Analysis
max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2024 21:54

Static task: static1

Behavioral task: behavioral1
Sample: 472dc42f9a13ca003ed7dcefcf3a1ae6d5a66e44d768a61ea765705052074a31.exe
Resource: win7-20240215-en

Behavioral task: behavioral2
Sample: 472dc42f9a13ca003ed7dcefcf3a1ae6d5a66e44d768a61ea765705052074a31.exe
Resource: win10v2004-20240226-en

General
Target: 472dc42f9a13ca003ed7dcefcf3a1ae6d5a66e44d768a61ea765705052074a31.exe
Size: 192KB
MD5: c88ae64d9c8389fecb55dd5b5d75512b
SHA1: f170cf0b7395a6073e509f5bb642ed7d167f75c6
SHA256: 472dc42f9a13ca003ed7dcefcf3a1ae6d5a66e44d768a61ea765705052074a31
SHA512: 97091ed5a1807356878f6b07b38381b67247887ff6e0b8591edc74ece89b7a3f5ba3d98542fe94249ccb4d5f87b487eda90f6a4410b2a9b32cc743b775bca2de
SSDEEP: 1536:IONACN9um0e2TT4ObwtcGN87KWhn74N3mB/Oe5lQtpnouy8O6Nuf51TQmQM22Owo:bzum0PZbwtlK2hM/fzc5outkTy27zU
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gaqhjggp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hagnihom.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nofmndkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Foapaa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfmghdpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bgelgi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abmjqe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmedjl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gdhjpjjd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cckmklac.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qacameaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kbkdgj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ojdgnn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gbbkocid.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdghhb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Joikdk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oqoefand.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmfhjhdm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqdlpmce.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eemgkpef.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gkcdfl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ilnlom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mbgeqmjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pblajhje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eekjep32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omgabj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knenkbio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oaifpi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aimogakj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ppepkmhi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdiglgbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ldnjndpo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfmmajed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pmeoqlpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Naqqmieo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gaepgacn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibaeen32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmfkhmdi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdhjpjjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fejegaao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mabdlk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkjckkcg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ffnglc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eflocepa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kicfijal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qmlmjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nqcejcha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Khonkogj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jnjednnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dgplai32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fooclapd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohqpjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nkebee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ihkjno32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iqgjmg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hklglk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Edfknb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eikpan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Khnfce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nofmndkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ncjdki32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gddqejni.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lacbpccn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbehienn.exe
UPX dump on OEP (original entry point) 64 IoCs
resource | yara_rule
behavioral2/files/0x000800000002326a-6.dat | UPX
behavioral2/files/0x000800000002326e-14.dat | UPX
behavioral2/files/0x0008000000023272-17.dat | UPX
behavioral2/files/0x0007000000023274-30.dat | UPX
behavioral2/files/0x0007000000023277-38.dat | UPX
behavioral2/files/0x0007000000023279-46.dat | UPX
behavioral2/files/0x000700000002327b-54.dat | UPX
behavioral2/files/0x000700000002327d-62.dat | UPX
behavioral2/files/0x000700000002327f-70.dat | UPX
behavioral2/files/0x0007000000023281-78.dat | UPX
behavioral2/files/0x0007000000023283-86.dat | UPX
behavioral2/files/0x0007000000023285-94.dat | UPX
behavioral2/files/0x0007000000023287-102.dat | UPX
behavioral2/files/0x0007000000023289-110.dat | UPX
behavioral2/files/0x000700000002328b-117.dat | UPX
behavioral2/files/0x000700000002328e-126.dat | UPX
behavioral2/files/0x0007000000023290-129.dat | UPX
behavioral2/files/0x0007000000023292-142.dat | UPX
behavioral2/files/0x0007000000023294-150.dat | UPX
behavioral2/files/0x0007000000023296-158.dat | UPX
behavioral2/files/0x0007000000023298-166.dat | UPX
behavioral2/files/0x000700000002329a-175.dat | UPX
behavioral2/files/0x000700000002329c-182.dat | UPX
behavioral2/files/0x000700000002329e-190.dat | UPX
behavioral2/files/0x00070000000232a0-198.dat | UPX
behavioral2/files/0x00070000000232a2-206.dat | UPX
behavioral2/files/0x00070000000232a4-214.dat | UPX
behavioral2/files/0x00070000000232a6-222.dat | UPX
behavioral2/files/0x00070000000232a8-230.dat | UPX
behavioral2/files/0x00070000000232aa-238.dat | UPX
behavioral2/files/0x00070000000232ac-246.dat | UPX
behavioral2/files/0x00070000000232ae-254.dat | UPX
behavioral2/files/0x00070000000232b3-269.dat | UPX
behavioral2/files/0x00070000000232b7-281.dat | UPX
behavioral2/files/0x00070000000232c5-324.dat | UPX
behavioral2/files/0x00070000000232e5-420.dat | UPX
behavioral2/files/0x00070000000232f3-462.dat | UPX
behavioral2/files/0x00070000000232f7-474.dat | UPX
behavioral2/files/0x0007000000023322-611.dat | UPX
behavioral2/files/0x0007000000023328-634.dat | UPX
behavioral2/files/0x0007000000023332-673.dat | UPX
behavioral2/files/0x0007000000023340-725.dat | UPX
behavioral2/files/0x000700000002334d-770.dat | UPX
behavioral2/files/0x000700000002335d-832.dat | UPX
behavioral2/files/0x000700000002336b-884.dat | UPX
behavioral2/files/0x0007000000023373-913.dat | UPX
behavioral2/files/0x000700000002337f-955.dat | UPX
behavioral2/files/0x000700000002338f-1011.dat | UPX
behavioral2/files/0x00070000000233a4-1075.dat | UPX
behavioral2/files/0x00070000000233b0-1115.dat | UPX
behavioral2/files/0x00070000000233b8-1143.dat | UPX
behavioral2/files/0x00070000000233bc-1157.dat | UPX
behavioral2/files/0x00070000000233d0-1226.dat | UPX
behavioral2/files/0x00070000000233d6-1248.dat | UPX
behavioral2/files/0x00070000000233dc-1268.dat | UPX
behavioral2/files/0x00070000000233f3-1330.dat | UPX
behavioral2/files/0x000700000002341d-1488.dat | UPX
behavioral2/files/0x0007000000023423-1511.dat | UPX
behavioral2/files/0x0007000000023429-1534.dat | UPX
behavioral2/files/0x000700000002342d-1549.dat | UPX
behavioral2/files/0x0007000000023431-1563.dat | UPX
behavioral2/files/0x0007000000023441-1623.dat | UPX
behavioral2/files/0x000700000002344c-1659.dat | UPX
behavioral2/files/0x0007000000023455-1693.dat | UPX
Executes dropped EXE 64 IoCs
pid | Process
2220 | Hfcnpn32.exe
1868 | Hpnoncim.exe
4400 | Hlepcdoa.exe
4572 | Ibaeen32.exe
3304 | Iebngial.exe
2076 | Imkbnf32.exe
5016 | Ickglm32.exe
4684 | Jmbhoeid.exe
1820 | Jniood32.exe
1328 | Jlolpq32.exe
1568 | Klahfp32.exe
3656 | Koaagkcb.exe
4700 | Knenkbio.exe
1248 | Kngkqbgl.exe
3368 | Lqhdbm32.exe
1976 | Lnldla32.exe
3732 | Ljeafb32.exe
4560 | Mmfkhmdi.exe
2068 | Mqdcnl32.exe
3724 | Mqfpckhm.exe
4100 | Mjodla32.exe
572 | Mjaabq32.exe
3580 | Mcifkf32.exe
4300 | Njfkmphe.exe
2184 | Nflkbanj.exe
3968 | Nglhld32.exe
4456 | Ncchae32.exe
2120 | Oaifpi32.exe
1688 | Ojdgnn32.exe
232 | Oaplqh32.exe
4848 | Opeiadfg.exe
4012 | Pffgom32.exe
548 | Qhhpop32.exe
1772 | Qfmmplad.exe
3784 | Qacameaj.exe
3348 | Adcjop32.exe
2132 | Aagkhd32.exe
3592 | Adhdjpjf.exe
4744 | Aopemh32.exe
2208 | Bmeandma.exe
3400 | Bkibgh32.exe
4868 | Bogkmgba.exe
4092 | Bgbpaipl.exe
2612 | Bgelgi32.exe
2736 | Chdialdl.exe
64 | Cammjakm.exe
1724 | Ckebcg32.exe
1496 | Cglbhhga.exe
5036 | Cdpcal32.exe
2148 | Cnhgjaml.exe
1556 | Cgqlcg32.exe
844 | Dpiplm32.exe
1440 | Dkndie32.exe
3872 | Dgeenfog.exe
540 | Dqnjgl32.exe
1964 | Doojec32.exe
456 | Dgjoif32.exe
4632 | Dqbcbkab.exe
3308 | Enfckp32.exe
4028 | Enhpao32.exe
872 | Egaejeej.exe
1544 | Ehpadhll.exe
2496 | Ebifmm32.exe
4964 | Egened32.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Okodlgbl.exe | Opjponbf.exe
File opened for modification | C:\Windows\SysWOW64\Fjfgealk.exe | Fppchile.exe
File created | C:\Windows\SysWOW64\Eemeqinf.dll | Dgdncplk.exe
File opened for modification | C:\Windows\SysWOW64\Amkabind.exe | Abemep32.exe
File created | C:\Windows\SysWOW64\Bqbohocd.exe | Bgjjoi32.exe
File created | C:\Windows\SysWOW64\Aobmce32.dll | Fkhpfbce.exe
File created | C:\Windows\SysWOW64\Pdchakoo.exe | Pindcboi.exe
File created | C:\Windows\SysWOW64\Pdfdgbbe.dll | Ppnbpg32.exe
File opened for modification | C:\Windows\SysWOW64\Ickglm32.exe | Imkbnf32.exe
File opened for modification | C:\Windows\SysWOW64\Nmbhgjoi.exe | Nalgbi32.exe
File created | C:\Windows\SysWOW64\Hcpnhpba.dll | Jmccnk32.exe
File created | C:\Windows\SysWOW64\Jicchk32.dll | Ledepn32.exe
File created | C:\Windows\SysWOW64\Iikdpi32.dll | Eglbhnkp.exe
File created | C:\Windows\SysWOW64\Neeifa32.exe | Npipnjmm.exe
File created | C:\Windows\SysWOW64\Lambibap.dll | Gpnoigpe.exe
File created | C:\Windows\SysWOW64\Opepqban.dll | Qkfkng32.exe
File created | C:\Windows\SysWOW64\Bncpjk32.dll | Okeklcen.exe
File created | C:\Windows\SysWOW64\Hgnlgdfg.dll | Hcaibo32.exe
File opened for modification | C:\Windows\SysWOW64\Gkcdfl32.exe | Golcak32.exe
File created | C:\Windows\SysWOW64\Ichnpf32.dll | Kdpiqehp.exe
File opened for modification | C:\Windows\SysWOW64\Pofhbgmn.exe | Pdqcenmg.exe
File created | C:\Windows\SysWOW64\Ngnppfgb.exe | Nkgoke32.exe
File created | C:\Windows\SysWOW64\Klahfp32.exe | Jlolpq32.exe
File created | C:\Windows\SysWOW64\Egoqkpqo.dll | Nfnooe32.exe
File opened for modification | C:\Windows\SysWOW64\Flgadake.exe | Femigg32.exe
File opened for modification | C:\Windows\SysWOW64\Gekeie32.exe | Giddddad.exe
File opened for modification | C:\Windows\SysWOW64\Okcogc32.exe | Oeffnl32.exe
File created | C:\Windows\SysWOW64\Jcgldl32.exe | Jmmcgbnf.exe
File opened for modification | C:\Windows\SysWOW64\Maeaajpl.exe | Mfomda32.exe
File opened for modification | C:\Windows\SysWOW64\Aopemh32.exe | Adhdjpjf.exe
File opened for modification | C:\Windows\SysWOW64\Ddhhbngi.exe | Ddekmo32.exe
File created | C:\Windows\SysWOW64\Pbcelacq.exe | Plimpg32.exe
File created | C:\Windows\SysWOW64\Chimmp32.dll | Jglkkiea.exe
File created | C:\Windows\SysWOW64\Loecgfjf.exe | Lnfgmc32.exe
File opened for modification | C:\Windows\SysWOW64\Bliajd32.exe | Bpbpecen.exe
File created | C:\Windows\SysWOW64\Ggicbe32.exe | Gnanioad.exe
File created | C:\Windows\SysWOW64\Oacdmo32.exe | Ngnppfgb.exe
File created | C:\Windows\SysWOW64\Hcefei32.dll | Ioffhn32.exe
File opened for modification | C:\Windows\SysWOW64\Ekeacmel.exe | Emdaee32.exe
File created | C:\Windows\SysWOW64\Dhobhlgk.dll | Mqkijnkp.exe
File opened for modification | C:\Windows\SysWOW64\Qmlmjq32.exe | Pdchakoo.exe
File created | C:\Windows\SysWOW64\Oooodcci.exe | Nbkojo32.exe
File created | C:\Windows\SysWOW64\Pjphcf32.dll | Obgohklm.exe
File created | C:\Windows\SysWOW64\Jopiom32.exe | Jgedjjki.exe
File opened for modification | C:\Windows\SysWOW64\Gojgkl32.exe | Gaffbg32.exe
File opened for modification | C:\Windows\SysWOW64\Kcgekjgp.exe | Kmmmnp32.exe
File opened for modification | C:\Windows\SysWOW64\Adbkmo32.exe | Ppdjpcng.exe
File created | C:\Windows\SysWOW64\Ojmgggdo.exe | Ollgiplp.exe
File opened for modification | C:\Windows\SysWOW64\Gpnoigpe.exe | Gjagapbn.exe
File created | C:\Windows\SysWOW64\Eflmeb32.dll | Chfaenfb.exe
File created | C:\Windows\SysWOW64\Giplpe32.dll | Fikihlmj.exe
File created | C:\Windows\SysWOW64\Kfcdaehf.exe | Kmkpipaf.exe
File created | C:\Windows\SysWOW64\Llngbabj.exe | Llkjmb32.exe
File created | C:\Windows\SysWOW64\Mjicah32.dll | Loopdmpk.exe
File opened for modification | C:\Windows\SysWOW64\Hfamia32.exe | Hmhhpkcj.exe
File opened for modification | C:\Windows\SysWOW64\Okodlgbl.exe | Opjponbf.exe
File opened for modification | C:\Windows\SysWOW64\Eqbcqnph.exe | Eflocepa.exe
File created | C:\Windows\SysWOW64\Mqfpckhm.exe | Mqdcnl32.exe
File created | C:\Windows\SysWOW64\Fkjmlaac.exe | Fkhpfbce.exe
File created | C:\Windows\SysWOW64\Fefmmcgh.dll | Ocgkan32.exe
File created | C:\Windows\SysWOW64\Ofnnhj32.dll | Iophnl32.exe
File created | C:\Windows\SysWOW64\Iomgjk32.dll | Ldlmieaa.exe
File opened for modification | C:\Windows\SysWOW64\Imkbnf32.exe | Iebngial.exe
File opened for modification | C:\Windows\SysWOW64\Klahfp32.exe | Jlolpq32.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2384 | 440 | WerFault.exe | 911
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Chdialdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khokadah.dll" | Bdcmkgmm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkhikf32.dll" | Pmeoqlpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeflknmj.dll" | Jgedjjki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhcajd32.dll" | Limpiomm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bgeadjai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jmccnk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Abdfkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dfemdcba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ollgiplp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcafemmh.dll" | Aljefena.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qppkhfec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nkgoke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kdeghfhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaalbnpg.dll" | Gohapb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jhjcbljf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ibqnkh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pencqe32.dll" | Pfccogfc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cnbfgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Flcndk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pfenga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haajpgna.dll" | Fmkqknci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Libido32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fkjmlaac.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fnffhgon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcqelbcc.dll" | Fjocbhbo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jhhodg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefnemqj.dll" | Acdioc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lennjaej.dll" | Jnmglk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madfepmc.dll" | Epgdch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inepckml.dll" | Mabdlk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eneilj32.dll" | Ohmepbki.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cjomldfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lenjfn32.dll" | Ijkdkq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Amdiei32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fjfgealk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gpmomo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedlic32.dll" | Hjolie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nkjckkcg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Agmehamp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eoladdeo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gohapb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mieeka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohonheg.dll" | Nqdlpmce.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iaahjmkn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mcifkf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cdaile32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpioeell.dll" | Pdgckg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgkbak32.dll" | Becknc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fgjpfqpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bqahmhpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ccigpbga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemnff32.dll" | Jmbhoeid.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oqoefand.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gddqejni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lacbpccn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Njfkmphe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bmagch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oacdmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Igghilhi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mapgfk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Adjnaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqoecpej.dll" | Gablgk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oaifpi32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 636 wrote to memory of 2220 | 636 | 472dc42f9a13ca003ed7dcefcf3a1ae6d5a66e44d768a61ea765705052074a31.exe | 91
PID 636 wrote to memory of 2220 | 636 | 472dc42f9a13ca003ed7dcefcf3a1ae6d5a66e44d768a61ea765705052074a31.exe | 91
PID 636 wrote to memory of 2220 | 636 | 472dc42f9a13ca003ed7dcefcf3a1ae6d5a66e44d768a61ea765705052074a31.exe | 91
PID 2220 wrote to memory of 1868 | 2220 | Hfcnpn32.exe | 92
PID 2220 wrote to memory of 1868 | 2220 | Hfcnpn32.exe | 92
PID 2220 wrote to memory of 1868 | 2220 | Hfcnpn32.exe | 92
PID 1868 wrote to memory of 4400 | 1868 | Hpnoncim.exe | 93
PID 1868 wrote to memory of 4400 | 1868 | Hpnoncim.exe | 93
PID 1868 wrote to memory of 4400 | 1868 | Hpnoncim.exe | 93
PID 4400 wrote to memory of 4572 | 4400 | Hlepcdoa.exe | 94
PID 4400 wrote to memory of 4572 | 4400 | Hlepcdoa.exe | 94
PID 4400 wrote to memory of 4572 | 4400 | Hlepcdoa.exe | 94
PID 4572 wrote to memory of 3304 | 4572 | Ibaeen32.exe | 95
PID 4572 wrote to memory of 3304 | 4572 | Ibaeen32.exe | 95
PID 4572 wrote to memory of 3304 | 4572 | Ibaeen32.exe | 95
PID 3304 wrote to memory of 2076 | 3304 | Iebngial.exe | 96
PID 3304 wrote to memory of 2076 | 3304 | Iebngial.exe | 96
PID 3304 wrote to memory of 2076 | 3304 | Iebngial.exe | 96
PID 2076 wrote to memory of 5016 | 2076 | Imkbnf32.exe | 97
PID 2076 wrote to memory of 5016 | 2076 | Imkbnf32.exe | 97
PID 2076 wrote to memory of 5016 | 2076 | Imkbnf32.exe | 97
PID 5016 wrote to memory of 4684 | 5016 | Ickglm32.exe | 98
PID 5016 wrote to memory of 4684 | 5016 | Ickglm32.exe | 98
PID 5016 wrote to memory of 4684 | 5016 | Ickglm32.exe | 98
PID 4684 wrote to memory of 1820 | 4684 | Jmbhoeid.exe | 99
PID 4684 wrote to memory of 1820 | 4684 | Jmbhoeid.exe | 99
PID 4684 wrote to memory of 1820 | 4684 | Jmbhoeid.exe | 99
PID 1820 wrote to memory of 1328 | 1820 | Jniood32.exe | 100
PID 1820 wrote to memory of 1328 | 1820 | Jniood32.exe | 100
PID 1820 wrote to memory of 1328 | 1820 | Jniood32.exe | 100
PID 1328 wrote to memory of 1568 | 1328 | Jlolpq32.exe | 101
PID 1328 wrote to memory of 1568 | 1328 | Jlolpq32.exe | 101
PID 1328 wrote to memory of 1568 | 1328 | Jlolpq32.exe | 101
PID 1568 wrote to memory of 3656 | 1568 | Klahfp32.exe | 102
PID 1568 wrote to memory of 3656 | 1568 | Klahfp32.exe | 102
PID 1568 wrote to memory of 3656 | 1568 | Klahfp32.exe | 102
PID 3656 wrote to memory of 4700 | 3656 | Koaagkcb.exe | 103
PID 3656 wrote to memory of 4700 | 3656 | Koaagkcb.exe | 103
PID 3656 wrote to memory of 4700 | 3656 | Koaagkcb.exe | 103
PID 4700 wrote to memory of 1248 | 4700 | Knenkbio.exe | 104
PID 4700 wrote to memory of 1248 | 4700 | Knenkbio.exe | 104
PID 4700 wrote to memory of 1248 | 4700 | Knenkbio.exe | 104
PID 1248 wrote to memory of 3368 | 1248 | Kngkqbgl.exe | 105
PID 1248 wrote to memory of 3368 | 1248 | Kngkqbgl.exe | 105
PID 1248 wrote to memory of 3368 | 1248 | Kngkqbgl.exe | 105
PID 3368 wrote to memory of 1976 | 3368 | Lqhdbm32.exe | 106
PID 3368 wrote to memory of 1976 | 3368 | Lqhdbm32.exe | 106
PID 3368 wrote to memory of 1976 | 3368 | Lqhdbm32.exe | 106
PID 1976 wrote to memory of 3732 | 1976 | Lnldla32.exe | 107
PID 1976 wrote to memory of 3732 | 1976 | Lnldla32.exe | 107
PID 1976 wrote to memory of 3732 | 1976 | Lnldla32.exe | 107
PID 3732 wrote to memory of 4560 | 3732 | Ljeafb32.exe | 108
PID 3732 wrote to memory of 4560 | 3732 | Ljeafb32.exe | 108
PID 3732 wrote to memory of 4560 | 3732 | Ljeafb32.exe | 108
PID 4560 wrote to memory of 2068 | 4560 | Mmfkhmdi.exe | 109
PID 4560 wrote to memory of 2068 | 4560 | Mmfkhmdi.exe | 109
PID 4560 wrote to memory of 2068 | 4560 | Mmfkhmdi.exe | 109
PID 2068 wrote to memory of 3724 | 2068 | Mqdcnl32.exe | 110
PID 2068 wrote to memory of 3724 | 2068 | Mqdcnl32.exe | 110
PID 2068 wrote to memory of 3724 | 2068 | Mqdcnl32.exe | 110
PID 3724 wrote to memory of 4100 | 3724 | Mqfpckhm.exe | 111
PID 3724 wrote to memory of 4100 | 3724 | Mqfpckhm.exe | 111
PID 3724 wrote to memory of 4100 | 3724 | Mqfpckhm.exe | 111
PID 4100 wrote to memory of 572 | 4100 | Mjodla32.exe | 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\472dc42f9a13ca003ed7dcefcf3a1ae6d5a66e44d768a61ea765705052074a31.exe"C:\Users\Admin\AppData\Local\Temp\472dc42f9a13ca003ed7dcefcf3a1ae6d5a66e44d768a61ea765705052074a31.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Hfcnpn32.exeC:\Windows\system32\Hfcnpn32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Hpnoncim.exeC:\Windows\system32\Hpnoncim.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Hlepcdoa.exeC:\Windows\system32\Hlepcdoa.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Ibaeen32.exeC:\Windows\system32\Ibaeen32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Iebngial.exeC:\Windows\system32\Iebngial.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\Imkbnf32.exeC:\Windows\system32\Imkbnf32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Ickglm32.exeC:\Windows\system32\Ickglm32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Jmbhoeid.exeC:\Windows\system32\Jmbhoeid.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\Jniood32.exeC:\Windows\system32\Jniood32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Jlolpq32.exeC:\Windows\system32\Jlolpq32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Klahfp32.exeC:\Windows\system32\Klahfp32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Koaagkcb.exeC:\Windows\system32\Koaagkcb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Knenkbio.exeC:\Windows\system32\Knenkbio.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\Kngkqbgl.exeC:\Windows\system32\Kngkqbgl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Lqhdbm32.exeC:\Windows\system32\Lqhdbm32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\SysWOW64\Lnldla32.exeC:\Windows\system32\Lnldla32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Ljeafb32.exeC:\Windows\system32\Ljeafb32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\SysWOW64\Mmfkhmdi.exeC:\Windows\system32\Mmfkhmdi.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Mqdcnl32.exeC:\Windows\system32\Mqdcnl32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Mqfpckhm.exeC:\Windows\system32\Mqfpckhm.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\SysWOW64\Mjodla32.exeC:\Windows\system32\Mjodla32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Mjaabq32.exeC:\Windows\system32\Mjaabq32.exe23⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Mcifkf32.exeC:\Windows\system32\Mcifkf32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:3580 -
C:\Windows\SysWOW64\Njfkmphe.exeC:\Windows\system32\Njfkmphe.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:4300 -
C:\Windows\SysWOW64\Nflkbanj.exeC:\Windows\system32\Nflkbanj.exe26⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Nglhld32.exeC:\Windows\system32\Nglhld32.exe27⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Ncchae32.exeC:\Windows\system32\Ncchae32.exe28⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Oaifpi32.exeC:\Windows\system32\Oaifpi32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Ojdgnn32.exeC:\Windows\system32\Ojdgnn32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Oaplqh32.exeC:\Windows\system32\Oaplqh32.exe31⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Opeiadfg.exeC:\Windows\system32\Opeiadfg.exe32⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Pffgom32.exeC:\Windows\system32\Pffgom32.exe33⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Qhhpop32.exeC:\Windows\system32\Qhhpop32.exe34⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Qfmmplad.exeC:\Windows\system32\Qfmmplad.exe35⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Qacameaj.exeC:\Windows\system32\Qacameaj.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3784 -
C:\Windows\SysWOW64\Adcjop32.exeC:\Windows\system32\Adcjop32.exe37⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Aagkhd32.exeC:\Windows\system32\Aagkhd32.exe38⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Adhdjpjf.exeC:\Windows\system32\Adhdjpjf.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3592 -
C:\Windows\SysWOW64\Aopemh32.exeC:\Windows\system32\Aopemh32.exe40⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Bmeandma.exeC:\Windows\system32\Bmeandma.exe41⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Bkibgh32.exeC:\Windows\system32\Bkibgh32.exe42⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Bogkmgba.exeC:\Windows\system32\Bogkmgba.exe43⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Bgbpaipl.exeC:\Windows\system32\Bgbpaipl.exe44⤵
- Executes dropped EXE
PID:4092 -
C:\Windows\SysWOW64\Bgelgi32.exeC:\Windows\system32\Bgelgi32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Chdialdl.exeC:\Windows\system32\Chdialdl.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Cammjakm.exeC:\Windows\system32\Cammjakm.exe47⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Ckebcg32.exeC:\Windows\system32\Ckebcg32.exe48⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Cglbhhga.exeC:\Windows\system32\Cglbhhga.exe49⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Cdpcal32.exeC:\Windows\system32\Cdpcal32.exe50⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Cnhgjaml.exeC:\Windows\system32\Cnhgjaml.exe51⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Cgqlcg32.exeC:\Windows\system32\Cgqlcg32.exe52⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Dpiplm32.exeC:\Windows\system32\Dpiplm32.exe53⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Dkndie32.exeC:\Windows\system32\Dkndie32.exe54⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Dgeenfog.exeC:\Windows\system32\Dgeenfog.exe55⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Dqnjgl32.exeC:\Windows\system32\Dqnjgl32.exe56⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Doojec32.exeC:\Windows\system32\Doojec32.exe57⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Dgjoif32.exeC:\Windows\system32\Dgjoif32.exe58⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Dqbcbkab.exeC:\Windows\system32\Dqbcbkab.exe59⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Enfckp32.exeC:\Windows\system32\Enfckp32.exe60⤵
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Enhpao32.exeC:\Windows\system32\Enhpao32.exe61⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Egaejeej.exeC:\Windows\system32\Egaejeej.exe62⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Ehpadhll.exeC:\Windows\system32\Ehpadhll.exe63⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Ebifmm32.exeC:\Windows\system32\Ebifmm32.exe64⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Egened32.exeC:\Windows\system32\Egened32.exe65⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Fooclapd.exeC:\Windows\system32\Fooclapd.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1452 -
C:\Windows\SysWOW64\Foapaa32.exeC:\Windows\system32\Foapaa32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3352 -
C:\Windows\SysWOW64\Fkhpfbce.exeC:\Windows\system32\Fkhpfbce.exe68⤵
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Fkjmlaac.exeC:\Windows\system32\Fkjmlaac.exe69⤵
- Modifies registry class
PID:1384 -
C:\Windows\SysWOW64\Fkmjaa32.exeC:\Windows\system32\Fkmjaa32.exe70⤵PID:1144
-
C:\Windows\SysWOW64\Fiqjke32.exeC:\Windows\system32\Fiqjke32.exe71⤵PID:4056
-
C:\Windows\SysWOW64\Gbiockdj.exeC:\Windows\system32\Gbiockdj.exe72⤵PID:4712
-
C:\Windows\SysWOW64\Gpmomo32.exeC:\Windows\system32\Gpmomo32.exe73⤵
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Giecfejd.exeC:\Windows\system32\Giecfejd.exe74⤵PID:664
-
C:\Windows\SysWOW64\Gaqhjggp.exeC:\Windows\system32\Gaqhjggp.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4004 -
C:\Windows\SysWOW64\Glfmgp32.exeC:\Windows\system32\Glfmgp32.exe76⤵PID:5128
-
C:\Windows\SysWOW64\Gpdennml.exeC:\Windows\system32\Gpdennml.exe77⤵PID:5172
-
C:\Windows\SysWOW64\Hpfbcn32.exeC:\Windows\system32\Hpfbcn32.exe78⤵PID:5224
-
C:\Windows\SysWOW64\Hhaggp32.exeC:\Windows\system32\Hhaggp32.exe79⤵PID:5292
-
C:\Windows\SysWOW64\Hajkqfoe.exeC:\Windows\system32\Hajkqfoe.exe80⤵PID:5332
-
C:\Windows\SysWOW64\Hehdfdek.exeC:\Windows\system32\Hehdfdek.exe81⤵PID:5384
-
C:\Windows\SysWOW64\Hnbeeiji.exeC:\Windows\system32\Hnbeeiji.exe82⤵PID:5456
-
C:\Windows\SysWOW64\Ihkjno32.exeC:\Windows\system32\Ihkjno32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5520 -
C:\Windows\SysWOW64\Ibqnkh32.exeC:\Windows\system32\Ibqnkh32.exe84⤵
- Modifies registry class
PID:5588 -
C:\Windows\SysWOW64\Ilibdmgp.exeC:\Windows\system32\Ilibdmgp.exe85⤵PID:5640
-
C:\Windows\SysWOW64\Ieagmcmq.exeC:\Windows\system32\Ieagmcmq.exe86⤵PID:5684
-
C:\Windows\SysWOW64\Ibegfglj.exeC:\Windows\system32\Ibegfglj.exe87⤵PID:5732
-
C:\Windows\SysWOW64\Ilnlom32.exeC:\Windows\system32\Ilnlom32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5780 -
C:\Windows\SysWOW64\Ipkdek32.exeC:\Windows\system32\Ipkdek32.exe89⤵PID:5828
-
C:\Windows\SysWOW64\Iamamcop.exeC:\Windows\system32\Iamamcop.exe90⤵PID:5880
-
C:\Windows\SysWOW64\Jhifomdj.exeC:\Windows\system32\Jhifomdj.exe91⤵PID:5936
-
C:\Windows\SysWOW64\Jihbip32.exeC:\Windows\system32\Jihbip32.exe92⤵PID:5984
-
C:\Windows\SysWOW64\Jeocna32.exeC:\Windows\system32\Jeocna32.exe93⤵PID:6028
-
C:\Windows\SysWOW64\Jbccge32.exeC:\Windows\system32\Jbccge32.exe94⤵PID:6076
-
C:\Windows\SysWOW64\Jojdlfeo.exeC:\Windows\system32\Jojdlfeo.exe95⤵PID:6124
-
C:\Windows\SysWOW64\Kpiqfima.exeC:\Windows\system32\Kpiqfima.exe96⤵PID:5160
-
C:\Windows\SysWOW64\Klpakj32.exeC:\Windows\system32\Klpakj32.exe97⤵PID:5272
-
C:\Windows\SysWOW64\Kidben32.exeC:\Windows\system32\Kidben32.exe98⤵PID:5308
-
C:\Windows\SysWOW64\Kifojnol.exeC:\Windows\system32\Kifojnol.exe99⤵PID:5452
-
C:\Windows\SysWOW64\Kiikpnmj.exeC:\Windows\system32\Kiikpnmj.exe100⤵PID:5572
-
C:\Windows\SysWOW64\Kcapicdj.exeC:\Windows\system32\Kcapicdj.exe101⤵PID:5664
-
C:\Windows\SysWOW64\Lhnhajba.exeC:\Windows\system32\Lhnhajba.exe102⤵PID:5740
-
C:\Windows\SysWOW64\Lafmjp32.exeC:\Windows\system32\Lafmjp32.exe103⤵PID:5792
-
C:\Windows\SysWOW64\Lpgmhg32.exeC:\Windows\system32\Lpgmhg32.exe104⤵PID:5888
-
C:\Windows\SysWOW64\Ledepn32.exeC:\Windows\system32\Ledepn32.exe105⤵
- Drops file in System32 directory
PID:5976 -
C:\Windows\SysWOW64\Lomjicei.exeC:\Windows\system32\Lomjicei.exe106⤵PID:6036
-
C:\Windows\SysWOW64\Lhenai32.exeC:\Windows\system32\Lhenai32.exe107⤵PID:6108
-
C:\Windows\SysWOW64\Loofnccf.exeC:\Windows\system32\Loofnccf.exe108⤵PID:5144
-
C:\Windows\SysWOW64\Lhgkgijg.exeC:\Windows\system32\Lhgkgijg.exe109⤵PID:5324
-
C:\Windows\SysWOW64\Loacdc32.exeC:\Windows\system32\Loacdc32.exe110⤵PID:5428
-
C:\Windows\SysWOW64\Mledmg32.exeC:\Windows\system32\Mledmg32.exe111⤵PID:5676
-
C:\Windows\SysWOW64\Mpclce32.exeC:\Windows\system32\Mpclce32.exe112⤵PID:5824
-
C:\Windows\SysWOW64\Mhoahh32.exeC:\Windows\system32\Mhoahh32.exe113⤵PID:5968
-
C:\Windows\SysWOW64\Mbgeqmjp.exeC:\Windows\system32\Mbgeqmjp.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6096 -
C:\Windows\SysWOW64\Mqhfoebo.exeC:\Windows\system32\Mqhfoebo.exe115⤵PID:5180
-
C:\Windows\SysWOW64\Mhckcgpj.exeC:\Windows\system32\Mhckcgpj.exe116⤵PID:5404
-
C:\Windows\SysWOW64\Nhegig32.exeC:\Windows\system32\Nhegig32.exe117⤵PID:5716
-
C:\Windows\SysWOW64\Nfihbk32.exeC:\Windows\system32\Nfihbk32.exe118⤵PID:5920
-
C:\Windows\SysWOW64\Nqoloc32.exeC:\Windows\system32\Nqoloc32.exe119⤵PID:6060
-
C:\Windows\SysWOW64\Njgqhicg.exeC:\Windows\system32\Njgqhicg.exe120⤵PID:5300
-
C:\Windows\SysWOW64\Nfnamjhk.exeC:\Windows\system32\Nfnamjhk.exe121⤵PID:5700
-
C:\Windows\SysWOW64\Nqcejcha.exeC:\Windows\system32\Nqcejcha.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5996
-