Analysis

max time kernel: 151s
max time network: 125s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
submitted: 15-06-2024 23:44
Static task: static1

Behavioral task: behavioral1
Sample: 85be438cf3b733d4e561a32ac51eddd79128e7a70238235d87858e4ae56e8c8c.exe
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: 85be438cf3b733d4e561a32ac51eddd79128e7a70238235d87858e4ae56e8c8c.exe
Resource: win10v2004-20240508-en
General

Target: 85be438cf3b733d4e561a32ac51eddd79128e7a70238235d87858e4ae56e8c8c.exe
Size: 192KB
MD5: c944b8a93e7f5c37ff9086cee9ac50e0
SHA1: 030b6894dce44404e3eb443b4700fe44e0bd35da
SHA256: 85be438cf3b733d4e561a32ac51eddd79128e7a70238235d87858e4ae56e8c8c
SHA512: d9e15f2c16b9e3ec59a8a19fc9600e226f570d09bcb4181055d993027edd57356ceefb2edcada7eac7323b17769c28a7c61b9997ff0a5a21a7c45d82b948639b
SSDEEP: 1536:kJSVSY2P9InKJ3wBmsQU2vH6LWeEnouy8O6Nuf51TQmQM22OwJwTa58nFwWy0wtc:VSY2Vs0VlUiHVe0outkTy27zU
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Akdafn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cfnkmi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eelgcg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmlecinf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fdfmpc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iciopdca.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgfoie32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Illbhp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ihglhp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbnjhh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gneijien.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kljdkpfl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Clkicbfa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ciihklpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pnhjgj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cdnncfoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kohnoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lneaqn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dkgldm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kdnkdmec.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgcnahoo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Joblkegc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Khagijcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gmjcblbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pgpgjepk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Clmdmm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jhbold32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bckjhl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahchdb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdfahaaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ciqcmiei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gpkpedmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aigmnqgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Anneqafn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eppcmncq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dpjgifpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jjaimn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lneaqn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nenakoho.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oagoep32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nedhjj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgnkci32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkimpfmg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkidlk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fbgpkpnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gnbjlpom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pkcpei32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocpfkh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bkkgfm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhhfdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ghacfmic.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mobomnoq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njpihk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aadobccg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcemnopj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pcbncfjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bgcbhd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Flnlkgjq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jecnnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jkmeoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bedhgj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hhaanh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mjcjog32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmjaohol.exe
UPX dump on OEP (original entry point) (64 IoCs)

resource | yara_rule
behavioral1/files/0x000a000000012294-5.dat | UPX
behavioral1/files/0x00090000000142d0-18.dat | UPX
behavioral1/files/0x0007000000014453-31.dat | UPX
behavioral1/files/0x0008000000014497-48.dat | UPX
behavioral1/files/0x000d000000014161-58.dat | UPX
behavioral1/files/0x0006000000015602-72.dat | UPX
behavioral1/files/0x000600000001561c-85.dat | UPX
behavioral1/files/0x0006000000015c1c-98.dat | UPX
behavioral1/files/0x0006000000015c39-112.dat | UPX
behavioral1/files/0x0006000000015c60-125.dat | UPX
behavioral1/files/0x0006000000015c79-138.dat | UPX
behavioral1/files/0x0006000000015c91-158.dat | UPX
behavioral1/files/0x0006000000015cb2-173.dat | UPX
behavioral1/files/0x0006000000015cd2-178.dat | UPX
behavioral1/files/0x0006000000015cfc-194.dat | UPX
behavioral1/files/0x0006000000015e85-207.dat | UPX
behavioral1/files/0x0006000000016096-227.dat | UPX
behavioral1/files/0x0006000000016c07-266.dat | UPX
behavioral1/files/0x0006000000016c2a-275.dat | UPX
behavioral1/files/0x0006000000016c9d-284.dat | UPX
behavioral1/files/0x0006000000016cdc-295.dat | UPX
behavioral1/files/0x0006000000016cfe-318.dat | UPX
behavioral1/files/0x0006000000016cec-306.dat | UPX
behavioral1/files/0x0006000000016d0f-329.dat | UPX
behavioral1/files/0x0006000000016812-257.dat | UPX
behavioral1/files/0x000600000001657c-248.dat | UPX
behavioral1/files/0x00060000000162fd-238.dat | UPX
behavioral1/files/0x0006000000015f1f-220.dat | UPX
behavioral1/files/0x0006000000016d3c-337.dat | UPX
behavioral1/files/0x0006000000016d5b-348.dat | UPX
behavioral1/files/0x0006000000016d98-361.dat | UPX
behavioral1/files/0x001500000001861a-392.dat | UPX
behavioral1/files/0x00050000000186ce-403.dat | UPX
behavioral1/files/0x00050000000186e0-413.dat | UPX
behavioral1/files/0x000500000001872a-424.dat | UPX
behavioral1/files/0x0006000000018b21-435.dat | UPX
behavioral1/files/0x0006000000018b79-447.dat | UPX
behavioral1/files/0x0006000000018bf9-459.dat | UPX
behavioral1/files/0x000500000001921d-470.dat | UPX
behavioral1/files/0x0005000000019375-501.dat | UPX
behavioral1/files/0x000500000001942d-511.dat | UPX
behavioral1/files/0x0005000000019450-522.dat | UPX
behavioral1/files/0x0005000000019487-533.dat | UPX
behavioral1/files/0x00050000000194a6-542.dat | UPX
behavioral1/files/0x00050000000194af-556.dat | UPX
behavioral1/files/0x000500000001951d-566.dat | UPX
behavioral1/files/0x0005000000019548-578.dat | UPX
behavioral1/files/0x00050000000195be-589.dat | UPX
behavioral1/files/0x00050000000195c1-599.dat | UPX
behavioral1/files/0x00050000000195c4-611.dat | UPX
behavioral1/files/0x00050000000195c8-622.dat | UPX
behavioral1/files/0x00050000000195cc-630.dat | UPX
behavioral1/files/0x00050000000195d4-652.dat | UPX
behavioral1/files/0x00050000000195d0-643.dat | UPX
behavioral1/files/0x00050000000196c3-663.dat | UPX
behavioral1/files/0x000500000001933f-490.dat | UPX
behavioral1/files/0x00050000000192f9-479.dat | UPX
behavioral1/files/0x0005000000019763-674.dat | UPX
behavioral1/files/0x0005000000019c00-690.dat | UPX
behavioral1/files/0x0006000000017578-383.dat | UPX
behavioral1/files/0x0006000000017090-372.dat | UPX
behavioral1/files/0x0005000000019c05-700.dat | UPX
behavioral1/files/0x0005000000019d41-713.dat | UPX
behavioral1/files/0x0005000000019d79-725.dat | UPX
Executes dropped EXE (64 IoCs)

pid | Process
2416 | Kocbkk32.exe
2244 | Kmjojo32.exe
2724 | Kkolkk32.exe
2592 | Leimip32.exe
2816 | Lcojjmea.exe
2456 | Lgmcqkkh.exe
2952 | Laegiq32.exe
332 | Lmlhnagm.exe
2448 | Libicbma.exe
1356 | Mhhfdo32.exe
532 | Mapjmehi.exe
1916 | Mlfojn32.exe
1764 | Meppiblm.exe
1708 | Magqncba.exe
2800 | Naimccpo.exe
1536 | Ndjfeo32.exe
1908 | Nodgel32.exe
2788 | Nhllob32.exe
2328 | Nadpgggp.exe
1812 | Nkmdpm32.exe
1492 | Ohaeia32.exe
1032 | Ookmfk32.exe
1928 | Olonpp32.exe
580 | Oalfhf32.exe
2164 | Okdkal32.exe
3052 | Odlojanh.exe
2908 | Okfgfl32.exe
1728 | Pkidlk32.exe
2128 | Pfbelipa.exe
2964 | Pkfceo32.exe
2856 | Qbplbi32.exe
2260 | Qiladcdh.exe
2324 | Amnfnfgg.exe
2408 | Achojp32.exe
2536 | Aaloddnn.exe
776 | Ajecmj32.exe
320 | Aaolidlk.exe
936 | Ajgpbj32.exe
1952 | Abbeflpf.exe
2040 | Bnielm32.exe
1692 | Bhajdblk.exe
2936 | Bhdgjb32.exe
2864 | Bbikgk32.exe
2932 | Blaopqpo.exe
1204 | Bejdiffp.exe
1776 | Bfkpqn32.exe
2860 | Baadng32.exe
1964 | Chkmkacq.exe
1552 | Cdanpb32.exe
2400 | Cmjbhh32.exe
1932 | Cddjebgb.exe
996 | Ciqcmiei.exe
2196 | Clooiddm.exe
1520 | Chfpoeja.exe
2608 | Cejphiik.exe
2564 | Chhldeho.exe
2848 | Dobdqo32.exe
2460 | Delmmigh.exe
2944 | Dlfejcoe.exe
1996 | Dhmfod32.exe
1124 | Dognlnlf.exe
2000 | Dgbcpq32.exe
2672 | Dpjgifpa.exe
1588 | Dpmdofno.exe
Loads dropped DLL (64 IoCs)

pid | Process
2192 | 85be438cf3b733d4e561a32ac51eddd79128e7a70238235d87858e4ae56e8c8c.exe
2192 | 85be438cf3b733d4e561a32ac51eddd79128e7a70238235d87858e4ae56e8c8c.exe
2416 | Kocbkk32.exe
2416 | Kocbkk32.exe
2244 | Kmjojo32.exe
2244 | Kmjojo32.exe
2724 | Kkolkk32.exe
2724 | Kkolkk32.exe
2592 | Leimip32.exe
2592 | Leimip32.exe
2816 | Lcojjmea.exe
2816 | Lcojjmea.exe
2456 | Lgmcqkkh.exe
2456 | Lgmcqkkh.exe
2952 | Laegiq32.exe
2952 | Laegiq32.exe
332 | Lmlhnagm.exe
332 | Lmlhnagm.exe
2448 | Libicbma.exe
2448 | Libicbma.exe
1356 | Mhhfdo32.exe
1356 | Mhhfdo32.exe
532 | Mapjmehi.exe
532 | Mapjmehi.exe
1916 | Mlfojn32.exe
1916 | Mlfojn32.exe
1764 | Meppiblm.exe
1764 | Meppiblm.exe
1708 | Magqncba.exe
1708 | Magqncba.exe
2800 | Naimccpo.exe
2800 | Naimccpo.exe
1536 | Ndjfeo32.exe
1536 | Ndjfeo32.exe
1908 | Nodgel32.exe
1908 | Nodgel32.exe
2788 | Nhllob32.exe
2788 | Nhllob32.exe
2328 | Nadpgggp.exe
2328 | Nadpgggp.exe
1812 | Nkmdpm32.exe
1812 | Nkmdpm32.exe
1492 | Ohaeia32.exe
1492 | Ohaeia32.exe
1032 | Ookmfk32.exe
1032 | Ookmfk32.exe
1928 | Olonpp32.exe
1928 | Olonpp32.exe
580 | Oalfhf32.exe
580 | Oalfhf32.exe
2164 | Okdkal32.exe
2164 | Okdkal32.exe
3052 | Odlojanh.exe
3052 | Odlojanh.exe
2908 | Okfgfl32.exe
2908 | Okfgfl32.exe
1728 | Pkidlk32.exe
1728 | Pkidlk32.exe
2128 | Pfbelipa.exe
2128 | Pfbelipa.exe
2964 | Pkfceo32.exe
2964 | Pkfceo32.exe
2856 | Qbplbi32.exe
2856 | Qbplbi32.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Gmoqnhla.exe | Gfehan32.exe
File created | C:\Windows\SysWOW64\Kainfp32.dll | Aijbfo32.exe
File opened for modification | C:\Windows\SysWOW64\Lemdncoa.exe | Lifcib32.exe
File created | C:\Windows\SysWOW64\Bfjkphjd.exe | Aldfcpjn.exe
File created | C:\Windows\SysWOW64\Hmcfhkjg.exe | Hdkape32.exe
File created | C:\Windows\SysWOW64\Phploedo.dll | Kbaglpee.exe
File created | C:\Windows\SysWOW64\Legaoehg.exe | Kajiigba.exe
File created | C:\Windows\SysWOW64\Kcnhjgln.dll | Nbhkmg32.exe
File created | C:\Windows\SysWOW64\Bfdmobkp.dll | Mbpipp32.exe
File created | C:\Windows\SysWOW64\Cljoegei.dll | Lohccp32.exe
File created | C:\Windows\SysWOW64\Jcdadhjb.exe | Jkimpfmg.exe
File created | C:\Windows\SysWOW64\Pkhdcccf.dll | Edcqjc32.exe
File opened for modification | C:\Windows\SysWOW64\Qekbgbpf.exe | Pidaba32.exe
File created | C:\Windows\SysWOW64\Abbeflpf.exe | Ajgpbj32.exe
File created | C:\Windows\SysWOW64\Bggaoocn.dll | Bckjhl32.exe
File opened for modification | C:\Windows\SysWOW64\Dejbqb32.exe | Clbnhmjo.exe
File created | C:\Windows\SysWOW64\Kaajei32.exe | Kncaojfb.exe
File created | C:\Windows\SysWOW64\Dddnjc32.dll | Kaajei32.exe
File created | C:\Windows\SysWOW64\Fofbhgde.exe | Fdqnkoep.exe
File created | C:\Windows\SysWOW64\Lgmcqkkh.exe | Lcojjmea.exe
File created | C:\Windows\SysWOW64\Pdcpnn32.dll | Mnaggcej.exe
File created | C:\Windows\SysWOW64\Gcmobfna.dll | Gdjqamme.exe
File created | C:\Windows\SysWOW64\Dfkclf32.exe | Dbmkfh32.exe
File created | C:\Windows\SysWOW64\Nahlmpdg.dll | Lihobnap.exe
File opened for modification | C:\Windows\SysWOW64\Fenphjei.exe | Fkilka32.exe
File created | C:\Windows\SysWOW64\Mhnkcm32.dll | Blgcio32.exe
File opened for modification | C:\Windows\SysWOW64\Okbpde32.exe | Odhhgkib.exe
File opened for modification | C:\Windows\SysWOW64\Ndcapd32.exe | Ngpqfp32.exe
File opened for modification | C:\Windows\SysWOW64\Gaeqmk32.exe | Fenphjei.exe
File created | C:\Windows\SysWOW64\Mdcagkgd.dll | Hphidanj.exe
File opened for modification | C:\Windows\SysWOW64\Pjihmmbk.exe | Ppddpd32.exe
File created | C:\Windows\SysWOW64\Joqgkdem.dll | Gdnfjl32.exe
File opened for modification | C:\Windows\SysWOW64\Okdkal32.exe | Oalfhf32.exe
File created | C:\Windows\SysWOW64\Iedfqeka.exe | Illbhp32.exe
File opened for modification | C:\Windows\SysWOW64\Dnpciaef.exe | Cegoqlof.exe
File created | C:\Windows\SysWOW64\Hclemh32.dll | Dkgldm32.exe
File created | C:\Windows\SysWOW64\Fmjgcipg.exe | Fpffje32.exe
File created | C:\Windows\SysWOW64\Lghnaplj.dll | Kqiaclhj.exe
File opened for modification | C:\Windows\SysWOW64\Qogbdl32.exe | Qjhmfekp.exe
File created | C:\Windows\SysWOW64\Hjipenda.exe | Helgmg32.exe
File created | C:\Windows\SysWOW64\Lohccp32.exe | Lhnkffeo.exe
File created | C:\Windows\SysWOW64\Clllik32.dll | Ahchdb32.exe
File opened for modification | C:\Windows\SysWOW64\Mclebc32.exe | Mjcaimgg.exe
File created | C:\Windows\SysWOW64\Mhflcm32.exe | Mcidkf32.exe
File created | C:\Windows\SysWOW64\Bchqdi32.dll | Bfqpecma.exe
File created | C:\Windows\SysWOW64\Gkeeihpg.dll | Loaokjjg.exe
File created | C:\Windows\SysWOW64\Hcmpomck.dll | Nghpjn32.exe
File created | C:\Windows\SysWOW64\Bafmhm32.dll | Ccgnelll.exe
File created | C:\Windows\SysWOW64\Abacpl32.dll | Bhdgjb32.exe
File opened for modification | C:\Windows\SysWOW64\Nbhfke32.exe | Mioabp32.exe
File opened for modification | C:\Windows\SysWOW64\Oiakgcnl.exe | Ocgbji32.exe
File created | C:\Windows\SysWOW64\Iapgkl32.exe | Ifffkncm.exe
File opened for modification | C:\Windows\SysWOW64\Edoefl32.exe | Emdmjamj.exe
File created | C:\Windows\SysWOW64\Abigipko.dll | Ciaefa32.exe
File created | C:\Windows\SysWOW64\Ghgfmi32.dll | Qobdgo32.exe
File created | C:\Windows\SysWOW64\Opodknco.exe | Offpbi32.exe
File created | C:\Windows\SysWOW64\Pollhnif.dll | Abdbflnf.exe
File opened for modification | C:\Windows\SysWOW64\Aldfcpjn.exe | Apnfno32.exe
File created | C:\Windows\SysWOW64\Hfqbqqjl.dll | Gildahhp.exe
File created | C:\Windows\SysWOW64\Nenakoho.exe | Nigafnck.exe
File opened for modification | C:\Windows\SysWOW64\Jbnjhh32.exe | Imaapa32.exe
File opened for modification | C:\Windows\SysWOW64\Bhdjno32.exe | Bdfahaaa.exe
File created | C:\Windows\SysWOW64\Pkfaka32.dll | Bejdiffp.exe
File created | C:\Windows\SysWOW64\Cdoime32.dll | Fooembgb.exe
Program crash (1 IoC)

pid | pid_target | Process | procid_target
3904 | 3404 | WerFault.exe | 730
Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anignn32.dll" | Nmhmlbkk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggknna32.dll" | Jbnjhh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppjedf32.dll" | Iciopdca.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kdnkdmec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ijqjgo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pcdldknm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mofapq32.dll" | Emgdmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqalfl32.dll" | Kocbkk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnmjpi32.dll" | Dobdqo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ppddpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hmaick32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apkodqok.dll" | Jcgapdeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjeh32.dll" | Cppobaeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdbgmkqd.dll" | Mecglbfl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ieomef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmiacp32.dll" | Mjcaimgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjjjgna.dll" | Pioeoi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lkihdioa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkepinpk.dll" | Jhlmmfef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fppfqpoe.dll" | Nbfnggeo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gneijien.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Loqmba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhajpc32.dll" | Mlfojn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mgebdipp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ogqaehak.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pbomli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifcmmf32.dll" | Ficehj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kmimcbja.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ahchdb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khcpdm32.dll" | Nadpgggp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binoil32.dll" | Qjhmfekp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Igebkiof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll" | Ckjamgmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pbajbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hfjbmb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mojbaham.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpblmaab.dll" | Qhkkim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaehhqjh.dll" | Pkcpei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnldmfb.dll" | Jlckbh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mcqombic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qndhjl32.dll" | Epbbkf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Giaidnkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmmdpala.dll" | Mhflcm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Opodknco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omgipo32.dll" | Ijqjgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cddjebgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdoime32.dll" | Fooembgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chplalhi.dll" | Oaigib32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fooembgb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Akdafn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idfejc32.dll" | Iqhfnifq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbolili.dll" | Pglojj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnbppmob.dll" | Dlpbna32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Neknki32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Apkgpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Apmcefmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Blgcio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbaab32.dll" | Jmfafgbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kncaojfb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ncmglp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbbdb.dll" | Jjfkmdlg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dcemnopj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qjhmfekp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjplobo.dll" | Imodkadq.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 2192 wrote to memory of 2416 | 2192 | 85be438cf3b733d4e561a32ac51eddd79128e7a70238235d87858e4ae56e8c8c.exe | 28
PID 2192 wrote to memory of 2416 | 2192 | 85be438cf3b733d4e561a32ac51eddd79128e7a70238235d87858e4ae56e8c8c.exe | 28
PID 2192 wrote to memory of 2416 | 2192 | 85be438cf3b733d4e561a32ac51eddd79128e7a70238235d87858e4ae56e8c8c.exe | 28
PID 2192 wrote to memory of 2416 | 2192 | 85be438cf3b733d4e561a32ac51eddd79128e7a70238235d87858e4ae56e8c8c.exe | 28
PID 2416 wrote to memory of 2244 | 2416 | Kocbkk32.exe | 29
PID 2416 wrote to memory of 2244 | 2416 | Kocbkk32.exe | 29
PID 2416 wrote to memory of 2244 | 2416 | Kocbkk32.exe | 29
PID 2416 wrote to memory of 2244 | 2416 | Kocbkk32.exe | 29
PID 2244 wrote to memory of 2724 | 2244 | Kmjojo32.exe | 30
PID 2244 wrote to memory of 2724 | 2244 | Kmjojo32.exe | 30
PID 2244 wrote to memory of 2724 | 2244 | Kmjojo32.exe | 30
PID 2244 wrote to memory of 2724 | 2244 | Kmjojo32.exe | 30
PID 2724 wrote to memory of 2592 | 2724 | Kkolkk32.exe | 31
PID 2724 wrote to memory of 2592 | 2724 | Kkolkk32.exe | 31
PID 2724 wrote to memory of 2592 | 2724 | Kkolkk32.exe | 31
PID 2724 wrote to memory of 2592 | 2724 | Kkolkk32.exe | 31
PID 2592 wrote to memory of 2816 | 2592 | Leimip32.exe | 32
PID 2592 wrote to memory of 2816 | 2592 | Leimip32.exe | 32
PID 2592 wrote to memory of 2816 | 2592 | Leimip32.exe | 32
PID 2592 wrote to memory of 2816 | 2592 | Leimip32.exe | 32
PID 2816 wrote to memory of 2456 | 2816 | Lcojjmea.exe | 33
PID 2816 wrote to memory of 2456 | 2816 | Lcojjmea.exe | 33
PID 2816 wrote to memory of 2456 | 2816 | Lcojjmea.exe | 33
PID 2816 wrote to memory of 2456 | 2816 | Lcojjmea.exe | 33
PID 2456 wrote to memory of 2952 | 2456 | Lgmcqkkh.exe | 34
PID 2456 wrote to memory of 2952 | 2456 | Lgmcqkkh.exe | 34
PID 2456 wrote to memory of 2952 | 2456 | Lgmcqkkh.exe | 34
PID 2456 wrote to memory of 2952 | 2456 | Lgmcqkkh.exe | 34
PID 2952 wrote to memory of 332 | 2952 | Laegiq32.exe | 35
PID 2952 wrote to memory of 332 | 2952 | Laegiq32.exe | 35
PID 2952 wrote to memory of 332 | 2952 | Laegiq32.exe | 35
PID 2952 wrote to memory of 332 | 2952 | Laegiq32.exe | 35
PID 332 wrote to memory of 2448 | 332 | Lmlhnagm.exe | 36
PID 332 wrote to memory of 2448 | 332 | Lmlhnagm.exe | 36
PID 332 wrote to memory of 2448 | 332 | Lmlhnagm.exe | 36
PID 332 wrote to memory of 2448 | 332 | Lmlhnagm.exe | 36
PID 2448 wrote to memory of 1356 | 2448 | Libicbma.exe | 37
PID 2448 wrote to memory of 1356 | 2448 | Libicbma.exe | 37
PID 2448 wrote to memory of 1356 | 2448 | Libicbma.exe | 37
PID 2448 wrote to memory of 1356 | 2448 | Libicbma.exe | 37
PID 1356 wrote to memory of 532 | 1356 | Mhhfdo32.exe | 38
PID 1356 wrote to memory of 532 | 1356 | Mhhfdo32.exe | 38
PID 1356 wrote to memory of 532 | 1356 | Mhhfdo32.exe | 38
PID 1356 wrote to memory of 532 | 1356 | Mhhfdo32.exe | 38
PID 532 wrote to memory of 1916 | 532 | Mapjmehi.exe | 39
PID 532 wrote to memory of 1916 | 532 | Mapjmehi.exe | 39
PID 532 wrote to memory of 1916 | 532 | Mapjmehi.exe | 39
PID 532 wrote to memory of 1916 | 532 | Mapjmehi.exe | 39
PID 1916 wrote to memory of 1764 | 1916 | Mlfojn32.exe | 40
PID 1916 wrote to memory of 1764 | 1916 | Mlfojn32.exe | 40
PID 1916 wrote to memory of 1764 | 1916 | Mlfojn32.exe | 40
PID 1916 wrote to memory of 1764 | 1916 | Mlfojn32.exe | 40
PID 1764 wrote to memory of 1708 | 1764 | Meppiblm.exe | 41
PID 1764 wrote to memory of 1708 | 1764 | Meppiblm.exe | 41
PID 1764 wrote to memory of 1708 | 1764 | Meppiblm.exe | 41
PID 1764 wrote to memory of 1708 | 1764 | Meppiblm.exe | 41
PID 1708 wrote to memory of 2800 | 1708 | Magqncba.exe | 42
PID 1708 wrote to memory of 2800 | 1708 | Magqncba.exe | 42
PID 1708 wrote to memory of 2800 | 1708 | Magqncba.exe | 42
PID 1708 wrote to memory of 2800 | 1708 | Magqncba.exe | 42
PID 2800 wrote to memory of 1536 | 2800 | Naimccpo.exe | 43
PID 2800 wrote to memory of 1536 | 2800 | Naimccpo.exe | 43
PID 2800 wrote to memory of 1536 | 2800 | Naimccpo.exe | 43
PID 2800 wrote to memory of 1536 | 2800 | Naimccpo.exe | 43
Processes
- level 1: C:\Users\Admin\AppData\Local\Temp\85be438cf3b733d4e561a32ac51eddd79128e7a70238235d87858e4ae56e8c8c.exe (command line: "C:\Users\Admin\AppData\Local\Temp\85be438cf3b733d4e561a32ac51eddd79128e7a70238235d87858e4ae56e8c8c.exe"), PID 2192
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- level 2: C:\Windows\SysWOW64\Kocbkk32.exe (command line: C:\Windows\system32\Kocbkk32.exe), PID 2416
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- level 3: C:\Windows\SysWOW64\Kmjojo32.exe (command line: C:\Windows\system32\Kmjojo32.exe), PID 2244
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- level 4: C:\Windows\SysWOW64\Kkolkk32.exe (command line: C:\Windows\system32\Kkolkk32.exe), PID 2724
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- level 5: C:\Windows\SysWOW64\Leimip32.exe (command line: C:\Windows\system32\Leimip32.exe), PID 2592
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- level 6: C:\Windows\SysWOW64\Lcojjmea.exe (command line: C:\Windows\system32\Lcojjmea.exe), PID 2816
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- level 7: C:\Windows\SysWOW64\Lgmcqkkh.exe (command line: C:\Windows\system32\Lgmcqkkh.exe), PID 2456
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- level 8: C:\Windows\SysWOW64\Laegiq32.exe (command line: C:\Windows\system32\Laegiq32.exe), PID 2952
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- level 9: C:\Windows\SysWOW64\Lmlhnagm.exe (command line: C:\Windows\system32\Lmlhnagm.exe), PID 332
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- level 10: C:\Windows\SysWOW64\Libicbma.exe (command line: C:\Windows\system32\Libicbma.exe), PID 2448
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- level 11: C:\Windows\SysWOW64\Mhhfdo32.exe (command line: C:\Windows\system32\Mhhfdo32.exe), PID 1356
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- level 12: C:\Windows\SysWOW64\Mapjmehi.exe (command line: C:\Windows\system32\Mapjmehi.exe), PID 532
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- level 13: C:\Windows\SysWOW64\Mlfojn32.exe (command line: C:\Windows\system32\Mlfojn32.exe), PID 1916
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- level 14: C:\Windows\SysWOW64\Meppiblm.exe (command line: C:\Windows\system32\Meppiblm.exe), PID 1764
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- level 15: C:\Windows\SysWOW64\Magqncba.exe (command line: C:\Windows\system32\Magqncba.exe), PID 1708
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- level 16: C:\Windows\SysWOW64\Naimccpo.exe (command line: C:\Windows\system32\Naimccpo.exe), PID 2800
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- level 17: C:\Windows\SysWOW64\Ndjfeo32.exe (command line: C:\Windows\system32\Ndjfeo32.exe), PID 1536
  - Executes dropped EXE
  - Loads dropped DLL
- level 18: C:\Windows\SysWOW64\Nodgel32.exe (command line: C:\Windows\system32\Nodgel32.exe), PID 1908
  - Executes dropped EXE
  - Loads dropped DLL
- level 19: C:\Windows\SysWOW64\Nhllob32.exe (command line: C:\Windows\system32\Nhllob32.exe), PID 2788
  - Executes dropped EXE
  - Loads dropped DLL
- level 20: C:\Windows\SysWOW64\Nadpgggp.exe (command line: C:\Windows\system32\Nadpgggp.exe), PID 2328
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- level 21: C:\Windows\SysWOW64\Nkmdpm32.exe (command line: C:\Windows\system32\Nkmdpm32.exe), PID 1812
  - Executes dropped EXE
  - Loads dropped DLL
- level 22: C:\Windows\SysWOW64\Ohaeia32.exe (command line: C:\Windows\system32\Ohaeia32.exe), PID 1492
  - Executes dropped EXE
  - Loads dropped DLL
- level 23: C:\Windows\SysWOW64\Ookmfk32.exe (command line: C:\Windows\system32\Ookmfk32.exe), PID 1032
  - Executes dropped EXE
  - Loads dropped DLL
- level 24: C:\Windows\SysWOW64\Olonpp32.exe (command line: C:\Windows\system32\Olonpp32.exe), PID 1928
  - Executes dropped EXE
  - Loads dropped DLL
- level 25: C:\Windows\SysWOW64\Oalfhf32.exe (command line: C:\Windows\system32\Oalfhf32.exe), PID 580
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- level 26: C:\Windows\SysWOW64\Okdkal32.exe (command line: C:\Windows\system32\Okdkal32.exe), PID 2164
  - Executes dropped EXE
  - Loads dropped DLL
- level 27: C:\Windows\SysWOW64\Odlojanh.exe (command line: C:\Windows\system32\Odlojanh.exe), PID 3052
  - Executes dropped EXE
  - Loads dropped DLL
- level 28: C:\Windows\SysWOW64\Okfgfl32.exe (command line: C:\Windows\system32\Okfgfl32.exe), PID 2908
  - Executes dropped EXE
  - Loads dropped DLL
- level 29: C:\Windows\SysWOW64\Pkidlk32.exe (command line: C:\Windows\system32\Pkidlk32.exe), PID 1728
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
- level 30: C:\Windows\SysWOW64\Pfbelipa.exe (command line: C:\Windows\system32\Pfbelipa.exe), PID 2128
  - Executes dropped EXE
  - Loads dropped DLL
- level 31: C:\Windows\SysWOW64\Pkfceo32.exe (command line: C:\Windows\system32\Pkfceo32.exe), PID 2964
  - Executes dropped EXE
  - Loads dropped DLL
- level 32: C:\Windows\SysWOW64\Qbplbi32.exe (command line: C:\Windows\system32\Qbplbi32.exe), PID 2856
  - Executes dropped EXE
  - Loads dropped DLL
- level 33: C:\Windows\SysWOW64\Qiladcdh.exe (command line: C:\Windows\system32\Qiladcdh.exe), PID 2260
  - Executes dropped EXE
- level 34: C:\Windows\SysWOW64\Amnfnfgg.exe (command line: C:\Windows\system32\Amnfnfgg.exe), PID 2324
  - Executes dropped EXE
- level 35: C:\Windows\SysWOW64\Achojp32.exe (command line: C:\Windows\system32\Achojp32.exe), PID 2408
  - Executes dropped EXE
- level 36: C:\Windows\SysWOW64\Aaloddnn.exe (command line: C:\Windows\system32\Aaloddnn.exe), PID 2536
  - Executes dropped EXE
- level 37: C:\Windows\SysWOW64\Ajecmj32.exe (command line: C:\Windows\system32\Ajecmj32.exe), PID 776
  - Executes dropped EXE
- level 38: C:\Windows\SysWOW64\Aaolidlk.exe (command line: C:\Windows\system32\Aaolidlk.exe), PID 320
  - Executes dropped EXE
- level 39: C:\Windows\SysWOW64\Ajgpbj32.exe (command line: C:\Windows\system32\Ajgpbj32.exe), PID 936
  - Executes dropped EXE
  - Drops file in System32 directory
- level 40: C:\Windows\SysWOW64\Abbeflpf.exe (command line: C:\Windows\system32\Abbeflpf.exe), PID 1952
  - Executes dropped EXE
- level 41: C:\Windows\SysWOW64\Bnielm32.exe (command line: C:\Windows\system32\Bnielm32.exe), PID 2040
  - Executes dropped EXE
- level 42: C:\Windows\SysWOW64\Bhajdblk.exe (command line: C:\Windows\system32\Bhajdblk.exe), PID 1692
  - Executes dropped EXE
- level 43: C:\Windows\SysWOW64\Bhdgjb32.exe (command line: C:\Windows\system32\Bhdgjb32.exe), PID 2936
  - Executes dropped EXE
  - Drops file in System32 directory
- level 44: C:\Windows\SysWOW64\Bbikgk32.exe (command line: C:\Windows\system32\Bbikgk32.exe), PID 2864
  - Executes dropped EXE
- level 45: C:\Windows\SysWOW64\Blaopqpo.exe (command line: C:\Windows\system32\Blaopqpo.exe), PID 2932
  - Executes dropped EXE
- level 46: C:\Windows\SysWOW64\Bejdiffp.exe (command line: C:\Windows\system32\Bejdiffp.exe), PID 1204
  - Executes dropped EXE
  - Drops file in System32 directory
- level 47: C:\Windows\SysWOW64\Bfkpqn32.exe (command line: C:\Windows\system32\Bfkpqn32.exe), PID 1776
  - Executes dropped EXE
- level 48: C:\Windows\SysWOW64\Baadng32.exe (command line: C:\Windows\system32\Baadng32.exe), PID 2860
  - Executes dropped EXE
- level 49: C:\Windows\SysWOW64\Chkmkacq.exe (command line: C:\Windows\system32\Chkmkacq.exe), PID 1964
  - Executes dropped EXE
- level 50: C:\Windows\SysWOW64\Cdanpb32.exe (command line: C:\Windows\system32\Cdanpb32.exe), PID 1552
  - Executes dropped EXE
- level 51: C:\Windows\SysWOW64\Cmjbhh32.exe (command line: C:\Windows\system32\Cmjbhh32.exe), PID 2400
  - Executes dropped EXE
- level 52: C:\Windows\SysWOW64\Cddjebgb.exe (command line: C:\Windows\system32\Cddjebgb.exe), PID 1932
  - Executes dropped EXE
  - Modifies registry class
- level 53: C:\Windows\SysWOW64\Ciqcmiei.exe (command line: C:\Windows\system32\Ciqcmiei.exe), PID 996
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- level 54: C:\Windows\SysWOW64\Clooiddm.exe (command line: C:\Windows\system32\Clooiddm.exe), PID 2196
  - Executes dropped EXE
- level 55: C:\Windows\SysWOW64\Chfpoeja.exe (command line: C:\Windows\system32\Chfpoeja.exe), PID 1520
  - Executes dropped EXE
- level 56: C:\Windows\SysWOW64\Cejphiik.exe (command line: C:\Windows\system32\Cejphiik.exe), PID 2608
  - Executes dropped EXE
- level 57: C:\Windows\SysWOW64\Chhldeho.exe (command line: C:\Windows\system32\Chhldeho.exe), PID 2564
  - Executes dropped EXE
- level 58: C:\Windows\SysWOW64\Dobdqo32.exe (command line: C:\Windows\system32\Dobdqo32.exe), PID 2848
  - Executes dropped EXE
  - Modifies registry class
- level 59: C:\Windows\SysWOW64\Delmmigh.exe (command line: C:\Windows\system32\Delmmigh.exe), PID 2460
  - Executes dropped EXE
- level 60: C:\Windows\SysWOW64\Dlfejcoe.exe (command line: C:\Windows\system32\Dlfejcoe.exe), PID 2944
  - Executes dropped EXE
- level 61: C:\Windows\SysWOW64\Dhmfod32.exe (command line: C:\Windows\system32\Dhmfod32.exe), PID 1996
  - Executes dropped EXE
- level 62: C:\Windows\SysWOW64\Dognlnlf.exe (command line: C:\Windows\system32\Dognlnlf.exe), PID 1124
  - Executes dropped EXE
- level 63: C:\Windows\SysWOW64\Dgbcpq32.exe (command line: C:\Windows\system32\Dgbcpq32.exe), PID 2000
  - Executes dropped EXE
- level 64: C:\Windows\SysWOW64\Dpjgifpa.exe (command line: C:\Windows\system32\Dpjgifpa.exe), PID 2672
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- level 65: C:\Windows\SysWOW64\Dpmdofno.exe (command line: C:\Windows\system32\Dpmdofno.exe), PID 1588
  - Executes dropped EXE
- level 66: C:\Windows\SysWOW64\Eckpkamb.exe (command line: C:\Windows\system32\Eckpkamb.exe), PID 2392
- level 67: C:\Windows\SysWOW64\Elcdcgcc.exe (command line: C:\Windows\system32\Elcdcgcc.exe), PID 2204
- level 68: C:\Windows\SysWOW64\Eflill32.exe (command line: C:\Windows\system32\Eflill32.exe), PID 608
- level 69: C:\Windows\SysWOW64\Eodnebpd.exe (command line: C:\Windows\system32\Eodnebpd.exe), PID 1984
- level 70: C:\Windows\SysWOW64\Enlglnci.exe (command line: C:\Windows\system32\Enlglnci.exe), PID 1960
- level 71: C:\Windows\SysWOW64\Edfpih32.exe (command line: C:\Windows\system32\Edfpih32.exe), PID 2356
- level 72: C:\Windows\SysWOW64\Fnndan32.exe (command line: C:\Windows\system32\Fnndan32.exe), PID 1656
- level 73: C:\Windows\SysWOW64\Fkbdkb32.exe (command line: C:\Windows\system32\Fkbdkb32.exe), PID 1744
- level 74: C:\Windows\SysWOW64\Fqomci32.exe (command line: C:\Windows\system32\Fqomci32.exe), PID 1992
- level 75: C:\Windows\SysWOW64\Fncmmmma.exe (command line: C:\Windows\system32\Fncmmmma.exe), PID 2836
- level 76: C:\Windows\SysWOW64\Fqajihle.exe (command line: C:\Windows\system32\Fqajihle.exe), PID 2832
- level 77: C:\Windows\SysWOW64\Fmhjni32.exe (command line: C:\Windows\system32\Fmhjni32.exe), PID 2584
- level 78: C:\Windows\SysWOW64\Fpffje32.exe (command line: C:\Windows\system32\Fpffje32.exe), PID 2720
  - Drops file in System32 directory
- level 79: C:\Windows\SysWOW64\Fmjgcipg.exe (command line: C:\Windows\system32\Fmjgcipg.exe), PID 1788
- level 80: C:\Windows\SysWOW64\Fpicodoj.exe (command line: C:\Windows\system32\Fpicodoj.exe), PID 924
- level 81: C:\Windows\SysWOW64\Fbgpkpnn.exe (command line: C:\Windows\system32\Fbgpkpnn.exe), PID 2580
  - Adds autorun key to be loaded by Explorer.exe on startup
- level 82: C:\Windows\SysWOW64\Gmmdiind.exe (command line: C:\Windows\system32\Gmmdiind.exe), PID 2440
- level 83: C:\Windows\SysWOW64\Gpkpedmh.exe (command line: C:\Windows\system32\Gpkpedmh.exe), PID 1064
  - Adds autorun key to be loaded by Explorer.exe on startup
- level 84: C:\Windows\SysWOW64\Gfehan32.exe (command line: C:\Windows\system32\Gfehan32.exe), PID 1684
  - Drops file in System32 directory
- level 85: C:\Windows\SysWOW64\Gmoqnhla.exe (command line: C:\Windows\system32\Gmoqnhla.exe), PID 2412
- level 86: C:\Windows\SysWOW64\Gpnmjd32.exe (command line: C:\Windows\system32\Gpnmjd32.exe), PID 1712
- level 87: C:\Windows\SysWOW64\Gifaciae.exe (command line: C:\Windows\system32\Gifaciae.exe), PID 1660
- level 88: C:\Windows\SysWOW64\Gnbjlpom.exe (command line: C:\Windows\system32\Gnbjlpom.exe), PID 2548
  - Adds autorun key to be loaded by Explorer.exe on startup
- level 89: C:\Windows\SysWOW64\Gaafhloq.exe (command line: C:\Windows\system32\Gaafhloq.exe), PID 1232
- level 90: C:\Windows\SysWOW64\Gjijqa32.exe (command line: C:\Windows\system32\Gjijqa32.exe), PID 2476
- level 91: C:\Windows\SysWOW64\Gacbmk32.exe (command line: C:\Windows\system32\Gacbmk32.exe), PID 1116
- level 92: C:\Windows\SysWOW64\Gjlgfaco.exe (command line: C:\Windows\system32\Gjlgfaco.exe), PID 908
- level 93: C:\Windows\SysWOW64\Gmjcblbb.exe (command line: C:\Windows\system32\Gmjcblbb.exe), PID 1616
  - Adds autorun key to be loaded by Explorer.exe on startup
- level 94: C:\Windows\SysWOW64\Hddlof32.exe (command line: C:\Windows\system32\Hddlof32.exe), PID 1096
- level 95: C:\Windows\SysWOW64\Hjndlqal.exe (command line: C:\Windows\system32\Hjndlqal.exe), PID 2552
- level 96: C:\Windows\SysWOW64\Hpkldg32.exe (command line: C:\Windows\system32\Hpkldg32.exe), PID 2280
- level 97: C:\Windows\SysWOW64\Hjqqap32.exe (command line: C:\Windows\system32\Hjqqap32.exe), PID 2632
- level 98: C:\Windows\SysWOW64\Hajinjff.exe (command line: C:\Windows\system32\Hajinjff.exe), PID 2276
- level 99: C:\Windows\SysWOW64\Hmaick32.exe (command line: C:\Windows\system32\Hmaick32.exe), PID 1640
  - Modifies registry class
- level 100: C:\Windows\SysWOW64\Hdkape32.exe (command line: C:\Windows\system32\Hdkape32.exe), PID 2516
  - Drops file in System32 directory
- level 101: C:\Windows\SysWOW64\Hmcfhkjg.exe (command line: C:\Windows\system32\Hmcfhkjg.exe), PID 2636
- level 102: C:\Windows\SysWOW64\Hoebpc32.exe (command line: C:\Windows\system32\Hoebpc32.exe), PID 2124
- level 103: C:\Windows\SysWOW64\Hbqoqbho.exe (command line: C:\Windows\system32\Hbqoqbho.exe), PID 2368
- level 104: C:\Windows\SysWOW64\Ihmgiiff.exe (command line: C:\Windows\system32\Ihmgiiff.exe), PID 1944
- level 105: C:\Windows\SysWOW64\Ipdojfgh.exe (command line: C:\Windows\system32\Ipdojfgh.exe), PID 2340
- level 106: C:\Windows\SysWOW64\Ibckfa32.exe (command line: C:\Windows\system32\Ibckfa32.exe), PID 2500
- level 107: C:\Windows\SysWOW64\Ihpdoh32.exe (command line: C:\Windows\system32\Ihpdoh32.exe), PID 1008
- level 108: C:\Windows\SysWOW64\Iknpkd32.exe (command line: C:\Windows\system32\Iknpkd32.exe), PID 2880
- level 109: C:\Windows\SysWOW64\Iecdhm32.exe (command line: C:\Windows\system32\Iecdhm32.exe), PID 2364
- level 110: C:\Windows\SysWOW64\Jeadap32.exe (command line: C:\Windows\system32\Jeadap32.exe), PID 2912
- level 111: C:\Windows\SysWOW64\Jpfhoi32.exe (command line: C:\Windows\system32\Jpfhoi32.exe), PID 2568
- level 112: C:\Windows\SysWOW64\Jfcqgpfi.exe (command line: C:\Windows\system32\Jfcqgpfi.exe), PID 2988
- level 113: C:\Windows\SysWOW64\Jcgapdeb.exe (command line: C:\Windows\system32\Jcgapdeb.exe), PID 2984
  - Modifies registry class
- level 114: C:\Windows\SysWOW64\Jjaimn32.exe (command line: C:\Windows\system32\Jjaimn32.exe), PID 1808
  - Adds autorun key to be loaded by Explorer.exe on startup
- level 115: C:\Windows\SysWOW64\Jonbee32.exe (command line: C:\Windows\system32\Jonbee32.exe), PID 2532
- level 116: C:\Windows\SysWOW64\Jhffnk32.exe (command line: C:\Windows\system32\Jhffnk32.exe), PID 1084
- level 117: C:\Windows\SysWOW64\Jkebjf32.exe (command line: C:\Windows\system32\Jkebjf32.exe), PID 2868
- level 118: C:\Windows\SysWOW64\Kdmgclfk.exe (command line: C:\Windows\system32\Kdmgclfk.exe), PID 3044
- level 119: C:\Windows\SysWOW64\Kbaglpee.exe (command line: C:\Windows\system32\Kbaglpee.exe), PID 848
  - Drops file in System32 directory
- level 120: C:\Windows\SysWOW64\Kdpcikdi.exe (command line: C:\Windows\system32\Kdpcikdi.exe), PID 2296
- level 121: C:\Windows\SysWOW64\Knhhaaki.exe (command line: C:\Windows\system32\Knhhaaki.exe), PID 2388
- level 122: C:\Windows\SysWOW64\Kqfdnljm.exe (command line: C:\Windows\system32\Kqfdnljm.exe), PID 1940