Analysis
-
max time kernel
171s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
12/10/2023, 11:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
04dd39604e1e041411789e9ab71aa1ac_JC.exe
Resource
win7-20230831-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
04dd39604e1e041411789e9ab71aa1ac_JC.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
04dd39604e1e041411789e9ab71aa1ac_JC.exe
-
Size
64KB
-
MD5
04dd39604e1e041411789e9ab71aa1ac
-
SHA1
31f6d57b0812eec4398ea86d46e63547a45bd3e7
-
SHA256
e256b953e6b6ea65d538c5c8082543885bfb75cadaf385312022924ee3cf17b8
-
SHA512
daa56627f63d20ccf7784026973491013f645109e2c7ab0ad3b2b4ef80d8957d4bc4f9539b88a8139a9c8b1f7fa09d152cf0da063719639cd15657f11d1fa27b
-
SSDEEP
1536:RMcZBT2q8vkgb5GcgDZloHr2I2LW2+lWu:RxXVtgb5IDZuHrCW2+L
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffbgog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehlpjikd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddmhhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdifhkni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kicdke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amjillkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phqbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpkllo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amloakki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbplgbbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqnjgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npedfjfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdamph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkcgdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Holjjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egbdekcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhdfll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kblkap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkndie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkdoje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cokpekpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpcmagpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aefjbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qachgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elhnhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfkehk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlglpkpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjofcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baanhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inkaqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhbdbpnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdffkgpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hedaoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hplbbipm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qoplop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnbnhedj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdhkchlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnmgni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgebif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmmffnai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcjdam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmkehicj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fobomglo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdhklgnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Banabi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjdebfnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkphhgfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihaidhgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klfjbpmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqmldddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfnnhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmmppc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfhgdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gikdkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijdcljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbpchb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecikjoep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiqooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbgoik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nedjdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chfegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joamlacj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olcklj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcjmhk32.exe -
Executes dropped EXE 64 IoCs
pid Process 2656 Lmdemd32.exe 3676 Mcqjon32.exe 3664 Mjkblhfo.exe 1440 Mnhkbfme.exe 460 Mjdebfnd.exe 3216 Nnbnhedj.exe 800 Nmgjia32.exe 1124 Ndflak32.exe 4500 Oeheqm32.exe 3472 Omegjomb.exe 2768 Ohmhmh32.exe 1800 Poimpapp.exe 3104 Plmmif32.exe 4936 Poliea32.exe 3524 Pdhbmh32.exe 2484 Pmaffnce.exe 3968 Pdkoch32.exe 4112 Popbpqjh.exe 3220 Pkgcea32.exe 1468 Qhkdof32.exe 2700 Qachgk32.exe 4068 Amjillkj.exe 2856 Aknifq32.exe 1708 Alnfpcag.exe 3240 Ahdged32.exe 4400 Aaohcj32.exe 4616 Bochmn32.exe 324 Bhkmec32.exe 1200 Bohbhmfm.exe 4396 Bhbcfbjk.exe 5052 Camddhoi.exe 4164 Cfkmkf32.exe 1624 Cnfaohbj.exe 1856 Chlflabp.exe 5004 Cohkokgj.exe 4152 Ekkkoj32.exe 2552 Ennqfenp.exe 1160 Fbpchb32.exe 1480 Glbjggof.exe 2740 Gfhndpol.exe 752 Gifkpknp.exe 828 Gbnoiqdq.exe 716 Gemkelcd.exe 2144 Gbalopbn.exe 2792 Gikdkj32.exe 1964 Gbchdp32.exe 4424 Agdcpkll.exe 2644 Amnlme32.exe 232 Adhdjpjf.exe 380 Aonhghjl.exe 2568 Apodoq32.exe 2952 Akdilipp.exe 620 Apaadpng.exe 3700 Bphgeo32.exe 5044 Bgbpaipl.exe 3324 Bnlhncgi.exe 1828 Bdfpkm32.exe 3776 Bkphhgfc.exe 3108 Bajqda32.exe 4688 Chfegk32.exe 3668 Cdmfllhn.exe 3488 Ckgohf32.exe 1780 Cdpcal32.exe 4204 Cgnomg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pgpmdh32.exe Odaphl32.exe File created C:\Windows\SysWOW64\Bfhabgce.dll Fgbfbc32.exe File created C:\Windows\SysWOW64\Fjhmbihg.exe Famhmfkl.exe File opened for modification C:\Windows\SysWOW64\Bqafpc32.exe Bjgncihp.exe File opened for modification C:\Windows\SysWOW64\Gfhndpol.exe Glbjggof.exe File created C:\Windows\SysWOW64\Ghklmk32.exe Gaadpqmp.exe File created C:\Windows\SysWOW64\Jbecoe32.dll Qhkdof32.exe File created C:\Windows\SysWOW64\Lhjicplp.dll Hcipcnac.exe File created C:\Windows\SysWOW64\Lmkbeg32.exe Lfqjhmhk.exe File created C:\Windows\SysWOW64\Ddfhqcqb.dll Bdhkchlg.exe File created C:\Windows\SysWOW64\Nbadmege.exe Nlglpkpi.exe File created C:\Windows\SysWOW64\Gemkelcd.exe Gbnoiqdq.exe File opened for modification C:\Windows\SysWOW64\Gmcdolbn.exe Gdjpff32.exe File created C:\Windows\SysWOW64\Cjcmognb.exe Bgeabloo.exe File created C:\Windows\SysWOW64\Ameipl32.exe Qfkqcb32.exe File created C:\Windows\SysWOW64\Odaphl32.exe Onekeb32.exe File created C:\Windows\SysWOW64\Egjbabja.dll Npgalidl.exe File opened for modification C:\Windows\SysWOW64\Pcdjic32.exe Pljalipc.exe File created C:\Windows\SysWOW64\Pgaboa32.exe Pllnbh32.exe File opened for modification C:\Windows\SysWOW64\Bimkde32.exe Bfnnhj32.exe File created C:\Windows\SysWOW64\Gggigpnm.dll Addabl32.exe File created C:\Windows\SysWOW64\Alnfpcag.exe Aknifq32.exe File created C:\Windows\SysWOW64\Bqjoqdcl.dll Camddhoi.exe File opened for modification C:\Windows\SysWOW64\Dkndie32.exe Dafppp32.exe File created C:\Windows\SysWOW64\Nhepeibn.dll Ageofe32.exe File created C:\Windows\SysWOW64\Pbhghdkf.dll Iiqooh32.exe File opened for modification C:\Windows\SysWOW64\Bphgoe32.exe Bkkofn32.exe File created C:\Windows\SysWOW64\Bgbmqpej.dll Nmmgae32.exe File created C:\Windows\SysWOW64\Adocpjbi.dll Gadqepkn.exe File opened for modification C:\Windows\SysWOW64\Cjcmognb.exe Bgeabloo.exe File opened for modification C:\Windows\SysWOW64\Hpnohinj.exe Hmpclnof.exe File created C:\Windows\SysWOW64\Lcmfnf32.dll Kfgpblda.exe File created C:\Windows\SysWOW64\Ekkkoj32.exe Cohkokgj.exe File opened for modification C:\Windows\SysWOW64\Komoed32.exe Kjqfmn32.exe File created C:\Windows\SysWOW64\Eeeaibid.exe Ekpmljin.exe File opened for modification C:\Windows\SysWOW64\Jkkjfa32.exe Jfnbnk32.exe File created C:\Windows\SysWOW64\Famhmfkl.exe Edihdb32.exe File created C:\Windows\SysWOW64\Gdiakp32.exe Gnohnffc.exe File created C:\Windows\SysWOW64\Hqpnmlqd.dll Pfilfm32.exe File created C:\Windows\SysWOW64\Pbaihddp.dll Gkbkna32.exe File created C:\Windows\SysWOW64\Alnfiifd.exe Ahbjij32.exe File created C:\Windows\SysWOW64\Ncecioib.exe Nlnkgbhp.exe File created C:\Windows\SysWOW64\Efkijn32.dll Fgbmliee.exe File created C:\Windows\SysWOW64\Ennikm32.dll Kbneij32.exe File created C:\Windows\SysWOW64\Oenljoji.exe Oocdme32.exe File created C:\Windows\SysWOW64\Hffbfn32.exe Holjjd32.exe File opened for modification C:\Windows\SysWOW64\Jiageecb.exe Jbgoik32.exe File created C:\Windows\SysWOW64\Pgdodq32.exe Ppjghgdg.exe File created C:\Windows\SysWOW64\Ekdanmkl.dll Pckpja32.exe File created C:\Windows\SysWOW64\Ccbqeg32.dll Qpmfklbq.exe File created C:\Windows\SysWOW64\Mkhepqnd.dll Aichng32.exe File opened for modification C:\Windows\SysWOW64\Ndflak32.exe Nmgjia32.exe File opened for modification C:\Windows\SysWOW64\Aonhghjl.exe Adhdjpjf.exe File opened for modification C:\Windows\SysWOW64\Fnjhccnd.exe Fhmpkmpm.exe File created C:\Windows\SysWOW64\Ohdpkpcl.dll Pcdjic32.exe File opened for modification C:\Windows\SysWOW64\Gggmgk32.exe Gdiakp32.exe File created C:\Windows\SysWOW64\Lpinac32.exe Lmkbeg32.exe File created C:\Windows\SysWOW64\Glndff32.dll Ffnkggld.exe File created C:\Windows\SysWOW64\Mgfkfg32.dll Hidgko32.exe File created C:\Windows\SysWOW64\Qhjegh32.exe Pflikm32.exe File created C:\Windows\SysWOW64\Efhcld32.exe Epokojbg.exe File opened for modification C:\Windows\SysWOW64\Gkbkna32.exe Gdhcagnp.exe File created C:\Windows\SysWOW64\Jkkjfa32.exe Jfnbnk32.exe File created C:\Windows\SysWOW64\Anaflcjf.dll Oenljoji.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epokojbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agbgda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdjfohjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hojndd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkhddge.dll" Aoifoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pllnbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epjadk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdenghpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paioplob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnbnhedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejjaqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oocdme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpmpgfhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhcpe32.dll" Amloakki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqjibapd.dll" Pgaboa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpbbln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcgleaad.dll" Fkcgdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfckia32.dll" Jnifbmfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfkqcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aobieq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdiijemd.dll" Alpboida.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boojnk32.dll" Hpnohinj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlanpfkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emojjn32.dll" Ffbgog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhjlln32.dll" Gpcmagpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfflabao.dll" Agpoqoaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpiceon.dll" Afmmibga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqpgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibdiln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agpoqoaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnkchmdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhnlelfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komkno32.dll" Fagjolao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmjcf32.dll" Glbjggof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgbpaipl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdlphjaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gijedm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elhnhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbnbjlb.dll" Hojndd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlglpkpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lemjlcgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgfqmlko.dll" Pllppnnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfjcpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmkjdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oekpdoll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihnkobpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odkaac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbjpohpp.dll" Pnifoaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcfmlqp.dll" Bfoebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmildo32.dll" Eigohp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkhbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omecechf.dll" Jnnpnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpmmfbfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfikjkob.dll" Cokpekpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iohjebkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agchffjb.dll" Ejklfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fphneijl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cagolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbmgj32.dll" Kejepfgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afghgkdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apcemh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdodekhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoobnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmdkmnkd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3408 wrote to memory of 2656 3408 04dd39604e1e041411789e9ab71aa1ac_JC.exe 83 PID 3408 wrote to memory of 2656 3408 04dd39604e1e041411789e9ab71aa1ac_JC.exe 83 PID 3408 wrote to memory of 2656 3408 04dd39604e1e041411789e9ab71aa1ac_JC.exe 83 PID 2656 wrote to memory of 3676 2656 Lmdemd32.exe 84 PID 2656 wrote to memory of 3676 2656 Lmdemd32.exe 84 PID 2656 wrote to memory of 3676 2656 Lmdemd32.exe 84 PID 3676 wrote to memory of 3664 3676 Mcqjon32.exe 85 PID 3676 wrote to memory of 3664 3676 Mcqjon32.exe 85 PID 3676 wrote to memory of 3664 3676 Mcqjon32.exe 85 PID 3664 wrote to memory of 1440 3664 Mjkblhfo.exe 86 PID 3664 wrote to memory of 1440 3664 Mjkblhfo.exe 86 PID 3664 wrote to memory of 1440 3664 Mjkblhfo.exe 86 PID 1440 wrote to memory of 460 1440 Mnhkbfme.exe 87 PID 1440 wrote to memory of 460 1440 Mnhkbfme.exe 87 PID 1440 wrote to memory of 460 1440 Mnhkbfme.exe 87 PID 460 wrote to memory of 3216 460 Mjdebfnd.exe 88 PID 460 wrote to memory of 3216 460 Mjdebfnd.exe 88 PID 460 wrote to memory of 3216 460 Mjdebfnd.exe 88 PID 3216 wrote to memory of 800 3216 Nnbnhedj.exe 89 PID 3216 wrote to memory of 800 3216 Nnbnhedj.exe 89 PID 3216 wrote to memory of 800 3216 Nnbnhedj.exe 89 PID 800 wrote to memory of 1124 800 Nmgjia32.exe 90 PID 800 wrote to memory of 1124 800 Nmgjia32.exe 90 PID 800 wrote to memory of 1124 800 Nmgjia32.exe 90 PID 1124 wrote to memory of 4500 1124 Ndflak32.exe 91 PID 1124 wrote to memory of 4500 1124 Ndflak32.exe 91 PID 1124 wrote to memory of 4500 1124 Ndflak32.exe 91 PID 4500 wrote to memory of 3472 4500 Oeheqm32.exe 92 PID 4500 wrote to memory of 3472 4500 Oeheqm32.exe 92 PID 4500 wrote to memory of 3472 4500 Oeheqm32.exe 92 PID 3472 wrote to memory of 2768 3472 Omegjomb.exe 93 PID 3472 wrote to memory of 2768 3472 Omegjomb.exe 93 PID 3472 wrote to memory of 2768 3472 Omegjomb.exe 93 PID 2768 wrote to memory of 1800 2768 Ohmhmh32.exe 94 PID 2768 wrote to memory of 1800 2768 Ohmhmh32.exe 94 PID 2768 wrote to memory of 1800 2768 Ohmhmh32.exe 94 PID 1800 wrote to memory of 3104 1800 Poimpapp.exe 96 PID 1800 wrote to memory of 3104 1800 Poimpapp.exe 96 PID 1800 wrote to memory of 3104 1800 Poimpapp.exe 96 PID 3104 wrote to memory of 4936 3104 Plmmif32.exe 97 PID 3104 wrote to memory of 4936 3104 Plmmif32.exe 97 PID 3104 wrote to memory of 4936 3104 Plmmif32.exe 97 PID 4936 wrote to memory of 3524 4936 Poliea32.exe 98 PID 4936 wrote to memory of 3524 4936 Poliea32.exe 98 PID 4936 wrote to memory of 3524 4936 Poliea32.exe 98 PID 3524 wrote to memory of 2484 3524 Pdhbmh32.exe 99 PID 3524 wrote to memory of 2484 3524 Pdhbmh32.exe 99 PID 3524 wrote to memory of 2484 3524 Pdhbmh32.exe 99 PID 2484 wrote to memory of 3968 2484 Pmaffnce.exe 100 PID 2484 wrote to memory of 3968 2484 Pmaffnce.exe 100 PID 2484 wrote to memory of 3968 2484 Pmaffnce.exe 100 PID 3968 wrote to memory of 4112 3968 Pdkoch32.exe 101 PID 3968 wrote to memory of 4112 3968 Pdkoch32.exe 101 PID 3968 wrote to memory of 4112 3968 Pdkoch32.exe 101 PID 4112 wrote to memory of 3220 4112 Popbpqjh.exe 102 PID 4112 wrote to memory of 3220 4112 Popbpqjh.exe 102 PID 4112 wrote to memory of 3220 4112 Popbpqjh.exe 102 PID 3220 wrote to memory of 1468 3220 Pkgcea32.exe 103 PID 3220 wrote to memory of 1468 3220 Pkgcea32.exe 103 PID 3220 wrote to memory of 1468 3220 Pkgcea32.exe 103 PID 1468 wrote to memory of 2700 1468 Qhkdof32.exe 104 PID 1468 wrote to memory of 2700 1468 Qhkdof32.exe 104 PID 1468 wrote to memory of 2700 1468 Qhkdof32.exe 104 PID 2700 wrote to memory of 4068 2700 Qachgk32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\04dd39604e1e041411789e9ab71aa1ac_JC.exe"C:\Users\Admin\AppData\Local\Temp\04dd39604e1e041411789e9ab71aa1ac_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Windows\SysWOW64\Lmdemd32.exeC:\Windows\system32\Lmdemd32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Mcqjon32.exeC:\Windows\system32\Mcqjon32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Mjkblhfo.exeC:\Windows\system32\Mjkblhfo.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\SysWOW64\Mnhkbfme.exeC:\Windows\system32\Mnhkbfme.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\SysWOW64\Nnbnhedj.exeC:\Windows\system32\Nnbnhedj.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Nmgjia32.exeC:\Windows\system32\Nmgjia32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Ndflak32.exeC:\Windows\system32\Ndflak32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Oeheqm32.exeC:\Windows\system32\Oeheqm32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Omegjomb.exeC:\Windows\system32\Omegjomb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\Ohmhmh32.exeC:\Windows\system32\Ohmhmh32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Poimpapp.exeC:\Windows\system32\Poimpapp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Plmmif32.exeC:\Windows\system32\Plmmif32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\Poliea32.exeC:\Windows\system32\Poliea32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Pdhbmh32.exeC:\Windows\system32\Pdhbmh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\SysWOW64\Pmaffnce.exeC:\Windows\system32\Pmaffnce.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Pdkoch32.exeC:\Windows\system32\Pdkoch32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Popbpqjh.exeC:\Windows\system32\Popbpqjh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Pkgcea32.exeC:\Windows\system32\Pkgcea32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Qhkdof32.exeC:\Windows\system32\Qhkdof32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Qachgk32.exeC:\Windows\system32\Qachgk32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Amjillkj.exeC:\Windows\system32\Amjillkj.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Aknifq32.exeC:\Windows\system32\Aknifq32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Alnfpcag.exeC:\Windows\system32\Alnfpcag.exe25⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Ahdged32.exeC:\Windows\system32\Ahdged32.exe26⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Aaohcj32.exeC:\Windows\system32\Aaohcj32.exe27⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe28⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Bhkmec32.exeC:\Windows\system32\Bhkmec32.exe29⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Bohbhmfm.exeC:\Windows\system32\Bohbhmfm.exe30⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Bhbcfbjk.exeC:\Windows\system32\Bhbcfbjk.exe31⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Camddhoi.exeC:\Windows\system32\Camddhoi.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5052 -
C:\Windows\SysWOW64\Cfkmkf32.exeC:\Windows\system32\Cfkmkf32.exe33⤵
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\Cnfaohbj.exeC:\Windows\system32\Cnfaohbj.exe34⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Chlflabp.exeC:\Windows\system32\Chlflabp.exe35⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Cohkokgj.exeC:\Windows\system32\Cohkokgj.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5004 -
C:\Windows\SysWOW64\Ekkkoj32.exeC:\Windows\system32\Ekkkoj32.exe37⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Ennqfenp.exeC:\Windows\system32\Ennqfenp.exe38⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Fbpchb32.exeC:\Windows\system32\Fbpchb32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Glbjggof.exeC:\Windows\system32\Glbjggof.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Gfhndpol.exeC:\Windows\system32\Gfhndpol.exe41⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Gifkpknp.exeC:\Windows\system32\Gifkpknp.exe42⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Gbnoiqdq.exeC:\Windows\system32\Gbnoiqdq.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Gemkelcd.exeC:\Windows\system32\Gemkelcd.exe44⤵
- Executes dropped EXE
PID:716 -
C:\Windows\SysWOW64\Gbalopbn.exeC:\Windows\system32\Gbalopbn.exe45⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Gikdkj32.exeC:\Windows\system32\Gikdkj32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Gbchdp32.exeC:\Windows\system32\Gbchdp32.exe47⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Agdcpkll.exeC:\Windows\system32\Agdcpkll.exe48⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Amnlme32.exeC:\Windows\system32\Amnlme32.exe49⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Adhdjpjf.exeC:\Windows\system32\Adhdjpjf.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:232 -
C:\Windows\SysWOW64\Aonhghjl.exeC:\Windows\system32\Aonhghjl.exe51⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Apodoq32.exeC:\Windows\system32\Apodoq32.exe52⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Akdilipp.exeC:\Windows\system32\Akdilipp.exe53⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Apaadpng.exeC:\Windows\system32\Apaadpng.exe54⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Bphgeo32.exeC:\Windows\system32\Bphgeo32.exe55⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Bgbpaipl.exeC:\Windows\system32\Bgbpaipl.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:5044 -
C:\Windows\SysWOW64\Bnlhncgi.exeC:\Windows\system32\Bnlhncgi.exe57⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Bdfpkm32.exeC:\Windows\system32\Bdfpkm32.exe58⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Bkphhgfc.exeC:\Windows\system32\Bkphhgfc.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Bajqda32.exeC:\Windows\system32\Bajqda32.exe60⤵
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Chfegk32.exeC:\Windows\system32\Chfegk32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Cdmfllhn.exeC:\Windows\system32\Cdmfllhn.exe62⤵
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Ckgohf32.exeC:\Windows\system32\Ckgohf32.exe63⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Cdpcal32.exeC:\Windows\system32\Cdpcal32.exe64⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Cgnomg32.exeC:\Windows\system32\Cgnomg32.exe65⤵
- Executes dropped EXE
PID:4204 -
C:\Windows\SysWOW64\Chnlgjlb.exeC:\Windows\system32\Chnlgjlb.exe66⤵PID:2380
-
C:\Windows\SysWOW64\Cogddd32.exeC:\Windows\system32\Cogddd32.exe67⤵PID:3456
-
C:\Windows\SysWOW64\Dafppp32.exeC:\Windows\system32\Dafppp32.exe68⤵
- Drops file in System32 directory
PID:3368 -
C:\Windows\SysWOW64\Dkndie32.exeC:\Windows\system32\Dkndie32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5080 -
C:\Windows\SysWOW64\Dnmaea32.exeC:\Windows\system32\Dnmaea32.exe70⤵PID:1948
-
C:\Windows\SysWOW64\Dqnjgl32.exeC:\Windows\system32\Dqnjgl32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1980 -
C:\Windows\SysWOW64\Dnqcfjae.exeC:\Windows\system32\Dnqcfjae.exe72⤵PID:1608
-
C:\Windows\SysWOW64\Ddklbd32.exeC:\Windows\system32\Ddklbd32.exe73⤵PID:4540
-
C:\Windows\SysWOW64\Dkedonpo.exeC:\Windows\system32\Dkedonpo.exe74⤵PID:4944
-
C:\Windows\SysWOW64\Daollh32.exeC:\Windows\system32\Daollh32.exe75⤵PID:944
-
C:\Windows\SysWOW64\Ddmhhd32.exeC:\Windows\system32\Ddmhhd32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1652 -
C:\Windows\SysWOW64\Ejjaqk32.exeC:\Windows\system32\Ejjaqk32.exe77⤵
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Edoencdm.exeC:\Windows\system32\Edoencdm.exe78⤵PID:836
-
C:\Windows\SysWOW64\Eaceghcg.exeC:\Windows\system32\Eaceghcg.exe79⤵PID:1632
-
C:\Windows\SysWOW64\Ejagaj32.exeC:\Windows\system32\Ejagaj32.exe80⤵PID:4528
-
C:\Windows\SysWOW64\Eahobg32.exeC:\Windows\system32\Eahobg32.exe81⤵PID:2080
-
C:\Windows\SysWOW64\Ecikjoep.exeC:\Windows\system32\Ecikjoep.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2920 -
C:\Windows\SysWOW64\Ejccgi32.exeC:\Windows\system32\Ejccgi32.exe83⤵PID:4880
-
C:\Windows\SysWOW64\Edihdb32.exeC:\Windows\system32\Edihdb32.exe84⤵
- Drops file in System32 directory
PID:220 -
C:\Windows\SysWOW64\Famhmfkl.exeC:\Windows\system32\Famhmfkl.exe85⤵
- Drops file in System32 directory
PID:1404 -
C:\Windows\SysWOW64\Fjhmbihg.exeC:\Windows\system32\Fjhmbihg.exe86⤵PID:1464
-
C:\Windows\SysWOW64\Fdmaoahm.exeC:\Windows\system32\Fdmaoahm.exe87⤵PID:3396
-
C:\Windows\SysWOW64\Fbdnne32.exeC:\Windows\system32\Fbdnne32.exe88⤵PID:4100
-
C:\Windows\SysWOW64\Fcekfnkb.exeC:\Windows\system32\Fcekfnkb.exe89⤵PID:4680
-
C:\Windows\SysWOW64\Fnjocf32.exeC:\Windows\system32\Fnjocf32.exe90⤵PID:2716
-
C:\Windows\SysWOW64\Gcghkm32.exeC:\Windows\system32\Gcghkm32.exe91⤵PID:2356
-
C:\Windows\SysWOW64\Gjaphgpl.exeC:\Windows\system32\Gjaphgpl.exe92⤵PID:4728
-
C:\Windows\SysWOW64\Gbhhieao.exeC:\Windows\system32\Gbhhieao.exe93⤵PID:3372
-
C:\Windows\SysWOW64\Gcjdam32.exeC:\Windows\system32\Gcjdam32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4388 -
C:\Windows\SysWOW64\Gnohnffc.exeC:\Windows\system32\Gnohnffc.exe95⤵
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Gdiakp32.exeC:\Windows\system32\Gdiakp32.exe96⤵
- Drops file in System32 directory
PID:4448 -
C:\Windows\SysWOW64\Gggmgk32.exeC:\Windows\system32\Gggmgk32.exe97⤵PID:4080
-
C:\Windows\SysWOW64\Gjficg32.exeC:\Windows\system32\Gjficg32.exe98⤵PID:664
-
C:\Windows\SysWOW64\Gqpapacd.exeC:\Windows\system32\Gqpapacd.exe99⤵PID:3832
-
C:\Windows\SysWOW64\Gkefmjcj.exeC:\Windows\system32\Gkefmjcj.exe100⤵PID:5132
-
C:\Windows\SysWOW64\Gndbie32.exeC:\Windows\system32\Gndbie32.exe101⤵PID:5168
-
C:\Windows\SysWOW64\Gdnjfojj.exeC:\Windows\system32\Gdnjfojj.exe102⤵PID:5220
-
C:\Windows\SysWOW64\Gkhbbi32.exeC:\Windows\system32\Gkhbbi32.exe103⤵
- Modifies registry class
PID:5268 -
C:\Windows\SysWOW64\Gbbkocid.exeC:\Windows\system32\Gbbkocid.exe104⤵PID:5308
-
C:\Windows\SysWOW64\Hepgkohh.exeC:\Windows\system32\Hepgkohh.exe105⤵PID:5352
-
C:\Windows\SysWOW64\Hkjohi32.exeC:\Windows\system32\Hkjohi32.exe106⤵PID:5408
-
C:\Windows\SysWOW64\Hbdgec32.exeC:\Windows\system32\Hbdgec32.exe107⤵PID:5448
-
C:\Windows\SysWOW64\Hebcao32.exeC:\Windows\system32\Hebcao32.exe108⤵PID:5500
-
C:\Windows\SysWOW64\Hgapmj32.exeC:\Windows\system32\Hgapmj32.exe109⤵PID:5548
-
C:\Windows\SysWOW64\Hnkhjdle.exeC:\Windows\system32\Hnkhjdle.exe110⤵PID:5584
-
C:\Windows\SysWOW64\Haidfpki.exeC:\Windows\system32\Haidfpki.exe111⤵PID:5628
-
C:\Windows\SysWOW64\Hchqbkkm.exeC:\Windows\system32\Hchqbkkm.exe112⤵PID:5672
-
C:\Windows\SysWOW64\Hkohchko.exeC:\Windows\system32\Hkohchko.exe113⤵PID:5724
-
C:\Windows\SysWOW64\Hbiapb32.exeC:\Windows\system32\Hbiapb32.exe114⤵PID:5768
-
C:\Windows\SysWOW64\Hcjmhk32.exeC:\Windows\system32\Hcjmhk32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5816 -
C:\Windows\SysWOW64\Hnbnjc32.exeC:\Windows\system32\Hnbnjc32.exe116⤵PID:5864
-
C:\Windows\SysWOW64\Indkpcdk.exeC:\Windows\system32\Indkpcdk.exe117⤵PID:5904
-
C:\Windows\SysWOW64\Ilhkigcd.exeC:\Windows\system32\Ilhkigcd.exe118⤵PID:5948
-
C:\Windows\SysWOW64\Iaedanal.exeC:\Windows\system32\Iaedanal.exe119⤵PID:5992
-
C:\Windows\SysWOW64\Iholohii.exeC:\Windows\system32\Iholohii.exe120⤵PID:6036
-
C:\Windows\SysWOW64\Ibdplaho.exeC:\Windows\system32\Ibdplaho.exe121⤵PID:6080
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-