Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 20:38

Static task: static1

Behavioral task: behavioral1
  Sample: 2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe
  Resource: win10v2004-20240611-en
General
Target: 2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe
Size: 136KB
MD5: 27287a7d0a733309ec22b5fe3f24fe67
SHA1: f263e00708c442f00a278658249660680f7e3ac2
SHA256: 2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d
SHA512: 8029bf850ef0d6055d9940f067349b3c54ad04e5ea221de85aa1f80262c7a67954cffe5f1981cc5ff8d281e9a61c13fa4b0579b8b0d3862e3d76f01f228d6761
SSDEEP: 3072:Re0H4hxVDyQ5ovGuw1Pfo11pz7dgWKsi/mjRrz3OT:vYhxVDsvw1Pfo1rHyRsi/GOT
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qnnhhflf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hmioonpn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddgkpp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Djdmffnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pecgja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Njfmke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qajadlja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aqncedbp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agoabn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pecgja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aealah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ojllan32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eodlho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dafbne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Edbklofb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dddhpjof.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aackeqeb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhjkdg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eflhoigi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obidhaog.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bldgdago.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikbnacmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pnakhkol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pbekne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mcklgm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpaifalo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpmokb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dadlclim.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gifmnpnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oqbamo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Odpjcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aacckjaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pqmjog32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojgbfocc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Apndbici.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lgneampk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mgidml32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pqpnombl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bdhfhe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekcpbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ncdgcf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdpmpdbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pdmpje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | 2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ehjdldfl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kipabjil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lpocjdld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ckcgkldl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdhmnlcj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdnidn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Djpnohej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ibojncfj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bopgjmhe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fljcmlfd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbhfjljd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pclgkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Anmjcieo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhlocipo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hadkpm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nklfoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nkncdifl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Flqimk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kpeiioac.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfdhkhjj.exe
UPX dump on OEP (original entry point) (64 IoCs)

resource | yara_rule
behavioral2/files/0x000c0000000234f1-7.dat | UPX
behavioral2/files/0x000700000002353b-14.dat | UPX
behavioral2/files/0x000700000002353d-23.dat | UPX
behavioral2/files/0x000700000002353f-30.dat | UPX
behavioral2/files/0x0007000000023541-38.dat | UPX
behavioral2/files/0x0007000000023543-46.dat | UPX
behavioral2/files/0x0007000000023545-55.dat | UPX
behavioral2/files/0x0007000000023547-62.dat | UPX
behavioral2/files/0x0007000000023549-70.dat | UPX
behavioral2/files/0x000700000002354b-78.dat | UPX
behavioral2/files/0x000700000002354d-86.dat | UPX
behavioral2/files/0x000700000002354f-94.dat | UPX
behavioral2/files/0x0007000000023551-102.dat | UPX
behavioral2/files/0x0007000000023553-110.dat | UPX
behavioral2/files/0x0007000000023555-118.dat | UPX
behavioral2/files/0x0007000000023557-127.dat | UPX
behavioral2/files/0x0007000000023559-135.dat | UPX
behavioral2/files/0x000700000002355b-142.dat | UPX
behavioral2/files/0x000700000002355d-150.dat | UPX
behavioral2/files/0x000700000002355f-159.dat | UPX
behavioral2/files/0x0007000000023561-166.dat | UPX
behavioral2/files/0x0007000000023563-174.dat | UPX
behavioral2/files/0x0007000000023565-182.dat | UPX
behavioral2/files/0x0007000000023567-190.dat | UPX
behavioral2/files/0x0008000000023538-198.dat | UPX
behavioral2/files/0x000700000002356a-206.dat | UPX
behavioral2/files/0x000700000002356c-214.dat | UPX
behavioral2/files/0x000700000002356e-222.dat | UPX
behavioral2/files/0x0007000000023570-230.dat | UPX
behavioral2/files/0x0007000000023572-238.dat | UPX
behavioral2/files/0x0007000000023574-246.dat | UPX
behavioral2/files/0x0007000000023576-254.dat | UPX
behavioral2/files/0x00070000000235a8-407.dat | UPX
behavioral2/files/0x00070000000235b0-431.dat | UPX
behavioral2/files/0x00070000000235d1-521.dat | UPX
behavioral2/files/0x00070000000235e7-594.dat | UPX
behavioral2/files/0x00070000000235fa-656.dat | UPX
behavioral2/files/0x0007000000023602-684.dat | UPX
behavioral2/files/0x0007000000023616-753.dat | UPX
behavioral2/files/0x0007000000023626-808.dat | UPX
behavioral2/files/0x0007000000023634-853.dat | UPX
behavioral2/files/0x0007000000023640-892.dat | UPX
behavioral2/files/0x0007000000023654-958.dat | UPX
behavioral2/files/0x0007000000023668-1025.dat | UPX
behavioral2/files/0x0007000000023672-1060.dat | UPX
behavioral2/files/0x0007000000023676-1074.dat | UPX
behavioral2/files/0x0007000000023682-1116.dat | UPX
behavioral2/files/0x000700000002368c-1151.dat | UPX
behavioral2/files/0x0007000000023692-1170.dat | UPX
behavioral2/files/0x0007000000023698-1190.dat | UPX
behavioral2/files/0x00070000000236a0-1218.dat | UPX
behavioral2/files/0x00070000000236aa-1253.dat | UPX
behavioral2/files/0x00070000000236b0-1274.dat | UPX
behavioral2/files/0x00070000000236b4-1288.dat | UPX
behavioral2/files/0x00070000000236bc-1316.dat | UPX
behavioral2/files/0x00070000000236d2-1392.dat | UPX
behavioral2/files/0x00070000000236d6-1406.dat | UPX
behavioral2/files/0x00070000000236da-1421.dat | UPX
behavioral2/files/0x00070000000236de-1433.dat | UPX
behavioral2/files/0x00070000000236e2-1446.dat | UPX
behavioral2/files/0x00070000000236f0-1495.dat | UPX
behavioral2/files/0x0007000000023700-1550.dat | UPX
behavioral2/files/0x0007000000023708-1578.dat | UPX
behavioral2/files/0x000700000002370e-1599.dat | UPX
Executes dropped EXE (64 IoCs)

pid | Process
1916 | Pbpacfmj.exe
1884 | Pijjpp32.exe
3456 | Plifll32.exe
1348 | Paendb32.exe
2284 | Pimfep32.exe
4712 | Phpfqmio.exe
2384 | Pbekne32.exe
1952 | Pecgja32.exe
4260 | Plmogkoe.exe
2844 | Qnlkcfni.exe
3784 | Qefdpq32.exe
1100 | Qlpllkmc.exe
2372 | Qnnhhflf.exe
1648 | Qamdda32.exe
5000 | Qhfmalbg.exe
3104 | Apndbici.exe
100 | Aaoaja32.exe
3368 | Ahiigkqd.exe
3592 | Aaanpa32.exe
4848 | Aihfanhg.exe
5012 | Aoeniefo.exe
1196 | Aackeqeb.exe
2328 | Aeoffo32.exe
1860 | Apekch32.exe
1104 | Aafgkpcp.exe
4100 | Aimoln32.exe
4604 | Apggihko.exe
712 | Abedecjb.exe
396 | Aiolam32.exe
4804 | Blnhni32.exe
2084 | Bbhqjchp.exe
4324 | Befmfngc.exe
4500 | Blpechop.exe
2572 | Booaodnd.exe
2460 | Bammlomg.exe
1796 | Bidemmnj.exe
1920 | Blbaihmn.exe
4040 | Boanecla.exe
3144 | Baojaoke.exe
3976 | Bekfan32.exe
1836 | Blennh32.exe
3996 | Bockjc32.exe
4944 | Baaggo32.exe
3424 | Bemcgmak.exe
3132 | Bhlocipo.exe
3120 | Bpcgdfaa.exe
4232 | Bbacqape.exe
2504 | Beppmmoi.exe
2032 | Chnlihnl.exe
1216 | Cpedjf32.exe
1612 | Cafpanem.exe
552 | Cimhckeo.exe
4008 | Clldogdc.exe
564 | Cpgqpe32.exe
1812 | Ccfmla32.exe
3016 | Caimgncj.exe
116 | Chbedh32.exe
2920 | Cpjmee32.exe
4892 | Cakjmm32.exe
4836 | Cibank32.exe
2560 | Clqnjf32.exe
3468 | Ceibclgn.exe
5080 | Cidncj32.exe
2376 | Coagla32.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Blnhni32.exe | Aiolam32.exe
File created | C:\Windows\SysWOW64\Cidncj32.exe | Ceibclgn.exe
File created | C:\Windows\SysWOW64\Bqhimici.dll | Fljcmlfd.exe
File created | C:\Windows\SysWOW64\Ojgbfocc.exe | Ocnjidkf.exe
File created | C:\Windows\SysWOW64\Pjpdme32.dll | Hjfihc32.exe
File created | C:\Windows\SysWOW64\Cdcoim32.exe | Caebma32.exe
File created | C:\Windows\SysWOW64\Mdkhapfj.exe | Mamleegg.exe
File created | C:\Windows\SysWOW64\Nnmopdep.exe | Nkncdifl.exe
File created | C:\Windows\SysWOW64\Lmldgi32.dll | Iicbehnq.exe
File created | C:\Windows\SysWOW64\Bhlocipo.exe | Bemcgmak.exe
File opened for modification | C:\Windows\SysWOW64\Ekcpbj32.exe | Elppfmoo.exe
File created | C:\Windows\SysWOW64\Hfifmnij.exe | Hbnjmp32.exe
File created | C:\Windows\SysWOW64\Bbjiol32.dll | Mmnldp32.exe
File created | C:\Windows\SysWOW64\Cihmlb32.dll | Nphhmj32.exe
File created | C:\Windows\SysWOW64\Ldooifgl.dll | Hmdedo32.exe
File opened for modification | C:\Windows\SysWOW64\Fdialn32.exe | Fakdpb32.exe
File opened for modification | C:\Windows\SysWOW64\Fafkecel.exe | Fohoigfh.exe
File created | C:\Windows\SysWOW64\Hmmblqfc.dll | Pdmpje32.exe
File created | C:\Windows\SysWOW64\Jmmmebhb.dll | Aclpap32.exe
File created | C:\Windows\SysWOW64\Aepefb32.exe | Aminee32.exe
File created | C:\Windows\SysWOW64\Bbacqape.exe | Bpcgdfaa.exe
File created | C:\Windows\SysWOW64\Meknidfo.dll | Qbimoo32.exe
File created | C:\Windows\SysWOW64\Edkdkplj.exe | Ecjhcg32.exe
File created | C:\Windows\SysWOW64\Jeaikh32.exe | Icplcpgo.exe
File created | C:\Windows\SysWOW64\Kqoieqhe.dll | Ehgqln32.exe
File created | C:\Windows\SysWOW64\Gcfqfc32.exe | Gkoiefmj.exe
File created | C:\Windows\SysWOW64\Dnieoofh.dll | Cdcoim32.exe
File created | C:\Windows\SysWOW64\Aaqgek32.exe | Ajfoiqll.exe
File opened for modification | C:\Windows\SysWOW64\Fooeif32.exe | Flqimk32.exe
File created | C:\Windows\SysWOW64\Fcneih32.dll | Gbdgfa32.exe
File created | C:\Windows\SysWOW64\Bnmcjg32.exe | Bffkij32.exe
File opened for modification | C:\Windows\SysWOW64\Boanecla.exe | Blbaihmn.exe
File opened for modification | C:\Windows\SysWOW64\Dphifcoi.exe | Djnaji32.exe
File created | C:\Windows\SysWOW64\Lolncpam.dll | Gcekkjcj.exe
File opened for modification | C:\Windows\SysWOW64\Pghieg32.exe | Peimil32.exe
File created | C:\Windows\SysWOW64\Fpeohm32.dll | Hbeqmoji.exe
File created | C:\Windows\SysWOW64\Ognpebpj.exe | Opdghh32.exe
File created | C:\Windows\SysWOW64\Pbekne32.exe | Phpfqmio.exe
File created | C:\Windows\SysWOW64\Jfffjqdf.exe | Jdhine32.exe
File created | C:\Windows\SysWOW64\Fobdihjo.dll | Clbceo32.exe
File created | C:\Windows\SysWOW64\Hiefcj32.exe | Gfgjgo32.exe
File opened for modification | C:\Windows\SysWOW64\Hbeqmoji.exe | Hofdacke.exe
File opened for modification | C:\Windows\SysWOW64\Ipbdmaah.exe | Iihkpg32.exe
File created | C:\Windows\SysWOW64\Jplifcqp.dll | Kpmfddnf.exe
File created | C:\Windows\SysWOW64\Mjqjih32.exe | Lgbnmm32.exe
File created | C:\Windows\SysWOW64\Fohoigfh.exe | Fljcmlfd.exe
File created | C:\Windows\SysWOW64\Fomhdg32.exe | Fhcpgmjf.exe
File created | C:\Windows\SysWOW64\Gohhpe32.exe | Gkmlofol.exe
File created | C:\Windows\SysWOW64\Megdccmb.exe | Mdehlk32.exe
File created | C:\Windows\SysWOW64\Hleecc32.dll | Mdehlk32.exe
File opened for modification | C:\Windows\SysWOW64\Njljefql.exe | Mgnnhk32.exe
File created | C:\Windows\SysWOW64\Aaanpa32.exe | Ahiigkqd.exe
File created | C:\Windows\SysWOW64\Iindogea.dll | Cidncj32.exe
File created | C:\Windows\SysWOW64\Jbgkimpf.dll | Dldpkoil.exe
File opened for modification | C:\Windows\SysWOW64\Idacmfkj.exe | Imgkql32.exe
File opened for modification | C:\Windows\SysWOW64\Ngmgne32.exe | Ndokbi32.exe
File opened for modification | C:\Windows\SysWOW64\Ofcmfodb.exe | Odapnf32.exe
File created | C:\Windows\SysWOW64\Dqfhilhd.dll | Aepefb32.exe
File opened for modification | C:\Windows\SysWOW64\Hccglh32.exe | Hadkpm32.exe
File created | C:\Windows\SysWOW64\Aifkpk32.dll | Qnlkcfni.exe
File created | C:\Windows\SysWOW64\Jchbak32.dll | Lalcng32.exe
File created | C:\Windows\SysWOW64\Gkoiefmj.exe | Ghaliknf.exe
File opened for modification | C:\Windows\SysWOW64\Jlnnmb32.exe | Jioaqfcc.exe
File created | C:\Windows\SysWOW64\Igjnojdk.dll | Pgefeajb.exe
Program crash (1 IoCs)

pid | pid_target | Process | procid_target
13936 | 13784 | WerFault.exe | 724
Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bemcgmak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qghlmgij.dll" | Ghaliknf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cabfga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bammlomg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gcekkjcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ipnalhii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dbaemi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcnoenkc.dll" | Bockjc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpbjkl32.dll" | Fcnejk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Boanecla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll" | Lcbiao32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bdmpcdfm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Klngdpdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bdhfhe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll" | Oqhacgdh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nniadn32.dll" | Lphoelqn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll" | Mlhbal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pmannhhj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Caimgncj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Chbedh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jiphkm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kpgfooop.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mgkjhe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ngdmod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Efneehef.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ocegdjij.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gcojed32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ojllan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll" | Bmngqdpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dhlhjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll" | Hbanme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nbmelbid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ofeilobp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfpgmlj.dll" | Aiolam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Imdnklfp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ondeac32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oqhacgdh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Elppfmoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fllpbldb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jfaedkdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll" | Npfkgjdn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hmklen32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll" | Mgidml32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Onklabip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cbcilkjg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jmpngk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hmcojh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dhhnpjmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcjkaiib.dll" | Ajiknpjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Behbag32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dkjmlk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgbkil.dll" | Liimncmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bopgjmhe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lbjlfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaokiafg.dll" | Cibank32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqqjmnii.dll" | Eflhoigi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jpgdbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmenjlfh.dll" | Hobkfd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bebblb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll" | Dhfajjoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll" | Mncmjfmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ienanm32.dll" | Ceoibflm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfbcpl32.dll" | Chbnia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcbifaej.dll" | Jeaikh32.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 4940 wrote to memory of 1916 | 4940 | 2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe | 81
PID 4940 wrote to memory of 1916 | 4940 | 2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe | 81
PID 4940 wrote to memory of 1916 | 4940 | 2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe | 81
PID 1916 wrote to memory of 1884 | 1916 | Pbpacfmj.exe | 82
PID 1916 wrote to memory of 1884 | 1916 | Pbpacfmj.exe | 82
PID 1916 wrote to memory of 1884 | 1916 | Pbpacfmj.exe | 82
PID 1884 wrote to memory of 3456 | 1884 | Pijjpp32.exe | 83
PID 1884 wrote to memory of 3456 | 1884 | Pijjpp32.exe | 83
PID 1884 wrote to memory of 3456 | 1884 | Pijjpp32.exe | 83
PID 3456 wrote to memory of 1348 | 3456 | Plifll32.exe | 84
PID 3456 wrote to memory of 1348 | 3456 | Plifll32.exe | 84
PID 3456 wrote to memory of 1348 | 3456 | Plifll32.exe | 84
PID 1348 wrote to memory of 2284 | 1348 | Paendb32.exe | 85
PID 1348 wrote to memory of 2284 | 1348 | Paendb32.exe | 85
PID 1348 wrote to memory of 2284 | 1348 | Paendb32.exe | 85
PID 2284 wrote to memory of 4712 | 2284 | Pimfep32.exe | 86
PID 2284 wrote to memory of 4712 | 2284 | Pimfep32.exe | 86
PID 2284 wrote to memory of 4712 | 2284 | Pimfep32.exe | 86
PID 4712 wrote to memory of 2384 | 4712 | Phpfqmio.exe | 87
PID 4712 wrote to memory of 2384 | 4712 | Phpfqmio.exe | 87
PID 4712 wrote to memory of 2384 | 4712 | Phpfqmio.exe | 87
PID 2384 wrote to memory of 1952 | 2384 | Pbekne32.exe | 88
PID 2384 wrote to memory of 1952 | 2384 | Pbekne32.exe | 88
PID 2384 wrote to memory of 1952 | 2384 | Pbekne32.exe | 88
PID 1952 wrote to memory of 4260 | 1952 | Pecgja32.exe | 89
PID 1952 wrote to memory of 4260 | 1952 | Pecgja32.exe | 89
PID 1952 wrote to memory of 4260 | 1952 | Pecgja32.exe | 89
PID 4260 wrote to memory of 2844 | 4260 | Plmogkoe.exe | 90
PID 4260 wrote to memory of 2844 | 4260 | Plmogkoe.exe | 90
PID 4260 wrote to memory of 2844 | 4260 | Plmogkoe.exe | 90
PID 2844 wrote to memory of 3784 | 2844 | Qnlkcfni.exe | 91
PID 2844 wrote to memory of 3784 | 2844 | Qnlkcfni.exe | 91
PID 2844 wrote to memory of 3784 | 2844 | Qnlkcfni.exe | 91
PID 3784 wrote to memory of 1100 | 3784 | Qefdpq32.exe | 92
PID 3784 wrote to memory of 1100 | 3784 | Qefdpq32.exe | 92
PID 3784 wrote to memory of 1100 | 3784 | Qefdpq32.exe | 92
PID 1100 wrote to memory of 2372 | 1100 | Qlpllkmc.exe | 94
PID 1100 wrote to memory of 2372 | 1100 | Qlpllkmc.exe | 94
PID 1100 wrote to memory of 2372 | 1100 | Qlpllkmc.exe | 94
PID 2372 wrote to memory of 1648 | 2372 | Qnnhhflf.exe | 95
PID 2372 wrote to memory of 1648 | 2372 | Qnnhhflf.exe | 95
PID 2372 wrote to memory of 1648 | 2372 | Qnnhhflf.exe | 95
PID 1648 wrote to memory of 5000 | 1648 | Qamdda32.exe | 96
PID 1648 wrote to memory of 5000 | 1648 | Qamdda32.exe | 96
PID 1648 wrote to memory of 5000 | 1648 | Qamdda32.exe | 96
PID 5000 wrote to memory of 3104 | 5000 | Qhfmalbg.exe | 97
PID 5000 wrote to memory of 3104 | 5000 | Qhfmalbg.exe | 97
PID 5000 wrote to memory of 3104 | 5000 | Qhfmalbg.exe | 97
PID 3104 wrote to memory of 100 | 3104 | Apndbici.exe | 98
PID 3104 wrote to memory of 100 | 3104 | Apndbici.exe | 98
PID 3104 wrote to memory of 100 | 3104 | Apndbici.exe | 98
PID 100 wrote to memory of 3368 | 100 | Aaoaja32.exe | 100
PID 100 wrote to memory of 3368 | 100 | Aaoaja32.exe | 100
PID 100 wrote to memory of 3368 | 100 | Aaoaja32.exe | 100
PID 3368 wrote to memory of 3592 | 3368 | Ahiigkqd.exe | 101
PID 3368 wrote to memory of 3592 | 3368 | Ahiigkqd.exe | 101
PID 3368 wrote to memory of 3592 | 3368 | Ahiigkqd.exe | 101
PID 3592 wrote to memory of 4848 | 3592 | Aaanpa32.exe | 102
PID 3592 wrote to memory of 4848 | 3592 | Aaanpa32.exe | 102
PID 3592 wrote to memory of 4848 | 3592 | Aaanpa32.exe | 102
PID 4848 wrote to memory of 5012 | 4848 | Aihfanhg.exe | 103
PID 4848 wrote to memory of 5012 | 4848 | Aihfanhg.exe | 103
PID 4848 wrote to memory of 5012 | 4848 | Aihfanhg.exe | 103
PID 5012 wrote to memory of 1196 | 5012 | Aoeniefo.exe | 105
Processes
Process tree (each entry is spawned by the one before it; the leading number is its depth in the chain)

1. C:\Users\Admin\AppData\Local\Temp\2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe (command line: "C:\Users\Admin\AppData\Local\Temp\2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe", PID 4940)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Pbpacfmj.exe (command line: C:\Windows\system32\Pbpacfmj.exe, PID 1916)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Pijjpp32.exe (command line: C:\Windows\system32\Pijjpp32.exe, PID 1884)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Plifll32.exe (command line: C:\Windows\system32\Plifll32.exe, PID 3456)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Paendb32.exe (command line: C:\Windows\system32\Paendb32.exe, PID 1348)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Pimfep32.exe (command line: C:\Windows\system32\Pimfep32.exe, PID 2284)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Phpfqmio.exe (command line: C:\Windows\system32\Phpfqmio.exe, PID 4712)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Pbekne32.exe (command line: C:\Windows\system32\Pbekne32.exe, PID 2384)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Pecgja32.exe (command line: C:\Windows\system32\Pecgja32.exe, PID 1952)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Plmogkoe.exe (command line: C:\Windows\system32\Plmogkoe.exe, PID 4260)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Qnlkcfni.exe (command line: C:\Windows\system32\Qnlkcfni.exe, PID 2844)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Qefdpq32.exe (command line: C:\Windows\system32\Qefdpq32.exe, PID 3784)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Qlpllkmc.exe (command line: C:\Windows\system32\Qlpllkmc.exe, PID 1100)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Qnnhhflf.exe (command line: C:\Windows\system32\Qnnhhflf.exe, PID 2372)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Qamdda32.exe (command line: C:\Windows\system32\Qamdda32.exe, PID 1648)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Qhfmalbg.exe (command line: C:\Windows\system32\Qhfmalbg.exe, PID 5000)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Apndbici.exe (command line: C:\Windows\system32\Apndbici.exe, PID 3104)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Aaoaja32.exe (command line: C:\Windows\system32\Aaoaja32.exe, PID 100)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Ahiigkqd.exe (command line: C:\Windows\system32\Ahiigkqd.exe, PID 3368)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Aaanpa32.exe (command line: C:\Windows\system32\Aaanpa32.exe, PID 3592)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Aihfanhg.exe (command line: C:\Windows\system32\Aihfanhg.exe, PID 4848)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Aoeniefo.exe (command line: C:\Windows\system32\Aoeniefo.exe, PID 5012)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Aackeqeb.exe (command line: C:\Windows\system32\Aackeqeb.exe, PID 1196)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Aeoffo32.exe (command line: C:\Windows\system32\Aeoffo32.exe, PID 2328)
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Apekch32.exe (command line: C:\Windows\system32\Apekch32.exe, PID 1860)
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Aafgkpcp.exe (command line: C:\Windows\system32\Aafgkpcp.exe, PID 1104)
   - Executes dropped EXE
27. C:\Windows\SysWOW64\Aimoln32.exe (command line: C:\Windows\system32\Aimoln32.exe, PID 4100)
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Apggihko.exe (command line: C:\Windows\system32\Apggihko.exe, PID 4604)
   - Executes dropped EXE
29. C:\Windows\SysWOW64\Abedecjb.exe (command line: C:\Windows\system32\Abedecjb.exe, PID 712)
   - Executes dropped EXE
30. C:\Windows\SysWOW64\Aiolam32.exe (command line: C:\Windows\system32\Aiolam32.exe, PID 396)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
31. C:\Windows\SysWOW64\Blnhni32.exe (command line: C:\Windows\system32\Blnhni32.exe, PID 4804)
   - Executes dropped EXE
32. C:\Windows\SysWOW64\Bbhqjchp.exe (command line: C:\Windows\system32\Bbhqjchp.exe, PID 2084)
   - Executes dropped EXE
33. C:\Windows\SysWOW64\Befmfngc.exe (command line: C:\Windows\system32\Befmfngc.exe, PID 4324)
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Blpechop.exe (command line: C:\Windows\system32\Blpechop.exe, PID 4500)
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Booaodnd.exe (command line: C:\Windows\system32\Booaodnd.exe, PID 2572)
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Bammlomg.exe (command line: C:\Windows\system32\Bammlomg.exe, PID 2460)
   - Executes dropped EXE
   - Modifies registry class
37. C:\Windows\SysWOW64\Bidemmnj.exe (command line: C:\Windows\system32\Bidemmnj.exe, PID 1796)
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Blbaihmn.exe (command line: C:\Windows\system32\Blbaihmn.exe, PID 1920)
   - Executes dropped EXE
   - Drops file in System32 directory
39. C:\Windows\SysWOW64\Boanecla.exe (command line: C:\Windows\system32\Boanecla.exe, PID 4040)
   - Executes dropped EXE
   - Modifies registry class
40. C:\Windows\SysWOW64\Baojaoke.exe (command line: C:\Windows\system32\Baojaoke.exe, PID 3144)
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Bekfan32.exe (command line: C:\Windows\system32\Bekfan32.exe, PID 3976)
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Blennh32.exe (command line: C:\Windows\system32\Blennh32.exe, PID 1836)
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Bockjc32.exe (command line: C:\Windows\system32\Bockjc32.exe, PID 3996)
   - Executes dropped EXE
   - Modifies registry class
44. C:\Windows\SysWOW64\Baaggo32.exe (command line: C:\Windows\system32\Baaggo32.exe, PID 4944)
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Bemcgmak.exe (command line: C:\Windows\system32\Bemcgmak.exe, PID 3424)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
46. C:\Windows\SysWOW64\Bhlocipo.exe (command line: C:\Windows\system32\Bhlocipo.exe, PID 3132)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Bpcgdfaa.exe (command line: C:\Windows\system32\Bpcgdfaa.exe, PID 3120)
   - Executes dropped EXE
   - Drops file in System32 directory
48. C:\Windows\SysWOW64\Bbacqape.exe (command line: C:\Windows\system32\Bbacqape.exe, PID 4232)
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Beppmmoi.exe (command line: C:\Windows\system32\Beppmmoi.exe, PID 2504)
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Chnlihnl.exe (command line: C:\Windows\system32\Chnlihnl.exe, PID 2032)
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Cpedjf32.exe (command line: C:\Windows\system32\Cpedjf32.exe, PID 1216)
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Cafpanem.exe (command line: C:\Windows\system32\Cafpanem.exe, PID 1612)
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Cimhckeo.exe (command line: C:\Windows\system32\Cimhckeo.exe, PID 552)
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Clldogdc.exe (command line: C:\Windows\system32\Clldogdc.exe, PID 4008)
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Cpgqpe32.exe (command line: C:\Windows\system32\Cpgqpe32.exe, PID 564)
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Ccfmla32.exe (command line: C:\Windows\system32\Ccfmla32.exe, PID 1812)
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Caimgncj.exe (command line: C:\Windows\system32\Caimgncj.exe, PID 3016)
   - Executes dropped EXE
   - Modifies registry class
58. C:\Windows\SysWOW64\Chbedh32.exe (command line: C:\Windows\system32\Chbedh32.exe, PID 116)
   - Executes dropped EXE
   - Modifies registry class
59. C:\Windows\SysWOW64\Cpjmee32.exe (command line: C:\Windows\system32\Cpjmee32.exe, PID 2920)
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Cakjmm32.exe (command line: C:\Windows\system32\Cakjmm32.exe, PID 4892)
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Cibank32.exe (command line: C:\Windows\system32\Cibank32.exe, PID 4836)
   - Executes dropped EXE
   - Modifies registry class
62. C:\Windows\SysWOW64\Clqnjf32.exe (command line: C:\Windows\system32\Clqnjf32.exe, PID 2560)
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Ceibclgn.exe (command line: C:\Windows\system32\Ceibclgn.exe, PID 3468)
   - Executes dropped EXE
   - Drops file in System32 directory
64. C:\Windows\SysWOW64\Cidncj32.exe (command line: C:\Windows\system32\Cidncj32.exe, PID 5080)
   - Executes dropped EXE
   - Drops file in System32 directory
65. C:\Windows\SysWOW64\Coagla32.exe (command line: C:\Windows\system32\Coagla32.exe, PID 2376)
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Cekohk32.exe (command line: C:\Windows\system32\Cekohk32.exe, PID 2396)
67. C:\Windows\SysWOW64\Dhjkdg32.exe (command line: C:\Windows\system32\Dhjkdg32.exe, PID 2408)
   - Adds autorun key to be loaded by Explorer.exe on startup
68. C:\Windows\SysWOW64\Doccaall.exe (command line: C:\Windows\system32\Doccaall.exe, PID 1156)
69. C:\Windows\SysWOW64\Diihojkb.exe (command line: C:\Windows\system32\Diihojkb.exe, PID 1664)
70. C:\Windows\SysWOW64\Dhlhjf32.exe (command line: C:\Windows\system32\Dhlhjf32.exe, PID 2788)
   - Modifies registry class
71. C:\Windows\SysWOW64\Dofpgqji.exe (command line: C:\Windows\system32\Dofpgqji.exe, PID 4052)
72. C:\Windows\SysWOW64\Dadlclim.exe (command line: C:\Windows\system32\Dadlclim.exe, PID 3948)
   - Adds autorun key to be loaded by Explorer.exe on startup
73. C:\Windows\SysWOW64\Dhnepfpj.exe (command line: C:\Windows\system32\Dhnepfpj.exe, PID 2576)
74. C:\Windows\SysWOW64\Dohmlp32.exe (command line: C:\Windows\system32\Dohmlp32.exe, PID 4452)
75. C:\Windows\SysWOW64\Dagiil32.exe (command line: C:\Windows\system32\Dagiil32.exe, PID 3396)
76. C:\Windows\SysWOW64\Djnaji32.exe (command line: C:\Windows\system32\Djnaji32.exe, PID 3636)
   - Drops file in System32 directory
77. C:\Windows\SysWOW64\Dphifcoi.exe (command line: C:\Windows\system32\Dphifcoi.exe, PID 5028)
78. C:\Windows\SysWOW64\Dcfebonm.exe (command line: C:\Windows\system32\Dcfebonm.exe, PID 3640)
79. C:\Windows\SysWOW64\Djpnohej.exe (command line: C:\Windows\system32\Djpnohej.exe, PID 860)
   - Adds autorun key to be loaded by Explorer.exe on startup
80. C:\Windows\SysWOW64\Dpjflb32.exe (command line: C:\Windows\system32\Dpjflb32.exe, PID 1088)
81. C:\Windows\SysWOW64\Dchbhn32.exe (command line: C:\Windows\system32\Dchbhn32.exe, PID 732)
82. C:\Windows\SysWOW64\Ejbkehcg.exe (command line: C:\Windows\system32\Ejbkehcg.exe, PID 3284)
83. C:\Windows\SysWOW64\Elagacbk.exe (command line: C:\Windows\system32\Elagacbk.exe, PID 2632)
84. C:\Windows\SysWOW64\Eckonn32.exe (command line: C:\Windows\system32\Eckonn32.exe, PID 3520)
85. C:\Windows\SysWOW64\Ejegjh32.exe (command line: C:\Windows\system32\Ejegjh32.exe, PID 1852)
86. C:\Windows\SysWOW64\Elccfc32.exe (command line: C:\Windows\system32\Elccfc32.exe, PID 572)
87. C:\Windows\SysWOW64\Eoapbo32.exe (command line: C:\Windows\system32\Eoapbo32.exe, PID 1864)
88. C:\Windows\SysWOW64\Eflhoigi.exe (command line: C:\Windows\system32\Eflhoigi.exe, PID 5008)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
89. C:\Windows\SysWOW64\Ehjdldfl.exe (command line: C:\Windows\system32\Ehjdldfl.exe, PID 5112)
   - Adds autorun key to be loaded by Explorer.exe on startup
90. C:\Windows\SysWOW64\Eodlho32.exe (command line: C:\Windows\system32\Eodlho32.exe, PID 924)
   - Adds autorun key to be loaded by Explorer.exe on startup
91. C:\Windows\SysWOW64\Efneehef.exe (command line: C:\Windows\system32\Efneehef.exe, PID 4156)
   - Modifies registry class
92. C:\Windows\SysWOW64\Elhmablc.exe (command line: C:\Windows\system32\Elhmablc.exe, PID 4972)
93. C:\Windows\SysWOW64\Eofinnkf.exe (command line: C:\Windows\system32\Eofinnkf.exe, PID 5132)
94. C:\Windows\SysWOW64\Ebeejijj.exe (command line: C:\Windows\system32\Ebeejijj.exe, PID 5180)
95. C:\Windows\SysWOW64\Ejlmkgkl.exe (command line: C:\Windows\system32\Ejlmkgkl.exe, PID 5224)
96. C:\Windows\SysWOW64\Emjjgbjp.exe (command line: C:\Windows\system32\Emjjgbjp.exe, PID 5264)
97. C:\Windows\SysWOW64\Fbgbpihg.exe (command line: C:\Windows\system32\Fbgbpihg.exe, PID 5308)
98. C:\Windows\SysWOW64\Ffbnph32.exe (command line: C:\Windows\system32\Ffbnph32.exe, PID 5352)
99. C:\Windows\SysWOW64\Fqhbmqqg.exe (command line: C:\Windows\system32\Fqhbmqqg.exe, PID 5396)
100. C:\Windows\SysWOW64\Fcgoilpj.exe (command line: C:\Windows\system32\Fcgoilpj.exe, PID 5440)
101. C:\Windows\SysWOW64\Ffekegon.exe (command line: C:\Windows\system32\Ffekegon.exe, PID 5488)
102. C:\Windows\SysWOW64\Fcikolnh.exe (command line: C:\Windows\system32\Fcikolnh.exe, PID 5532)
103. C:\Windows\SysWOW64\Fifdgblo.exe (command line: C:\Windows\system32\Fifdgblo.exe, PID 5576)
104. C:\Windows\SysWOW64\Fqmlhpla.exe (command line: C:\Windows\system32\Fqmlhpla.exe, PID 5616)
105. C:\Windows\SysWOW64\Fbnhphbp.exe (command line: C:\Windows\system32\Fbnhphbp.exe, PID 5660)
106. C:\Windows\SysWOW64\Fihqmb32.exe (command line: C:\Windows\system32\Fihqmb32.exe, PID 5704)
107. C:\Windows\SysWOW64\Fobiilai.exe (command line: C:\Windows\system32\Fobiilai.exe, PID 5748)
108. C:\Windows\SysWOW64\Fcnejk32.exe (command line: C:\Windows\system32\Fcnejk32.exe, PID 5792)
   - Modifies registry class
109. C:\Windows\SysWOW64\Fflaff32.exe (command line: C:\Windows\system32\Fflaff32.exe, PID 5836)
110. C:\Windows\SysWOW64\Fijmbb32.exe (command line: C:\Windows\system32\Fijmbb32.exe, PID 5880)
111. C:\Windows\SysWOW64\Fodeolof.exe (command line: C:\Windows\system32\Fodeolof.exe, PID 5928)
112. C:\Windows\SysWOW64\Gfnnlffc.exe (command line: C:\Windows\system32\Gfnnlffc.exe, PID 5972)
113. C:\Windows\SysWOW64\Gqdbiofi.exe (command line: C:\Windows\system32\Gqdbiofi.exe, PID 6016)
114. C:\Windows\SysWOW64\Gfqjafdq.exe (command line: C:\Windows\system32\Gfqjafdq.exe, PID 6060)
115. C:\Windows\SysWOW64\Gjlfbd32.exe (command line: C:\Windows\system32\Gjlfbd32.exe, PID 6100)
116. C:\Windows\SysWOW64\Gmkbnp32.exe (command line: C:\Windows\system32\Gmkbnp32.exe, PID 4860)
117. C:\Windows\SysWOW64\Gcekkjcj.exe (command line: C:\Windows\system32\Gcekkjcj.exe, PID 5160)
   - Drops file in System32 directory
   - Modifies registry class
118. C:\Windows\SysWOW64\Gjocgdkg.exe (command line: C:\Windows\system32\Gjocgdkg.exe, PID 5240)
119. C:\Windows\SysWOW64\Gqikdn32.exe (command line: C:\Windows\system32\Gqikdn32.exe, PID 5300)
120. C:\Windows\SysWOW64\Gfedle32.exe (command line: C:\Windows\system32\Gfedle32.exe, PID 5380)
121. C:\Windows\SysWOW64\Gqkhjn32.exe (command line: C:\Windows\system32\Gqkhjn32.exe, PID 5428)
122. C:\Windows\SysWOW64\Gbldaffp.exe (command line: C:\Windows\system32\Gbldaffp.exe, PID 5500)