Analysis
-
max time kernel
138s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
19-03-2024 05:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
30eb6989bf5f3ceec35d7aace8cb055d58202248dbc54426bfe8f1777ba18f75.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
30eb6989bf5f3ceec35d7aace8cb055d58202248dbc54426bfe8f1777ba18f75.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
30eb6989bf5f3ceec35d7aace8cb055d58202248dbc54426bfe8f1777ba18f75.exe
-
Size
57KB
-
MD5
2951bc5b2b5f6a793435614f93a0ed42
-
SHA1
a42ecd4d20f899ee945ff4a868831f6004f298e6
-
SHA256
30eb6989bf5f3ceec35d7aace8cb055d58202248dbc54426bfe8f1777ba18f75
-
SHA512
50ec2ae9e76b223f93aa6f366a8a3fbf6ce97d6826af021dd80030902ba8e32f4f79e5f463951b82ed862a4641c2205f99272bb33a3c5275b6a3475306cf8fdd
-
SSDEEP
1536:lfXpnXYrQI+NFnlocP49W2Nq17n/cibZ4VVER:lfFYr/YwaQUjR
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeailhme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidjcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfnbbg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggldde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcghkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmkkle32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkchpoka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najjmjkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khbhdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbpnjdkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjdokb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imdgljil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afnefieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiphbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhgiic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnikmjdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hanlcjgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daeifj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elhfbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfnnmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dehgejep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mknlef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adohmidb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eckfaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhegjdag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcgndf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpnglbkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Offeahhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iacepmik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kojkeogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaajfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmiepcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Albpff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqpfknbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjmmfq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoocnpag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfhpilbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkigbfja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkfil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qamago32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecgodpgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hepgkohh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leqkeajd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khbhdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neclpamg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhbakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pokanf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfjakgpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgbdmfnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkkki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdeghfhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmnbej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcceifof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkhbbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebeapc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpnglbkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilglgfjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfjgbapo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgqehgco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daeifj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eekjep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihgnfnjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfchjddj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqokekph.exe -
Executes dropped EXE 64 IoCs
pid Process 5112 Jpnakk32.exe 2260 Laiipofp.exe 2932 Loofnccf.exe 3332 Mcoljagj.exe 4632 Mhldbh32.exe 3692 Mfenglqf.exe 2468 Nqmojd32.exe 3624 Nhhdnf32.exe 1828 Ocihgnam.exe 212 Opbean32.exe 3356 Pafkgphl.exe 4620 Ppnenlka.exe 1504 Qamago32.exe 4132 Qjhbfd32.exe 4328 Apeknk32.exe 2940 Aadghn32.exe 2408 Adepji32.exe 3980 Ampaho32.exe 1056 Bdcmkgmm.exe 1744 Cbkfbcpb.exe 4788 Ccppmc32.exe 928 Daeifj32.exe 3428 Ddklbd32.exe 2800 Dpalgenf.exe 2192 Ecbeip32.exe 996 Epffbd32.exe 4344 Ekljpm32.exe 2728 Ecgodpgb.exe 4048 Eahobg32.exe 4972 Fggdpnkf.exe 4012 Fkgillpj.exe 4968 Fcekfnkb.exe 1544 Fjocbhbo.exe 1072 Gcghkm32.exe 5020 Gclafmej.exe 3384 Gbpnjdkg.exe 4536 Gkhbbi32.exe 3580 Hepgkohh.exe 3844 Hebcao32.exe 4136 Hgcmbj32.exe 3488 Hnmeodjc.exe 2084 Hnpaec32.exe 2580 Hghfnioq.exe 2044 Ijiopd32.exe 1448 Iabglnco.exe 2916 Ibdplaho.exe 3640 Ilmedf32.exe 1768 Jjdokb32.exe 5160 Jldkeeig.exe 5200 Jbncbpqd.exe 5248 Jjkdlall.exe 5288 Kalcik32.exe 5332 Khihld32.exe 5376 Loemnnhe.exe 5416 Mhiabbdi.exe 5464 Mhnjna32.exe 5508 Nlgbon32.exe 5548 Oljoen32.exe 5588 Ollljmhg.exe 5628 Ofdqcc32.exe 5668 Oheienli.exe 5708 Odljjo32.exe 5748 Podkmgop.exe 5788 Pdqcenmg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Dfakcj32.exe Ciiaogon.exe File created C:\Windows\SysWOW64\Lpljgpbj.dll Kfdklllb.exe File created C:\Windows\SysWOW64\Dngnaa32.dll Ebeapc32.exe File opened for modification C:\Windows\SysWOW64\Kdeghfhj.exe Kdbjbfjl.exe File opened for modification C:\Windows\SysWOW64\Qamago32.exe Ppnenlka.exe File created C:\Windows\SysWOW64\Daeifj32.exe Ccppmc32.exe File created C:\Windows\SysWOW64\Fffcpnjo.dll Hfhbipdb.exe File opened for modification C:\Windows\SysWOW64\Ehnpmkbg.exe Ebokodfc.exe File created C:\Windows\SysWOW64\Igokfd32.dll Pdoofl32.exe File created C:\Windows\SysWOW64\Bjhkaf32.dll Kdbjbfjl.exe File created C:\Windows\SysWOW64\Ilqfjc32.dll Gmpcmkaa.exe File opened for modification C:\Windows\SysWOW64\Pkmhgh32.exe Pdqcenmg.exe File opened for modification C:\Windows\SysWOW64\Mkgfdgpq.exe Mejnlpai.exe File created C:\Windows\SysWOW64\Ofacao32.dll Qfilkj32.exe File opened for modification C:\Windows\SysWOW64\Najjmjkg.exe Npjnbg32.exe File created C:\Windows\SysWOW64\Plmdmk32.dll Micheb32.exe File created C:\Windows\SysWOW64\Fibmebpm.dll Iglhob32.exe File created C:\Windows\SysWOW64\Qfilkj32.exe Qoocnpag.exe File created C:\Windows\SysWOW64\Jknbhdmb.dll Nieoal32.exe File opened for modification C:\Windows\SysWOW64\Ihgnfnjl.exe Iooimi32.exe File opened for modification C:\Windows\SysWOW64\Pkigbfja.exe Pdoofl32.exe File opened for modification C:\Windows\SysWOW64\Fggdpnkf.exe Eahobg32.exe File opened for modification C:\Windows\SysWOW64\Ibdplaho.exe Iabglnco.exe File created C:\Windows\SysWOW64\Bpfhem32.dll Bqahmhpi.exe File created C:\Windows\SysWOW64\Hmginjki.exe Hhjqec32.exe File created C:\Windows\SysWOW64\Fhcbhh32.dll Qamago32.exe File created C:\Windows\SysWOW64\Cbkfbcpb.exe Bdcmkgmm.exe File created C:\Windows\SysWOW64\Eahobg32.exe Ecgodpgb.exe File opened for modification C:\Windows\SysWOW64\Gcghkm32.exe Fjocbhbo.exe File created C:\Windows\SysWOW64\Bjmpfdhb.exe Bhbahm32.exe File opened for modification C:\Windows\SysWOW64\Dgqblp32.exe Dkjbgooi.exe File opened for modification C:\Windows\SysWOW64\Kojkeogp.exe Kdeghfhj.exe File created C:\Windows\SysWOW64\Feiglp32.dll Fjpoio32.exe File created C:\Windows\SysWOW64\Pmefiakh.exe Plcmiofg.exe File opened for modification C:\Windows\SysWOW64\Aneppo32.exe Qkpmcddi.exe File created C:\Windows\SysWOW64\Cngdcmid.dll Aneppo32.exe File created C:\Windows\SysWOW64\Bhodilni.dll Gjmmfq32.exe File opened for modification C:\Windows\SysWOW64\Apeknk32.exe Qjhbfd32.exe File created C:\Windows\SysWOW64\Iibaeb32.exe Hommhi32.exe File opened for modification C:\Windows\SysWOW64\Icmbcg32.exe Ihgnfnjl.exe File created C:\Windows\SysWOW64\Ecgodpgb.exe Ekljpm32.exe File created C:\Windows\SysWOW64\Jinbplpa.dll Fcepbooa.exe File opened for modification C:\Windows\SysWOW64\Ikpjmd32.exe Hlkmlhea.exe File opened for modification C:\Windows\SysWOW64\Jekpljgg.exe Joahop32.exe File created C:\Windows\SysWOW64\Eqpfknbj.exe Ejennd32.exe File opened for modification C:\Windows\SysWOW64\Iabglnco.exe Ijiopd32.exe File created C:\Windows\SysWOW64\Ljhchc32.exe Lgjglg32.exe File opened for modification C:\Windows\SysWOW64\Gclimi32.exe Giddddad.exe File opened for modification C:\Windows\SysWOW64\Nidhffef.exe Npldnp32.exe File created C:\Windows\SysWOW64\Gmfpgmil.exe Ggjgofkd.exe File created C:\Windows\SysWOW64\Lqcnhf32.dll Hghfnioq.exe File opened for modification C:\Windows\SysWOW64\Oacmchcl.exe Ogmiepcf.exe File opened for modification C:\Windows\SysWOW64\Eeailhme.exe Ebpqjmpd.exe File created C:\Windows\SysWOW64\Gkedmpik.dll Lfqjhmhk.exe File created C:\Windows\SysWOW64\Hhndme32.dll Kkjejqcl.exe File created C:\Windows\SysWOW64\Lfcfpn32.dll Kgkfil32.exe File created C:\Windows\SysWOW64\Ddklbd32.exe Daeifj32.exe File created C:\Windows\SysWOW64\Ciiaogon.exe Afeban32.exe File opened for modification C:\Windows\SysWOW64\Mhldbh32.exe Mcoljagj.exe File created C:\Windows\SysWOW64\Hojpbigq.exe Himgjbii.exe File opened for modification C:\Windows\SysWOW64\Mddidm32.exe Mohplf32.exe File opened for modification C:\Windows\SysWOW64\Dpalgenf.exe Ddklbd32.exe File created C:\Windows\SysWOW64\Elhfbp32.exe Dmbiackg.exe File created C:\Windows\SysWOW64\Jogeia32.exe Idbalhho.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9016 8880 WerFault.exe 489 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fachkklb.dll" Fkgillpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lopkkdgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flplcjpa.dll" Gcgndf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngifef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhdcmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnebcph.dll" Ipcakd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqpfknbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpljgpbj.dll" Kfdklllb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhhcne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajlpepbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjocbhbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkjbgooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dodjemee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iabodcnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mejijcea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khbhdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcljpeah.dll" Flhoinbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfljnejl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hipdpbgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjmfmnhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbkfbcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoefgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bibpkiie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmlcae32.dll" Himgjbii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naompiea.dll" Kgnbol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgfkaf32.dll" Kacgld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkpdnm32.dll" Pkmhgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ancoda32.dll" Ceehcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcmeff32.dll" Ehnpmkbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehcfdc32.dll" Eckfaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beippj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hebcao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moglpedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddnmeejo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbdijpjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmqgd32.dll" Fnnimbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbmqmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgonal32.dll" Hanlcjgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igjlibib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcpjnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhbakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Offeahhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bckknd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfedfi32.dll" Gclafmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdclbd32.dll" Aaofedkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhackbjl.dll" Fiaogfai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihgnfnjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqpfknbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oapllk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohnncn32.dll" Jldkeeig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bejhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdgpp32.dll" Ihgnfnjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifdgaond.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opbean32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dehgejep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbiphhhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngnaa32.dll" Ebeapc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hojpbigq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Offeahhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kffkpkqi.dll" Gcceifof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfndbnlp.dll" Jflnafno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmjblgka.dll" Dkjbgooi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilpfgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djhiglji.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4812 wrote to memory of 5112 4812 30eb6989bf5f3ceec35d7aace8cb055d58202248dbc54426bfe8f1777ba18f75.exe 97 PID 4812 wrote to memory of 5112 4812 30eb6989bf5f3ceec35d7aace8cb055d58202248dbc54426bfe8f1777ba18f75.exe 97 PID 4812 wrote to memory of 5112 4812 30eb6989bf5f3ceec35d7aace8cb055d58202248dbc54426bfe8f1777ba18f75.exe 97 PID 5112 wrote to memory of 2260 5112 Jpnakk32.exe 98 PID 5112 wrote to memory of 2260 5112 Jpnakk32.exe 98 PID 5112 wrote to memory of 2260 5112 Jpnakk32.exe 98 PID 2260 wrote to memory of 2932 2260 Laiipofp.exe 99 PID 2260 wrote to memory of 2932 2260 Laiipofp.exe 99 PID 2260 wrote to memory of 2932 2260 Laiipofp.exe 99 PID 2932 wrote to memory of 3332 2932 Loofnccf.exe 100 PID 2932 wrote to memory of 3332 2932 Loofnccf.exe 100 PID 2932 wrote to memory of 3332 2932 Loofnccf.exe 100 PID 3332 wrote to memory of 4632 3332 Mcoljagj.exe 101 PID 3332 wrote to memory of 4632 3332 Mcoljagj.exe 101 PID 3332 wrote to memory of 4632 3332 Mcoljagj.exe 101 PID 4632 wrote to memory of 3692 4632 Mhldbh32.exe 102 PID 4632 wrote to memory of 3692 4632 Mhldbh32.exe 102 PID 4632 wrote to memory of 3692 4632 Mhldbh32.exe 102 PID 3692 wrote to memory of 2468 3692 Mfenglqf.exe 103 PID 3692 wrote to memory of 2468 3692 Mfenglqf.exe 103 PID 3692 wrote to memory of 2468 3692 Mfenglqf.exe 103 PID 2468 wrote to memory of 3624 2468 Nqmojd32.exe 104 PID 2468 wrote to memory of 3624 2468 Nqmojd32.exe 104 PID 2468 wrote to memory of 3624 2468 Nqmojd32.exe 104 PID 3624 wrote to memory of 1828 3624 Nhhdnf32.exe 105 PID 3624 wrote to memory of 1828 3624 Nhhdnf32.exe 105 PID 3624 wrote to memory of 1828 3624 Nhhdnf32.exe 105 PID 1828 wrote to memory of 212 1828 Ocihgnam.exe 106 PID 1828 wrote to memory of 212 1828 Ocihgnam.exe 106 PID 1828 wrote to memory of 212 1828 Ocihgnam.exe 106 PID 212 wrote to memory of 3356 212 Opbean32.exe 107 PID 212 wrote to memory of 3356 212 Opbean32.exe 107 PID 212 wrote to memory of 3356 212 Opbean32.exe 107 PID 3356 wrote to memory of 4620 3356 Pafkgphl.exe 108 PID 3356 wrote to memory of 4620 3356 Pafkgphl.exe 108 PID 3356 wrote to memory of 4620 3356 Pafkgphl.exe 108 PID 4620 wrote to memory of 1504 4620 Ppnenlka.exe 109 PID 4620 wrote to memory of 1504 4620 Ppnenlka.exe 109 PID 4620 wrote to memory of 1504 4620 Ppnenlka.exe 109 PID 1504 wrote to memory of 4132 1504 Qamago32.exe 110 PID 1504 wrote to memory of 4132 1504 Qamago32.exe 110 PID 1504 wrote to memory of 4132 1504 Qamago32.exe 110 PID 4132 wrote to memory of 4328 4132 Qjhbfd32.exe 111 PID 4132 wrote to memory of 4328 4132 Qjhbfd32.exe 111 PID 4132 wrote to memory of 4328 4132 Qjhbfd32.exe 111 PID 4328 wrote to memory of 2940 4328 Apeknk32.exe 112 PID 4328 wrote to memory of 2940 4328 Apeknk32.exe 112 PID 4328 wrote to memory of 2940 4328 Apeknk32.exe 112 PID 2940 wrote to memory of 2408 2940 Aadghn32.exe 113 PID 2940 wrote to memory of 2408 2940 Aadghn32.exe 113 PID 2940 wrote to memory of 2408 2940 Aadghn32.exe 113 PID 2408 wrote to memory of 3980 2408 Adepji32.exe 114 PID 2408 wrote to memory of 3980 2408 Adepji32.exe 114 PID 2408 wrote to memory of 3980 2408 Adepji32.exe 114 PID 3980 wrote to memory of 1056 3980 Ampaho32.exe 115 PID 3980 wrote to memory of 1056 3980 Ampaho32.exe 115 PID 3980 wrote to memory of 1056 3980 Ampaho32.exe 115 PID 1056 wrote to memory of 1744 1056 Bdcmkgmm.exe 116 PID 1056 wrote to memory of 1744 1056 Bdcmkgmm.exe 116 PID 1056 wrote to memory of 1744 1056 Bdcmkgmm.exe 116 PID 1744 wrote to memory of 4788 1744 Cbkfbcpb.exe 117 PID 1744 wrote to memory of 4788 1744 Cbkfbcpb.exe 117 PID 1744 wrote to memory of 4788 1744 Cbkfbcpb.exe 117 PID 4788 wrote to memory of 928 4788 Ccppmc32.exe 118
Processes
-
C:\Users\Admin\AppData\Local\Temp\30eb6989bf5f3ceec35d7aace8cb055d58202248dbc54426bfe8f1777ba18f75.exe"C:\Users\Admin\AppData\Local\Temp\30eb6989bf5f3ceec35d7aace8cb055d58202248dbc54426bfe8f1777ba18f75.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\Jpnakk32.exeC:\Windows\system32\Jpnakk32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\Laiipofp.exeC:\Windows\system32\Laiipofp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Loofnccf.exeC:\Windows\system32\Loofnccf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Mcoljagj.exeC:\Windows\system32\Mcoljagj.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\Mhldbh32.exeC:\Windows\system32\Mhldbh32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Mfenglqf.exeC:\Windows\system32\Mfenglqf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Nqmojd32.exeC:\Windows\system32\Nqmojd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Nhhdnf32.exeC:\Windows\system32\Nhhdnf32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\Ocihgnam.exeC:\Windows\system32\Ocihgnam.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Opbean32.exeC:\Windows\system32\Opbean32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Pafkgphl.exeC:\Windows\system32\Pafkgphl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Ppnenlka.exeC:\Windows\system32\Ppnenlka.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Qamago32.exeC:\Windows\system32\Qamago32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Qjhbfd32.exeC:\Windows\system32\Qjhbfd32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4132 -
C:\Windows\SysWOW64\Apeknk32.exeC:\Windows\system32\Apeknk32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\Aadghn32.exeC:\Windows\system32\Aadghn32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Adepji32.exeC:\Windows\system32\Adepji32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Ampaho32.exeC:\Windows\system32\Ampaho32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\Bdcmkgmm.exeC:\Windows\system32\Bdcmkgmm.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Cbkfbcpb.exeC:\Windows\system32\Cbkfbcpb.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Ccppmc32.exeC:\Windows\system32\Ccppmc32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\Daeifj32.exeC:\Windows\system32\Daeifj32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:928 -
C:\Windows\SysWOW64\Ddklbd32.exeC:\Windows\system32\Ddklbd32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3428 -
C:\Windows\SysWOW64\Dpalgenf.exeC:\Windows\system32\Dpalgenf.exe25⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Ecbeip32.exeC:\Windows\system32\Ecbeip32.exe26⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Epffbd32.exeC:\Windows\system32\Epffbd32.exe27⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Ekljpm32.exeC:\Windows\system32\Ekljpm32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4344 -
C:\Windows\SysWOW64\Ecgodpgb.exeC:\Windows\system32\Ecgodpgb.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Eahobg32.exeC:\Windows\system32\Eahobg32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4048 -
C:\Windows\SysWOW64\Fggdpnkf.exeC:\Windows\system32\Fggdpnkf.exe31⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Fkgillpj.exeC:\Windows\system32\Fkgillpj.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:4012 -
C:\Windows\SysWOW64\Fcekfnkb.exeC:\Windows\system32\Fcekfnkb.exe33⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Fjocbhbo.exeC:\Windows\system32\Fjocbhbo.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Gcghkm32.exeC:\Windows\system32\Gcghkm32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Gclafmej.exeC:\Windows\system32\Gclafmej.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:5020 -
C:\Windows\SysWOW64\Gnaecedp.exeC:\Windows\system32\Gnaecedp.exe37⤵PID:4324
-
C:\Windows\SysWOW64\Gbpnjdkg.exeC:\Windows\system32\Gbpnjdkg.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Gkhbbi32.exeC:\Windows\system32\Gkhbbi32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Hepgkohh.exeC:\Windows\system32\Hepgkohh.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Hebcao32.exeC:\Windows\system32\Hebcao32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:3844 -
C:\Windows\SysWOW64\Hgcmbj32.exeC:\Windows\system32\Hgcmbj32.exe42⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Hnmeodjc.exeC:\Windows\system32\Hnmeodjc.exe43⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Hnpaec32.exeC:\Windows\system32\Hnpaec32.exe44⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Hghfnioq.exeC:\Windows\system32\Hghfnioq.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Ijiopd32.exeC:\Windows\system32\Ijiopd32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Iabglnco.exeC:\Windows\system32\Iabglnco.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1448 -
C:\Windows\SysWOW64\Ibdplaho.exeC:\Windows\system32\Ibdplaho.exe48⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Ilmedf32.exeC:\Windows\system32\Ilmedf32.exe49⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Jjdokb32.exeC:\Windows\system32\Jjdokb32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Jldkeeig.exeC:\Windows\system32\Jldkeeig.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:5160 -
C:\Windows\SysWOW64\Jbncbpqd.exeC:\Windows\system32\Jbncbpqd.exe52⤵
- Executes dropped EXE
PID:5200 -
C:\Windows\SysWOW64\Jjkdlall.exeC:\Windows\system32\Jjkdlall.exe53⤵
- Executes dropped EXE
PID:5248 -
C:\Windows\SysWOW64\Kalcik32.exeC:\Windows\system32\Kalcik32.exe54⤵
- Executes dropped EXE
PID:5288 -
C:\Windows\SysWOW64\Khihld32.exeC:\Windows\system32\Khihld32.exe55⤵
- Executes dropped EXE
PID:5332 -
C:\Windows\SysWOW64\Loemnnhe.exeC:\Windows\system32\Loemnnhe.exe56⤵
- Executes dropped EXE
PID:5376 -
C:\Windows\SysWOW64\Mhiabbdi.exeC:\Windows\system32\Mhiabbdi.exe57⤵
- Executes dropped EXE
PID:5416 -
C:\Windows\SysWOW64\Mhnjna32.exeC:\Windows\system32\Mhnjna32.exe58⤵
- Executes dropped EXE
PID:5464 -
C:\Windows\SysWOW64\Nlgbon32.exeC:\Windows\system32\Nlgbon32.exe59⤵
- Executes dropped EXE
PID:5508 -
C:\Windows\SysWOW64\Oljoen32.exeC:\Windows\system32\Oljoen32.exe60⤵
- Executes dropped EXE
PID:5548 -
C:\Windows\SysWOW64\Ollljmhg.exeC:\Windows\system32\Ollljmhg.exe61⤵
- Executes dropped EXE
PID:5588 -
C:\Windows\SysWOW64\Ofdqcc32.exeC:\Windows\system32\Ofdqcc32.exe62⤵
- Executes dropped EXE
PID:5628 -
C:\Windows\SysWOW64\Oheienli.exeC:\Windows\system32\Oheienli.exe63⤵
- Executes dropped EXE
PID:5668 -
C:\Windows\SysWOW64\Odljjo32.exeC:\Windows\system32\Odljjo32.exe64⤵
- Executes dropped EXE
PID:5708 -
C:\Windows\SysWOW64\Podkmgop.exeC:\Windows\system32\Podkmgop.exe65⤵
- Executes dropped EXE
PID:5748 -
C:\Windows\SysWOW64\Pdqcenmg.exeC:\Windows\system32\Pdqcenmg.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5788 -
C:\Windows\SysWOW64\Pkmhgh32.exeC:\Windows\system32\Pkmhgh32.exe67⤵
- Modifies registry class
PID:5828 -
C:\Windows\SysWOW64\Pokanf32.exeC:\Windows\system32\Pokanf32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5864 -
C:\Windows\SysWOW64\Pfeijqqe.exeC:\Windows\system32\Pfeijqqe.exe69⤵PID:5924
-
C:\Windows\SysWOW64\Amkabind.exeC:\Windows\system32\Amkabind.exe70⤵PID:5980
-
C:\Windows\SysWOW64\Afeban32.exeC:\Windows\system32\Afeban32.exe71⤵
- Drops file in System32 directory
PID:6112 -
C:\Windows\SysWOW64\Ciiaogon.exeC:\Windows\system32\Ciiaogon.exe72⤵
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Dfakcj32.exeC:\Windows\system32\Dfakcj32.exe73⤵PID:5192
-
C:\Windows\SysWOW64\Dmbiackg.exeC:\Windows\system32\Dmbiackg.exe74⤵
- Drops file in System32 directory
PID:672 -
C:\Windows\SysWOW64\Elhfbp32.exeC:\Windows\system32\Elhfbp32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5340 -
C:\Windows\SysWOW64\Fnnimbaj.exeC:\Windows\system32\Fnnimbaj.exe76⤵
- Modifies registry class
PID:5392 -
C:\Windows\SysWOW64\Ffnglc32.exeC:\Windows\system32\Ffnglc32.exe77⤵PID:5504
-
C:\Windows\SysWOW64\Flhoinbl.exeC:\Windows\system32\Flhoinbl.exe78⤵
- Modifies registry class
PID:5556 -
C:\Windows\SysWOW64\Gloejmld.exeC:\Windows\system32\Gloejmld.exe79⤵PID:5600
-
C:\Windows\SysWOW64\Gnoacp32.exeC:\Windows\system32\Gnoacp32.exe80⤵PID:5700
-
C:\Windows\SysWOW64\Gqokekph.exeC:\Windows\system32\Gqokekph.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5756 -
C:\Windows\SysWOW64\Hfefdpfe.exeC:\Windows\system32\Hfefdpfe.exe82⤵PID:5820
-
C:\Windows\SysWOW64\Hmpnqj32.exeC:\Windows\system32\Hmpnqj32.exe83⤵PID:4044
-
C:\Windows\SysWOW64\Hfhbipdb.exeC:\Windows\system32\Hfhbipdb.exe84⤵
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Hdicggla.exeC:\Windows\system32\Hdicggla.exe85⤵PID:5908
-
C:\Windows\SysWOW64\Imdgljil.exeC:\Windows\system32\Imdgljil.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4492 -
C:\Windows\SysWOW64\Igjlibib.exeC:\Windows\system32\Igjlibib.exe87⤵
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Iglhob32.exeC:\Windows\system32\Iglhob32.exe88⤵
- Drops file in System32 directory
PID:6136 -
C:\Windows\SysWOW64\Kfanflne.exeC:\Windows\system32\Kfanflne.exe89⤵PID:5188
-
C:\Windows\SysWOW64\Kfdklllb.exeC:\Windows\system32\Kfdklllb.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:5344 -
C:\Windows\SysWOW64\Kmbmdeoj.exeC:\Windows\system32\Kmbmdeoj.exe91⤵PID:5440
-
C:\Windows\SysWOW64\Leqkeajd.exeC:\Windows\system32\Leqkeajd.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5624 -
C:\Windows\SysWOW64\Mejnlpai.exeC:\Windows\system32\Mejnlpai.exe93⤵
- Drops file in System32 directory
PID:5716 -
C:\Windows\SysWOW64\Mkgfdgpq.exeC:\Windows\system32\Mkgfdgpq.exe94⤵PID:5836
-
C:\Windows\SysWOW64\Moglpedd.exeC:\Windows\system32\Moglpedd.exe95⤵
- Modifies registry class
PID:5892 -
C:\Windows\SysWOW64\Mknlef32.exeC:\Windows\system32\Mknlef32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5076 -
C:\Windows\SysWOW64\Ngifef32.exeC:\Windows\system32\Ngifef32.exe97⤵
- Modifies registry class
PID:4024 -
C:\Windows\SysWOW64\Nemchn32.exeC:\Windows\system32\Nemchn32.exe98⤵PID:5148
-
C:\Windows\SysWOW64\Ngnppfgb.exeC:\Windows\system32\Ngnppfgb.exe99⤵PID:5240
-
C:\Windows\SysWOW64\Oolnabal.exeC:\Windows\system32\Oolnabal.exe100⤵PID:6036
-
C:\Windows\SysWOW64\Odifjipd.exeC:\Windows\system32\Odifjipd.exe101⤵PID:5528
-
C:\Windows\SysWOW64\Pocdba32.exeC:\Windows\system32\Pocdba32.exe102⤵PID:5744
-
C:\Windows\SysWOW64\Pklamb32.exeC:\Windows\system32\Pklamb32.exe103⤵PID:3400
-
C:\Windows\SysWOW64\Pbfjjlgc.exeC:\Windows\system32\Pbfjjlgc.exe104⤵PID:4400
-
C:\Windows\SysWOW64\Qoocnpag.exeC:\Windows\system32\Qoocnpag.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5128 -
C:\Windows\SysWOW64\Qfilkj32.exeC:\Windows\system32\Qfilkj32.exe106⤵
- Drops file in System32 directory
PID:5320 -
C:\Windows\SysWOW64\Afnefieo.exeC:\Windows\system32\Afnefieo.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4540 -
C:\Windows\SysWOW64\Bomppneg.exeC:\Windows\system32\Bomppneg.exe108⤵PID:1972
-
C:\Windows\SysWOW64\Bejhhd32.exeC:\Windows\system32\Bejhhd32.exe109⤵
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Bpomem32.exeC:\Windows\system32\Bpomem32.exe110⤵PID:5944
-
C:\Windows\SysWOW64\Bfnnmg32.exeC:\Windows\system32\Bfnnmg32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3728 -
C:\Windows\SysWOW64\Bgokdomj.exeC:\Windows\system32\Bgokdomj.exe112⤵PID:4584
-
C:\Windows\SysWOW64\Ceehcc32.exeC:\Windows\system32\Ceehcc32.exe113⤵
- Modifies registry class
PID:5304 -
C:\Windows\SysWOW64\Cbihmg32.exeC:\Windows\system32\Cbihmg32.exe114⤵PID:4676
-
C:\Windows\SysWOW64\Cfljnejl.exeC:\Windows\system32\Cfljnejl.exe115⤵
- Modifies registry class
PID:6016 -
C:\Windows\SysWOW64\Dfngcdhi.exeC:\Windows\system32\Dfngcdhi.exe116⤵PID:6160
-
C:\Windows\SysWOW64\Eekjep32.exeC:\Windows\system32\Eekjep32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6204 -
C:\Windows\SysWOW64\Ebokodfc.exeC:\Windows\system32\Ebokodfc.exe118⤵
- Drops file in System32 directory
PID:6248 -
C:\Windows\SysWOW64\Ehnpmkbg.exeC:\Windows\system32\Ehnpmkbg.exe119⤵
- Modifies registry class
PID:6304 -
C:\Windows\SysWOW64\Ebeapc32.exeC:\Windows\system32\Ebeapc32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6388 -
C:\Windows\SysWOW64\Foonjd32.exeC:\Windows\system32\Foonjd32.exe121⤵PID:6472
-
C:\Windows\SysWOW64\Ifqoehhl.exeC:\Windows\system32\Ifqoehhl.exe122⤵PID:6512
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-