Analysis
-
max time kernel: 175s
max time network: 195s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 00:01
Static task: static1 (1 signatures)
Behavioral task: behavioral1
- Sample: 07daea469313851d70f15e923506561c.exe
- Resource: win7-20231215-en
- 6 signatures, 150 seconds
Behavioral task: behavioral2
- Sample: 07daea469313851d70f15e923506561c.exe
- Resource: win10v2004-20231215-en
- 5 signatures, 150 seconds
General
-
Target: 07daea469313851d70f15e923506561c.exe
Size: 1.5MB
MD5: 07daea469313851d70f15e923506561c
SHA1: 5e8f363aa4a3bc1948b05549bac0995efbf96bd6
SHA256: 50b23714f9a719ea31a03553d4f7c05b3294eb6b8a01a839e26202a1f7a9e198
SHA512: fc1461ea6d9b0a88756c570dddfe842580e6ce4f076d1569a8a5236a6f27db2ebaa88e92af54b03b65f041e9ab163de4c5c88fb43089166b488ece2f0f5359f2
SSDEEP: 24576:4Cmm0BmmvFimLUm0BmmvFimvTkm0BmmvFimLUm0BmmvFimQ:/iiBiFiBiZ
Score: 10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each entry gives the image path with its nesting level and PID, the command line as recorded, and the signatures that fired for that process.

- C:\Users\Admin\AppData\Local\Temp\07daea469313851d70f15e923506561c.exe (level 1, PID 3988)
  Command line: "C:\Users\Admin\AppData\Local\Temp\07daea469313851d70f15e923506561c.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kjdqhjpf.exe (level 2, PID 4720)
  Command line: C:\Windows\system32\Kjdqhjpf.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Lmnlpcel.exe (level 3, PID 1592)
  Command line: C:\Windows\system32\Lmnlpcel.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Lkbmih32.exe (level 4, PID 5084)
  Command line: C:\Windows\system32\Lkbmih32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Mackfa32.exe (level 5, PID 1444)
  Command line: C:\Windows\system32\Mackfa32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Nggjog32.exe (level 6, PID 4708)
  Command line: C:\Windows\system32\Nggjog32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Pbapom32.exe (level 7, PID 1760)
  Command line: C:\Windows\system32\Pbapom32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Agmehamp.exe (level 8, PID 2952)
  Command line: C:\Windows\system32\Agmehamp.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Bghddp32.exe (level 9, PID 3240)
  Command line: C:\Windows\system32\Bghddp32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ceehcc32.exe (level 10, PID 3748)
  Command line: C:\Windows\system32\Ceehcc32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Chkjpm32.exe (level 11, PID 4304)
  Command line: C:\Windows\system32\Chkjpm32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Dhdmfljb.exe (level 12, PID 1732)
  Command line: C:\Windows\system32\Dhdmfljb.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Eoladdeo.exe (level 13, PID 5024)
  Command line: C:\Windows\system32\Eoladdeo.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Gohapb32.exe (level 14, PID 4488)
  Command line: C:\Windows\system32\Gohapb32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Hjieii32.exe (level 15, PID 4428)
  Command line: C:\Windows\system32\Hjieii32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ijedehgm.exe (level 16, PID 1504)
  Command line: C:\Windows\system32\Ijedehgm.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Iqfcbahb.exe (level 17, PID 2660)
  Command line: C:\Windows\system32\Iqfcbahb.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Jcpojk32.exe (level 18, PID 3416)
  Command line: C:\Windows\system32\Jcpojk32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Kclnfi32.exe (level 19, PID 4700)
  Command line: C:\Windows\system32\Kclnfi32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Mmiealgc.exe (level 20, PID 1240)
  Command line: C:\Windows\system32\Mmiealgc.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Okiefn32.exe (level 21, PID 1948)
  Command line: C:\Windows\system32\Okiefn32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Oajccgmd.exe (level 22, PID 3420)
  Command line: C:\Windows\system32\Oajccgmd.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Pdofpb32.exe (level 23, PID 404)
  Command line: C:\Windows\system32\Pdofpb32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Qgehml32.exe (level 24, PID 4588)
  Command line: C:\Windows\system32\Qgehml32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Qdihfq32.exe (level 25, PID 1320)
  Command line: C:\Windows\system32\Qdihfq32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Bkefphem.exe (level 26, PID 2656)
  Command line: C:\Windows\system32\Bkefphem.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Cbfema32.exe (level 27, PID 1924)
  Command line: C:\Windows\system32\Cbfema32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ejdonq32.exe (level 28, PID 2672)
  Command line: C:\Windows\system32\Ejdonq32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Gbjlgj32.exe (level 29, PID 3616)
  Command line: C:\Windows\system32\Gbjlgj32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Iabodcnj.exe (level 30, PID 4628)
  Command line: C:\Windows\system32\Iabodcnj.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Jchaoe32.exe (level 31, PID 2064)
  Command line: C:\Windows\system32\Jchaoe32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Kjlmbnof.exe (level 32, PID 2900)
  Command line: C:\Windows\system32\Kjlmbnof.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Lopkkdgf.exe (level 33, PID 3436)
  Command line: C:\Windows\system32\Lopkkdgf.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Lcdjba32.exe (level 34, PID 1636)
  Command line: C:\Windows\system32\Lcdjba32.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Mpnglbkf.exe (level 35, PID 3156)
  Command line: C:\Windows\system32\Mpnglbkf.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Njokei32.exe (level 36, PID 3528)
  Command line: C:\Windows\system32\Njokei32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pgknlg32.exe (level 37, PID 2264)
  Command line: C:\Windows\system32\Pgknlg32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Bloflk32.exe (level 38, PID 4272)
  Command line: C:\Windows\system32\Bloflk32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Dmnkdfce.exe (level 39, PID 2212)
  Command line: C:\Windows\system32\Dmnkdfce.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fjphoi32.exe (level 40, PID 1916)
  Command line: C:\Windows\system32\Fjphoi32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fhchhm32.exe (level 41, PID 1784)
  Command line: C:\Windows\system32\Fhchhm32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fmbnfcam.exe (level 42, PID 3480)
  Command line: C:\Windows\system32\Fmbnfcam.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Gdfhil32.exe (level 43, PID 1600)
  Command line: C:\Windows\system32\Gdfhil32.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Gehbio32.exe (level 44, PID 1384)
  Command line: C:\Windows\system32\Gehbio32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Hlmiagbo.exe (level 45, PID 2632)
  Command line: C:\Windows\system32\Hlmiagbo.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ioeicajh.exe (level 46, PID 2268)
  Command line: C:\Windows\system32\Ioeicajh.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Jakkplbc.exe (level 47, PID 1652)
  Command line: C:\Windows\system32\Jakkplbc.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Lfimmhkg.exe (level 48, PID 4964)
  Command line: C:\Windows\system32\Lfimmhkg.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Lohggm32.exe (level 49, PID 3464)
  Command line: C:\Windows\system32\Lohggm32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nmjdaoni.exe (level 50, PID 1436)
  Command line: C:\Windows\system32\Nmjdaoni.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nblfee32.exe (level 51, PID 1228)
  Command line: C:\Windows\system32\Nblfee32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Nnbfjf32.exe (level 52, PID 4824)
  Command line: C:\Windows\system32\Nnbfjf32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Obeikc32.exe (level 53, PID 2000)
  Command line: C:\Windows\system32\Obeikc32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pifghmae.exe (level 54, PID 3660)
  Command line: C:\Windows\system32\Pifghmae.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pbokab32.exe (level 55, PID 4812)
  Command line: C:\Windows\system32\Pbokab32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Qpibke32.exe (level 56, PID 4252)
  Command line: C:\Windows\system32\Qpibke32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Bomknp32.exe (level 57, PID 4456)
  Command line: C:\Windows\system32\Bomknp32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Cnealfkf.exe (level 58, PID 5040)
  Command line: C:\Windows\system32\Cnealfkf.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Cjpllgme.exe (level 59, PID 4720)
  Command line: C:\Windows\system32\Cjpllgme.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Doidql32.exe (level 60, PID 3012)
  Command line: C:\Windows\system32\Doidql32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fgqehgco.exe (level 61, PID 4348)
  Command line: C:\Windows\system32\Fgqehgco.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Gpelchhp.exe (level 62, PID 836)
  Command line: C:\Windows\system32\Gpelchhp.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Imnoni32.exe (level 63, PID 2344)
  Command line: C:\Windows\system32\Imnoni32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Jahgpf32.exe (level 64, PID 228)
  Command line: C:\Windows\system32\Jahgpf32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Jolhjj32.exe (level 65, PID 2864)
  Command line: C:\Windows\system32\Jolhjj32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Kdmjmqjf.exe (level 66, PID 3440)
  Command line: C:\Windows\system32\Kdmjmqjf.exe
- C:\Windows\SysWOW64\Ldiiio32.exe (level 67, PID 1608)
  Command line: C:\Windows\system32\Ldiiio32.exe
  - Modifies registry class
- C:\Windows\SysWOW64\Lonnfg32.exe (level 68, PID 3356)
  Command line: C:\Windows\system32\Lonnfg32.exe
- C:\Windows\SysWOW64\Ldkfno32.exe (level 69, PID 3748)
  Command line: C:\Windows\system32\Ldkfno32.exe
- C:\Windows\SysWOW64\Mgceqh32.exe (level 70, PID 2608)
  Command line: C:\Windows\system32\Mgceqh32.exe
- C:\Windows\SysWOW64\Moacbe32.exe (level 71, PID 4672)
  Command line: C:\Windows\system32\Moacbe32.exe
- C:\Windows\SysWOW64\Mdnlkl32.exe (level 72, PID 2772)
  Command line: C:\Windows\system32\Mdnlkl32.exe
- C:\Windows\SysWOW64\Nbdijpjh.exe (level 73, PID 4956)
  Command line: C:\Windows\system32\Nbdijpjh.exe
- C:\Windows\SysWOW64\Negoaj32.exe (level 74, PID 2872)
  Command line: C:\Windows\system32\Negoaj32.exe
- C:\Windows\SysWOW64\Nqnofkkj.exe (level 75, PID 2756)
  Command line: C:\Windows\system32\Nqnofkkj.exe
- C:\Windows\SysWOW64\Oooodcci.exe (level 76, PID 5036)
  Command line: C:\Windows\system32\Oooodcci.exe
- C:\Windows\SysWOW64\Oeekbhif.exe (level 77, PID 552)
  Command line: C:\Windows\system32\Oeekbhif.exe
  - Modifies registry class
- C:\Windows\SysWOW64\Ppkopail.exe (level 78, PID 1976)
  Command line: C:\Windows\system32\Ppkopail.exe
- C:\Windows\SysWOW64\Pihmcflg.exe (level 79, PID 220)
  Command line: C:\Windows\system32\Pihmcflg.exe
- C:\Windows\SysWOW64\Ppdbfpaa.exe (level 80, PID 1380)
  Command line: C:\Windows\system32\Ppdbfpaa.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Peajngoi.exe (level 81, PID 2972)
  Command line: C:\Windows\system32\Peajngoi.exe
- C:\Windows\SysWOW64\Aemjjeek.exe (level 82, PID 2420)
  Command line: C:\Windows\system32\Aemjjeek.exe
- C:\Windows\SysWOW64\Abqjci32.exe (level 83, PID 2844)
  Command line: C:\Windows\system32\Abqjci32.exe
- C:\Windows\SysWOW64\Alioloje.exe (level 84, PID 3148)
  Command line: C:\Windows\system32\Alioloje.exe
- C:\Windows\SysWOW64\Blkkaohc.exe (level 85, PID 4212)
  Command line: C:\Windows\system32\Blkkaohc.exe
- C:\Windows\SysWOW64\Blnhgn32.exe (level 86, PID 4280)
  Command line: C:\Windows\system32\Blnhgn32.exe
- C:\Windows\SysWOW64\Chlomnfl.exe (level 87, PID 4532)
  Command line: C:\Windows\system32\Chlomnfl.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Ccacjgfb.exe (level 88, PID 3364)
  Command line: C:\Windows\system32\Ccacjgfb.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Cpedckdl.exe (level 89, PID 4016)
  Command line: C:\Windows\system32\Cpedckdl.exe
- C:\Windows\SysWOW64\Cebllbcc.exe (level 90, PID 4528)
  Command line: C:\Windows\system32\Cebllbcc.exe
- C:\Windows\SysWOW64\Ccfmef32.exe (level 91, PID 4708)
  Command line: C:\Windows\system32\Ccfmef32.exe
- C:\Windows\SysWOW64\Cakjfcfe.exe (level 92, PID 2460)
  Command line: C:\Windows\system32\Cakjfcfe.exe
  - Modifies registry class
- C:\Windows\SysWOW64\Clqncl32.exe (level 93, PID 4084)
  Command line: C:\Windows\system32\Clqncl32.exe
- C:\Windows\SysWOW64\Dekobaki.exe (level 94, PID 1240)
  Command line: C:\Windows\system32\Dekobaki.exe
- C:\Windows\SysWOW64\Dpqcoj32.exe (level 95, PID 3892)
  Command line: C:\Windows\system32\Dpqcoj32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Dpcpei32.exe (level 96, PID 1104)
  Command line: C:\Windows\system32\Dpcpei32.exe
- C:\Windows\SysWOW64\Dfphmp32.exe (level 97, PID 3416)
  Command line: C:\Windows\system32\Dfphmp32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Dpemjifi.exe (level 98, PID 2304)
  Command line: C:\Windows\system32\Dpemjifi.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Djnaco32.exe (level 99, PID 1892)
  Command line: C:\Windows\system32\Djnaco32.exe
- C:\Windows\SysWOW64\Elojej32.exe (level 100, PID 5116)
  Command line: C:\Windows\system32\Elojej32.exe
- C:\Windows\SysWOW64\Eplckh32.exe (level 101, PID 4488)
  Command line: C:\Windows\system32\Eplckh32.exe
- C:\Windows\SysWOW64\Ehhgpj32.exe (level 102, PID 3988)
  Command line: C:\Windows\system32\Ehhgpj32.exe
- C:\Windows\SysWOW64\Ecmlmcmb.exe (level 103, PID 5064)
  Command line: C:\Windows\system32\Ecmlmcmb.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- C:\Windows\SysWOW64\Elepei32.exe (level 104, PID 3692)
  Command line: C:\Windows\system32\Elepei32.exe
- C:\Windows\SysWOW64\Efnennjc.exe (level 105, PID 1504)
  Command line: C:\Windows\system32\Efnennjc.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Fjlmdmqj.exe (level 106, PID 4344)
  Command line: C:\Windows\system32\Fjlmdmqj.exe
- C:\Windows\SysWOW64\Fcdbmb32.exe (level 107, PID 3420)
  Command line: C:\Windows\system32\Fcdbmb32.exe
- C:\Windows\SysWOW64\Fqhbgf32.exe (level 108, PID 4420)
  Command line: C:\Windows\system32\Fqhbgf32.exe
  - Drops file in System32 directory
  - Modifies registry class
- C:\Windows\SysWOW64\Fqjolfda.exe (level 109, PID 5160)
  Command line: C:\Windows\system32\Fqjolfda.exe
- C:\Windows\SysWOW64\Ffggdmbi.exe (level 110, PID 5204)
  Command line: C:\Windows\system32\Ffggdmbi.exe
- C:\Windows\SysWOW64\Foplnb32.exe (level 111, PID 5244)
  Command line: C:\Windows\system32\Foplnb32.exe
- C:\Windows\SysWOW64\Gqohge32.exe (level 112, PID 5296)
  Command line: C:\Windows\system32\Gqohge32.exe
- C:\Windows\SysWOW64\Hmaihekc.exe (level 113, PID 5340)
  Command line: C:\Windows\system32\Hmaihekc.exe
- C:\Windows\SysWOW64\Hboaql32.exe (level 114, PID 5380)
  Command line: C:\Windows\system32\Hboaql32.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Hbanfk32.exe (level 115, PID 5444)
  Command line: C:\Windows\system32\Hbanfk32.exe
- C:\Windows\SysWOW64\Hfacai32.exe (level 116, PID 5484)
  Command line: C:\Windows\system32\Hfacai32.exe
- C:\Windows\SysWOW64\Ibhdgjap.exe (level 117, PID 5528)
  Command line: C:\Windows\system32\Ibhdgjap.exe
- C:\Windows\SysWOW64\Icgqqmib.exe (level 118, PID 5564)
  Command line: C:\Windows\system32\Icgqqmib.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Iakajagl.exe (level 119, PID 5616)
  Command line: C:\Windows\system32\Iakajagl.exe
- C:\Windows\SysWOW64\Ifhibhfc.exe (level 120, PID 5656)
  Command line: C:\Windows\system32\Ifhibhfc.exe
- C:\Windows\SysWOW64\Ipqnknld.exe (level 121, PID 5696)
  Command line: C:\Windows\system32\Ipqnknld.exe
- C:\Windows\SysWOW64\Ijfbhflj.exe (level 122, PID 5740)
  Command line: C:\Windows\system32\Ijfbhflj.exe
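Two things in this report reward a script rather than eyeballing. The flattened "wrote to memory of" events above the tree show every parent writing into the child it just spawned, three events per hop. The tree itself shows that every child after the first is a dropped EXE whose image lives under C:\Windows\SysWOW64 while its command line is spelled C:\Windows\system32 (WoW64 file-system redirection for a 32-bit process), and that PIDs are recycled within the run: 3748 is Ceehcc32.exe at level 10 and Ldkfno32.exe at level 69, so correlating by PID alone would merge two different processes. The Python below is an added example, not code from the report or from the sandbox vendor. It assumes the line formats exactly as they appear on this page, embeds a few of the report's own lines as constructed sample input, and treats the trailing number on each write event as the sandbox's own target-process index, which the report does not state.

```python
"""Triage helpers for a sandbox process tree like the one in this report.

Added example; not part of the report and not any sandbox vendor's code.
It parses "PID A wrote to memory of B A image.exe N" events and fused tree
headers "<image><command line><level>⤵", then rebuilds the injection chain,
counts writes per edge, flags recycled PIDs and flags WoW64 redirection.
"""
import re
from collections import Counter

# Assumption (the report does not say): the trailing number on a write event
# is the sandbox's own index for the target process. It is parsed, not used.
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
# Header: image path, command line (optionally quoted), nesting level, glyph,
# and, for entries with no signatures, the PID fused onto the same line.
HEADER_RE = re.compile(
    r'^(?P<image>\S+?\.exe)(?P<cmd>"?[^"⤵]+\.exe"?)(?P<level>\d+)⤵(?:PID:(?P<pid>\d+))?\s*$'
)
PID_RE = re.compile(r"^PID:(\d+)")

# Constructed sample input: write events copied from this report's list.
SAMPLE_WRITES = """
PID 1732 wrote to memory of 5024 1732 Dhdmfljb.exe 102
PID 1732 wrote to memory of 5024 1732 Dhdmfljb.exe 102
PID 5024 wrote to memory of 4488 5024 Eoladdeo.exe 103
PID 5024 wrote to memory of 4488 5024 Eoladdeo.exe 103
PID 5024 wrote to memory of 4488 5024 Eoladdeo.exe 103
PID 4488 wrote to memory of 4428 4488 Gohapb32.exe 104
PID 4488 wrote to memory of 4428 4488 Gohapb32.exe 104
PID 4488 wrote to memory of 4428 4488 Gohapb32.exe 104
PID 4428 wrote to memory of 1504 4428 Hjieii32.exe 105
PID 4428 wrote to memory of 1504 4428 Hjieii32.exe 105
PID 4428 wrote to memory of 1504 4428 Hjieii32.exe 105
"""

# Constructed sample input: three tree entries in the report's fused form,
# including the PID 3748 that the report attaches to two different images.
SAMPLE_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\07daea469313851d70f15e923506561c.exe"C:\Users\Admin\AppData\Local\Temp\07daea469313851d70f15e923506561c.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\SysWOW64\Ceehcc32.exeC:\Windows\system32\Ceehcc32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\Ldkfno32.exeC:\Windows\system32\Ldkfno32.exe69⤵PID:3748
"""


def parse_writes(text):
    """Return (writer_pid, target_pid, writer_image, target_index) per event."""
    out = []
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            out.append((int(m[1]), int(m[2]), m[3], int(m[4])))
    return out


def write_edges(events):
    """Count WriteProcessMemory events per (writer_pid, target_pid) edge."""
    return Counter((w, t) for w, t, _, _ in events)


def injection_chain(events, root_pid):
    """Follow writer -> target links from root_pid; return PIDs in order.

    Every hop in the report is a process that both spawned and wrote into
    the next one, so a linear chain is expected; a writer with two targets
    is reported rather than silently picking one.
    """
    child = {}
    for w, t, _, _ in events:
        if child.setdefault(w, t) != t:
            raise ValueError(f"PID {w} wrote into more than one process")
    chain, seen = [root_pid], set()
    while chain[-1] in child and chain[-1] not in seen:
        seen.add(chain[-1])
        chain.append(child[chain[-1]])
    return chain


def parse_tree(text):
    """Split fused tree text into dicts: image, cmd, level, pid, signatures."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        h, p = HEADER_RE.match(line), PID_RE.match(line)
        if h:
            cur = {"image": h["image"], "cmd": h["cmd"].strip('"'),
                   "level": int(h["level"]),
                   "pid": int(h["pid"]) if h["pid"] else None, "signatures": []}
            procs.append(cur)
        elif cur is not None and p:
            cur["pid"] = int(p[1])
        elif cur is not None and line.startswith("- "):
            cur["signatures"].append(line[2:])
    return procs


def reused_pids(procs):
    """PIDs attached to more than one entry. Windows recycles PIDs, so key
    on (pid, image, start time) when correlating, never on PID alone."""
    counts = Counter(p["pid"] for p in procs)
    return sorted(pid for pid, n in counts.items() if n > 1)


def wow64_redirected(procs):
    """Images under SysWOW64 whose command line names system32: the 32-bit
    process asked for system32 and the WoW64 layer redirected the path."""
    return [p["image"] for p in procs
            if "\\syswow64\\" in p["image"].lower()
            and "\\system32\\" in p["cmd"].lower()]


if __name__ == "__main__":
    events = parse_writes(SAMPLE_WRITES)
    print("chain:", injection_chain(events, 1732))
    print("writes per edge:", dict(write_edges(events)))
    procs = parse_tree(SAMPLE_TREE)
    print("recycled PIDs:", reused_pids(procs))
    print("WoW64-redirected:", wow64_redirected(procs))
```

Run against the full report, `injection_chain` should walk all 122 levels from PID 3988 as long as the "wrote to memory of" list is complete; a break in the chain means a hop that spawned its child without writing into it, which is worth a second look. `reused_pids` is the reason to join the write events and the tree on image name plus PID rather than PID alone.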