Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/04/2024, 23:24
Static task: static1
Behavioral task: behavioral1
  Sample: 7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe
  Resource: win10v2004-20240412-en
General
Target: 7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe
Size: 112KB
MD5: e4112f02a5f4ae4d32d75ba57f0c664d
SHA1: 47cd93ae7bc849d52f0d989ac4191fe25fee92a3
SHA256: 7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11
SHA512: f60b0a4806fc56f6bcf2b9d31378f5764da8215e6d73e412116c9a6ce858984eff7b0aad716229a93b6797118891a3ed8b8a01fcc39a5c3b0216c9b44f23b343
SSDEEP: 3072:cE03BIbGOJTfAWeSR7zk3nEb8l09FeJLCQnFIBOaCUjKaVLjd:cE03BdMYqRr8l09FeJLbnCBbC+nVLjd
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid    pid_target  Process       procid_target
15480  15404       WerFault.exe  789
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e276987213414ff10175bde85cb0b24132825004881d926ba2492a91c1e7a11.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3460

Depth 2: C:\Windows\SysWOW64\Mkjqcp32.exe
  Command line: C:\Windows\system32\Mkjqcp32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4888

Depth 3: C:\Windows\SysWOW64\Mnimpk32.exe
  Command line: C:\Windows\system32\Mnimpk32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4956

Depth 4: C:\Windows\SysWOW64\Nqgilg32.exe
  Command line: C:\Windows\system32\Nqgilg32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4884

Depth 5: C:\Windows\SysWOW64\Nhnamd32.exe
  Command line: C:\Windows\system32\Nhnamd32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2448

Depth 6: C:\Windows\SysWOW64\Nkmmip32.exe
  Command line: C:\Windows\system32\Nkmmip32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2908

Depth 7: C:\Windows\SysWOW64\Nnkiek32.exe
  Command line: C:\Windows\system32\Nnkiek32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1504

Depth 8: C:\Windows\SysWOW64\Ndebbe32.exe
  Command line: C:\Windows\system32\Ndebbe32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4696

Depth 9: C:\Windows\SysWOW64\Ngcnnq32.exe
  Command line: C:\Windows\system32\Ngcnnq32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4836

Depth 10: C:\Windows\SysWOW64\Nkojooih.exe
  Command line: C:\Windows\system32\Nkojooih.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1764

Depth 11: C:\Windows\SysWOW64\Nnmfkkhl.exe
  Command line: C:\Windows\system32\Nnmfkkhl.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2204

Depth 12: C:\Windows\SysWOW64\Ndgoge32.exe
  Command line: C:\Windows\system32\Ndgoge32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 5040

Depth 13: C:\Windows\SysWOW64\Ngfkcp32.exe
  Command line: C:\Windows\system32\Ngfkcp32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4160

Depth 14: C:\Windows\SysWOW64\Nnpcpjfi.exe
  Command line: C:\Windows\system32\Nnpcpjfi.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1832

Depth 15: C:\Windows\SysWOW64\Nbkoai32.exe
  Command line: C:\Windows\system32\Nbkoai32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2404

Depth 16: C:\Windows\SysWOW64\Niegnc32.exe
  Command line: C:\Windows\system32\Niegnc32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4680

Depth 17: C:\Windows\SysWOW64\Nkccjo32.exe
  Command line: C:\Windows\system32\Nkccjo32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 4076

Depth 18: C:\Windows\SysWOW64\Nbnlfimp.exe
  Command line: C:\Windows\system32\Nbnlfimp.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1676

Depth 19: C:\Windows\SysWOW64\Nigdcc32.exe
  Command line: C:\Windows\system32\Nigdcc32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1812

Depth 20: C:\Windows\SysWOW64\Nkfpon32.exe
  Command line: C:\Windows\system32\Nkfpon32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1244

Depth 21: C:\Windows\SysWOW64\Obphlhkm.exe
  Command line: C:\Windows\system32\Obphlhkm.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2484

Depth 22: C:\Windows\SysWOW64\Oendhdjq.exe
  Command line: C:\Windows\system32\Oendhdjq.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 856

Depth 23: C:\Windows\SysWOW64\Okhmenan.exe
  Command line: C:\Windows\system32\Okhmenan.exe
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Ongiaiqa.exeC:\Windows\system32\Ongiaiqa.exe24⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Oeqanc32.exeC:\Windows\system32\Oeqanc32.exe25⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Okkjjnok.exeC:\Windows\system32\Okkjjnok.exe26⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Obdbgh32.exeC:\Windows\system32\Obdbgh32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Oiojdb32.exeC:\Windows\system32\Oiojdb32.exe28⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Okmfpm32.exeC:\Windows\system32\Okmfpm32.exe29⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Obgomgee.exeC:\Windows\system32\Obgomgee.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Oeekicdi.exeC:\Windows\system32\Oeekicdi.exe31⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Obikbgbb.exeC:\Windows\system32\Obikbgbb.exe32⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Oalknd32.exeC:\Windows\system32\Oalknd32.exe33⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Ogfcjnaj.exeC:\Windows\system32\Ogfcjnaj.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Pblhhg32.exeC:\Windows\system32\Pblhhg32.exe35⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Paohccgj.exeC:\Windows\system32\Paohccgj.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4508 -
C:\Windows\SysWOW64\Paaeiceg.exeC:\Windows\system32\Paaeiceg.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:4772 -
C:\Windows\SysWOW64\Pihmjqfj.exeC:\Windows\system32\Pihmjqfj.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Ppbegkmg.exeC:\Windows\system32\Ppbegkmg.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4204 -
C:\Windows\SysWOW64\Pbpacfmj.exeC:\Windows\system32\Pbpacfmj.exe40⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Peonoaln.exeC:\Windows\system32\Peonoaln.exe41⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Ppdbljkd.exeC:\Windows\system32\Ppdbljkd.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4344 -
C:\Windows\SysWOW64\Peajdajk.exeC:\Windows\system32\Peajdajk.exe43⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Pimfep32.exeC:\Windows\system32\Pimfep32.exe44⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Plkbak32.exeC:\Windows\system32\Plkbak32.exe45⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Pahkjbop.exeC:\Windows\system32\Pahkjbop.exe46⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Pecgja32.exeC:\Windows\system32\Pecgja32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Plmogkoe.exeC:\Windows\system32\Plmogkoe.exe48⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Qbggce32.exeC:\Windows\system32\Qbggce32.exe49⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Qefdpq32.exeC:\Windows\system32\Qefdpq32.exe50⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Qiappono.exeC:\Windows\system32\Qiappono.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Qhdpll32.exeC:\Windows\system32\Qhdpll32.exe52⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Qbjdiedp.exeC:\Windows\system32\Qbjdiedp.exe53⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Qamdda32.exeC:\Windows\system32\Qamdda32.exe54⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Albibj32.exeC:\Windows\system32\Albibj32.exe55⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Apndbici.exeC:\Windows\system32\Apndbici.exe56⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Aejmkpaq.exeC:\Windows\system32\Aejmkpaq.exe57⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Ahiigkqd.exeC:\Windows\system32\Ahiigkqd.exe58⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Abnnddpj.exeC:\Windows\system32\Abnnddpj.exe59⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Aihfanhg.exeC:\Windows\system32\Aihfanhg.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Apbnnh32.exeC:\Windows\system32\Apbnnh32.exe61⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Aackeqeb.exeC:\Windows\system32\Aackeqeb.exe62⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Aikbfnfd.exeC:\Windows\system32\Aikbfnfd.exe63⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Aliobieh.exeC:\Windows\system32\Aliobieh.exe64⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Aogkoedl.exeC:\Windows\system32\Aogkoedl.exe65⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Aeacko32.exeC:\Windows\system32\Aeacko32.exe66⤵PID:5068
-
C:\Windows\SysWOW64\Aimoln32.exeC:\Windows\system32\Aimoln32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3268 -
C:\Windows\SysWOW64\Alkkhi32.exeC:\Windows\system32\Alkkhi32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4748 -
C:\Windows\SysWOW64\Aojhdd32.exeC:\Windows\system32\Aojhdd32.exe69⤵PID:3920
-
C:\Windows\SysWOW64\Aahdqp32.exeC:\Windows\system32\Aahdqp32.exe70⤵PID:1172
-
C:\Windows\SysWOW64\Aedpaoif.exeC:\Windows\system32\Aedpaoif.exe71⤵
- Modifies registry class
PID:3500 -
C:\Windows\SysWOW64\Blnhni32.exeC:\Windows\system32\Blnhni32.exe72⤵PID:2956
-
C:\Windows\SysWOW64\Boldjd32.exeC:\Windows\system32\Boldjd32.exe73⤵PID:1260
-
C:\Windows\SysWOW64\Befmfngc.exeC:\Windows\system32\Befmfngc.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3964 -
C:\Windows\SysWOW64\Bhdibj32.exeC:\Windows\system32\Bhdibj32.exe75⤵
- Drops file in System32 directory
PID:1356 -
C:\Windows\SysWOW64\Blpechop.exeC:\Windows\system32\Blpechop.exe76⤵PID:4952
-
C:\Windows\SysWOW64\Booaodnd.exeC:\Windows\system32\Booaodnd.exe77⤵PID:944
-
C:\Windows\SysWOW64\Bammlomg.exeC:\Windows\system32\Bammlomg.exe78⤵PID:216
-
C:\Windows\SysWOW64\Bidemmnj.exeC:\Windows\system32\Bidemmnj.exe79⤵PID:3912
-
C:\Windows\SysWOW64\Blbaihmn.exeC:\Windows\system32\Blbaihmn.exe80⤵
- Drops file in System32 directory
PID:220 -
C:\Windows\SysWOW64\Boanecla.exeC:\Windows\system32\Boanecla.exe81⤵PID:4552
-
C:\Windows\SysWOW64\Bbljeb32.exeC:\Windows\system32\Bbljeb32.exe82⤵PID:1828
-
C:\Windows\SysWOW64\Bekfan32.exeC:\Windows\system32\Bekfan32.exe83⤵PID:5144
-
C:\Windows\SysWOW64\Blennh32.exeC:\Windows\system32\Blennh32.exe84⤵
- Modifies registry class
PID:5204 -
C:\Windows\SysWOW64\Bockjc32.exeC:\Windows\system32\Bockjc32.exe85⤵
- Drops file in System32 directory
PID:5244 -
C:\Windows\SysWOW64\Bemcgmak.exeC:\Windows\system32\Bemcgmak.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5280 -
C:\Windows\SysWOW64\Blgkdg32.exeC:\Windows\system32\Blgkdg32.exe87⤵
- Drops file in System32 directory
PID:5324 -
C:\Windows\SysWOW64\Bpcgdfaa.exeC:\Windows\system32\Bpcgdfaa.exe88⤵PID:5368
-
C:\Windows\SysWOW64\Boegpc32.exeC:\Windows\system32\Boegpc32.exe89⤵PID:5412
-
C:\Windows\SysWOW64\Beppmmoi.exeC:\Windows\system32\Beppmmoi.exe90⤵PID:5464
-
C:\Windows\SysWOW64\Bikkml32.exeC:\Windows\system32\Bikkml32.exe91⤵PID:5520
-
C:\Windows\SysWOW64\Cpedjf32.exeC:\Windows\system32\Cpedjf32.exe92⤵PID:5568
-
C:\Windows\SysWOW64\Cccpfa32.exeC:\Windows\system32\Cccpfa32.exe93⤵PID:5612
-
C:\Windows\SysWOW64\Cafpanem.exeC:\Windows\system32\Cafpanem.exe94⤵PID:5656
-
C:\Windows\SysWOW64\Chphoh32.exeC:\Windows\system32\Chphoh32.exe95⤵
- Modifies registry class
PID:5704 -
C:\Windows\SysWOW64\Cpgqpe32.exeC:\Windows\system32\Cpgqpe32.exe96⤵PID:5744
-
C:\Windows\SysWOW64\Ccfmla32.exeC:\Windows\system32\Ccfmla32.exe97⤵PID:5784
-
C:\Windows\SysWOW64\Chbedh32.exeC:\Windows\system32\Chbedh32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5832 -
C:\Windows\SysWOW64\Commqb32.exeC:\Windows\system32\Commqb32.exe99⤵PID:5880
-
C:\Windows\SysWOW64\Cakjmm32.exeC:\Windows\system32\Cakjmm32.exe100⤵PID:5924
-
C:\Windows\SysWOW64\Chebighd.exeC:\Windows\system32\Chebighd.exe101⤵
- Modifies registry class
PID:5968 -
C:\Windows\SysWOW64\Coojfa32.exeC:\Windows\system32\Coojfa32.exe102⤵
- Modifies registry class
PID:6008 -
C:\Windows\SysWOW64\Ceibclgn.exeC:\Windows\system32\Ceibclgn.exe103⤵PID:6056
-
C:\Windows\SysWOW64\Capchmmb.exeC:\Windows\system32\Capchmmb.exe104⤵PID:6100
-
C:\Windows\SysWOW64\Digkijmd.exeC:\Windows\system32\Digkijmd.exe105⤵PID:6136
-
C:\Windows\SysWOW64\Dpacfd32.exeC:\Windows\system32\Dpacfd32.exe106⤵PID:5164
-
C:\Windows\SysWOW64\Dcopbp32.exeC:\Windows\system32\Dcopbp32.exe107⤵
- Modifies registry class
PID:5228 -
C:\Windows\SysWOW64\Denlnk32.exeC:\Windows\system32\Denlnk32.exe108⤵PID:5320
-
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe109⤵PID:5380
-
C:\Windows\SysWOW64\Dephckaf.exeC:\Windows\system32\Dephckaf.exe110⤵PID:5448
-
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe111⤵
- Modifies registry class
PID:5548 -
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe112⤵PID:5596
-
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe113⤵PID:5696
-
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5764 -
C:\Windows\SysWOW64\Dhqaefng.exeC:\Windows\system32\Dhqaefng.exe115⤵PID:5876
-
C:\Windows\SysWOW64\Dphifcoi.exeC:\Windows\system32\Dphifcoi.exe116⤵PID:5916
-
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe117⤵PID:5992
-
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe118⤵PID:6036
-
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe119⤵PID:6124
-
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe120⤵PID:5200
-
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe121⤵PID:5276
-
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe122⤵PID:5348