Analysis
max time kernel: 168s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/01/2024, 20:30

Static task: static1 (1 signature)
Behavioral task: behavioral1, sample e5bb1444e45b006817a7c64a262e6220.exe, resource win7-20231215-en, 6 signatures, 150 seconds
Behavioral task: behavioral2, sample e5bb1444e45b006817a7c64a262e6220.exe, resource win10v2004-20231215-en, 5 signatures, 150 seconds
General
Target: e5bb1444e45b006817a7c64a262e6220.exe
Size: 896KB
MD5: e5bb1444e45b006817a7c64a262e6220
SHA1: 783f338a38b96af3f544f2a104049f18fea77b7b
SHA256: 463faefc7686aecebc202d2444ae237124978fd16a223b132c85ac14c29a5fd7
SHA512: f5e79659840398a16655fd1d511991f5321c80aa280af1694eea3e6104c1f1e93d3fb4676f66f60945ab644564a89e499f5eed11a52915a7848439d6ae3d723d
SSDEEP: 24576:Dj9TRTGryZ5d9TRTGryaITRTGryZ5d9TRTGryeLTRTGryZ5d9TRTGryaITRTGryb:Dj99bD99wI9bD99e9bD99wI9bD99
Score: 10/10

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each entry gives the nesting depth, the PID, the image path as loaded and, in parentheses, the command line the parent issued. The whole chain is 32-bit, so the C:\Windows\system32\<name>.exe command lines resolve to C:\Windows\SysWOW64\<name>.exe through WOW64 file-system redirection.

- depth 1, PID 4820: C:\Users\Admin\AppData\Local\Temp\e5bb1444e45b006817a7c64a262e6220.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\e5bb1444e45b006817a7c64a262e6220.exe")
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- depth 2, PID 4792: C:\Windows\SysWOW64\Oeffnl32.exe (cmd: C:\Windows\system32\Oeffnl32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 3, PID 812: C:\Windows\SysWOW64\Pfpidk32.exe (cmd: C:\Windows\system32\Pfpidk32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- depth 4, PID 808: C:\Windows\SysWOW64\Afnefieo.exe (cmd: C:\Windows\system32\Afnefieo.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 5, PID 116: C:\Windows\SysWOW64\Anncek32.exe (cmd: C:\Windows\system32\Anncek32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 6, PID 2004: C:\Windows\SysWOW64\Ciogobcm.exe (cmd: C:\Windows\system32\Ciogobcm.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- depth 7, PID 1112: C:\Windows\SysWOW64\Cldjkl32.exe (cmd: C:\Windows\system32\Cldjkl32.exe)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- depth 8, PID 3188: C:\Windows\SysWOW64\Dblnid32.exe (cmd: C:\Windows\system32\Dblnid32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 9, PID 3220: C:\Windows\SysWOW64\Fhiphi32.exe (cmd: C:\Windows\system32\Fhiphi32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- depth 10, PID 4848: C:\Windows\SysWOW64\Geklckkd.exe (cmd: C:\Windows\system32\Geklckkd.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 11, PID 1248: C:\Windows\SysWOW64\Labkempb.exe (cmd: C:\Windows\system32\Labkempb.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 12, PID 4664: C:\Windows\SysWOW64\Lipmoo32.exe (cmd: C:\Windows\system32\Lipmoo32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 13, PID 2896: C:\Windows\SysWOW64\Mpchbhjl.exe (cmd: C:\Windows\system32\Mpchbhjl.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 14, PID 1416: C:\Windows\SysWOW64\Pgihanii.exe (cmd: C:\Windows\system32\Pgihanii.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 15, PID 1692: C:\Windows\SysWOW64\Qkqdnkge.exe (cmd: C:\Windows\system32\Qkqdnkge.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 16, PID 3436: C:\Windows\SysWOW64\Ajodef32.exe (cmd: C:\Windows\system32\Ajodef32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 17, PID 4436: C:\Windows\SysWOW64\Bdgehobe.exe (cmd: C:\Windows\system32\Bdgehobe.exe)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- depth 18, PID 4964: C:\Windows\SysWOW64\Cnhlgc32.exe (cmd: C:\Windows\system32\Cnhlgc32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- depth 19, PID 1572: C:\Windows\SysWOW64\Cjaiac32.exe (cmd: C:\Windows\system32\Cjaiac32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 20, PID 3512: C:\Windows\SysWOW64\Dgmpkg32.exe (cmd: C:\Windows\system32\Dgmpkg32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 21, PID 3460: C:\Windows\SysWOW64\Enedio32.exe (cmd: C:\Windows\system32\Enedio32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 22, PID 4212: C:\Windows\SysWOW64\Eecfah32.exe (cmd: C:\Windows\system32\Eecfah32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 23, PID 2532: C:\Windows\SysWOW64\Hebkid32.exe (cmd: C:\Windows\system32\Hebkid32.exe)
  - Executes dropped EXE
- depth 24, PID 1252: C:\Windows\SysWOW64\Ijgjpaao.exe (cmd: C:\Windows\system32\Ijgjpaao.exe)
  - Executes dropped EXE
- depth 25, PID 4124: C:\Windows\SysWOW64\Jfdafa32.exe (cmd: C:\Windows\system32\Jfdafa32.exe)
  - Executes dropped EXE
- depth 26, PID 4236: C:\Windows\SysWOW64\Lbnggpfj.exe (cmd: C:\Windows\system32\Lbnggpfj.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- depth 27, PID 3540: C:\Windows\SysWOW64\Lbcabo32.exe (cmd: C:\Windows\system32\Lbcabo32.exe)
  - Executes dropped EXE
- depth 28, PID 4784: C:\Windows\SysWOW64\Mbjgcnll.exe (cmd: C:\Windows\system32\Mbjgcnll.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
- depth 29, PID 3384: C:\Windows\SysWOW64\Ofooqinh.exe (cmd: C:\Windows\system32\Ofooqinh.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
- depth 30, PID 4176: C:\Windows\SysWOW64\Qibmoa32.exe (cmd: C:\Windows\system32\Qibmoa32.exe)
  - Executes dropped EXE
- depth 31, PID 3656: C:\Windows\SysWOW64\Alhpkldp.exe (cmd: C:\Windows\system32\Alhpkldp.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- depth 32, PID 4704: C:\Windows\SysWOW64\Bdhkchlg.exe (cmd: C:\Windows\system32\Bdhkchlg.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- depth 33, PID 3400: C:\Windows\SysWOW64\Bnehgmob.exe (cmd: C:\Windows\system32\Bnehgmob.exe)
  - Executes dropped EXE
- depth 34, PID 1520: C:\Windows\SysWOW64\Cjofambd.exe (cmd: C:\Windows\system32\Cjofambd.exe)
  - Executes dropped EXE
- depth 35, PID 3724: C:\Windows\SysWOW64\Cnokmkfh.exe (cmd: C:\Windows\system32\Cnokmkfh.exe)
  - Executes dropped EXE
  - Modifies registry class
- depth 36, PID 4332: C:\Windows\SysWOW64\Dkehlo32.exe (cmd: C:\Windows\system32\Dkehlo32.exe)
  - Executes dropped EXE
- depth 37, PID 4316: C:\Windows\SysWOW64\Dqbadf32.exe (cmd: C:\Windows\system32\Dqbadf32.exe)
  - Executes dropped EXE
- depth 38, PID 2792: C:\Windows\SysWOW64\Djjemlhf.exe (cmd: C:\Windows\system32\Djjemlhf.exe)
  - Executes dropped EXE
- depth 39, PID 3680: C:\Windows\SysWOW64\Dedceddg.exe (cmd: C:\Windows\system32\Dedceddg.exe)
  - Executes dropped EXE
- depth 40, PID 5008: C:\Windows\SysWOW64\Eakdje32.exe (cmd: C:\Windows\system32\Eakdje32.exe)
  - Executes dropped EXE
  - Modifies registry class
- depth 41, PID 1352: C:\Windows\SysWOW64\Fnkdpgnh.exe (cmd: C:\Windows\system32\Fnkdpgnh.exe)
  - Executes dropped EXE
- depth 42, PID 3140: C:\Windows\SysWOW64\Gmggac32.exe (cmd: C:\Windows\system32\Gmggac32.exe)
  - Executes dropped EXE
- depth 43, PID 3768: C:\Windows\SysWOW64\Gjpaffhl.exe (cmd: C:\Windows\system32\Gjpaffhl.exe)
  - Executes dropped EXE
- depth 44, PID 1800: C:\Windows\SysWOW64\Hmecba32.exe (cmd: C:\Windows\system32\Hmecba32.exe)
  - Executes dropped EXE
- depth 45, PID 3276: C:\Windows\SysWOW64\Haeino32.exe (cmd: C:\Windows\system32\Haeino32.exe)
  - Executes dropped EXE
- depth 46, PID 2868: C:\Windows\SysWOW64\Ikpjmd32.exe (cmd: C:\Windows\system32\Ikpjmd32.exe)
  - Executes dropped EXE
- depth 47, PID 4344: C:\Windows\SysWOW64\Ionbcb32.exe (cmd: C:\Windows\system32\Ionbcb32.exe)
  - Executes dropped EXE
  - Modifies registry class
- depth 48, PID 3332: C:\Windows\SysWOW64\Ikechced.exe (cmd: C:\Windows\system32\Ikechced.exe)
  - Executes dropped EXE
- depth 49, PID 1236: C:\Windows\SysWOW64\Lkchpoka.exe (cmd: C:\Windows\system32\Lkchpoka.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- depth 50, PID 1260: C:\Windows\SysWOW64\Lfpcngdo.exe (cmd: C:\Windows\system32\Lfpcngdo.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
- depth 51, PID 2608: C:\Windows\SysWOW64\Mfgiof32.exe (cmd: C:\Windows\system32\Mfgiof32.exe)
  - Executes dropped EXE
- depth 52, PID 5104: C:\Windows\SysWOW64\Mihbpalh.exe (cmd: C:\Windows\system32\Mihbpalh.exe)
  - Executes dropped EXE
- depth 53, PID 1356: C:\Windows\SysWOW64\Mflbjejb.exe (cmd: C:\Windows\system32\Mflbjejb.exe)
  - Executes dropped EXE
- depth 54, PID 4424: C:\Windows\SysWOW64\Neaokboj.exe (cmd: C:\Windows\system32\Neaokboj.exe)
  - Executes dropped EXE
  - Modifies registry class
- depth 55, PID 1064: C:\Windows\SysWOW64\Neclpamg.exe (cmd: C:\Windows\system32\Neclpamg.exe)
  - Executes dropped EXE
- depth 56, PID 1840: C:\Windows\SysWOW64\Npkmcj32.exe (cmd: C:\Windows\system32\Npkmcj32.exe)
  - Executes dropped EXE
  - Modifies registry class
- depth 57, PID 2308: C:\Windows\SysWOW64\Npmjij32.exe (cmd: C:\Windows\system32\Npmjij32.exe)
  - Executes dropped EXE
- depth 58, PID 1440: C:\Windows\SysWOW64\Obnbjdfi.exe (cmd: C:\Windows\system32\Obnbjdfi.exe)
  - Executes dropped EXE
- depth 59, PID 4668: C:\Windows\SysWOW64\Pekkhn32.exe (cmd: C:\Windows\system32\Pekkhn32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- depth 60, PID 3440: C:\Windows\SysWOW64\Aofemaog.exe (cmd: C:\Windows\system32\Aofemaog.exe)
  - Executes dropped EXE
- depth 61, PID 4216: C:\Windows\SysWOW64\Bgfpdmho.exe (cmd: C:\Windows\system32\Bgfpdmho.exe)
  - Executes dropped EXE
- depth 62, PID 4156: C:\Windows\SysWOW64\Cllkcbnl.exe (cmd: C:\Windows\system32\Cllkcbnl.exe)
  - Executes dropped EXE
- depth 63, PID 1392: C:\Windows\SysWOW64\Dlfniafa.exe (cmd: C:\Windows\system32\Dlfniafa.exe)
  - Executes dropped EXE
- depth 64, PID 3844: C:\Windows\SysWOW64\Djlkhe32.exe (cmd: C:\Windows\system32\Djlkhe32.exe)
  - Executes dropped EXE
- depth 65, PID 4272: C:\Windows\SysWOW64\Eqkmpo32.exe (cmd: C:\Windows\system32\Eqkmpo32.exe)
  - Executes dropped EXE
- depth 66, PID 924: C:\Windows\SysWOW64\Ejhkdc32.exe (cmd: C:\Windows\system32\Ejhkdc32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- depth 67, PID 3932: C:\Windows\SysWOW64\Fnhppa32.exe (cmd: C:\Windows\system32\Fnhppa32.exe)
- depth 68, PID 3468: C:\Windows\SysWOW64\Fceihh32.exe (cmd: C:\Windows\system32\Fceihh32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- depth 69, PID 4408: C:\Windows\SysWOW64\Fmmmqnaf.exe (cmd: C:\Windows\system32\Fmmmqnaf.exe)
- depth 70, PID 4052: C:\Windows\SysWOW64\Fgcang32.exe (cmd: C:\Windows\system32\Fgcang32.exe)
- depth 71, PID 1464: C:\Windows\SysWOW64\Fmpjfn32.exe (cmd: C:\Windows\system32\Fmpjfn32.exe)
- depth 72, PID 808: C:\Windows\SysWOW64\Fjcjpb32.exe (cmd: C:\Windows\system32\Fjcjpb32.exe)
- depth 73, PID 440: C:\Windows\SysWOW64\Gcqhcgqi.exe (cmd: C:\Windows\system32\Gcqhcgqi.exe)
  - Modifies registry class
- depth 74, PID 116: C:\Windows\SysWOW64\Gadimkpb.exe (cmd: C:\Windows\system32\Gadimkpb.exe)
- depth 75, PID 1652: C:\Windows\SysWOW64\Gmpcmkaa.exe (cmd: C:\Windows\system32\Gmpcmkaa.exe)
- depth 76, PID 3552: C:\Windows\SysWOW64\Hfmqapcl.exe (cmd: C:\Windows\system32\Hfmqapcl.exe)
- depth 77, PID 1204: C:\Windows\SysWOW64\Hmifcjif.exe (cmd: C:\Windows\system32\Hmifcjif.exe)
- depth 78, PID 224: C:\Windows\SysWOW64\Ihagfb32.exe (cmd: C:\Windows\system32\Ihagfb32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- depth 79, PID 4416: C:\Windows\SysWOW64\Idjdqc32.exe (cmd: C:\Windows\system32\Idjdqc32.exe)
- depth 80, PID 812: C:\Windows\SysWOW64\Jgpfmncg.exe (cmd: C:\Windows\system32\Jgpfmncg.exe)
- depth 81, PID 640: C:\Windows\SysWOW64\Jajdff32.exe (cmd: C:\Windows\system32\Jajdff32.exe)
- depth 82, PID 208: C:\Windows\SysWOW64\Jopaejlo.exe (cmd: C:\Windows\system32\Jopaejlo.exe)
- depth 83, PID 4008: C:\Windows\SysWOW64\Kojdkhdd.exe (cmd: C:\Windows\system32\Kojdkhdd.exe)
  - Drops file in System32 directory
- depth 84, PID 3924: C:\Windows\SysWOW64\Kdfmcobk.exe (cmd: C:\Windows\system32\Kdfmcobk.exe)
- depth 85, PID 2244: C:\Windows\SysWOW64\Lkgkqh32.exe (cmd: C:\Windows\system32\Lkgkqh32.exe)
- depth 86, PID 3556: C:\Windows\SysWOW64\Lhnhplpg.exe (cmd: C:\Windows\system32\Lhnhplpg.exe)
- depth 87, PID 1468: C:\Windows\SysWOW64\Mgceqh32.exe (cmd: C:\Windows\system32\Mgceqh32.exe)
- depth 88, PID 564: C:\Windows\SysWOW64\Mglhgg32.exe (cmd: C:\Windows\system32\Mglhgg32.exe)
- depth 89, PID 2032: C:\Windows\SysWOW64\Nqlbqlmm.exe (cmd: C:\Windows\system32\Nqlbqlmm.exe)
- depth 90, PID 2876: C:\Windows\SysWOW64\Nqnofkkj.exe (cmd: C:\Windows\system32\Nqnofkkj.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- depth 91, PID 3804: C:\Windows\SysWOW64\Oooodcci.exe (cmd: C:\Windows\system32\Oooodcci.exe)
  - Drops file in System32 directory
  - Modifies registry class
- depth 92, PID 3132: C:\Windows\SysWOW64\Oelhljaq.exe (cmd: C:\Windows\system32\Oelhljaq.exe)
- depth 93, PID 624: C:\Windows\SysWOW64\Obdbqm32.exe (cmd: C:\Windows\system32\Obdbqm32.exe)
- depth 94, PID 3220: C:\Windows\SysWOW64\Ophbja32.exe (cmd: C:\Windows\system32\Ophbja32.exe)
- depth 95, PID 3884: C:\Windows\SysWOW64\Oiagcg32.exe (cmd: C:\Windows\system32\Oiagcg32.exe)
- depth 96, PID 1256: C:\Windows\SysWOW64\Ppmleagi.exe (cmd: C:\Windows\system32\Ppmleagi.exe)
- depth 97, PID 1164: C:\Windows\SysWOW64\Ppphkq32.exe (cmd: C:\Windows\system32\Ppphkq32.exe)
  - Modifies registry class
- depth 98, PID 4976: C:\Windows\SysWOW64\Pelacg32.exe (cmd: C:\Windows\system32\Pelacg32.exe)
- depth 99, PID 1636: C:\Windows\SysWOW64\Peajngoi.exe (cmd: C:\Windows\system32\Peajngoi.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- depth 100, PID 1708: C:\Windows\SysWOW64\Aejmdegn.exe (cmd: C:\Windows\system32\Aejmdegn.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- depth 101, PID 4708: C:\Windows\SysWOW64\Apbngn32.exe (cmd: C:\Windows\system32\Apbngn32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- depth 102, PID 456: C:\Windows\SysWOW64\Bplammmf.exe (cmd: C:\Windows\system32\Bplammmf.exe)
  - Drops file in System32 directory
- depth 103, PID 4948: C:\Windows\SysWOW64\Blenhmph.exe (cmd: C:\Windows\system32\Blenhmph.exe)
- depth 104, PID 748: C:\Windows\SysWOW64\Deiblamk.exe (cmd: C:\Windows\system32\Deiblamk.exe)
- depth 105, PID 1692: C:\Windows\SysWOW64\Fcdbmb32.exe (cmd: C:\Windows\system32\Fcdbmb32.exe)
- depth 106, PID 3512: C:\Windows\SysWOW64\Fqjolfda.exe (cmd: C:\Windows\system32\Fqjolfda.exe)
- depth 107, PID 3100: C:\Windows\SysWOW64\Hboaql32.exe (cmd: C:\Windows\system32\Hboaql32.exe)
- depth 108, PID 4944: C:\Windows\SysWOW64\Hmdend32.exe (cmd: C:\Windows\system32\Hmdend32.exe)
  - Drops file in System32 directory
- depth 109, PID 5140: C:\Windows\SysWOW64\Hbanfk32.exe (cmd: C:\Windows\system32\Hbanfk32.exe)
- depth 110, PID 5192: C:\Windows\SysWOW64\Habndbpf.exe (cmd: C:\Windows\system32\Habndbpf.exe)
  - Modifies registry class
- depth 111, PID 5244: C:\Windows\SysWOW64\Hmioicek.exe (cmd: C:\Windows\system32\Hmioicek.exe)
- depth 112, PID 5296: C:\Windows\SysWOW64\Ifcpgiji.exe (cmd: C:\Windows\system32\Ifcpgiji.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- depth 113, PID 5332: C:\Windows\SysWOW64\Iannpa32.exe (cmd: C:\Windows\system32\Iannpa32.exe)
- depth 114, PID 5376: C:\Windows\SysWOW64\Ibojgikg.exe (cmd: C:\Windows\system32\Ibojgikg.exe)
- depth 115, PID 5424: C:\Windows\SysWOW64\Iapjeq32.exe (cmd: C:\Windows\system32\Iapjeq32.exe)
  - Drops file in System32 directory
- depth 116, PID 5472: C:\Windows\SysWOW64\Jmgkja32.exe (cmd: C:\Windows\system32\Jmgkja32.exe)
- depth 117, PID 5524: C:\Windows\SysWOW64\Jfopcgpk.exe (cmd: C:\Windows\system32\Jfopcgpk.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
- depth 118, PID 5572: C:\Windows\SysWOW64\Jbkjcgaj.exe (cmd: C:\Windows\system32\Jbkjcgaj.exe)
  - Drops file in System32 directory
  - Modifies registry class
- depth 119, PID 5612: C:\Windows\SysWOW64\Kilhqq32.exe (cmd: C:\Windows\system32\Kilhqq32.exe)
- depth 120, PID 5660: C:\Windows\SysWOW64\Kgbepdpf.exe (cmd: C:\Windows\system32\Kgbepdpf.exe)
- depth 121, PID 5724: C:\Windows\SysWOW64\Ldmlih32.exe (cmd: C:\Windows\system32\Ldmlih32.exe)
- depth 122, PID 5844: C:\Windows\SysWOW64\Mphfjhjf.exe (cmd: C:\Windows\system32\Mphfjhjf.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup