Analysis
-
max time kernel
178s -
max time network
182s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
05/04/2024, 01:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e5022e03e6e935f7dbfc98bb72605735bb265f7ee0b25fe1cacbf5d0239d89d0.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
e5022e03e6e935f7dbfc98bb72605735bb265f7ee0b25fe1cacbf5d0239d89d0.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
e5022e03e6e935f7dbfc98bb72605735bb265f7ee0b25fe1cacbf5d0239d89d0.exe
-
Size
85KB
-
MD5
3853a4156da3478d8ef02c312e8a2425
-
SHA1
bcce6cddc4d75912dc4c2211b016f520d647cb6f
-
SHA256
e5022e03e6e935f7dbfc98bb72605735bb265f7ee0b25fe1cacbf5d0239d89d0
-
SHA512
42b13cbdd8c9152bcdf9341dcd853ebe663c48d38098dfb6af8edd6635d6c6f5a63ba38aa5dee0855511ddce97d198927343ae626175106a939a0cbf48f2cb2b
-
SSDEEP
1536:J07o+fBrU4nYaB1vtzLhItR1Tmzl2LHBMQ262AjCsQ2PCZZrqOlNfVSLUK+:JMrpfxhmczWHBMQH2qC7ZQOlzSLUK+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebkbbmqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbniai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcknpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmjqjqao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nciojeem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjhfgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mphoob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdddjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anobaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngbeok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cafhap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Embkhn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjopmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpefaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpandm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agndidce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nicalpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffeaichg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inecac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljfodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdaomobj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clbmfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jijhom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgefogop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikmnec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjjjhifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noopof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abonimmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nakhkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epgpajdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmpjfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkhdjdgq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikokkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dibmfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemlap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paelpcgc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmnkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdehep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpniaool.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nahgik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flinddpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnogmkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amdbffme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbmclobc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnfcbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glpdecjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmfpeoga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpgigj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjnoggoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kijjldkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lebalokn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dklhmlac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlcgam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leihlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nadlnoaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhfcbfdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afmmibga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqfbihll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odpjhfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgkbfjeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eopbghnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhgneqha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njdeklca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmphkg32.exe -
Executes dropped EXE 64 IoCs
pid Process 2196 Edgbii32.exe 776 Ebkbbmqj.exe 2724 Ekcgkb32.exe 2940 Johggfha.exe 1980 Bbhildae.exe 3636 Fkemfl32.exe 4100 Lbhool32.exe 3996 Pkmhgh32.exe 3752 Acdioc32.exe 884 Dpefaq32.exe 1912 Debnjgcp.exe 3532 Ddcogo32.exe 1936 Dmkcpdao.exe 4680 Defheg32.exe 1120 Dgfdojfm.exe 4940 Dmplkd32.exe 3836 Eleimp32.exe 2860 Eennefib.exe 3476 Epcbbohh.exe 4268 Ecdkdj32.exe 2928 Epjhcnbp.exe 708 Eegqldqg.exe 4488 Fgfmeg32.exe 2660 Fnqebaog.exe 2668 Fcmnkh32.exe 2224 Fpandm32.exe 2192 Fneoma32.exe 3464 Fgncff32.exe 1968 Mehafq32.exe 2156 Qbkcek32.exe 3492 Qghlmbae.exe 3972 Qfilkj32.exe 816 Agmehamp.exe 900 Ailabddb.exe 2244 Anijjkbj.exe 216 Aecbge32.exe 2500 Bbniai32.exe 4748 Bihancje.exe 3852 Beobcdoi.exe 1208 Bkhjpn32.exe 1848 Bbbblhnc.exe 3628 Bgokdomj.exe 4484 Bnicai32.exe 1116 Chddpn32.exe 4880 Cbihmg32.exe 1056 Cehdib32.exe 3368 Clbmfm32.exe 1988 Mhmmieil.exe 3580 Qjeaog32.exe 464 Ghdhja32.exe 3680 Kblkap32.exe 5068 Nlnkgbhp.exe 544 Ncecioib.exe 4024 Anqfepaj.exe 3348 Adjnaj32.exe 3600 Ajggjq32.exe 2480 Apaofk32.exe 3668 Agndidce.exe 980 Ajlpepbi.exe 4136 Akkmocjl.exe 2428 Aphegjhc.exe 228 Bjqjpp32.exe 3304 Bloflk32.exe 3780 Bcinie32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cnahbk32.exe Ccldebeo.exe File created C:\Windows\SysWOW64\Hfmigmgf.exe Hkhdjdgq.exe File opened for modification C:\Windows\SysWOW64\Fiilmofe.exe Embkhn32.exe File opened for modification C:\Windows\SysWOW64\Dkmebh32.exe Cjlijp32.exe File created C:\Windows\SysWOW64\Qkgnqm32.dll Fjmkhkff.exe File opened for modification C:\Windows\SysWOW64\Cgiflnoa.exe Chfepa32.exe File created C:\Windows\SysWOW64\Gcmghl32.dll Bhdilold.exe File created C:\Windows\SysWOW64\Fphneijl.exe Fmiaimki.exe File created C:\Windows\SysWOW64\Lhohahlh.dll Gehbcb32.exe File created C:\Windows\SysWOW64\Gfgnnedj.exe Gpnfak32.exe File opened for modification C:\Windows\SysWOW64\Johggfha.exe Ekcgkb32.exe File opened for modification C:\Windows\SysWOW64\Mfkkjbnn.exe Moacnh32.exe File created C:\Windows\SysWOW64\Obdkak32.exe Ocakenif.exe File created C:\Windows\SysWOW64\Abokkkac.dll Dgfdojfm.exe File opened for modification C:\Windows\SysWOW64\Ccldebeo.exe Cqmgigfk.exe File created C:\Windows\SysWOW64\Gfgfmp32.dll Igcojdhp.exe File created C:\Windows\SysWOW64\Gackgo32.dll Aebhaede.exe File opened for modification C:\Windows\SysWOW64\Plkpmlfi.exe Phodlm32.exe File created C:\Windows\SysWOW64\Pcnhfi32.exe Ofjgmdgg.exe File created C:\Windows\SysWOW64\Kffphhmj.exe Dmknog32.exe File created C:\Windows\SysWOW64\Bdendn32.dll Fcgemhic.exe File created C:\Windows\SysWOW64\Pollccqh.dll Jijhom32.exe File created C:\Windows\SysWOW64\Hbmclobc.exe Hkckoe32.exe File opened for modification C:\Windows\SysWOW64\Bjjjhifm.exe Bgknlmgi.exe File opened for modification C:\Windows\SysWOW64\Clbmfm32.exe Cehdib32.exe File created C:\Windows\SysWOW64\Hjeodp32.dll Mhmmieil.exe File created C:\Windows\SysWOW64\Nahgik32.exe Nbefmopd.exe File created C:\Windows\SysWOW64\Aoeleelp.exe Ahkdhk32.exe File opened for modification C:\Windows\SysWOW64\Iikmlnae.exe Igmqpbab.exe File created C:\Windows\SysWOW64\Ejngcgpo.dll Mikjmhaq.exe File created C:\Windows\SysWOW64\Aphegjhc.exe Akkmocjl.exe File opened for modification C:\Windows\SysWOW64\Bjielh32.exe Bgkipl32.exe File opened for modification C:\Windows\SysWOW64\Ilafcomm.exe Igdnkhoe.exe File created C:\Windows\SysWOW64\Glghpa32.dll Obikgppg.exe File opened for modification C:\Windows\SysWOW64\Kijjldkh.exe Kpbfbo32.exe File opened for modification C:\Windows\SysWOW64\Bdmmnd32.exe Bopefnnf.exe File created C:\Windows\SysWOW64\Kkjqkhld.dll Jelioh32.exe File created C:\Windows\SysWOW64\Lecnkice.dll Lnlloj32.exe File created C:\Windows\SysWOW64\Iibjdooa.dll Efdjqeni.exe File opened for modification C:\Windows\SysWOW64\Fbcfan32.exe Flinddpj.exe File opened for modification C:\Windows\SysWOW64\Ioeineap.exe Ipbhch32.exe File created C:\Windows\SysWOW64\Hjfjqj32.dll Mlifgfnj.exe File opened for modification C:\Windows\SysWOW64\Paelpcgc.exe Pkkdci32.exe File opened for modification C:\Windows\SysWOW64\Fgfmeg32.exe Eegqldqg.exe File created C:\Windows\SysWOW64\Qbkcek32.exe Mehafq32.exe File created C:\Windows\SysWOW64\Fgekcecd.dll Bcpdidol.exe File created C:\Windows\SysWOW64\Kgjggkqi.exe Kelkkpae.exe File created C:\Windows\SysWOW64\Cghemnje.dll Hkpqdifa.exe File created C:\Windows\SysWOW64\Kcikagij.exe Kknfmdko.exe File created C:\Windows\SysWOW64\Boffej32.dll Lmpkkjcj.exe File created C:\Windows\SysWOW64\Mjcjof32.dll Ebdcejpk.exe File created C:\Windows\SysWOW64\Gnlmai32.exe Fmjqjqao.exe File created C:\Windows\SysWOW64\Jihcig32.dll Ipbhch32.exe File opened for modification C:\Windows\SysWOW64\Oqhooh32.exe Ojnfbnbl.exe File created C:\Windows\SysWOW64\Llqmbp32.dll Fcmnkh32.exe File created C:\Windows\SysWOW64\Fjkchf32.dll Bjielh32.exe File created C:\Windows\SysWOW64\Khknaa32.exe Knbiil32.exe File created C:\Windows\SysWOW64\Ioljaael.dll Fkkemble.exe File opened for modification C:\Windows\SysWOW64\Oicccj32.exe Obikgppg.exe File opened for modification C:\Windows\SysWOW64\Bmokgnol.exe Behbfqoj.exe File created C:\Windows\SysWOW64\Bbhildae.exe Johggfha.exe File created C:\Windows\SysWOW64\Flohdkpg.dll Pchljlpo.exe File created C:\Windows\SysWOW64\Ahkdhk32.exe Qoboofnb.exe File created C:\Windows\SysWOW64\Qdldlp32.dll Aeodapcl.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phombg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbniai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmjqjqao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kknfmdko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jceheoop.dll" Apekha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idmafn32.dll" Fgncff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djgbmffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkpqdifa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgkgfgde.dll" Cpdgjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfjbic32.dll" Cmpoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkjqkhld.dll" Jelioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imieibie.dll" Llemnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfoadqde.dll" Hkmdoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beglpldq.dll" Illmho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhenko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cqmgigfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlafpoch.dll" Dcnqkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iickdgpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momhii32.dll" Dibmfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anqdigmo.dll" Oiakpheo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgqfmcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfkehcl.dll" Anobaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcomef32.dll" Eecpaeoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebkbbmqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjielh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqlkon32.dll" Bdjjnoje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkjikd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngkocc32.dll" Qanhkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpfkiepp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abedil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbefmopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdmohnhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeeded32.dll" Cgiflnoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjmbckp.dll" Ppbekd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikqqfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fphnff32.dll" Obgccn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjedpkne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihdaoajd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhphfppl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjemcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhlkbe32.dll" Behbfqoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iejecf32.dll" Cbihmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npajmk32.dll" Beippj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjjcof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oehldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjohnkdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnhegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcdcia32.dll" Mohbcamn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nojeqbeo.dll" Aecbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djgbmffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liaqlcep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjdgp32.dll" Lobpadoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdepaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbjonepq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojcghc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajjoej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqmgigfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klgmoe32.dll" Lpmfnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llpmhodc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjinog.dll" Lcjchd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndddeknc.dll" Pcnhfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cieoen32.dll" Pkmhgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccmbkmgd.dll" Cjjcof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjekp32.dll" Cfglahbj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3780 wrote to memory of 2196 3780 e5022e03e6e935f7dbfc98bb72605735bb265f7ee0b25fe1cacbf5d0239d89d0.exe 85 PID 3780 wrote to memory of 2196 3780 e5022e03e6e935f7dbfc98bb72605735bb265f7ee0b25fe1cacbf5d0239d89d0.exe 85 PID 3780 wrote to memory of 2196 3780 e5022e03e6e935f7dbfc98bb72605735bb265f7ee0b25fe1cacbf5d0239d89d0.exe 85 PID 2196 wrote to memory of 776 2196 Edgbii32.exe 86 PID 2196 wrote to memory of 776 2196 Edgbii32.exe 86 PID 2196 wrote to memory of 776 2196 Edgbii32.exe 86 PID 776 wrote to memory of 2724 776 Ebkbbmqj.exe 89 PID 776 wrote to memory of 2724 776 Ebkbbmqj.exe 89 PID 776 wrote to memory of 2724 776 Ebkbbmqj.exe 89 PID 2724 wrote to memory of 2940 2724 Ekcgkb32.exe 91 PID 2724 wrote to memory of 2940 2724 Ekcgkb32.exe 91 PID 2724 wrote to memory of 2940 2724 Ekcgkb32.exe 91 PID 2940 wrote to memory of 1980 2940 Johggfha.exe 92 PID 2940 wrote to memory of 1980 2940 Johggfha.exe 92 PID 2940 wrote to memory of 1980 2940 Johggfha.exe 92 PID 1980 wrote to memory of 3636 1980 Bbhildae.exe 93 PID 1980 wrote to memory of 3636 1980 Bbhildae.exe 93 PID 1980 wrote to memory of 3636 1980 Bbhildae.exe 93 PID 3636 wrote to memory of 4100 3636 Fkemfl32.exe 95 PID 3636 wrote to memory of 4100 3636 Fkemfl32.exe 95 PID 3636 wrote to memory of 4100 3636 Fkemfl32.exe 95 PID 4100 wrote to memory of 3996 4100 Lbhool32.exe 97 PID 4100 wrote to memory of 3996 4100 Lbhool32.exe 97 PID 4100 wrote to memory of 3996 4100 Lbhool32.exe 97 PID 3996 wrote to memory of 3752 3996 Pkmhgh32.exe 99 PID 3996 wrote to memory of 3752 3996 Pkmhgh32.exe 99 PID 3996 wrote to memory of 3752 3996 Pkmhgh32.exe 99 PID 3752 wrote to memory of 884 3752 Acdioc32.exe 100 PID 3752 wrote to memory of 884 3752 Acdioc32.exe 100 PID 3752 wrote to memory of 884 3752 Acdioc32.exe 100 PID 884 wrote to memory of 1912 884 Dpefaq32.exe 101 PID 884 wrote to memory of 1912 884 Dpefaq32.exe 101 PID 884 wrote to memory of 1912 884 Dpefaq32.exe 101 PID 1912 wrote to memory of 3532 1912 Debnjgcp.exe 102 PID 1912 wrote to memory of 3532 1912 Debnjgcp.exe 102 PID 1912 wrote to memory of 3532 1912 Debnjgcp.exe 102 PID 3532 wrote to memory of 1936 3532 Ddcogo32.exe 103 PID 3532 wrote to memory of 1936 3532 Ddcogo32.exe 103 PID 3532 wrote to memory of 1936 3532 Ddcogo32.exe 103 PID 1936 wrote to memory of 4680 1936 Dmkcpdao.exe 104 PID 1936 wrote to memory of 4680 1936 Dmkcpdao.exe 104 PID 1936 wrote to memory of 4680 1936 Dmkcpdao.exe 104 PID 4680 wrote to memory of 1120 4680 Defheg32.exe 105 PID 4680 wrote to memory of 1120 4680 Defheg32.exe 105 PID 4680 wrote to memory of 1120 4680 Defheg32.exe 105 PID 1120 wrote to memory of 4940 1120 Dgfdojfm.exe 106 PID 1120 wrote to memory of 4940 1120 Dgfdojfm.exe 106 PID 1120 wrote to memory of 4940 1120 Dgfdojfm.exe 106 PID 4940 wrote to memory of 3836 4940 Dmplkd32.exe 107 PID 4940 wrote to memory of 3836 4940 Dmplkd32.exe 107 PID 4940 wrote to memory of 3836 4940 Dmplkd32.exe 107 PID 3836 wrote to memory of 2860 3836 Eleimp32.exe 108 PID 3836 wrote to memory of 2860 3836 Eleimp32.exe 108 PID 3836 wrote to memory of 2860 3836 Eleimp32.exe 108 PID 2860 wrote to memory of 3476 2860 Eennefib.exe 109 PID 2860 wrote to memory of 3476 2860 Eennefib.exe 109 PID 2860 wrote to memory of 3476 2860 Eennefib.exe 109 PID 3476 wrote to memory of 4268 3476 Epcbbohh.exe 110 PID 3476 wrote to memory of 4268 3476 Epcbbohh.exe 110 PID 3476 wrote to memory of 4268 3476 Epcbbohh.exe 110 PID 4268 wrote to memory of 2928 4268 Ecdkdj32.exe 111 PID 4268 wrote to memory of 2928 4268 Ecdkdj32.exe 111 PID 4268 wrote to memory of 2928 4268 Ecdkdj32.exe 111 PID 2928 wrote to memory of 708 2928 Epjhcnbp.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5022e03e6e935f7dbfc98bb72605735bb265f7ee0b25fe1cacbf5d0239d89d0.exe"C:\Users\Admin\AppData\Local\Temp\e5022e03e6e935f7dbfc98bb72605735bb265f7ee0b25fe1cacbf5d0239d89d0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\Edgbii32.exeC:\Windows\system32\Edgbii32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Ebkbbmqj.exeC:\Windows\system32\Ebkbbmqj.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Ekcgkb32.exeC:\Windows\system32\Ekcgkb32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Johggfha.exeC:\Windows\system32\Johggfha.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Bbhildae.exeC:\Windows\system32\Bbhildae.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Fkemfl32.exeC:\Windows\system32\Fkemfl32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\SysWOW64\Lbhool32.exeC:\Windows\system32\Lbhool32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Pkmhgh32.exeC:\Windows\system32\Pkmhgh32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Acdioc32.exeC:\Windows\system32\Acdioc32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Dpefaq32.exeC:\Windows\system32\Dpefaq32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Debnjgcp.exeC:\Windows\system32\Debnjgcp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Ddcogo32.exeC:\Windows\system32\Ddcogo32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\Dmkcpdao.exeC:\Windows\system32\Dmkcpdao.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Defheg32.exeC:\Windows\system32\Defheg32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Dgfdojfm.exeC:\Windows\system32\Dgfdojfm.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Dmplkd32.exeC:\Windows\system32\Dmplkd32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Eleimp32.exeC:\Windows\system32\Eleimp32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\Eennefib.exeC:\Windows\system32\Eennefib.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Epcbbohh.exeC:\Windows\system32\Epcbbohh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\Ecdkdj32.exeC:\Windows\system32\Ecdkdj32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Epjhcnbp.exeC:\Windows\system32\Epjhcnbp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Eegqldqg.exeC:\Windows\system32\Eegqldqg.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:708 -
C:\Windows\SysWOW64\Fgfmeg32.exeC:\Windows\system32\Fgfmeg32.exe24⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Fnqebaog.exeC:\Windows\system32\Fnqebaog.exe25⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Fcmnkh32.exeC:\Windows\system32\Fcmnkh32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Fpandm32.exeC:\Windows\system32\Fpandm32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Fneoma32.exeC:\Windows\system32\Fneoma32.exe28⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Fgncff32.exeC:\Windows\system32\Fgncff32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:3464 -
C:\Windows\SysWOW64\Mehafq32.exeC:\Windows\system32\Mehafq32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Qbkcek32.exeC:\Windows\system32\Qbkcek32.exe31⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Qghlmbae.exeC:\Windows\system32\Qghlmbae.exe32⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Qfilkj32.exeC:\Windows\system32\Qfilkj32.exe33⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Agmehamp.exeC:\Windows\system32\Agmehamp.exe34⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Ailabddb.exeC:\Windows\system32\Ailabddb.exe35⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Anijjkbj.exeC:\Windows\system32\Anijjkbj.exe36⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Aecbge32.exeC:\Windows\system32\Aecbge32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:216 -
C:\Windows\SysWOW64\Bbniai32.exeC:\Windows\system32\Bbniai32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Bihancje.exeC:\Windows\system32\Bihancje.exe39⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Beobcdoi.exeC:\Windows\system32\Beobcdoi.exe40⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Bkhjpn32.exeC:\Windows\system32\Bkhjpn32.exe41⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Bbbblhnc.exeC:\Windows\system32\Bbbblhnc.exe42⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Bgokdomj.exeC:\Windows\system32\Bgokdomj.exe43⤵
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Bnicai32.exeC:\Windows\system32\Bnicai32.exe44⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Chddpn32.exeC:\Windows\system32\Chddpn32.exe45⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Cbihmg32.exeC:\Windows\system32\Cbihmg32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:4880 -
C:\Windows\SysWOW64\Cehdib32.exeC:\Windows\system32\Cehdib32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Clbmfm32.exeC:\Windows\system32\Clbmfm32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Mhmmieil.exeC:\Windows\system32\Mhmmieil.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Qjeaog32.exeC:\Windows\system32\Qjeaog32.exe50⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Ghdhja32.exeC:\Windows\system32\Ghdhja32.exe51⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Kblkap32.exeC:\Windows\system32\Kblkap32.exe52⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Nlnkgbhp.exeC:\Windows\system32\Nlnkgbhp.exe53⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Ncecioib.exeC:\Windows\system32\Ncecioib.exe54⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Anqfepaj.exeC:\Windows\system32\Anqfepaj.exe55⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Adjnaj32.exeC:\Windows\system32\Adjnaj32.exe56⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Ajggjq32.exeC:\Windows\system32\Ajggjq32.exe57⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Apaofk32.exeC:\Windows\system32\Apaofk32.exe58⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Agndidce.exeC:\Windows\system32\Agndidce.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Ajlpepbi.exeC:\Windows\system32\Ajlpepbi.exe60⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Akkmocjl.exeC:\Windows\system32\Akkmocjl.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4136 -
C:\Windows\SysWOW64\Aphegjhc.exeC:\Windows\system32\Aphegjhc.exe62⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Bjqjpp32.exeC:\Windows\system32\Bjqjpp32.exe63⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Bloflk32.exeC:\Windows\system32\Bloflk32.exe64⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Bcinie32.exeC:\Windows\system32\Bcinie32.exe65⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Bjcfeola.exeC:\Windows\system32\Bjcfeola.exe66⤵PID:3396
-
C:\Windows\SysWOW64\Bkbcpb32.exeC:\Windows\system32\Bkbcpb32.exe67⤵PID:4656
-
C:\Windows\SysWOW64\Bldogjib.exeC:\Windows\system32\Bldogjib.exe68⤵PID:4980
-
C:\Windows\SysWOW64\Bgicdc32.exeC:\Windows\system32\Bgicdc32.exe69⤵PID:3292
-
C:\Windows\SysWOW64\Bnclamqe.exeC:\Windows\system32\Bnclamqe.exe70⤵PID:3920
-
C:\Windows\SysWOW64\Bcpdidol.exeC:\Windows\system32\Bcpdidol.exe71⤵
- Drops file in System32 directory
PID:4996 -
C:\Windows\SysWOW64\Bjjmfn32.exeC:\Windows\system32\Bjjmfn32.exe72⤵PID:3460
-
C:\Windows\SysWOW64\Ckiipa32.exeC:\Windows\system32\Ckiipa32.exe73⤵PID:3804
-
C:\Windows\SysWOW64\Cmkehicj.exeC:\Windows\system32\Cmkehicj.exe74⤵PID:5028
-
C:\Windows\SysWOW64\Cdbmifdl.exeC:\Windows\system32\Cdbmifdl.exe75⤵PID:1568
-
C:\Windows\SysWOW64\Cklffq32.exeC:\Windows\system32\Cklffq32.exe76⤵PID:1260
-
C:\Windows\SysWOW64\Cmmbmiag.exeC:\Windows\system32\Cmmbmiag.exe77⤵PID:1272
-
C:\Windows\SysWOW64\Cddjofbj.exeC:\Windows\system32\Cddjofbj.exe78⤵PID:4800
-
C:\Windows\SysWOW64\Cknbkpif.exeC:\Windows\system32\Cknbkpif.exe79⤵PID:2484
-
C:\Windows\SysWOW64\Cjabgm32.exeC:\Windows\system32\Cjabgm32.exe80⤵PID:1388
-
C:\Windows\SysWOW64\Cmpoch32.exeC:\Windows\system32\Cmpoch32.exe81⤵
- Modifies registry class
PID:4760 -
C:\Windows\SysWOW64\Cdfgdf32.exeC:\Windows\system32\Cdfgdf32.exe82⤵PID:3424
-
C:\Windows\SysWOW64\Ckqoapgd.exeC:\Windows\system32\Ckqoapgd.exe83⤵PID:260
-
C:\Windows\SysWOW64\Cqmgigfk.exeC:\Windows\system32\Cqmgigfk.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Ccldebeo.exeC:\Windows\system32\Ccldebeo.exe85⤵
- Drops file in System32 directory
PID:5020 -
C:\Windows\SysWOW64\Cnahbk32.exeC:\Windows\system32\Cnahbk32.exe86⤵PID:1636
-
C:\Windows\SysWOW64\Cqpdof32.exeC:\Windows\system32\Cqpdof32.exe87⤵PID:1932
-
C:\Windows\SysWOW64\Dcnqkb32.exeC:\Windows\system32\Dcnqkb32.exe88⤵
- Modifies registry class
PID:4720 -
C:\Windows\SysWOW64\Dkehlo32.exeC:\Windows\system32\Dkehlo32.exe89⤵PID:2560
-
C:\Windows\SysWOW64\Dmfecgim.exeC:\Windows\system32\Dmfecgim.exe90⤵PID:4344
-
C:\Windows\SysWOW64\Dgliapic.exeC:\Windows\system32\Dgliapic.exe91⤵PID:1648
-
C:\Windows\SysWOW64\Dkjbgooi.exeC:\Windows\system32\Dkjbgooi.exe92⤵PID:3636
-
C:\Windows\SysWOW64\Dmknog32.exeC:\Windows\system32\Dmknog32.exe93⤵
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Kffphhmj.exeC:\Windows\system32\Kffphhmj.exe94⤵PID:5088
-
C:\Windows\SysWOW64\Lhelddln.exeC:\Windows\system32\Lhelddln.exe95⤵PID:4804
-
C:\Windows\SysWOW64\Lbmqmi32.exeC:\Windows\system32\Lbmqmi32.exe96⤵PID:3996
-
C:\Windows\SysWOW64\Mpdgbkab.exeC:\Windows\system32\Mpdgbkab.exe97⤵PID:3536
-
C:\Windows\SysWOW64\Mbbcofpf.exeC:\Windows\system32\Mbbcofpf.exe98⤵PID:4680
-
C:\Windows\SysWOW64\Nfpled32.exeC:\Windows\system32\Nfpled32.exe99⤵PID:4368
-
C:\Windows\SysWOW64\Nnnmogae.exeC:\Windows\system32\Nnnmogae.exe100⤵PID:4020
-
C:\Windows\SysWOW64\Nicalpak.exeC:\Windows\system32\Nicalpak.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4616 -
C:\Windows\SysWOW64\Nlbnhkqo.exeC:\Windows\system32\Nlbnhkqo.exe102⤵PID:2584
-
C:\Windows\SysWOW64\Ofjokc32.exeC:\Windows\system32\Ofjokc32.exe103⤵PID:744
-
C:\Windows\SysWOW64\Beippj32.exeC:\Windows\system32\Beippj32.exe104⤵
- Modifies registry class
PID:820 -
C:\Windows\SysWOW64\Bpodmb32.exeC:\Windows\system32\Bpodmb32.exe105⤵PID:1912
-
C:\Windows\SysWOW64\Bcmqin32.exeC:\Windows\system32\Bcmqin32.exe106⤵PID:3836
-
C:\Windows\SysWOW64\Bekmei32.exeC:\Windows\system32\Bekmei32.exe107⤵PID:708
-
C:\Windows\SysWOW64\Bjgifhep.exeC:\Windows\system32\Bjgifhep.exe108⤵PID:1696
-
C:\Windows\SysWOW64\Bpaacblm.exeC:\Windows\system32\Bpaacblm.exe109⤵PID:4472
-
C:\Windows\SysWOW64\Bgkipl32.exeC:\Windows\system32\Bgkipl32.exe110⤵
- Drops file in System32 directory
PID:4812 -
C:\Windows\SysWOW64\Bjielh32.exeC:\Windows\system32\Bjielh32.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:3912 -
C:\Windows\SysWOW64\Clhbhc32.exeC:\Windows\system32\Clhbhc32.exe112⤵PID:1768
-
C:\Windows\SysWOW64\Ccajdmin.exeC:\Windows\system32\Ccajdmin.exe113⤵PID:3616
-
C:\Windows\SysWOW64\Cjnoggoh.exeC:\Windows\system32\Cjnoggoh.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668 -
C:\Windows\SysWOW64\Cgbppknb.exeC:\Windows\system32\Cgbppknb.exe115⤵PID:3200
-
C:\Windows\SysWOW64\Cnlhme32.exeC:\Windows\system32\Cnlhme32.exe116⤵PID:3748
-
C:\Windows\SysWOW64\Comddn32.exeC:\Windows\system32\Comddn32.exe117⤵PID:4328
-
C:\Windows\SysWOW64\Cfglahbj.exeC:\Windows\system32\Cfglahbj.exe118⤵
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Cckmklac.exeC:\Windows\system32\Cckmklac.exe119⤵PID:4552
-
C:\Windows\SysWOW64\Djeegf32.exeC:\Windows\system32\Djeegf32.exe120⤵PID:1848
-
C:\Windows\SysWOW64\Dobnpm32.exeC:\Windows\system32\Dobnpm32.exe121⤵PID:4568
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-