Analysis
max time kernel: 159s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/03/2024, 23:38
Static task: static1
Behavioral task: behavioral1
Sample: 8955df798999b0923a450d5c62f52d3e7ee9a1696552655da0c5cd2850a19178.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 8955df798999b0923a450d5c62f52d3e7ee9a1696552655da0c5cd2850a19178.exe
Resource: win10v2004-20240226-en
General
Target: 8955df798999b0923a450d5c62f52d3e7ee9a1696552655da0c5cd2850a19178.exe
Size: 242KB
MD5: bdcd4909dc12c3d8061d116bd14a114d
SHA1: 6662b000f0b39ba17f1b412e58bf411d7e47316b
SHA256: 8955df798999b0923a450d5c62f52d3e7ee9a1696552655da0c5cd2850a19178
SHA512: 5478b6689394ccb03beb8be277d0cb1480f75ff144c54a59752825302f52239bf34aa70dc91b94c72efeec102fdd1a658640b44f5a496e2396fdcfa533b9536c
SSDEEP: 3072:WrrN+MVtiQn2tOFGuqIJ7V6V8ZLB6V16VKcWmjRrzKbKcWmjRrzK8VHkdYaM88KC:krN+uiQnoy7V66LB6X62UyHEYa0
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
UPX dump on OEP (original entry point) (64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\8955df798999b0923a450d5c62f52d3e7ee9a1696552655da0c5cd2850a19178.exe
"C:\Users\Admin\AppData\Local\Temp\8955df798999b0923a450d5c62f52d3e7ee9a1696552655da0c5cd2850a19178.exe"
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1488

[depth 2] C:\Windows\SysWOW64\Gnjjfegi.exe
C:\Windows\system32\Gnjjfegi.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888

[depth 3] C:\Windows\SysWOW64\Gknkpjfb.exe
C:\Windows\system32\Gknkpjfb.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240

[depth 4] C:\Windows\SysWOW64\Hpomcp32.exe
C:\Windows\system32\Hpomcp32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188

[depth 5] C:\Windows\SysWOW64\Hacbhb32.exe
C:\Windows\system32\Hacbhb32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488

[depth 6] C:\Windows\SysWOW64\Jjamia32.exe
C:\Windows\system32\Jjamia32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184

[depth 7] C:\Windows\SysWOW64\Jdgafjpn.exe
C:\Windows\system32\Jdgafjpn.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116

[depth 8] C:\Windows\SysWOW64\Kghjhemo.exe
C:\Windows\system32\Kghjhemo.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676

[depth 9] C:\Windows\SysWOW64\Knbbep32.exe
C:\Windows\system32\Knbbep32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012

[depth 10] C:\Windows\SysWOW64\Knkekn32.exe
C:\Windows\system32\Knkekn32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156

[depth 11] C:\Windows\SysWOW64\Ljbfpo32.exe
C:\Windows\system32\Ljbfpo32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688

[depth 12] C:\Windows\SysWOW64\Licfngjd.exe
C:\Windows\system32\Licfngjd.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716

[depth 13] C:\Windows\SysWOW64\Lbkkgl32.exe
C:\Windows\system32\Lbkkgl32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1576

[depth 14] C:\Windows\SysWOW64\Ljgpkonp.exe
C:\Windows\system32\Ljgpkonp.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340

[depth 15] C:\Windows\SysWOW64\Llflea32.exe
C:\Windows\system32\Llflea32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648

[depth 16] C:\Windows\SysWOW64\Lhmmjbkf.exe
C:\Windows\system32\Lhmmjbkf.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088

[depth 17] C:\Windows\SysWOW64\Mngegmbc.exe
C:\Windows\system32\Mngegmbc.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608

[depth 18] C:\Windows\SysWOW64\Mniallpq.exe
C:\Windows\system32\Mniallpq.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548

[depth 19] C:\Windows\SysWOW64\Nimbkc32.exe
C:\Windows\system32\Nimbkc32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656

[depth 20] C:\Windows\SysWOW64\Nlnkmnah.exe
C:\Windows\system32\Nlnkmnah.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960

[depth 21] C:\Windows\SysWOW64\Nefped32.exe
C:\Windows\system32\Nefped32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760

[depth 22] C:\Windows\SysWOW64\Oondnini.exe
C:\Windows\system32\Oondnini.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916

[depth 23] C:\Windows\SysWOW64\Oeoblb32.exe
C:\Windows\system32\Oeoblb32.exe
- Executes dropped EXE
PID:1864

[depth 24] C:\Windows\SysWOW64\Oohgdhfn.exe
C:\Windows\system32\Oohgdhfn.exe
- Executes dropped EXE
PID:3852

[depth 25] C:\Windows\SysWOW64\Pcepkfld.exe
C:\Windows\system32\Pcepkfld.exe
- Executes dropped EXE
PID:4528

[depth 26] C:\Windows\SysWOW64\Piphgq32.exe
C:\Windows\system32\Piphgq32.exe
- Executes dropped EXE
PID:4824

[depth 27] C:\Windows\SysWOW64\Pibdmp32.exe
C:\Windows\system32\Pibdmp32.exe
- Executes dropped EXE
PID:4592

[depth 28] C:\Windows\SysWOW64\Poomegpf.exe
C:\Windows\system32\Poomegpf.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4312

[depth 29] C:\Windows\SysWOW64\Pekbga32.exe
C:\Windows\system32\Pekbga32.exe
- Executes dropped EXE
PID:2868

[depth 30] C:\Windows\SysWOW64\Pcobaedj.exe
C:\Windows\system32\Pcobaedj.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:2812

[depth 31] C:\Windows\SysWOW64\Qkjgegae.exe
C:\Windows\system32\Qkjgegae.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:2260

[depth 32] C:\Windows\SysWOW64\Qcclld32.exe
C:\Windows\system32\Qcclld32.exe
- Executes dropped EXE
PID:2492

[depth 33] C:\Windows\SysWOW64\Bmofagfp.exe
C:\Windows\system32\Bmofagfp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4892

[depth 34] C:\Windows\SysWOW64\Bckkca32.exe
C:\Windows\system32\Bckkca32.exe
- Executes dropped EXE
PID:1116

[depth 35] C:\Windows\SysWOW64\Cjecpkcg.exe
C:\Windows\system32\Cjecpkcg.exe
- Executes dropped EXE
PID:3516

[depth 36] C:\Windows\SysWOW64\Ckfphc32.exe
C:\Windows\system32\Ckfphc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2796

[depth 37] C:\Windows\SysWOW64\Cfcjfk32.exe
C:\Windows\system32\Cfcjfk32.exe
- Executes dropped EXE
PID:4988

[depth 38] C:\Windows\SysWOW64\Dcpmen32.exe
C:\Windows\system32\Dcpmen32.exe
- Executes dropped EXE
PID:3728

[depth 39] C:\Windows\SysWOW64\Djjebh32.exe
C:\Windows\system32\Djjebh32.exe
- Executes dropped EXE
PID:2872

[depth 40] C:\Windows\SysWOW64\Ecbjkngo.exe
C:\Windows\system32\Ecbjkngo.exe
- Executes dropped EXE
PID:5012

[depth 41] C:\Windows\SysWOW64\Ecefqnel.exe
C:\Windows\system32\Ecefqnel.exe
- Executes dropped EXE
- Modifies registry class
PID:3004

[depth 42] C:\Windows\SysWOW64\Eplgeokq.exe
C:\Windows\system32\Eplgeokq.exe
- Executes dropped EXE
- Modifies registry class
PID:3244

[depth 43] C:\Windows\SysWOW64\Ebjcajjd.exe
C:\Windows\system32\Ebjcajjd.exe
- Executes dropped EXE
PID:4392

[depth 44] C:\Windows\SysWOW64\Eidlnd32.exe
C:\Windows\system32\Eidlnd32.exe
- Executes dropped EXE
PID:4856

[depth 45] C:\Windows\SysWOW64\Epndknin.exe
C:\Windows\system32\Epndknin.exe
- Executes dropped EXE
- Modifies registry class
PID:4036

[depth 46] C:\Windows\SysWOW64\Eleepoob.exe
C:\Windows\system32\Eleepoob.exe
- Executes dropped EXE
PID:2784

[depth 47] C:\Windows\SysWOW64\Glcaambb.exe
C:\Windows\system32\Glcaambb.exe
- Executes dropped EXE
PID:4764

[depth 48] C:\Windows\SysWOW64\Glengm32.exe
C:\Windows\system32\Glengm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3336

[depth 49] C:\Windows\SysWOW64\Gbofcghl.exe
C:\Windows\system32\Gbofcghl.exe
- Executes dropped EXE
PID:352

[depth 50] C:\Windows\SysWOW64\Glgjlm32.exe
C:\Windows\system32\Glgjlm32.exe
- Executes dropped EXE
PID:2352

[depth 51] C:\Windows\SysWOW64\Gkhkjd32.exe
C:\Windows\system32\Gkhkjd32.exe
- Executes dropped EXE
PID:4436

[depth 52] C:\Windows\SysWOW64\Gmiclo32.exe
C:\Windows\system32\Gmiclo32.exe
- Executes dropped EXE
PID:2792

[depth 53] C:\Windows\SysWOW64\Gdcliikj.exe
C:\Windows\system32\Gdcliikj.exe
- Executes dropped EXE
- Modifies registry class
PID:1928

[depth 54] C:\Windows\SysWOW64\Gkmdecbg.exe
C:\Windows\system32\Gkmdecbg.exe
- Executes dropped EXE
PID:4068

[depth 55] C:\Windows\SysWOW64\Hgdejd32.exe
C:\Windows\system32\Hgdejd32.exe
- Executes dropped EXE
PID:2672

[depth 56] C:\Windows\SysWOW64\Icdheded.exe
C:\Windows\system32\Icdheded.exe
- Executes dropped EXE
PID:1616

[depth 57] C:\Windows\SysWOW64\Ikkpgafg.exe
C:\Windows\system32\Ikkpgafg.exe
- Executes dropped EXE
PID:2568

[depth 58] C:\Windows\SysWOW64\Ilmmni32.exe
C:\Windows\system32\Ilmmni32.exe
- Executes dropped EXE
PID:1640

[depth 59] C:\Windows\SysWOW64\Icfekc32.exe
C:\Windows\system32\Icfekc32.exe
- Executes dropped EXE
PID:2228

[depth 60] C:\Windows\SysWOW64\Iciaqc32.exe
C:\Windows\system32\Iciaqc32.exe
- Executes dropped EXE
PID:3820

[depth 61] C:\Windows\SysWOW64\Innfnl32.exe
C:\Windows\system32\Innfnl32.exe
- Executes dropped EXE
PID:1064

[depth 62] C:\Windows\SysWOW64\Ikbfgppo.exe
C:\Windows\system32\Ikbfgppo.exe
- Executes dropped EXE
PID:376

[depth 63] C:\Windows\SysWOW64\Icnklbmj.exe
C:\Windows\system32\Icnklbmj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2460

[depth 64] C:\Windows\SysWOW64\Jncoikmp.exe
C:\Windows\system32\Jncoikmp.exe
- Executes dropped EXE
- Modifies registry class
PID:1300

[depth 65] C:\Windows\SysWOW64\Jdmgfedl.exe
C:\Windows\system32\Jdmgfedl.exe
- Executes dropped EXE
PID:868

[depth 66] C:\Windows\SysWOW64\Jnelok32.exe
C:\Windows\system32\Jnelok32.exe
PID:1968

[depth 67] C:\Windows\SysWOW64\Jdodkebj.exe
C:\Windows\system32\Jdodkebj.exe
PID:1916

[depth 68] C:\Windows\SysWOW64\Jnlbojee.exe
C:\Windows\system32\Jnlbojee.exe
- Drops file in System32 directory
PID:3588

[depth 69] C:\Windows\SysWOW64\Jdfjld32.exe
C:\Windows\system32\Jdfjld32.exe
PID:2028

[depth 70] C:\Windows\SysWOW64\Jgeghp32.exe
C:\Windows\system32\Jgeghp32.exe
- Modifies registry class
PID:220

[depth 71] C:\Windows\SysWOW64\Kmaopfjm.exe
C:\Windows\system32\Kmaopfjm.exe
PID:1484

[depth 72] C:\Windows\SysWOW64\Kclgmq32.exe
C:\Windows\system32\Kclgmq32.exe
PID:736

[depth 73] C:\Windows\SysWOW64\Kqphfe32.exe
C:\Windows\system32\Kqphfe32.exe
PID:100

[depth 74] C:\Windows\SysWOW64\Kgipcogp.exe
C:\Windows\system32\Kgipcogp.exe
PID:4460

[depth 75] C:\Windows\SysWOW64\Kjhloj32.exe
C:\Windows\system32\Kjhloj32.exe
PID:1680

[depth 76] C:\Windows\SysWOW64\Kqbdldnq.exe
C:\Windows\system32\Kqbdldnq.exe
- Drops file in System32 directory
PID:2680

[depth 77] C:\Windows\SysWOW64\Knfeeimj.exe
C:\Windows\system32\Knfeeimj.exe
PID:3632

[depth 78] C:\Windows\SysWOW64\Kcbnnpka.exe
C:\Windows\system32\Kcbnnpka.exe
PID:3616

[depth 79] C:\Windows\SysWOW64\Kjmfjj32.exe
C:\Windows\system32\Kjmfjj32.exe
PID:3544

[depth 80] C:\Windows\SysWOW64\Kmkbfeab.exe
C:\Windows\system32\Kmkbfeab.exe
PID:3280

[depth 81] C:\Windows\SysWOW64\Kdbjhbbd.exe
C:\Windows\system32\Kdbjhbbd.exe
PID:3024

[depth 82] C:\Windows\SysWOW64\Lklbdm32.exe
C:\Windows\system32\Lklbdm32.exe
- Modifies registry class
PID:5144

[depth 83] C:\Windows\SysWOW64\Lqikmc32.exe
C:\Windows\system32\Lqikmc32.exe
PID:5196

[depth 84] C:\Windows\SysWOW64\Lgccinoe.exe
C:\Windows\system32\Lgccinoe.exe
PID:5276

[depth 85] C:\Windows\SysWOW64\Lkalplel.exe
C:\Windows\system32\Lkalplel.exe
PID:5328

[depth 86] C:\Windows\SysWOW64\Lnohlgep.exe
C:\Windows\system32\Lnohlgep.exe
PID:5384

[depth 87] C:\Windows\SysWOW64\Lclpdncg.exe
C:\Windows\system32\Lclpdncg.exe
PID:5432

[depth 88] C:\Windows\SysWOW64\Ljfhqh32.exe
C:\Windows\system32\Ljfhqh32.exe
- Drops file in System32 directory
- Modifies registry class
PID:5480

[depth 89] C:\Windows\SysWOW64\Lqpamb32.exe
C:\Windows\system32\Lqpamb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5520

[depth 90] C:\Windows\SysWOW64\Lgjijmin.exe
C:\Windows\system32\Lgjijmin.exe
- Drops file in System32 directory
PID:5564

[depth 91] C:\Windows\SysWOW64\Ljhefhha.exe
C:\Windows\system32\Ljhefhha.exe
- Drops file in System32 directory
PID:5612

[depth 92] C:\Windows\SysWOW64\Lmgabcge.exe
C:\Windows\system32\Lmgabcge.exe
- Modifies registry class
PID:5668

[depth 93] C:\Windows\SysWOW64\Mkhapk32.exe
C:\Windows\system32\Mkhapk32.exe
- Drops file in System32 directory
PID:5724

[depth 94] C:\Windows\SysWOW64\Madjhb32.exe
C:\Windows\system32\Madjhb32.exe
PID:5780

[depth 95] C:\Windows\SysWOW64\Mccfdmmo.exe
C:\Windows\system32\Mccfdmmo.exe
- Modifies registry class
PID:5828

[depth 96] C:\Windows\SysWOW64\Mnhkbfme.exe
C:\Windows\system32\Mnhkbfme.exe
PID:5880

[depth 97] C:\Windows\SysWOW64\Maggnali.exe
C:\Windows\system32\Maggnali.exe
- Drops file in System32 directory
PID:5940

[depth 98] C:\Windows\SysWOW64\Malpia32.exe
C:\Windows\system32\Malpia32.exe
PID:5976

[depth 99] C:\Windows\SysWOW64\Mgehfkop.exe
C:\Windows\system32\Mgehfkop.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6036

[depth 100] C:\Windows\SysWOW64\Mnpabe32.exe
C:\Windows\system32\Mnpabe32.exe
PID:6072

[depth 101] C:\Windows\SysWOW64\Manmoq32.exe
C:\Windows\system32\Manmoq32.exe
PID:6116

[depth 102] C:\Windows\SysWOW64\Nclikl32.exe
C:\Windows\system32\Nclikl32.exe
PID:5124

[depth 103] C:\Windows\SysWOW64\Nlcalieg.exe
C:\Windows\system32\Nlcalieg.exe
PID:5212

[depth 104] C:\Windows\SysWOW64\Nmenca32.exe
C:\Windows\system32\Nmenca32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5336

[depth 105] C:\Windows\SysWOW64\Nlfnaicd.exe
C:\Windows\system32\Nlfnaicd.exe
PID:5424

[depth 106] C:\Windows\SysWOW64\Nmgjia32.exe
C:\Windows\system32\Nmgjia32.exe
PID:3260

[depth 107] C:\Windows\SysWOW64\Nenbjo32.exe
C:\Windows\system32\Nenbjo32.exe
PID:5584

[depth 108] C:\Windows\SysWOW64\Najmjokc.exe
C:\Windows\system32\Najmjokc.exe
PID:5660

[depth 109] C:\Windows\SysWOW64\Ojbacd32.exe
C:\Windows\system32\Ojbacd32.exe
PID:5776

[depth 110] C:\Windows\SysWOW64\Oalipoiq.exe
C:\Windows\system32\Oalipoiq.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5864

[depth 111] C:\Windows\SysWOW64\Ojigdcll.exe
C:\Windows\system32\Ojigdcll.exe
- Drops file in System32 directory
PID:6044

[depth 112] C:\Windows\SysWOW64\Bedgjgkg.exe
C:\Windows\system32\Bedgjgkg.exe
PID:5184

[depth 113] C:\Windows\SysWOW64\Domdjj32.exe
C:\Windows\system32\Domdjj32.exe
PID:5416

[depth 114] C:\Windows\SysWOW64\Fihnomjp.exe
C:\Windows\system32\Fihnomjp.exe
PID:5512

[depth 115] C:\Windows\SysWOW64\Flfkkhid.exe
C:\Windows\system32\Flfkkhid.exe
PID:5692

[depth 116] C:\Windows\SysWOW64\Fbpchb32.exe
C:\Windows\system32\Fbpchb32.exe
- Drops file in System32 directory
PID:5804

[depth 117] C:\Windows\SysWOW64\Feoodn32.exe
C:\Windows\system32\Feoodn32.exe
PID:3660

[depth 118] C:\Windows\SysWOW64\Fmfgek32.exe
C:\Windows\system32\Fmfgek32.exe
- Drops file in System32 directory
PID:4040

[depth 119] C:\Windows\SysWOW64\Fngcmcfe.exe
C:\Windows\system32\Fngcmcfe.exe
PID:768

[depth 120] C:\Windows\SysWOW64\Fealin32.exe
C:\Windows\system32\Fealin32.exe
- Modifies registry class
PID:6068

[depth 121] C:\Windows\SysWOW64\Flkdfh32.exe
C:\Windows\system32\Flkdfh32.exe
- Drops file in System32 directory
- Modifies registry class
PID:6140

[depth 122] C:\Windows\SysWOW64\Fnipbc32.exe
C:\Windows\system32\Fnipbc32.exe
PID:6092