Analysis
-
max time kernel
135s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
15/05/2024, 23:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
695df1cc9433ea7bd3b981fcf0d3375d7b0fe68a7b8a6066bf74b938dfb946d9.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
695df1cc9433ea7bd3b981fcf0d3375d7b0fe68a7b8a6066bf74b938dfb946d9.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
695df1cc9433ea7bd3b981fcf0d3375d7b0fe68a7b8a6066bf74b938dfb946d9.exe
-
Size
512KB
-
MD5
c79cdf8ca25411e2480325fa70d41e49
-
SHA1
e030f0a5aed7f9e7be222d2e8cc0f9f07152b509
-
SHA256
695df1cc9433ea7bd3b981fcf0d3375d7b0fe68a7b8a6066bf74b938dfb946d9
-
SHA512
c44913b71b9cb1269baa81695e0af42250a6e5b50816e930fa751826b883075d53a5ae72fc79c8bb5482cd68672e7826ddc496f170e86e5109e58936c8eac180
-
SSDEEP
6144:7hrfUS+853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZ:dGQBpnchWcZ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdopod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Capchmmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djnaji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffbnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpnhekgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbanme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdffocib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmnjhioc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhfmalbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqfooodg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcedaheh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifmcdblq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kacphh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjmhppqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndbnboqb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkncdifl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Camfbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqciba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcpapkgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcekkjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gidphq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbhqjchp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbanme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjolnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfqjafdq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkpgck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfhqbe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njogjfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caimgncj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cibank32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejegjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoapbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbenqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iikopmkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfkoeppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kipabjil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qiappono.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cojqkbdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dohmlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epmcab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hippdo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgekbljc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfcpncdk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icljbg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpjqhgol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Camfbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmmfmbhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmmfmbhn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdedo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hikfip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laopdgcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpdelajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifhiib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jangmibi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kilhgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peonoaln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Appahiag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Denlnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjhfnccl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haidklda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hccglh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laefdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cidncj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Denlnk32.exe -
Executes dropped EXE 64 IoCs
pid Process 848 Phhqpn32.exe 4880 Ppphak32.exe 1804 Pnbimhfd.exe 4804 Pbpacfmj.exe 1020 Peonoaln.exe 3668 Peajdajk.exe 4516 Ppgobjia.exe 544 Pecgja32.exe 3164 Qnlkcfni.exe 3300 Qiappono.exe 4684 Qpkhmi32.exe 2292 Qamdda32.exe 3852 Qhfmalbg.exe 232 Appahiag.exe 988 Aaanpa32.exe 1600 Aojhdd32.exe 1072 Ahblmjhj.exe 1932 Bbhqjchp.exe 716 Bakqfp32.exe 4936 Bibigmpl.exe 4876 Booaodnd.exe 4448 Behiln32.exe 728 Bpnnig32.exe 4660 Bekfan32.exe 3740 Bhibni32.exe 2856 Bockjc32.exe 1168 Baaggo32.exe 2628 Bemcgmak.exe 3248 Bhlocipo.exe 3216 Ceblbm32.exe 2824 Clldogdc.exe 4696 Cojqkbdf.exe 2544 Caimgncj.exe 4824 Cipehkcl.exe 4692 Cpjmee32.exe 3116 Cakjmm32.exe 1536 Cibank32.exe 4940 Chebighd.exe 412 Cpljkdig.exe 2888 Camfbm32.exe 3120 Cidncj32.exe 2392 Cpofpdgd.exe 4832 Coagla32.exe 408 Capchmmb.exe 3888 Cekohk32.exe 1332 Dhjkdg32.exe 2220 Dpacfd32.exe 1360 Doccaall.exe 3624 Dabpnlkp.exe 3040 Denlnk32.exe 1680 Diihojkb.exe 5088 Dlgdkeje.exe 3176 Dcalgo32.exe 2452 Dadlclim.exe 4484 Djlddi32.exe 1744 Dohmlp32.exe 4132 Dcdimopp.exe 1036 Debeijoc.exe 1640 Djnaji32.exe 3612 Dllmfd32.exe 1980 Dokjbp32.exe 3504 Dcfebonm.exe 4992 Daifnk32.exe 816 Djpnohej.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jbkjjblm.exe Jdhine32.exe File opened for modification C:\Windows\SysWOW64\Mpkbebbf.exe Mnlfigcc.exe File opened for modification C:\Windows\SysWOW64\Dllmfd32.exe Djnaji32.exe File opened for modification C:\Windows\SysWOW64\Ebeejijj.exe Eofinnkf.exe File created C:\Windows\SysWOW64\Oeahce32.dll Gbgkfg32.exe File created C:\Windows\SysWOW64\Jpojcf32.exe Jaljgidl.exe File opened for modification C:\Windows\SysWOW64\Jfkoeppq.exe Jbocea32.exe File created C:\Windows\SysWOW64\Hdgohg32.dll Fbqefhpm.exe File opened for modification C:\Windows\SysWOW64\Hmioonpn.exe Himcoo32.exe File created C:\Windows\SysWOW64\Ibojncfj.exe Icljbg32.exe File created C:\Windows\SysWOW64\Lpcioj32.dll Hboagf32.exe File created C:\Windows\SysWOW64\Hcqjfh32.exe Hpenfjad.exe File opened for modification C:\Windows\SysWOW64\Ifhiib32.exe Icjmmg32.exe File opened for modification C:\Windows\SysWOW64\Jjpeepnb.exe Jfdida32.exe File created C:\Windows\SysWOW64\Jkdnpo32.exe Jfhbppbc.exe File created C:\Windows\SysWOW64\Baaggo32.exe Bockjc32.exe File created C:\Windows\SysWOW64\Ehlaaddj.exe Ejjqeg32.exe File created C:\Windows\SysWOW64\Eagncfoj.dll Gppekj32.exe File opened for modification C:\Windows\SysWOW64\Jigollag.exe Jkdnpo32.exe File opened for modification C:\Windows\SysWOW64\Kacphh32.exe Kilhgk32.exe File created C:\Windows\SysWOW64\Gbajhpfb.dll Gmoliohh.exe File created C:\Windows\SysWOW64\Ijaida32.exe Ibjqcd32.exe File created C:\Windows\SysWOW64\Egoqlckf.dll Ibjqcd32.exe File created C:\Windows\SysWOW64\Kckbqpnj.exe Kdhbec32.exe File created C:\Windows\SysWOW64\Lcmofolg.exe Ldkojb32.exe File opened for modification C:\Windows\SysWOW64\Efgodj32.exe Dakbckbe.exe File created C:\Windows\SysWOW64\Fhajlc32.exe Fjnjqfij.exe File created C:\Windows\SysWOW64\Kncfca32.dll Fjhmgeao.exe File opened for modification C:\Windows\SysWOW64\Njogjfoj.exe Nklfoi32.exe File created C:\Windows\SysWOW64\Iikopmkd.exe Ifmcdblq.exe File created C:\Windows\SysWOW64\Kpjjod32.exe Kmlnbi32.exe File opened for modification C:\Windows\SysWOW64\Mkgmcjld.exe Mglack32.exe File created C:\Windows\SysWOW64\Aaanpa32.exe Appahiag.exe File opened for modification C:\Windows\SysWOW64\Gmkbnp32.exe Gjlfbd32.exe File opened for modification C:\Windows\SysWOW64\Gfhqbe32.exe Gbldaffp.exe File created C:\Windows\SysWOW64\Cpljkdig.exe Chebighd.exe File created C:\Windows\SysWOW64\Ndbnboqb.exe Nqfbaq32.exe File opened for modification C:\Windows\SysWOW64\Ngpjnkpf.exe Ndbnboqb.exe File opened for modification C:\Windows\SysWOW64\Jdcpcf32.exe Jpgdbg32.exe File created C:\Windows\SysWOW64\Iljnde32.dll Jiikak32.exe File created C:\Windows\SysWOW64\Ogdimilg.dll Kpmfddnf.exe File created C:\Windows\SysWOW64\Ggmlbfpm.dll Dchbhn32.exe File created C:\Windows\SysWOW64\Efneehef.exe Ebbidj32.exe File created C:\Windows\SysWOW64\Jpckhigh.dll Gjjjle32.exe File created C:\Windows\SysWOW64\Akanejnd.dll Kipabjil.exe File created C:\Windows\SysWOW64\Mncmjfmk.exe Mjhqjg32.exe File opened for modification C:\Windows\SysWOW64\Nqiogp32.exe Nafokcol.exe File opened for modification C:\Windows\SysWOW64\Nggqoj32.exe Ncldnkae.exe File created C:\Windows\SysWOW64\Eddfam32.dll Qpkhmi32.exe File opened for modification C:\Windows\SysWOW64\Icljbg32.exe Iannfk32.exe File created C:\Windows\SysWOW64\Eeopdi32.dll Ijfboafl.exe File created C:\Windows\SysWOW64\Hehifldd.dll Kbapjafe.exe File created C:\Windows\SysWOW64\Lpappc32.exe Laopdgcg.exe File created C:\Windows\SysWOW64\Qpkhmi32.exe Qiappono.exe File opened for modification C:\Windows\SysWOW64\Ibccic32.exe Idacmfkj.exe File created C:\Windows\SysWOW64\Lmmcfa32.dll Kdopod32.exe File created C:\Windows\SysWOW64\Fnelfilp.dll Maohkd32.exe File opened for modification C:\Windows\SysWOW64\Appahiag.exe Qhfmalbg.exe File opened for modification C:\Windows\SysWOW64\Gpklpkio.exe Gqikdn32.exe File created C:\Windows\SysWOW64\Gjclbc32.exe Gfhqbe32.exe File created C:\Windows\SysWOW64\Gameonno.exe Gmaioo32.exe File opened for modification C:\Windows\SysWOW64\Hjfihc32.exe Hfjmgdlf.exe File created C:\Windows\SysWOW64\Appahiag.exe Qhfmalbg.exe File created C:\Windows\SysWOW64\Jgegko32.dll Diihojkb.exe -
Program crash 1 IoCs
pid pid_target Process 9388 10200 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncihikcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Behiln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhajlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll" Gpnhekgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfhqbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjclbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcpllo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnepih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfhilofo.dll" Ecphimfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miimhchp.dll" Eqciba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcpapkgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll" Kkkdan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgkhlnbn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldohebqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll" Lddbqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhlocipo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jagqlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncgkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Booaodnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpofpdgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bademghm.dll" Fmocba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peeafpaf.dll" Gbenqg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjlfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmlnbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmihaj32.dll" Ehonfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdopod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngpjnkpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kinemkko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkdggmlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 695df1cc9433ea7bd3b981fcf0d3375d7b0fe68a7b8a6066bf74b938dfb946d9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jidbflcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peonoaln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djnaji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efpajh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogkh32.dll" Hcedaheh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll" Iannfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbapjafe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcpapkgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll" Kilhgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcpebmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmona32.dll" Efgodj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipldfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbmfoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll" Gcekkjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll" Lcmofolg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maohkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nklfoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkindkmi.dll" Dabpnlkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojjgcdm.dll" Gfqjafdq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbfiep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efikji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcnejk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll" Ifmcdblq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpjflb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpgkkioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipckgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll" Lmqgnhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpaifalo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qamdda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdffocib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldaeka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgnnhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peonoaln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caimgncj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4160 wrote to memory of 848 4160 695df1cc9433ea7bd3b981fcf0d3375d7b0fe68a7b8a6066bf74b938dfb946d9.exe 83 PID 4160 wrote to memory of 848 4160 695df1cc9433ea7bd3b981fcf0d3375d7b0fe68a7b8a6066bf74b938dfb946d9.exe 83 PID 4160 wrote to memory of 848 4160 695df1cc9433ea7bd3b981fcf0d3375d7b0fe68a7b8a6066bf74b938dfb946d9.exe 83 PID 848 wrote to memory of 4880 848 Phhqpn32.exe 84 PID 848 wrote to memory of 4880 848 Phhqpn32.exe 84 PID 848 wrote to memory of 4880 848 Phhqpn32.exe 84 PID 4880 wrote to memory of 1804 4880 Ppphak32.exe 85 PID 4880 wrote to memory of 1804 4880 Ppphak32.exe 85 PID 4880 wrote to memory of 1804 4880 Ppphak32.exe 85 PID 1804 wrote to memory of 4804 1804 Pnbimhfd.exe 86 PID 1804 wrote to memory of 4804 1804 Pnbimhfd.exe 86 PID 1804 wrote to memory of 4804 1804 Pnbimhfd.exe 86 PID 4804 wrote to memory of 1020 4804 Pbpacfmj.exe 87 PID 4804 wrote to memory of 1020 4804 Pbpacfmj.exe 87 PID 4804 wrote to memory of 1020 4804 Pbpacfmj.exe 87 PID 1020 wrote to memory of 3668 1020 Peonoaln.exe 88 PID 1020 wrote to memory of 3668 1020 Peonoaln.exe 88 PID 1020 wrote to memory of 3668 1020 Peonoaln.exe 88 PID 3668 wrote to memory of 4516 3668 Peajdajk.exe 89 PID 3668 wrote to memory of 4516 3668 Peajdajk.exe 89 PID 3668 wrote to memory of 4516 3668 Peajdajk.exe 89 PID 4516 wrote to memory of 544 4516 Ppgobjia.exe 90 PID 4516 wrote to memory of 544 4516 Ppgobjia.exe 90 PID 4516 wrote to memory of 544 4516 Ppgobjia.exe 90 PID 544 wrote to memory of 3164 544 Pecgja32.exe 91 PID 544 wrote to memory of 3164 544 Pecgja32.exe 91 PID 544 wrote to memory of 3164 544 Pecgja32.exe 91 PID 3164 wrote to memory of 3300 3164 Qnlkcfni.exe 92 PID 3164 wrote to memory of 3300 3164 Qnlkcfni.exe 92 PID 3164 wrote to memory of 3300 3164 Qnlkcfni.exe 92 PID 3300 wrote to memory of 4684 3300 Qiappono.exe 93 PID 3300 wrote to memory of 4684 3300 Qiappono.exe 93 PID 3300 wrote to memory of 4684 3300 Qiappono.exe 93 PID 4684 wrote to memory of 2292 4684 Qpkhmi32.exe 94 PID 4684 wrote to memory of 2292 4684 Qpkhmi32.exe 94 PID 4684 wrote to memory of 2292 4684 Qpkhmi32.exe 94 PID 2292 wrote to memory of 3852 2292 Qamdda32.exe 95 PID 2292 wrote to memory of 3852 2292 Qamdda32.exe 95 PID 2292 wrote to memory of 3852 2292 Qamdda32.exe 95 PID 3852 wrote to memory of 232 3852 Qhfmalbg.exe 98 PID 3852 wrote to memory of 232 3852 Qhfmalbg.exe 98 PID 3852 wrote to memory of 232 3852 Qhfmalbg.exe 98 PID 232 wrote to memory of 988 232 Appahiag.exe 99 PID 232 wrote to memory of 988 232 Appahiag.exe 99 PID 232 wrote to memory of 988 232 Appahiag.exe 99 PID 988 wrote to memory of 1600 988 Aaanpa32.exe 100 PID 988 wrote to memory of 1600 988 Aaanpa32.exe 100 PID 988 wrote to memory of 1600 988 Aaanpa32.exe 100 PID 1600 wrote to memory of 1072 1600 Aojhdd32.exe 101 PID 1600 wrote to memory of 1072 1600 Aojhdd32.exe 101 PID 1600 wrote to memory of 1072 1600 Aojhdd32.exe 101 PID 1072 wrote to memory of 1932 1072 Ahblmjhj.exe 102 PID 1072 wrote to memory of 1932 1072 Ahblmjhj.exe 102 PID 1072 wrote to memory of 1932 1072 Ahblmjhj.exe 102 PID 1932 wrote to memory of 716 1932 Bbhqjchp.exe 103 PID 1932 wrote to memory of 716 1932 Bbhqjchp.exe 103 PID 1932 wrote to memory of 716 1932 Bbhqjchp.exe 103 PID 716 wrote to memory of 4936 716 Bakqfp32.exe 104 PID 716 wrote to memory of 4936 716 Bakqfp32.exe 104 PID 716 wrote to memory of 4936 716 Bakqfp32.exe 104 PID 4936 wrote to memory of 4876 4936 Bibigmpl.exe 106 PID 4936 wrote to memory of 4876 4936 Bibigmpl.exe 106 PID 4936 wrote to memory of 4876 4936 Bibigmpl.exe 106 PID 4876 wrote to memory of 4448 4876 Booaodnd.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\695df1cc9433ea7bd3b981fcf0d3375d7b0fe68a7b8a6066bf74b938dfb946d9.exe"C:\Users\Admin\AppData\Local\Temp\695df1cc9433ea7bd3b981fcf0d3375d7b0fe68a7b8a6066bf74b938dfb946d9.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\SysWOW64\Phhqpn32.exeC:\Windows\system32\Phhqpn32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Ppphak32.exeC:\Windows\system32\Ppphak32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Pnbimhfd.exeC:\Windows\system32\Pnbimhfd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Pbpacfmj.exeC:\Windows\system32\Pbpacfmj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Peonoaln.exeC:\Windows\system32\Peonoaln.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Peajdajk.exeC:\Windows\system32\Peajdajk.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Ppgobjia.exeC:\Windows\system32\Ppgobjia.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Pecgja32.exeC:\Windows\system32\Pecgja32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Qnlkcfni.exeC:\Windows\system32\Qnlkcfni.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\SysWOW64\Qiappono.exeC:\Windows\system32\Qiappono.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\Qpkhmi32.exeC:\Windows\system32\Qpkhmi32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\Qamdda32.exeC:\Windows\system32\Qamdda32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Qhfmalbg.exeC:\Windows\system32\Qhfmalbg.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\SysWOW64\Appahiag.exeC:\Windows\system32\Appahiag.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Aaanpa32.exeC:\Windows\system32\Aaanpa32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:988 -
C:\Windows\SysWOW64\Aojhdd32.exeC:\Windows\system32\Aojhdd32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Ahblmjhj.exeC:\Windows\system32\Ahblmjhj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Bbhqjchp.exeC:\Windows\system32\Bbhqjchp.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Bakqfp32.exeC:\Windows\system32\Bakqfp32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:716 -
C:\Windows\SysWOW64\Bibigmpl.exeC:\Windows\system32\Bibigmpl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Booaodnd.exeC:\Windows\system32\Booaodnd.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\SysWOW64\Behiln32.exeC:\Windows\system32\Behiln32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4448 -
C:\Windows\SysWOW64\Bpnnig32.exeC:\Windows\system32\Bpnnig32.exe24⤵
- Executes dropped EXE
PID:728 -
C:\Windows\SysWOW64\Bekfan32.exeC:\Windows\system32\Bekfan32.exe25⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Bhibni32.exeC:\Windows\system32\Bhibni32.exe26⤵
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Bockjc32.exeC:\Windows\system32\Bockjc32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Baaggo32.exeC:\Windows\system32\Baaggo32.exe28⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Bemcgmak.exeC:\Windows\system32\Bemcgmak.exe29⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Bhlocipo.exeC:\Windows\system32\Bhlocipo.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:3248 -
C:\Windows\SysWOW64\Ceblbm32.exeC:\Windows\system32\Ceblbm32.exe31⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Clldogdc.exeC:\Windows\system32\Clldogdc.exe32⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Cojqkbdf.exeC:\Windows\system32\Cojqkbdf.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Caimgncj.exeC:\Windows\system32\Caimgncj.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Cipehkcl.exeC:\Windows\system32\Cipehkcl.exe35⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Cpjmee32.exeC:\Windows\system32\Cpjmee32.exe36⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Cakjmm32.exeC:\Windows\system32\Cakjmm32.exe37⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Cibank32.exeC:\Windows\system32\Cibank32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Chebighd.exeC:\Windows\system32\Chebighd.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4940 -
C:\Windows\SysWOW64\Cpljkdig.exeC:\Windows\system32\Cpljkdig.exe40⤵
- Executes dropped EXE
PID:412 -
C:\Windows\SysWOW64\Camfbm32.exeC:\Windows\system32\Camfbm32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Cidncj32.exeC:\Windows\system32\Cidncj32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Cpofpdgd.exeC:\Windows\system32\Cpofpdgd.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Coagla32.exeC:\Windows\system32\Coagla32.exe44⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Capchmmb.exeC:\Windows\system32\Capchmmb.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe46⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Dhjkdg32.exeC:\Windows\system32\Dhjkdg32.exe47⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Dpacfd32.exeC:\Windows\system32\Dpacfd32.exe48⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Doccaall.exeC:\Windows\system32\Doccaall.exe49⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Dabpnlkp.exeC:\Windows\system32\Dabpnlkp.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3624 -
C:\Windows\SysWOW64\Denlnk32.exeC:\Windows\system32\Denlnk32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Diihojkb.exeC:\Windows\system32\Diihojkb.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Dlgdkeje.exeC:\Windows\system32\Dlgdkeje.exe53⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe54⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Dadlclim.exeC:\Windows\system32\Dadlclim.exe55⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe56⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe58⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Debeijoc.exeC:\Windows\system32\Debeijoc.exe59⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Djnaji32.exeC:\Windows\system32\Djnaji32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe61⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Dokjbp32.exeC:\Windows\system32\Dokjbp32.exe62⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe63⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe64⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe65⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe66⤵PID:1420
-
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe67⤵
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Dchbhn32.exeC:\Windows\system32\Dchbhn32.exe68⤵
- Drops file in System32 directory
PID:624 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe69⤵
- Drops file in System32 directory
PID:392 -
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe70⤵
- Modifies registry class
PID:4848 -
C:\Windows\SysWOW64\Ehekqe32.exeC:\Windows\system32\Ehekqe32.exe71⤵PID:2040
-
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5044 -
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe73⤵PID:3416
-
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe74⤵PID:516
-
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe75⤵PID:4272
-
C:\Windows\SysWOW64\Efikji32.exeC:\Windows\system32\Efikji32.exe76⤵
- Modifies registry class
PID:4372 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5032 -
C:\Windows\SysWOW64\Elccfc32.exeC:\Windows\system32\Elccfc32.exe78⤵PID:512
-
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe79⤵PID:1728
-
C:\Windows\SysWOW64\Eoapbo32.exeC:\Windows\system32\Eoapbo32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:752 -
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe81⤵PID:3084
-
C:\Windows\SysWOW64\Eflhoigi.exeC:\Windows\system32\Eflhoigi.exe82⤵PID:2260
-
C:\Windows\SysWOW64\Ejgdpg32.exeC:\Windows\system32\Ejgdpg32.exe83⤵PID:3144
-
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe84⤵PID:4840
-
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe85⤵PID:940
-
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe86⤵PID:4440
-
C:\Windows\SysWOW64\Ecphimfb.exeC:\Windows\system32\Ecphimfb.exe87⤵
- Modifies registry class
PID:5144 -
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe88⤵
- Drops file in System32 directory
PID:5188 -
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe89⤵PID:5228
-
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe90⤵
- Drops file in System32 directory
PID:5268 -
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe91⤵PID:5308
-
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5356 -
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe93⤵
- Drops file in System32 directory
PID:5400 -
C:\Windows\SysWOW64\Ebeejijj.exeC:\Windows\system32\Ebeejijj.exe94⤵PID:5440
-
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe95⤵
- Modifies registry class
PID:5480 -
C:\Windows\SysWOW64\Ehonfc32.exeC:\Windows\system32\Ehonfc32.exe96⤵
- Modifies registry class
PID:5520 -
C:\Windows\SysWOW64\Emjjgbjp.exeC:\Windows\system32\Emjjgbjp.exe97⤵PID:5564
-
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe98⤵PID:5600
-
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe99⤵PID:5644
-
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe100⤵PID:5696
-
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5736 -
C:\Windows\SysWOW64\Fjnjqfij.exeC:\Windows\system32\Fjnjqfij.exe102⤵
- Drops file in System32 directory
PID:5780 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe103⤵
- Modifies registry class
PID:5820 -
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5868 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe105⤵PID:5912
-
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe106⤵PID:5956
-
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe107⤵PID:6000
-
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe108⤵PID:6040
-
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe109⤵
- Modifies registry class
PID:6080 -
C:\Windows\SysWOW64\Fqkocpod.exeC:\Windows\system32\Fqkocpod.exe110⤵PID:6124
-
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe111⤵PID:5152
-
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe112⤵PID:5224
-
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe113⤵PID:5300
-
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe114⤵PID:5384
-
C:\Windows\SysWOW64\Fmapha32.exeC:\Windows\system32\Fmapha32.exe115⤵PID:5464
-
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe116⤵PID:5560
-
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe117⤵PID:5652
-
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe118⤵PID:5728
-
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe119⤵PID:5664
-
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe120⤵PID:5852
-
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe121⤵
- Modifies registry class
PID:5924
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-