Analysis
max time kernel: 157s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 09/05/2024, 01:44
Static task: static1
Behavioral task: behavioral1
Sample: 980e1171352d26e42f0c2d67ffe4b0082cc400a1c3408e7cb864104a9c9acc1d.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 980e1171352d26e42f0c2d67ffe4b0082cc400a1c3408e7cb864104a9c9acc1d.exe
Resource: win10v2004-20240226-en
General
Target: 980e1171352d26e42f0c2d67ffe4b0082cc400a1c3408e7cb864104a9c9acc1d.exe
Size: 304KB
MD5: 0675b6ea40fa94f407ebeae44bfd95ac
SHA1: 0bc981e692e76e632019afb7b9ffcc7b3cda51b0
SHA256: 980e1171352d26e42f0c2d67ffe4b0082cc400a1c3408e7cb864104a9c9acc1d
SHA512: 9ef6768cd9aeefd7356fde4a51d17a3b43bed2c5b429e560e6369cf87c6708422bbcff2c917f049b3770e1e86d789cdf6176522c070534ad255b29fe0822c71e
SSDEEP: 6144:Kn4zbiecO7JfnrFVoXJtpNr1RgAaa6FlFlcOuLr2/24qXPAbgPBFpYrFVO/fnrF8:44vFJfnYdsWfna
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (2 IoCs)
pid pid_target Process procid_target
1708 8936 WerFault.exe 637
5192 8936 WerFault.exe 637
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
level 1: C:\Users\Admin\AppData\Local\Temp\980e1171352d26e42f0c2d67ffe4b0082cc400a1c3408e7cb864104a9c9acc1d.exe (PID 2380), command line "C:\Users\Admin\AppData\Local\Temp\980e1171352d26e42f0c2d67ffe4b0082cc400a1c3408e7cb864104a9c9acc1d.exe"
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
level 2: C:\Windows\SysWOW64\Gebimmco.exe (PID 224), command line C:\Windows\system32\Gebimmco.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 3: C:\Windows\SysWOW64\Hgbonm32.exe (PID 996), command line C:\Windows\system32\Hgbonm32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 4: C:\Windows\SysWOW64\Jgedjjki.exe (PID 4824), command line C:\Windows\system32\Jgedjjki.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
level 5: C:\Windows\SysWOW64\Jfokff32.exe (PID 3520), command line C:\Windows\system32\Jfokff32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 6: C:\Windows\SysWOW64\Kfhnme32.exe (PID 2332), command line C:\Windows\system32\Kfhnme32.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
level 7: C:\Windows\SysWOW64\Lhcjbfag.exe (PID 624), command line C:\Windows\system32\Lhcjbfag.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
level 8: C:\Windows\SysWOW64\Mdlgmgdh.exe (PID 1848), command line C:\Windows\system32\Mdlgmgdh.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 9: C:\Windows\SysWOW64\Najjmjkg.exe (PID 2632), command line C:\Windows\system32\Najjmjkg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 10: C:\Windows\SysWOW64\Nieoal32.exe (PID 1684), command line C:\Windows\system32\Nieoal32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 11: C:\Windows\SysWOW64\Ndjcne32.exe (PID 3940), command line C:\Windows\system32\Ndjcne32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 12: C:\Windows\SysWOW64\Ngklppei.exe (PID 3804), command line C:\Windows\system32\Ngklppei.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
level 13: C:\Windows\SysWOW64\Odaiodbp.exe (PID 3104), command line C:\Windows\system32\Odaiodbp.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
level 14: C:\Windows\SysWOW64\Oiqomj32.exe (PID 1104), command line C:\Windows\system32\Oiqomj32.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
level 15: C:\Windows\SysWOW64\Pjoknhbe.exe (PID 1384), command line C:\Windows\system32\Pjoknhbe.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 16: C:\Windows\SysWOW64\Qpkppbho.exe (PID 4592), command line C:\Windows\system32\Qpkppbho.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 17: C:\Windows\SysWOW64\Aqpika32.exe (PID 2684), command line C:\Windows\system32\Aqpika32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 18: C:\Windows\SysWOW64\Agnkck32.exe (PID 3620), command line C:\Windows\system32\Agnkck32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 19: C:\Windows\SysWOW64\Bqnemp32.exe (PID 4688), command line C:\Windows\system32\Bqnemp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 20: C:\Windows\SysWOW64\Bjhgke32.exe (PID 4628), command line C:\Windows\system32\Bjhgke32.exe
- Executes dropped EXE
level 21: C:\Windows\SysWOW64\Bbbkbbkg.exe (PID 4552), command line C:\Windows\system32\Bbbkbbkg.exe
- Suspicious use of WriteProcessMemory
level 22: C:\Windows\SysWOW64\Bmhibi32.exe (PID 936), command line C:\Windows\system32\Bmhibi32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 23: C:\Windows\SysWOW64\Ccendc32.exe (PID 220), command line C:\Windows\system32\Ccendc32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 24: C:\Windows\SysWOW64\Dmknog32.exe (PID 3796), command line C:\Windows\system32\Dmknog32.exe
- Executes dropped EXE
level 25: C:\Windows\SysWOW64\Dcgcaq32.exe (PID 3984), command line C:\Windows\system32\Dcgcaq32.exe
- Executes dropped EXE
level 26: C:\Windows\SysWOW64\Ekcemmgo.exe (PID 2612), command line C:\Windows\system32\Ekcemmgo.exe
- Executes dropped EXE
level 27: C:\Windows\SysWOW64\Ejkndijd.exe (PID 1808), command line C:\Windows\system32\Ejkndijd.exe
- Executes dropped EXE
level 28: C:\Windows\SysWOW64\Fchlhnlo.exe (PID 5072), command line C:\Windows\system32\Fchlhnlo.exe
- Executes dropped EXE
level 29: C:\Windows\SysWOW64\Gdclcmba.exe (PID 1244), command line C:\Windows\system32\Gdclcmba.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
level 30: C:\Windows\SysWOW64\Hkggfe32.exe (PID 1976), command line C:\Windows\system32\Hkggfe32.exe
- Executes dropped EXE
- Modifies registry class
level 31: C:\Windows\SysWOW64\Iejgelej.exe (PID 4448), command line C:\Windows\system32\Iejgelej.exe
- Executes dropped EXE
level 32: C:\Windows\SysWOW64\Jogeia32.exe (PID 4752), command line C:\Windows\system32\Jogeia32.exe
- Executes dropped EXE
level 33: C:\Windows\SysWOW64\Jdgjgh32.exe (PID 1624), command line C:\Windows\system32\Jdgjgh32.exe
- Executes dropped EXE
level 34: C:\Windows\SysWOW64\Koceep32.exe (PID 1636), command line C:\Windows\system32\Koceep32.exe
- Executes dropped EXE
- Modifies registry class
level 35: C:\Windows\SysWOW64\Lkfeeo32.exe (PID 2304), command line C:\Windows\system32\Lkfeeo32.exe
- Executes dropped EXE
level 36: C:\Windows\SysWOW64\Lfpcngdo.exe (PID 4600), command line C:\Windows\system32\Lfpcngdo.exe
- Executes dropped EXE
level 37: C:\Windows\SysWOW64\Lmjkka32.exe (PID 2696), command line C:\Windows\system32\Lmjkka32.exe
- Executes dropped EXE
level 38: C:\Windows\SysWOW64\Mokdllim.exe (PID 1612), command line C:\Windows\system32\Mokdllim.exe
- Executes dropped EXE
level 39: C:\Windows\SysWOW64\Mfgiof32.exe (PID 4052), command line C:\Windows\system32\Mfgiof32.exe
- Executes dropped EXE
level 40: C:\Windows\SysWOW64\Moomgl32.exe (PID 2032), command line C:\Windows\system32\Moomgl32.exe
- Executes dropped EXE
level 41: C:\Windows\SysWOW64\Mkfnlmkl.exe (PID 620), command line C:\Windows\system32\Mkfnlmkl.exe
- Executes dropped EXE
level 42: C:\Windows\SysWOW64\Nnnmogae.exe (PID 2564), command line C:\Windows\system32\Nnnmogae.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
level 43: C:\Windows\SysWOW64\Olfgcj32.exe (PID 3424), command line C:\Windows\system32\Olfgcj32.exe
- Executes dropped EXE
level 44: C:\Windows\SysWOW64\Onjmjegg.exe (PID 1332), command line C:\Windows\system32\Onjmjegg.exe
- Executes dropped EXE
level 45: C:\Windows\SysWOW64\Ppblkffp.exe (PID 1776), command line C:\Windows\system32\Ppblkffp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
level 46: C:\Windows\SysWOW64\Pimmil32.exe (PID 3696), command line C:\Windows\system32\Pimmil32.exe
- Executes dropped EXE
level 47: C:\Windows\SysWOW64\Qednnm32.exe (PID 3928), command line C:\Windows\system32\Qednnm32.exe
- Executes dropped EXE
level 48: C:\Windows\SysWOW64\Qpibke32.exe (PID 1924), command line C:\Windows\system32\Qpibke32.exe
- Executes dropped EXE
level 49: C:\Windows\SysWOW64\Apnkfelb.exe (PID 4748), command line C:\Windows\system32\Apnkfelb.exe
- Executes dropped EXE
level 50: C:\Windows\SysWOW64\Algiaepd.exe (PID 4424), command line C:\Windows\system32\Algiaepd.exe
- Executes dropped EXE
level 51: C:\Windows\SysWOW64\Aohbbqme.exe (PID 5068), command line C:\Windows\system32\Aohbbqme.exe
- Executes dropped EXE
level 52: C:\Windows\SysWOW64\Bibpkiie.exe (PID 2624), command line C:\Windows\system32\Bibpkiie.exe
- Executes dropped EXE
level 53: C:\Windows\SysWOW64\Boaeioej.exe (PID 4640), command line C:\Windows\system32\Boaeioej.exe
- Executes dropped EXE
level 54: C:\Windows\SysWOW64\Clhbhc32.exe (PID 4332), command line C:\Windows\system32\Clhbhc32.exe
- Executes dropped EXE
level 55: C:\Windows\SysWOW64\Dlcaca32.exe (PID 4812), command line C:\Windows\system32\Dlcaca32.exe
- Executes dropped EXE
- Modifies registry class
level 56: C:\Windows\SysWOW64\Dgkbfjeg.exe (PID 1668), command line C:\Windows\system32\Dgkbfjeg.exe
- Executes dropped EXE
level 57: C:\Windows\SysWOW64\Dfqogfjo.exe (PID 320), command line C:\Windows\system32\Dfqogfjo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
level 58: C:\Windows\SysWOW64\Efgehe32.exe (PID 400), command line C:\Windows\system32\Efgehe32.exe
- Executes dropped EXE
level 59: C:\Windows\SysWOW64\Ejjgic32.exe (PID 2248), command line C:\Windows\system32\Ejjgic32.exe
- Executes dropped EXE
level 60: C:\Windows\SysWOW64\Fplimi32.exe (PID 3184), command line C:\Windows\system32\Fplimi32.exe
- Executes dropped EXE
level 61: C:\Windows\SysWOW64\Fjanjb32.exe (PID 4440), command line C:\Windows\system32\Fjanjb32.exe
- Executes dropped EXE
level 62: C:\Windows\SysWOW64\Gpjfng32.exe (PID 3924), command line C:\Windows\system32\Gpjfng32.exe
- Executes dropped EXE
- Modifies registry class
level 63: C:\Windows\SysWOW64\Ghcjedcj.exe (PID 3560), command line C:\Windows\system32\Ghcjedcj.exe
- Executes dropped EXE
level 64: C:\Windows\SysWOW64\Gnmbao32.exe (PID 3916), command line C:\Windows\system32\Gnmbao32.exe
- Executes dropped EXE
level 65: C:\Windows\SysWOW64\Hpqlof32.exe (PID 1420), command line C:\Windows\system32\Hpqlof32.exe
- Executes dropped EXE
level 66: C:\Windows\SysWOW64\Hmdlhk32.exe (PID 540), command line C:\Windows\system32\Hmdlhk32.exe
- Executes dropped EXE
level 67: C:\Windows\SysWOW64\Hhmmkcko.exe (PID 1476), command line C:\Windows\system32\Hhmmkcko.exe
level 68: C:\Windows\SysWOW64\Jpmdabfb.exe (PID 5076), command line C:\Windows\system32\Jpmdabfb.exe
level 69: C:\Windows\SysWOW64\Kkgbjkac.exe (PID 4468), command line C:\Windows\system32\Kkgbjkac.exe
level 70: C:\Windows\SysWOW64\Khkbcopl.exe (PID 1284), command line C:\Windows\system32\Khkbcopl.exe
- Modifies registry class
level 71: C:\Windows\SysWOW64\Kknhjj32.exe (PID 3408), command line C:\Windows\system32\Kknhjj32.exe
- Drops file in System32 directory
level 72: C:\Windows\SysWOW64\Lqbgcp32.exe (PID 3616), command line C:\Windows\system32\Lqbgcp32.exe
level 73: C:\Windows\SysWOW64\Ldpoinjq.exe (PID 3252), command line C:\Windows\system32\Ldpoinjq.exe
level 74: C:\Windows\SysWOW64\Ldblon32.exe (PID 1108), command line C:\Windows\system32\Ldblon32.exe
level 75: C:\Windows\SysWOW64\Mhgkfkhl.exe (PID 2656), command line C:\Windows\system32\Mhgkfkhl.exe
level 76: C:\Windows\SysWOW64\Ondleo32.exe (PID 2172), command line C:\Windows\system32\Ondleo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
level 77: C:\Windows\SysWOW64\Oijqbh32.exe (PID 3648), command line C:\Windows\system32\Oijqbh32.exe
level 78: C:\Windows\SysWOW64\Obdbqm32.exe (PID 4212), command line C:\Windows\system32\Obdbqm32.exe
level 79: C:\Windows\SysWOW64\Ppkopail.exe (PID 3500), command line C:\Windows\system32\Ppkopail.exe
level 80: C:\Windows\SysWOW64\Ppmleagi.exe (PID 4864), command line C:\Windows\system32\Ppmleagi.exe
level 81: C:\Windows\SysWOW64\Phkmoc32.exe (PID 2220), command line C:\Windows\system32\Phkmoc32.exe
level 82: C:\Windows\SysWOW64\Pneelmjo.exe (PID 4860), command line C:\Windows\system32\Pneelmjo.exe
- Modifies registry class
level 83: C:\Windows\SysWOW64\Plifea32.exe (PID 3160), command line C:\Windows\system32\Plifea32.exe
- Modifies registry class
level 84: C:\Windows\SysWOW64\Qlkbka32.exe (PID 3940), command line C:\Windows\system32\Qlkbka32.exe
level 85: C:\Windows\SysWOW64\Albikp32.exe (PID 224), command line C:\Windows\system32\Albikp32.exe
- Drops file in System32 directory
level 86: C:\Windows\SysWOW64\Aified32.exe (PID 4280), command line C:\Windows\system32\Aified32.exe
level 87: C:\Windows\SysWOW64\Aemjjeek.exe (PID 2344), command line C:\Windows\system32\Aemjjeek.exe
level 88: C:\Windows\SysWOW64\Aacjofkp.exe (PID 3328), command line C:\Windows\system32\Aacjofkp.exe
level 89: C:\Windows\SysWOW64\Alioloje.exe (PID 4744), command line C:\Windows\system32\Alioloje.exe
level 90: C:\Windows\SysWOW64\Abcgii32.exe (PID 3472), command line C:\Windows\system32\Abcgii32.exe
- Drops file in System32 directory
level 91: C:\Windows\SysWOW64\Cpgqik32.exe (PID 3516), command line C:\Windows\system32\Cpgqik32.exe
level 92: C:\Windows\SysWOW64\Dcmcfeke.exe (PID 2128), command line C:\Windows\system32\Dcmcfeke.exe
level 93: C:\Windows\SysWOW64\Dlgddkpc.exe (PID 3872), command line C:\Windows\system32\Dlgddkpc.exe
level 94: C:\Windows\SysWOW64\Dadlmanj.exe (PID 2140), command line C:\Windows\system32\Dadlmanj.exe
level 95: C:\Windows\SysWOW64\Fjnjjlog.exe (PID 3804), command line C:\Windows\system32\Fjnjjlog.exe
level 96: C:\Windows\SysWOW64\Fbiooolb.exe (PID 2300), command line C:\Windows\system32\Fbiooolb.exe
level 97: C:\Windows\SysWOW64\Fomohc32.exe (PID 4392), command line C:\Windows\system32\Fomohc32.exe
level 98: C:\Windows\SysWOW64\Fckhnaab.exe (PID 3044), command line C:\Windows\system32\Fckhnaab.exe
level 99: C:\Windows\SysWOW64\Fjepkk32.exe (PID 872), command line C:\Windows\system32\Fjepkk32.exe
level 100: C:\Windows\SysWOW64\Hpnhoqmi.exe (PID 2264), command line C:\Windows\system32\Hpnhoqmi.exe
- Drops file in System32 directory
- Modifies registry class
level 101: C:\Windows\SysWOW64\Hameic32.exe (PID 5148), command line C:\Windows\system32\Hameic32.exe
level 102: C:\Windows\SysWOW64\Hikfbeod.exe (PID 5188), command line C:\Windows\system32\Hikfbeod.exe
level 103: C:\Windows\SysWOW64\Hjjbmhfg.exe (PID 5228), command line C:\Windows\system32\Hjjbmhfg.exe
level 104: C:\Windows\SysWOW64\Hcbgen32.exe (PID 5280), command line C:\Windows\system32\Hcbgen32.exe
level 105: C:\Windows\SysWOW64\Ibhdgjap.exe (PID 5324), command line C:\Windows\system32\Ibhdgjap.exe
- Modifies registry class
level 106: C:\Windows\SysWOW64\Ijfbhflj.exe (PID 5376), command line C:\Windows\system32\Ijfbhflj.exe
level 107: C:\Windows\SysWOW64\Jfalhgni.exe (PID 5420), command line C:\Windows\system32\Jfalhgni.exe
level 108: C:\Windows\SysWOW64\Kfhbifgq.exe (PID 5460), command line C:\Windows\system32\Kfhbifgq.exe
level 109: C:\Windows\SysWOW64\Kmbkfp32.exe (PID 5508), command line C:\Windows\system32\Kmbkfp32.exe
level 110: C:\Windows\SysWOW64\Kilhqq32.exe (PID 5552), command line C:\Windows\system32\Kilhqq32.exe
level 111: C:\Windows\SysWOW64\Kdalni32.exe (PID 5600), command line C:\Windows\system32\Kdalni32.exe
level 112: C:\Windows\SysWOW64\Lmnjan32.exe (PID 5644), command line C:\Windows\system32\Lmnjan32.exe
level 113: C:\Windows\SysWOW64\Ldhbnhlm.exe (PID 5688), command line C:\Windows\system32\Ldhbnhlm.exe
level 114: C:\Windows\SysWOW64\Lmqggncn.exe (PID 5732), command line C:\Windows\system32\Lmqggncn.exe
level 115: C:\Windows\SysWOW64\Ligglo32.exe (PID 5780), command line C:\Windows\system32\Ligglo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
level 116: C:\Windows\SysWOW64\Mjnnmn32.exe (PID 5828), command line C:\Windows\system32\Mjnnmn32.exe
level 117: C:\Windows\SysWOW64\Mddbjg32.exe (PID 5876), command line C:\Windows\system32\Mddbjg32.exe
level 118: C:\Windows\SysWOW64\Majoikof.exe (PID 5928), command line C:\Windows\system32\Majoikof.exe
level 119: C:\Windows\SysWOW64\Mgidgakk.exe (PID 5976), command line C:\Windows\system32\Mgidgakk.exe
- Modifies registry class
level 120: C:\Windows\SysWOW64\Ndmepe32.exe (PID 6016), command line C:\Windows\system32\Ndmepe32.exe
level 121: C:\Windows\SysWOW64\Naaejj32.exe (PID 6060), command line C:\Windows\system32\Naaejj32.exe
level 122: C:\Windows\SysWOW64\Nbfoeiei.exe (PID 6104), command line C:\Windows\system32\Nbfoeiei.exe