Analysis
- max time kernel: 86s
- max time network: 178s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/10/2023, 21:59

Static task: static1 (1 signature)
Behavioral task: behavioral1
- Sample: eedd1850f59a6213e7e3ca8f654fe069_JC.exe
- Resource: win7-20230831-en
- 6 signatures, 150 seconds
Behavioral task: behavioral2
- Sample: eedd1850f59a6213e7e3ca8f654fe069_JC.exe
- Resource: win10v2004-20230915-en
- 5 signatures, 150 seconds
General
- Target: eedd1850f59a6213e7e3ca8f654fe069_JC.exe
- Size: 81KB
- MD5: eedd1850f59a6213e7e3ca8f654fe069
- SHA1: 4b75573248b2024016a4aa798a17170f3419b867
- SHA256: aa90c85714e0c4e6dcbea4bddd2ff91ba29882571e0aa60a92ef66e0ff01dac6
- SHA512: 03e58f6a157b16f2e034b2d5074886e95223f6dd1b48282da2fcb0e39f83ad091f81e629ed5d726b056bc390cc38c09e09c66ffe3f4c33418abcaef497e4f997
- SSDEEP: 1536:npcbMufOx/1wW9GOvRsuOYeN3z7m4LO++/+1m6KadhYxU33HX0L:pChQwW9GOEYeN3z/LrCimBaH8UH30L
- Score: 10/10
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree (the leading number is the entry's depth; each process is spawned by the one above it):
- 1: C:\Users\Admin\AppData\Local\Temp\eedd1850f59a6213e7e3ca8f654fe069_JC.exe (command line: "C:\Users\Admin\AppData\Local\Temp\eedd1850f59a6213e7e3ca8f654fe069_JC.exe"), PID 4996. Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
- 2: C:\Windows\SysWOW64\Hdicggla.exe (command line: C:\Windows\system32\Hdicggla.exe), PID 3976. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 3: C:\Windows\SysWOW64\Jmbdmg32.exe (command line: C:\Windows\system32\Jmbdmg32.exe), PID 1188. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 4: C:\Windows\SysWOW64\Japmcfcc.exe (command line: C:\Windows\system32\Japmcfcc.exe), PID 3324. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 5: C:\Windows\SysWOW64\Kaioidkh.exe (command line: C:\Windows\system32\Kaioidkh.exe), PID 4980. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 6: C:\Windows\SysWOW64\Leqkeajd.exe (command line: C:\Windows\system32\Leqkeajd.exe), PID 3864. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 7: C:\Windows\SysWOW64\Mdmngm32.exe (command line: C:\Windows\system32\Mdmngm32.exe), PID 3700. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 8: C:\Windows\SysWOW64\Mhppik32.exe (command line: C:\Windows\system32\Mhppik32.exe), PID 2032. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 9: C:\Windows\SysWOW64\Moiheebb.exe (command line: C:\Windows\system32\Moiheebb.exe), PID 1800. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 10: C:\Windows\SysWOW64\Nonbqd32.exe (command line: C:\Windows\system32\Nonbqd32.exe), PID 4704. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 11: C:\Windows\SysWOW64\Nejgbn32.exe (command line: C:\Windows\system32\Nejgbn32.exe), PID 4124. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 12: C:\Windows\SysWOW64\Nemchn32.exe (command line: C:\Windows\system32\Nemchn32.exe), PID 4220. Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
- 13: C:\Windows\SysWOW64\Onhhmpoo.exe (command line: C:\Windows\system32\Onhhmpoo.exe), PID 1068. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 14: C:\Windows\SysWOW64\Pfmlok32.exe (command line: C:\Windows\system32\Pfmlok32.exe), PID 1616. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 15: C:\Windows\SysWOW64\Pkonbamc.exe (command line: C:\Windows\system32\Pkonbamc.exe), PID 676. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 16: C:\Windows\SysWOW64\Qbmpjkqk.exe (command line: C:\Windows\system32\Qbmpjkqk.exe), PID 828. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 17: C:\Windows\SysWOW64\Agmehamp.exe (command line: C:\Windows\system32\Agmehamp.exe), PID 3104. Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- 18: C:\Windows\SysWOW64\Aecbge32.exe (command line: C:\Windows\system32\Aecbge32.exe), PID 3844. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 19: C:\Windows\SysWOW64\Bnppkj32.exe (command line: C:\Windows\system32\Bnppkj32.exe), PID 1864. Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
- 20: C:\Windows\SysWOW64\Bfnnmg32.exe (command line: C:\Windows\system32\Bfnnmg32.exe), PID 228. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 21: C:\Windows\SysWOW64\Cnlpgibd.exe (command line: C:\Windows\system32\Cnlpgibd.exe), PID 4480. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 22: C:\Windows\SysWOW64\Cnpibh32.exe (command line: C:\Windows\system32\Cnpibh32.exe), PID 3384. Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 23: C:\Windows\SysWOW64\Cfjnhe32.exe (command line: C:\Windows\system32\Cfjnhe32.exe), PID 2924. Signatures: Executes dropped EXE
- 24: C:\Windows\SysWOW64\Dlicflic.exe (command line: C:\Windows\system32\Dlicflic.exe), PID 4352. Signatures: Executes dropped EXE
- 25: C:\Windows\SysWOW64\Diopep32.exe (command line: C:\Windows\system32\Diopep32.exe). Signatures: Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3860 -
C:\Windows\SysWOW64\Ehifak32.exeC:\Windows\system32\Ehifak32.exe26⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Efjgpc32.exeC:\Windows\system32\Efjgpc32.exe27⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Epgdch32.exeC:\Windows\system32\Epgdch32.exe28⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Flpbnh32.exeC:\Windows\system32\Flpbnh32.exe29⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Fikihlmj.exeC:\Windows\system32\Fikihlmj.exe30⤵
- Executes dropped EXE
PID:3796 -
C:\Windows\SysWOW64\Gedfblql.exeC:\Windows\system32\Gedfblql.exe31⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Ggdbmoho.exeC:\Windows\system32\Ggdbmoho.exe32⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Gplged32.exeC:\Windows\system32\Gplged32.exe33⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Hcaibo32.exeC:\Windows\system32\Hcaibo32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\Ihjafd32.exeC:\Windows\system32\Ihjafd32.exe35⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Ijjnpg32.exeC:\Windows\system32\Ijjnpg32.exe36⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Jfgefg32.exeC:\Windows\system32\Jfgefg32.exe37⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Kmhccpci.exeC:\Windows\system32\Kmhccpci.exe38⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Kgcqlh32.exeC:\Windows\system32\Kgcqlh32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Lglcag32.exeC:\Windows\system32\Lglcag32.exe40⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Lipmoo32.exeC:\Windows\system32\Lipmoo32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Mjafoapj.exeC:\Windows\system32\Mjafoapj.exe42⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Mdodbf32.exeC:\Windows\system32\Mdodbf32.exe43⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Mdcmnfop.exeC:\Windows\system32\Mdcmnfop.exe44⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Nmpkakak.exeC:\Windows\system32\Nmpkakak.exe45⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Omjnhiiq.exeC:\Windows\system32\Omjnhiiq.exe46⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Opjgidfa.exeC:\Windows\system32\Opjgidfa.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:416 -
C:\Windows\SysWOW64\Oickbjmb.exeC:\Windows\system32\Oickbjmb.exe48⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Opopdd32.exeC:\Windows\system32\Opopdd32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1420 -
C:\Windows\SysWOW64\Pncanhaf.exeC:\Windows\system32\Pncanhaf.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:972 -
C:\Windows\SysWOW64\Pjjaci32.exeC:\Windows\system32\Pjjaci32.exe51⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Pjlnhi32.exeC:\Windows\system32\Pjlnhi32.exe52⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Pdbbfadn.exeC:\Windows\system32\Pdbbfadn.exe53⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Pjahchpb.exeC:\Windows\system32\Pjahchpb.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:4184 -
C:\Windows\SysWOW64\Aamipe32.exeC:\Windows\system32\Aamipe32.exe55⤵
- Executes dropped EXE
PID:3824 -
C:\Windows\SysWOW64\Akenij32.exeC:\Windows\system32\Akenij32.exe56⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Aqdbfa32.exeC:\Windows\system32\Aqdbfa32.exe57⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Agqhik32.exeC:\Windows\system32\Agqhik32.exe58⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Bdgehobe.exeC:\Windows\system32\Bdgehobe.exe59⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Bhennm32.exeC:\Windows\system32\Bhennm32.exe60⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Bqpbboeg.exeC:\Windows\system32\Bqpbboeg.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Bdnkhn32.exeC:\Windows\system32\Bdnkhn32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3916 -
C:\Windows\SysWOW64\Bdphnmjk.exeC:\Windows\system32\Bdphnmjk.exe63⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Cjomldfp.exeC:\Windows\system32\Cjomldfp.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5076 -
C:\Windows\SysWOW64\Cnmebblf.exeC:\Windows\system32\Cnmebblf.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Cegnol32.exeC:\Windows\system32\Cegnol32.exe66⤵PID:3480
-
C:\Windows\SysWOW64\Cbknhqbl.exeC:\Windows\system32\Cbknhqbl.exe67⤵
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Djipbbne.exeC:\Windows\system32\Djipbbne.exe68⤵
- Modifies registry class
PID:3752 -
C:\Windows\SysWOW64\Dbgndoho.exeC:\Windows\system32\Dbgndoho.exe69⤵PID:4332
-
C:\Windows\SysWOW64\Ejglcq32.exeC:\Windows\system32\Ejglcq32.exe70⤵
- Modifies registry class
PID:3376 -
C:\Windows\SysWOW64\Enedio32.exeC:\Windows\system32\Enedio32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4732 -
C:\Windows\SysWOW64\Eijigg32.exeC:\Windows\system32\Eijigg32.exe72⤵
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Ejkenpnp.exeC:\Windows\system32\Ejkenpnp.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1400 -
C:\Windows\SysWOW64\Elkbhbeb.exeC:\Windows\system32\Elkbhbeb.exe74⤵
- Drops file in System32 directory
PID:4140 -
C:\Windows\SysWOW64\Eahjqicj.exeC:\Windows\system32\Eahjqicj.exe75⤵PID:3888
-
C:\Windows\SysWOW64\Folkjnbc.exeC:\Windows\system32\Folkjnbc.exe76⤵PID:3348
-
C:\Windows\SysWOW64\Fejlbgek.exeC:\Windows\system32\Fejlbgek.exe77⤵PID:4376
-
C:\Windows\SysWOW64\Fhkecb32.exeC:\Windows\system32\Fhkecb32.exe78⤵PID:2288
-
C:\Windows\SysWOW64\Ijigfaol.exeC:\Windows\system32\Ijigfaol.exe79⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Iofpnhmc.exeC:\Windows\system32\Iofpnhmc.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4808 -
C:\Windows\SysWOW64\Jlafhkfe.exeC:\Windows\system32\Jlafhkfe.exe81⤵
- Drops file in System32 directory
PID:4484 -
C:\Windows\SysWOW64\Jkfcigkm.exeC:\Windows\system32\Jkfcigkm.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Jkhpogij.exeC:\Windows\system32\Jkhpogij.exe83⤵PID:4868
-
C:\Windows\SysWOW64\Kjipmoai.exeC:\Windows\system32\Kjipmoai.exe84⤵
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Kcdakd32.exeC:\Windows\system32\Kcdakd32.exe85⤵
- Drops file in System32 directory
PID:4364 -
C:\Windows\SysWOW64\Ljephmgl.exeC:\Windows\system32\Ljephmgl.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5028 -
C:\Windows\SysWOW64\Lpgalc32.exeC:\Windows\system32\Lpgalc32.exe87⤵PID:1016
-
C:\Windows\SysWOW64\Llmbqdfb.exeC:\Windows\system32\Llmbqdfb.exe88⤵PID:3704
-
C:\Windows\SysWOW64\Mpnglbkf.exeC:\Windows\system32\Mpnglbkf.exe89⤵
- Modifies registry class
PID:3292 -
C:\Windows\SysWOW64\Mcnmhpoj.exeC:\Windows\system32\Mcnmhpoj.exe90⤵PID:3172
-
C:\Windows\SysWOW64\Mjheejff.exeC:\Windows\system32\Mjheejff.exe91⤵PID:1296
-
C:\Windows\SysWOW64\Nfabok32.exeC:\Windows\system32\Nfabok32.exe92⤵PID:3812
-
C:\Windows\SysWOW64\Nmkkle32.exeC:\Windows\system32\Nmkkle32.exe93⤵PID:1592
-
C:\Windows\SysWOW64\Nidhffef.exeC:\Windows\system32\Nidhffef.exe94⤵PID:1344
-
C:\Windows\SysWOW64\Opefdo32.exeC:\Windows\system32\Opefdo32.exe95⤵PID:2992
-
C:\Windows\SysWOW64\Plcmiofg.exeC:\Windows\system32\Plcmiofg.exe96⤵
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Plejoode.exeC:\Windows\system32\Plejoode.exe97⤵PID:3896
-
C:\Windows\SysWOW64\Pkfjmfld.exeC:\Windows\system32\Pkfjmfld.exe98⤵PID:3240
-
C:\Windows\SysWOW64\Pdoofl32.exeC:\Windows\system32\Pdoofl32.exe99⤵PID:5032
-
C:\Windows\SysWOW64\Ppepkmhi.exeC:\Windows\system32\Ppepkmhi.exe100⤵PID:2056
-
C:\Windows\SysWOW64\Pgbdmfnc.exeC:\Windows\system32\Pgbdmfnc.exe101⤵PID:4580
-
C:\Windows\SysWOW64\Qpmfklbq.exeC:\Windows\system32\Qpmfklbq.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3664 -
C:\Windows\SysWOW64\Alcfpm32.exeC:\Windows\system32\Alcfpm32.exe103⤵PID:4512
-
C:\Windows\SysWOW64\Apcllk32.exeC:\Windows\system32\Apcllk32.exe104⤵PID:3580
-
C:\Windows\SysWOW64\Agndidce.exeC:\Windows\system32\Agndidce.exe105⤵PID:5092
-
C:\Windows\SysWOW64\Aljmal32.exeC:\Windows\system32\Aljmal32.exe106⤵
- Drops file in System32 directory
PID:3272 -
C:\Windows\SysWOW64\Bnlfqngm.exeC:\Windows\system32\Bnlfqngm.exe107⤵PID:4608
-
C:\Windows\SysWOW64\Ccendc32.exeC:\Windows\system32\Ccendc32.exe108⤵
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Cnjbbl32.exeC:\Windows\system32\Cnjbbl32.exe109⤵PID:4584
-
C:\Windows\SysWOW64\Cnmoglij.exeC:\Windows\system32\Cnmoglij.exe110⤵
- Modifies registry class
PID:4840 -
C:\Windows\SysWOW64\Cmblhh32.exeC:\Windows\system32\Cmblhh32.exe111⤵
- Drops file in System32 directory
PID:3164 -
C:\Windows\SysWOW64\Dgliapic.exeC:\Windows\system32\Dgliapic.exe112⤵
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Ekeacmel.exeC:\Windows\system32\Ekeacmel.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:5140 -
C:\Windows\SysWOW64\Emgnje32.exeC:\Windows\system32\Emgnje32.exe114⤵PID:5176
-
C:\Windows\SysWOW64\Eglbhnkp.exeC:\Windows\system32\Eglbhnkp.exe115⤵PID:5240
-
C:\Windows\SysWOW64\Fnpmkg32.exeC:\Windows\system32\Fnpmkg32.exe116⤵PID:5288
-
C:\Windows\SysWOW64\Gaglma32.exeC:\Windows\system32\Gaglma32.exe117⤵PID:5324
-
C:\Windows\SysWOW64\Glmqjj32.exeC:\Windows\system32\Glmqjj32.exe118⤵PID:5372
-
C:\Windows\SysWOW64\Geeecogb.exeC:\Windows\system32\Geeecogb.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5428 -
C:\Windows\SysWOW64\Haobnpkc.exeC:\Windows\system32\Haobnpkc.exe120⤵
- Drops file in System32 directory
PID:5472 -
C:\Windows\SysWOW64\Hdahek32.exeC:\Windows\system32\Hdahek32.exe121⤵PID:5516
-
C:\Windows\SysWOW64\Hoglbc32.exeC:\Windows\system32\Hoglbc32.exe122⤵
- Modifies registry class
PID:5560