Analysis
-
max time kernel
140s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
09-05-2024 02:56
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
b337c266852961a74517c69363c017c98dd33ad6c1d384fe9862a221ba90b2ce.exe
Resource
win7-20240508-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
b337c266852961a74517c69363c017c98dd33ad6c1d384fe9862a221ba90b2ce.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
b337c266852961a74517c69363c017c98dd33ad6c1d384fe9862a221ba90b2ce.exe
-
Size
360KB
-
MD5
ec897eb1b9f919d7d91e9523e0fbcf90
-
SHA1
0b06bf48744b9eaa751992547dfee1db0de3a9ea
-
SHA256
b337c266852961a74517c69363c017c98dd33ad6c1d384fe9862a221ba90b2ce
-
SHA512
c0ad864c7e1825f4b397fcdf6336d7c721aef27fd2651c384f78d6430a6959e2611ee0f5d3204afbbb0bc82cc23d7ba3f062a3c466fe8d12ce946135d4d50f66
-
SSDEEP
6144:dy4lSPepCpX2/mnbzvdLaD6OkPgl6bmIjlQFxU:M4YoCpXImbzQD6OkPgl6bmIjKxU
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofelmloo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgjqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaqomeke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iabhah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoepnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbbngf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbeiefff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkbalifo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbokgpgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfpeeqig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqcpob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gonocmbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddblgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llkbap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkoplhip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pljcllqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijeghgoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koddccaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkoplhip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjlheehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noogpfjh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lliflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmlmic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Behgcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bobhal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edccch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbcdbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kifpdelo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejmhkiig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eapfagno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfqahgpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlphkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaeiieeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baigca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lafndg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgalqkbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ancefgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqonbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Behilopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpmbfbgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gonocmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knjbnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elajgpmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkklp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omkjbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lajhofao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdgafdfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbpmapf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejehgkdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daipqhdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cilibi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbgpkpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfkkpmko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkffng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbjochdi.exe -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral1/files/0x0008000000015d12-29.dat UPX behavioral1/files/0x000a000000012289-1.dat UPX behavioral1/files/0x0007000000015d53-34.dat UPX behavioral1/files/0x0009000000015d83-48.dat UPX behavioral1/files/0x0006000000016a8a-62.dat UPX behavioral1/files/0x0006000000016c6f-82.dat UPX behavioral1/files/0x0006000000016cc1-90.dat UPX behavioral1/files/0x0006000000016d17-110.dat UPX behavioral1/files/0x0006000000016d32-118.dat UPX behavioral1/files/0x0033000000015ce8-133.dat UPX behavioral1/files/0x0006000000016d4b-147.dat UPX behavioral1/files/0x0006000000016d64-161.dat UPX behavioral1/files/0x0006000000016d6f-175.dat UPX behavioral1/files/0x0006000000016d9f-189.dat UPX behavioral1/files/0x0006000000016dc8-204.dat UPX behavioral1/files/0x0006000000016ddc-224.dat UPX behavioral1/files/0x00060000000171d7-236.dat UPX behavioral1/files/0x00060000000173ca-243.dat UPX behavioral1/files/0x00060000000173f9-253.dat UPX behavioral1/files/0x0014000000018668-263.dat UPX behavioral1/files/0x000500000001870e-275.dat UPX behavioral1/files/0x000500000001871f-285.dat UPX behavioral1/files/0x0005000000018784-294.dat UPX behavioral1/files/0x000500000001879e-304.dat UPX behavioral1/files/0x0006000000018b86-312.dat UPX behavioral1/files/0x0006000000018bed-324.dat UPX behavioral1/files/0x0005000000019314-334.dat UPX behavioral1/memory/2708-345-0x00000000002D0000-0x00000000002FF000-memory.dmp UPX behavioral1/files/0x00050000000193d9-346.dat UPX behavioral1/files/0x00050000000193ff-356.dat UPX behavioral1/files/0x000500000001942b-367.dat UPX behavioral1/files/0x0005000000019470-378.dat UPX behavioral1/files/0x00050000000194b3-392.dat UPX behavioral1/files/0x000500000001952d-400.dat UPX behavioral1/files/0x0005000000019627-411.dat UPX behavioral1/files/0x000500000001962b-421.dat UPX behavioral1/files/0x000500000001962f-432.dat UPX behavioral1/files/0x0005000000019635-442.dat UPX behavioral1/files/0x000500000001963b-453.dat UPX behavioral1/files/0x000500000001963f-465.dat UPX behavioral1/files/0x0005000000019641-477.dat UPX behavioral1/files/0x0005000000019643-486.dat UPX behavioral1/files/0x00050000000196bf-497.dat UPX behavioral1/files/0x00050000000196c4-508.dat UPX behavioral1/files/0x000500000001970d-519.dat UPX behavioral1/files/0x0005000000019859-529.dat UPX behavioral1/files/0x000500000001991d-543.dat UPX behavioral1/files/0x0005000000019afe-551.dat UPX behavioral1/files/0x0005000000019c6c-562.dat UPX behavioral1/files/0x0005000000019d63-573.dat UPX behavioral1/files/0x0005000000019dd5-584.dat UPX behavioral1/files/0x0005000000019f31-594.dat UPX behavioral1/files/0x000500000001a05a-606.dat UPX behavioral1/files/0x000500000001a0c1-619.dat UPX behavioral1/files/0x000500000001a3de-632.dat UPX behavioral1/files/0x000500000001a473-642.dat UPX behavioral1/files/0x000500000001a47b-655.dat UPX behavioral1/files/0x000500000001a484-663.dat UPX behavioral1/files/0x000500000001a4d1-675.dat UPX behavioral1/files/0x000500000001a4dd-684.dat UPX behavioral1/files/0x000500000001a4e9-696.dat UPX behavioral1/files/0x000500000001a4f1-707.dat UPX behavioral1/files/0x000500000001a4f5-723.dat UPX behavioral1/files/0x000500000001a4f9-732.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 2568 Faagpp32.exe 2692 Ffnphf32.exe 2744 Fjilieka.exe 1656 Globlmmj.exe 2508 Glaoalkh.exe 2644 Gieojq32.exe 1748 Gaqcoc32.exe 2712 Ghkllmoi.exe 2452 Gmjaic32.exe 1872 Hmlnoc32.exe 1552 Hicodd32.exe 1876 Hejoiedd.exe 2244 Hgilchkf.exe 580 Hodpgjha.exe 588 Iaeiieeb.exe 2044 Ioijbj32.exe 3064 Igdogl32.exe 1072 Inngcfid.exe 1300 Ihdkao32.exe 2016 Ijeghgoh.exe 2984 Idklfpon.exe 1492 Idklfpon.exe 2160 Igihbknb.exe 1108 Incpoe32.exe 2880 Idmhkpml.exe 1624 Igkdgk32.exe 1500 Jgnamk32.exe 2708 Jfqahgpg.exe 2600 Joifam32.exe 2772 Jfcnngnd.exe 2588 Jokcgmee.exe 2540 Jbjochdi.exe 2928 Jicgpb32.exe 2464 Jonplmcb.exe 2764 Jifdebic.exe 2168 Jkdpanhg.exe 1232 Kihqkagp.exe 2208 Kgkafo32.exe 2364 Keoapb32.exe 1248 Kgnnln32.exe 2932 Kafbec32.exe 1560 Kcdnao32.exe 2720 Knjbnh32.exe 288 Kahojc32.exe 3036 Kpkofpgq.exe 348 Kfegbj32.exe 1572 Kmopod32.exe 828 Kaklpcoc.exe 1860 Kfgdhjmk.exe 1924 Kifpdelo.exe 2008 Lckdanld.exe 3068 Lemaif32.exe 2760 Lihmjejl.exe 2608 Loeebl32.exe 2792 Lflmci32.exe 2472 Lijjoe32.exe 1676 Lliflp32.exe 1708 Logbhl32.exe 2180 Lafndg32.exe 1904 Limfed32.exe 1932 Llkbap32.exe 2448 Lahkigca.exe 1448 Llnofpcg.exe 2424 Lollckbk.exe -
Loads dropped DLL 64 IoCs
pid Process 2556 b337c266852961a74517c69363c017c98dd33ad6c1d384fe9862a221ba90b2ce.exe 2556 b337c266852961a74517c69363c017c98dd33ad6c1d384fe9862a221ba90b2ce.exe 2568 Faagpp32.exe 2568 Faagpp32.exe 2692 Ffnphf32.exe 2692 Ffnphf32.exe 2744 Fjilieka.exe 2744 Fjilieka.exe 1656 Globlmmj.exe 1656 Globlmmj.exe 2508 Glaoalkh.exe 2508 Glaoalkh.exe 2644 Gieojq32.exe 2644 Gieojq32.exe 1748 Gaqcoc32.exe 1748 Gaqcoc32.exe 2712 Ghkllmoi.exe 2712 Ghkllmoi.exe 2452 Gmjaic32.exe 2452 Gmjaic32.exe 1872 Hmlnoc32.exe 1872 Hmlnoc32.exe 1552 Hicodd32.exe 1552 Hicodd32.exe 1876 Hejoiedd.exe 1876 Hejoiedd.exe 2244 Hgilchkf.exe 2244 Hgilchkf.exe 580 Hodpgjha.exe 580 Hodpgjha.exe 588 Iaeiieeb.exe 588 Iaeiieeb.exe 2044 Ioijbj32.exe 2044 Ioijbj32.exe 3064 Igdogl32.exe 3064 Igdogl32.exe 1072 Inngcfid.exe 1072 Inngcfid.exe 1300 Ihdkao32.exe 1300 Ihdkao32.exe 2016 Ijeghgoh.exe 2016 Ijeghgoh.exe 2984 Idklfpon.exe 2984 Idklfpon.exe 1492 Idklfpon.exe 1492 Idklfpon.exe 2160 Igihbknb.exe 2160 Igihbknb.exe 1108 Incpoe32.exe 1108 Incpoe32.exe 2880 Idmhkpml.exe 2880 Idmhkpml.exe 1624 Igkdgk32.exe 1624 Igkdgk32.exe 1500 Jgnamk32.exe 1500 Jgnamk32.exe 2708 Jfqahgpg.exe 2708 Jfqahgpg.exe 2600 Joifam32.exe 2600 Joifam32.exe 2772 Jfcnngnd.exe 2772 Jfcnngnd.exe 2588 Jokcgmee.exe 2588 Jokcgmee.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eadphb32.dll Mlpneh32.exe File opened for modification C:\Windows\SysWOW64\Kffldlne.exe Process not Found File created C:\Windows\SysWOW64\Jhamckel.exe Jcedkd32.exe File created C:\Windows\SysWOW64\Jkjplo32.dll Bbjdjjdn.exe File created C:\Windows\SysWOW64\Alacdcjm.dll Pckajebj.exe File created C:\Windows\SysWOW64\Kgnnln32.exe Keoapb32.exe File opened for modification C:\Windows\SysWOW64\Gffoldhp.exe Ghcoqh32.exe File created C:\Windows\SysWOW64\Elkmmodo.exe Ehpalp32.exe File created C:\Windows\SysWOW64\Mneedo32.dll Hddlof32.exe File created C:\Windows\SysWOW64\Pclhdl32.exe Pdihiook.exe File opened for modification C:\Windows\SysWOW64\Klhemhpk.exe Khlili32.exe File created C:\Windows\SysWOW64\Nenakoho.exe Ndmecgba.exe File created C:\Windows\SysWOW64\Eifppipg.dll Process not Found File created C:\Windows\SysWOW64\Aemkjiem.exe Amfcikek.exe File created C:\Windows\SysWOW64\Jnicmdli.exe Jgojpjem.exe File opened for modification C:\Windows\SysWOW64\Ejehgkdp.exe Egglkp32.exe File created C:\Windows\SysWOW64\Gifaciae.exe Gfgegnbb.exe File created C:\Windows\SysWOW64\Oniefifl.dll Bfccei32.exe File opened for modification C:\Windows\SysWOW64\Jlelhe32.exe Ielclkhe.exe File created C:\Windows\SysWOW64\Hoamnbaf.dll Kahojc32.exe File created C:\Windows\SysWOW64\Bimoloog.exe Beackp32.exe File opened for modification C:\Windows\SysWOW64\Npjlhcmd.exe Process not Found File created C:\Windows\SysWOW64\Qadkpfeg.dll Ejehgkdp.exe File opened for modification C:\Windows\SysWOW64\Idfnicfl.exe Ipjahd32.exe File created C:\Windows\SysWOW64\Pqjfoa32.exe Pjpnbg32.exe File created C:\Windows\SysWOW64\Mknhnalm.dll Affdle32.exe File created C:\Windows\SysWOW64\Ldidkbpb.exe Lajhofao.exe File opened for modification C:\Windows\SysWOW64\Pkofjijm.exe Pgckjk32.exe File created C:\Windows\SysWOW64\Bbgqjdce.exe Bkmhnjlh.exe File created C:\Windows\SysWOW64\Heokmmgb.exe Hbqoqbho.exe File created C:\Windows\SysWOW64\Dppllabf.dll Fjegog32.exe File opened for modification C:\Windows\SysWOW64\Leopgo32.exe Lcncpfaf.exe File opened for modification C:\Windows\SysWOW64\Gpnmjd32.exe Glbqje32.exe File created C:\Windows\SysWOW64\Obkefk32.dll Dkigoimd.exe File opened for modification C:\Windows\SysWOW64\Lbfook32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nabopjmj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Olpdjf32.exe Onmdoioa.exe File opened for modification C:\Windows\SysWOW64\Gbjlaplk.exe Gpkpedmh.exe File created C:\Windows\SysWOW64\Gqdefddb.exe Process not Found File created C:\Windows\SysWOW64\Niebgj32.dll Process not Found File created C:\Windows\SysWOW64\Keednado.exe Knklagmb.exe File opened for modification C:\Windows\SysWOW64\Odebolpe.exe Omkjbb32.exe File created C:\Windows\SysWOW64\Iemkjqde.dll Lijjoe32.exe File created C:\Windows\SysWOW64\Cbgjqo32.exe Clmbddgp.exe File created C:\Windows\SysWOW64\Hgccgk32.dll Process not Found File created C:\Windows\SysWOW64\Bcmkhb32.dll Incpoe32.exe File opened for modification C:\Windows\SysWOW64\Iccbqh32.exe Hpefdl32.exe File created C:\Windows\SysWOW64\Fhhiii32.dll Niikceid.exe File created C:\Windows\SysWOW64\Plijimee.exe Phnnho32.exe File opened for modification C:\Windows\SysWOW64\Hhehek32.exe Hakphqja.exe File opened for modification C:\Windows\SysWOW64\Mgalqkbk.exe Mdcpdp32.exe File opened for modification C:\Windows\SysWOW64\Fjlkgn32.exe Fpffje32.exe File opened for modification C:\Windows\SysWOW64\Aoohekal.exe Akcldl32.exe File created C:\Windows\SysWOW64\Qgmfchei.exe Qdojgmfe.exe File opened for modification C:\Windows\SysWOW64\Cnmfdb32.exe Process not Found File created C:\Windows\SysWOW64\Pflomnkb.exe Pgioaa32.exe File opened for modification C:\Windows\SysWOW64\Fncdgcqm.exe Flehkhai.exe File created C:\Windows\SysWOW64\Popnbp32.dll Eniclh32.exe File created C:\Windows\SysWOW64\Mfelmo32.dll Gildahhp.exe File created C:\Windows\SysWOW64\Kncinl32.dll Bjebdfnn.exe File created C:\Windows\SysWOW64\Phqmgg32.exe Process not Found File created C:\Windows\SysWOW64\Bblogakg.exe Bpnbkeld.exe File opened for modification C:\Windows\SysWOW64\Bjallg32.exe Bbjdjjdn.exe File opened for modification C:\Windows\SysWOW64\Anjlebjc.exe Akkoig32.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system32†Djfdob32.¿xe Process not Found File created C:\Windows\system32†Djfdob32.¿xe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 3640 2068 Process not Found 1257 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdcpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlfejcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epobdneg.dll" Ehoocgeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meffhnal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnaggcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pldebkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjfccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlkihbk.dll" Kddmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blpjegfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gligjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fidfcc32.dll" Ecfldoph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iabhah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egdlec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giddhc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmgmc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojfaijcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnlqnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gohjaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgimglf.dll" Igchlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkebjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pciddedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onmjak32.dll" Ofelmloo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbjdjjdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifdofiam.dll" Edlfhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahgnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doiddc32.dll" Imnbbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdpcikdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Magqncba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmeidehe.dll" Nhiffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phcohg32.dll" Gaqomeke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meccii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll" Bhdgjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjaelaok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fahgfoih.dll" Ckccgane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjnobhq.dll" Hhjcic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pljcllqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inngcfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgefefnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amponajh.dll" Cpiqmlfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjlmpfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iheddndj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okojkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikekpn32.dll" Poeipifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figicd32.dll" Pkacpihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhgdkjol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgefefnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mccbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnicmdli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icmegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qqdbiopj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dakmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldahfej.dll" Jaijak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeaiio32.dll" Liqoflfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbjochdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pciddedl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poklngnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfejjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2556 wrote to memory of 2568 2556 b337c266852961a74517c69363c017c98dd33ad6c1d384fe9862a221ba90b2ce.exe 28 PID 2556 wrote to memory of 2568 2556 b337c266852961a74517c69363c017c98dd33ad6c1d384fe9862a221ba90b2ce.exe 28 PID 2556 wrote to memory of 2568 2556 b337c266852961a74517c69363c017c98dd33ad6c1d384fe9862a221ba90b2ce.exe 28 PID 2556 wrote to memory of 2568 2556 b337c266852961a74517c69363c017c98dd33ad6c1d384fe9862a221ba90b2ce.exe 28 PID 2568 wrote to memory of 2692 2568 Faagpp32.exe 29 PID 2568 wrote to memory of 2692 2568 Faagpp32.exe 29 PID 2568 wrote to memory of 2692 2568 Faagpp32.exe 29 PID 2568 wrote to memory of 2692 2568 Faagpp32.exe 29 PID 2692 wrote to memory of 2744 2692 Ffnphf32.exe 30 PID 2692 wrote to memory of 2744 2692 Ffnphf32.exe 30 PID 2692 wrote to memory of 2744 2692 Ffnphf32.exe 30 PID 2692 wrote to memory of 2744 2692 Ffnphf32.exe 30 PID 2744 wrote to memory of 1656 2744 Fjilieka.exe 31 PID 2744 wrote to memory of 1656 2744 Fjilieka.exe 31 PID 2744 wrote to memory of 1656 2744 Fjilieka.exe 31 PID 2744 wrote to memory of 1656 2744 Fjilieka.exe 31 PID 1656 wrote to memory of 2508 1656 Globlmmj.exe 32 PID 1656 wrote to memory of 2508 1656 Globlmmj.exe 32 PID 1656 wrote to memory of 2508 1656 Globlmmj.exe 32 PID 1656 wrote to memory of 2508 1656 Globlmmj.exe 32 PID 2508 wrote to memory of 2644 2508 Glaoalkh.exe 33 PID 2508 wrote to memory of 2644 2508 Glaoalkh.exe 33 PID 2508 wrote to memory of 2644 2508 Glaoalkh.exe 33 PID 2508 wrote to memory of 2644 2508 Glaoalkh.exe 33 PID 2644 wrote to memory of 1748 2644 Gieojq32.exe 34 PID 2644 wrote to memory of 1748 2644 Gieojq32.exe 34 PID 2644 wrote to memory of 1748 2644 Gieojq32.exe 34 PID 2644 wrote to memory of 1748 2644 Gieojq32.exe 34 PID 1748 wrote to memory of 2712 1748 Gaqcoc32.exe 35 PID 1748 wrote to memory of 2712 1748 Gaqcoc32.exe 35 PID 1748 wrote to memory of 2712 1748 Gaqcoc32.exe 35 PID 1748 wrote to memory of 2712 1748 Gaqcoc32.exe 35 PID 2712 wrote to memory of 2452 2712 Ghkllmoi.exe 36 PID 2712 wrote to memory of 2452 2712 Ghkllmoi.exe 36 PID 2712 wrote to memory of 2452 2712 Ghkllmoi.exe 36 PID 2712 wrote to memory of 2452 2712 Ghkllmoi.exe 36 PID 2452 wrote to memory of 1872 2452 Gmjaic32.exe 37 PID 2452 wrote to memory of 1872 2452 Gmjaic32.exe 37 PID 2452 wrote to memory of 1872 2452 Gmjaic32.exe 37 PID 2452 wrote to memory of 1872 2452 Gmjaic32.exe 37 PID 1872 wrote to memory of 1552 1872 Hmlnoc32.exe 38 PID 1872 wrote to memory of 1552 1872 Hmlnoc32.exe 38 PID 1872 wrote to memory of 1552 1872 Hmlnoc32.exe 38 PID 1872 wrote to memory of 1552 1872 Hmlnoc32.exe 38 PID 1552 wrote to memory of 1876 1552 Hicodd32.exe 39 PID 1552 wrote to memory of 1876 1552 Hicodd32.exe 39 PID 1552 wrote to memory of 1876 1552 Hicodd32.exe 39 PID 1552 wrote to memory of 1876 1552 Hicodd32.exe 39 PID 1876 wrote to memory of 2244 1876 Hejoiedd.exe 40 PID 1876 wrote to memory of 2244 1876 Hejoiedd.exe 40 PID 1876 wrote to memory of 2244 1876 Hejoiedd.exe 40 PID 1876 wrote to memory of 2244 1876 Hejoiedd.exe 40 PID 2244 wrote to memory of 580 2244 Hgilchkf.exe 41 PID 2244 wrote to memory of 580 2244 Hgilchkf.exe 41 PID 2244 wrote to memory of 580 2244 Hgilchkf.exe 41 PID 2244 wrote to memory of 580 2244 Hgilchkf.exe 41 PID 580 wrote to memory of 588 580 Hodpgjha.exe 42 PID 580 wrote to memory of 588 580 Hodpgjha.exe 42 PID 580 wrote to memory of 588 580 Hodpgjha.exe 42 PID 580 wrote to memory of 588 580 Hodpgjha.exe 42 PID 588 wrote to memory of 2044 588 Iaeiieeb.exe 43 PID 588 wrote to memory of 2044 588 Iaeiieeb.exe 43 PID 588 wrote to memory of 2044 588 Iaeiieeb.exe 43 PID 588 wrote to memory of 2044 588 Iaeiieeb.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\b337c266852961a74517c69363c017c98dd33ad6c1d384fe9862a221ba90b2ce.exe"C:\Users\Admin\AppData\Local\Temp\b337c266852961a74517c69363c017c98dd33ad6c1d384fe9862a221ba90b2ce.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2016 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1108 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Jbjochdi.exeC:\Windows\system32\Jbjochdi.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe34⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe35⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe36⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe37⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe38⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe39⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe41⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe42⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe43⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:288 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe46⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe47⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe48⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe49⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe50⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe52⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe53⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe54⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe55⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe56⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Logbhl32.exeC:\Windows\system32\Logbhl32.exe59⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Lafndg32.exeC:\Windows\system32\Lafndg32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe61⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe63⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe64⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe65⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Lajhofao.exeC:\Windows\system32\Lajhofao.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe67⤵PID:680
-
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe68⤵PID:1264
-
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe69⤵PID:1540
-
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe70⤵PID:1920
-
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe71⤵PID:2408
-
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe72⤵PID:2072
-
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe73⤵PID:1524
-
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe74⤵PID:2844
-
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe75⤵PID:2668
-
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe76⤵PID:2368
-
C:\Windows\SysWOW64\Mgnfhlin.exeC:\Windows\system32\Mgnfhlin.exe77⤵PID:1604
-
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe78⤵PID:1968
-
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe79⤵PID:2136
-
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe80⤵
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe81⤵PID:2320
-
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe82⤵PID:2092
-
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe83⤵PID:1720
-
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1792 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe85⤵PID:2164
-
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe86⤵PID:1972
-
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe87⤵PID:2828
-
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe88⤵PID:2840
-
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe89⤵
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe90⤵PID:2920
-
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe91⤵PID:752
-
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe92⤵PID:1944
-
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe93⤵PID:2824
-
C:\Windows\SysWOW64\Nceclqan.exeC:\Windows\system32\Nceclqan.exe94⤵PID:2300
-
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe95⤵PID:692
-
C:\Windows\SysWOW64\Oqideepg.exeC:\Windows\system32\Oqideepg.exe96⤵PID:2988
-
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe97⤵PID:1436
-
C:\Windows\SysWOW64\Ofelmloo.exeC:\Windows\system32\Ofelmloo.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe99⤵
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe100⤵PID:892
-
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe101⤵PID:2344
-
C:\Windows\SysWOW64\Ojcecjee.exeC:\Windows\system32\Ojcecjee.exe102⤵PID:2684
-
C:\Windows\SysWOW64\Ohfeog32.exeC:\Windows\system32\Ohfeog32.exe103⤵PID:2632
-
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe104⤵PID:2612
-
C:\Windows\SysWOW64\Ofjfhk32.exeC:\Windows\system32\Ofjfhk32.exe105⤵PID:1680
-
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe106⤵
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Oobjaqaj.exeC:\Windows\system32\Oobjaqaj.exe107⤵PID:2036
-
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe108⤵PID:2360
-
C:\Windows\SysWOW64\Odobjg32.exeC:\Windows\system32\Odobjg32.exe109⤵PID:1348
-
C:\Windows\SysWOW64\Obcccl32.exeC:\Windows\system32\Obcccl32.exe110⤵PID:2248
-
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe111⤵PID:1696
-
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe112⤵PID:2128
-
C:\Windows\SysWOW64\Pedleg32.exeC:\Windows\system32\Pedleg32.exe113⤵PID:236
-
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe114⤵PID:1240
-
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe115⤵
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe116⤵PID:2604
-
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1788 -
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe118⤵PID:1212
-
C:\Windows\SysWOW64\Peiepfgg.exeC:\Windows\system32\Peiepfgg.exe119⤵PID:2524
-
C:\Windows\SysWOW64\Pfjbgnme.exeC:\Windows\system32\Pfjbgnme.exe120⤵PID:2820
-
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe121⤵PID:2536
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-