Analysis
-
max time kernel
143s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
19/05/2024, 21:42
Static task
static1
Behavioral task
behavioral1
Sample
5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe
Resource
win10v2004-20240426-en
General
-
Target
5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe
-
Size
176KB
-
MD5
2bfa18a0411647afe9ef8e51515a1caa
-
SHA1
2b164647d74eaa79b119bff2588b7c602a990ddc
-
SHA256
5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af
-
SHA512
bdc2f8e20e27ed298d5c94e6dee7c0dcf0416dc6849860a4ee94d877e52c8e102d38cff4746808e93aaa9ef0fa359ff369d8d43d94d644671655fd9318f0c3da
-
SSDEEP
3072:2KqccIXV6TBFZnIPQarlOGA8d2E2fAYjmjRrz3E3:6cfMtFZIPQRXE2fAEG4
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Opifnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhiffc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dpqnhadq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihoafpmp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcbellac.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Naimccpo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fcmgfkeg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kifpdelo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bfadgq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hanlnp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Affdle32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Glbqje32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Behnnm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Akqpom32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iccbqh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fbgmbg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkpgfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cinfhigl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekfndmfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lndohedg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Blkioa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpcjnabn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Keanebkb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onjgiiad.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opplolac.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fcjeon32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Albjlcao.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qiladcdh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gblifo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fddmgjpo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lldlqakb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Febfomdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ljkomfjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kopokehd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nlbgikia.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cljcelan.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epieghdk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kjjmbj32.exe
-
UPX dump on OEP (original entry point) 64 IoCs
resource | yara_rule
behavioral1/files/0x000a000000012286-5.dat | UPX
behavioral1/files/0x000800000001489f-26.dat | UPX
behavioral1/files/0x0007000000014b5c-34.dat | UPX
behavioral1/files/0x0009000000015065-48.dat | UPX
behavioral1/files/0x0007000000015d3b-61.dat | UPX
behavioral1/files/0x0006000000015d73-75.dat | UPX
behavioral1/files/0x0006000000015d83-88.dat | UPX
behavioral1/files/0x0006000000015d9f-108.dat | UPX
behavioral1/files/0x0006000000015e1d-115.dat | UPX
behavioral1/files/0x0006000000015fef-128.dat | UPX
behavioral1/files/0x000600000001615c-141.dat | UPX
behavioral1/files/0x0006000000016455-154.dat | UPX
behavioral1/files/0x00060000000165e1-167.dat | UPX
behavioral1/files/0x0006000000016a8a-180.dat | UPX
behavioral1/files/0x000a000000014723-194.dat | UPX
behavioral1/files/0x0006000000016c78-208.dat | UPX
behavioral1/files/0x0006000000016ceb-224.dat | UPX
behavioral1/files/0x0006000000016d2a-231.dat | UPX
behavioral1/files/0x0006000000016d3b-240.dat | UPX
behavioral1/files/0x0006000000016d4b-250.dat | UPX
behavioral1/files/0x0006000000016d64-260.dat | UPX
behavioral1/files/0x0006000000016d6f-267.dat | UPX
behavioral1/files/0x0006000000016d9f-278.dat | UPX
behavioral1/files/0x0006000000016dc8-286.dat | UPX
behavioral1/files/0x0006000000016ddc-298.dat | UPX
behavioral1/files/0x00060000000171d7-306.dat | UPX
behavioral1/files/0x00060000000173ca-317.dat | UPX
behavioral1/files/0x00060000000173f9-328.dat | UPX
behavioral1/files/0x0014000000018668-341.dat | UPX
behavioral1/files/0x000500000001870e-350.dat | UPX
behavioral1/files/0x000500000001871f-361.dat | UPX
behavioral1/files/0x0005000000018784-372.dat | UPX
behavioral1/files/0x000500000001879e-384.dat | UPX
behavioral1/files/0x0006000000018b86-394.dat | UPX
behavioral1/files/0x0006000000018bed-405.dat | UPX
behavioral1/files/0x0005000000019314-416.dat | UPX
behavioral1/files/0x00050000000193d9-427.dat | UPX
behavioral1/files/0x00050000000193ff-438.dat | UPX
behavioral1/files/0x000500000001942b-451.dat | UPX
behavioral1/files/0x0005000000019470-460.dat | UPX
behavioral1/files/0x00050000000194b3-471.dat | UPX
behavioral1/files/0x000500000001952d-482.dat | UPX
behavioral1/files/0x0005000000019627-493.dat | UPX
behavioral1/files/0x000500000001962b-501.dat | UPX
behavioral1/files/0x000500000001962f-515.dat | UPX
behavioral1/files/0x0005000000019635-527.dat | UPX
behavioral1/files/0x000500000001963b-537.dat | UPX
behavioral1/files/0x000500000001963f-540.dat | UPX
behavioral1/files/0x0005000000019641-558.dat | UPX
behavioral1/files/0x0005000000019643-569.dat | UPX
behavioral1/files/0x00050000000196bf-580.dat | UPX
behavioral1/files/0x000500000001970d-595.dat | UPX
behavioral1/files/0x0005000000019859-604.dat | UPX
behavioral1/files/0x000500000001991d-616.dat | UPX
behavioral1/files/0x0005000000019afe-625.dat | UPX
behavioral1/files/0x0005000000019c6c-639.dat | UPX
behavioral1/files/0x0005000000019d63-650.dat | UPX
behavioral1/files/0x0005000000019dd5-661.dat | UPX
behavioral1/files/0x0005000000019f31-669.dat | UPX
behavioral1/files/0x000500000001a05a-679.dat | UPX
behavioral1/files/0x000500000001a0c1-689.dat | UPX
behavioral1/files/0x000500000001a3de-698.dat | UPX
behavioral1/files/0x000500000001a473-708.dat | UPX
behavioral1/files/0x000500000001a47b-722.dat | UPX
-
Executes dropped EXE 64 IoCs
pid | Process
1400 | Abbbnchb.exe
1516 | Bpfcgg32.exe
2728 | Bhahlj32.exe
2664 | Baildokg.exe
2640 | Bkaqmeah.exe
2696 | Balijo32.exe
2736 | Bopicc32.exe
2636 | Bpafkknm.exe
1316 | Bnefdp32.exe
2804 | Bcaomf32.exe
2028 | Cljcelan.exe
548 | Cgpgce32.exe
1712 | Cllpkl32.exe
1624 | Ccfhhffh.exe
3064 | Cpjiajeb.exe
2136 | Cjbmjplb.exe
568 | Copfbfjj.exe
752 | Cbnbobin.exe
1392 | Chhjkl32.exe
1380 | Cobbhfhg.exe
1848 | Dflkdp32.exe
844 | Ddokpmfo.exe
3040 | Dkhcmgnl.exe
1256 | Dqelenlc.exe
2248 | Dhmcfkme.exe
3012 | Dnilobkm.exe
1560 | Dcfdgiid.exe
2936 | Dgaqgh32.exe
2412 | Ddeaalpg.exe
2360 | Dgdmmgpj.exe
2108 | Dfgmhd32.exe
1280 | Dnneja32.exe
2544 | Dcknbh32.exe
2572 | Djefobmk.exe
3032 | Emcbkn32.exe
1996 | Epaogi32.exe
1060 | Ebpkce32.exe
2008 | Emeopn32.exe
1456 | Efncicpm.exe
304 | Eilpeooq.exe
2940 | Emhlfmgj.exe
2824 | Eecqjpee.exe
2120 | Epieghdk.exe
1740 | Ebgacddo.exe
1100 | Eloemi32.exe
1528 | Ennaieib.exe
3016 | Ebinic32.exe
1252 | Fhffaj32.exe
3020 | Flabbihl.exe
2468 | Fmcoja32.exe
2044 | Faokjpfd.exe
2932 | Fhhcgj32.exe
2188 | Fjgoce32.exe
2660 | Fnbkddem.exe
2648 | Faagpp32.exe
2616 | Fdoclk32.exe
2628 | Fhkpmjln.exe
2948 | Filldb32.exe
1696 | Facdeo32.exe
1952 | Fpfdalii.exe
2488 | Ffpmnf32.exe
1760 | Fioija32.exe
1544 | Flmefm32.exe
1620 | Flmefm32.exe
-
Loads dropped DLL 64 IoCs
pid | Process
(each entry appears twice in the source table; 64 rows in total)
2428 | 5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe
1400 | Abbbnchb.exe
1516 | Bpfcgg32.exe
2728 | Bhahlj32.exe
2664 | Baildokg.exe
2640 | Bkaqmeah.exe
2696 | Balijo32.exe
2736 | Bopicc32.exe
2636 | Bpafkknm.exe
1316 | Bnefdp32.exe
2804 | Bcaomf32.exe
2028 | Cljcelan.exe
548 | Cgpgce32.exe
1712 | Cllpkl32.exe
1624 | Ccfhhffh.exe
3064 | Cpjiajeb.exe
2136 | Cjbmjplb.exe
568 | Copfbfjj.exe
752 | Cbnbobin.exe
1392 | Chhjkl32.exe
1380 | Cobbhfhg.exe
1848 | Dflkdp32.exe
844 | Ddokpmfo.exe
3040 | Dkhcmgnl.exe
1256 | Dqelenlc.exe
2248 | Dhmcfkme.exe
3012 | Dnilobkm.exe
1560 | Dcfdgiid.exe
2936 | Dgaqgh32.exe
2412 | Ddeaalpg.exe
2360 | Dgdmmgpj.exe
2108 | Dfgmhd32.exe
-
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Lcaiiejc.exe | Process not Found
File created | C:\Windows\SysWOW64\Pbagipfi.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Ioliqbjn.exe | Ihbqdh32.exe
File opened for modification | C:\Windows\SysWOW64\Mfglep32.exe | Process not Found
File created | C:\Windows\SysWOW64\Mbnipnaf.dll | Hojgfemq.exe
File created | C:\Windows\SysWOW64\Lnbnfb32.dll | Process not Found
File created | C:\Windows\SysWOW64\Pcdhbgoc.dll | Process not Found
File created | C:\Windows\SysWOW64\Opifnm32.exe | Oionacqo.exe
File created | C:\Windows\SysWOW64\Binbknik.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Phnnho32.exe | Peoalc32.exe
File opened for modification | C:\Windows\SysWOW64\Mmdgbp32.exe | Mnaggcej.exe
File created | C:\Windows\SysWOW64\Fjlcglnk.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Gpncej32.exe | Gmpgio32.exe
File created | C:\Windows\SysWOW64\Kqdhhm32.exe | Knekla32.exe
File opened for modification | C:\Windows\SysWOW64\Noacef32.exe | Nlbgikia.exe
File opened for modification | C:\Windows\SysWOW64\Ogcnkgoh.exe | Odebolpe.exe
File created | C:\Windows\SysWOW64\Fhkpmjln.exe | Fdoclk32.exe
File opened for modification | C:\Windows\SysWOW64\Ioijbj32.exe | Ihoafpmp.exe
File opened for modification | C:\Windows\SysWOW64\Eoajel32.exe | Ekfndmfb.exe
File opened for modification | C:\Windows\SysWOW64\Glfhll32.exe | Ghkllmoi.exe
File created | C:\Windows\SysWOW64\Fpkeqmgm.dll | Obcccl32.exe
File opened for modification | C:\Windows\SysWOW64\Ebmgcohn.exe | Dookgcij.exe
File created | C:\Windows\SysWOW64\Mlpneh32.exe | Mcifdj32.exe
File created | C:\Windows\SysWOW64\Cpqhdl32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Kkeecogo.exe | Process not Found
File created | C:\Windows\SysWOW64\Ahebaiac.exe | Process not Found
File created | C:\Windows\SysWOW64\Ebpkce32.exe | Epaogi32.exe
File created | C:\Windows\SysWOW64\Opakbgif.dll | Chlfnp32.exe
File created | C:\Windows\SysWOW64\Klhemhpk.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Pdakniag.exe | Process not Found
File created | C:\Windows\SysWOW64\Fncmmmma.exe | Fgiepced.exe
File created | C:\Windows\SysWOW64\Njjcip32.exe | Process not Found
File created | C:\Windows\SysWOW64\Fhgpia32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Hgbebiao.exe | Gddifnbk.exe
File opened for modification | C:\Windows\SysWOW64\Pedleg32.exe | Pnjdhmdo.exe
File opened for modification | C:\Windows\SysWOW64\Nallalep.exe | Process not Found
File created | C:\Windows\SysWOW64\Eemngplg.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Eelkeeah.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Fddmgjpo.exe | Flmefm32.exe
File opened for modification | C:\Windows\SysWOW64\Lldlqakb.exe | Kifpdelo.exe
File created | C:\Windows\SysWOW64\Meccii32.exe | Moiklogi.exe
File opened for modification | C:\Windows\SysWOW64\Hkhnle32.exe | Hhjapjmi.exe
File created | C:\Windows\SysWOW64\Iodahd32.dll | Iccbqh32.exe
File created | C:\Windows\SysWOW64\Lfkeokjp.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Mkqqnq32.exe | Process not Found
File created | C:\Windows\SysWOW64\Bhapci32.dll | Process not Found
File created | C:\Windows\SysWOW64\Kjnfniii.exe | Kfbkmk32.exe
File created | C:\Windows\SysWOW64\Cbppnbhm.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Gljnej32.exe | Gikaio32.exe
File created | C:\Windows\SysWOW64\Hbleeb32.exe | Hpmiig32.exe
File opened for modification | C:\Windows\SysWOW64\Dinklffl.exe | Debplg32.exe
File opened for modification | C:\Windows\SysWOW64\Odobjg32.exe | Ocnfbo32.exe
File opened for modification | C:\Windows\SysWOW64\Aqhhanig.exe | Process not Found
File created | C:\Windows\SysWOW64\Kopokehd.exe | Jkebjf32.exe
File created | C:\Windows\SysWOW64\Jfcnngnd.exe | Joifam32.exe
File opened for modification | C:\Windows\SysWOW64\Hlngpjlj.exe | Hipkdnmf.exe
File created | C:\Windows\SysWOW64\Iccbqh32.exe | Hpefdl32.exe
File opened for modification | C:\Windows\SysWOW64\Domqjm32.exe | Dkadjn32.exe
File created | C:\Windows\SysWOW64\Kpdjaecc.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Jcbellac.exe | Jqdipqbp.exe
File created | C:\Windows\SysWOW64\Dgdfdnfj.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Jpigma32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Anccmo32.exe | Alegac32.exe
File opened for modification | C:\Windows\SysWOW64\Aehboi32.exe | Abjebn32.exe
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
852 | 4216 | Process not Found | 1586
-
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qggfio32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Baildokg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hpkjko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pjldghjm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Abphal32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pnjdhmdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boegfb32.dll" | Nehomq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obkefk32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpbahga.dll" | Kjjmbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddlfji32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkcje32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll" | Faagpp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gaqcoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghohc32.dll" | Chbjffad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Echfaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mpbdnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diceon32.dll" | Ndemjoae.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pmjqcc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Noemqe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioiepeog.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnndane.dll" | Hnjplo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbqmnm32.dll" | Ecfldoph.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gaqomeke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hlccdboi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hcifgjgc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jicgpb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bkommo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Okoafmkm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Akmjfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Chqoipkk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coalledf.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lbqabkql.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhofcjea.dll" | Dhdcji32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Amqccfed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfhfajb.dll" | Oionacqo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll" | Goddhg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkgnjmo.dll" | Pcnejk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bagkmb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ogekpg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dqelenlc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kjoifb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agkfljge.dll" | Hkcdafqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ifkacb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cddjebgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdhqpd32.dll" | Lipecm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fmegncpp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jqnejn32.exe
-
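The "Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class" tables above describe a single persistence mechanism split across two keys: the value Web Event Logger under ShellServiceObjectDelayLoad names a CLSID, and that CLSID's InProcServer32 default value points at a DLL dropped into SysWow64, so Explorer loads the DLL at logon. Note that successive processes in the chain register different DLL names (Qggfio32.dll, Boegfb32.dll, Obkefk32.dll and so on) under the same CLSID, so a host check has to read the current value rather than search for one filename. The Python below is an added example, not part of this sandbox report or of the sample: it parses rows in the report's own format into that SSODL -> CLSID -> DLL chain and emits reg.exe queries for a live host. The rows in SAMPLE_ROWS are a constructed excerpt of the two tables; parse_row, build_hunt_list and reg_query_commands are names chosen here.

```python
import re

# Constructed sample: rows in the format of the "Adds autorun key ..." and
# "Modifies registry class" tables of this report (description, ioc, Process);
# the real tables hold 64 rows each.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opifnm32.exe',
    r'Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihoafpmp.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baildokg.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qggfio32.dll" Process not Found',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjldghjm.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boegfb32.dll" Nehomq32.exe',
]

NOT_FOUND = 'Process not Found'
SET_VALUE = re.compile(r'^Set value \(str\) (?P<path>.+?) = "(?P<data>.*)" (?P<proc>.+)$')
CLSID_KEY = re.compile(r'\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\InProcServer32$')
NT_PREFIX = '\\REGISTRY\\MACHINE\\'


def parse_row(row):
    """Split one registry IoC row into (op, key, value_name, data, process)."""
    if row.startswith('Key created '):
        rest = row[len('Key created '):]
        if rest.endswith(' ' + NOT_FOUND):          # the process column may contain spaces
            return 'Key created', rest[:-len(NOT_FOUND) - 1], None, None, NOT_FOUND
        key, proc = rest.rsplit(' ', 1)
        return 'Key created', key, None, None, proc
    m = SET_VALUE.match(row)
    if not m:
        raise ValueError('unrecognised row: ' + row)
    # the part before ' = ' is key\valuename; an empty name is the (Default) value
    key, _, name = m.group('path').rpartition('\\')
    return 'Set value (str)', key, name, m.group('data'), m.group('proc')


def to_hklm(key):
    """Rewrite the NT-native path the sandbox logs into the HKLM form reg.exe accepts."""
    if key.upper().startswith(NT_PREFIX):
        return 'HKLM\\' + key[len(NT_PREFIX):]
    return key


def build_hunt_list(rows):
    """Link SSODL value -> CLSID -> InProcServer32 DLL across all rows."""
    ssodl, clsid_keys, servers, threading, keys = {}, {}, {}, {}, {}
    for row in rows:
        op, key, name, data, _proc = parse_row(row)
        keys.setdefault(key.lower(), to_hklm(key))       # registry paths are case-insensitive
        m = CLSID_KEY.search(key)
        if m:
            clsid_keys.setdefault(m.group('clsid').upper(), to_hklm(key))
        if op != 'Set value (str)':
            continue
        if key.lower().endswith('\\shellserviceobjectdelayload'):
            ssodl[name] = (to_hklm(key), data.upper())   # value name -> (key, CLSID)
        elif m:
            clsid = m.group('clsid').upper()
            if name == '':
                # (Default) holds the DLL path; the report doubles backslashes in string data
                servers.setdefault(clsid, set()).add(data.replace('\\\\', '\\'))
            elif name == 'ThreadingModel':
                threading[clsid] = data
    return {
        'ssodl': ssodl,
        'clsid_keys': clsid_keys,
        'inprocserver32': {c: sorted(p) for c, p in servers.items()},
        'threading_model': threading,
        'registry_keys': sorted(keys.values()),
    }


def reg_query_commands(hunt):
    """reg.exe / cmd.exe lines that confirm or refute the persistence on a live host."""
    cmds = []
    for value_name, (ssodl_key, clsid) in hunt['ssodl'].items():
        cmds.append('reg query "%s" /v "%s"' % (ssodl_key, value_name))
        if clsid in hunt['clsid_keys']:
            cmds.append('reg query "%s" /ve' % hunt['clsid_keys'][clsid])
        for dll in hunt['inprocserver32'].get(clsid, []):
            cmds.append('dir "%s"' % dll)
    return cmds


if __name__ == '__main__':
    hunt = build_hunt_list(SAMPLE_ROWS)
    for name, (key, clsid) in hunt['ssodl'].items():
        print('%s -> %s -> %s' % (name, clsid, hunt['inprocserver32'].get(clsid)))
    print('\n'.join(reg_query_commands(hunt)))
```

Feed it the full 128 rows from the two tables and the DLL list grows to every name the chain registered; on a suspect host, run the emitted reg query lines from an elevated cmd.exe and treat any SSODL value whose CLSID resolves to an unsigned DLL under SysWow64 as a hit. The Wow6432Node keys in the report are the 32-bit registry view, which is where a 32-bit sample writing on x64 Windows lands.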
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
(each row below appears four times in the source table; 64 rows in total)
PID 2428 wrote to memory of 1400 | 2428 | 5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe | 28
PID 1400 wrote to memory of 1516 | 1400 | Abbbnchb.exe | 29
PID 1516 wrote to memory of 2728 | 1516 | Bpfcgg32.exe | 30
PID 2728 wrote to memory of 2664 | 2728 | Bhahlj32.exe | 31
PID 2664 wrote to memory of 2640 | 2664 | Baildokg.exe | 32
PID 2640 wrote to memory of 2696 | 2640 | Bkaqmeah.exe | 33
PID 2696 wrote to memory of 2736 | 2696 | Balijo32.exe | 34
PID 2736 wrote to memory of 2636 | 2736 | Bopicc32.exe | 35
PID 2636 wrote to memory of 1316 | 2636 | Bpafkknm.exe | 36
PID 1316 wrote to memory of 2804 | 1316 | Bnefdp32.exe | 37
PID 2804 wrote to memory of 2028 | 2804 | Bcaomf32.exe | 38
PID 2028 wrote to memory of 548 | 2028 | Cljcelan.exe | 39
PID 548 wrote to memory of 1712 | 548 | Cgpgce32.exe | 40
PID 1712 wrote to memory of 1624 | 1712 | Cllpkl32.exe | 41
PID 1624 wrote to memory of 3064 | 1624 | Ccfhhffh.exe | 42
PID 3064 wrote to memory of 2136 | 3064 | Cpjiajeb.exe | 43
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe") PID:2428
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2⤵ C:\Windows\SysWOW64\Abbbnchb.exe (cmdline: C:\Windows\system32\Abbbnchb.exe) PID:1400
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3⤵ C:\Windows\SysWOW64\Bpfcgg32.exe (cmdline: C:\Windows\system32\Bpfcgg32.exe) PID:1516
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4⤵ C:\Windows\SysWOW64\Bhahlj32.exe (cmdline: C:\Windows\system32\Bhahlj32.exe) PID:2728
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5⤵ C:\Windows\SysWOW64\Baildokg.exe (cmdline: C:\Windows\system32\Baildokg.exe) PID:2664
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
6⤵ C:\Windows\SysWOW64\Bkaqmeah.exe (cmdline: C:\Windows\system32\Bkaqmeah.exe) PID:2640
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7⤵ C:\Windows\SysWOW64\Balijo32.exe (cmdline: C:\Windows\system32\Balijo32.exe) PID:2696
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8⤵ C:\Windows\SysWOW64\Bopicc32.exe (cmdline: C:\Windows\system32\Bopicc32.exe) PID:2736
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9⤵ C:\Windows\SysWOW64\Bpafkknm.exe (cmdline: C:\Windows\system32\Bpafkknm.exe) PID:2636
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10⤵ C:\Windows\SysWOW64\Bnefdp32.exe (cmdline: C:\Windows\system32\Bnefdp32.exe) PID:1316
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11⤵ C:\Windows\SysWOW64\Bcaomf32.exe (cmdline: C:\Windows\system32\Bcaomf32.exe) PID:2804
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12⤵ C:\Windows\SysWOW64\Cljcelan.exe (cmdline: C:\Windows\system32\Cljcelan.exe) PID:2028
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13⤵ C:\Windows\SysWOW64\Cgpgce32.exe (cmdline: C:\Windows\system32\Cgpgce32.exe) PID:548
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14⤵ C:\Windows\SysWOW64\Cllpkl32.exe (cmdline: C:\Windows\system32\Cllpkl32.exe) PID:1712
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15⤵ C:\Windows\SysWOW64\Ccfhhffh.exe (cmdline: C:\Windows\system32\Ccfhhffh.exe) PID:1624
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16⤵ C:\Windows\SysWOW64\Cpjiajeb.exe (cmdline: C:\Windows\system32\Cpjiajeb.exe) PID:3064
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17⤵ C:\Windows\SysWOW64\Cjbmjplb.exe (cmdline: C:\Windows\system32\Cjbmjplb.exe) PID:2136
   - Executes dropped EXE
   - Loads dropped DLL
18⤵ C:\Windows\SysWOW64\Copfbfjj.exe (cmdline: C:\Windows\system32\Copfbfjj.exe) PID:568
   - Executes dropped EXE
   - Loads dropped DLL
19⤵ C:\Windows\SysWOW64\Cbnbobin.exe (cmdline: C:\Windows\system32\Cbnbobin.exe) PID:752
   - Executes dropped EXE
   - Loads dropped DLL
20⤵ C:\Windows\SysWOW64\Chhjkl32.exe (cmdline: C:\Windows\system32\Chhjkl32.exe) PID:1392
   - Executes dropped EXE
   - Loads dropped DLL
21⤵ C:\Windows\SysWOW64\Cobbhfhg.exe (cmdline: C:\Windows\system32\Cobbhfhg.exe) PID:1380
   - Executes dropped EXE
   - Loads dropped DLL
22⤵ C:\Windows\SysWOW64\Dflkdp32.exe (cmdline: C:\Windows\system32\Dflkdp32.exe) PID:1848
   - Executes dropped EXE
   - Loads dropped DLL
23⤵ C:\Windows\SysWOW64\Ddokpmfo.exe (cmdline: C:\Windows\system32\Ddokpmfo.exe) PID:844
   - Executes dropped EXE
   - Loads dropped DLL
24⤵ C:\Windows\SysWOW64\Dkhcmgnl.exe (cmdline: C:\Windows\system32\Dkhcmgnl.exe) PID:3040
   - Executes dropped EXE
   - Loads dropped DLL
25⤵ C:\Windows\SysWOW64\Dqelenlc.exe (cmdline: C:\Windows\system32\Dqelenlc.exe) PID:1256
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
26⤵ C:\Windows\SysWOW64\Dhmcfkme.exe (cmdline: C:\Windows\system32\Dhmcfkme.exe) PID:2248
   - Executes dropped EXE
   - Loads dropped DLL
27⤵ C:\Windows\SysWOW64\Dnilobkm.exe (cmdline: C:\Windows\system32\Dnilobkm.exe) PID:3012
   - Executes dropped EXE
   - Loads dropped DLL
28⤵ C:\Windows\SysWOW64\Dcfdgiid.exe (cmdline: C:\Windows\system32\Dcfdgiid.exe) PID:1560
   - Executes dropped EXE
   - Loads dropped DLL
29⤵ C:\Windows\SysWOW64\Dgaqgh32.exe (cmdline: C:\Windows\system32\Dgaqgh32.exe) PID:2936
   - Executes dropped EXE
   - Loads dropped DLL
30⤵ C:\Windows\SysWOW64\Ddeaalpg.exe (cmdline: C:\Windows\system32\Ddeaalpg.exe) PID:2412
   - Executes dropped EXE
   - Loads dropped DLL
31⤵ C:\Windows\SysWOW64\Dgdmmgpj.exe (cmdline: C:\Windows\system32\Dgdmmgpj.exe) PID:2360
   - Executes dropped EXE
   - Loads dropped DLL
32⤵ C:\Windows\SysWOW64\Dfgmhd32.exe (cmdline: C:\Windows\system32\Dfgmhd32.exe) PID:2108
   - Executes dropped EXE
   - Loads dropped DLL
33⤵ C:\Windows\SysWOW64\Dnneja32.exe (cmdline: C:\Windows\system32\Dnneja32.exe) PID:1280
   - Executes dropped EXE
34⤵ C:\Windows\SysWOW64\Dcknbh32.exe (cmdline: C:\Windows\system32\Dcknbh32.exe) PID:2544
   - Executes dropped EXE
35⤵ C:\Windows\SysWOW64\Djefobmk.exe (cmdline: C:\Windows\system32\Djefobmk.exe) PID:2572
   - Executes dropped EXE
36⤵ C:\Windows\SysWOW64\Emcbkn32.exe (cmdline: C:\Windows\system32\Emcbkn32.exe) PID:3032
   - Executes dropped EXE
37⤵ C:\Windows\SysWOW64\Epaogi32.exe (cmdline: C:\Windows\system32\Epaogi32.exe) PID:1996
   - Executes dropped EXE
   - Drops file in System32 directory
38⤵ C:\Windows\SysWOW64\Ebpkce32.exe (cmdline: C:\Windows\system32\Ebpkce32.exe) PID:1060
   - Executes dropped EXE
39⤵ C:\Windows\SysWOW64\Emeopn32.exe (cmdline: C:\Windows\system32\Emeopn32.exe) PID:2008
   - Executes dropped EXE
40⤵ C:\Windows\SysWOW64\Efncicpm.exe (cmdline: C:\Windows\system32\Efncicpm.exe) PID:1456
   - Executes dropped EXE
41⤵ C:\Windows\SysWOW64\Eilpeooq.exe (cmdline: C:\Windows\system32\Eilpeooq.exe) PID:304
   - Executes dropped EXE
42⤵ C:\Windows\SysWOW64\Emhlfmgj.exe (cmdline: C:\Windows\system32\Emhlfmgj.exe) PID:2940
   - Executes dropped EXE
43⤵ C:\Windows\SysWOW64\Eecqjpee.exe (cmdline: C:\Windows\system32\Eecqjpee.exe) PID:2824
   - Executes dropped EXE
44⤵ C:\Windows\SysWOW64\Epieghdk.exe (cmdline: C:\Windows\system32\Epieghdk.exe) PID:2120
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
45⤵ C:\Windows\SysWOW64\Ebgacddo.exe (cmdline: C:\Windows\system32\Ebgacddo.exe) PID:1740
   - Executes dropped EXE
46⤵ C:\Windows\SysWOW64\Eloemi32.exe (cmdline: C:\Windows\system32\Eloemi32.exe) PID:1100
   - Executes dropped EXE
47⤵ C:\Windows\SysWOW64\Ennaieib.exe (cmdline: C:\Windows\system32\Ennaieib.exe) PID:1528
   - Executes dropped EXE
48⤵ C:\Windows\SysWOW64\Ebinic32.exe (cmdline: C:\Windows\system32\Ebinic32.exe) PID:3016
   - Executes dropped EXE
49⤵ C:\Windows\SysWOW64\Fhffaj32.exe (cmdline: C:\Windows\system32\Fhffaj32.exe) PID:1252
   - Executes dropped EXE
50⤵ C:\Windows\SysWOW64\Flabbihl.exe (cmdline: C:\Windows\system32\Flabbihl.exe) PID:3020
   - Executes dropped EXE
51⤵ C:\Windows\SysWOW64\Fmcoja32.exe (cmdline: C:\Windows\system32\Fmcoja32.exe) PID:2468
   - Executes dropped EXE
52⤵ C:\Windows\SysWOW64\Faokjpfd.exe (cmdline: C:\Windows\system32\Faokjpfd.exe) PID:2044
   - Executes dropped EXE
53⤵ C:\Windows\SysWOW64\Fcmgfkeg.exe (cmdline: C:\Windows\system32\Fcmgfkeg.exe) PID:3052
   - Adds autorun key to be loaded by Explorer.exe on startup
54⤵ C:\Windows\SysWOW64\Fhhcgj32.exe (cmdline: C:\Windows\system32\Fhhcgj32.exe) PID:2932
   - Executes dropped EXE
55⤵ C:\Windows\SysWOW64\Fjgoce32.exe (cmdline: C:\Windows\system32\Fjgoce32.exe) PID:2188
   - Executes dropped EXE
56⤵ C:\Windows\SysWOW64\Fnbkddem.exe (cmdline: C:\Windows\system32\Fnbkddem.exe) PID:2660
   - Executes dropped EXE
57⤵ C:\Windows\SysWOW64\Faagpp32.exe (cmdline: C:\Windows\system32\Faagpp32.exe) PID:2648
   - Executes dropped EXE
   - Modifies registry class
58⤵ C:\Windows\SysWOW64\Fdoclk32.exe (cmdline: C:\Windows\system32\Fdoclk32.exe) PID:2616
   - Executes dropped EXE
   - Drops file in System32 directory
59⤵ C:\Windows\SysWOW64\Fhkpmjln.exe (cmdline: C:\Windows\system32\Fhkpmjln.exe) PID:2628
   - Executes dropped EXE
60⤵ C:\Windows\SysWOW64\Filldb32.exe (cmdline: C:\Windows\system32\Filldb32.exe) PID:2948
   - Executes dropped EXE
61⤵ C:\Windows\SysWOW64\Facdeo32.exe (cmdline: C:\Windows\system32\Facdeo32.exe) PID:1696
   - Executes dropped EXE
62⤵ C:\Windows\SysWOW64\Fpfdalii.exe (cmdline: C:\Windows\system32\Fpfdalii.exe) PID:1952
   - Executes dropped EXE
63⤵ C:\Windows\SysWOW64\Ffpmnf32.exe (cmdline: C:\Windows\system32\Ffpmnf32.exe) PID:2488
   - Executes dropped EXE
64⤵ C:\Windows\SysWOW64\Fioija32.exe (cmdline: C:\Windows\system32\Fioija32.exe) PID:1760
   - Executes dropped EXE
65⤵ C:\Windows\SysWOW64\Flmefm32.exe (cmdline: C:\Windows\system32\Flmefm32.exe) PID:1544
   - Executes dropped EXE
66⤵ C:\Windows\SysWOW64\Flmefm32.exe (cmdline: C:\Windows\system32\Flmefm32.exe) PID:1620
   - Executes dropped EXE
   - Drops file in System32 directory
67⤵ C:\Windows\SysWOW64\Fddmgjpo.exe (cmdline: C:\Windows\system32\Fddmgjpo.exe) PID:2844
   - Adds autorun key to be loaded by Explorer.exe on startup
68⤵ C:\Windows\SysWOW64\Fbgmbg32.exe (cmdline: C:\Windows\system32\Fbgmbg32.exe) PID:2324
   - Adds autorun key to be loaded by Explorer.exe on startup
69⤵ C:\Windows\SysWOW64\Feeiob32.exe (cmdline: C:\Windows\system32\Feeiob32.exe) PID:572
70⤵ C:\Windows\SysWOW64\Fmlapp32.exe (cmdline: C:\Windows\system32\Fmlapp32.exe) PID:1708
71⤵ C:\Windows\SysWOW64\Gpknlk32.exe (cmdline: C:\Windows\system32\Gpknlk32.exe) PID:1648
72⤵ C:\Windows\SysWOW64\Gbijhg32.exe (cmdline: C:\Windows\system32\Gbijhg32.exe) PID:1304
73⤵ C:\Windows\SysWOW64\Gicbeald.exe (cmdline: C:\Windows\system32\Gicbeald.exe) PID:3056
74⤵ C:\Windows\SysWOW64\Ghfbqn32.exe (cmdline: C:\Windows\system32\Ghfbqn32.exe) PID:1704
75⤵ C:\Windows\SysWOW64\Gpmjak32.exe (cmdline: C:\Windows\system32\Gpmjak32.exe) PID:1592
76⤵ C:\Windows\SysWOW64\Gangic32.exe (cmdline: C:\Windows\system32\Gangic32.exe) PID:3028
77⤵ C:\Windows\SysWOW64\Gieojq32.exe (cmdline: C:\Windows\system32\Gieojq32.exe) PID:2756
78⤵ C:\Windows\SysWOW64\Gkgkbipp.exe (cmdline: C:\Windows\system32\Gkgkbipp.exe) PID:2772
79⤵ C:\Windows\SysWOW64\Gobgcg32.exe (cmdline: C:\Windows\system32\Gobgcg32.exe) PID:2592
80⤵ C:\Windows\SysWOW64\Gaqcoc32.exe (cmdline: C:\Windows\system32\Gaqcoc32.exe) PID:1800
   - Modifies registry class
81⤵ C:\Windows\SysWOW64\Ghkllmoi.exe (cmdline: C:\Windows\system32\Ghkllmoi.exe) PID:2256
   - Drops file in System32 directory
82⤵ C:\Windows\SysWOW64\Glfhll32.exe (cmdline: C:\Windows\system32\Glfhll32.exe) PID:1776
83⤵ C:\Windows\SysWOW64\Goddhg32.exe (cmdline: C:\Windows\system32\Goddhg32.exe) PID:2268
   - Modifies registry class
84⤵ C:\Windows\SysWOW64\Gmgdddmq.exe (cmdline: C:\Windows\system32\Gmgdddmq.exe) PID:1144
85⤵ C:\Windows\SysWOW64\Gdamqndn.exe (cmdline: C:\Windows\system32\Gdamqndn.exe) PID:1404
86⤵ C:\Windows\SysWOW64\Gogangdc.exe (cmdline: C:\Windows\system32\Gogangdc.exe) PID:1628
87⤵ C:\Windows\SysWOW64\Gddifnbk.exe (cmdline: C:\Windows\system32\Gddifnbk.exe) PID:2280
   - Drops file in System32 directory
88⤵ C:\Windows\SysWOW64\Hgbebiao.exe (cmdline: C:\Windows\system32\Hgbebiao.exe) PID:1744
89⤵ C:\Windows\SysWOW64\Hknach32.exe (cmdline: C:\Windows\system32\Hknach32.exe) PID:1588
90⤵ C:\Windows\SysWOW64\Hmlnoc32.exe (cmdline: C:\Windows\system32\Hmlnoc32.exe) PID:2796
91⤵ C:\Windows\SysWOW64\Hpkjko32.exe (cmdline: C:\Windows\system32\Hpkjko32.exe) PID:1300
   - Modifies registry class
92⤵ C:\Windows\SysWOW64\Hcifgjgc.exe (cmdline: C:\Windows\system32\Hcifgjgc.exe) PID:1152
   - Modifies registry class
93⤵ C:\Windows\SysWOW64\Hkpnhgge.exe (cmdline: C:\Windows\system32\Hkpnhgge.exe) PID:2852
94⤵ C:\Windows\SysWOW64\Hicodd32.exe (cmdline: C:\Windows\system32\Hicodd32.exe) PID:1796
95⤵ C:\Windows\SysWOW64\Hpmgqnfl.exe (cmdline: C:\Windows\system32\Hpmgqnfl.exe) PID:1812
96⤵ C:\Windows\SysWOW64\Hckcmjep.exe (cmdline: C:\Windows\system32\Hckcmjep.exe) PID:1724
97⤵ C:\Windows\SysWOW64\Hejoiedd.exe (cmdline: C:\Windows\system32\Hejoiedd.exe) PID:1564
98⤵ C:\Windows\SysWOW64\Hnagjbdf.exe (cmdline: C:\Windows\system32\Hnagjbdf.exe) PID:2320
99⤵ C:\Windows\SysWOW64\Hpocfncj.exe (cmdline: C:\Windows\system32\Hpocfncj.exe) PID:2056
100⤵ C:\Windows\SysWOW64\Hcnpbi32.exe (cmdline: C:\Windows\system32\Hcnpbi32.exe) PID:2032
101⤵ C:\Windows\SysWOW64\Hellne32.exe (cmdline: C:\Windows\system32\Hellne32.exe) PID:892
102⤵ C:\Windows\SysWOW64\Hhjhkq32.exe (cmdline: C:\Windows\system32\Hhjhkq32.exe) PID:556
103⤵ C:\Windows\SysWOW64\Hlfdkoin.exe (cmdline: C:\Windows\system32\Hlfdkoin.exe) PID:1272
104⤵ C:\Windows\SysWOW64\Hodpgjha.exe (cmdline: C:\Windows\system32\Hodpgjha.exe) PID:2984
105⤵ C:\Windows\SysWOW64\Henidd32.exe (cmdline: C:\Windows\system32\Henidd32.exe) PID:2860
106⤵ C:\Windows\SysWOW64\Hhmepp32.exe (cmdline: C:\Windows\system32\Hhmepp32.exe) PID:2988
107⤵ C:\Windows\SysWOW64\Hlhaqogk.exe (cmdline: C:\Windows\system32\Hlhaqogk.exe) PID:2788
108⤵ C:\Windows\SysWOW64\Iaeiieeb.exe (cmdline: C:\Windows\system32\Iaeiieeb.exe) PID:2568
109⤵ C:\Windows\SysWOW64\Ieqeidnl.exe (cmdline: C:\Windows\system32\Ieqeidnl.exe) PID:2684
110⤵ C:\Windows\SysWOW64\Ihoafpmp.exe (cmdline: C:\Windows\system32\Ihoafpmp.exe) PID:2752
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
111⤵ C:\Windows\SysWOW64\Ioijbj32.exe (cmdline: C:\Windows\system32\Ioijbj32.exe) PID:1572
112⤵ C:\Windows\SysWOW64\Inljnfkg.exe (cmdline: C:\Windows\system32\Inljnfkg.exe) PID:1076
113⤵ C:\Windows\SysWOW64\Ifcbodli.exe (cmdline: C:\Windows\system32\Ifcbodli.exe) PID:1684
114⤵ C:\Windows\SysWOW64\Ihankokm.exe (cmdline: C:\Windows\system32\Ihankokm.exe) PID:2368
115⤵ C:\Windows\SysWOW64\Ikpjgkjq.exe (cmdline: C:\Windows\system32\Ikpjgkjq.exe) PID:2192
116⤵ C:\Windows\SysWOW64\Iajcde32.exe (cmdline: C:\Windows\system32\Iajcde32.exe) PID:2928
117⤵ C:\Windows\SysWOW64\Idhopq32.exe (cmdline: C:\Windows\system32\Idhopq32.exe) PID:2740
118⤵ C:\Windows\SysWOW64\Ihdkao32.exe (cmdline: C:\Windows\system32\Ihdkao32.exe) PID:2680
119⤵ C:\Windows\SysWOW64\Ijeghgoh.exe (cmdline: C:\Windows\system32\Ijeghgoh.exe) PID:2960
120⤵ C:\Windows\SysWOW64\Inqcif32.exe (cmdline: C:\Windows\system32\Inqcif32.exe) PID:2492
121⤵ C:\Windows\SysWOW64\Iqopea32.exe (cmdline: C:\Windows\system32\Iqopea32.exe) PID:2308
122⤵ C:\Windows\SysWOW64\Icmlam32.exe (cmdline: C:\Windows\system32\Icmlam32.exe) PID:956
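The WriteProcessMemory rows and the process tree describe the same thing from two angles: a strictly linear spawn chain in which each dropped executable writes into the process it creates, and every child is a new 8-character name under SysWOW64 (the command line says system32, but a 32-bit process on x64 is redirected to SysWOW64 by WoW64 file system redirection, which is why image path and command line differ). The script below is an added example, not part of this sandbox report or of any tool it names. It parses constructed copies of the report's event rows and tree entries, de-duplicates the four-fold event logging, walks writer-to-target edges from the sample's PID, cross-checks the chain against the tree depths, and applies a heuristic (the name pattern, the minimum run length and the tuple layout of the tree are this example's own assumptions) for flagging such drop-and-spawn chains.

```python
"""Added example: reconstruct and sanity-check the spawn chain from sandbox rows."""
import re
from collections import defaultdict

# Constructed sample: 'wrote to memory of' rows copied from the report above.
# The sandbox logs each event several times; duplicates are kept so the parser
# has to de-duplicate them.
SAMPLE_EVENTS = """\
PID 2428 wrote to memory of 1400 2428 5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe 28
PID 2428 wrote to memory of 1400 2428 5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe 28
PID 1400 wrote to memory of 1516 1400 Abbbnchb.exe 29
PID 1400 wrote to memory of 1516 1400 Abbbnchb.exe 29
PID 1516 wrote to memory of 2728 1516 Bpfcgg32.exe 30
PID 2728 wrote to memory of 2664 2728 Bhahlj32.exe 31
PID 2664 wrote to memory of 2640 2664 Baildokg.exe 32
PID 2640 wrote to memory of 2696 2640 Bkaqmeah.exe 33
"""

# Constructed sample: (depth, image path, command line, PID) for the first
# entries of the process tree above; the tuple layout is this example's choice.
SAMPLE_TREE = [
    (1, r"C:\Users\Admin\AppData\Local\Temp\5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe",
        r'"C:\Users\Admin\AppData\Local\Temp\5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe"', 2428),
    (2, r"C:\Windows\SysWOW64\Abbbnchb.exe", r"C:\Windows\system32\Abbbnchb.exe", 1400),
    (3, r"C:\Windows\SysWOW64\Bpfcgg32.exe", r"C:\Windows\system32\Bpfcgg32.exe", 1516),
    (4, r"C:\Windows\SysWOW64\Bhahlj32.exe", r"C:\Windows\system32\Bhahlj32.exe", 2728),
    (5, r"C:\Windows\SysWOW64\Baildokg.exe", r"C:\Windows\system32\Baildokg.exe", 2664),
    (6, r"C:\Windows\SysWOW64\Bkaqmeah.exe", r"C:\Windows\system32\Bkaqmeah.exe", 2640),
    (7, r"C:\Windows\SysWOW64\Balijo32.exe", r"C:\Windows\system32\Balijo32.exe", 2696),
]

EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")
# Heuristic (assumption): capitalised 8-character name, letters/digits, like the dropped files above.
DROPPED_NAME_RE = re.compile(r"^[A-Z][a-z0-9]{7}\.exe$")


def parse_events(text):
    """Return unique (writer_pid, target_pid, writer_image, procid_target) in first-seen order."""
    seen, out = set(), []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = (int(m[1]), int(m[2]), m[3], int(m[4]))
        if ev not in seen:
            seen.add(ev)
            out.append(ev)
    return out


def build_chain(events, root_pid):
    """Follow writer -> target edges from root_pid.

    Returns (chain_pids, branching_pids); branching_pids lists any writer with
    more than one target, which would mean the tree is not a straight line.
    """
    children = defaultdict(list)
    for writer, target, _, _ in events:
        children[writer].append(target)
    chain, branching = [root_pid], []
    while children.get(chain[-1]):
        kids = children[chain[-1]]
        if len(kids) > 1:
            branching.append(chain[-1])
        nxt = kids[0]
        if nxt in chain:  # defensive: a cycle in the edges would loop forever
            break
        chain.append(nxt)
    return chain, branching


def chain_matches_tree(chain, tree):
    """True when the tree entry at depth d carries the PID at chain index d-1."""
    by_depth = {depth: pid for depth, _, _, pid in tree}
    return all(by_depth.get(i + 1) == pid for i, pid in enumerate(chain))


def wow64_redirected(tree):
    """PIDs whose command line names system32 but whose image resolved under SysWOW64."""
    return [pid for _, image, cmdline, pid in tree
            if "\\system32\\" in cmdline.lower() and "\\syswow64\\" in image.lower()]


def dropped_exe_run(tree, min_len=5):
    """Longest run of consecutive depths that are random-looking EXEs under SysWOW64.

    Returns (run_length, flagged); min_len is this example's threshold, not a
    published one.
    """
    best = run = 0
    for _, image, _, _ in sorted(tree):
        name = image.rsplit("\\", 1)[-1]
        if "\\syswow64\\" in image.lower() and DROPPED_NAME_RE.match(name):
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best, best >= min_len


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    chain, branching = build_chain(events, 2428)
    print("chain:", " -> ".join(map(str, chain)), "| branching at:", branching)
    print("chain matches tree depths:", chain_matches_tree(chain, SAMPLE_TREE))
    print("WoW64-redirected PIDs:", wow64_redirected(SAMPLE_TREE))
    print("dropped-EXE run:", dropped_exe_run(SAMPLE_TREE))
```

On the rows above the chain comes out as 2428 -> 1400 -> 1516 -> 2728 -> 2664 -> 2640 -> 2696 with no branching, matching depths 1 to 7 of the tree; extending SAMPLE_EVENTS and SAMPLE_TREE with the remaining rows from the report gives the full 122-deep line.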