Analysis
-
max time kernel
146s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
14/06/2024, 01:23
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c.exe
Resource
win7-20240611-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c.exe
-
Size
136KB
-
MD5
a571d4b5c9b9c322294b0b0629693b18
-
SHA1
7a7601cea73930fd8e557c6b57d124eddf1b24bd
-
SHA256
912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c
-
SHA512
7f09930f234b977a4a888113455c486cdab97d2a015349db6ae4814c5c17faddb2d108c8ebfd755e4abea62897fad531a5660e454164e73a58fb475ae1c5cf31
-
SSDEEP
3072:Ps29SHQWaovdoFXv1IOxXBqi/mjRrz3OT:Pr8HQWldoFjqi/GOT
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlgefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eecqjpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmhmpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgljbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnbhek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alhjai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdhhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Feeiob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glfhll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkppbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncjqhmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmkfei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Magnek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngkmnacm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlgefh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccfhhffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Piphee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckccgane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Piblek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppoqge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bloqah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lahkigca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgclfje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pabjem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emcbkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcfkfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mppepcfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhbped32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceclqan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbllihbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nglfapnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aigaon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgknheej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnojdcfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmafennb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emhlfmgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lliflp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obojhlbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahdaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oicpfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbdocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkclhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdneebf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjhknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Libgjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meigpkka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfkpdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpfhcje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najdnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckignd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofbfdmeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Admemg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhkpmjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adpkee32.exe -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral1/files/0x000500000000b309-5.dat UPX behavioral1/files/0x001b0000000146f3-27.dat UPX behavioral1/files/0x000700000001470e-32.dat UPX behavioral1/files/0x0007000000015ccd-47.dat UPX behavioral1/files/0x0006000000016d2e-58.dat UPX behavioral1/files/0x0006000000016d51-71.dat UPX behavioral1/files/0x0006000000016d7f-84.dat UPX behavioral1/files/0x0006000000016d97-99.dat UPX behavioral1/files/0x0006000000016da9-110.dat UPX behavioral1/files/0x0006000000017077-125.dat UPX behavioral1/files/0x00060000000173b3-137.dat UPX behavioral1/files/0x000600000001753d-150.dat UPX behavioral1/files/0x000d00000001863a-163.dat UPX behavioral1/files/0x00050000000186d6-176.dat UPX behavioral1/files/0x00050000000186ea-189.dat UPX behavioral1/files/0x000500000001875e-203.dat UPX behavioral1/files/0x000500000001877a-217.dat UPX behavioral1/files/0x0006000000018b9f-227.dat UPX behavioral1/files/0x0006000000019006-239.dat UPX behavioral1/files/0x0005000000019257-246.dat UPX behavioral1/files/0x0005000000019346-256.dat UPX behavioral1/files/0x00560000000146dc-263.dat UPX behavioral1/files/0x00050000000193f1-275.dat UPX behavioral1/files/0x0005000000019427-287.dat UPX behavioral1/files/0x0005000000019439-297.dat UPX behavioral1/files/0x0005000000019494-309.dat UPX behavioral1/files/0x000500000001950e-320.dat UPX behavioral1/files/0x00050000000195c8-331.dat UPX behavioral1/files/0x00050000000195f5-337.dat UPX behavioral1/files/0x00050000000195fb-351.dat UPX behavioral1/files/0x0005000000019601-361.dat UPX behavioral1/files/0x0005000000019605-374.dat UPX behavioral1/files/0x0005000000019607-383.dat UPX behavioral1/files/0x0005000000019609-394.dat UPX behavioral1/files/0x000500000001960d-404.dat UPX behavioral1/files/0x0005000000019611-413.dat UPX behavioral1/files/0x000500000001968a-424.dat UPX behavioral1/files/0x000500000001977f-437.dat UPX behavioral1/files/0x0005000000019833-446.dat UPX behavioral1/files/0x00050000000199bb-457.dat UPX behavioral1/files/0x0005000000019c32-468.dat UPX behavioral1/files/0x0005000000019c92-479.dat UPX behavioral1/files/0x0005000000019d9b-489.dat UPX behavioral1/files/0x0005000000019ed8-501.dat UPX behavioral1/files/0x000500000001a018-512.dat UPX behavioral1/files/0x000500000001a083-525.dat UPX behavioral1/files/0x000500000001a335-535.dat UPX behavioral1/files/0x000500000001a431-550.dat UPX behavioral1/files/0x000500000001a439-561.dat UPX behavioral1/files/0x000500000001a441-573.dat UPX behavioral1/files/0x000500000001a48e-585.dat UPX behavioral1/files/0x000500000001a49f-595.dat UPX behavioral1/files/0x000500000001a4ab-606.dat UPX behavioral1/files/0x000500000001a4b3-617.dat UPX behavioral1/files/0x000500000001a4b7-628.dat UPX behavioral1/files/0x000500000001a4bb-637.dat UPX behavioral1/files/0x000500000001a4bf-647.dat UPX behavioral1/files/0x000500000001a4c3-659.dat UPX behavioral1/files/0x000500000001a4c8-669.dat UPX behavioral1/files/0x000500000001a4cc-683.dat UPX behavioral1/files/0x000500000001a4d0-691.dat UPX behavioral1/files/0x000500000001a4d5-702.dat UPX behavioral1/files/0x000500000001a4d9-712.dat UPX behavioral1/files/0x000500000001a4e0-723.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 3048 Limmokib.exe 2656 Lpgele32.exe 2700 Lbfahp32.exe 2664 Lmkfei32.exe 2684 Ldenbcge.exe 2568 Lgdjnofi.exe 2352 Libgjj32.exe 2588 Loooca32.exe 2348 Meigpkka.exe 2360 Mhgclfje.exe 2000 Mcmhiojk.exe 952 Migpeiag.exe 1644 Mochnppo.exe 1508 Menakj32.exe 2056 Mkjica32.exe 888 Mepnpj32.exe 556 Mhnjle32.exe 1748 Mohbip32.exe 2068 Magnek32.exe 328 Mdejaf32.exe 884 Njbcim32.exe 1820 Naikkk32.exe 1604 Naikkk32.exe 920 Ngfcca32.exe 2504 Nnplpl32.exe 2120 Npnhlg32.exe 1092 Nfkpdn32.exe 3036 Nnbhek32.exe 1512 Ncoamb32.exe 2044 Ngkmnacm.exe 2744 Nlgefh32.exe 2096 Nqcagfim.exe 1096 Njkfpl32.exe 2564 Nhnfkigh.exe 3012 Nccjhafn.exe 2840 Nbfjdn32.exe 3004 Ofbfdmeb.exe 956 Oojknblb.exe 496 Obigjnkf.exe 1904 Oicpfh32.exe 2616 Oomhcbjp.exe 1764 Oqndkj32.exe 1056 Oiellh32.exe 2940 Onbddoog.exe 236 Obnqem32.exe 1812 Ojieip32.exe 2144 Omgaek32.exe 1404 Oenifh32.exe 1824 Ofpfnqjp.exe 2032 Ojkboo32.exe 1940 Paejki32.exe 1352 Pccfge32.exe 1876 Pgobhcac.exe 2640 Pjmodopf.exe 2756 Pmlkpjpj.exe 2796 Ppjglfon.exe 2876 Piblek32.exe 2580 Plahag32.exe 3028 Pchpbded.exe 2900 Peiljl32.exe 1448 Piehkkcl.exe 2008 Ppoqge32.exe 1920 Pnbacbac.exe 2024 Pfiidobe.exe -
Loads dropped DLL 64 IoCs
pid Process 2988 912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c.exe 2988 912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c.exe 3048 Limmokib.exe 3048 Limmokib.exe 2656 Lpgele32.exe 2656 Lpgele32.exe 2700 Lbfahp32.exe 2700 Lbfahp32.exe 2664 Lmkfei32.exe 2664 Lmkfei32.exe 2684 Ldenbcge.exe 2684 Ldenbcge.exe 2568 Lgdjnofi.exe 2568 Lgdjnofi.exe 2352 Libgjj32.exe 2352 Libgjj32.exe 2588 Loooca32.exe 2588 Loooca32.exe 2348 Meigpkka.exe 2348 Meigpkka.exe 2360 Mhgclfje.exe 2360 Mhgclfje.exe 2000 Mcmhiojk.exe 2000 Mcmhiojk.exe 952 Migpeiag.exe 952 Migpeiag.exe 1644 Mochnppo.exe 1644 Mochnppo.exe 1508 Menakj32.exe 1508 Menakj32.exe 2056 Mkjica32.exe 2056 Mkjica32.exe 888 Mepnpj32.exe 888 Mepnpj32.exe 556 Mhnjle32.exe 556 Mhnjle32.exe 1748 Mohbip32.exe 1748 Mohbip32.exe 2068 Magnek32.exe 2068 Magnek32.exe 328 Mdejaf32.exe 328 Mdejaf32.exe 884 Njbcim32.exe 884 Njbcim32.exe 1820 Naikkk32.exe 1820 Naikkk32.exe 1604 Naikkk32.exe 1604 Naikkk32.exe 920 Ngfcca32.exe 920 Ngfcca32.exe 2504 Nnplpl32.exe 2504 Nnplpl32.exe 2120 Npnhlg32.exe 2120 Npnhlg32.exe 1092 Nfkpdn32.exe 1092 Nfkpdn32.exe 3036 Nnbhek32.exe 3036 Nnbhek32.exe 1512 Ncoamb32.exe 1512 Ncoamb32.exe 2044 Ngkmnacm.exe 2044 Ngkmnacm.exe 2744 Nlgefh32.exe 2744 Nlgefh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jngohf32.dll Aalmklfi.exe File created C:\Windows\SysWOW64\Bifgdk32.exe Bghjhp32.exe File created C:\Windows\SysWOW64\Mhkdik32.dll Cnaocmmi.exe File created C:\Windows\SysWOW64\Eqdajkkb.exe Enfenplo.exe File created C:\Windows\SysWOW64\Kgcampld.dll Eeqdep32.exe File created C:\Windows\SysWOW64\Ckqfeoma.dll Lfjqnjkh.exe File created C:\Windows\SysWOW64\Lkppbl32.exe Lhbcfa32.exe File opened for modification C:\Windows\SysWOW64\Dcenlceh.exe Dknekeef.exe File created C:\Windows\SysWOW64\Alenki32.exe Aigaon32.exe File created C:\Windows\SysWOW64\Glpjaf32.dll Emeopn32.exe File created C:\Windows\SysWOW64\Gangic32.exe Gopkmhjk.exe File opened for modification C:\Windows\SysWOW64\Coelaaoi.exe Blgpef32.exe File opened for modification C:\Windows\SysWOW64\Bhfagipa.exe Begeknan.exe File created C:\Windows\SysWOW64\Djmccf32.dll Icpigm32.exe File created C:\Windows\SysWOW64\Bmkmdk32.exe Bjlqhoba.exe File created C:\Windows\SysWOW64\Opfdll32.dll Cjdfmo32.exe File opened for modification C:\Windows\SysWOW64\Bebkpn32.exe Bbdocc32.exe File created C:\Windows\SysWOW64\Fbgmbg32.exe Fphafl32.exe File created C:\Windows\SysWOW64\Iggkllpe.exe Idhopq32.exe File created C:\Windows\SysWOW64\Hhijaf32.dll Enakbp32.exe File opened for modification C:\Windows\SysWOW64\Aplifb32.exe Ahdaee32.exe File opened for modification C:\Windows\SysWOW64\Piblek32.exe Ppjglfon.exe File created C:\Windows\SysWOW64\Dqhhknjp.exe Djnpnc32.exe File created C:\Windows\SysWOW64\Ahpjhc32.dll Gejcjbah.exe File opened for modification C:\Windows\SysWOW64\Eecqjpee.exe Enihne32.exe File created C:\Windows\SysWOW64\Ljdjcj32.dll Jmhmpb32.exe File created C:\Windows\SysWOW64\Nhokkp32.dll Ccahbp32.exe File opened for modification C:\Windows\SysWOW64\Pndniaop.exe Ppamme32.exe File opened for modification C:\Windows\SysWOW64\Pogclp32.exe Pgplkb32.exe File created C:\Windows\SysWOW64\Eiomkn32.exe Eecqjpee.exe File created C:\Windows\SysWOW64\Gfhemi32.dll Ailkjmpo.exe File created C:\Windows\SysWOW64\Hpmgqnfl.exe Hnojdcfi.exe File created C:\Windows\SysWOW64\Jcgogk32.exe Jokcgmee.exe File created C:\Windows\SysWOW64\Jpbpbqda.dll Djbiicon.exe File opened for modification C:\Windows\SysWOW64\Djefobmk.exe Dfijnd32.exe File created C:\Windows\SysWOW64\Fpgiom32.dll Bdeeqehb.exe File created C:\Windows\SysWOW64\Bebkpn32.exe Bbdocc32.exe File created C:\Windows\SysWOW64\Okgnab32.exe Omdneebf.exe File opened for modification C:\Windows\SysWOW64\Fjgoce32.exe Fcmgfkeg.exe File created C:\Windows\SysWOW64\Khknah32.dll Fjaonpnn.exe File created C:\Windows\SysWOW64\Pfjbgnme.exe Pggbla32.exe File opened for modification C:\Windows\SysWOW64\Plahag32.exe Piblek32.exe File opened for modification C:\Windows\SysWOW64\Ccfhhffh.exe Cphlljge.exe File created C:\Windows\SysWOW64\Mppepcfg.exe Mmahdggc.exe File created C:\Windows\SysWOW64\Pgmkloid.dll Npfgpe32.exe File opened for modification C:\Windows\SysWOW64\Menakj32.exe Mochnppo.exe File created C:\Windows\SysWOW64\Qaefjm32.exe Qnfjna32.exe File created C:\Windows\SysWOW64\Abbbnchb.exe Apcfahio.exe File created C:\Windows\SysWOW64\Ahcfok32.dll Djnpnc32.exe File created C:\Windows\SysWOW64\Gokfbfnk.dll Nejiih32.exe File created C:\Windows\SysWOW64\Ooeggp32.exe Oikojfgk.exe File opened for modification C:\Windows\SysWOW64\Cgejac32.exe Chbjffad.exe File created C:\Windows\SysWOW64\Cgpgce32.exe Ccdlbf32.exe File created C:\Windows\SysWOW64\Hgilchkf.exe Hobcak32.exe File created C:\Windows\SysWOW64\Iknnbklc.exe Ihoafpmp.exe File opened for modification C:\Windows\SysWOW64\Ckccgane.exe Cdikkg32.exe File created C:\Windows\SysWOW64\Mdejaf32.exe Magnek32.exe File created C:\Windows\SysWOW64\Nejiih32.exe Nncahjgl.exe File opened for modification C:\Windows\SysWOW64\Oclilp32.exe Oqmmpd32.exe File opened for modification C:\Windows\SysWOW64\Npnhlg32.exe Nnplpl32.exe File opened for modification C:\Windows\SysWOW64\Pabjem32.exe Pndniaop.exe File created C:\Windows\SysWOW64\Bbdocc32.exe Boiccdnf.exe File created C:\Windows\SysWOW64\Icplghmh.dll Bbdocc32.exe File created C:\Windows\SysWOW64\Lblqijln.dll Ncjqhmkm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5964 5932 WerFault.exe 560 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Meigpkka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqmoql32.dll" Pndniaop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndejjf32.dll" Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeahel32.dll" Aenbdoii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmopod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbelkc32.dll" Fmjejphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll" Gddifnbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhkbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bghjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Keanebkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iakdqgfi.dll" Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmcnehn.dll" Iqalka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnmehnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffmipmp.dll" Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjhdo32.dll" Qnfjna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emcbkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhkpmjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ollfnfje.dll" Jqfffqpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkoginch.dll" Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gangic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kblhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhijaf32.dll" Enakbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Begeknan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmpcjge.dll" Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Facdeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icmlam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enfenplo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djbiicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Leajdfnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmccegik.dll" Ocnfbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Behnnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bidjnkdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bingpmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcdbbloa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jicgpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnmehnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecejkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhnijp32.dll" Idhopq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jknpfqoh.dll" Mihiih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cddfocpb.dll" Keanebkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgagbb32.dll" Mdpjlajk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolpjf32.dll" Pkndaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djklnnaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofbfdmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cndbcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbkhq32.dll" Jkbcln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbllihbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfjbgnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mepnpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gangic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll" Ghhofmql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcfkfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbhmnkjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdbhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkakief.dll" Efncicpm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2988 wrote to memory of 3048 2988 912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c.exe 28 PID 2988 wrote to memory of 3048 2988 912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c.exe 28 PID 2988 wrote to memory of 3048 2988 912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c.exe 28 PID 2988 wrote to memory of 3048 2988 912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c.exe 28 PID 3048 wrote to memory of 2656 3048 Limmokib.exe 29 PID 3048 wrote to memory of 2656 3048 Limmokib.exe 29 PID 3048 wrote to memory of 2656 3048 Limmokib.exe 29 PID 3048 wrote to memory of 2656 3048 Limmokib.exe 29 PID 2656 wrote to memory of 2700 2656 Lpgele32.exe 30 PID 2656 wrote to memory of 2700 2656 Lpgele32.exe 30 PID 2656 wrote to memory of 2700 2656 Lpgele32.exe 30 PID 2656 wrote to memory of 2700 2656 Lpgele32.exe 30 PID 2700 wrote to memory of 2664 2700 Lbfahp32.exe 31 PID 2700 wrote to memory of 2664 2700 Lbfahp32.exe 31 PID 2700 wrote to memory of 2664 2700 Lbfahp32.exe 31 PID 2700 wrote to memory of 2664 2700 Lbfahp32.exe 31 PID 2664 wrote to memory of 2684 2664 Lmkfei32.exe 32 PID 2664 wrote to memory of 2684 2664 Lmkfei32.exe 32 PID 2664 wrote to memory of 2684 2664 Lmkfei32.exe 32 PID 2664 wrote to memory of 2684 2664 Lmkfei32.exe 32 PID 2684 wrote to memory of 2568 2684 Ldenbcge.exe 33 PID 2684 wrote to memory of 2568 2684 Ldenbcge.exe 33 PID 2684 wrote to memory of 2568 2684 Ldenbcge.exe 33 PID 2684 wrote to memory of 2568 2684 Ldenbcge.exe 33 PID 2568 wrote to memory of 2352 2568 Lgdjnofi.exe 34 PID 2568 wrote to memory of 2352 2568 Lgdjnofi.exe 34 PID 2568 wrote to memory of 2352 2568 Lgdjnofi.exe 34 PID 2568 wrote to memory of 2352 2568 Lgdjnofi.exe 34 PID 2352 wrote to memory of 2588 2352 Libgjj32.exe 35 PID 2352 wrote to memory of 2588 2352 Libgjj32.exe 35 PID 2352 wrote to memory of 2588 2352 Libgjj32.exe 35 PID 2352 wrote to memory of 2588 2352 Libgjj32.exe 35 PID 2588 wrote to memory of 2348 2588 Loooca32.exe 36 PID 2588 wrote to memory of 2348 2588 Loooca32.exe 36 PID 2588 wrote to memory of 2348 2588 Loooca32.exe 36 PID 2588 wrote to memory of 2348 2588 Loooca32.exe 36 PID 2348 wrote to memory of 2360 2348 Meigpkka.exe 37 PID 2348 wrote to memory of 2360 2348 Meigpkka.exe 37 PID 2348 wrote to memory of 2360 2348 Meigpkka.exe 37 PID 2348 wrote to memory of 2360 2348 Meigpkka.exe 37 PID 2360 wrote to memory of 2000 2360 Mhgclfje.exe 38 PID 2360 wrote to memory of 2000 2360 Mhgclfje.exe 38 PID 2360 wrote to memory of 2000 2360 Mhgclfje.exe 38 PID 2360 wrote to memory of 2000 2360 Mhgclfje.exe 38 PID 2000 wrote to memory of 952 2000 Mcmhiojk.exe 39 PID 2000 wrote to memory of 952 2000 Mcmhiojk.exe 39 PID 2000 wrote to memory of 952 2000 Mcmhiojk.exe 39 PID 2000 wrote to memory of 952 2000 Mcmhiojk.exe 39 PID 952 wrote to memory of 1644 952 Migpeiag.exe 40 PID 952 wrote to memory of 1644 952 Migpeiag.exe 40 PID 952 wrote to memory of 1644 952 Migpeiag.exe 40 PID 952 wrote to memory of 1644 952 Migpeiag.exe 40 PID 1644 wrote to memory of 1508 1644 Mochnppo.exe 41 PID 1644 wrote to memory of 1508 1644 Mochnppo.exe 41 PID 1644 wrote to memory of 1508 1644 Mochnppo.exe 41 PID 1644 wrote to memory of 1508 1644 Mochnppo.exe 41 PID 1508 wrote to memory of 2056 1508 Menakj32.exe 42 PID 1508 wrote to memory of 2056 1508 Menakj32.exe 42 PID 1508 wrote to memory of 2056 1508 Menakj32.exe 42 PID 1508 wrote to memory of 2056 1508 Menakj32.exe 42 PID 2056 wrote to memory of 888 2056 Mkjica32.exe 43 PID 2056 wrote to memory of 888 2056 Mkjica32.exe 43 PID 2056 wrote to memory of 888 2056 Mkjica32.exe 43 PID 2056 wrote to memory of 888 2056 Mkjica32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c.exe"C:\Users\Admin\AppData\Local\Temp\912748f3a1461e4c4ad11acd90dcf6e8f9ed8045831ca2c5c3cbfe0fd40aa75c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:556 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:328 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1820 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:920 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1092 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1512 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe33⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe34⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe35⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe36⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe37⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe39⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe40⤵
- Executes dropped EXE
PID:496 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe42⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe43⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe44⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe45⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe46⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe47⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe48⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe49⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe50⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe51⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe52⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe53⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe54⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe55⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe56⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe59⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe60⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe61⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe62⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe64⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe65⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe66⤵PID:1628
-
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe67⤵
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1052 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe70⤵PID:1296
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe71⤵PID:1612
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe73⤵PID:1752
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe74⤵PID:2476
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe75⤵PID:2652
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe76⤵PID:2800
-
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe77⤵PID:2584
-
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe78⤵PID:2780
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe79⤵PID:2804
-
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe80⤵
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe81⤵PID:1884
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe82⤵PID:1536
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe83⤵PID:2436
-
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe84⤵PID:2404
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe85⤵
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe86⤵PID:2992
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe87⤵PID:2484
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe89⤵PID:1760
-
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2364 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2748 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe92⤵
- Modifies registry class
PID:1240 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3032 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe94⤵
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe95⤵PID:692
-
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe96⤵PID:1736
-
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe97⤵
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe98⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe100⤵PID:688
-
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe101⤵
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe102⤵PID:1640
-
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe103⤵PID:572
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe104⤵PID:2832
-
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2764 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2936 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe107⤵PID:2792
-
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe109⤵PID:2388
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe110⤵PID:1732
-
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe111⤵PID:1608
-
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe112⤵PID:2064
-
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe113⤵
- Modifies registry class
PID:1160 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe115⤵PID:1568
-
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe116⤵PID:900
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe117⤵PID:1968
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe119⤵PID:2548
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe120⤵PID:1980
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe121⤵
- Drops file in System32 directory
PID:2012
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-