Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
19/05/2024, 21:42
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe
Resource
win7-20240508-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe
-
Size
176KB
-
MD5
2bfa18a0411647afe9ef8e51515a1caa
-
SHA1
2b164647d74eaa79b119bff2588b7c602a990ddc
-
SHA256
5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af
-
SHA512
bdc2f8e20e27ed298d5c94e6dee7c0dcf0416dc6849860a4ee94d877e52c8e102d38cff4746808e93aaa9ef0fa359ff369d8d43d94d644671655fd9318f0c3da
-
SSDEEP
3072:2KqccIXV6TBFZnIPQarlOGA8d2E2fAYjmjRrz3E3:6cfMtFZIPQRXE2fAEG4
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmmfmbhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgikfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lilanioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkepnjng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceonl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibljoco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmnaakne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kipabjil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcpllo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgkhlnbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhcnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imbaemhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaimbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdffocib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcgohig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nafokcol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqklmpdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecmlcmhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gppekj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iikopmkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdcijcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mamleegg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncldnkae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idacmfkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liggbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dljqpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmoliohh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjolnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hibljoco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nklfoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcidfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbckbepg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idofhfmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifopiajn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbmfoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpaghf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgidml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icgqggce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibccic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpojcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kipabjil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mciobn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcklgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmkbnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcnnaikp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Habnjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfofbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjbako32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmnjhioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fflaff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjolnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdemhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fodeolof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifjfnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcmofolg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnhfee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dokjbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dakbckbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjjjle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgdbkohf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hboagf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbhdmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laalifad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mglack32.exe -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral2/files/0x000b0000000232f0-7.dat UPX behavioral2/files/0x000700000002340d-15.dat UPX behavioral2/files/0x000700000002340f-24.dat UPX behavioral2/files/0x0007000000023414-40.dat UPX behavioral2/files/0x0007000000023416-48.dat UPX behavioral2/files/0x000700000002341a-63.dat UPX behavioral2/files/0x000700000002341c-66.dat UPX behavioral2/files/0x000700000002341e-81.dat UPX behavioral2/files/0x0007000000023422-96.dat UPX behavioral2/files/0x0007000000023428-119.dat UPX behavioral2/files/0x0007000000023432-159.dat UPX behavioral2/files/0x0007000000023436-175.dat UPX behavioral2/files/0x000700000002343a-186.dat UPX behavioral2/files/0x000700000002343c-199.dat UPX behavioral2/files/0x000700000002344a-247.dat UPX behavioral2/files/0x000700000002346b-343.dat UPX behavioral2/files/0x000700000002347e-409.dat UPX behavioral2/files/0x0003000000021e1b-420.dat UPX behavioral2/files/0x00070000000234cd-662.dat UPX behavioral2/files/0x0007000000023505-848.dat UPX behavioral2/files/0x0007000000023515-903.dat UPX behavioral2/files/0x000700000002362e-1866.dat UPX behavioral2/files/0x000700000002363a-1905.dat UPX behavioral2/files/0x0007000000023646-1945.dat UPX behavioral2/files/0x0007000000023642-1933.dat UPX behavioral2/files/0x0007000000023634-1886.dat UPX behavioral2/files/0x0007000000023624-1831.dat UPX behavioral2/files/0x0007000000023610-1764.dat UPX behavioral2/files/0x00070000000235f6-1677.dat UPX behavioral2/files/0x00070000000235ee-1651.dat UPX behavioral2/files/0x00070000000235de-1601.dat UPX behavioral2/files/0x00070000000235d8-1581.dat UPX behavioral2/files/0x00070000000235d5-1561.dat UPX behavioral2/files/0x00070000000235cc-1523.dat UPX behavioral2/files/0x00070000000235b4-1442.dat UPX behavioral2/files/0x00070000000235a8-1402.dat UPX behavioral2/files/0x0007000000023593-1345.dat UPX behavioral2/files/0x0007000000023589-1312.dat UPX behavioral2/files/0x000700000002357f-1280.dat UPX behavioral2/files/0x0007000000023575-1246.dat UPX behavioral2/files/0x000700000002356f-1228.dat UPX behavioral2/files/0x0007000000023550-1126.dat UPX behavioral2/files/0x000800000002337a-1023.dat UPX behavioral2/files/0x0007000000023526-955.dat UPX behavioral2/files/0x0007000000023511-888.dat UPX behavioral2/files/0x00070000000234f5-797.dat UPX behavioral2/files/0x00070000000234e7-749.dat UPX behavioral2/files/0x00070000000234d9-703.dat UPX behavioral2/files/0x00070000000234c5-635.dat UPX behavioral2/files/0x00070000000234c1-623.dat UPX behavioral2/files/0x000a000000023365-609.dat UPX behavioral2/files/0x00070000000234bb-597.dat UPX behavioral2/files/0x00070000000234b7-585.dat UPX behavioral2/files/0x00070000000234ac-546.dat UPX behavioral2/files/0x00070000000234a8-535.dat UPX behavioral2/files/0x000700000002349e-505.dat UPX behavioral2/files/0x000700000002348c-457.dat UPX behavioral2/files/0x0007000000023486-439.dat UPX behavioral2/files/0x000700000002344e-263.dat UPX behavioral2/files/0x000700000002344c-256.dat UPX behavioral2/files/0x0007000000023448-241.dat UPX behavioral2/files/0x0007000000023444-229.dat UPX behavioral2/files/0x0007000000023442-223.dat UPX behavioral2/files/0x0007000000023440-216.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 4660 Dljqpd32.exe 4328 Dohmlp32.exe 2544 Dagiil32.exe 688 Djnaji32.exe 2164 Dhqaefng.exe 2092 Dphifcoi.exe 1560 Dokjbp32.exe 3320 Daifnk32.exe 644 Dfdbojmq.exe 3540 Dhcnke32.exe 4868 Dpjflb32.exe 4980 Dchbhn32.exe 1796 Dakbckbe.exe 3008 Ejbkehcg.exe 1044 Elagacbk.exe 4064 Eoocmoao.exe 4356 Eckonn32.exe 3264 Efikji32.exe 4544 Ehhgfdho.exe 1752 Epopgbia.exe 3780 Ecmlcmhe.exe 4192 Ehjdldfl.exe 4248 Eqalmafo.exe 5032 Ecphimfb.exe 1412 Ebbidj32.exe 4692 Ejjqeg32.exe 4196 Elhmablc.exe 2548 Eofinnkf.exe 3356 Ebeejijj.exe 4860 Emjjgbjp.exe 3772 Eoifcnid.exe 5004 Ecdbdl32.exe 2872 Ffbnph32.exe 1564 Fjnjqfij.exe 3388 Fmmfmbhn.exe 380 Fokbim32.exe 1836 Fbioei32.exe 4896 Ffekegon.exe 3764 Ficgacna.exe 4864 Fmocba32.exe 2392 Fomonm32.exe 1264 Fcikolnh.exe 3976 Fbllkh32.exe 4068 Fjcclf32.exe 3500 Fmapha32.exe 4176 Fqmlhpla.exe 3132 Fckhdk32.exe 2848 Fbnhphbp.exe 4416 Ffjdqg32.exe 1684 Fihqmb32.exe 4024 Fmclmabe.exe 2888 Fqohnp32.exe 4128 Fobiilai.exe 2856 Fcnejk32.exe 5044 Fflaff32.exe 5048 Fijmbb32.exe 4008 Fmficqpc.exe 1312 Fodeolof.exe 3232 Gcpapkgp.exe 3864 Gfnnlffc.exe 1056 Gjjjle32.exe 1192 Gmhfhp32.exe 1976 Gqdbiofi.exe 2360 Gogbdl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ogedoeae.dll Eoifcnid.exe File opened for modification C:\Windows\SysWOW64\Dfdbojmq.exe Daifnk32.exe File opened for modification C:\Windows\SysWOW64\Ibccic32.exe Idacmfkj.exe File created C:\Windows\SysWOW64\Jiphkm32.exe Jjmhppqd.exe File created C:\Windows\SysWOW64\Anjekdho.dll Jbhmdbnp.exe File created C:\Windows\SysWOW64\Lfhilofo.dll Ecphimfb.exe File created C:\Windows\SysWOW64\Gbenqg32.exe Gogbdl32.exe File created C:\Windows\SysWOW64\Bkmdbdbp.dll Gjocgdkg.exe File opened for modification C:\Windows\SysWOW64\Lkgdml32.exe Lgkhlnbn.exe File created C:\Windows\SysWOW64\Gpnkgo32.dll Mkepnjng.exe File created C:\Windows\SysWOW64\Mkgmcjld.exe Mglack32.exe File created C:\Windows\SysWOW64\Codhke32.dll Mjjmog32.exe File created C:\Windows\SysWOW64\Mpdelajl.exe Maaepd32.exe File created C:\Windows\SysWOW64\Hndnbj32.dll Fmocba32.exe File created C:\Windows\SysWOW64\Liggbi32.exe Lgikfn32.exe File opened for modification C:\Windows\SysWOW64\Mjeddggd.exe Mkbchk32.exe File opened for modification C:\Windows\SysWOW64\Fobiilai.exe Fqohnp32.exe File created C:\Windows\SysWOW64\Qngfmkdl.dll Ifhiib32.exe File opened for modification C:\Windows\SysWOW64\Hikfip32.exe Hjhfnccl.exe File created C:\Windows\SysWOW64\Ffjdqg32.exe Fbnhphbp.exe File created C:\Windows\SysWOW64\Ibjqcd32.exe Icgqggce.exe File created C:\Windows\SysWOW64\Nilhco32.dll Jangmibi.exe File created C:\Windows\SysWOW64\Lpocjdld.exe Lmqgnhmp.exe File created C:\Windows\SysWOW64\Lnohlokp.dll Mnocof32.exe File created C:\Windows\SysWOW64\Djnaji32.exe Dagiil32.exe File created C:\Windows\SysWOW64\Lcbiao32.exe Ldohebqh.exe File created C:\Windows\SysWOW64\Nkcmohbg.exe Nggqoj32.exe File created C:\Windows\SysWOW64\Icgqggce.exe Ipldfi32.exe File created C:\Windows\SysWOW64\Jbfpobpb.exe Jdcpcf32.exe File opened for modification C:\Windows\SysWOW64\Mamleegg.exe Mnapdf32.exe File created C:\Windows\SysWOW64\Mkepnjng.exe Mgidml32.exe File created C:\Windows\SysWOW64\Nafokcol.exe Nafokcol.exe File created C:\Windows\SysWOW64\Fflaff32.exe Fcnejk32.exe File opened for modification C:\Windows\SysWOW64\Ijkljp32.exe Ifopiajn.exe File created C:\Windows\SysWOW64\Ndninjfg.dll Jagqlj32.exe File created C:\Windows\SysWOW64\Nqjfoc32.dll Kbdmpqcb.exe File created C:\Windows\SysWOW64\Gcgqhjop.dll Lgikfn32.exe File created C:\Windows\SysWOW64\Lpacnb32.dll Gmoliohh.exe File created C:\Windows\SysWOW64\Gjclbc32.exe Gfhqbe32.exe File opened for modification C:\Windows\SysWOW64\Impepm32.exe Iidipnal.exe File opened for modification C:\Windows\SysWOW64\Maohkd32.exe Mjhqjg32.exe File created C:\Windows\SysWOW64\Ebbidj32.exe Ecphimfb.exe File created C:\Windows\SysWOW64\Fqmlhpla.exe Fmapha32.exe File opened for modification C:\Windows\SysWOW64\Ibjqcd32.exe Icgqggce.exe File created C:\Windows\SysWOW64\Mjjmog32.exe Mkgmcjld.exe File created C:\Windows\SysWOW64\Mnfipekh.exe Mnfipekh.exe File opened for modification C:\Windows\SysWOW64\Fbioei32.exe Fokbim32.exe File created C:\Windows\SysWOW64\Maohkd32.exe Mjhqjg32.exe File created C:\Windows\SysWOW64\Ofdhdf32.dll Kgfoan32.exe File opened for modification C:\Windows\SysWOW64\Ficgacna.exe Ffekegon.exe File created C:\Windows\SysWOW64\Hfcpncdk.exe Hbhdmd32.exe File created C:\Windows\SysWOW64\Imbaemhc.exe Iiffen32.exe File created C:\Windows\SysWOW64\Phogofep.dll Ifjfnb32.exe File created C:\Windows\SysWOW64\Jkdnpo32.exe Jfhbppbc.exe File created C:\Windows\SysWOW64\Majopeii.exe Mnocof32.exe File created C:\Windows\SysWOW64\Dlddhggk.dll Nqmhbpba.exe File opened for modification C:\Windows\SysWOW64\Dljqpd32.exe 5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe File created C:\Windows\SysWOW64\Dngdgf32.dll Lgkhlnbn.exe File opened for modification C:\Windows\SysWOW64\Mkbchk32.exe Mgghhlhq.exe File created C:\Windows\SysWOW64\Qnoaog32.dll Jiphkm32.exe File opened for modification C:\Windows\SysWOW64\Himcoo32.exe Hjjbcbqj.exe File created C:\Windows\SysWOW64\Gmaioo32.exe Gjclbc32.exe File created C:\Windows\SysWOW64\Denfkg32.dll Hfofbd32.exe File created C:\Windows\SysWOW64\Hbeghene.exe Hccglh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8892 8752 WerFault.exe 390 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll" Kbdmpqcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbfiep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpaifalo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjocgdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehbccoaj.dll" Hcqjfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll" Jbmfoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcifkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmoliohh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjolnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imihfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll" Kipabjil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hihicplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll" Ibmmhdhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmjqmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njacpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhqaefng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfliccm.dll" Ficgacna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqmlhpla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icgqggce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdhbec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhcnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efikji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffekegon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jidbflcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll" Gcidfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll" Mglack32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgpagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll" Nnmopdep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dohmlp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffbnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adakia32.dll" Hjfihc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll" Jbhmdbnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjhqjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dchbhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll" Lphfpbdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndbnboqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peeafpaf.dll" Gbenqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hboagf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjolnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kajfig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fflaff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfcpncdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgnnhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fckhdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll" Kaqcbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdcijcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Himcoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll" Kmegbjgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkihknfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgpagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibgnfha.dll" Fokbim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmqgnhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njcpee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll" Hbeghene.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iakaql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll" Imihfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll" Lmqgnhmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebeejijj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbpag32.dll" Fomonm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll" Gjocgdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifjfnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkgmcjld.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3148 wrote to memory of 4660 3148 5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe 82 PID 3148 wrote to memory of 4660 3148 5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe 82 PID 3148 wrote to memory of 4660 3148 5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe 82 PID 4660 wrote to memory of 4328 4660 Dljqpd32.exe 83 PID 4660 wrote to memory of 4328 4660 Dljqpd32.exe 83 PID 4660 wrote to memory of 4328 4660 Dljqpd32.exe 83 PID 4328 wrote to memory of 2544 4328 Dohmlp32.exe 84 PID 4328 wrote to memory of 2544 4328 Dohmlp32.exe 84 PID 4328 wrote to memory of 2544 4328 Dohmlp32.exe 84 PID 2544 wrote to memory of 688 2544 Dagiil32.exe 85 PID 2544 wrote to memory of 688 2544 Dagiil32.exe 85 PID 2544 wrote to memory of 688 2544 Dagiil32.exe 85 PID 688 wrote to memory of 2164 688 Djnaji32.exe 86 PID 688 wrote to memory of 2164 688 Djnaji32.exe 86 PID 688 wrote to memory of 2164 688 Djnaji32.exe 86 PID 2164 wrote to memory of 2092 2164 Dhqaefng.exe 87 PID 2164 wrote to memory of 2092 2164 Dhqaefng.exe 87 PID 2164 wrote to memory of 2092 2164 Dhqaefng.exe 87 PID 2092 wrote to memory of 1560 2092 Dphifcoi.exe 88 PID 2092 wrote to memory of 1560 2092 Dphifcoi.exe 88 PID 2092 wrote to memory of 1560 2092 Dphifcoi.exe 88 PID 1560 wrote to memory of 3320 1560 Dokjbp32.exe 89 PID 1560 wrote to memory of 3320 1560 Dokjbp32.exe 89 PID 1560 wrote to memory of 3320 1560 Dokjbp32.exe 89 PID 3320 wrote to memory of 644 3320 Daifnk32.exe 90 PID 3320 wrote to memory of 644 3320 Daifnk32.exe 90 PID 3320 wrote to memory of 644 3320 Daifnk32.exe 90 PID 644 wrote to memory of 3540 644 Dfdbojmq.exe 91 PID 644 wrote to memory of 3540 644 Dfdbojmq.exe 91 PID 644 wrote to memory of 3540 644 Dfdbojmq.exe 91 PID 3540 wrote to memory of 4868 3540 Dhcnke32.exe 92 PID 3540 wrote to memory of 4868 3540 Dhcnke32.exe 92 PID 3540 wrote to memory of 4868 3540 Dhcnke32.exe 92 PID 4868 wrote to memory of 4980 4868 Dpjflb32.exe 93 PID 4868 wrote to memory of 4980 4868 Dpjflb32.exe 93 PID 4868 wrote to memory of 4980 4868 Dpjflb32.exe 93 PID 4980 wrote to memory of 1796 4980 Dchbhn32.exe 94 PID 4980 wrote to memory of 1796 4980 Dchbhn32.exe 94 PID 4980 wrote to memory of 1796 4980 Dchbhn32.exe 94 PID 1796 wrote to memory of 3008 1796 Dakbckbe.exe 95 PID 1796 wrote to memory of 3008 1796 Dakbckbe.exe 95 PID 1796 wrote to memory of 3008 1796 Dakbckbe.exe 95 PID 3008 wrote to memory of 1044 3008 Ejbkehcg.exe 97 PID 3008 wrote to memory of 1044 3008 Ejbkehcg.exe 97 PID 3008 wrote to memory of 1044 3008 Ejbkehcg.exe 97 PID 1044 wrote to memory of 4064 1044 Elagacbk.exe 98 PID 1044 wrote to memory of 4064 1044 Elagacbk.exe 98 PID 1044 wrote to memory of 4064 1044 Elagacbk.exe 98 PID 4064 wrote to memory of 4356 4064 Eoocmoao.exe 99 PID 4064 wrote to memory of 4356 4064 Eoocmoao.exe 99 PID 4064 wrote to memory of 4356 4064 Eoocmoao.exe 99 PID 4356 wrote to memory of 3264 4356 Eckonn32.exe 101 PID 4356 wrote to memory of 3264 4356 Eckonn32.exe 101 PID 4356 wrote to memory of 3264 4356 Eckonn32.exe 101 PID 3264 wrote to memory of 4544 3264 Efikji32.exe 102 PID 3264 wrote to memory of 4544 3264 Efikji32.exe 102 PID 3264 wrote to memory of 4544 3264 Efikji32.exe 102 PID 4544 wrote to memory of 1752 4544 Ehhgfdho.exe 103 PID 4544 wrote to memory of 1752 4544 Ehhgfdho.exe 103 PID 4544 wrote to memory of 1752 4544 Ehhgfdho.exe 103 PID 1752 wrote to memory of 3780 1752 Epopgbia.exe 105 PID 1752 wrote to memory of 3780 1752 Epopgbia.exe 105 PID 1752 wrote to memory of 3780 1752 Epopgbia.exe 105 PID 3780 wrote to memory of 4192 3780 Ecmlcmhe.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe"C:\Users\Admin\AppData\Local\Temp\5426170bcaa6e3dbf866b1968202298bdad3447ca601d3911e165b270ae809af.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Djnaji32.exeC:\Windows\system32\Djnaji32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:688 -
C:\Windows\SysWOW64\Dhqaefng.exeC:\Windows\system32\Dhqaefng.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Dphifcoi.exeC:\Windows\system32\Dphifcoi.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Dokjbp32.exeC:\Windows\system32\Dokjbp32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\Dfdbojmq.exeC:\Windows\system32\Dfdbojmq.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\Dchbhn32.exeC:\Windows\system32\Dchbhn32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Efikji32.exeC:\Windows\system32\Efikji32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe23⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe24⤵
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5032 -
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe26⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe27⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe28⤵
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe29⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Ebeejijj.exeC:\Windows\system32\Ebeejijj.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:3356 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe31⤵PID:5056
-
C:\Windows\SysWOW64\Emjjgbjp.exeC:\Windows\system32\Emjjgbjp.exe32⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3772 -
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe34⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Fjnjqfij.exeC:\Windows\system32\Fjnjqfij.exe36⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:380 -
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe39⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4896 -
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:3764 -
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4864 -
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe44⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe45⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Fjcclf32.exeC:\Windows\system32\Fjcclf32.exe46⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Fmapha32.exeC:\Windows\system32\Fmapha32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3500 -
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:4176 -
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:3132 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe51⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe52⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe53⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe55⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5044 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe58⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Fmficqpc.exeC:\Windows\system32\Fmficqpc.exe59⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe61⤵
- Executes dropped EXE
PID:3232 -
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe62⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Gmhfhp32.exeC:\Windows\system32\Gmhfhp32.exe64⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe65⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Gogbdl32.exeC:\Windows\system32\Gogbdl32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe67⤵
- Modifies registry class
PID:5020 -
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe68⤵PID:3752
-
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe69⤵PID:2600
-
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2508 -
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe71⤵PID:4964
-
C:\Windows\SysWOW64\Gbgkfg32.exeC:\Windows\system32\Gbgkfg32.exe72⤵PID:724
-
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:5100 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe74⤵PID:3276
-
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe75⤵PID:512
-
C:\Windows\SysWOW64\Gidphq32.exeC:\Windows\system32\Gidphq32.exe76⤵PID:1596
-
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Gpnhekgl.exeC:\Windows\system32\Gpnhekgl.exe78⤵PID:2024
-
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1260 -
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe80⤵
- Drops file in System32 directory
PID:884 -
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe81⤵
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe82⤵PID:1472
-
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe83⤵PID:5152
-
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5196 -
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5240 -
C:\Windows\SysWOW64\Hjfihc32.exeC:\Windows\system32\Hjfihc32.exe86⤵
- Modifies registry class
PID:5280 -
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe87⤵
- Modifies registry class
PID:5320 -
C:\Windows\SysWOW64\Hapaemll.exeC:\Windows\system32\Hapaemll.exe88⤵PID:5360
-
C:\Windows\SysWOW64\Hcnnaikp.exeC:\Windows\system32\Hcnnaikp.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5412 -
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe90⤵PID:5448
-
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe91⤵
- Drops file in System32 directory
PID:5492 -
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe92⤵PID:5532
-
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5572 -
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe94⤵PID:5616
-
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe95⤵
- Modifies registry class
PID:5660 -
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5704 -
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5740 -
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe98⤵
- Drops file in System32 directory
PID:5784 -
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe99⤵
- Modifies registry class
PID:5828 -
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe100⤵PID:5872
-
C:\Windows\SysWOW64\Hpgkkioa.exeC:\Windows\system32\Hpgkkioa.exe101⤵PID:5920
-
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe102⤵
- Drops file in System32 directory
PID:5968 -
C:\Windows\SysWOW64\Hbeghene.exeC:\Windows\system32\Hbeghene.exe103⤵
- Modifies registry class
PID:6020 -
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe104⤵PID:6056
-
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe105⤵PID:6104
-
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe106⤵PID:1340
-
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3984 -
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe108⤵
- Modifies registry class
PID:5248 -
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5356 -
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5408 -
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe111⤵PID:5540
-
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe112⤵
- Drops file in System32 directory
PID:5648 -
C:\Windows\SysWOW64\Icgqggce.exeC:\Windows\system32\Icgqggce.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5736 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe114⤵PID:5796
-
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe115⤵PID:5880
-
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe116⤵PID:5940
-
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe117⤵
- Drops file in System32 directory
PID:6000 -
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe118⤵PID:6068
-
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe119⤵
- Modifies registry class
PID:6136 -
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe120⤵PID:5376
-
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe121⤵
- Modifies registry class
PID:5308
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-