Analysis

max time kernel: 148s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2023 06:10

Static task
static1
1 signatures

Behavioral task
behavioral1
Sample: b84abbc057f2791ebc66eae1449d6690_JC.exe
Resource: win7-20230831-en (windows7-x64)
7 signatures
150 seconds

Behavioral task
behavioral2
Sample: b84abbc057f2791ebc66eae1449d6690_JC.exe
Resource: win10v2004-20230915-en (windows10-2004-x64)
6 signatures
150 seconds

General

Target: b84abbc057f2791ebc66eae1449d6690_JC.exe
Size: 89KB
MD5: b84abbc057f2791ebc66eae1449d6690
SHA1: 5c379fc5e6eb23bf0787f51ee22d063a8819c421
SHA256: 42cb42be6cd388f08f8e60dc45b8ccce9f21d19e5b1aad1a3795c3ee2f60f82c
SHA512: dd099642d6859267eb94451df5dcbea4f4a0d08228a693a3854dea538c2ca89681862920450866c1902cb22627c26c1b2925028d9b5ddd42a2e00fb8c598675d
SSDEEP: 1536:qv2W/RRn1CSbCx8WW/ikRJnauLB+FwcFaRQBD68a+VMKKTRVGFtUhQfR1WRaRORY:qv2kn1CSOx/W/imVauQOeAr4MKy3G7Ug
Score: 10/10

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohkkanbe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dofgklcb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oooodcci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ajhdmplk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mngepb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aiejda32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocldhqgb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifhibhfc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fooecl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Heochp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onapnbhi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnppkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jddggb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gmkibl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdbked32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ngpcmj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekaaio32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngeaej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cknlln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Idpdfija.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cckmklac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fpjcpbdn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ficlmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fqfeag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aaqgop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mhgfdmle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nipedokm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njaakf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nmmgae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Inflio32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojjoedfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hljnkdnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ifmcmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bifblbad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mnbnchlb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kojdkhdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jkeloa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ncakglka.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgefae32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekhncp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ofhcdlgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nmpdgdmp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dccjfaog.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llbphdfl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Malgmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Iameid32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oilmhhfd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pgpmdh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngombd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Qkjlpk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ocknmjcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Agcikk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dikpla32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmdjjemp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmobdm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Phmhgmpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ilnbch32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgmfel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ehcndkaa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aghdco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Egnhcgeb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhbqalle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Apcllk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aokcjngj.exe
Executes dropped EXE (64 IoCs)

pid | Process
1372 | Ndfanlpi.exe
3112 | Ofhcdlgg.exe
3464 | Qffoejkg.exe
1004 | Aofjoo32.exe
1420 | Aokcjngj.exe
3572 | Bnppkj32.exe
1916 | Bkfmjnii.exe
1200 | Bpdfpmoo.exe
3792 | Dhbqalle.exe
2300 | Eoconenj.exe
2120 | Fgcjea32.exe
1744 | Fofdkcmd.exe
4512 | Gjghdj32.exe
1944 | Hfpenj32.exe
3368 | Hljnkdnk.exe
4420 | Hhckeeam.exe
4556 | Hhehkepj.exe
1384 | Ifihdi32.exe
3676 | Icpecm32.exe
3884 | Jmdjha32.exe
216 | Kgqdfi32.exe
228 | Kidmcqeg.exe
4788 | Lmfodn32.exe
960 | Lagepl32.exe
2320 | Lhcjbfag.exe
1304 | Mdlgmgdh.exe
316 | Mpedgghj.exe
372 | Nfaijand.exe
2244 | Niglfl32.exe
4688 | Ohkijc32.exe
3380 | Opfnne32.exe
2892 | Okkalnjm.exe
836 | Opmcod32.exe
1036 | Paaidf32.exe
756 | Phpklp32.exe
1720 | Qkcackeb.exe
768 | Ancjef32.exe
4380 | Adpogp32.exe
3024 | Ajaqjfbp.exe
3136 | Bdgehobe.exe
3316 | Bnoiqd32.exe
3560 | Bkhceh32.exe
3612 | Bkjpkg32.exe
4924 | Cgaqphgl.exe
1124 | Ckoifgmb.exe
4368 | Cgejkh32.exe
4280 | Cejjdlap.exe
3616 | Capkim32.exe
396 | Dabhomea.exe
4392 | Deqqek32.exe
2716 | Dlmegd32.exe
4712 | Dhcfleff.exe
4212 | Dhfcae32.exe
2784 | Ehhpge32.exe
1060 | Elfhmc32.exe
1628 | Eliecc32.exe
4504 | Ejnbdp32.exe
732 | Eahjqicj.exe
3360 | Fhbbmc32.exe
2564 | Fhdocc32.exe
4732 | Fbjcplhj.exe
3132 | Ficlmf32.exe
460 | Fejlbgek.exe
1048 | Faamghko.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Eofgioah.exe | Eilomd32.exe
File created | C:\Windows\SysWOW64\Eiahhdee.exe | Eohcon32.exe
File created | C:\Windows\SysWOW64\Bgdjicmn.exe | Agndidce.exe
File created | C:\Windows\SysWOW64\Fghhpq32.dll | Gmmome32.exe
File created | C:\Windows\SysWOW64\Gbpnegbo.exe | Glcelq32.exe
File created | C:\Windows\SysWOW64\Qcbmegol.exe | Qgllpf32.exe
File created | C:\Windows\SysWOW64\Pmomfb32.dll | Cflkihbd.exe
File opened for modification | C:\Windows\SysWOW64\Dlfniafa.exe | Djgbmffn.exe
File opened for modification | C:\Windows\SysWOW64\Ehcndkaa.exe | Ecfeldcj.exe
File opened for modification | C:\Windows\SysWOW64\Cdlpjicj.exe | Ckclacmi.exe
File created | C:\Windows\SysWOW64\Ddifaqcn.exe | Dkqahk32.exe
File created | C:\Windows\SysWOW64\Lhcjbfag.exe | Lagepl32.exe
File created | C:\Windows\SysWOW64\Melfpb32.exe | Mnbnchlb.exe
File created | C:\Windows\SysWOW64\Dcmdnb32.dll | Kfanen32.exe
File opened for modification | C:\Windows\SysWOW64\Cpbbln32.exe | Cihjpd32.exe
File created | C:\Windows\SysWOW64\Jeeded32.dll | Cggifn32.exe
File created | C:\Windows\SysWOW64\Nackep32.dll | Qpahghbg.exe
File created | C:\Windows\SysWOW64\Pgoijppn.dll | Dnhgcgbi.exe
File created | C:\Windows\SysWOW64\Onifpodl.exe | Oilmhhfd.exe
File created | C:\Windows\SysWOW64\Aoejoj32.dll | Daqbbe32.exe
File created | C:\Windows\SysWOW64\Pbaihddp.dll | Gpmgph32.exe
File created | C:\Windows\SysWOW64\Eammlc32.dll | Qkjgomgb.exe
File opened for modification | C:\Windows\SysWOW64\Emknmi32.exe | Efafqolp.exe
File created | C:\Windows\SysWOW64\Bhhhma32.dll | Opjnai32.exe
File created | C:\Windows\SysWOW64\Pcnhfi32.exe | Onapnbhi.exe
File opened for modification | C:\Windows\SysWOW64\Ofdhlh32.exe | Opjponbf.exe
File created | C:\Windows\SysWOW64\Ffhnocfd.exe | Fmmmqnaf.exe
File opened for modification | C:\Windows\SysWOW64\Loecgfjf.exe | Ldpoinjq.exe
File opened for modification | C:\Windows\SysWOW64\Ifjfhh32.exe | Imbaobmp.exe
File opened for modification | C:\Windows\SysWOW64\Mflgff32.exe | Loeoei32.exe
File opened for modification | C:\Windows\SysWOW64\Inkjao32.exe | Igoeoe32.exe
File created | C:\Windows\SysWOW64\Ofkkpagl.dll | Knoonphp.exe
File opened for modification | C:\Windows\SysWOW64\Knioij32.exe | Jngbcj32.exe
File opened for modification | C:\Windows\SysWOW64\Jlafhkfe.exe | Jchaoe32.exe
File created | C:\Windows\SysWOW64\Ahnclp32.exe | Abqjci32.exe
File created | C:\Windows\SysWOW64\Fmbbhi32.dll | Hjhfgi32.exe
File opened for modification | C:\Windows\SysWOW64\Pcagjndj.exe | Pndoagfc.exe
File created | C:\Windows\SysWOW64\Legngqpa.dll | Pnakaa32.exe
File created | C:\Windows\SysWOW64\Fjhiogqh.dll | Mnbnchlb.exe
File created | C:\Windows\SysWOW64\Panabc32.exe | Pkaijl32.exe
File created | C:\Windows\SysWOW64\Qekbaf32.exe | Pehekgmp.exe
File created | C:\Windows\SysWOW64\Bbhkgb32.dll | Dckdddcd.exe
File created | C:\Windows\SysWOW64\Gopdnemk.dll | Qckbggad.exe
File created | C:\Windows\SysWOW64\Odocbmfd.exe | Ojjoedfn.exe
File opened for modification | C:\Windows\SysWOW64\Aompjamo.exe | Ajqgbjoh.exe
File created | C:\Windows\SysWOW64\Almnebcg.dll | Nacmnlkd.exe
File created | C:\Windows\SysWOW64\Kllibo32.dll | Jlmfomcp.exe
File created | C:\Windows\SysWOW64\Jhfihp32.exe | Jpoagb32.exe
File opened for modification | C:\Windows\SysWOW64\Echbad32.exe | Ehcndkaa.exe
File opened for modification | C:\Windows\SysWOW64\Eidlhj32.exe | Ebjckppa.exe
File created | C:\Windows\SysWOW64\Ebkolf32.dll | Jmplbk32.exe
File created | C:\Windows\SysWOW64\Laheqjdd.dll | Qaoofaoi.exe
File created | C:\Windows\SysWOW64\Dpmihlcf.dll | Bnppkj32.exe
File created | C:\Windows\SysWOW64\Okkalnjm.exe | Opfnne32.exe
File created | C:\Windows\SysWOW64\Ndghli32.dll | Opbcdieb.exe
File opened for modification | C:\Windows\SysWOW64\Iaaflh32.exe | Hkgnpn32.exe
File created | C:\Windows\SysWOW64\Oaliidon.exe | Ojbamj32.exe
File created | C:\Windows\SysWOW64\Ndjfmf32.dll | Ehhgpj32.exe
File created | C:\Windows\SysWOW64\Hbcklkee.exe | Habndbpf.exe
File opened for modification | C:\Windows\SysWOW64\Bqhlpbjd.exe | Bgpggm32.exe
File created | C:\Windows\SysWOW64\Bhmokfdk.dll | Kpoaed32.exe
File opened for modification | C:\Windows\SysWOW64\Ldccid32.exe | Lnikmjdm.exe
File opened for modification | C:\Windows\SysWOW64\Ejennd32.exe | Eckfaj32.exe
File created | C:\Windows\SysWOW64\Lfdjkn32.dll | Coegih32.exe
Program crash (2 IoCs)

pid | pid_target | Process | procid_target
3104 | 8460 | WerFault.exe | 1095
8404 | 8460 | WerFault.exe | 1095
Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peajhk32.dll" | Lpcedbjp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Epjadk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kkofofbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdkgi32.dll" | Nffljjfc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dfclmfhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blggmjbd.dll" | Knjhae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaddifhc.dll" | Kgeiokao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdflk32.dll" | Qbekgknb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbnbgcei.dll" | Hipdjfoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqmdhonl.dll" | Jiglgl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kpoaed32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kcmmap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpioeell.dll" | Ofhcdlgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkjbfi32.dll" | Ihdjfhhc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ppjbfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ajaqjfbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llfmba32.dll" | Pcdjic32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Codhgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hmhmko32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Lqfgfclm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ngbeok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekijfnm.dll" | Kmaooihb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Gonilenb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbpjb32.dll" | Haclio32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jhmfba32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kfanen32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmmcbgi.dll" | Coqnmkpd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Feofmf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Emanepld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnncad32.dll" | Loeoei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Olqofjhn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mjneec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjneikmp.dll" | Pgmkbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ndfqlnno.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bokeai32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Gpqjaanf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fodkoepa.dll" | Bnfiapfj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Nmfchq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Idbonc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlhadl32.dll" | Gpeclq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ofhcdlgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blgmmd32.dll" | Lfjchn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fmpaqd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ihfglhfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kkaljpmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Qajhigcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kdigkjpl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kkooep32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ihkila32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cpjmok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdaemjcg.dll" | Bmomecoi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ljpideje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kgkfhngo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Akdfndpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjfmf32.dll" | Ehhgpj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Pcagjndj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknhff32.dll" | Homadjin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ocknmjcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ncplekbq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ieoapl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Lajmmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Oooodcci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Gkjocm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfolobpo.dll" | Ngbpbjoe.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 3068 wrote to memory of 1372 | 3068 | b84abbc057f2791ebc66eae1449d6690_JC.exe | 90
PID 3068 wrote to memory of 1372 | 3068 | b84abbc057f2791ebc66eae1449d6690_JC.exe | 90
PID 3068 wrote to memory of 1372 | 3068 | b84abbc057f2791ebc66eae1449d6690_JC.exe | 90
PID 1372 wrote to memory of 3112 | 1372 | Ndfanlpi.exe | 91
PID 1372 wrote to memory of 3112 | 1372 | Ndfanlpi.exe | 91
PID 1372 wrote to memory of 3112 | 1372 | Ndfanlpi.exe | 91
PID 3112 wrote to memory of 3464 | 3112 | Ofhcdlgg.exe | 92
PID 3112 wrote to memory of 3464 | 3112 | Ofhcdlgg.exe | 92
PID 3112 wrote to memory of 3464 | 3112 | Ofhcdlgg.exe | 92
PID 3464 wrote to memory of 1004 | 3464 | Qffoejkg.exe | 93
PID 3464 wrote to memory of 1004 | 3464 | Qffoejkg.exe | 93
PID 3464 wrote to memory of 1004 | 3464 | Qffoejkg.exe | 93
PID 1004 wrote to memory of 1420 | 1004 | Aofjoo32.exe | 94
PID 1004 wrote to memory of 1420 | 1004 | Aofjoo32.exe | 94
PID 1004 wrote to memory of 1420 | 1004 | Aofjoo32.exe | 94
PID 1420 wrote to memory of 3572 | 1420 | Aokcjngj.exe | 95
PID 1420 wrote to memory of 3572 | 1420 | Aokcjngj.exe | 95
PID 1420 wrote to memory of 3572 | 1420 | Aokcjngj.exe | 95
PID 3572 wrote to memory of 1916 | 3572 | Bnppkj32.exe | 96
PID 3572 wrote to memory of 1916 | 3572 | Bnppkj32.exe | 96
PID 3572 wrote to memory of 1916 | 3572 | Bnppkj32.exe | 96
PID 1916 wrote to memory of 1200 | 1916 | Bkfmjnii.exe | 97
PID 1916 wrote to memory of 1200 | 1916 | Bkfmjnii.exe | 97
PID 1916 wrote to memory of 1200 | 1916 | Bkfmjnii.exe | 97
PID 1200 wrote to memory of 3792 | 1200 | Bpdfpmoo.exe | 98
PID 1200 wrote to memory of 3792 | 1200 | Bpdfpmoo.exe | 98
PID 1200 wrote to memory of 3792 | 1200 | Bpdfpmoo.exe | 98
PID 3792 wrote to memory of 2300 | 3792 | Dhbqalle.exe | 99
PID 3792 wrote to memory of 2300 | 3792 | Dhbqalle.exe | 99
PID 3792 wrote to memory of 2300 | 3792 | Dhbqalle.exe | 99
PID 2300 wrote to memory of 2120 | 2300 | Eoconenj.exe | 100
PID 2300 wrote to memory of 2120 | 2300 | Eoconenj.exe | 100
PID 2300 wrote to memory of 2120 | 2300 | Eoconenj.exe | 100
PID 2120 wrote to memory of 1744 | 2120 | Fgcjea32.exe | 101
PID 2120 wrote to memory of 1744 | 2120 | Fgcjea32.exe | 101
PID 2120 wrote to memory of 1744 | 2120 | Fgcjea32.exe | 101
PID 1744 wrote to memory of 4512 | 1744 | Fofdkcmd.exe | 102
PID 1744 wrote to memory of 4512 | 1744 | Fofdkcmd.exe | 102
PID 1744 wrote to memory of 4512 | 1744 | Fofdkcmd.exe | 102
PID 4512 wrote to memory of 1944 | 4512 | Gjghdj32.exe | 103
PID 4512 wrote to memory of 1944 | 4512 | Gjghdj32.exe | 103
PID 4512 wrote to memory of 1944 | 4512 | Gjghdj32.exe | 103
PID 1944 wrote to memory of 3368 | 1944 | Hfpenj32.exe | 104
PID 1944 wrote to memory of 3368 | 1944 | Hfpenj32.exe | 104
PID 1944 wrote to memory of 3368 | 1944 | Hfpenj32.exe | 104
PID 3368 wrote to memory of 4420 | 3368 | Hljnkdnk.exe | 105
PID 3368 wrote to memory of 4420 | 3368 | Hljnkdnk.exe | 105
PID 3368 wrote to memory of 4420 | 3368 | Hljnkdnk.exe | 105
PID 4420 wrote to memory of 4556 | 4420 | Hhckeeam.exe | 106
PID 4420 wrote to memory of 4556 | 4420 | Hhckeeam.exe | 106
PID 4420 wrote to memory of 4556 | 4420 | Hhckeeam.exe | 106
PID 4556 wrote to memory of 1384 | 4556 | Hhehkepj.exe | 107
PID 4556 wrote to memory of 1384 | 4556 | Hhehkepj.exe | 107
PID 4556 wrote to memory of 1384 | 4556 | Hhehkepj.exe | 107
PID 1384 wrote to memory of 3676 | 1384 | Ifihdi32.exe | 108
PID 1384 wrote to memory of 3676 | 1384 | Ifihdi32.exe | 108
PID 1384 wrote to memory of 3676 | 1384 | Ifihdi32.exe | 108
PID 3676 wrote to memory of 3884 | 3676 | Icpecm32.exe | 109
PID 3676 wrote to memory of 3884 | 3676 | Icpecm32.exe | 109
PID 3676 wrote to memory of 3884 | 3676 | Icpecm32.exe | 109
PID 3884 wrote to memory of 216 | 3884 | Jmdjha32.exe | 110
PID 3884 wrote to memory of 216 | 3884 | Jmdjha32.exe | 110
PID 3884 wrote to memory of 216 | 3884 | Jmdjha32.exe | 110
PID 216 wrote to memory of 228 | 216 | Kgqdfi32.exe | 111
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\b84abbc057f2791ebc66eae1449d6690_JC.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b84abbc057f2791ebc66eae1449d6690_JC.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3068

[depth 2] C:\Windows\SysWOW64\Ndfanlpi.exe
  command line: C:\Windows\system32\Ndfanlpi.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1372

[depth 3] C:\Windows\SysWOW64\Ofhcdlgg.exe
  command line: C:\Windows\system32\Ofhcdlgg.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3112

[depth 4] C:\Windows\SysWOW64\Qffoejkg.exe
  command line: C:\Windows\system32\Qffoejkg.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3464

[depth 5] C:\Windows\SysWOW64\Aofjoo32.exe
  command line: C:\Windows\system32\Aofjoo32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1004

[depth 6] C:\Windows\SysWOW64\Aokcjngj.exe
  command line: C:\Windows\system32\Aokcjngj.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1420

[depth 7] C:\Windows\SysWOW64\Bnppkj32.exe
  command line: C:\Windows\system32\Bnppkj32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 3572

[depth 8] C:\Windows\SysWOW64\Bkfmjnii.exe
  command line: C:\Windows\system32\Bkfmjnii.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1916

[depth 9] C:\Windows\SysWOW64\Bpdfpmoo.exe
  command line: C:\Windows\system32\Bpdfpmoo.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1200

[depth 10] C:\Windows\SysWOW64\Dhbqalle.exe
  command line: C:\Windows\system32\Dhbqalle.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3792

[depth 11] C:\Windows\SysWOW64\Eoconenj.exe
  command line: C:\Windows\system32\Eoconenj.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2300

[depth 12] C:\Windows\SysWOW64\Fgcjea32.exe
  command line: C:\Windows\system32\Fgcjea32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2120

[depth 13] C:\Windows\SysWOW64\Fofdkcmd.exe
  command line: C:\Windows\system32\Fofdkcmd.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1744

[depth 14] C:\Windows\SysWOW64\Gjghdj32.exe
  command line: C:\Windows\system32\Gjghdj32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4512

[depth 15] C:\Windows\SysWOW64\Hfpenj32.exe
  command line: C:\Windows\system32\Hfpenj32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1944

[depth 16] C:\Windows\SysWOW64\Hljnkdnk.exe
  command line: C:\Windows\system32\Hljnkdnk.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3368

[depth 17] C:\Windows\SysWOW64\Hhckeeam.exe
  command line: C:\Windows\system32\Hhckeeam.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4420

[depth 18] C:\Windows\SysWOW64\Hhehkepj.exe
  command line: C:\Windows\system32\Hhehkepj.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4556

[depth 19] C:\Windows\SysWOW64\Ifihdi32.exe
  command line: C:\Windows\system32\Ifihdi32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1384

[depth 20] C:\Windows\SysWOW64\Icpecm32.exe
  command line: C:\Windows\system32\Icpecm32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3676

[depth 21] C:\Windows\SysWOW64\Jmdjha32.exe
  command line: C:\Windows\system32\Jmdjha32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3884

[depth 22] C:\Windows\SysWOW64\Kgqdfi32.exe
  command line: C:\Windows\system32\Kgqdfi32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Kidmcqeg.exeC:\Windows\system32\Kidmcqeg.exe23⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Lmfodn32.exeC:\Windows\system32\Lmfodn32.exe24⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Lagepl32.exeC:\Windows\system32\Lagepl32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:960 -
C:\Windows\SysWOW64\Lhcjbfag.exeC:\Windows\system32\Lhcjbfag.exe26⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Mdlgmgdh.exeC:\Windows\system32\Mdlgmgdh.exe27⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Mpedgghj.exeC:\Windows\system32\Mpedgghj.exe28⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Nfaijand.exeC:\Windows\system32\Nfaijand.exe29⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Niglfl32.exeC:\Windows\system32\Niglfl32.exe30⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Ohkijc32.exeC:\Windows\system32\Ohkijc32.exe31⤵
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Opfnne32.exeC:\Windows\system32\Opfnne32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3380 -
C:\Windows\SysWOW64\Okkalnjm.exeC:\Windows\system32\Okkalnjm.exe33⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Opmcod32.exeC:\Windows\system32\Opmcod32.exe34⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Paaidf32.exeC:\Windows\system32\Paaidf32.exe35⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Phpklp32.exeC:\Windows\system32\Phpklp32.exe36⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Qkcackeb.exeC:\Windows\system32\Qkcackeb.exe37⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Ancjef32.exeC:\Windows\system32\Ancjef32.exe38⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Adpogp32.exeC:\Windows\system32\Adpogp32.exe39⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Ajaqjfbp.exeC:\Windows\system32\Ajaqjfbp.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Bdgehobe.exeC:\Windows\system32\Bdgehobe.exe41⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Bnoiqd32.exeC:\Windows\system32\Bnoiqd32.exe42⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Bkhceh32.exeC:\Windows\system32\Bkhceh32.exe43⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Bkjpkg32.exeC:\Windows\system32\Bkjpkg32.exe44⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Cgaqphgl.exeC:\Windows\system32\Cgaqphgl.exe45⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Ckoifgmb.exeC:\Windows\system32\Ckoifgmb.exe46⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Cgejkh32.exeC:\Windows\system32\Cgejkh32.exe47⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Cejjdlap.exeC:\Windows\system32\Cejjdlap.exe48⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Capkim32.exeC:\Windows\system32\Capkim32.exe49⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Dabhomea.exeC:\Windows\system32\Dabhomea.exe50⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Deqqek32.exeC:\Windows\system32\Deqqek32.exe51⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Dlmegd32.exeC:\Windows\system32\Dlmegd32.exe52⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Dhcfleff.exeC:\Windows\system32\Dhcfleff.exe53⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Dhfcae32.exeC:\Windows\system32\Dhfcae32.exe54⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Ehhpge32.exeC:\Windows\system32\Ehhpge32.exe55⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Elfhmc32.exeC:\Windows\system32\Elfhmc32.exe56⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Eliecc32.exeC:\Windows\system32\Eliecc32.exe57⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Ejnbdp32.exeC:\Windows\system32\Ejnbdp32.exe58⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Eahjqicj.exeC:\Windows\system32\Eahjqicj.exe59⤵
- Executes dropped EXE
PID:732 -
C:\Windows\SysWOW64\Fhbbmc32.exeC:\Windows\system32\Fhbbmc32.exe60⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Fhdocc32.exeC:\Windows\system32\Fhdocc32.exe61⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Fbjcplhj.exeC:\Windows\system32\Fbjcplhj.exe62⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Ficlmf32.exeC:\Windows\system32\Ficlmf32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Fejlbgek.exeC:\Windows\system32\Fejlbgek.exe64⤵
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Faamghko.exeC:\Windows\system32\Faamghko.exe65⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Fhkecb32.exeC:\Windows\system32\Fhkecb32.exe66⤵PID:4664
-
C:\Windows\SysWOW64\Foenplji.exeC:\Windows\system32\Foenplji.exe67⤵PID:2456
-
C:\Windows\SysWOW64\Feofmf32.exeC:\Windows\system32\Feofmf32.exe68⤵
- Modifies registry class
PID:5060 -
C:\Windows\SysWOW64\Glinjqhb.exeC:\Windows\system32\Glinjqhb.exe69⤵PID:60
-
C:\Windows\SysWOW64\Gimoce32.exeC:\Windows\system32\Gimoce32.exe70⤵PID:2508
-
C:\Windows\SysWOW64\Gahcgg32.exeC:\Windows\system32\Gahcgg32.exe71⤵PID:3944
-
C:\Windows\SysWOW64\Golcak32.exeC:\Windows\system32\Golcak32.exe72⤵PID:4912
-
C:\Windows\SysWOW64\Ghdhja32.exeC:\Windows\system32\Ghdhja32.exe73⤵PID:1524
-
C:\Windows\SysWOW64\Giddddad.exeC:\Windows\system32\Giddddad.exe74⤵PID:4224
-
C:\Windows\SysWOW64\Gekeie32.exeC:\Windows\system32\Gekeie32.exe75⤵PID:2760
-
C:\Windows\SysWOW64\Hkgnalep.exeC:\Windows\system32\Hkgnalep.exe76⤵PID:2620
-
C:\Windows\SysWOW64\Haafnf32.exeC:\Windows\system32\Haafnf32.exe77⤵PID:680
-
C:\Windows\SysWOW64\Hepoddcc.exeC:\Windows\system32\Hepoddcc.exe78⤵PID:5036
-
C:\Windows\SysWOW64\Hccomh32.exeC:\Windows\system32\Hccomh32.exe79⤵PID:4748
-
C:\Windows\SysWOW64\Hhpheo32.exeC:\Windows\system32\Hhpheo32.exe80⤵PID:4992
-
C:\Windows\SysWOW64\Hojpbigq.exeC:\Windows\system32\Hojpbigq.exe81⤵PID:1072
-
C:\Windows\SysWOW64\Hkaqgjme.exeC:\Windows\system32\Hkaqgjme.exe82⤵PID:2096
-
C:\Windows\SysWOW64\Iefedcmk.exeC:\Windows\system32\Iefedcmk.exe83⤵PID:4864
-
C:\Windows\SysWOW64\Ilqmam32.exeC:\Windows\system32\Ilqmam32.exe84⤵PID:4272
-
C:\Windows\SysWOW64\Iameid32.exeC:\Windows\system32\Iameid32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1652 -
C:\Windows\SysWOW64\Ifphkbep.exeC:\Windows\system32\Ifphkbep.exe86⤵PID:4624
-
C:\Windows\SysWOW64\Jhqqlmba.exeC:\Windows\system32\Jhqqlmba.exe87⤵PID:728
-
C:\Windows\SysWOW64\Jjpmfpid.exeC:\Windows\system32\Jjpmfpid.exe88⤵PID:3452
-
C:\Windows\SysWOW64\Jchaoe32.exeC:\Windows\system32\Jchaoe32.exe89⤵
- Drops file in System32 directory
PID:5124 -
C:\Windows\SysWOW64\Jlafhkfe.exeC:\Windows\system32\Jlafhkfe.exe90⤵PID:5184
-
C:\Windows\SysWOW64\Kbbhka32.exeC:\Windows\system32\Kbbhka32.exe91⤵PID:5224
-
C:\Windows\SysWOW64\Kmhlijpm.exeC:\Windows\system32\Kmhlijpm.exe92⤵PID:5264
-
C:\Windows\SysWOW64\Kcbded32.exeC:\Windows\system32\Kcbded32.exe93⤵PID:5304
-
C:\Windows\SysWOW64\Kkmijf32.exeC:\Windows\system32\Kkmijf32.exe94⤵PID:5352
-
C:\Windows\SysWOW64\Kkofofbb.exeC:\Windows\system32\Kkofofbb.exe95⤵
- Modifies registry class
PID:5392 -
C:\Windows\SysWOW64\Kblkap32.exeC:\Windows\system32\Kblkap32.exe96⤵PID:5428
-
C:\Windows\SysWOW64\Kmaooihb.exeC:\Windows\system32\Kmaooihb.exe97⤵
- Modifies registry class
PID:5468 -
C:\Windows\SysWOW64\Lfjchn32.exeC:\Windows\system32\Lfjchn32.exe98⤵
- Modifies registry class
PID:5512 -
C:\Windows\SysWOW64\Lkflpe32.exeC:\Windows\system32\Lkflpe32.exe99⤵PID:5552
-
C:\Windows\SysWOW64\Lijlii32.exeC:\Windows\system32\Lijlii32.exe100⤵PID:5596
-
C:\Windows\SysWOW64\Lpdefc32.exeC:\Windows\system32\Lpdefc32.exe101⤵PID:5640
-
C:\Windows\SysWOW64\Lcdjba32.exeC:\Windows\system32\Lcdjba32.exe102⤵PID:5676
-
C:\Windows\SysWOW64\Ljoboloa.exeC:\Windows\system32\Ljoboloa.exe103⤵PID:5724
-
C:\Windows\SysWOW64\Mbjgcnll.exeC:\Windows\system32\Mbjgcnll.exe104⤵PID:5768
-
C:\Windows\SysWOW64\Midoph32.exeC:\Windows\system32\Midoph32.exe105⤵PID:5808
-
C:\Windows\SysWOW64\Mcicma32.exeC:\Windows\system32\Mcicma32.exe106⤵PID:5852
-
C:\Windows\SysWOW64\Nmmgae32.exeC:\Windows\system32\Nmmgae32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5892 -
C:\Windows\SysWOW64\Nffljjfc.exeC:\Windows\system32\Nffljjfc.exe108⤵
- Modifies registry class
PID:5936 -
C:\Windows\SysWOW64\Nmpdgdmp.exeC:\Windows\system32\Nmpdgdmp.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5980 -
C:\Windows\SysWOW64\Njceqili.exeC:\Windows\system32\Njceqili.exe110⤵PID:6024
-
C:\Windows\SysWOW64\Opjponbf.exeC:\Windows\system32\Opjponbf.exe111⤵
- Drops file in System32 directory
PID:6064 -
C:\Windows\SysWOW64\Ofdhlh32.exeC:\Windows\system32\Ofdhlh32.exe112⤵PID:6104
-
C:\Windows\SysWOW64\Olqqdo32.exeC:\Windows\system32\Olqqdo32.exe113⤵PID:2628
-
C:\Windows\SysWOW64\Pignccea.exeC:\Windows\system32\Pignccea.exe114⤵PID:2440
-
C:\Windows\SysWOW64\Pgknlg32.exeC:\Windows\system32\Pgknlg32.exe115⤵PID:5208
-
C:\Windows\SysWOW64\Ppccemjk.exeC:\Windows\system32\Ppccemjk.exe116⤵PID:5256
-
C:\Windows\SysWOW64\Pgmkbg32.exeC:\Windows\system32\Pgmkbg32.exe117⤵
- Modifies registry class
PID:5336 -
C:\Windows\SysWOW64\Pcdlghgl.exeC:\Windows\system32\Pcdlghgl.exe118⤵PID:4244
-
C:\Windows\SysWOW64\Pkkdhe32.exeC:\Windows\system32\Pkkdhe32.exe119⤵PID:5412
-
C:\Windows\SysWOW64\Pdchakoo.exeC:\Windows\system32\Pdchakoo.exe120⤵PID:5480
-
C:\Windows\SysWOW64\Qckbggad.exeC:\Windows\system32\Qckbggad.exe121⤵
- Drops file in System32 directory
PID:5544 -
C:\Windows\SysWOW64\Aiejda32.exeC:\Windows\system32\Aiejda32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5608