Analysis
-
max time kernel
140s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
14-05-2024 21:39
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
5143ff9fb03821881e29547327ba724dc50ae6312c380006d94f1b9f7fd9db31.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
5143ff9fb03821881e29547327ba724dc50ae6312c380006d94f1b9f7fd9db31.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
5143ff9fb03821881e29547327ba724dc50ae6312c380006d94f1b9f7fd9db31.exe
-
Size
128KB
-
MD5
02e4ac2444d67826f44e18ac0af1dd21
-
SHA1
6fa4feac322e899f7ae2cd90f81714a7fa3c68ef
-
SHA256
5143ff9fb03821881e29547327ba724dc50ae6312c380006d94f1b9f7fd9db31
-
SHA512
990f2fb12bbeafeb2f8653c88c88dc6d113113186fb3d3e321ee085639d74aa7352822a0e20474afba66f5deb5edb82d12ad10efe8b205f5a040012b86e11974
-
SSDEEP
3072:5d5umcdwP7PoTF2nD4g8gr5exUEdmjRrz3TIUV4BKi:A7dsPX43YMGEdGTBI
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihpfgalh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knmdeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nlefhcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omioekbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooabmbbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjamgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdakniag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bejfao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfbcidmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iiqldc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhdggom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkdemk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlafkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oalhqohl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqgmfkhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pegqpacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdklfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hqnapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Agglbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baefnmml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dihmpinj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Poklngnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gonale32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coicfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcdkef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emdeok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndhlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgehno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbdjcffd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Llbqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Paknelgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plgolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hbdjcffd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmdbnnlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obgkpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkklhjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qiioon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Npdhaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpnladjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jibnop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiljam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mobfgdcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gneijien.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbblda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klfjpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hblgnkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cinafkkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbffoabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkahgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngdjaofc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefqdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aflfjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehkhaqpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhfnkqgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qngopb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfejjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iflmjihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbagipfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gkalhgfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmhkin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iakino32.exe -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral1/files/0x0009000000016c90-5.dat UPX behavioral1/files/0x0008000000016d4a-20.dat UPX behavioral1/files/0x0009000000016d55-34.dat UPX behavioral1/files/0x0007000000018b42-47.dat UPX behavioral1/files/0x00050000000194f2-60.dat UPX behavioral1/files/0x000500000001950c-73.dat UPX behavioral1/files/0x0005000000019547-86.dat UPX behavioral1/files/0x000500000001959c-100.dat UPX behavioral1/files/0x0009000000016d24-113.dat UPX behavioral1/files/0x00050000000195a4-125.dat UPX behavioral1/files/0x00050000000195a7-135.dat UPX behavioral1/files/0x00050000000195a9-153.dat UPX behavioral1/files/0x00050000000195ba-166.dat UPX behavioral1/files/0x0005000000019646-181.dat UPX behavioral1/files/0x000500000001996e-194.dat UPX behavioral1/files/0x0005000000019bd7-207.dat UPX behavioral1/files/0x0005000000019ce6-233.dat UPX behavioral1/files/0x0005000000019d59-243.dat UPX behavioral1/files/0x0005000000019f60-250.dat UPX behavioral1/files/0x0005000000019bef-223.dat UPX behavioral1/files/0x000500000001a013-260.dat UPX behavioral1/files/0x000500000001a2d0-269.dat UPX behavioral1/files/0x000500000001a3c8-291.dat UPX behavioral1/files/0x000500000001a3c2-282.dat UPX behavioral1/files/0x000500000001a3d4-301.dat UPX behavioral1/memory/2076-348-0x0000000000300000-0x0000000000333000-memory.dmp UPX behavioral1/files/0x000500000001a447-356.dat UPX behavioral1/files/0x000500000001a44b-369.dat UPX behavioral1/files/0x000500000001a44f-378.dat UPX behavioral1/files/0x000500000001a443-345.dat UPX behavioral1/files/0x000500000001a453-389.dat UPX behavioral1/files/0x000500000001a457-400.dat UPX behavioral1/files/0x000500000001a45b-412.dat UPX behavioral1/files/0x000500000001a45f-422.dat UPX behavioral1/files/0x000500000001a463-434.dat UPX behavioral1/files/0x000500000001a470-468.dat UPX behavioral1/files/0x000500000001a474-479.dat UPX behavioral1/files/0x000500000001a479-489.dat UPX behavioral1/files/0x000500000001a46c-457.dat UPX behavioral1/files/0x000500000001a47d-502.dat UPX behavioral1/files/0x000500000001a467-444.dat UPX behavioral1/files/0x000500000001a484-511.dat UPX behavioral1/files/0x000500000001a489-521.dat UPX behavioral1/files/0x000500000001a43b-333.dat UPX behavioral1/files/0x000500000001a543-532.dat UPX behavioral1/files/0x000500000001a431-325.dat UPX behavioral1/files/0x000500000001a429-312.dat UPX behavioral1/files/0x000500000001ad1c-541.dat UPX behavioral1/files/0x000500000001c288-553.dat UPX behavioral1/files/0x000500000001c6d5-563.dat UPX behavioral1/files/0x000500000001c71e-573.dat UPX behavioral1/files/0x000500000001c78b-582.dat UPX behavioral1/files/0x000500000001c82d-593.dat UPX behavioral1/files/0x000500000001c832-603.dat UPX behavioral1/files/0x000500000001c837-614.dat UPX behavioral1/files/0x000500000001c83b-628.dat UPX behavioral1/files/0x000500000001c83f-638.dat UPX behavioral1/files/0x000500000001c843-648.dat UPX behavioral1/files/0x000500000001c847-658.dat UPX behavioral1/files/0x000500000001c84b-670.dat UPX behavioral1/files/0x000500000001c84f-683.dat UPX behavioral1/files/0x000500000001c853-695.dat UPX behavioral1/files/0x000500000001c857-708.dat UPX behavioral1/files/0x000500000001c85d-722.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 2308 Lgoboc32.exe 2880 Mjpkqonj.exe 2908 Miehak32.exe 2916 Melifl32.exe 2632 Mpamde32.exe 2500 Maefamlh.exe 2624 Nagbgl32.exe 2392 Ndhlhg32.exe 2848 Njdqka32.exe 1944 Npaich32.exe 1264 Nlhjhi32.exe 2000 Noffdd32.exe 1872 Oiljam32.exe 768 Obgkpb32.exe 1332 Olophhjd.exe 3068 Oalhqohl.exe 2484 Oanefo32.exe 2664 Okgjodmi.exe 868 Ppcbgkka.exe 824 Pkifdd32.exe 1516 Pdakniag.exe 2736 Plmpblnb.exe 1748 Poklngnf.exe 1852 Ppkhhjei.exe 3012 Pegqpacp.exe 1168 Panaeb32.exe 1740 Qnebjc32.exe 2076 Qhjfgl32.exe 1612 Qngopb32.exe 1560 Ajnpecbj.exe 2928 Anlhkbhq.exe 3040 Aciqcifh.exe 2612 Amaelomh.exe 2508 Ajeeeblb.exe 2416 Aflfjc32.exe 1676 Bbbgod32.exe 2876 Bkklhjnk.exe 1044 Biolanld.exe 1340 Boidnh32.exe 1696 Bgdibkam.exe 1644 Behilopf.exe 936 Bejfao32.exe 588 Cnckjddd.exe 2720 Cjjkpe32.exe 2704 Ccbphk32.exe 2716 Cmjdaqgi.exe 852 Ccdmnj32.exe 1500 Ddblgn32.exe 2012 Dphmloih.exe 880 Dknajh32.exe 736 Dpkibo32.exe 2020 Dbifnj32.exe 2176 Elajgpmj.exe 2108 Edibhmml.exe 2304 Eejopecj.exe 2912 Eldglp32.exe 2832 Egikjh32.exe 2536 Ehkhaqpk.exe 2580 Eeohkeoe.exe 2520 Eklqcl32.exe 2556 Eeaepd32.exe 828 Eoiiijcc.exe 2384 Eecafd32.exe 1732 Folfoj32.exe -
Loads dropped DLL 64 IoCs
pid Process 1640 5143ff9fb03821881e29547327ba724dc50ae6312c380006d94f1b9f7fd9db31.exe 1640 5143ff9fb03821881e29547327ba724dc50ae6312c380006d94f1b9f7fd9db31.exe 2308 Lgoboc32.exe 2308 Lgoboc32.exe 2880 Mjpkqonj.exe 2880 Mjpkqonj.exe 2908 Miehak32.exe 2908 Miehak32.exe 2916 Melifl32.exe 2916 Melifl32.exe 2632 Mpamde32.exe 2632 Mpamde32.exe 2500 Maefamlh.exe 2500 Maefamlh.exe 2624 Nagbgl32.exe 2624 Nagbgl32.exe 2392 Ndhlhg32.exe 2392 Ndhlhg32.exe 2848 Njdqka32.exe 2848 Njdqka32.exe 1944 Npaich32.exe 1944 Npaich32.exe 1264 Nlhjhi32.exe 1264 Nlhjhi32.exe 2000 Noffdd32.exe 2000 Noffdd32.exe 1872 Oiljam32.exe 1872 Oiljam32.exe 768 Obgkpb32.exe 768 Obgkpb32.exe 1332 Olophhjd.exe 1332 Olophhjd.exe 3068 Oalhqohl.exe 3068 Oalhqohl.exe 2484 Oanefo32.exe 2484 Oanefo32.exe 2664 Okgjodmi.exe 2664 Okgjodmi.exe 868 Ppcbgkka.exe 868 Ppcbgkka.exe 824 Pkifdd32.exe 824 Pkifdd32.exe 1516 Pdakniag.exe 1516 Pdakniag.exe 2736 Plmpblnb.exe 2736 Plmpblnb.exe 1748 Poklngnf.exe 1748 Poklngnf.exe 1852 Ppkhhjei.exe 1852 Ppkhhjei.exe 3012 Pegqpacp.exe 3012 Pegqpacp.exe 1168 Panaeb32.exe 1168 Panaeb32.exe 1740 Qnebjc32.exe 1740 Qnebjc32.exe 2076 Qhjfgl32.exe 2076 Qhjfgl32.exe 1612 Qngopb32.exe 1612 Qngopb32.exe 1560 Ajnpecbj.exe 1560 Ajnpecbj.exe 2928 Anlhkbhq.exe 2928 Anlhkbhq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cbblda32.exe Ckhdggom.exe File created C:\Windows\SysWOW64\Fpnehm32.dll Bcpimq32.exe File opened for modification C:\Windows\SysWOW64\Mpamde32.exe Melifl32.exe File created C:\Windows\SysWOW64\Qqmfpqmc.dll Pmkhjncg.exe File created C:\Windows\SysWOW64\Eibkmp32.dll Paknelgk.exe File opened for modification C:\Windows\SysWOW64\Eejopecj.exe Edibhmml.exe File opened for modification C:\Windows\SysWOW64\Jedcpi32.exe Jlkngc32.exe File opened for modification C:\Windows\SysWOW64\Bdkhjgeh.exe Bkbdabog.exe File created C:\Windows\SysWOW64\Ehkhaqpk.exe Egikjh32.exe File created C:\Windows\SysWOW64\Gmpcgace.exe Gfejjgli.exe File opened for modification C:\Windows\SysWOW64\Kdpfadlm.exe Kkgahoel.exe File opened for modification C:\Windows\SysWOW64\Qlgkki32.exe Qiioon32.exe File opened for modification C:\Windows\SysWOW64\Cinafkkd.exe Cbdiia32.exe File created C:\Windows\SysWOW64\Aognbnkm.exe Adaiee32.exe File created C:\Windows\SysWOW64\Ekliqn32.dll Gcgqgd32.exe File created C:\Windows\SysWOW64\Ljnfmlph.dll Jfjolf32.exe File created C:\Windows\SysWOW64\Dljdnm32.dll Koaqcn32.exe File created C:\Windows\SysWOW64\Obhdcanc.exe Omklkkpl.exe File created C:\Windows\SysWOW64\Olpilg32.exe Obhdcanc.exe File created C:\Windows\SysWOW64\Nefdpjkl.exe Npjlhcmd.exe File created C:\Windows\SysWOW64\Amaelomh.exe Aciqcifh.exe File created C:\Windows\SysWOW64\Iamdkfnc.exe Idicbbpi.exe File created C:\Windows\SysWOW64\Cfnmapnj.dll Mbcoio32.exe File opened for modification C:\Windows\SysWOW64\Ikgkei32.exe Hclfag32.exe File opened for modification C:\Windows\SysWOW64\Pbagipfi.exe Plgolf32.exe File created C:\Windows\SysWOW64\Flclam32.exe Fgfdie32.exe File created C:\Windows\SysWOW64\Hmmdin32.exe Hdbpekam.exe File created C:\Windows\SysWOW64\Qjdaldla.dll Ldbofgme.exe File created C:\Windows\SysWOW64\Looghene.dll Jbpfnh32.exe File created C:\Windows\SysWOW64\Difqji32.exe Dpnladjl.exe File created C:\Windows\SysWOW64\Njdqka32.exe Ndhlhg32.exe File created C:\Windows\SysWOW64\Oalhqohl.exe Olophhjd.exe File opened for modification C:\Windows\SysWOW64\Giipab32.exe Gifclb32.exe File created C:\Windows\SysWOW64\Ipbgkbdb.dll Maefamlh.exe File created C:\Windows\SysWOW64\Pbagipfi.exe Plgolf32.exe File opened for modification C:\Windows\SysWOW64\Aakjdo32.exe Acfmcc32.exe File opened for modification C:\Windows\SysWOW64\Dmmpolof.exe Dcdkef32.exe File created C:\Windows\SysWOW64\Qndhjl32.dll Epbbkf32.exe File created C:\Windows\SysWOW64\Ppcbgkka.exe Okgjodmi.exe File created C:\Windows\SysWOW64\Eiapeffl.dll Omioekbo.exe File created C:\Windows\SysWOW64\Opqoge32.exe Oekjjl32.exe File opened for modification C:\Windows\SysWOW64\Hgpjhn32.exe Hnheohcl.exe File created C:\Windows\SysWOW64\Jndape32.dll Hblgnkdh.exe File opened for modification C:\Windows\SysWOW64\Hmlkfo32.exe Hfbcidmk.exe File opened for modification C:\Windows\SysWOW64\Jibnop32.exe Jmkmjoec.exe File opened for modification C:\Windows\SysWOW64\Ihpfgalh.exe Iafnjg32.exe File created C:\Windows\SysWOW64\Kmhnlgkg.dll Akcomepg.exe File created C:\Windows\SysWOW64\Bgcbhd32.exe Bqgmfkhg.exe File created C:\Windows\SysWOW64\Lalcbnjb.dll Eopphehb.exe File created C:\Windows\SysWOW64\Jkofeknc.dll Mjpkqonj.exe File created C:\Windows\SysWOW64\Plibla32.dll Olophhjd.exe File created C:\Windows\SysWOW64\Qnebjc32.exe Panaeb32.exe File opened for modification C:\Windows\SysWOW64\Igoomk32.exe Iaegpaao.exe File created C:\Windows\SysWOW64\Bnochnpm.exe Bhbkpgbf.exe File created C:\Windows\SysWOW64\Alelkg32.dll Difqji32.exe File created C:\Windows\SysWOW64\Ehpcehcj.exe Ebckmaec.exe File opened for modification C:\Windows\SysWOW64\Gonale32.exe Gcgqgd32.exe File created C:\Windows\SysWOW64\Mpamde32.exe Melifl32.exe File created C:\Windows\SysWOW64\Pefqie32.dll Dbifnj32.exe File opened for modification C:\Windows\SysWOW64\Hkahgk32.exe Hegpjaac.exe File created C:\Windows\SysWOW64\Ikmpacaf.dll Ehkhaqpk.exe File created C:\Windows\SysWOW64\Ihnijmcj.dll Knmdeioh.exe File created C:\Windows\SysWOW64\Mdhpmg32.dll Paiaplin.exe File created C:\Windows\SysWOW64\Cjehmbkc.dll Hifpke32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5080 5056 WerFault.exe 371 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Npaich32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qeppdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elbafomj.dll" Qoeamo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkhdaei.dll" Gmhkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbfilffm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehkhaqpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jliaac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jkchmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cchbgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Flclam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aflfjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mbcoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcfahenq.dll" Adaiee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncadjah.dll" Hffibceh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ccbphk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcecbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfjbh32.dll" Fhljkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oanefo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlkmc32.dll" Ccbphk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmjebjg.dll" Llbqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Addfkeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nagbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eecafd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jedcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabalojc.dll" Knkgpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knmdeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qiioon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oabkom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll" Cenljmgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okmjae32.dll" Ppinkcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lldmleam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oekjjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pebpkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejilio32.dll" Obgnhkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Phfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fnacpffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcchb32.dll" Nmfbpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dcghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkkcoogp.dll" Njdqka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oalhqohl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplpbjee.dll" Iafnjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlefhcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gqlhkofn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Momfan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Goiehm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecinnn32.dll" Pbagipfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dnhbmpkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jfjolf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} 5143ff9fb03821881e29547327ba724dc50ae6312c380006d94f1b9f7fd9db31.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bknlaikf.dll" Bbbgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hblgnkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fooembgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qlgkki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Foahmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hkdemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggkja32.dll" Odkgec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojacgdmh.dll" Ghbljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoka32.dll" Khjgel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obgkpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ppkhhjei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Joidhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kijkje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lnecigcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mmccqbpm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1640 wrote to memory of 2308 1640 5143ff9fb03821881e29547327ba724dc50ae6312c380006d94f1b9f7fd9db31.exe 28 PID 1640 wrote to memory of 2308 1640 5143ff9fb03821881e29547327ba724dc50ae6312c380006d94f1b9f7fd9db31.exe 28 PID 1640 wrote to memory of 2308 1640 5143ff9fb03821881e29547327ba724dc50ae6312c380006d94f1b9f7fd9db31.exe 28 PID 1640 wrote to memory of 2308 1640 5143ff9fb03821881e29547327ba724dc50ae6312c380006d94f1b9f7fd9db31.exe 28 PID 2308 wrote to memory of 2880 2308 Lgoboc32.exe 29 PID 2308 wrote to memory of 2880 2308 Lgoboc32.exe 29 PID 2308 wrote to memory of 2880 2308 Lgoboc32.exe 29 PID 2308 wrote to memory of 2880 2308 Lgoboc32.exe 29 PID 2880 wrote to memory of 2908 2880 Mjpkqonj.exe 30 PID 2880 wrote to memory of 2908 2880 Mjpkqonj.exe 30 PID 2880 wrote to memory of 2908 2880 Mjpkqonj.exe 30 PID 2880 wrote to memory of 2908 2880 Mjpkqonj.exe 30 PID 2908 wrote to memory of 2916 2908 Miehak32.exe 31 PID 2908 wrote to memory of 2916 2908 Miehak32.exe 31 PID 2908 wrote to memory of 2916 2908 Miehak32.exe 31 PID 2908 wrote to memory of 2916 2908 Miehak32.exe 31 PID 2916 wrote to memory of 2632 2916 Melifl32.exe 32 PID 2916 wrote to memory of 2632 2916 Melifl32.exe 32 PID 2916 wrote to memory of 2632 2916 Melifl32.exe 32 PID 2916 wrote to memory of 2632 2916 Melifl32.exe 32 PID 2632 wrote to memory of 2500 2632 Mpamde32.exe 33 PID 2632 wrote to memory of 2500 2632 Mpamde32.exe 33 PID 2632 wrote to memory of 2500 2632 Mpamde32.exe 33 PID 2632 wrote to memory of 2500 2632 Mpamde32.exe 33 PID 2500 wrote to memory of 2624 2500 Maefamlh.exe 34 PID 2500 wrote to memory of 2624 2500 Maefamlh.exe 34 PID 2500 wrote to memory of 2624 2500 Maefamlh.exe 34 PID 2500 wrote to memory of 2624 2500 Maefamlh.exe 34 PID 2624 wrote to memory of 2392 2624 Nagbgl32.exe 35 PID 2624 wrote to memory of 2392 2624 Nagbgl32.exe 35 PID 2624 wrote to memory of 2392 2624 Nagbgl32.exe 35 PID 2624 wrote to memory of 2392 2624 Nagbgl32.exe 35 PID 2392 wrote to memory of 2848 2392 Ndhlhg32.exe 36 PID 2392 wrote to memory of 2848 2392 Ndhlhg32.exe 36 PID 2392 wrote to memory of 2848 2392 Ndhlhg32.exe 36 PID 2392 wrote to memory of 2848 2392 Ndhlhg32.exe 36 PID 2848 wrote to memory of 1944 2848 Njdqka32.exe 37 PID 2848 wrote to memory of 1944 2848 Njdqka32.exe 37 PID 2848 wrote to memory of 1944 2848 Njdqka32.exe 37 PID 2848 wrote to memory of 1944 2848 Njdqka32.exe 37 PID 1944 wrote to memory of 1264 1944 Npaich32.exe 38 PID 1944 wrote to memory of 1264 1944 Npaich32.exe 38 PID 1944 wrote to memory of 1264 1944 Npaich32.exe 38 PID 1944 wrote to memory of 1264 1944 Npaich32.exe 38 PID 1264 wrote to memory of 2000 1264 Nlhjhi32.exe 39 PID 1264 wrote to memory of 2000 1264 Nlhjhi32.exe 39 PID 1264 wrote to memory of 2000 1264 Nlhjhi32.exe 39 PID 1264 wrote to memory of 2000 1264 Nlhjhi32.exe 39 PID 2000 wrote to memory of 1872 2000 Noffdd32.exe 40 PID 2000 wrote to memory of 1872 2000 Noffdd32.exe 40 PID 2000 wrote to memory of 1872 2000 Noffdd32.exe 40 PID 2000 wrote to memory of 1872 2000 Noffdd32.exe 40 PID 1872 wrote to memory of 768 1872 Oiljam32.exe 41 PID 1872 wrote to memory of 768 1872 Oiljam32.exe 41 PID 1872 wrote to memory of 768 1872 Oiljam32.exe 41 PID 1872 wrote to memory of 768 1872 Oiljam32.exe 41 PID 768 wrote to memory of 1332 768 Obgkpb32.exe 42 PID 768 wrote to memory of 1332 768 Obgkpb32.exe 42 PID 768 wrote to memory of 1332 768 Obgkpb32.exe 42 PID 768 wrote to memory of 1332 768 Obgkpb32.exe 42 PID 1332 wrote to memory of 3068 1332 Olophhjd.exe 43 PID 1332 wrote to memory of 3068 1332 Olophhjd.exe 43 PID 1332 wrote to memory of 3068 1332 Olophhjd.exe 43 PID 1332 wrote to memory of 3068 1332 Olophhjd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\5143ff9fb03821881e29547327ba724dc50ae6312c380006d94f1b9f7fd9db31.exe"C:\Users\Admin\AppData\Local\Temp\5143ff9fb03821881e29547327ba724dc50ae6312c380006d94f1b9f7fd9db31.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Melifl32.exeC:\Windows\system32\Melifl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Mpamde32.exeC:\Windows\system32\Mpamde32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:824 -
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Poklngnf.exeC:\Windows\system32\Poklngnf.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1168 -
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Qngopb32.exeC:\Windows\system32\Qngopb32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Amaelomh.exeC:\Windows\system32\Amaelomh.exe34⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe35⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Bbbgod32.exeC:\Windows\system32\Bbbgod32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe39⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe40⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe41⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe42⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe44⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Cjjkpe32.exeC:\Windows\system32\Cjjkpe32.exe45⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe47⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe48⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe49⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Dphmloih.exeC:\Windows\system32\Dphmloih.exe50⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Dknajh32.exeC:\Windows\system32\Dknajh32.exe51⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Dpkibo32.exeC:\Windows\system32\Dpkibo32.exe52⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe54⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Eejopecj.exeC:\Windows\system32\Eejopecj.exe56⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe57⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Eeohkeoe.exeC:\Windows\system32\Eeohkeoe.exe60⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe61⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe62⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe63⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Eecafd32.exeC:\Windows\system32\Eecafd32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe65⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe66⤵PID:1788
-
C:\Windows\SysWOW64\Fnacpffh.exeC:\Windows\system32\Fnacpffh.exe67⤵
- Modifies registry class
PID:548 -
C:\Windows\SysWOW64\Fgigil32.exeC:\Windows\system32\Fgigil32.exe68⤵PID:2560
-
C:\Windows\SysWOW64\Fqalaa32.exeC:\Windows\system32\Fqalaa32.exe69⤵PID:1504
-
C:\Windows\SysWOW64\Ffodjh32.exeC:\Windows\system32\Ffodjh32.exe70⤵PID:2348
-
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe71⤵PID:1028
-
C:\Windows\SysWOW64\Ffaaoh32.exeC:\Windows\system32\Ffaaoh32.exe72⤵PID:1768
-
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe73⤵
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe74⤵PID:888
-
C:\Windows\SysWOW64\Gfejjgli.exeC:\Windows\system32\Gfejjgli.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Gmpcgace.exeC:\Windows\system32\Gmpcgace.exe76⤵PID:1508
-
C:\Windows\SysWOW64\Gifclb32.exeC:\Windows\system32\Gifclb32.exe77⤵
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe78⤵PID:2608
-
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2512 -
C:\Windows\SysWOW64\Gcbabpcf.exeC:\Windows\system32\Gcbabpcf.exe80⤵PID:2768
-
C:\Windows\SysWOW64\Hnheohcl.exeC:\Windows\system32\Hnheohcl.exe81⤵
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Hgpjhn32.exeC:\Windows\system32\Hgpjhn32.exe82⤵PID:2360
-
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe83⤵PID:1192
-
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe84⤵PID:2220
-
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe85⤵PID:804
-
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Hifpke32.exeC:\Windows\system32\Hifpke32.exe87⤵
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe88⤵PID:2828
-
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1796 -
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe90⤵PID:2480
-
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2708 -
C:\Windows\SysWOW64\Ibejdjln.exeC:\Windows\system32\Ibejdjln.exe93⤵PID:2212
-
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe94⤵PID:928
-
C:\Windows\SysWOW64\Imokehhl.exeC:\Windows\system32\Imokehhl.exe95⤵PID:2968
-
C:\Windows\SysWOW64\Idicbbpi.exeC:\Windows\system32\Idicbbpi.exe96⤵
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe97⤵PID:2096
-
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe98⤵PID:2532
-
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe99⤵PID:2604
-
C:\Windows\SysWOW64\Jliaac32.exeC:\Windows\system32\Jliaac32.exe100⤵
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Jeafjiop.exeC:\Windows\system32\Jeafjiop.exe101⤵PID:2856
-
C:\Windows\SysWOW64\Jlkngc32.exeC:\Windows\system32\Jlkngc32.exe102⤵
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Jedcpi32.exeC:\Windows\system32\Jedcpi32.exe103⤵
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Jlnklcej.exeC:\Windows\system32\Jlnklcej.exe104⤵PID:1780
-
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe105⤵PID:1136
-
C:\Windows\SysWOW64\Jkchmo32.exeC:\Windows\system32\Jkchmo32.exe106⤵
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:240 -
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe108⤵
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe109⤵PID:1912
-
C:\Windows\SysWOW64\Kkgahoel.exeC:\Windows\system32\Kkgahoel.exe110⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe111⤵PID:2836
-
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe112⤵PID:2660
-
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe113⤵
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe114⤵
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Kgclio32.exeC:\Windows\system32\Kgclio32.exe115⤵PID:1124
-
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:592 -
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Lboiol32.exeC:\Windows\system32\Lboiol32.exe119⤵PID:1804
-
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe120⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Lbafdlod.exeC:\Windows\system32\Lbafdlod.exe121⤵PID:3060
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-