Analysis
-
max time kernel
80s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
16-06-2024 21:34
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
58ee6938d85e79b1b51d6f4718e9fa3c358eaa9353ae7a3a62ad8e45568110ff.exe
Resource
win7-20240508-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
58ee6938d85e79b1b51d6f4718e9fa3c358eaa9353ae7a3a62ad8e45568110ff.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
58ee6938d85e79b1b51d6f4718e9fa3c358eaa9353ae7a3a62ad8e45568110ff.exe
-
Size
243KB
-
MD5
0fbdc59ca2a7e1cef74056c7ca66e097
-
SHA1
fcec8d36dec850ca3568851d9712432ded4f19ec
-
SHA256
58ee6938d85e79b1b51d6f4718e9fa3c358eaa9353ae7a3a62ad8e45568110ff
-
SHA512
8bb351da8d781dca2814a87305b1645e11de59f3311507297addeb059e14b4c9430efc4c338901a0939268684e8c2c94987ec874ad2332577cf491c76fc38067
-
SSDEEP
3072:iPMcDePJuQkKz8lHXtlU2Nhluy78nwTxyIvXQWBaolfC4VJ62Q:iPpePJuQkKzwdlU2zlNgwTnAWtlhjQ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qecppkdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epndknin.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glldgljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngjbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmjocp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hckeoeno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcbihpel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khpgckkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epndknin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpcfmkff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efdjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibjjhn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pibdmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbkcpma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chghdqbf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eolhbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnnbqnjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hloqml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgqeappe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fafdkmap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lndham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmofagfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilccoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nognnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifllil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgmngglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmgfda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lemkcnaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlfnaicd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igcoqocb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpgodhkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpekef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcghch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcebhoii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkpheidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbbgnpgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmdqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbmhlihl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdfjifjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hofdacke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nghekkmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlobkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okjbpglo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhppji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agdhbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edjgfcec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aobilkcl.exe -
Detects executables built or packed with MPress PE compressor 64 IoCs
resource yara_rule behavioral2/files/0x0007000000023278-7.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023400-16.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023402-23.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023404-31.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023406-39.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023409-47.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002340b-56.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002340d-63.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002340f-71.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023411-81.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023413-87.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023415-95.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023417-102.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023419-111.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002341b-119.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000022974-126.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002341e-134.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023420-143.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023422-151.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023424-152.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00080000000233fd-166.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023427-175.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023429-181.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/4896-183-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x000b000000022962-190.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002342c-198.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/4920-203-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002342e-205.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023430-213.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023432-221.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023434-228.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023436-236.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023438-244.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002343a-253.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002343e-267.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/468-288-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023450-320.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023454-332.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023458-343.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023464-379.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023470-414.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002347a-443.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/4932-458-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/412-459-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/4296-465-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023484-472.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/1500-471-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/2928-569-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/3748-576-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/4984-626-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000234b8-627.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/1984-633-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/4508-632-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000234c8-678.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000234d4-719.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000234dc-746.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000234e0-758.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000234ee-800.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000234f4-819.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000234f8-832.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023500-857.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023514-923.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002351e-958.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023524-977.dat INDICATOR_EXE_Packed_MPress -
Executes dropped EXE 64 IoCs
pid Process 3964 Nqmhbpba.exe 4304 Nggqoj32.exe 3804 Njfmke32.exe 2928 Nnaikd32.exe 3312 Ondeac32.exe 3280 Ojjffddl.exe 1300 Onfbfc32.exe 2668 Oqdoboli.exe 4252 Okjbpglo.exe 2072 Oqgkhnjf.exe 3496 Ocegdjij.exe 4428 Ojopad32.exe 4984 Obfhba32.exe 4508 Ocgdji32.exe 4792 Onmhgb32.exe 5076 Pjdilcla.exe 1268 Pbkamqmd.exe 232 Pclneicb.exe 4536 Pkceffcd.exe 1676 Pbmncp32.exe 1644 Pndohaqe.exe 1592 Pabkdmpi.exe 4896 Pjkombfj.exe 2808 Pbbgnpgl.exe 4920 Peqcjkfp.exe 860 Pjmlbbdg.exe 2608 Pbddcoei.exe 2328 Qecppkdm.exe 760 Qkmhlekj.exe 212 Qbgqio32.exe 2336 Qeemej32.exe 2524 Qjbena32.exe 4656 Qbimoo32.exe 4860 Acjjfggb.exe 3252 Alabgd32.exe 1812 Anpncp32.exe 468 Aejfpjne.exe 4904 Acmflf32.exe 3028 Ajfoiqll.exe 2588 Aaqgek32.exe 3212 Acocaf32.exe 1920 Alfkbc32.exe 4340 Aacckjaf.exe 5092 Adapgfqj.exe 3756 Alhhhcal.exe 2596 Abbpem32.exe 3488 Adcmmeog.exe 2068 Abemjmgg.exe 2240 Bhaebcen.exe 3636 Bjpaooda.exe 2916 Beeflhdh.exe 3144 Bnnjen32.exe 4760 Balfaiil.exe 992 Bdkcmdhp.exe 2192 Bblckl32.exe 3592 Bejogg32.exe 4884 Bjghpn32.exe 4520 Bbnpqk32.exe 3308 Bemlmgnp.exe 3776 Blfdia32.exe 5100 Cacmah32.exe 1908 Cdainc32.exe 1492 Cklaknjd.exe 3400 Ceaehfjj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mmfkhmdi.exe Process not Found File created C:\Windows\SysWOW64\Pdpmpdbd.exe Pmidog32.exe File created C:\Windows\SysWOW64\Mhbmphjm.exe Medqcmki.exe File created C:\Windows\SysWOW64\Mnneheln.dll Hncmmd32.exe File opened for modification C:\Windows\SysWOW64\Njiegl32.exe Nlfelogp.exe File created C:\Windows\SysWOW64\Ilnbicff.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kedoge32.exe Kbfbkj32.exe File opened for modification C:\Windows\SysWOW64\Ohlimd32.exe Oocddono.exe File created C:\Windows\SysWOW64\Aknhkd32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Aekddhcb.exe Process not Found File created C:\Windows\SysWOW64\Lcimdh32.exe Process not Found File created C:\Windows\SysWOW64\Dkodcb32.dll Process not Found File created C:\Windows\SysWOW64\Ggpenegb.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ofeilobp.exe Oddmdf32.exe File created C:\Windows\SysWOW64\Kninjc32.dll Edjgfcec.exe File created C:\Windows\SysWOW64\Bfbghcbm.dll Miaboe32.exe File created C:\Windows\SysWOW64\Ooejohhq.exe Olgncmim.exe File opened for modification C:\Windows\SysWOW64\Kpjgaoqm.exe Process not Found File created C:\Windows\SysWOW64\Hcjnlmph.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dpqodfij.exe Diffglam.exe File opened for modification C:\Windows\SysWOW64\Blgifbil.exe Process not Found File created C:\Windows\SysWOW64\Oohgdhfn.exe Oklkdi32.exe File created C:\Windows\SysWOW64\Epopbo32.dll Process not Found File created C:\Windows\SysWOW64\Fgcqbd32.dll Pndohaqe.exe File created C:\Windows\SysWOW64\Aogmoeik.dll Faihkbci.exe File created C:\Windows\SysWOW64\Hfnhlp32.dll Jmmjgejj.exe File opened for modification C:\Windows\SysWOW64\Aadifclh.exe Anfmjhmd.exe File opened for modification C:\Windows\SysWOW64\Gepmlimi.exe Goedpofl.exe File created C:\Windows\SysWOW64\Dkndie32.exe Process not Found File created C:\Windows\SysWOW64\Iigdfa32.exe Ifihif32.exe File created C:\Windows\SysWOW64\Dimini32.dll Kpbfii32.exe File created C:\Windows\SysWOW64\Fmjaphek.exe Ffpicn32.exe File created C:\Windows\SysWOW64\Iqbbpm32.exe Indfca32.exe File created C:\Windows\SysWOW64\Pdnjmc32.dll Lddgmbpb.exe File opened for modification C:\Windows\SysWOW64\Gohaeo32.exe Ghniielm.exe File opened for modification C:\Windows\SysWOW64\Efhcbodf.exe Edjgfcec.exe File created C:\Windows\SysWOW64\Hiikaj32.dll Neafjdkn.exe File created C:\Windows\SysWOW64\Cikamapb.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dnbakghm.exe Process not Found File created C:\Windows\SysWOW64\Lpneegel.exe Lidmhmnp.exe File created C:\Windows\SysWOW64\Ijfnmc32.exe Ihdafkdg.exe File created C:\Windows\SysWOW64\Lajagj32.exe Knkekn32.exe File opened for modification C:\Windows\SysWOW64\Fmikeaap.exe Ffobhg32.exe File opened for modification C:\Windows\SysWOW64\Bddjpd32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bcbohigp.exe Amhfkopc.exe File created C:\Windows\SysWOW64\Nolgijpk.exe Niooqcad.exe File created C:\Windows\SysWOW64\Ckmonl32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pbddcoei.exe Pjmlbbdg.exe File created C:\Windows\SysWOW64\Pdfjifjo.exe Pnlaml32.exe File created C:\Windows\SysWOW64\Gnmnfkia.exe Gojnko32.exe File created C:\Windows\SysWOW64\Lefqkm32.dll Pgkelj32.exe File opened for modification C:\Windows\SysWOW64\Afelhf32.exe Acgolj32.exe File opened for modification C:\Windows\SysWOW64\Hifcgion.exe Process not Found File created C:\Windows\SysWOW64\Abakhdbk.dll Ipjedh32.exe File created C:\Windows\SysWOW64\Nmfgdeof.dll Okjbpglo.exe File opened for modification C:\Windows\SysWOW64\Pndohaqe.exe Pbmncp32.exe File created C:\Windows\SysWOW64\Anfmjhmd.exe Afoeiklb.exe File created C:\Windows\SysWOW64\Bfpjcbmh.dll Lpekef32.exe File created C:\Windows\SysWOW64\Gfameb32.dll Mhicpg32.exe File created C:\Windows\SysWOW64\Eaacilcc.dll Qecppkdm.exe File created C:\Windows\SysWOW64\Fonnop32.exe Fggfnc32.exe File created C:\Windows\SysWOW64\Jgogbgei.exe Jdpkflfe.exe File opened for modification C:\Windows\SysWOW64\Alhhhcal.exe Adapgfqj.exe File created C:\Windows\SysWOW64\Mmpmnl32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 12136 12444 Process not Found 1486 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebnlkf32.dll" Pflibgil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jngjch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcbohigp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoabad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlleaeff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fngdja32.dll" Oepifi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gijekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkmhlekj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iknmla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbdmdpjg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll" Nqmhbpba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bapiabak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fddqghpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeekkafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofhmj32.dll" Eaqdegaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miaboe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binlfp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkffk32.dll" Fkalchij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqipio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cobkhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpfepf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbmmao32.dll" Gdcliikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjpaooda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nplkmckj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhemmlhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll" Npcoakfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocamjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfhji32.dll" Fpggamqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liddbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqnkcp32.dll" Fgbmccpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfehed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Achhaode.dll" Fdffbake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmemlfol.dll" Hdmoohbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Comjoclk.dll" Jqhafffk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clgbhl32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgpfak.dll" Jedeph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nllbhl32.dll" Dinmhkke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjpbam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiqhki32.dll" Npchgdcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ialjan32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keblci32.dll" Ipknlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdkcmdhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikejgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Docjlc32.dll" Immapg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqdeld32.dll" Kimnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kflnfcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Najceeoo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3984 wrote to memory of 3964 3984 58ee6938d85e79b1b51d6f4718e9fa3c358eaa9353ae7a3a62ad8e45568110ff.exe 82 PID 3984 wrote to memory of 3964 3984 58ee6938d85e79b1b51d6f4718e9fa3c358eaa9353ae7a3a62ad8e45568110ff.exe 82 PID 3984 wrote to memory of 3964 3984 58ee6938d85e79b1b51d6f4718e9fa3c358eaa9353ae7a3a62ad8e45568110ff.exe 82 PID 3964 wrote to memory of 4304 3964 Nqmhbpba.exe 83 PID 3964 wrote to memory of 4304 3964 Nqmhbpba.exe 83 PID 3964 wrote to memory of 4304 3964 Nqmhbpba.exe 83 PID 4304 wrote to memory of 3804 4304 Nggqoj32.exe 84 PID 4304 wrote to memory of 3804 4304 Nggqoj32.exe 84 PID 4304 wrote to memory of 3804 4304 Nggqoj32.exe 84 PID 3804 wrote to memory of 2928 3804 Njfmke32.exe 87 PID 3804 wrote to memory of 2928 3804 Njfmke32.exe 87 PID 3804 wrote to memory of 2928 3804 Njfmke32.exe 87 PID 2928 wrote to memory of 3312 2928 Nnaikd32.exe 88 PID 2928 wrote to memory of 3312 2928 Nnaikd32.exe 88 PID 2928 wrote to memory of 3312 2928 Nnaikd32.exe 88 PID 3312 wrote to memory of 3280 3312 Ondeac32.exe 90 PID 3312 wrote to memory of 3280 3312 Ondeac32.exe 90 PID 3312 wrote to memory of 3280 3312 Ondeac32.exe 90 PID 3280 wrote to memory of 1300 3280 Ojjffddl.exe 91 PID 3280 wrote to memory of 1300 3280 Ojjffddl.exe 91 PID 3280 wrote to memory of 1300 3280 Ojjffddl.exe 91 PID 1300 wrote to memory of 2668 1300 Onfbfc32.exe 92 PID 1300 wrote to memory of 2668 1300 Onfbfc32.exe 92 PID 1300 wrote to memory of 2668 1300 Onfbfc32.exe 92 PID 2668 wrote to memory of 4252 2668 Oqdoboli.exe 93 PID 2668 wrote to memory of 4252 2668 Oqdoboli.exe 93 PID 2668 wrote to memory of 4252 2668 Oqdoboli.exe 93 PID 4252 wrote to memory of 2072 4252 Okjbpglo.exe 94 PID 4252 wrote to memory of 2072 4252 Okjbpglo.exe 94 PID 4252 wrote to memory of 2072 4252 Okjbpglo.exe 94 PID 2072 wrote to memory of 3496 2072 Oqgkhnjf.exe 95 PID 2072 wrote to memory of 3496 2072 Oqgkhnjf.exe 95 PID 2072 wrote to memory of 3496 2072 Oqgkhnjf.exe 95 PID 3496 wrote to memory of 4428 3496 Ocegdjij.exe 96 PID 3496 wrote to memory of 4428 3496 Ocegdjij.exe 96 PID 3496 wrote to memory of 4428 3496 Ocegdjij.exe 96 PID 4428 wrote to memory of 4984 4428 Ojopad32.exe 97 PID 4428 wrote to memory of 4984 4428 Ojopad32.exe 97 PID 4428 wrote to memory of 4984 4428 Ojopad32.exe 97 PID 4984 wrote to memory of 4508 4984 Obfhba32.exe 98 PID 4984 wrote to memory of 4508 4984 Obfhba32.exe 98 PID 4984 wrote to memory of 4508 4984 Obfhba32.exe 98 PID 4508 wrote to memory of 4792 4508 Ocgdji32.exe 99 PID 4508 wrote to memory of 4792 4508 Ocgdji32.exe 99 PID 4508 wrote to memory of 4792 4508 Ocgdji32.exe 99 PID 4792 wrote to memory of 5076 4792 Onmhgb32.exe 100 PID 4792 wrote to memory of 5076 4792 Onmhgb32.exe 100 PID 4792 wrote to memory of 5076 4792 Onmhgb32.exe 100 PID 5076 wrote to memory of 1268 5076 Pjdilcla.exe 101 PID 5076 wrote to memory of 1268 5076 Pjdilcla.exe 101 PID 5076 wrote to memory of 1268 5076 Pjdilcla.exe 101 PID 1268 wrote to memory of 232 1268 Pbkamqmd.exe 102 PID 1268 wrote to memory of 232 1268 Pbkamqmd.exe 102 PID 1268 wrote to memory of 232 1268 Pbkamqmd.exe 102 PID 232 wrote to memory of 4536 232 Pclneicb.exe 103 PID 232 wrote to memory of 4536 232 Pclneicb.exe 103 PID 232 wrote to memory of 4536 232 Pclneicb.exe 103 PID 4536 wrote to memory of 1676 4536 Pkceffcd.exe 104 PID 4536 wrote to memory of 1676 4536 Pkceffcd.exe 104 PID 4536 wrote to memory of 1676 4536 Pkceffcd.exe 104 PID 1676 wrote to memory of 1644 1676 Pbmncp32.exe 105 PID 1676 wrote to memory of 1644 1676 Pbmncp32.exe 105 PID 1676 wrote to memory of 1644 1676 Pbmncp32.exe 105 PID 1644 wrote to memory of 1592 1644 Pndohaqe.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\58ee6938d85e79b1b51d6f4718e9fa3c358eaa9353ae7a3a62ad8e45568110ff.exe"C:\Users\Admin\AppData\Local\Temp\58ee6938d85e79b1b51d6f4718e9fa3c358eaa9353ae7a3a62ad8e45568110ff.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe23⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe24⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe26⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe28⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe31⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe32⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe33⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe34⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe35⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe36⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe37⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe38⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe39⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe40⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe41⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe42⤵
- Executes dropped EXE
PID:3212 -
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe43⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe44⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5092 -
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe46⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe47⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe48⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe49⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe50⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3636 -
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe52⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe53⤵
- Executes dropped EXE
PID:3144 -
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe54⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:992 -
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe56⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe57⤵
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe58⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe59⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe60⤵
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe61⤵
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe62⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe63⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe64⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe65⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe66⤵PID:1244
-
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe67⤵PID:4932
-
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe68⤵PID:412
-
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe69⤵PID:4296
-
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe70⤵PID:1500
-
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe71⤵PID:1388
-
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe72⤵PID:3204
-
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe73⤵PID:4472
-
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1600 -
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe75⤵PID:2980
-
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe76⤵PID:2492
-
C:\Windows\SysWOW64\Dboigi32.exeC:\Windows\system32\Dboigi32.exe77⤵PID:3876
-
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe78⤵PID:1100
-
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe79⤵PID:1560
-
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe80⤵PID:2424
-
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe81⤵PID:4424
-
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe82⤵PID:3364
-
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe83⤵PID:2080
-
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe84⤵PID:1704
-
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe85⤵PID:4580
-
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe86⤵PID:1964
-
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe87⤵PID:3556
-
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe88⤵PID:3748
-
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe89⤵PID:1380
-
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe90⤵PID:1036
-
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe91⤵PID:2296
-
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe92⤵PID:4916
-
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe93⤵PID:4284
-
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe94⤵PID:2396
-
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe95⤵PID:4552
-
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe96⤵PID:4848
-
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe97⤵PID:1984
-
C:\Windows\SysWOW64\Fkmchi32.exeC:\Windows\system32\Fkmchi32.exe98⤵PID:908
-
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe99⤵PID:3848
-
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe100⤵PID:3100
-
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe101⤵PID:3372
-
C:\Windows\SysWOW64\Fojlngce.exeC:\Windows\system32\Fojlngce.exe102⤵PID:636
-
C:\Windows\SysWOW64\Faihkbci.exeC:\Windows\system32\Faihkbci.exe103⤵
- Drops file in System32 directory
PID:4664 -
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe104⤵PID:1792
-
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe105⤵
- Modifies registry class
PID:4232 -
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe106⤵PID:3612
-
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe107⤵
- Modifies registry class
PID:4768 -
C:\Windows\SysWOW64\Fooeif32.exeC:\Windows\system32\Fooeif32.exe108⤵PID:5028
-
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe109⤵PID:1824
-
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe110⤵PID:3788
-
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe111⤵PID:1232
-
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe112⤵PID:5124
-
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe113⤵PID:5164
-
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe114⤵PID:5208
-
C:\Windows\SysWOW64\Gfngap32.exeC:\Windows\system32\Gfngap32.exe115⤵PID:5252
-
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe116⤵PID:5292
-
C:\Windows\SysWOW64\Gbdgfa32.exeC:\Windows\system32\Gbdgfa32.exe117⤵PID:5332
-
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe118⤵PID:5376
-
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe119⤵PID:5412
-
C:\Windows\SysWOW64\Gfbploob.exeC:\Windows\system32\Gfbploob.exe120⤵PID:5452
-
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe121⤵PID:5492
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-