcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Andgoobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahmlgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdiooblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dedkdcie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocbddc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lphfpbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnjbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elfana32.dll" Aealah32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4596 wrote to memory of 1312 4596 6453cc1e3a35f94d9da1dffcfca45303f072e5d41547396c1651b9e83a786fcf.exe 80 PID 4596 wrote to memory of 1312 4596 6453cc1e3a35f94d9da1dffcfca45303f072e5d41547396c1651b9e83a786fcf.exe 80 PID 4596 wrote to memory of 1312 4596 6453cc1e3a35f94d9da1dffcfca45303f072e5d41547396c1651b9e83a786fcf.exe 80 PID 1312 wrote to memory of 3044 1312 Kbfiep32.exe 81 PID 1312 wrote to memory of 3044 1312 Kbfiep32.exe 81 PID 1312 wrote to memory of 3044 1312 Kbfiep32.exe 81 PID 3044 wrote to memory of 4764 3044 Kipabjil.exe 82 PID 3044 wrote to memory of 4764 3044 Kipabjil.exe 82 PID 3044 wrote to memory of 4764 3044 Kipabjil.exe 82 PID 4764 wrote to memory of 1452 4764 Kagichjo.exe 83 PID 4764 wrote to memory of 1452 4764 Kagichjo.exe 83 PID 4764 wrote to memory of 1452 4764 Kagichjo.exe 83 PID 1452 wrote to memory of 2436 1452 Kckbqpnj.exe 84 PID 1452 wrote to memory of 2436 1452 Kckbqpnj.exe 84 PID 1452 wrote to memory of 2436 1452 Kckbqpnj.exe 84 PID 2436 wrote to memory of 4620 2436 Kkbkamnl.exe 86 PID 2436 wrote to memory of 4620 2436 Kkbkamnl.exe 86 PID 2436 wrote to memory of 4620 2436 Kkbkamnl.exe 86 PID 4620 wrote to memory of 1584 4620 Lgikfn32.exe 88 PID 4620 wrote to memory of 1584 4620 Lgikfn32.exe 88 PID 4620 wrote to memory of 1584 4620 Lgikfn32.exe 88 PID 1584 wrote to memory of 2208 1584 Ldmlpbbj.exe 89 PID 1584 wrote to memory of 2208 1584 Ldmlpbbj.exe 89 PID 1584 wrote to memory of 2208 1584 Ldmlpbbj.exe 89 PID 2208 wrote to memory of 3944 2208 Lkgdml32.exe 90 PID 2208 wrote to memory of 3944 2208 Lkgdml32.exe 90 PID 2208 wrote to memory of 3944 2208 Lkgdml32.exe 90 PID 3944 wrote to memory of 3228 3944 Lcbiao32.exe 92 PID 3944 wrote to memory of 3228 3944 Lcbiao32.exe 92 PID 3944 wrote to memory of 3228 3944 Lcbiao32.exe 92 PID 3228 wrote to memory of 1644 3228 Laciofpa.exe 93 PID 3228 wrote to memory of 1644 3228 Laciofpa.exe 93 PID 3228 wrote to memory of 1644 3228 Laciofpa.exe 93 PID 1644 wrote to memory of 4372 1644 Lcdegnep.exe 94 PID 1644 wrote to memory of 4372 1644 Lcdegnep.exe 94 PID 1644 wrote to memory of 4372 1644 Lcdegnep.exe 94 PID 4372 wrote to memory of 3716 4372 Lphfpbdi.exe 95 PID 4372 wrote to memory of 3716 4372 Lphfpbdi.exe 95 PID 4372 wrote to memory of 3716 4372 Lphfpbdi.exe 95 PID 3716 wrote to memory of 4856 3716 Lknjmkdo.exe 96 PID 3716 wrote to memory of 4856 3716 Lknjmkdo.exe 96 PID 3716 wrote to memory of 4856 3716 Lknjmkdo.exe 96 PID 4856 wrote to memory of 4768 4856 Mahbje32.exe 97 PID 4856 wrote to memory of 4768 4856 Mahbje32.exe 97 PID 4856 wrote to memory of 4768 4856 Mahbje32.exe 97 PID 4768 wrote to memory of 5036 4768 Mkpgck32.exe 98 PID 4768 wrote to memory of 5036 4768 Mkpgck32.exe 98 PID 4768 wrote to memory of 5036 4768 Mkpgck32.exe 98 PID 5036 wrote to memory of 940 5036 Mdiklqhm.exe 99 PID 5036 wrote to memory of 940 5036 Mdiklqhm.exe 99 PID 5036 wrote to memory of 940 5036 Mdiklqhm.exe 99 PID 940 wrote to memory of 1496 940 Mkbchk32.exe 100 PID 940 wrote to memory of 1496 940 Mkbchk32.exe 100 PID 940 wrote to memory of 1496 940 Mkbchk32.exe 100 PID 1496 wrote to memory of 3252 1496 Mgidml32.exe 101 PID 1496 wrote to memory of 3252 1496 Mgidml32.exe 101 PID 1496 wrote to memory of 3252 1496 Mgidml32.exe 101 PID 3252 wrote to memory of 4904 3252 Mpaifalo.exe 102 PID 3252 wrote to memory of 4904 3252 Mpaifalo.exe 102 PID 3252 wrote to memory of 4904 3252 Mpaifalo.exe 102 PID 4904 wrote to memory of 1252 4904 Mjjmog32.exe 103 PID 4904 wrote to memory of 1252 4904 Mjjmog32.exe 103 PID 4904 wrote to memory of 1252 4904 Mjjmog32.exe 103 PID 1252 wrote to memory of 4600 1252 Mdpalp32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\6453cc1e3a35f94d9da1dffcfca45303f072e5d41547396c1651b9e83a786fcf.exe"C:\Users\Admin\AppData\Local\Temp\6453cc1e3a35f94d9da1dffcfca45303f072e5d41547396c1651b9e83a786fcf.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe24⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4628 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe26⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe27⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe28⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe29⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe30⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe31⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe32⤵
- Executes dropped EXE
PID:3232 -
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe33⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe34⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe35⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe38⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe39⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4576 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe41⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe42⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe43⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe44⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe45⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe46⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe47⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe48⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe49⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe50⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe51⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe52⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3764 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe55⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe56⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe57⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe58⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe59⤵
- Executes dropped EXE
PID:3392 -
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe60⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe61⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe62⤵
- Executes dropped EXE
PID:3160 -
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe63⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3292 -
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:4044 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe66⤵PID:3440
-
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe68⤵PID:2944
-
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe69⤵PID:876
-
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe70⤵PID:4528
-
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe71⤵PID:4844
-
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe72⤵PID:428
-
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe73⤵
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe75⤵PID:5108
-
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe76⤵
- Modifies registry class
PID:3560 -
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe77⤵
- Modifies registry class
PID:772 -
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe78⤵PID:752
-
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe80⤵
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe81⤵PID:4924
-
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe82⤵PID:3444
-
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe83⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe84⤵
- Drops file in System32 directory
PID:3224 -
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe85⤵
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe86⤵PID:4360
-
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe87⤵PID:3704
-
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe88⤵
- Drops file in System32 directory
PID:700 -
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe89⤵PID:852
-
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe90⤵PID:4312
-
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe91⤵PID:2420
-
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe92⤵
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe93⤵
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe94⤵
- Modifies registry class
PID:1440 -
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe95⤵
- Drops file in System32 directory
PID:4028 -
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe96⤵
- Modifies registry class
PID:5140 -
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5180 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe98⤵
- Drops file in System32 directory
PID:5224 -
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe99⤵PID:5264
-
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe100⤵
- Modifies registry class
PID:5304 -
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe101⤵PID:5340
-
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe102⤵PID:5388
-
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe103⤵PID:5428
-
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe104⤵PID:5464
-
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe105⤵
- Modifies registry class
PID:5512 -
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe106⤵
- Modifies registry class
PID:5552 -
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe107⤵PID:5596
-
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe108⤵PID:5636
-
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe109⤵PID:5680
-
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5716 -
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5756 -
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe112⤵PID:5796
-
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe113⤵
- Drops file in System32 directory
PID:5840 -
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe114⤵
- Drops file in System32 directory
PID:5880 -
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe115⤵PID:5920
-
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe116⤵
- Drops file in System32 directory
PID:5956 -
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe117⤵PID:6000
-
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe118⤵PID:6044
-
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6088 -
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe120⤵PID:6128
-
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5164
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-