Analysis
-
max time kernel
93s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 01:22
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54.exe
-
Size
136KB
-
MD5
51ccf32bb2a6adb5bf0bf98ddebfd501
-
SHA1
a953350d46dbd1e456a0162927b18ddfc4ca0517
-
SHA256
8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54
-
SHA512
31250e964dbea95089e15757d503e1a5d10c8ac9f376911f849a7b6d9f1161e19aeb22102da810dfff7a468fd632d44ae3e37c77b8fb1214f968f3069c6710d9
-
SSDEEP
1536:LkHMolYxM+6uyi8NkT3qqEvXFimOI0v0zkA01QSf9ve5XRlKjz0cZ44mjD9r8230:khIJT4XFimZN01x5e5XRlri/mjRrz3OT
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjpckf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hffcmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eaindh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggnlobej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnkcogno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eleepoob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioambknl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dclkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llbidimc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epagkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhdbhcck.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfningai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmaopfjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgbnlmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmpgldhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Beihma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijkdmhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neppokal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhfedm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdccbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jknfcofa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecmeig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbileede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mplafeil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljaoeini.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eehicoel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkllnbjc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlpeff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaopfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oigllh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plagcbdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaalblgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dccbbhld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dceohhja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iigdfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akqfkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifgbnlmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qffbbldm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgpmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llcpoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edknqiho.exe -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral2/files/0x0008000000022f51-6.dat UPX behavioral2/files/0x0008000000023412-14.dat UPX behavioral2/files/0x0007000000023414-22.dat UPX behavioral2/files/0x0007000000023416-30.dat UPX behavioral2/files/0x0007000000023418-39.dat UPX behavioral2/files/0x000700000002341a-46.dat UPX behavioral2/files/0x000700000002341c-54.dat UPX behavioral2/files/0x000700000002341e-62.dat UPX behavioral2/files/0x0007000000023420-70.dat UPX behavioral2/files/0x0007000000023422-78.dat UPX behavioral2/files/0x0007000000023424-86.dat UPX behavioral2/files/0x0007000000023426-94.dat UPX behavioral2/files/0x0007000000023428-102.dat UPX behavioral2/files/0x000700000002342a-110.dat UPX behavioral2/files/0x000700000002342c-118.dat UPX behavioral2/files/0x000700000002342e-126.dat UPX behavioral2/files/0x0007000000023430-134.dat UPX behavioral2/files/0x0007000000023432-142.dat UPX behavioral2/files/0x0007000000023434-150.dat UPX behavioral2/files/0x0007000000023436-158.dat UPX behavioral2/files/0x0007000000023438-166.dat UPX behavioral2/files/0x000700000002343a-174.dat UPX behavioral2/files/0x000700000002343c-177.dat UPX behavioral2/files/0x000700000002343c-182.dat UPX behavioral2/files/0x0008000000023410-190.dat UPX behavioral2/files/0x000700000002343f-198.dat UPX behavioral2/files/0x0007000000023441-206.dat UPX behavioral2/files/0x0007000000023443-214.dat UPX behavioral2/files/0x0008000000023444-222.dat UPX behavioral2/files/0x0007000000023448-230.dat UPX behavioral2/files/0x000700000002344a-238.dat UPX behavioral2/files/0x0005000000022abb-246.dat UPX behavioral2/files/0x000700000002344d-254.dat UPX behavioral2/files/0x000700000002345f-305.dat UPX behavioral2/files/0x0007000000023465-323.dat UPX behavioral2/files/0x0007000000023475-371.dat UPX behavioral2/files/0x000700000002347b-389.dat UPX behavioral2/files/0x0007000000023483-413.dat UPX behavioral2/files/0x0007000000023487-425.dat UPX behavioral2/files/0x0007000000023493-456.dat UPX behavioral2/files/0x0007000000023499-474.dat UPX behavioral2/files/0x00070000000234a3-504.dat UPX behavioral2/files/0x00070000000234ad-534.dat UPX behavioral2/files/0x00070000000234b5-561.dat UPX behavioral2/files/0x00070000000234b9-574.dat UPX behavioral2/files/0x00070000000234bd-587.dat UPX behavioral2/files/0x00070000000234c1-601.dat UPX behavioral2/files/0x00070000000234cb-635.dat UPX behavioral2/files/0x00070000000234cf-649.dat UPX behavioral2/files/0x00070000000234dd-698.dat UPX behavioral2/files/0x00070000000234e3-719.dat UPX behavioral2/files/0x00070000000234e7-733.dat UPX behavioral2/files/0x00070000000234eb-747.dat UPX behavioral2/files/0x00070000000234ef-761.dat UPX behavioral2/files/0x0007000000023501-822.dat UPX behavioral2/files/0x0007000000023511-879.dat UPX behavioral2/files/0x0007000000023517-899.dat UPX behavioral2/files/0x0007000000023519-907.dat UPX behavioral2/files/0x000700000002351d-920.dat UPX behavioral2/files/0x0007000000023527-954.dat UPX behavioral2/files/0x000700000002352f-982.dat UPX behavioral2/files/0x0007000000023541-1045.dat UPX behavioral2/files/0x0007000000023549-1073.dat UPX behavioral2/files/0x0007000000023559-1129.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 116 Ocgdji32.exe 2252 Ojalgcnd.exe 2600 Onmhgb32.exe 4496 Odgqdlnj.exe 2892 Pjdilcla.exe 3300 Pbkamqmd.exe 3052 Pclneicb.exe 4216 Pkceffcd.exe 1420 Pnbbbabh.exe 2888 Pcojkhap.exe 1972 Pkfblfab.exe 5024 Pndohaqe.exe 1164 Pcagphom.exe 4580 Pkhoae32.exe 3184 Pbbgnpgl.exe 2824 Pcccfh32.exe 5040 Pkjlge32.exe 3988 Pbddcoei.exe 2164 Qcepkg32.exe 3604 Qkmhlekj.exe 2912 Qajadlja.exe 1596 Qloebdig.exe 2932 Qbimoo32.exe 4772 Acjjfggb.exe 844 Abkjdnoa.exe 3232 Ahhblemi.exe 4948 Aaqgek32.exe 2968 Alfkbc32.exe 2408 Andgoobc.exe 4692 Adapgfqj.exe 1056 Ajkhdp32.exe 2908 Aaepqjpd.exe 1332 Adcmmeog.exe 4412 Ajneip32.exe 3304 Abemjmgg.exe 4392 Becifhfj.exe 4492 Bhaebcen.exe 2288 Bjpaooda.exe 1524 Bajjli32.exe 2860 Bhdbhcck.exe 532 Behbag32.exe 3152 Bopgjmhe.exe 2284 Bdmpcdfm.exe 2204 Bobcpmfc.exe 4432 Bdolhc32.exe 3536 Boepel32.exe 1060 Chmeobkq.exe 2488 Cafigg32.exe 1356 Cojjqlpk.exe 1204 Chbnia32.exe 4176 Colffknh.exe 4284 Clpgpp32.exe 2976 Cdkldb32.exe 3056 Ckedalaj.exe 4020 Dldpkoil.exe 3748 Doeiljfn.exe 836 Dccbbhld.exe 3320 Deanodkh.exe 4364 Dceohhja.exe 2144 Dedkdcie.exe 1520 Ekacmjgl.exe 2792 Echknh32.exe 3136 Eoolbinc.exe 1076 Eeidoc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ciepangh.dll Llbidimc.exe File created C:\Windows\SysWOW64\Jadelk32.dll Lbngllob.exe File created C:\Windows\SysWOW64\Chmeobkq.exe Boepel32.exe File created C:\Windows\SysWOW64\Dngjff32.exe Dmennnni.exe File opened for modification C:\Windows\SysWOW64\Gfeaopqo.exe Fnnjmbpm.exe File created C:\Windows\SysWOW64\Jcgmgn32.dll Process not Found File created C:\Windows\SysWOW64\Hlbpmd32.dll Jqglkmlj.exe File created C:\Windows\SysWOW64\Oifdaage.dll Mhilfa32.exe File opened for modification C:\Windows\SysWOW64\Fkllnbjc.exe Fdbdah32.exe File opened for modification C:\Windows\SysWOW64\Hglipp32.exe Hfklhhcl.exe File created C:\Windows\SysWOW64\Pfhkccfn.dll Jkaqnk32.exe File created C:\Windows\SysWOW64\Nmfgbl32.dll Nchjdo32.exe File opened for modification C:\Windows\SysWOW64\Eqdpgk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jblmgf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fllpbldb.exe Fdegandp.exe File created C:\Windows\SysWOW64\Clkgcdmh.dll Ggqida32.exe File created C:\Windows\SysWOW64\Ebjcajjd.exe Ecgcfm32.exe File created C:\Windows\SysWOW64\Gckdpj32.dll Eidlnd32.exe File created C:\Windows\SysWOW64\Fljcmlfd.exe Eepjpb32.exe File created C:\Windows\SysWOW64\Kggcnoic.exe Kmaopfjm.exe File opened for modification C:\Windows\SysWOW64\Mcjmel32.exe Mmpdhboj.exe File created C:\Windows\SysWOW64\Elkllcbh.dll Dngjff32.exe File created C:\Windows\SysWOW64\Cpkgohbq.dll Process not Found File created C:\Windows\SysWOW64\Qkhnbpne.dll Process not Found File opened for modification C:\Windows\SysWOW64\Aeiofcji.exe Ambgef32.exe File created C:\Windows\SysWOW64\Dlmmaqlm.dll Hildmn32.exe File opened for modification C:\Windows\SysWOW64\Jmpgldhg.exe Jbjcolha.exe File opened for modification C:\Windows\SysWOW64\Bihjfnmm.exe Bggnof32.exe File created C:\Windows\SysWOW64\Bdpaeehj.exe Baadiiif.exe File created C:\Windows\SysWOW64\Glipgf32.exe Geohklaa.exe File opened for modification C:\Windows\SysWOW64\Ojomcopk.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ipknlb32.exe Iefioj32.exe File created C:\Windows\SysWOW64\Iohjlmeg.exe Hgabkoee.exe File created C:\Windows\SysWOW64\Njiegl32.exe Nemmoe32.exe File created C:\Windows\SysWOW64\Iglhgnlj.dll Obcceg32.exe File opened for modification C:\Windows\SysWOW64\Nclbpf32.exe Process not Found File created C:\Windows\SysWOW64\Imhfhnmm.dll Igmagnkg.exe File created C:\Windows\SysWOW64\Ladfllde.dll Hloqml32.exe File opened for modification C:\Windows\SysWOW64\Gihgfk32.exe Gemkelcd.exe File opened for modification C:\Windows\SysWOW64\Jqiipljg.exe Jjopcb32.exe File created C:\Windows\SysWOW64\Gcbpne32.dll Miaboe32.exe File created C:\Windows\SysWOW64\Iipejo32.dll Cabomkll.exe File created C:\Windows\SysWOW64\Jkoepmnk.dll Cmjemflb.exe File created C:\Windows\SysWOW64\Iaheeaan.dll Jioaqfcc.exe File opened for modification C:\Windows\SysWOW64\Jihbip32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ogkcpbam.exe Opakbi32.exe File opened for modification C:\Windows\SysWOW64\Bcjlcn32.exe Bgcknmop.exe File opened for modification C:\Windows\SysWOW64\Jdfjld32.exe Jjafok32.exe File created C:\Windows\SysWOW64\Gidnkkpc.exe Gfeaopqo.exe File opened for modification C:\Windows\SysWOW64\Ggqida32.exe Gdbmhf32.exe File created C:\Windows\SysWOW64\Imqpnq32.dll Process not Found File created C:\Windows\SysWOW64\Pfccogfc.exe Process not Found File created C:\Windows\SysWOW64\Pickil32.dll Okkdic32.exe File created C:\Windows\SysWOW64\Ebnfbcbc.exe Ekdnei32.exe File created C:\Windows\SysWOW64\Lmgfda32.exe Lbabgh32.exe File opened for modification C:\Windows\SysWOW64\Bfkedibe.exe Beihma32.exe File created C:\Windows\SysWOW64\Neclenfo.exe Nnicid32.exe File created C:\Windows\SysWOW64\Hgdlndji.dll Amodep32.exe File opened for modification C:\Windows\SysWOW64\Dflfac32.exe Dndnpf32.exe File created C:\Windows\SysWOW64\Glhimp32.exe Process not Found File created C:\Windows\SysWOW64\Hofdacke.exe Hmhhehlb.exe File opened for modification C:\Windows\SysWOW64\Dahhio32.exe Doilmc32.exe File created C:\Windows\SysWOW64\Cidcnbjk.dll Process not Found File created C:\Windows\SysWOW64\Chgnfq32.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 14160 2964 Process not Found 1506 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbaipkbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Haafcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inainbcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmiciaaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbnngbbn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Haafcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbmje32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goniok32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diadam32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbddcoei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbohan32.dll" Abemjmgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjepjkhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qqffjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhilfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifomef32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clpgpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bopocbcq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfokoelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkdjo32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilnjmilq.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll" Nilcjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jiaglp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbchdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpkbnj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhijoaa.dll" Lbabgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cabomkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkhimi32.dll" Eaindh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khoana32.dll" Nhokljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pogppn32.dll" Mpnnle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjehmfch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohcia32.dll" Cffmfadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdblhj32.dll" Flkdfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekacmjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipligd32.dll" Hfpecg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghmbno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkmioc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oeoblb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bakgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffgqqaip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbenmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heomgj32.dll" Fllpbldb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dahhio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edhakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbemjj32.dll" Dannij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpdfhgmd.dll" Mcjmel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgeaifia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okilfdgl.dll" Dcogje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmjim32.dll" Gncchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npmagine.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekgbccni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jehhaaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phcomcng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fijgdejm.dll" Objpoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efafgifc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qkmhlekj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imakkfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfklhhcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iangld32.dll" Ijcahd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdglmkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqnpfi32.dll" Nlcalieg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2684 wrote to memory of 116 2684 8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54.exe 80 PID 2684 wrote to memory of 116 2684 8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54.exe 80 PID 2684 wrote to memory of 116 2684 8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54.exe 80 PID 116 wrote to memory of 2252 116 Ocgdji32.exe 82 PID 116 wrote to memory of 2252 116 Ocgdji32.exe 82 PID 116 wrote to memory of 2252 116 Ocgdji32.exe 82 PID 2252 wrote to memory of 2600 2252 Ojalgcnd.exe 83 PID 2252 wrote to memory of 2600 2252 Ojalgcnd.exe 83 PID 2252 wrote to memory of 2600 2252 Ojalgcnd.exe 83 PID 2600 wrote to memory of 4496 2600 Onmhgb32.exe 84 PID 2600 wrote to memory of 4496 2600 Onmhgb32.exe 84 PID 2600 wrote to memory of 4496 2600 Onmhgb32.exe 84 PID 4496 wrote to memory of 2892 4496 Odgqdlnj.exe 86 PID 4496 wrote to memory of 2892 4496 Odgqdlnj.exe 86 PID 4496 wrote to memory of 2892 4496 Odgqdlnj.exe 86 PID 2892 wrote to memory of 3300 2892 Pjdilcla.exe 87 PID 2892 wrote to memory of 3300 2892 Pjdilcla.exe 87 PID 2892 wrote to memory of 3300 2892 Pjdilcla.exe 87 PID 3300 wrote to memory of 3052 3300 Pbkamqmd.exe 88 PID 3300 wrote to memory of 3052 3300 Pbkamqmd.exe 88 PID 3300 wrote to memory of 3052 3300 Pbkamqmd.exe 88 PID 3052 wrote to memory of 4216 3052 Pclneicb.exe 89 PID 3052 wrote to memory of 4216 3052 Pclneicb.exe 89 PID 3052 wrote to memory of 4216 3052 Pclneicb.exe 89 PID 4216 wrote to memory of 1420 4216 Pkceffcd.exe 90 PID 4216 wrote to memory of 1420 4216 Pkceffcd.exe 90 PID 4216 wrote to memory of 1420 4216 Pkceffcd.exe 90 PID 1420 wrote to memory of 2888 1420 Pnbbbabh.exe 92 PID 1420 wrote to memory of 2888 1420 Pnbbbabh.exe 92 PID 1420 wrote to memory of 2888 1420 Pnbbbabh.exe 92 PID 2888 wrote to memory of 1972 2888 Pcojkhap.exe 93 PID 2888 wrote to memory of 1972 2888 Pcojkhap.exe 93 PID 2888 wrote to memory of 1972 2888 Pcojkhap.exe 93 PID 1972 wrote to memory of 5024 1972 Pkfblfab.exe 94 PID 1972 wrote to memory of 5024 1972 Pkfblfab.exe 94 PID 1972 wrote to memory of 5024 1972 Pkfblfab.exe 94 PID 5024 wrote to memory of 1164 5024 Pndohaqe.exe 95 PID 5024 wrote to memory of 1164 5024 Pndohaqe.exe 95 PID 5024 wrote to memory of 1164 5024 Pndohaqe.exe 95 PID 1164 wrote to memory of 4580 1164 Pcagphom.exe 96 PID 1164 wrote to memory of 4580 1164 Pcagphom.exe 96 PID 1164 wrote to memory of 4580 1164 Pcagphom.exe 96 PID 4580 wrote to memory of 3184 4580 Pkhoae32.exe 97 PID 4580 wrote to memory of 3184 4580 Pkhoae32.exe 97 PID 4580 wrote to memory of 3184 4580 Pkhoae32.exe 97 PID 3184 wrote to memory of 2824 3184 Pbbgnpgl.exe 98 PID 3184 wrote to memory of 2824 3184 Pbbgnpgl.exe 98 PID 3184 wrote to memory of 2824 3184 Pbbgnpgl.exe 98 PID 2824 wrote to memory of 5040 2824 Pcccfh32.exe 99 PID 2824 wrote to memory of 5040 2824 Pcccfh32.exe 99 PID 2824 wrote to memory of 5040 2824 Pcccfh32.exe 99 PID 5040 wrote to memory of 3988 5040 Pkjlge32.exe 100 PID 5040 wrote to memory of 3988 5040 Pkjlge32.exe 100 PID 5040 wrote to memory of 3988 5040 Pkjlge32.exe 100 PID 3988 wrote to memory of 2164 3988 Pbddcoei.exe 101 PID 3988 wrote to memory of 2164 3988 Pbddcoei.exe 101 PID 3988 wrote to memory of 2164 3988 Pbddcoei.exe 101 PID 2164 wrote to memory of 3604 2164 Qcepkg32.exe 102 PID 2164 wrote to memory of 3604 2164 Qcepkg32.exe 102 PID 2164 wrote to memory of 3604 2164 Qcepkg32.exe 102 PID 3604 wrote to memory of 2912 3604 Qkmhlekj.exe 103 PID 3604 wrote to memory of 2912 3604 Qkmhlekj.exe 103 PID 3604 wrote to memory of 2912 3604 Qkmhlekj.exe 103 PID 2912 wrote to memory of 1596 2912 Qajadlja.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54.exe"C:\Users\Admin\AppData\Local\Temp\8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe23⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe24⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe25⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe26⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe27⤵
- Executes dropped EXE
PID:3232 -
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe28⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe29⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe30⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe31⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe32⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe33⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe34⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe35⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:3304 -
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe37⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe38⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe39⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe40⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe42⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe43⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe44⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe45⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe46⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3536 -
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe48⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe49⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe50⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe51⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe52⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:4284 -
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe54⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe55⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe56⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe57⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Dccbbhld.exeC:\Windows\system32\Dccbbhld.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe59⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe61⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe63⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe64⤵PID:2356
-
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe65⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe66⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Ehgqln32.exeC:\Windows\system32\Ehgqln32.exe67⤵PID:2644
-
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:452 -
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe69⤵PID:3716
-
C:\Windows\SysWOW64\Ekhjmiad.exeC:\Windows\system32\Ekhjmiad.exe70⤵PID:2724
-
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe71⤵PID:4792
-
C:\Windows\SysWOW64\Elgfgl32.exeC:\Windows\system32\Elgfgl32.exe72⤵PID:2208
-
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe73⤵PID:4624
-
C:\Windows\SysWOW64\Eepjpb32.exeC:\Windows\system32\Eepjpb32.exe74⤵
- Drops file in System32 directory
PID:996 -
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe75⤵PID:968
-
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe76⤵
- Drops file in System32 directory
PID:3128 -
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe77⤵
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Ffddka32.exeC:\Windows\system32\Ffddka32.exe78⤵PID:4460
-
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe79⤵PID:4660
-
C:\Windows\SysWOW64\Fomhdg32.exeC:\Windows\system32\Fomhdg32.exe80⤵PID:1592
-
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe81⤵
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe82⤵PID:1632
-
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe83⤵PID:2656
-
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe84⤵PID:1800
-
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe85⤵PID:1032
-
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe86⤵PID:1668
-
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe87⤵PID:2896
-
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe88⤵PID:1476
-
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe89⤵PID:1664
-
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe90⤵PID:2704
-
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe91⤵PID:4080
-
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe92⤵PID:1692
-
C:\Windows\SysWOW64\Gfbploob.exeC:\Windows\system32\Gfbploob.exe93⤵PID:4860
-
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe94⤵PID:400
-
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe95⤵PID:396
-
C:\Windows\SysWOW64\Gdhmnlcj.exeC:\Windows\system32\Gdhmnlcj.exe96⤵PID:4868
-
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe97⤵PID:1556
-
C:\Windows\SysWOW64\Gblngpbd.exeC:\Windows\system32\Gblngpbd.exe98⤵PID:4416
-
C:\Windows\SysWOW64\Hiefcj32.exeC:\Windows\system32\Hiefcj32.exe99⤵PID:4404
-
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe100⤵PID:2440
-
C:\Windows\SysWOW64\Hfifmnij.exeC:\Windows\system32\Hfifmnij.exe101⤵PID:4880
-
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe102⤵PID:1680
-
C:\Windows\SysWOW64\Hobkfd32.exeC:\Windows\system32\Hobkfd32.exe103⤵PID:5112
-
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe104⤵PID:976
-
C:\Windows\SysWOW64\Hijooifk.exeC:\Windows\system32\Hijooifk.exe105⤵PID:2560
-
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe106⤵PID:4820
-
C:\Windows\SysWOW64\Hbbdholl.exeC:\Windows\system32\Hbbdholl.exe107⤵PID:1516
-
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe108⤵
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe109⤵PID:608
-
C:\Windows\SysWOW64\Hecmijim.exeC:\Windows\system32\Hecmijim.exe110⤵PID:5144
-
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe111⤵PID:5188
-
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe112⤵PID:5236
-
C:\Windows\SysWOW64\Iefioj32.exeC:\Windows\system32\Iefioj32.exe113⤵
- Drops file in System32 directory
PID:5276 -
C:\Windows\SysWOW64\Ipknlb32.exeC:\Windows\system32\Ipknlb32.exe114⤵PID:5324
-
C:\Windows\SysWOW64\Ifefimom.exeC:\Windows\system32\Ifefimom.exe115⤵PID:5368
-
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe116⤵PID:5412
-
C:\Windows\SysWOW64\Icifbang.exeC:\Windows\system32\Icifbang.exe117⤵PID:5452
-
C:\Windows\SysWOW64\Ifgbnlmj.exeC:\Windows\system32\Ifgbnlmj.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5492 -
C:\Windows\SysWOW64\Imakkfdg.exeC:\Windows\system32\Imakkfdg.exe119⤵
- Modifies registry class
PID:5536 -
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe120⤵PID:5580
-
C:\Windows\SysWOW64\Iihkpg32.exeC:\Windows\system32\Iihkpg32.exe121⤵PID:5624
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-