Analysis
-
max time kernel
143s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 01:22
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54.exe
-
Size
136KB
-
MD5
51ccf32bb2a6adb5bf0bf98ddebfd501
-
SHA1
a953350d46dbd1e456a0162927b18ddfc4ca0517
-
SHA256
8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54
-
SHA512
31250e964dbea95089e15757d503e1a5d10c8ac9f376911f849a7b6d9f1161e19aeb22102da810dfff7a468fd632d44ae3e37c77b8fb1214f968f3069c6710d9
-
SSDEEP
1536:LkHMolYxM+6uyi8NkT3qqEvXFimOI0v0zkA01QSf9ve5XRlKjz0cZ44mjD9r8230:khIJT4XFimZN01x5e5XRlri/mjRrz3OT
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkbcbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggicgopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdghaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpjbgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jagpdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gojhafnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljkaeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aggiigmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnflke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebqngb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpbdnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgbdodnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pckajebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmnqje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgpdglhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjeglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aakjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhfnkqgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjegog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcckcbgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgjccb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flnlkgjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpgcip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpjjeim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfghdcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdeqfhjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfhdnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aggiigmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbmeifk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplaki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igmbgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apppkekc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkecij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgabdlfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjofo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijbfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcnghpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkfclo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aejlnmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnmcfeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjfgqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dljmlj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcpacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Keeeje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnqdhga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehpcehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpjifjdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olbfagca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aohdmdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aihfap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Golbnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imaapa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Japciodd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Noemqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjdnlhco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfnneb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kambcbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjpqpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pljcllqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imiigiab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoajel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecfldoph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpbmqe32.exe -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral1/files/0x000e000000014698-12.dat UPX behavioral1/files/0x002a000000014b6d-26.dat UPX behavioral1/files/0x00070000000155d4-47.dat UPX behavioral1/files/0x0006000000016cf0-69.dat UPX behavioral1/files/0x0006000000016d11-82.dat UPX behavioral1/files/0x0006000000016d41-88.dat UPX behavioral1/files/0x0013000000014c67-101.dat UPX behavioral1/files/0x0006000000016d89-127.dat UPX behavioral1/files/0x000600000001704f-147.dat UPX behavioral1/files/0x000500000001868c-154.dat UPX behavioral1/files/0x00050000000186a0-173.dat UPX behavioral1/files/0x0006000000018ae8-180.dat UPX behavioral1/files/0x0006000000018b33-194.dat UPX behavioral1/files/0x0006000000018b42-217.dat UPX behavioral1/files/0x0006000000018b6a-225.dat UPX behavioral1/files/0x00050000000192f4-253.dat UPX behavioral1/files/0x00050000000193b0-286.dat UPX behavioral1/files/0x000500000001946b-297.dat UPX behavioral1/files/0x00040000000194d8-328.dat UPX behavioral1/files/0x0005000000019547-382.dat UPX behavioral1/files/0x00050000000195a2-404.dat UPX behavioral1/files/0x00050000000195a6-415.dat UPX behavioral1/files/0x00050000000195a8-426.dat UPX behavioral1/files/0x00050000000196d8-461.dat UPX behavioral1/files/0x0005000000019bd6-472.dat UPX behavioral1/files/0x0005000000019bd8-482.dat UPX behavioral1/files/0x0005000000019d4d-502.dat UPX behavioral1/files/0x0005000000019cba-492.dat UPX behavioral1/files/0x0005000000019f42-516.dat UPX behavioral1/files/0x000500000001a00c-525.dat UPX behavioral1/files/0x000500000001a04c-534.dat UPX behavioral1/files/0x000500000001a3cd-565.dat UPX behavioral1/files/0x000500000001a40b-574.dat UPX behavioral1/files/0x000500000001a42b-583.dat UPX behavioral1/files/0x000500000001a432-593.dat UPX behavioral1/files/0x000500000001a445-615.dat UPX behavioral1/files/0x000500000001a449-625.dat UPX behavioral1/files/0x000500000001a44d-638.dat UPX behavioral1/files/0x000500000001a451-652.dat UPX behavioral1/files/0x000500000001a455-665.dat UPX behavioral1/files/0x000500000001a459-676.dat UPX behavioral1/files/0x000500000001a45d-691.dat UPX behavioral1/files/0x000500000001a461-704.dat UPX behavioral1/files/0x000500000001a465-719.dat UPX behavioral1/files/0x000500000001a46a-732.dat UPX behavioral1/files/0x000500000001a46e-743.dat UPX behavioral1/files/0x000500000001a472-756.dat UPX behavioral1/files/0x000500000001a477-769.dat UPX behavioral1/files/0x000500000001a47b-784.dat UPX behavioral1/files/0x000500000001a488-810.dat UPX behavioral1/files/0x000500000001c652-858.dat UPX behavioral1/files/0x000500000001c82b-896.dat UPX behavioral1/files/0x000500000001c834-916.dat UPX behavioral1/files/0x000500000001c839-931.dat UPX behavioral1/files/0x000500000001c83d-943.dat UPX behavioral1/files/0x000500000001c841-953.dat UPX behavioral1/files/0x000500000001c845-966.dat UPX behavioral1/files/0x000500000001c849-979.dat UPX behavioral1/files/0x000500000001c84d-990.dat UPX behavioral1/files/0x000500000001c855-1011.dat UPX behavioral1/files/0x000500000001c85a-1024.dat UPX behavioral1/files/0x000400000001c8dd-1047.dat UPX behavioral1/files/0x000400000001c8e2-1058.dat UPX behavioral1/files/0x000400000001c8e6-1067.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 2136 Kglcogeo.exe 2688 Kbaglpee.exe 2624 Kkileele.exe 2736 Kgpmjf32.exe 2412 Kddmdk32.exe 584 Konndhmb.exe 1084 Lifbmn32.exe 2064 Lpgajgeg.exe 2672 Ljabkeaf.exe 2004 Meffhnal.exe 2276 Mjcoqdoc.exe 1960 Mhgoji32.exe 2172 Mpbdnk32.exe 772 Mikhgqbi.exe 1704 Mfoiqe32.exe 3052 Mdbiji32.exe 1268 Nmkncofl.exe 3016 Nbhfke32.exe 1040 Nplfdj32.exe 792 Nkegeg32.exe 2016 Nhiholof.exe 2320 Naalga32.exe 2400 Noemqe32.exe 1380 Oionacqo.exe 1592 Ommfga32.exe 2496 Ogekpg32.exe 2960 Opplolac.exe 2680 Oihqgbhd.exe 2760 Padeldeo.exe 1684 Pkljdj32.exe 2484 Pddnnp32.exe 2940 Pnmcfeia.exe 2476 Pnopldgn.exe 1484 Pclhdl32.exe 2820 Pnalad32.exe 2256 Qndigd32.exe 1844 Qoeeolig.exe 1464 Qmifhq32.exe 1724 Ajmfad32.exe 2784 Akncimmh.exe 1068 Aibcba32.exe 1496 Anolkh32.exe 980 Akcldl32.exe 1360 Aapemc32.exe 1624 Bmnlbcfg.exe 1424 Bidlgdlk.exe 1756 Bpnddn32.exe 2600 Bekmle32.exe 716 Bleeioil.exe 2872 Bfkifhib.exe 2528 Chlfnp32.exe 2024 Cbajkiof.exe 1384 Cikbhc32.exe 2388 Cohkpj32.exe 1100 Cebcmdlg.exe 2480 Cojhejbh.exe 1892 Cdgpnqpo.exe 1764 Cakqgeoi.exe 2648 Cheido32.exe 2036 Cmbalfem.exe 1320 Dbojdmcd.exe 1452 Dmdnbecj.exe 2664 Depbfhpe.exe 1736 Dpegcq32.exe -
Loads dropped DLL 64 IoCs
pid Process 3008 8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54.exe 3008 8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54.exe 2136 Kglcogeo.exe 2136 Kglcogeo.exe 2688 Kbaglpee.exe 2688 Kbaglpee.exe 2624 Kkileele.exe 2624 Kkileele.exe 2736 Kgpmjf32.exe 2736 Kgpmjf32.exe 2412 Kddmdk32.exe 2412 Kddmdk32.exe 584 Konndhmb.exe 584 Konndhmb.exe 1084 Lifbmn32.exe 1084 Lifbmn32.exe 2064 Lpgajgeg.exe 2064 Lpgajgeg.exe 2672 Ljabkeaf.exe 2672 Ljabkeaf.exe 2004 Meffhnal.exe 2004 Meffhnal.exe 2276 Mjcoqdoc.exe 2276 Mjcoqdoc.exe 1960 Mhgoji32.exe 1960 Mhgoji32.exe 2172 Mpbdnk32.exe 2172 Mpbdnk32.exe 772 Mikhgqbi.exe 772 Mikhgqbi.exe 1704 Mfoiqe32.exe 1704 Mfoiqe32.exe 3052 Mdbiji32.exe 3052 Mdbiji32.exe 1268 Nmkncofl.exe 1268 Nmkncofl.exe 3016 Nbhfke32.exe 3016 Nbhfke32.exe 1040 Nplfdj32.exe 1040 Nplfdj32.exe 792 Nkegeg32.exe 792 Nkegeg32.exe 2016 Nhiholof.exe 2016 Nhiholof.exe 2320 Naalga32.exe 2320 Naalga32.exe 2400 Noemqe32.exe 2400 Noemqe32.exe 1380 Oionacqo.exe 1380 Oionacqo.exe 1592 Ommfga32.exe 1592 Ommfga32.exe 2496 Ogekpg32.exe 2496 Ogekpg32.exe 2960 Opplolac.exe 2960 Opplolac.exe 2680 Oihqgbhd.exe 2680 Oihqgbhd.exe 2760 Padeldeo.exe 2760 Padeldeo.exe 1684 Pkljdj32.exe 1684 Pkljdj32.exe 2484 Pddnnp32.exe 2484 Pddnnp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fjfikeqd.dll Flfpabkp.exe File created C:\Windows\SysWOW64\Fjdnlhco.exe Fcjeon32.exe File opened for modification C:\Windows\SysWOW64\Pckajebj.exe Plaimk32.exe File created C:\Windows\SysWOW64\Jhhamo32.dll Jmdepg32.exe File created C:\Windows\SysWOW64\Cfmhdpnc.exe Cocphf32.exe File created C:\Windows\SysWOW64\Ldoqge32.dll Kkileele.exe File created C:\Windows\SysWOW64\Ppmncnbh.dll Jdflqo32.exe File created C:\Windows\SysWOW64\Pomhcg32.exe Piqpkpml.exe File created C:\Windows\SysWOW64\Egpfmb32.dll Knfndjdp.exe File created C:\Windows\SysWOW64\Ahgofi32.exe Anbkipok.exe File created C:\Windows\SysWOW64\Dpjbgh32.exe Dhckfkbh.exe File created C:\Windows\SysWOW64\Dobfbpbc.dll Cmppehkh.exe File created C:\Windows\SysWOW64\Mbfmiaej.dll Ibfaopoi.exe File created C:\Windows\SysWOW64\Oeeikk32.dll Mimgeigj.exe File created C:\Windows\SysWOW64\Ikdngobg.dll Fgjjad32.exe File created C:\Windows\SysWOW64\Mkqqnq32.exe Mdghaf32.exe File created C:\Windows\SysWOW64\Qkielpdf.exe Qbnphngk.exe File created C:\Windows\SysWOW64\Dnefhpma.exe Dgknkf32.exe File opened for modification C:\Windows\SysWOW64\Deakjjbk.exe Dnhbmpkn.exe File created C:\Windows\SysWOW64\Mcmahg32.dll Eoblnd32.exe File created C:\Windows\SysWOW64\Dhnhab32.dll Efedga32.exe File created C:\Windows\SysWOW64\Jjfkmdlg.exe Jggoqimd.exe File created C:\Windows\SysWOW64\Coikpclh.dll Gpabcbdb.exe File created C:\Windows\SysWOW64\Khmggg32.dll Cojhejbh.exe File created C:\Windows\SysWOW64\Cchlkipc.dll Gcahoqhf.exe File created C:\Windows\SysWOW64\Chlojnpb.dll Kbmfgk32.exe File created C:\Windows\SysWOW64\Colpld32.exe Cmmcpi32.exe File created C:\Windows\SysWOW64\Eckfklnl.dll Dppigchi.exe File created C:\Windows\SysWOW64\Bcbonpco.dll Jcnoejch.exe File opened for modification C:\Windows\SysWOW64\Anolkh32.exe Aibcba32.exe File created C:\Windows\SysWOW64\Aqmamm32.exe Aciqcifh.exe File created C:\Windows\SysWOW64\Hjmicg32.dll Lngpog32.exe File opened for modification C:\Windows\SysWOW64\Nfghdcfj.exe Npmphinm.exe File created C:\Windows\SysWOW64\Gdmdacnn.exe Gbohehoj.exe File created C:\Windows\SysWOW64\Lbfook32.exe Lhnkffeo.exe File created C:\Windows\SysWOW64\Mbhlek32.exe Lhpglecl.exe File opened for modification C:\Windows\SysWOW64\Cmppehkh.exe Cfehhn32.exe File created C:\Windows\SysWOW64\Gbejnl32.dll Fccglehn.exe File created C:\Windows\SysWOW64\Ffbafegj.dll Aqmamm32.exe File opened for modification C:\Windows\SysWOW64\Ieibdnnp.exe Imbjcpnn.exe File created C:\Windows\SysWOW64\Hbaaik32.exe Hlgimqhf.exe File created C:\Windows\SysWOW64\Hhejnc32.exe Hbiaemkk.exe File created C:\Windows\SysWOW64\Hehiqh32.dll Hfbcidmk.exe File created C:\Windows\SysWOW64\Aodcbn32.dll Ndcapd32.exe File opened for modification C:\Windows\SysWOW64\Cdgpnqpo.exe Cojhejbh.exe File created C:\Windows\SysWOW64\Ommfga32.exe Oionacqo.exe File created C:\Windows\SysWOW64\Cbajkiof.exe Chlfnp32.exe File opened for modification C:\Windows\SysWOW64\Aojabdlf.exe Ajmijmnn.exe File created C:\Windows\SysWOW64\Eabepp32.exe Ekhmcelc.exe File created C:\Windows\SysWOW64\Oedcmfgb.dll Kbaglpee.exe File created C:\Windows\SysWOW64\Mqdkdffe.dll Phhjblpa.exe File opened for modification C:\Windows\SysWOW64\Mimgeigj.exe Mbcoio32.exe File opened for modification C:\Windows\SysWOW64\Kljdkpfl.exe Kilgoe32.exe File created C:\Windows\SysWOW64\Lkfddc32.exe Lqqpgj32.exe File created C:\Windows\SysWOW64\Odjdmjgo.exe Omqlpp32.exe File opened for modification C:\Windows\SysWOW64\Clmdmm32.exe Cfpldf32.exe File created C:\Windows\SysWOW64\Hghillnd.exe Hqnapb32.exe File opened for modification C:\Windows\SysWOW64\Kkileele.exe Kbaglpee.exe File created C:\Windows\SysWOW64\Gglbfg32.exe Gekfnoog.exe File opened for modification C:\Windows\SysWOW64\Lkfddc32.exe Lqqpgj32.exe File opened for modification C:\Windows\SysWOW64\Nlhjhi32.exe Nbpeoc32.exe File opened for modification C:\Windows\SysWOW64\Ebnabb32.exe Eppefg32.exe File created C:\Windows\SysWOW64\Iikkon32.exe Ibacbcgg.exe File created C:\Windows\SysWOW64\Kambcbhb.exe Jnofgg32.exe -
Program crash 1 IoCs
pid pid_target Process 6524 6500 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbajkiof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbbofjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahlae32.dll" Jhdlad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pplqiiqb.dll" Flocfmnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbpbpkpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjfnomde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnefhpma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qoeeolig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olnldn32.dll" Hfjpdjjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aakepajf.dll" Fkejcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedaglad.dll" Hhhgcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgnbnpkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfehhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cakqgeoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eimllb32.dll" Dfpaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnleiipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfenefej.dll" Edidqf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Noemqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgpgjepk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbchni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} 8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljigih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omqlpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icehdl32.dll" Kadfkhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apidjmhc.dll" Gghmmilh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfepegb.dll" Epbbkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hclfag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omefkplm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbidne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bokblhqh.dll" Klhgfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gglbfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekhkjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhhgcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibfaopoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Laleof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eoajel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imiigiab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikjhki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdkehipd.dll" Fcbecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjpqpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddaafojo.dll" Oeindm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qgjccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bigkel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jggoqimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeqkmn32.dll" Hbknkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Baojapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpkompgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifjic32.dll" Ibipmiek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jagpdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefmne32.dll" Pnalad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coikpclh.dll" Gpabcbdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enoamb32.dll" Bbeded32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgoime32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfgebjnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcdlhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpbmqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipjahd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bammlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhflfhh.dll" Kgnbnpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qppkfhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmaebf32.dll" Jdcpkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdpcokdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbknkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilabmedg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3008 wrote to memory of 2136 3008 8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54.exe 28 PID 3008 wrote to memory of 2136 3008 8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54.exe 28 PID 3008 wrote to memory of 2136 3008 8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54.exe 28 PID 3008 wrote to memory of 2136 3008 8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54.exe 28 PID 2136 wrote to memory of 2688 2136 Kglcogeo.exe 29 PID 2136 wrote to memory of 2688 2136 Kglcogeo.exe 29 PID 2136 wrote to memory of 2688 2136 Kglcogeo.exe 29 PID 2136 wrote to memory of 2688 2136 Kglcogeo.exe 29 PID 2688 wrote to memory of 2624 2688 Kbaglpee.exe 30 PID 2688 wrote to memory of 2624 2688 Kbaglpee.exe 30 PID 2688 wrote to memory of 2624 2688 Kbaglpee.exe 30 PID 2688 wrote to memory of 2624 2688 Kbaglpee.exe 30 PID 2624 wrote to memory of 2736 2624 Kkileele.exe 31 PID 2624 wrote to memory of 2736 2624 Kkileele.exe 31 PID 2624 wrote to memory of 2736 2624 Kkileele.exe 31 PID 2624 wrote to memory of 2736 2624 Kkileele.exe 31 PID 2736 wrote to memory of 2412 2736 Kgpmjf32.exe 610 PID 2736 wrote to memory of 2412 2736 Kgpmjf32.exe 610 PID 2736 wrote to memory of 2412 2736 Kgpmjf32.exe 610 PID 2736 wrote to memory of 2412 2736 Kgpmjf32.exe 610 PID 2412 wrote to memory of 584 2412 Kddmdk32.exe 592 PID 2412 wrote to memory of 584 2412 Kddmdk32.exe 592 PID 2412 wrote to memory of 584 2412 Kddmdk32.exe 592 PID 2412 wrote to memory of 584 2412 Kddmdk32.exe 592 PID 584 wrote to memory of 1084 584 Konndhmb.exe 34 PID 584 wrote to memory of 1084 584 Konndhmb.exe 34 PID 584 wrote to memory of 1084 584 Konndhmb.exe 34 PID 584 wrote to memory of 1084 584 Konndhmb.exe 34 PID 1084 wrote to memory of 2064 1084 Lifbmn32.exe 35 PID 1084 wrote to memory of 2064 1084 Lifbmn32.exe 35 PID 1084 wrote to memory of 2064 1084 Lifbmn32.exe 35 PID 1084 wrote to memory of 2064 1084 Lifbmn32.exe 35 PID 2064 wrote to memory of 2672 2064 Lpgajgeg.exe 36 PID 2064 wrote to memory of 2672 2064 Lpgajgeg.exe 36 PID 2064 wrote to memory of 2672 2064 Lpgajgeg.exe 36 PID 2064 wrote to memory of 2672 2064 Lpgajgeg.exe 36 PID 2672 wrote to memory of 2004 2672 Ljabkeaf.exe 37 PID 2672 wrote to memory of 2004 2672 Ljabkeaf.exe 37 PID 2672 wrote to memory of 2004 2672 Ljabkeaf.exe 37 PID 2672 wrote to memory of 2004 2672 Ljabkeaf.exe 37 PID 2004 wrote to memory of 2276 2004 Meffhnal.exe 38 PID 2004 wrote to memory of 2276 2004 Meffhnal.exe 38 PID 2004 wrote to memory of 2276 2004 Meffhnal.exe 38 PID 2004 wrote to memory of 2276 2004 Meffhnal.exe 38 PID 2276 wrote to memory of 1960 2276 Mjcoqdoc.exe 39 PID 2276 wrote to memory of 1960 2276 Mjcoqdoc.exe 39 PID 2276 wrote to memory of 1960 2276 Mjcoqdoc.exe 39 PID 2276 wrote to memory of 1960 2276 Mjcoqdoc.exe 39 PID 1960 wrote to memory of 2172 1960 Mhgoji32.exe 40 PID 1960 wrote to memory of 2172 1960 Mhgoji32.exe 40 PID 1960 wrote to memory of 2172 1960 Mhgoji32.exe 40 PID 1960 wrote to memory of 2172 1960 Mhgoji32.exe 40 PID 2172 wrote to memory of 772 2172 Mpbdnk32.exe 41 PID 2172 wrote to memory of 772 2172 Mpbdnk32.exe 41 PID 2172 wrote to memory of 772 2172 Mpbdnk32.exe 41 PID 2172 wrote to memory of 772 2172 Mpbdnk32.exe 41 PID 772 wrote to memory of 1704 772 Mikhgqbi.exe 42 PID 772 wrote to memory of 1704 772 Mikhgqbi.exe 42 PID 772 wrote to memory of 1704 772 Mikhgqbi.exe 42 PID 772 wrote to memory of 1704 772 Mikhgqbi.exe 42 PID 1704 wrote to memory of 3052 1704 Mfoiqe32.exe 43 PID 1704 wrote to memory of 3052 1704 Mfoiqe32.exe 43 PID 1704 wrote to memory of 3052 1704 Mfoiqe32.exe 43 PID 1704 wrote to memory of 3052 1704 Mfoiqe32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\1042769292\zmstage.exeC:\Users\Admin\AppData\Local\Temp\1042769292\zmstage.exe1⤵PID:1328
-
C:\Users\Admin\AppData\Local\Temp\8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54.exe"C:\Users\Admin\AppData\Local\Temp\8d955eadec60d6176fbd7df6532efd4566eb281e2d53c2c6cf0660a3a409af54.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Kglcogeo.exeC:\Windows\system32\Kglcogeo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Kbaglpee.exeC:\Windows\system32\Kbaglpee.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Kddmdk32.exeC:\Windows\system32\Kddmdk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Konndhmb.exeC:\Windows\system32\Konndhmb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Ljabkeaf.exeC:\Windows\system32\Ljabkeaf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Mjcoqdoc.exeC:\Windows\system32\Mjcoqdoc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Mhgoji32.exeC:\Windows\system32\Mhgoji32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Mikhgqbi.exeC:\Windows\system32\Mikhgqbi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Mfoiqe32.exeC:\Windows\system32\Mfoiqe32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Mdbiji32.exeC:\Windows\system32\Mdbiji32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Nmkncofl.exeC:\Windows\system32\Nmkncofl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Nbhfke32.exeC:\Windows\system32\Nbhfke32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Nplfdj32.exeC:\Windows\system32\Nplfdj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Nkegeg32.exeC:\Windows\system32\Nkegeg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:792 -
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016 -
C:\Windows\SysWOW64\Naalga32.exeC:\Windows\system32\Naalga32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1380 -
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Pddnnp32.exeC:\Windows\system32\Pddnnp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe34⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe35⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Pnalad32.exeC:\Windows\system32\Pnalad32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe37⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Qoeeolig.exeC:\Windows\system32\Qoeeolig.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe39⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Ajmfad32.exeC:\Windows\system32\Ajmfad32.exe40⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe41⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Aibcba32.exeC:\Windows\system32\Aibcba32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1068 -
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe43⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe44⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Aapemc32.exeC:\Windows\system32\Aapemc32.exe45⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Bmnlbcfg.exeC:\Windows\system32\Bmnlbcfg.exe46⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe47⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Bpnddn32.exeC:\Windows\system32\Bpnddn32.exe48⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe49⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Bleeioil.exeC:\Windows\system32\Bleeioil.exe50⤵
- Executes dropped EXE
PID:716 -
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe51⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Chlfnp32.exeC:\Windows\system32\Chlfnp32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe54⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe55⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Cebcmdlg.exeC:\Windows\system32\Cebcmdlg.exe56⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe58⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Cakqgeoi.exeC:\Windows\system32\Cakqgeoi.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe60⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Cmbalfem.exeC:\Windows\system32\Cmbalfem.exe61⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Dbojdmcd.exeC:\Windows\system32\Dbojdmcd.exe62⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe63⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe64⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe65⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Debplg32.exeC:\Windows\system32\Debplg32.exe66⤵PID:684
-
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3044 -
C:\Windows\SysWOW64\Dkadjn32.exeC:\Windows\system32\Dkadjn32.exe68⤵PID:2304
-
C:\Windows\SysWOW64\Ddiibc32.exeC:\Windows\system32\Ddiibc32.exe69⤵PID:572
-
C:\Windows\SysWOW64\Eeielfhk.exeC:\Windows\system32\Eeielfhk.exe70⤵PID:1692
-
C:\Windows\SysWOW64\Ehgbhbgn.exeC:\Windows\system32\Ehgbhbgn.exe71⤵PID:2144
-
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Ednbncmb.exeC:\Windows\system32\Ednbncmb.exe73⤵PID:2508
-
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe74⤵
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe75⤵PID:2800
-
C:\Windows\SysWOW64\Ejmhkiig.exeC:\Windows\system32\Ejmhkiig.exe76⤵PID:1716
-
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2556 -
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe78⤵PID:2932
-
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe79⤵PID:2700
-
C:\Windows\SysWOW64\Fjbafi32.exeC:\Windows\system32\Fjbafi32.exe80⤵PID:1420
-
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe81⤵
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Fjdnlhco.exeC:\Windows\system32\Fjdnlhco.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2216 -
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe83⤵
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe84⤵
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe85⤵
- Modifies registry class
PID:1248 -
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe86⤵PID:1964
-
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe88⤵PID:2176
-
C:\Windows\SysWOW64\Gjbmelgm.exeC:\Windows\system32\Gjbmelgm.exe89⤵PID:1744
-
C:\Windows\SysWOW64\Gcjbna32.exeC:\Windows\system32\Gcjbna32.exe90⤵PID:2628
-
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe91⤵PID:2448
-
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2012 -
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe94⤵PID:240
-
C:\Windows\SysWOW64\Gildahhp.exeC:\Windows\system32\Gildahhp.exe95⤵PID:2296
-
C:\Windows\SysWOW64\Gcahoqhf.exeC:\Windows\system32\Gcahoqhf.exe96⤵
- Drops file in System32 directory
PID:1852 -
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe97⤵PID:2904
-
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe98⤵PID:2888
-
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe99⤵PID:1664
-
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe100⤵PID:2740
-
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe101⤵
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe102⤵PID:2944
-
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe103⤵
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe104⤵
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe105⤵PID:2604
-
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe106⤵PID:1792
-
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe107⤵PID:1492
-
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe108⤵PID:1752
-
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe111⤵PID:1524
-
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe112⤵
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe113⤵PID:2020
-
C:\Windows\SysWOW64\Ilabmedg.exeC:\Windows\system32\Ilabmedg.exe114⤵
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe115⤵PID:2052
-
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe116⤵PID:2188
-
C:\Windows\SysWOW64\Ioakoq32.exeC:\Windows\system32\Ioakoq32.exe117⤵PID:1572
-
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe118⤵PID:776
-
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe119⤵PID:1608
-
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe120⤵PID:1968
-
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe121⤵PID:2864
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-