Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
01/07/2024, 03:39
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
ded5e8f88df5b691bf260cd7bd93e64ea3a9190d8cf436aceadb529fe71cec50.exe
Resource
win7-20240419-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
ded5e8f88df5b691bf260cd7bd93e64ea3a9190d8cf436aceadb529fe71cec50.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
ded5e8f88df5b691bf260cd7bd93e64ea3a9190d8cf436aceadb529fe71cec50.exe
-
Size
88KB
-
MD5
2da19abb8c240fdf112e15db5c382d07
-
SHA1
08639292e60a14839dc8b358e5af86b128e1fd28
-
SHA256
ded5e8f88df5b691bf260cd7bd93e64ea3a9190d8cf436aceadb529fe71cec50
-
SHA512
88fea8fb2df2c663f68894f01c18668dd3bb9e21ca6fb801917b9cbea67616cb3bd7bc07b2d354855778b09c8e25d1571408acf943cfbe8ae54bb927380f01de
-
SSDEEP
1536:RGq04a1oLTnTEEtC6lFCcsKME4q/mp/Ws7iFyAvQpqqXRp4rnouy8L:cH4iIlF2DBWYiFy7oqhp4zoutL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlppno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Joqafgni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apmhiq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egnajocq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnhbmgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdghhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daollh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeehkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dijbno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipoheakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nopfpgip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amnlme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apodoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Biiobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iapjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llqjbhdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Koljgppp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okfbgiij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eiloco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emoadlfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmjaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkohchko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhpgca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mglfplgk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlhkgi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljceqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nchhfild.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofdqcc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmeoqlpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnohlgep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Galoohke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocdgahag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlhkgi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkkik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmladbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akblfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnphoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfpcoefj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nflkbanj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqlfhjig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjhkmbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfiddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqlfhjig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbonoghb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egnajocq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qihoak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpgpgfmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lckiihok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfmmplad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glfmgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mohbjkgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfojdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejjaqk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgmjmjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lflbkcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkbkmqed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngndaccj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlhih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhhdnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddhomdje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofhknodl.exe -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral2/files/0x0008000000023257-6.dat UPX behavioral2/files/0x000800000002325b-14.dat UPX behavioral2/files/0x000700000002325f-22.dat UPX behavioral2/files/0x0007000000023261-30.dat UPX behavioral2/files/0x0007000000023263-34.dat UPX behavioral2/files/0x0007000000023263-38.dat UPX behavioral2/files/0x0007000000023267-50.dat UPX behavioral2/files/0x0007000000023267-56.dat UPX behavioral2/files/0x0007000000023269-64.dat UPX behavioral2/files/0x000700000002326b-70.dat UPX behavioral2/files/0x000700000002326d-74.dat UPX behavioral2/files/0x000700000002326f-88.dat UPX behavioral2/files/0x0007000000023273-103.dat UPX behavioral2/files/0x0007000000023275-112.dat UPX behavioral2/files/0x0007000000023271-95.dat UPX behavioral2/files/0x0007000000023277-120.dat UPX behavioral2/files/0x0007000000023279-121.dat UPX behavioral2/files/0x000700000002327b-134.dat UPX behavioral2/files/0x000700000002327f-146.dat UPX behavioral2/files/0x000700000002327f-150.dat UPX behavioral2/files/0x0007000000023281-159.dat UPX behavioral2/files/0x0007000000023283-168.dat UPX behavioral2/files/0x000700000002327d-143.dat UPX behavioral2/files/0x0007000000023285-174.dat UPX behavioral2/files/0x0007000000023287-182.dat UPX behavioral2/files/0x0007000000023265-47.dat UPX behavioral2/files/0x000700000002328a-185.dat UPX behavioral2/files/0x000700000002328a-190.dat UPX behavioral2/files/0x000700000002328c-198.dat UPX behavioral2/files/0x000700000002328e-201.dat UPX behavioral2/files/0x000700000002328e-206.dat UPX behavioral2/files/0x0007000000023290-214.dat UPX behavioral2/files/0x0007000000023292-222.dat UPX behavioral2/files/0x0007000000023294-225.dat UPX behavioral2/files/0x0007000000023294-230.dat UPX behavioral2/files/0x0007000000023296-238.dat UPX behavioral2/files/0x0007000000023298-246.dat UPX behavioral2/files/0x000700000002329a-255.dat UPX behavioral2/files/0x000700000002329e-263.dat UPX behavioral2/files/0x00070000000232a2-275.dat UPX behavioral2/files/0x00070000000232aa-300.dat UPX behavioral2/files/0x00070000000232b4-330.dat UPX behavioral2/files/0x00070000000232ba-348.dat UPX behavioral2/files/0x00070000000232c7-383.dat UPX behavioral2/files/0x00070000000232e3-467.dat UPX behavioral2/files/0x00070000000232f9-534.dat UPX behavioral2/files/0x0007000000023301-560.dat UPX behavioral2/files/0x0007000000023305-574.dat UPX behavioral2/files/0x000700000002330b-596.dat UPX behavioral2/files/0x0007000000023317-638.dat UPX behavioral2/files/0x000700000002331b-651.dat UPX behavioral2/files/0x0007000000023333-738.dat UPX behavioral2/files/0x000700000002333f-786.dat UPX behavioral2/files/0x0007000000023347-816.dat UPX behavioral2/files/0x000700000002334b-832.dat UPX behavioral2/files/0x0007000000023353-863.dat UPX behavioral2/files/0x000700000002335b-893.dat UPX behavioral2/files/0x0007000000023361-915.dat UPX behavioral2/files/0x0007000000023369-945.dat UPX behavioral2/files/0x000700000002336d-960.dat UPX behavioral2/files/0x0007000000023371-975.dat UPX behavioral2/files/0x0007000000023377-997.dat UPX behavioral2/files/0x000700000002337b-1010.dat UPX behavioral2/files/0x0007000000023391-1087.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 3180 Lnohlgep.exe 1544 Lqpamb32.exe 788 Ljhefhha.exe 1364 Mglfplgk.exe 3468 Mminhceb.exe 2760 Mkjnfkma.exe 1860 Maggnali.exe 5072 Mkmkkjko.exe 4040 Maiccajf.exe 228 Mjahlgpf.exe 3144 Mgehfkop.exe 2812 Manmoq32.exe 1664 Nlcalieg.exe 3632 Ncofplba.exe 4920 Nndjndbh.exe 3872 Nlhkgi32.exe 3704 Nccokk32.exe 4080 Nagpeo32.exe 2960 Nlmdbh32.exe 4452 Oeehkn32.exe 3924 Oalipoiq.exe 1288 Ojdnid32.exe 5076 Ohhnbhok.exe 2516 Blielbfi.exe 3456 Bakgoh32.exe 4424 Cdlqqcnl.exe 4604 Cdnmfclj.exe 1532 Cfnjpfcl.exe 4828 Cdbfab32.exe 4748 Cohkokgj.exe 5088 Dmlkhofd.exe 3828 Dbicpfdk.exe 4624 Dkahilkl.exe 1340 Dkceokii.exe 2280 Ddligq32.exe 3992 Dijbno32.exe 624 Eiloco32.exe 4220 Ebdcld32.exe 4388 Ekmhejao.exe 1540 Efblbbqd.exe 1468 Ebimgcfi.exe 2340 Emoadlfo.exe 3392 Eblimcdf.exe 3328 Emanjldl.exe 4772 Enbjad32.exe 4244 Fihnomjp.exe 3940 Fneggdhg.exe 2164 Fijkdmhn.exe 3572 Fngcmcfe.exe 4036 Fimhjl32.exe 4380 Fpgpgfmh.exe 3192 Fiodpl32.exe 4504 Fnlmhc32.exe 5068 Fpkibf32.exe 3464 Gfjkjo32.exe 1548 Gmdcfidg.exe 2772 Gbalopbn.exe 3524 Glipgf32.exe 2648 Geaepk32.exe 4756 Gojiiafp.exe 4420 Hipmfjee.exe 944 Hpiecd32.exe 1944 Hibjli32.exe 3472 Hoobdp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ljhefhha.exe Lqpamb32.exe File created C:\Windows\SysWOW64\Oanjomjp.dll Nlhkgi32.exe File created C:\Windows\SysWOW64\Pijmiq32.dll Kpanan32.exe File created C:\Windows\SysWOW64\Mapppn32.exe Ljdkll32.exe File created C:\Windows\SysWOW64\Epdime32.exe Ejjaqk32.exe File opened for modification C:\Windows\SysWOW64\Dkahilkl.exe Dbicpfdk.exe File created C:\Windows\SysWOW64\Hkdoio32.dll Iefgbh32.exe File opened for modification C:\Windows\SysWOW64\Omfekbdh.exe Ocnabm32.exe File created C:\Windows\SysWOW64\Pfccogfc.exe Ppikbm32.exe File created C:\Windows\SysWOW64\Ggpcfd32.dll Ebimgcfi.exe File created C:\Windows\SysWOW64\Cikamapb.dll Hfhgkmpj.exe File opened for modification C:\Windows\SysWOW64\Boenhgdd.exe Bgnffj32.exe File opened for modification C:\Windows\SysWOW64\Mlhqcgnk.exe Mpapnfhg.exe File created C:\Windows\SysWOW64\Mjbaohka.dll Dphiaffa.exe File opened for modification C:\Windows\SysWOW64\Aealll32.exe Acppddig.exe File created C:\Windows\SysWOW64\Nhhdnf32.exe Noppeaed.exe File opened for modification C:\Windows\SysWOW64\Pcbdcf32.exe Pilpfm32.exe File created C:\Windows\SysWOW64\Mhpbkngk.dll Nlmdbh32.exe File created C:\Windows\SysWOW64\Ofhknodl.exe Opnbae32.exe File opened for modification C:\Windows\SysWOW64\Cpmapodj.exe Boldhf32.exe File opened for modification C:\Windows\SysWOW64\Affikdfn.exe Amnebo32.exe File created C:\Windows\SysWOW64\Mghekd32.dll Lddble32.exe File opened for modification C:\Windows\SysWOW64\Jpcapp32.exe Jcoaglhk.exe File created C:\Windows\SysWOW64\Blqhpg32.dll Onkidm32.exe File created C:\Windows\SysWOW64\Ekellcop.dll Ehndnh32.exe File opened for modification C:\Windows\SysWOW64\Fneggdhg.exe Fihnomjp.exe File opened for modification C:\Windows\SysWOW64\Kpanan32.exe Kjgeedch.exe File created C:\Windows\SysWOW64\Hodbhp32.dll Ngqagcag.exe File opened for modification C:\Windows\SysWOW64\Filapfbo.exe Fdnhih32.exe File created C:\Windows\SysWOW64\Ilkoim32.exe Ieagmcmq.exe File opened for modification C:\Windows\SysWOW64\Nfpghccm.exe Nhlfoodc.exe File opened for modification C:\Windows\SysWOW64\Bakgoh32.exe Blielbfi.exe File created C:\Windows\SysWOW64\Baaelkfn.dll Fngcmcfe.exe File created C:\Windows\SysWOW64\Jokkgl32.exe Jgpfbjlo.exe File created C:\Windows\SysWOW64\Mkiongah.dll Fdnhih32.exe File created C:\Windows\SysWOW64\Ipdbmgdb.dll Llqjbhdc.exe File created C:\Windows\SysWOW64\Llgmeiqa.dll Maiccajf.exe File created C:\Windows\SysWOW64\Iomoenej.exe Iipfmggc.exe File created C:\Windows\SysWOW64\Jpcapp32.exe Jcoaglhk.exe File opened for modification C:\Windows\SysWOW64\Aagkhd32.exe Afbgkl32.exe File created C:\Windows\SysWOW64\Ahkdgl32.dll Dcnlnaom.exe File created C:\Windows\SysWOW64\Qifbll32.exe Pcijce32.exe File opened for modification C:\Windows\SysWOW64\Maiccajf.exe Mkmkkjko.exe File created C:\Windows\SysWOW64\Jgqjbf32.dll Mfqlfb32.exe File opened for modification C:\Windows\SysWOW64\Pcfmneaa.exe Pmmeak32.exe File created C:\Windows\SysWOW64\Dbicpfdk.exe Dmlkhofd.exe File created C:\Windows\SysWOW64\Npdpachh.dll Dijbno32.exe File opened for modification C:\Windows\SysWOW64\Ckjknfnh.exe Chkobkod.exe File opened for modification C:\Windows\SysWOW64\Ddgibkpc.exe Ckjknfnh.exe File created C:\Windows\SysWOW64\Jooeqo32.dll Indkpcdk.exe File created C:\Windows\SysWOW64\Caekaaoh.dll Maaekg32.exe File created C:\Windows\SysWOW64\Ckjooo32.dll Hmpcbhji.exe File created C:\Windows\SysWOW64\Lckiihok.exe Ljceqb32.exe File created C:\Windows\SysWOW64\Cpmapodj.exe Boldhf32.exe File created C:\Windows\SysWOW64\Jpbjfjci.exe Jihbip32.exe File opened for modification C:\Windows\SysWOW64\Lhbkac32.exe Lojfin32.exe File opened for modification C:\Windows\SysWOW64\Lkcccn32.exe Lajokiaa.exe File created C:\Windows\SysWOW64\Kocgbend.exe Kekbjo32.exe File opened for modification C:\Windows\SysWOW64\Lepleocn.exe Kofdhd32.exe File created C:\Windows\SysWOW64\Anjkcakk.dll Koljgppp.exe File created C:\Windows\SysWOW64\Nndjndbh.exe Ncofplba.exe File opened for modification C:\Windows\SysWOW64\Gbalopbn.exe Gmdcfidg.exe File created C:\Windows\SysWOW64\Ojnkocdc.dll Mogcihaj.exe File opened for modification C:\Windows\SysWOW64\Enpfan32.exe Egened32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfpcoefj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imffkelf.dll" Ebdlangb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieagmcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhanngbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdnmfclj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdhkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bobabg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Koljgppp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkbkmqed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onkidm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkmjaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jocnlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daqfhf32.dll" Cmbgdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjckodg.dll" Ddhomdje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbiapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgoikbje.dll" Ochamg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkjnfkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klcekpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpockdl.dll" Afbgkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Paihlpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kialcj32.dll" Pcfmneaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbicpfdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ombcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbibfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pblajhje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnhbmgmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gcjdam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blielbfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Giljfddl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obgohklm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjocbhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edpabila.dll" Gcqjal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phonha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnijfj32.dll" Egened32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defbaa32.dll" Lomjicei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbfjmkq.dll" Mbibfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfhldel.dll" Qmdblp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenpmnno.dll" Offnhpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cikamapb.dll" Hfhgkmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhfhgch.dll" Kgkfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fckjejfe.dll" Gkaclqkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofgdcipq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajnjho.dll" Amnebo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimhefgb.dll" Qifbll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fngcmcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baaelkfn.dll" Fngcmcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nopfpgip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akblfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qamago32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdffjgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lojfin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emoadlfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpchk32.dll" Jafdcbge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncqlkemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libmeq32.dll" Gghdaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgapmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hejjanpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfqlfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll" Bknlbhhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcnlnaom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmplqd32.dll" Lfeljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njjdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Panhbfep.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3232 wrote to memory of 3180 3232 ded5e8f88df5b691bf260cd7bd93e64ea3a9190d8cf436aceadb529fe71cec50.exe 91 PID 3232 wrote to memory of 3180 3232 ded5e8f88df5b691bf260cd7bd93e64ea3a9190d8cf436aceadb529fe71cec50.exe 91 PID 3232 wrote to memory of 3180 3232 ded5e8f88df5b691bf260cd7bd93e64ea3a9190d8cf436aceadb529fe71cec50.exe 91 PID 3180 wrote to memory of 1544 3180 Lnohlgep.exe 92 PID 3180 wrote to memory of 1544 3180 Lnohlgep.exe 92 PID 3180 wrote to memory of 1544 3180 Lnohlgep.exe 92 PID 1544 wrote to memory of 788 1544 Lqpamb32.exe 93 PID 1544 wrote to memory of 788 1544 Lqpamb32.exe 93 PID 1544 wrote to memory of 788 1544 Lqpamb32.exe 93 PID 788 wrote to memory of 1364 788 Ljhefhha.exe 94 PID 788 wrote to memory of 1364 788 Ljhefhha.exe 94 PID 788 wrote to memory of 1364 788 Ljhefhha.exe 94 PID 1364 wrote to memory of 3468 1364 Mglfplgk.exe 95 PID 1364 wrote to memory of 3468 1364 Mglfplgk.exe 95 PID 1364 wrote to memory of 3468 1364 Mglfplgk.exe 95 PID 3468 wrote to memory of 2760 3468 Mminhceb.exe 96 PID 3468 wrote to memory of 2760 3468 Mminhceb.exe 96 PID 3468 wrote to memory of 2760 3468 Mminhceb.exe 96 PID 2760 wrote to memory of 1860 2760 Mkjnfkma.exe 97 PID 2760 wrote to memory of 1860 2760 Mkjnfkma.exe 97 PID 2760 wrote to memory of 1860 2760 Mkjnfkma.exe 97 PID 1860 wrote to memory of 5072 1860 Maggnali.exe 98 PID 1860 wrote to memory of 5072 1860 Maggnali.exe 98 PID 1860 wrote to memory of 5072 1860 Maggnali.exe 98 PID 5072 wrote to memory of 4040 5072 Mkmkkjko.exe 99 PID 5072 wrote to memory of 4040 5072 Mkmkkjko.exe 99 PID 5072 wrote to memory of 4040 5072 Mkmkkjko.exe 99 PID 4040 wrote to memory of 228 4040 Maiccajf.exe 100 PID 4040 wrote to memory of 228 4040 Maiccajf.exe 100 PID 4040 wrote to memory of 228 4040 Maiccajf.exe 100 PID 228 wrote to memory of 3144 228 Mjahlgpf.exe 101 PID 228 wrote to memory of 3144 228 Mjahlgpf.exe 101 PID 228 wrote to memory of 3144 228 Mjahlgpf.exe 101 PID 3144 wrote to memory of 2812 3144 Mgehfkop.exe 102 PID 3144 wrote to memory of 2812 3144 Mgehfkop.exe 102 PID 3144 wrote to memory of 2812 3144 Mgehfkop.exe 102 PID 2812 wrote to memory of 1664 2812 Manmoq32.exe 103 PID 2812 wrote to memory of 1664 2812 Manmoq32.exe 103 PID 2812 wrote to memory of 1664 2812 Manmoq32.exe 103 PID 1664 wrote to memory of 3632 1664 Nlcalieg.exe 104 PID 1664 wrote to memory of 3632 1664 Nlcalieg.exe 104 PID 1664 wrote to memory of 3632 1664 Nlcalieg.exe 104 PID 3632 wrote to memory of 4920 3632 Ncofplba.exe 105 PID 3632 wrote to memory of 4920 3632 Ncofplba.exe 105 PID 3632 wrote to memory of 4920 3632 Ncofplba.exe 105 PID 4920 wrote to memory of 3872 4920 Nndjndbh.exe 106 PID 4920 wrote to memory of 3872 4920 Nndjndbh.exe 106 PID 4920 wrote to memory of 3872 4920 Nndjndbh.exe 106 PID 3872 wrote to memory of 3704 3872 Nlhkgi32.exe 107 PID 3872 wrote to memory of 3704 3872 Nlhkgi32.exe 107 PID 3872 wrote to memory of 3704 3872 Nlhkgi32.exe 107 PID 3704 wrote to memory of 4080 3704 Nccokk32.exe 108 PID 3704 wrote to memory of 4080 3704 Nccokk32.exe 108 PID 3704 wrote to memory of 4080 3704 Nccokk32.exe 108 PID 4080 wrote to memory of 2960 4080 Nagpeo32.exe 109 PID 4080 wrote to memory of 2960 4080 Nagpeo32.exe 109 PID 4080 wrote to memory of 2960 4080 Nagpeo32.exe 109 PID 2960 wrote to memory of 4452 2960 Nlmdbh32.exe 110 PID 2960 wrote to memory of 4452 2960 Nlmdbh32.exe 110 PID 2960 wrote to memory of 4452 2960 Nlmdbh32.exe 110 PID 4452 wrote to memory of 3924 4452 Oeehkn32.exe 111 PID 4452 wrote to memory of 3924 4452 Oeehkn32.exe 111 PID 4452 wrote to memory of 3924 4452 Oeehkn32.exe 111 PID 3924 wrote to memory of 1288 3924 Oalipoiq.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\ded5e8f88df5b691bf260cd7bd93e64ea3a9190d8cf436aceadb529fe71cec50.exe"C:\Users\Admin\AppData\Local\Temp\ded5e8f88df5b691bf260cd7bd93e64ea3a9190d8cf436aceadb529fe71cec50.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\Lnohlgep.exeC:\Windows\system32\Lnohlgep.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\Lqpamb32.exeC:\Windows\system32\Lqpamb32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Ljhefhha.exeC:\Windows\system32\Ljhefhha.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\Mglfplgk.exeC:\Windows\system32\Mglfplgk.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Mminhceb.exeC:\Windows\system32\Mminhceb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\Mkjnfkma.exeC:\Windows\system32\Mkjnfkma.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Maggnali.exeC:\Windows\system32\Maggnali.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Mkmkkjko.exeC:\Windows\system32\Mkmkkjko.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Maiccajf.exeC:\Windows\system32\Maiccajf.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\Mjahlgpf.exeC:\Windows\system32\Mjahlgpf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\Mgehfkop.exeC:\Windows\system32\Mgehfkop.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\Manmoq32.exeC:\Windows\system32\Manmoq32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Nlcalieg.exeC:\Windows\system32\Nlcalieg.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Ncofplba.exeC:\Windows\system32\Ncofplba.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Windows\SysWOW64\Nndjndbh.exeC:\Windows\system32\Nndjndbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Nlhkgi32.exeC:\Windows\system32\Nlhkgi32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\SysWOW64\Nccokk32.exeC:\Windows\system32\Nccokk32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\Nagpeo32.exeC:\Windows\system32\Nagpeo32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\Nlmdbh32.exeC:\Windows\system32\Nlmdbh32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Oeehkn32.exeC:\Windows\system32\Oeehkn32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\Oalipoiq.exeC:\Windows\system32\Oalipoiq.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Ojdnid32.exeC:\Windows\system32\Ojdnid32.exe23⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Ohhnbhok.exeC:\Windows\system32\Ohhnbhok.exe24⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Blielbfi.exeC:\Windows\system32\Blielbfi.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Bakgoh32.exeC:\Windows\system32\Bakgoh32.exe26⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Cdlqqcnl.exeC:\Windows\system32\Cdlqqcnl.exe27⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Cdnmfclj.exeC:\Windows\system32\Cdnmfclj.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:4604 -
C:\Windows\SysWOW64\Cfnjpfcl.exeC:\Windows\system32\Cfnjpfcl.exe29⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Cdbfab32.exeC:\Windows\system32\Cdbfab32.exe30⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Cohkokgj.exeC:\Windows\system32\Cohkokgj.exe31⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Dmlkhofd.exeC:\Windows\system32\Dmlkhofd.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5088 -
C:\Windows\SysWOW64\Dbicpfdk.exeC:\Windows\system32\Dbicpfdk.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3828 -
C:\Windows\SysWOW64\Dkahilkl.exeC:\Windows\system32\Dkahilkl.exe34⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Dkceokii.exeC:\Windows\system32\Dkceokii.exe35⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Ddligq32.exeC:\Windows\system32\Ddligq32.exe36⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Dijbno32.exeC:\Windows\system32\Dijbno32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3992 -
C:\Windows\SysWOW64\Eiloco32.exeC:\Windows\system32\Eiloco32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Ebdcld32.exeC:\Windows\system32\Ebdcld32.exe39⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Ekmhejao.exeC:\Windows\system32\Ekmhejao.exe40⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Efblbbqd.exeC:\Windows\system32\Efblbbqd.exe41⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Ebimgcfi.exeC:\Windows\system32\Ebimgcfi.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1468 -
C:\Windows\SysWOW64\Emoadlfo.exeC:\Windows\system32\Emoadlfo.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Eblimcdf.exeC:\Windows\system32\Eblimcdf.exe44⤵
- Executes dropped EXE
PID:3392 -
C:\Windows\SysWOW64\Emanjldl.exeC:\Windows\system32\Emanjldl.exe45⤵
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Enbjad32.exeC:\Windows\system32\Enbjad32.exe46⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Fihnomjp.exeC:\Windows\system32\Fihnomjp.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4244 -
C:\Windows\SysWOW64\Fneggdhg.exeC:\Windows\system32\Fneggdhg.exe48⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Fijkdmhn.exeC:\Windows\system32\Fijkdmhn.exe49⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Fngcmcfe.exeC:\Windows\system32\Fngcmcfe.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3572 -
C:\Windows\SysWOW64\Fimhjl32.exeC:\Windows\system32\Fimhjl32.exe51⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Fpgpgfmh.exeC:\Windows\system32\Fpgpgfmh.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Fiodpl32.exeC:\Windows\system32\Fiodpl32.exe53⤵
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\Fnlmhc32.exeC:\Windows\system32\Fnlmhc32.exe54⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Fpkibf32.exeC:\Windows\system32\Fpkibf32.exe55⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Gfjkjo32.exeC:\Windows\system32\Gfjkjo32.exe56⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Gmdcfidg.exeC:\Windows\system32\Gmdcfidg.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Gbalopbn.exeC:\Windows\system32\Gbalopbn.exe58⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Glipgf32.exeC:\Windows\system32\Glipgf32.exe59⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Geaepk32.exeC:\Windows\system32\Geaepk32.exe60⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Gojiiafp.exeC:\Windows\system32\Gojiiafp.exe61⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Hipmfjee.exeC:\Windows\system32\Hipmfjee.exe62⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Hpiecd32.exeC:\Windows\system32\Hpiecd32.exe63⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Hibjli32.exeC:\Windows\system32\Hibjli32.exe64⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Hoobdp32.exeC:\Windows\system32\Hoobdp32.exe65⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Hmpcbhji.exeC:\Windows\system32\Hmpcbhji.exe66⤵
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Hfhgkmpj.exeC:\Windows\system32\Hfhgkmpj.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:1352 -
C:\Windows\SysWOW64\Hlepcdoa.exeC:\Windows\system32\Hlepcdoa.exe68⤵PID:4892
-
C:\Windows\SysWOW64\Hfjdqmng.exeC:\Windows\system32\Hfjdqmng.exe69⤵PID:4108
-
C:\Windows\SysWOW64\Hlglidlo.exeC:\Windows\system32\Hlglidlo.exe70⤵PID:2244
-
C:\Windows\SysWOW64\Ibaeen32.exeC:\Windows\system32\Ibaeen32.exe71⤵PID:2640
-
C:\Windows\SysWOW64\Imgicgca.exeC:\Windows\system32\Imgicgca.exe72⤵PID:1496
-
C:\Windows\SysWOW64\Iipfmggc.exeC:\Windows\system32\Iipfmggc.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4560 -
C:\Windows\SysWOW64\Iomoenej.exeC:\Windows\system32\Iomoenej.exe74⤵PID:3368
-
C:\Windows\SysWOW64\Iefgbh32.exeC:\Windows\system32\Iefgbh32.exe75⤵
- Drops file in System32 directory
PID:772 -
C:\Windows\SysWOW64\Iplkpa32.exeC:\Windows\system32\Iplkpa32.exe76⤵PID:4428
-
C:\Windows\SysWOW64\Iidphgcn.exeC:\Windows\system32\Iidphgcn.exe77⤵PID:2248
-
C:\Windows\SysWOW64\Ipoheakj.exeC:\Windows\system32\Ipoheakj.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5052 -
C:\Windows\SysWOW64\Jiglnf32.exeC:\Windows\system32\Jiglnf32.exe79⤵PID:4576
-
C:\Windows\SysWOW64\Jcoaglhk.exeC:\Windows\system32\Jcoaglhk.exe80⤵
- Drops file in System32 directory
PID:4964 -
C:\Windows\SysWOW64\Jpcapp32.exeC:\Windows\system32\Jpcapp32.exe81⤵PID:2324
-
C:\Windows\SysWOW64\Jgmjmjnb.exeC:\Windows\system32\Jgmjmjnb.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4168 -
C:\Windows\SysWOW64\Jljbeali.exeC:\Windows\system32\Jljbeali.exe83⤵PID:5132
-
C:\Windows\SysWOW64\Jgpfbjlo.exeC:\Windows\system32\Jgpfbjlo.exe84⤵
- Drops file in System32 directory
PID:5176 -
C:\Windows\SysWOW64\Jokkgl32.exeC:\Windows\system32\Jokkgl32.exe85⤵PID:5220
-
C:\Windows\SysWOW64\Jjpode32.exeC:\Windows\system32\Jjpode32.exe86⤵PID:5264
-
C:\Windows\SysWOW64\Kcidmkpq.exeC:\Windows\system32\Kcidmkpq.exe87⤵PID:5308
-
C:\Windows\SysWOW64\Knnhjcog.exeC:\Windows\system32\Knnhjcog.exe88⤵PID:5352
-
C:\Windows\SysWOW64\Kckqbj32.exeC:\Windows\system32\Kckqbj32.exe89⤵PID:5396
-
C:\Windows\SysWOW64\Klcekpdo.exeC:\Windows\system32\Klcekpdo.exe90⤵
- Modifies registry class
PID:5440 -
C:\Windows\SysWOW64\Kcmmhj32.exeC:\Windows\system32\Kcmmhj32.exe91⤵PID:5484
-
C:\Windows\SysWOW64\Kjgeedch.exeC:\Windows\system32\Kjgeedch.exe92⤵
- Drops file in System32 directory
PID:5528 -
C:\Windows\SysWOW64\Kpanan32.exeC:\Windows\system32\Kpanan32.exe93⤵
- Drops file in System32 directory
PID:5572 -
C:\Windows\SysWOW64\Kgkfnh32.exeC:\Windows\system32\Kgkfnh32.exe94⤵
- Modifies registry class
PID:5620 -
C:\Windows\SysWOW64\Klhnfo32.exeC:\Windows\system32\Klhnfo32.exe95⤵PID:5664
-
C:\Windows\SysWOW64\Kcbfcigf.exeC:\Windows\system32\Kcbfcigf.exe96⤵PID:5708
-
C:\Windows\SysWOW64\Kfpcoefj.exeC:\Windows\system32\Kfpcoefj.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5752 -
C:\Windows\SysWOW64\Lcdciiec.exeC:\Windows\system32\Lcdciiec.exe98⤵PID:5796
-
C:\Windows\SysWOW64\Lfbped32.exeC:\Windows\system32\Lfbped32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5840 -
C:\Windows\SysWOW64\Llmhaold.exeC:\Windows\system32\Llmhaold.exe100⤵PID:5884
-
C:\Windows\SysWOW64\Lokdnjkg.exeC:\Windows\system32\Lokdnjkg.exe101⤵PID:5928
-
C:\Windows\SysWOW64\Lfeljd32.exeC:\Windows\system32\Lfeljd32.exe102⤵
- Modifies registry class
PID:5972 -
C:\Windows\SysWOW64\Lnldla32.exeC:\Windows\system32\Lnldla32.exe103⤵PID:6016
-
C:\Windows\SysWOW64\Ljceqb32.exeC:\Windows\system32\Ljceqb32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6060 -
C:\Windows\SysWOW64\Lckiihok.exeC:\Windows\system32\Lckiihok.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6108 -
C:\Windows\SysWOW64\Lmdnbn32.exeC:\Windows\system32\Lmdnbn32.exe106⤵PID:4668
-
C:\Windows\SysWOW64\Lcnfohmi.exeC:\Windows\system32\Lcnfohmi.exe107⤵PID:5212
-
C:\Windows\SysWOW64\Lflbkcll.exeC:\Windows\system32\Lflbkcll.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5292 -
C:\Windows\SysWOW64\Mmfkhmdi.exeC:\Windows\system32\Mmfkhmdi.exe109⤵PID:5360
-
C:\Windows\SysWOW64\Mgloefco.exeC:\Windows\system32\Mgloefco.exe110⤵PID:5424
-
C:\Windows\SysWOW64\Mmhgmmbf.exeC:\Windows\system32\Mmhgmmbf.exe111⤵PID:5492
-
C:\Windows\SysWOW64\Mogcihaj.exeC:\Windows\system32\Mogcihaj.exe112⤵
- Drops file in System32 directory
PID:5556 -
C:\Windows\SysWOW64\Mfqlfb32.exeC:\Windows\system32\Mfqlfb32.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:5628 -
C:\Windows\SysWOW64\Moipoh32.exeC:\Windows\system32\Moipoh32.exe114⤵PID:5704
-
C:\Windows\SysWOW64\Mjodla32.exeC:\Windows\system32\Mjodla32.exe115⤵PID:5784
-
C:\Windows\SysWOW64\Mmmqhl32.exeC:\Windows\system32\Mmmqhl32.exe116⤵PID:5852
-
C:\Windows\SysWOW64\Mjaabq32.exeC:\Windows\system32\Mjaabq32.exe117⤵PID:5924
-
C:\Windows\SysWOW64\Monjjgkb.exeC:\Windows\system32\Monjjgkb.exe118⤵PID:6004
-
C:\Windows\SysWOW64\Mjcngpjh.exeC:\Windows\system32\Mjcngpjh.exe119⤵PID:6072
-
C:\Windows\SysWOW64\Nopfpgip.exeC:\Windows\system32\Nopfpgip.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5124 -
C:\Windows\SysWOW64\Nfjola32.exeC:\Windows\system32\Nfjola32.exe121⤵PID:5256
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-