Analysis
max time kernel: 81s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/10/2023, 12:00
Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: 321ebc21c9d03805c2f13bafa33120d0_JC.exe
Resource: win7-20230831-en
6 signatures, 150 seconds
Behavioral task: behavioral2
Sample: 321ebc21c9d03805c2f13bafa33120d0_JC.exe
Resource: win10v2004-20230915-en
6 signatures, 150 seconds
General
Target: 321ebc21c9d03805c2f13bafa33120d0_JC.exe
Size: 45KB
MD5: 321ebc21c9d03805c2f13bafa33120d0
SHA1: 7c340f2aaac7999b9b418d8906c777cb85320b9a
SHA256: 300eb3e0f370ad25c8d301878ed68d2c2199beeb42fa815fba0467388548e949
SHA512: 80fcf190b0d19f3477b5b490bfddd82d71535c3c7280bf4b7c061c2809656309551c77aa094ddd02b1aca827beed35d5a9d69a8d270a9bf9cff22f79f23237f7
SSDEEP: 768:Zz9u4F8YC3v0CY4gKslDvZGfkMn7Tyuoa7jGzXIlFvt64bYD/1H5pK:Zz9u41CxYqslDssW7TMueXIlVtv27K
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid 6828, pid_target 7152, process WerFault.exe, procid_target 1012
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree (each entry: image path, command line, tree depth, PID, followed by the signatures triggered by that process; every process spawns the next, so the chain is linear):

- [depth 1] C:\Users\Admin\AppData\Local\Temp\321ebc21c9d03805c2f13bafa33120d0_JC.exe (command line: "C:\Users\Admin\AppData\Local\Temp\321ebc21c9d03805c2f13bafa33120d0_JC.exe"), PID 3836
  - Suspicious use of WriteProcessMemory
- [depth 2] C:\Windows\SysWOW64\Jpdbjleo.exe (command line: C:\Windows\system32\Jpdbjleo.exe), PID 1380
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\SysWOW64\Kmpido32.exe (command line: C:\Windows\system32\Kmpido32.exe), PID 2192
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\SysWOW64\Kjcjmclj.exe (command line: C:\Windows\system32\Kjcjmclj.exe), PID 1448
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 5] C:\Windows\SysWOW64\Labkempb.exe (command line: C:\Windows\system32\Labkempb.exe), PID 4964
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 6] C:\Windows\SysWOW64\Lccdghmc.exe (command line: C:\Windows\system32\Lccdghmc.exe), PID 860
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 7] C:\Windows\SysWOW64\Mmpbkm32.exe (command line: C:\Windows\system32\Mmpbkm32.exe), PID 5016
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 8] C:\Windows\SysWOW64\Mdodbf32.exe (command line: C:\Windows\system32\Mdodbf32.exe), PID 3300
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 9] C:\Windows\SysWOW64\Mjkiephp.exe (command line: C:\Windows\system32\Mjkiephp.exe), PID 3592
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 10] C:\Windows\SysWOW64\Njmejp32.exe (command line: C:\Windows\system32\Njmejp32.exe), PID 2264
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 11] C:\Windows\SysWOW64\Nkpbpp32.exe (command line: C:\Windows\system32\Nkpbpp32.exe), PID 3780
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 12] C:\Windows\SysWOW64\Ngklppei.exe (command line: C:\Windows\system32\Ngklppei.exe), PID 3860
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 13] C:\Windows\SysWOW64\Ohkijc32.exe (command line: C:\Windows\system32\Ohkijc32.exe), PID 1416
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 14] C:\Windows\SysWOW64\Okkalnjm.exe (command line: C:\Windows\system32\Okkalnjm.exe), PID 2480
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 15] C:\Windows\SysWOW64\Ohobebig.exe (command line: C:\Windows\system32\Ohobebig.exe), PID 2600
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [depth 16] C:\Windows\SysWOW64\Ogdofo32.exe (command line: C:\Windows\system32\Ogdofo32.exe), PID 2424
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 17] C:\Windows\SysWOW64\Opmcod32.exe (command line: C:\Windows\system32\Opmcod32.exe), PID 1724
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 18] C:\Windows\SysWOW64\Oalpigkb.exe (command line: C:\Windows\system32\Oalpigkb.exe), PID 1684
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [depth 19] C:\Windows\SysWOW64\Pdmikb32.exe (command line: C:\Windows\system32\Pdmikb32.exe), PID 2208
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [depth 20] C:\Windows\SysWOW64\Pgnblm32.exe (command line: C:\Windows\system32\Pgnblm32.exe), PID 4468
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [depth 21] C:\Windows\SysWOW64\Pjahchpb.exe (command line: C:\Windows\system32\Pjahchpb.exe), PID 4156
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [depth 22] C:\Windows\SysWOW64\Qhbhapha.exe (command line: C:\Windows\system32\Qhbhapha.exe), PID 4068
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [depth 23] C:\Windows\SysWOW64\Qjcdih32.exe (command line: C:\Windows\system32\Qjcdih32.exe), PID 1460
  - Executes dropped EXE
- [depth 24] C:\Windows\SysWOW64\Ahgamo32.exe (command line: C:\Windows\system32\Ahgamo32.exe), PID 3640
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [depth 25] C:\Windows\SysWOW64\Ahinbo32.exe (command line: C:\Windows\system32\Ahinbo32.exe), PID 1904
  - Executes dropped EXE
- [depth 26] C:\Windows\SysWOW64\Agnkck32.exe (command line: C:\Windows\system32\Agnkck32.exe), PID 4168
  - Executes dropped EXE
- [depth 27] C:\Windows\SysWOW64\Aqilaplo.exe (command line: C:\Windows\system32\Aqilaplo.exe), PID 728
  - Executes dropped EXE
- [depth 28] C:\Windows\SysWOW64\Bbhhlccb.exe (command line: C:\Windows\system32\Bbhhlccb.exe), PID 1728
  - Executes dropped EXE
  - Modifies registry class
- [depth 29] C:\Windows\SysWOW64\Bgeadjai.exe (command line: C:\Windows\system32\Bgeadjai.exe), PID 4732
  - Executes dropped EXE
  - Modifies registry class
- [depth 30] C:\Windows\SysWOW64\Bqnemp32.exe (command line: C:\Windows\system32\Bqnemp32.exe), PID 412
  - Executes dropped EXE
  - Drops file in System32 directory
- [depth 31] C:\Windows\SysWOW64\Bnaffdfc.exe (command line: C:\Windows\system32\Bnaffdfc.exe), PID 2216
  - Executes dropped EXE
- [depth 32] C:\Windows\SysWOW64\Bgjjoi32.exe (command line: C:\Windows\system32\Bgjjoi32.exe), PID 1900
  - Executes dropped EXE
- [depth 33] C:\Windows\SysWOW64\Bdnkhn32.exe (command line: C:\Windows\system32\Bdnkhn32.exe), PID 2856
  - Executes dropped EXE
- [depth 34] C:\Windows\SysWOW64\Bilcol32.exe (command line: C:\Windows\system32\Bilcol32.exe), PID 404
  - Executes dropped EXE
- [depth 35] C:\Windows\SysWOW64\Cgaqphgl.exe (command line: C:\Windows\system32\Cgaqphgl.exe), PID 2204
  - Executes dropped EXE
- [depth 36] C:\Windows\SysWOW64\Ceeaim32.exe (command line: C:\Windows\system32\Ceeaim32.exe), PID 4308
  - Executes dropped EXE
- [depth 37] C:\Windows\SysWOW64\Cjdfgc32.exe (command line: C:\Windows\system32\Cjdfgc32.exe), PID 3944
  - Executes dropped EXE
- [depth 38] C:\Windows\SysWOW64\Cnboma32.exe (command line: C:\Windows\system32\Cnboma32.exe), PID 2472
  - Executes dropped EXE
- [depth 39] C:\Windows\SysWOW64\Dgmpkg32.exe (command line: C:\Windows\system32\Dgmpkg32.exe), PID 1688
  - Executes dropped EXE
- [depth 40] C:\Windows\SysWOW64\Dlkiaece.exe (command line: C:\Windows\system32\Dlkiaece.exe), PID 1760
  - Executes dropped EXE
- [depth 41] C:\Windows\SysWOW64\Enpknplq.exe (command line: C:\Windows\system32\Enpknplq.exe), PID 3972
  - Executes dropped EXE
  - Modifies registry class
- [depth 42] C:\Windows\SysWOW64\Ebpqjmpd.exe (command line: C:\Windows\system32\Ebpqjmpd.exe), PID 4860
  - Executes dropped EXE
  - Drops file in System32 directory
- [depth 43] C:\Windows\SysWOW64\Eimelg32.exe (command line: C:\Windows\system32\Eimelg32.exe), PID 4476
  - Executes dropped EXE
- [depth 44] C:\Windows\SysWOW64\Fjpoio32.exe (command line: C:\Windows\system32\Fjpoio32.exe), PID 4364
  - Executes dropped EXE
- [depth 45] C:\Windows\SysWOW64\Ficlmf32.exe (command line: C:\Windows\system32\Ficlmf32.exe), PID 468
  - Executes dropped EXE
  - Drops file in System32 directory
- [depth 46] C:\Windows\SysWOW64\Fejlbgek.exe (command line: C:\Windows\system32\Fejlbgek.exe), PID 5036
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [depth 47] C:\Windows\SysWOW64\Focakm32.exe (command line: C:\Windows\system32\Focakm32.exe), PID 1732
  - Executes dropped EXE
- [depth 48] C:\Windows\SysWOW64\Facjlhil.exe (command line: C:\Windows\system32\Facjlhil.exe), PID 2796
  - Executes dropped EXE
- [depth 49] C:\Windows\SysWOW64\Gedohfmp.exe (command line: C:\Windows\system32\Gedohfmp.exe), PID 2884
  - Executes dropped EXE
  - Drops file in System32 directory
- [depth 50] C:\Windows\SysWOW64\Gajpmg32.exe (command line: C:\Windows\system32\Gajpmg32.exe), PID 2368
  - Executes dropped EXE
- [depth 51] C:\Windows\SysWOW64\Ghdhja32.exe (command line: C:\Windows\system32\Ghdhja32.exe), PID 4120
  - Executes dropped EXE
- [depth 52] C:\Windows\SysWOW64\Gkeakl32.exe (command line: C:\Windows\system32\Gkeakl32.exe), PID 2152
  - Executes dropped EXE
- [depth 53] C:\Windows\SysWOW64\Hocjaj32.exe (command line: C:\Windows\system32\Hocjaj32.exe), PID 4208
  - Executes dropped EXE
- [depth 54] C:\Windows\SysWOW64\Hlgjko32.exe (command line: C:\Windows\system32\Hlgjko32.exe), PID 3260
  - Executes dropped EXE
- [depth 55] C:\Windows\SysWOW64\Hepoddcc.exe (command line: C:\Windows\system32\Hepoddcc.exe), PID 1776
  - Executes dropped EXE
- [depth 56] C:\Windows\SysWOW64\Himgjbii.exe (command line: C:\Windows\system32\Himgjbii.exe), PID 2388
  - Executes dropped EXE
- [depth 57] C:\Windows\SysWOW64\Hedhoc32.exe (command line: C:\Windows\system32\Hedhoc32.exe), PID 180
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- [depth 58] C:\Windows\SysWOW64\Iibaeb32.exe (command line: C:\Windows\system32\Iibaeb32.exe), PID 1240
  - Executes dropped EXE
  - Modifies registry class
- [depth 59] C:\Windows\SysWOW64\Icooig32.exe (command line: C:\Windows\system32\Icooig32.exe), PID 824
  - Executes dropped EXE
- [depth 60] C:\Windows\SysWOW64\Ifphkbep.exe (command line: C:\Windows\system32\Ifphkbep.exe), PID 4868
  - Executes dropped EXE
  - Modifies registry class
- [depth 61] C:\Windows\SysWOW64\Jhqqlmba.exe (command line: C:\Windows\system32\Jhqqlmba.exe), PID 4164
  - Executes dropped EXE
- [depth 62] C:\Windows\SysWOW64\Jcfejfag.exe (command line: C:\Windows\system32\Jcfejfag.exe), PID 4688
  - Executes dropped EXE
  - Drops file in System32 directory
- [depth 63] C:\Windows\SysWOW64\Jomeoggk.exe (command line: C:\Windows\system32\Jomeoggk.exe), PID 4204
  - Executes dropped EXE
- [depth 64] C:\Windows\SysWOW64\Jcknee32.exe (command line: C:\Windows\system32\Jcknee32.exe), PID 4060
  - Executes dropped EXE
- [depth 65] C:\Windows\SysWOW64\Jflgfpkc.exe (command line: C:\Windows\system32\Jflgfpkc.exe), PID 3184
  - Executes dropped EXE
- [depth 66] C:\Windows\SysWOW64\Kcphpdil.exe (command line: C:\Windows\system32\Kcphpdil.exe), PID 940
- [depth 67] C:\Windows\SysWOW64\Kfpqap32.exe (command line: C:\Windows\system32\Kfpqap32.exe), PID 1820
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- [depth 68] C:\Windows\SysWOW64\Kjnihnmd.exe (command line: C:\Windows\system32\Kjnihnmd.exe), PID 4980
- [depth 69] C:\Windows\SysWOW64\Kjqfmn32.exe (command line: C:\Windows\system32\Kjqfmn32.exe), PID 3540
  - Modifies registry class
- [depth 70] C:\Windows\SysWOW64\Kblkap32.exe (command line: C:\Windows\system32\Kblkap32.exe), PID 4100
- [depth 71] C:\Windows\SysWOW64\Lopkkdgf.exe (command line: C:\Windows\system32\Lopkkdgf.exe), PID 2592
- [depth 72] C:\Windows\SysWOW64\Lkflpe32.exe (command line: C:\Windows\system32\Lkflpe32.exe), PID 2808
- [depth 73] C:\Windows\SysWOW64\Lbqdmodg.exe (command line: C:\Windows\system32\Lbqdmodg.exe), PID 2968
  - Adds autorun key to be loaded by Explorer.exe on startup
- [depth 74] C:\Windows\SysWOW64\Lpdefc32.exe (command line: C:\Windows\system32\Lpdefc32.exe), PID 4072
- [depth 75] C:\Windows\SysWOW64\Ljjicl32.exe (command line: C:\Windows\system32\Ljjicl32.exe), PID 3928
- [depth 76] C:\Windows\SysWOW64\Lcbmlbig.exe (command line: C:\Windows\system32\Lcbmlbig.exe), PID 640
- [depth 77] C:\Windows\SysWOW64\Lmkbeg32.exe (command line: C:\Windows\system32\Lmkbeg32.exe), PID 4276
  - Modifies registry class
- [depth 78] C:\Windows\SysWOW64\Lbgjmnno.exe (command line: C:\Windows\system32\Lbgjmnno.exe), PID 3496
- [depth 79] C:\Windows\SysWOW64\Llpofd32.exe (command line: C:\Windows\system32\Llpofd32.exe), PID 2012
- [depth 80] C:\Windows\SysWOW64\Mcicma32.exe (command line: C:\Windows\system32\Mcicma32.exe), PID 1276
- [depth 81] C:\Windows\SysWOW64\Miflehaf.exe (command line: C:\Windows\system32\Miflehaf.exe), PID 3188
  - Modifies registry class
- [depth 82] C:\Windows\SysWOW64\Mboqnm32.exe (command line: C:\Windows\system32\Mboqnm32.exe), PID 4016
- [depth 83] C:\Windows\SysWOW64\Mcnmhpoj.exe (command line: C:\Windows\system32\Mcnmhpoj.exe), PID 1452
- [depth 84] C:\Windows\SysWOW64\Nfcoekhe.exe (command line: C:\Windows\system32\Nfcoekhe.exe), PID 4124
- [depth 85] C:\Windows\SysWOW64\Nidhffef.exe (command line: C:\Windows\system32\Nidhffef.exe), PID 4532
  - Drops file in System32 directory
- [depth 86] C:\Windows\SysWOW64\Nfhipj32.exe (command line: C:\Windows\system32\Nfhipj32.exe), PID 2016
- [depth 87] C:\Windows\SysWOW64\Nmbamdkm.exe (command line: C:\Windows\system32\Nmbamdkm.exe), PID 2964
- [depth 88] C:\Windows\SysWOW64\Njfafhjf.exe (command line: C:\Windows\system32\Njfafhjf.exe), PID 4924
- [depth 89] C:\Windows\SysWOW64\Opcjno32.exe (command line: C:\Windows\system32\Opcjno32.exe), PID 4192
- [depth 90] C:\Windows\SysWOW64\Odqbdnod.exe (command line: C:\Windows\system32\Odqbdnod.exe), PID 2092
- [depth 91] C:\Windows\SysWOW64\Ollgiplp.exe (command line: C:\Windows\system32\Ollgiplp.exe), PID 3600
- [depth 92] C:\Windows\SysWOW64\Pmgcoaie.exe (command line: C:\Windows\system32\Pmgcoaie.exe), PID 2860
- [depth 93] C:\Windows\SysWOW64\Pcdlghgl.exe (command line: C:\Windows\system32\Pcdlghgl.exe), PID 420
- [depth 94] C:\Windows\SysWOW64\Qdfefkll.exe (command line: C:\Windows\system32\Qdfefkll.exe), PID 3032
- [depth 95] C:\Windows\SysWOW64\Qibmoa32.exe (command line: C:\Windows\system32\Qibmoa32.exe), PID 3636
- [depth 96] C:\Windows\SysWOW64\Qckbggad.exe (command line: C:\Windows\system32\Qckbggad.exe), PID 5040
- [depth 97] C:\Windows\SysWOW64\Alcfpm32.exe (command line: C:\Windows\system32\Alcfpm32.exe), PID 4744
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- [depth 98] C:\Windows\SysWOW64\Acbhhf32.exe (command line: C:\Windows\system32\Acbhhf32.exe), PID 4176
  - Modifies registry class
- [depth 99] C:\Windows\SysWOW64\Addahh32.exe (command line: C:\Windows\system32\Addahh32.exe), PID 1604
- [depth 100] C:\Windows\SysWOW64\Bjcfeola.exe (command line: C:\Windows\system32\Bjcfeola.exe), PID 3564
  - Adds autorun key to be loaded by Explorer.exe on startup
- [depth 101] C:\Windows\SysWOW64\Bcngddao.exe (command line: C:\Windows\system32\Bcngddao.exe), PID 2772
  - Adds autorun key to be loaded by Explorer.exe on startup
- [depth 102] C:\Windows\SysWOW64\Cnmoglij.exe (command line: C:\Windows\system32\Cnmoglij.exe), PID 2080
- [depth 103] C:\Windows\SysWOW64\Cjcolm32.exe (command line: C:\Windows\system32\Cjcolm32.exe), PID 2156
- [depth 104] C:\Windows\SysWOW64\Cqpdof32.exe (command line: C:\Windows\system32\Cqpdof32.exe), PID 4700
  - Modifies registry class
- [depth 105] C:\Windows\SysWOW64\Dgqblp32.exe (command line: C:\Windows\system32\Dgqblp32.exe), PID 3052
  - Adds autorun key to be loaded by Explorer.exe on startup
- [depth 106] C:\Windows\SysWOW64\Dmphjfab.exe (command line: C:\Windows\system32\Dmphjfab.exe), PID 3100
- [depth 107] C:\Windows\SysWOW64\Eanqpdgi.exe (command line: C:\Windows\system32\Eanqpdgi.exe), PID 4912
- [depth 108] C:\Windows\SysWOW64\Eelifc32.exe (command line: C:\Windows\system32\Eelifc32.exe), PID 4488
  - Adds autorun key to be loaded by Explorer.exe on startup
- [depth 109] C:\Windows\SysWOW64\Endnohdp.exe (command line: C:\Windows\system32\Endnohdp.exe), PID 1116
- [depth 110] C:\Windows\SysWOW64\Ecccmo32.exe (command line: C:\Windows\system32\Ecccmo32.exe), PID 3076
- [depth 111] C:\Windows\SysWOW64\Enigjh32.exe (command line: C:\Windows\system32\Enigjh32.exe), PID 5080
  - Modifies registry class
- [depth 112] C:\Windows\SysWOW64\Fmbnfcam.exe (command line: C:\Windows\system32\Fmbnfcam.exe), PID 5188
- [depth 113] C:\Windows\SysWOW64\Genobp32.exe (command line: C:\Windows\system32\Genobp32.exe), PID 5228
- [depth 114] C:\Windows\SysWOW64\Glhgojef.exe (command line: C:\Windows\system32\Glhgojef.exe), PID 5284
- [depth 115] C:\Windows\SysWOW64\Gjndpg32.exe (command line: C:\Windows\system32\Gjndpg32.exe), PID 5324
  - Modifies registry class
- [depth 116] C:\Windows\SysWOW64\Gechnpid.exe (command line: C:\Windows\system32\Gechnpid.exe), PID 5372
- [depth 117] C:\Windows\SysWOW64\Glmqjj32.exe (command line: C:\Windows\system32\Glmqjj32.exe), PID 5420
- [depth 118] C:\Windows\SysWOW64\Gmnmbbgp.exe (command line: C:\Windows\system32\Gmnmbbgp.exe), PID 5468
- [depth 119] C:\Windows\SysWOW64\Gkbnkfei.exe (command line: C:\Windows\system32\Gkbnkfei.exe), PID 5516
- [depth 120] C:\Windows\SysWOW64\Hmcfma32.exe (command line: C:\Windows\system32\Hmcfma32.exe), PID 5568
  - Drops file in System32 directory
- [depth 121] C:\Windows\SysWOW64\Hmecba32.exe (command line: C:\Windows\system32\Hmecba32.exe), PID 5620
- [depth 122] C:\Windows\SysWOW64\Hkiclepa.exe (command line: C:\Windows\system32\Hkiclepa.exe), PID 5672
  - Adds autorun key to be loaded by Explorer.exe on startup