Analysis
-
max time kernel
136s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
28-06-2024 22:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
63815ab85a0f8289fe5e55bd7b0f0e2801c24ef717a7042dadce53d78905ee97.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
63815ab85a0f8289fe5e55bd7b0f0e2801c24ef717a7042dadce53d78905ee97.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
63815ab85a0f8289fe5e55bd7b0f0e2801c24ef717a7042dadce53d78905ee97.exe
-
Size
75KB
-
MD5
26dba483de6f227542a048979a82d856
-
SHA1
547159ea8152808361bb71ac919f31a4a8d3d839
-
SHA256
63815ab85a0f8289fe5e55bd7b0f0e2801c24ef717a7042dadce53d78905ee97
-
SHA512
16fc303c2a28c2750b207bda0ef6abd3d90ceb167546d0ae4bf68f683b24fd34031814295be6b869f3c3931ff4868a2db0d776c859bcf1152e24f6f814de2be3
-
SSDEEP
1536:sy+OWoVUOFFPlDrI8N/00P8eC7lK4gmSRQ2L16+lWCWQv:syZBVUoFPlDr/8FJtgmaB16+bWQv
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgagbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odmgcgbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofeilobp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gifmnpnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajneip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceoibflm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cogmkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibqpimpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkbkamnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chdkoa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njqmepik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbkhfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbgqohi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbdolh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lllcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bclhhnca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hadkpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcpebmkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ognpebpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ognpebpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbhdmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnjbke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njfmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbmncp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbcilkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cchiaqjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlgdkeje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbklj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaemnhla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocnjidkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdemhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jidbflcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imfdff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecmeig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heocnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llemdo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfkgjdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeklkchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icljbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iikopmkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkgdml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpaifalo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bapiabak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bapiabak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dchbhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbnhphbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekemhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmannhhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anmjcieo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjolnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icljbg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mncmjfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddonekbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdabcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdhhdlid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldaeka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dccbbhld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcbjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npcoakfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npfkgjdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckcgkldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcddpdpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbllkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgdbg32.exe -
Executes dropped EXE 64 IoCs
pid Process 4012 Cedihl32.exe 1268 Chbedh32.exe 1248 Commqb32.exe 3928 Cchiaqjm.exe 4436 Cibank32.exe 2952 Chebighd.exe 2496 Coojfa32.exe 1472 Camfbm32.exe 624 Cidncj32.exe 4000 Cpofpdgd.exe 2556 Ccmclp32.exe 1476 Cekohk32.exe 3592 Dhjkdg32.exe 4440 Dpacfd32.exe 3852 Dabpnlkp.exe 4792 Diihojkb.exe 1140 Dlgdkeje.exe 3668 Dcalgo32.exe 2188 Djlddi32.exe 2688 Dpemacql.exe 4608 Dohmlp32.exe 1832 Debeijoc.exe 336 Dllmfd32.exe 4676 Daifnk32.exe 2624 Djpnohej.exe 3076 Dlojkddn.exe 2672 Domfgpca.exe 2812 Dchbhn32.exe 208 Efgodj32.exe 920 Ejbkehcg.exe 4180 Eoocmoao.exe 3676 Ebnoikqb.exe 3824 Ejegjh32.exe 3140 Elccfc32.exe 3116 Ecmlcmhe.exe 4812 Eflhoigi.exe 4044 Ejgdpg32.exe 1692 Eleplc32.exe 4820 Ecphimfb.exe 2340 Ebbidj32.exe 3000 Ehlaaddj.exe 1064 Elhmablc.exe 3712 Eofinnkf.exe 4928 Ebeejijj.exe 2908 Efpajh32.exe 720 Ehonfc32.exe 3972 Emjjgbjp.exe 396 Eoifcnid.exe 756 Ecdbdl32.exe 4356 Ffbnph32.exe 2380 Fjnjqfij.exe 2296 Fmmfmbhn.exe 2196 Fokbim32.exe 5108 Fbioei32.exe 3492 Fjqgff32.exe 2436 Ficgacna.exe 968 Fmocba32.exe 2012 Fcikolnh.exe 2124 Fbllkh32.exe 3048 Ffggkgmk.exe 5028 Fmapha32.exe 1136 Fqmlhpla.exe 2732 Fckhdk32.exe 3556 Fbnhphbp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ijkljp32.exe Ibccic32.exe File created C:\Windows\SysWOW64\Njcpee32.exe Ngedij32.exe File created C:\Windows\SysWOW64\Inomojol.dll Eofinnkf.exe File opened for modification C:\Windows\SysWOW64\Nnmopdep.exe Nkncdifl.exe File created C:\Windows\SysWOW64\Eocenh32.exe Eleiam32.exe File created C:\Windows\SysWOW64\Pnfmmb32.dll Giofnacd.exe File opened for modification C:\Windows\SysWOW64\Bdkcmdhp.exe Bjbndobo.exe File opened for modification C:\Windows\SysWOW64\Cbgbgj32.exe Ckpjfm32.exe File opened for modification C:\Windows\SysWOW64\Kiidgeki.exe Jpppnp32.exe File created C:\Windows\SysWOW64\Fpkknm32.dll Ndfqbhia.exe File created C:\Windows\SysWOW64\Gfcgge32.exe Gcekkjcj.exe File created C:\Windows\SysWOW64\Mngoghpn.dll Gmaioo32.exe File created C:\Windows\SysWOW64\Gmlhii32.exe Gcddpdpo.exe File created C:\Windows\SysWOW64\Lipdae32.dll Pdpmpdbd.exe File created C:\Windows\SysWOW64\Jdemhe32.exe Jpjqhgol.exe File created C:\Windows\SysWOW64\Eoocmoao.exe Ejbkehcg.exe File created C:\Windows\SysWOW64\Ibooqjdb.dll Hfofbd32.exe File created C:\Windows\SysWOW64\Gqffnmfa.dll Mcklgm32.exe File opened for modification C:\Windows\SysWOW64\Nafokcol.exe Nnjbke32.exe File created C:\Windows\SysWOW64\Cedihl32.exe 63815ab85a0f8289fe5e55bd7b0f0e2801c24ef717a7042dadce53d78905ee97.exe File opened for modification C:\Windows\SysWOW64\Ecjhcg32.exe Ehedfo32.exe File created C:\Windows\SysWOW64\Lpcioj32.dll Gppekj32.exe File created C:\Windows\SysWOW64\Lgikfn32.exe Ldkojb32.exe File created C:\Windows\SysWOW64\Bheenp32.dll Lcdegnep.exe File created C:\Windows\SysWOW64\Bcjlcn32.exe Balpgb32.exe File opened for modification C:\Windows\SysWOW64\Dhfajjoj.exe Calhnpgn.exe File created C:\Windows\SysWOW64\Fopfdhej.dll 63815ab85a0f8289fe5e55bd7b0f0e2801c24ef717a7042dadce53d78905ee97.exe File opened for modification C:\Windows\SysWOW64\Onjegled.exe Ofcmfodb.exe File created C:\Windows\SysWOW64\Legdcg32.dll Nnhfee32.exe File created C:\Windows\SysWOW64\Imfdff32.exe Ieolehop.exe File opened for modification C:\Windows\SysWOW64\Icljbg32.exe Iannfk32.exe File created C:\Windows\SysWOW64\Bgllgqcp.dll Jdemhe32.exe File opened for modification C:\Windows\SysWOW64\Iannfk32.exe Imbaemhc.exe File created C:\Windows\SysWOW64\Oekgfqeg.dll Hodgkc32.exe File opened for modification C:\Windows\SysWOW64\Lepncd32.exe Lbabgh32.exe File opened for modification C:\Windows\SysWOW64\Odmgcgbi.exe Olfobjbg.exe File opened for modification C:\Windows\SysWOW64\Daconoae.exe Dodbbdbb.exe File created C:\Windows\SysWOW64\Mnlfigcc.exe Mjqjih32.exe File created C:\Windows\SysWOW64\Ecmeig32.exe Ekemhj32.exe File created C:\Windows\SysWOW64\Mdmann32.dll Gdqgmmjb.exe File created C:\Windows\SysWOW64\Hiclgb32.dll Ofqpqo32.exe File opened for modification C:\Windows\SysWOW64\Ceckcp32.exe Cmlcbbcj.exe File created C:\Windows\SysWOW64\Kjmidh32.dll Obangb32.exe File opened for modification C:\Windows\SysWOW64\Qajadlja.exe Qbgqio32.exe File created C:\Windows\SysWOW64\Blfdia32.exe Baaplhef.exe File created C:\Windows\SysWOW64\Cehkhecb.exe Ckcgkldl.exe File created C:\Windows\SysWOW64\Mpnaemnl.dll Hcdmga32.exe File created C:\Windows\SysWOW64\Eghpcp32.dll Mcmabg32.exe File created C:\Windows\SysWOW64\Ngbpidjh.exe Ndcdmikd.exe File created C:\Windows\SysWOW64\Nnqbanmo.exe Nfjjppmm.exe File created C:\Windows\SysWOW64\Mkbchk32.exe Mcklgm32.exe File created C:\Windows\SysWOW64\Dllfkn32.exe Dccbbhld.exe File created C:\Windows\SysWOW64\Pmannhhj.exe Pfhfan32.exe File opened for modification C:\Windows\SysWOW64\Jmbklj32.exe Jkdnpo32.exe File created C:\Windows\SysWOW64\Jpjqhgol.exe Jmkdlkph.exe File opened for modification C:\Windows\SysWOW64\Bjbndobo.exe Blpnib32.exe File opened for modification C:\Windows\SysWOW64\Doilmc32.exe Dgbdlf32.exe File opened for modification C:\Windows\SysWOW64\Ipegmg32.exe Imgkql32.exe File created C:\Windows\SysWOW64\Jphopllo.dll Lpcfkm32.exe File created C:\Windows\SysWOW64\Qnjnnj32.exe Qfcfml32.exe File opened for modification C:\Windows\SysWOW64\Ibccic32.exe Ipegmg32.exe File opened for modification C:\Windows\SysWOW64\Pkceffcd.exe Pclneicb.exe File created C:\Windows\SysWOW64\Elikfp32.dll Gmlhii32.exe File created C:\Windows\SysWOW64\Kiidgeki.exe Jpppnp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13484 14164 WerFault.exe 725 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbefaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhmqf32.dll" Himldi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcbpab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miimhchp.dll" Elhmablc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll" Ibccic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocqqdjh.dll" Daaicfgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdfloja.dll" Jpppnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmdina32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npmagine.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnnanphk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfjjppmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onjegled.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll" Agglboim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjepaecb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll" Lkdggmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nknjccol.dll" Ehljfnpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnakhkol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmngqdpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cchiaqjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abngjnmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llemdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlnpc32.dll" Cidncj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmmfmbhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojalgcnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aelcfilb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglcddpd.dll" Helfik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bchomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcoenmao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chbedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkbchk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieolehop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll" Bapiabak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll" Caebma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dohmlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll" Gmkbnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipegmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjhcgd32.dll" Gcddpdpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojhkmkj.dll" Llemdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngdmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pncgmkmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ficgacna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll" Laciofpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cafigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dojcgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hecmijim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll" Pfaigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqncedbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll" Mcnhmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmfgdeof.dll" Onholckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkopnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkhbdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlefklpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlhbal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll" Gifmnpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pegplgln.dll" Oqihnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjqkei32.dll" Icifbang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll" Ocgmpccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifhiib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekacmjgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbhkac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciglpe32.dll" Hkfoeega.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nngokoej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nloiakho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmmfmbhn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 712 wrote to memory of 4012 712 63815ab85a0f8289fe5e55bd7b0f0e2801c24ef717a7042dadce53d78905ee97.exe 83 PID 712 wrote to memory of 4012 712 63815ab85a0f8289fe5e55bd7b0f0e2801c24ef717a7042dadce53d78905ee97.exe 83 PID 712 wrote to memory of 4012 712 63815ab85a0f8289fe5e55bd7b0f0e2801c24ef717a7042dadce53d78905ee97.exe 83 PID 4012 wrote to memory of 1268 4012 Cedihl32.exe 84 PID 4012 wrote to memory of 1268 4012 Cedihl32.exe 84 PID 4012 wrote to memory of 1268 4012 Cedihl32.exe 84 PID 1268 wrote to memory of 1248 1268 Chbedh32.exe 85 PID 1268 wrote to memory of 1248 1268 Chbedh32.exe 85 PID 1268 wrote to memory of 1248 1268 Chbedh32.exe 85 PID 1248 wrote to memory of 3928 1248 Commqb32.exe 86 PID 1248 wrote to memory of 3928 1248 Commqb32.exe 86 PID 1248 wrote to memory of 3928 1248 Commqb32.exe 86 PID 3928 wrote to memory of 4436 3928 Cchiaqjm.exe 87 PID 3928 wrote to memory of 4436 3928 Cchiaqjm.exe 87 PID 3928 wrote to memory of 4436 3928 Cchiaqjm.exe 87 PID 4436 wrote to memory of 2952 4436 Cibank32.exe 88 PID 4436 wrote to memory of 2952 4436 Cibank32.exe 88 PID 4436 wrote to memory of 2952 4436 Cibank32.exe 88 PID 2952 wrote to memory of 2496 2952 Chebighd.exe 89 PID 2952 wrote to memory of 2496 2952 Chebighd.exe 89 PID 2952 wrote to memory of 2496 2952 Chebighd.exe 89 PID 2496 wrote to memory of 1472 2496 Coojfa32.exe 90 PID 2496 wrote to memory of 1472 2496 Coojfa32.exe 90 PID 2496 wrote to memory of 1472 2496 Coojfa32.exe 90 PID 1472 wrote to memory of 624 1472 Camfbm32.exe 91 PID 1472 wrote to memory of 624 1472 Camfbm32.exe 91 PID 1472 wrote to memory of 624 1472 Camfbm32.exe 91 PID 624 wrote to memory of 4000 624 Cidncj32.exe 92 PID 624 wrote to memory of 4000 624 Cidncj32.exe 92 PID 624 wrote to memory of 4000 624 Cidncj32.exe 92 PID 4000 wrote to memory of 2556 4000 Cpofpdgd.exe 93 PID 4000 wrote to memory of 2556 4000 Cpofpdgd.exe 93 PID 4000 wrote to memory of 2556 4000 Cpofpdgd.exe 93 PID 2556 wrote to memory of 1476 2556 Ccmclp32.exe 94 PID 2556 wrote to memory of 1476 2556 Ccmclp32.exe 94 PID 2556 wrote to memory of 1476 2556 Ccmclp32.exe 94 PID 1476 wrote to memory of 3592 1476 Cekohk32.exe 95 PID 1476 wrote to memory of 3592 1476 Cekohk32.exe 95 PID 1476 wrote to memory of 3592 1476 Cekohk32.exe 95 PID 3592 wrote to memory of 4440 3592 Dhjkdg32.exe 96 PID 3592 wrote to memory of 4440 3592 Dhjkdg32.exe 96 PID 3592 wrote to memory of 4440 3592 Dhjkdg32.exe 96 PID 4440 wrote to memory of 3852 4440 Dpacfd32.exe 97 PID 4440 wrote to memory of 3852 4440 Dpacfd32.exe 97 PID 4440 wrote to memory of 3852 4440 Dpacfd32.exe 97 PID 3852 wrote to memory of 4792 3852 Dabpnlkp.exe 98 PID 3852 wrote to memory of 4792 3852 Dabpnlkp.exe 98 PID 3852 wrote to memory of 4792 3852 Dabpnlkp.exe 98 PID 4792 wrote to memory of 1140 4792 Diihojkb.exe 99 PID 4792 wrote to memory of 1140 4792 Diihojkb.exe 99 PID 4792 wrote to memory of 1140 4792 Diihojkb.exe 99 PID 1140 wrote to memory of 3668 1140 Dlgdkeje.exe 100 PID 1140 wrote to memory of 3668 1140 Dlgdkeje.exe 100 PID 1140 wrote to memory of 3668 1140 Dlgdkeje.exe 100 PID 3668 wrote to memory of 2188 3668 Dcalgo32.exe 101 PID 3668 wrote to memory of 2188 3668 Dcalgo32.exe 101 PID 3668 wrote to memory of 2188 3668 Dcalgo32.exe 101 PID 2188 wrote to memory of 2688 2188 Djlddi32.exe 102 PID 2188 wrote to memory of 2688 2188 Djlddi32.exe 102 PID 2188 wrote to memory of 2688 2188 Djlddi32.exe 102 PID 2688 wrote to memory of 4608 2688 Dpemacql.exe 103 PID 2688 wrote to memory of 4608 2688 Dpemacql.exe 103 PID 2688 wrote to memory of 4608 2688 Dpemacql.exe 103 PID 4608 wrote to memory of 1832 4608 Dohmlp32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\63815ab85a0f8289fe5e55bd7b0f0e2801c24ef717a7042dadce53d78905ee97.exe"C:\Users\Admin\AppData\Local\Temp\63815ab85a0f8289fe5e55bd7b0f0e2801c24ef717a7042dadce53d78905ee97.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Windows\SysWOW64\Cedihl32.exeC:\Windows\system32\Cedihl32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Chbedh32.exeC:\Windows\system32\Chbedh32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Commqb32.exeC:\Windows\system32\Commqb32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Cchiaqjm.exeC:\Windows\system32\Cchiaqjm.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\Cibank32.exeC:\Windows\system32\Cibank32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\Chebighd.exeC:\Windows\system32\Chebighd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Coojfa32.exeC:\Windows\system32\Coojfa32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Camfbm32.exeC:\Windows\system32\Camfbm32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Cidncj32.exeC:\Windows\system32\Cidncj32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Cpofpdgd.exeC:\Windows\system32\Cpofpdgd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\SysWOW64\Ccmclp32.exeC:\Windows\system32\Ccmclp32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Dhjkdg32.exeC:\Windows\system32\Dhjkdg32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\Dpacfd32.exeC:\Windows\system32\Dpacfd32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\Dabpnlkp.exeC:\Windows\system32\Dabpnlkp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\SysWOW64\Diihojkb.exeC:\Windows\system32\Diihojkb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Dlgdkeje.exeC:\Windows\system32\Dlgdkeje.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Debeijoc.exeC:\Windows\system32\Debeijoc.exe23⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe24⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe25⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe26⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Dlojkddn.exeC:\Windows\system32\Dlojkddn.exe27⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Domfgpca.exeC:\Windows\system32\Domfgpca.exe28⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Dchbhn32.exeC:\Windows\system32\Dchbhn32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe30⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe32⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe33⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe34⤵
- Executes dropped EXE
PID:3824 -
C:\Windows\SysWOW64\Elccfc32.exeC:\Windows\system32\Elccfc32.exe35⤵
- Executes dropped EXE
PID:3140 -
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe36⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Eflhoigi.exeC:\Windows\system32\Eflhoigi.exe37⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Ejgdpg32.exeC:\Windows\system32\Ejgdpg32.exe38⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe39⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe40⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe41⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe42⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3712 -
C:\Windows\SysWOW64\Ebeejijj.exeC:\Windows\system32\Ebeejijj.exe45⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe46⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Ehonfc32.exeC:\Windows\system32\Ehonfc32.exe47⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Emjjgbjp.exeC:\Windows\system32\Emjjgbjp.exe48⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe49⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe50⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe51⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Fjnjqfij.exeC:\Windows\system32\Fjnjqfij.exe52⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe54⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe55⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe56⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe58⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe59⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe61⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Fmapha32.exeC:\Windows\system32\Fmapha32.exe62⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe63⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe64⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Fjepaecb.exeC:\Windows\system32\Fjepaecb.exe66⤵
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe67⤵PID:4256
-
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe68⤵PID:808
-
C:\Windows\SysWOW64\Fbqefhpm.exeC:\Windows\system32\Fbqefhpm.exe69⤵PID:2940
-
C:\Windows\SysWOW64\Fjhmgeao.exeC:\Windows\system32\Fjhmgeao.exe70⤵PID:2432
-
C:\Windows\SysWOW64\Fmficqpc.exeC:\Windows\system32\Fmficqpc.exe71⤵PID:4320
-
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe72⤵PID:3132
-
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe73⤵PID:4336
-
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe74⤵PID:3500
-
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe75⤵PID:4380
-
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe76⤵PID:372
-
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe77⤵PID:2072
-
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe78⤵PID:4052
-
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe79⤵
- Drops file in System32 directory
PID:4064 -
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe80⤵
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe81⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe82⤵PID:3584
-
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe83⤵PID:2444
-
C:\Windows\SysWOW64\Gmmocpjk.exeC:\Windows\system32\Gmmocpjk.exe84⤵PID:4624
-
C:\Windows\SysWOW64\Gcggpj32.exeC:\Windows\system32\Gcggpj32.exe85⤵PID:2244
-
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe86⤵PID:2768
-
C:\Windows\SysWOW64\Gqkhjn32.exeC:\Windows\system32\Gqkhjn32.exe87⤵PID:4880
-
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe88⤵PID:744
-
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe89⤵PID:3820
-
C:\Windows\SysWOW64\Gifmnpnl.exeC:\Windows\system32\Gifmnpnl.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5132 -
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe91⤵
- Drops file in System32 directory
PID:5192 -
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe92⤵
- Drops file in System32 directory
PID:5236 -
C:\Windows\SysWOW64\Hfjmgdlf.exeC:\Windows\system32\Hfjmgdlf.exe93⤵PID:5280
-
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe94⤵PID:5324
-
C:\Windows\SysWOW64\Hmdedo32.exeC:\Windows\system32\Hmdedo32.exe95⤵PID:5368
-
C:\Windows\SysWOW64\Hcnnaikp.exeC:\Windows\system32\Hcnnaikp.exe96⤵PID:5420
-
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe97⤵PID:5460
-
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe98⤵PID:5508
-
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe99⤵PID:5552
-
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe100⤵PID:5608
-
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe101⤵
- Drops file in System32 directory
PID:5652 -
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe102⤵PID:5696
-
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5736 -
C:\Windows\SysWOW64\Hpgkkioa.exeC:\Windows\system32\Hpgkkioa.exe104⤵PID:5784
-
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe105⤵PID:5828
-
C:\Windows\SysWOW64\Hbeghene.exeC:\Windows\system32\Hbeghene.exe106⤵PID:5876
-
C:\Windows\SysWOW64\Hjmoibog.exeC:\Windows\system32\Hjmoibog.exe107⤵PID:5952
-
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe108⤵PID:5992
-
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe109⤵PID:6028
-
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6076 -
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6128 -
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe112⤵PID:5036
-
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe113⤵PID:5228
-
C:\Windows\SysWOW64\Icgqggce.exeC:\Windows\system32\Icgqggce.exe114⤵PID:5272
-
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe115⤵PID:5356
-
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe116⤵PID:5400
-
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe117⤵PID:5476
-
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe118⤵PID:5544
-
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe119⤵PID:5636
-
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe120⤵
- Modifies registry class
PID:5704 -
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe121⤵PID:5776
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-