Analysis

max time kernel: 163s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2023 11:20

Static task
static1: 1 signatures

Behavioral task
behavioral1
Sample: bfca00da960f12bea9bb7c49617d0fb8_JC.exe
Resource: win7-20230831-en (windows7-x64)
6 signatures, 150 seconds

Behavioral task
behavioral2
Sample: bfca00da960f12bea9bb7c49617d0fb8_JC.exe
Resource: win10v2004-20230915-en (windows10-2004-x64)
5 signatures, 150 seconds

General

Target: bfca00da960f12bea9bb7c49617d0fb8_JC.exe
Size: 74KB
MD5: bfca00da960f12bea9bb7c49617d0fb8
SHA1: a0c154a9ae3d262329b51ce0323a2ca0eb89bd29
SHA256: d736b4a7ae31f2f0254eb2ca8ea0d2c6d1af8de723ee73386f2488490c1c8f4c
SHA512: 1d28b69db51e69970e8a39558886549150a9ccb9a3a76781d0fb15dee23431f89d3a6cc0342500b4ef986fa847967cb868506af1b4387ed29eadf876147b82e7
SSDEEP: 1536:FzNyED66VIJyoOJIDwN5rVcUNdYRvxJfI7RaUMLkw4m:FzhbK0oOJJDHjYFLI7RVMe
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odgjdibf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjjggede.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aqffdejj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lqdakjak.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fligjnlo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ipgbngfp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jlbecadc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gdgdofep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cpklql32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aepmjk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgphje32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Glcelq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahpdnaci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hmbflc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cqiehnml.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncecioib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Knjhae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mbpoop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nhkief32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mncjffbl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eohmdhki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Onneeceo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ajhdmplk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekggijge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cnokmkfh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ajcdhj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opjgidfa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gkqhpmkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lcmopeae.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjpcel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jldbiabp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nplkhf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnienqbi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Boabkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cfqmjajc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bplhhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fdiafc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddhhnana.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Amaqde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hpkcafjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ecbjdcml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ilfomm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kdeghfhj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbbpnc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkalmn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Olhlaoea.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qfpbfljd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Capbaacl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oihapg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gifjjacn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ecgone32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bodano32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lohqgj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | bfca00da960f12bea9bb7c49617d0fb8_JC.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijngkf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bnhjinpo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmooak32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpmhmbko.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdgdofep.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmmppc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Keapmf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfncia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dijgjpip.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgpbhmna.exe
Executes dropped EXE (64 IoCs)

pid | Process
1536 | Kibeoo32.exe
3812 | Modpib32.exe
3260 | Mlofcf32.exe
4732 | Nfldgk32.exe
1844 | Nqaiecjd.exe
3988 | Qamago32.exe
2780 | Aadghn32.exe
2188 | Amnebo32.exe
3728 | Bbaclegm.exe
4664 | Bdcmkgmm.exe
4076 | Cbkfbcpb.exe
4092 | Cdolgfbp.exe
1416 | Dkpjdo32.exe
1896 | Enhifi32.exe
664 | Fboecfii.exe
3560 | Gbpnjdkg.exe
1808 | Hnbnjc32.exe
1804 | Ieeimlep.exe
1252 | Iloajfml.exe
1344 | Jldkeeig.exe
4404 | Jbbmmo32.exe
1168 | Keceoj32.exe
4224 | Ncjdki32.exe
4772 | Ollljmhg.exe
4768 | Pfncia32.exe
4132 | Peempn32.exe
4616 | Pbimjb32.exe
4968 | Apimodmh.exe
4708 | Bikeni32.exe
4384 | Cefoni32.exe
2640 | Cboibm32.exe
452 | Debnjgcp.exe
1188 | Elolco32.exe
676 | Fjgfgbek.exe
4396 | Fpfholhc.exe
5008 | Gqmnpk32.exe
2648 | Hmkeekag.exe
3324 | Hnmnengg.exe
4220 | Iqbpahpc.exe
2428 | Iglhob32.exe
3100 | Jjdgal32.exe
4228 | Jgjeppkp.exe
4156 | Jaefne32.exe
4480 | Kceoppmo.exe
440 | Knbinhfl.exe
4804 | Ljkghi32.exe
5020 | Mhkgnkoj.exe
4440 | Nncoaq32.exe
3252 | Odgjdibf.exe
2528 | Pfkpiled.exe
4024 | Anfmeldl.exe
4312 | Anijjkbj.exe
2412 | Biljib32.exe
3596 | Cpklql32.exe
3860 | Dijgjpip.exe
4420 | Dfqdid32.exe
1320 | Eemgkpef.exe
4084 | Ebagdddp.exe
4588 | Eohhie32.exe
1684 | Fhiphi32.exe
4388 | Gllajf32.exe
3932 | Ggafgo32.exe
4036 | Gpodkdll.exe
4476 | Hhleefhe.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Bacjmh32.exe | Aokkknbl.exe
File opened for modification | C:\Windows\SysWOW64\Aiapjecl.exe | Qniogl32.exe
File created | C:\Windows\SysWOW64\Anfmeldl.exe | Pfkpiled.exe
File opened for modification | C:\Windows\SysWOW64\Jkeloa32.exe | Jahnkl32.exe
File opened for modification | C:\Windows\SysWOW64\Apimodmh.exe | Pbimjb32.exe
File opened for modification | C:\Windows\SysWOW64\Ebocpd32.exe | Daccdf32.exe
File created | C:\Windows\SysWOW64\Cknjjlee.dll | Eohmdhki.exe
File opened for modification | C:\Windows\SysWOW64\Kibeoo32.exe | bfca00da960f12bea9bb7c49617d0fb8_JC.exe
File created | C:\Windows\SysWOW64\Keapmf32.exe | Jldbiabp.exe
File opened for modification | C:\Windows\SysWOW64\Mnanpfdo.exe | Lckicnei.exe
File opened for modification | C:\Windows\SysWOW64\Lebiddfi.exe | Lohqgj32.exe
File opened for modification | C:\Windows\SysWOW64\Hnhknj32.exe | Hadkdf32.exe
File created | C:\Windows\SysWOW64\Dhejij32.exe | Dpnbhl32.exe
File created | C:\Windows\SysWOW64\Ciebfc32.dll | Ahpdnaci.exe
File opened for modification | C:\Windows\SysWOW64\Lnihod32.exe | Kilpgnfi.exe
File created | C:\Windows\SysWOW64\Mobjho32.exe | Mnanpfdo.exe
File created | C:\Windows\SysWOW64\Nclokbca.dll | Aokkknbl.exe
File created | C:\Windows\SysWOW64\Fclnkgap.dll | Fdiafc32.exe
File created | C:\Windows\SysWOW64\Nkdodffe.dll | Fomfpg32.exe
File created | C:\Windows\SysWOW64\Flqeap32.dll | Lnlloj32.exe
File created | C:\Windows\SysWOW64\Jmfiheah.dll | Gganjh32.exe
File created | C:\Windows\SysWOW64\Mglkge32.dll | Ecbjdcml.exe
File created | C:\Windows\SysWOW64\Ielmki32.exe | Iobeno32.exe
File opened for modification | C:\Windows\SysWOW64\Ihmobn32.exe | Ibpgjg32.exe
File opened for modification | C:\Windows\SysWOW64\Qniogl32.exe | Plapdb32.exe
File created | C:\Windows\SysWOW64\Jgfdemck.dll | Cflkihbd.exe
File opened for modification | C:\Windows\SysWOW64\Qfpbfljd.exe | Qqcjnell.exe
File created | C:\Windows\SysWOW64\Lnbkeclf.exe | Llcoihmb.exe
File created | C:\Windows\SysWOW64\Plpjhk32.exe | Lqdakjak.exe
File created | C:\Windows\SysWOW64\Fgoleo32.dll | Hlppgddh.exe
File created | C:\Windows\SysWOW64\Iloajfml.exe | Ieeimlep.exe
File created | C:\Windows\SysWOW64\Oenldl32.dll | Afjlgafe.exe
File opened for modification | C:\Windows\SysWOW64\Hpmpgfhd.exe | Hkpgooim.exe
File created | C:\Windows\SysWOW64\Ibkadden.dll | Nacmnlkd.exe
File opened for modification | C:\Windows\SysWOW64\Aappdj32.exe | Afjlgafe.exe
File created | C:\Windows\SysWOW64\Lpccfm32.exe | Khgbjqng.exe
File opened for modification | C:\Windows\SysWOW64\Hebcjdkb.exe | Hnhknj32.exe
File created | C:\Windows\SysWOW64\Aoeooiqn.dll | Dkikglce.exe
File opened for modification | C:\Windows\SysWOW64\Nmfmnjgh.exe | Nobldfio.exe
File created | C:\Windows\SysWOW64\Doeifpkk.exe | Dememj32.exe
File created | C:\Windows\SysWOW64\Mpgbleck.dll | Llcoihmb.exe
File created | C:\Windows\SysWOW64\Gifjjacn.exe | Gicndaep.exe
File created | C:\Windows\SysWOW64\Nncoaq32.exe | Mhkgnkoj.exe
File created | C:\Windows\SysWOW64\Aifklc32.dll | Cmmbmiag.exe
File created | C:\Windows\SysWOW64\Pkhnna32.dll | Cdoegcfl.exe
File opened for modification | C:\Windows\SysWOW64\Nqaiecjd.exe | Nfldgk32.exe
File created | C:\Windows\SysWOW64\Edkamckh.dll | Pfncia32.exe
File created | C:\Windows\SysWOW64\Beahon32.dll | Nobdlqnc.exe
File opened for modification | C:\Windows\SysWOW64\Gcggec32.exe | Fgnjjb32.exe
File opened for modification | C:\Windows\SysWOW64\Jlfpnn32.exe | Jgigfg32.exe
File opened for modification | C:\Windows\SysWOW64\Cfdgcmqd.exe | Bhnidi32.exe
File created | C:\Windows\SysWOW64\Opjgidfa.exe | Nplkhf32.exe
File created | C:\Windows\SysWOW64\Fagenneg.exe | Fbbhla32.exe
File created | C:\Windows\SysWOW64\Hillnoif.exe | Hicihp32.exe
File created | C:\Windows\SysWOW64\Bhobfffa.dll | Chokcakp.exe
File opened for modification | C:\Windows\SysWOW64\Djhifnho.exe | Dlfhhgpp.exe
File created | C:\Windows\SysWOW64\Bmcpfocg.dll | Qniogl32.exe
File created | C:\Windows\SysWOW64\Nambpl32.dll | Hbihdn32.exe
File created | C:\Windows\SysWOW64\Jpqedfne.exe | Jidpblik.exe
File opened for modification | C:\Windows\SysWOW64\Chokcakp.exe | Cfonin32.exe
File created | C:\Windows\SysWOW64\Dlfhhgpp.exe | Dbndoa32.exe
File created | C:\Windows\SysWOW64\Obgeqcnn.exe | Nejbaqgo.exe
File opened for modification | C:\Windows\SysWOW64\Doeifpkk.exe | Dememj32.exe
File created | C:\Windows\SysWOW64\Mjnfnn32.dll | Mojmbf32.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Njnpie32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aokkknbl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Anijjkbj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pjgemi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmcpfocg.dll" | Qniogl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bodano32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bcboan32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Edemdine.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bdgmio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdkqcp32.dll" | Bcboan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgqcnjba.dll" | Dfgcjpdk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jpdhdl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iomgjk32.dll" | Kkaljpmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnejp32.dll" | Cjpcel32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jjjpgb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Inbndi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kgngqico.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ddhhnana.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hbonci32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eainnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mjlafqbb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ljkghi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cigcjj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ajhdmplk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cieddjdp.dll" | Diicfa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Enhpje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbeqk32.dll" | Amkhfegn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Edjgpi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aogije32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkclkqdm.dll" | Mfkcibdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jmkdeaee.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cfogohpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamofk32.dll" | Lmncgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blqhlo32.dll" | Acfhkj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hjkbhlno.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Eoindndf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bgbmdd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejgcnh32.dll" | Clmjcfdb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lcndab32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ackiqpce.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bcfabgel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhqamj.dll" | Nfldgk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fpfholhc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ggafgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cecdiafb.dll" | Dmakgj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojnmhq32.dll" | Gqpaifia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geollfdn.dll" | Koekpi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Diicfa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hkgnpn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aiapjecl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jidpblik.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ncpejd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hmkeekag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dijgjpip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Adkelplc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghkbhfa.dll" | Daccdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ecgone32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pihdnloc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhobfffa.dll" | Chokcakp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pmiidnko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdqpp32.dll" | Cbgbpp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dfefeq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bpcgionf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aooniidp.dll" | Knbinhfl.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 1124 wrote to memory of 1536 | 1124 | bfca00da960f12bea9bb7c49617d0fb8_JC.exe | 88
PID 1124 wrote to memory of 1536 | 1124 | bfca00da960f12bea9bb7c49617d0fb8_JC.exe | 88
PID 1124 wrote to memory of 1536 | 1124 | bfca00da960f12bea9bb7c49617d0fb8_JC.exe | 88
PID 1536 wrote to memory of 3812 | 1536 | Kibeoo32.exe | 89
PID 1536 wrote to memory of 3812 | 1536 | Kibeoo32.exe | 89
PID 1536 wrote to memory of 3812 | 1536 | Kibeoo32.exe | 89
PID 3812 wrote to memory of 3260 | 3812 | Modpib32.exe | 90
PID 3812 wrote to memory of 3260 | 3812 | Modpib32.exe | 90
PID 3812 wrote to memory of 3260 | 3812 | Modpib32.exe | 90
PID 3260 wrote to memory of 4732 | 3260 | Mlofcf32.exe | 91
PID 3260 wrote to memory of 4732 | 3260 | Mlofcf32.exe | 91
PID 3260 wrote to memory of 4732 | 3260 | Mlofcf32.exe | 91
PID 4732 wrote to memory of 1844 | 4732 | Nfldgk32.exe | 92
PID 4732 wrote to memory of 1844 | 4732 | Nfldgk32.exe | 92
PID 4732 wrote to memory of 1844 | 4732 | Nfldgk32.exe | 92
PID 1844 wrote to memory of 3988 | 1844 | Nqaiecjd.exe | 93
PID 1844 wrote to memory of 3988 | 1844 | Nqaiecjd.exe | 93
PID 1844 wrote to memory of 3988 | 1844 | Nqaiecjd.exe | 93
PID 3988 wrote to memory of 2780 | 3988 | Qamago32.exe | 94
PID 3988 wrote to memory of 2780 | 3988 | Qamago32.exe | 94
PID 3988 wrote to memory of 2780 | 3988 | Qamago32.exe | 94
PID 2780 wrote to memory of 2188 | 2780 | Aadghn32.exe | 95
PID 2780 wrote to memory of 2188 | 2780 | Aadghn32.exe | 95
PID 2780 wrote to memory of 2188 | 2780 | Aadghn32.exe | 95
PID 2188 wrote to memory of 3728 | 2188 | Amnebo32.exe | 96
PID 2188 wrote to memory of 3728 | 2188 | Amnebo32.exe | 96
PID 2188 wrote to memory of 3728 | 2188 | Amnebo32.exe | 96
PID 3728 wrote to memory of 4664 | 3728 | Bbaclegm.exe | 97
PID 3728 wrote to memory of 4664 | 3728 | Bbaclegm.exe | 97
PID 3728 wrote to memory of 4664 | 3728 | Bbaclegm.exe | 97
PID 4664 wrote to memory of 4076 | 4664 | Bdcmkgmm.exe | 98
PID 4664 wrote to memory of 4076 | 4664 | Bdcmkgmm.exe | 98
PID 4664 wrote to memory of 4076 | 4664 | Bdcmkgmm.exe | 98
PID 4076 wrote to memory of 4092 | 4076 | Cbkfbcpb.exe | 99
PID 4076 wrote to memory of 4092 | 4076 | Cbkfbcpb.exe | 99
PID 4076 wrote to memory of 4092 | 4076 | Cbkfbcpb.exe | 99
PID 4092 wrote to memory of 1416 | 4092 | Cdolgfbp.exe | 100
PID 4092 wrote to memory of 1416 | 4092 | Cdolgfbp.exe | 100
PID 4092 wrote to memory of 1416 | 4092 | Cdolgfbp.exe | 100
PID 1416 wrote to memory of 1896 | 1416 | Dkpjdo32.exe | 101
PID 1416 wrote to memory of 1896 | 1416 | Dkpjdo32.exe | 101
PID 1416 wrote to memory of 1896 | 1416 | Dkpjdo32.exe | 101
PID 1896 wrote to memory of 664 | 1896 | Enhifi32.exe | 102
PID 1896 wrote to memory of 664 | 1896 | Enhifi32.exe | 102
PID 1896 wrote to memory of 664 | 1896 | Enhifi32.exe | 102
PID 664 wrote to memory of 3560 | 664 | Fboecfii.exe | 104
PID 664 wrote to memory of 3560 | 664 | Fboecfii.exe | 104
PID 664 wrote to memory of 3560 | 664 | Fboecfii.exe | 104
PID 3560 wrote to memory of 1808 | 3560 | Gbpnjdkg.exe | 106
PID 3560 wrote to memory of 1808 | 3560 | Gbpnjdkg.exe | 106
PID 3560 wrote to memory of 1808 | 3560 | Gbpnjdkg.exe | 106
PID 1808 wrote to memory of 1804 | 1808 | Hnbnjc32.exe | 107
PID 1808 wrote to memory of 1804 | 1808 | Hnbnjc32.exe | 107
PID 1808 wrote to memory of 1804 | 1808 | Hnbnjc32.exe | 107
PID 1804 wrote to memory of 1252 | 1804 | Ieeimlep.exe | 108
PID 1804 wrote to memory of 1252 | 1804 | Ieeimlep.exe | 108
PID 1804 wrote to memory of 1252 | 1804 | Ieeimlep.exe | 108
PID 1252 wrote to memory of 1344 | 1252 | Iloajfml.exe | 109
PID 1252 wrote to memory of 1344 | 1252 | Iloajfml.exe | 109
PID 1252 wrote to memory of 1344 | 1252 | Iloajfml.exe | 109
PID 1344 wrote to memory of 4404 | 1344 | Jldkeeig.exe | 110
PID 1344 wrote to memory of 4404 | 1344 | Jldkeeig.exe | 110
PID 1344 wrote to memory of 4404 | 1344 | Jldkeeig.exe | 110
PID 4404 wrote to memory of 1168 | 4404 | Jbbmmo32.exe | 111
Processes

C:\Users\Admin\AppData\Local\Temp\bfca00da960f12bea9bb7c49617d0fb8_JC.exe (command line: "C:\Users\Admin\AppData\Local\Temp\bfca00da960f12bea9bb7c49617d0fb8_JC.exe"; tree depth 1)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
- PID: 1124

C:\Windows\SysWOW64\Kibeoo32.exe (command line: C:\Windows\system32\Kibeoo32.exe; tree depth 2)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 1536

C:\Windows\SysWOW64\Modpib32.exe (command line: C:\Windows\system32\Modpib32.exe; tree depth 3)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 3812

C:\Windows\SysWOW64\Mlofcf32.exe (command line: C:\Windows\system32\Mlofcf32.exe; tree depth 4)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 3260

C:\Windows\SysWOW64\Nfldgk32.exe (command line: C:\Windows\system32\Nfldgk32.exe; tree depth 5)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
- PID: 4732

C:\Windows\SysWOW64\Nqaiecjd.exe (command line: C:\Windows\system32\Nqaiecjd.exe; tree depth 6)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 1844

C:\Windows\SysWOW64\Qamago32.exe (command line: C:\Windows\system32\Qamago32.exe; tree depth 7)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 3988

C:\Windows\SysWOW64\Aadghn32.exe (command line: C:\Windows\system32\Aadghn32.exe; tree depth 8)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 2780

C:\Windows\SysWOW64\Amnebo32.exe (command line: C:\Windows\system32\Amnebo32.exe; tree depth 9)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 2188

C:\Windows\SysWOW64\Bbaclegm.exe (command line: C:\Windows\system32\Bbaclegm.exe; tree depth 10)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 3728

C:\Windows\SysWOW64\Bdcmkgmm.exe (command line: C:\Windows\system32\Bdcmkgmm.exe; tree depth 11)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 4664

C:\Windows\SysWOW64\Cbkfbcpb.exe (command line: C:\Windows\system32\Cbkfbcpb.exe; tree depth 12)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 4076

C:\Windows\SysWOW64\Cdolgfbp.exe (command line: C:\Windows\system32\Cdolgfbp.exe; tree depth 13)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 4092

C:\Windows\SysWOW64\Dkpjdo32.exe (command line: C:\Windows\system32\Dkpjdo32.exe; tree depth 14)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 1416

C:\Windows\SysWOW64\Enhifi32.exe (command line: C:\Windows\system32\Enhifi32.exe; tree depth 15)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 1896

C:\Windows\SysWOW64\Fboecfii.exe (command line: C:\Windows\system32\Fboecfii.exe; tree depth 16)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 664

C:\Windows\SysWOW64\Gbpnjdkg.exe (command line: C:\Windows\system32\Gbpnjdkg.exe; tree depth 17)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 3560

C:\Windows\SysWOW64\Hnbnjc32.exe (command line: C:\Windows\system32\Hnbnjc32.exe; tree depth 18)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 1808

C:\Windows\SysWOW64\Ieeimlep.exe (command line: C:\Windows\system32\Ieeimlep.exe; tree depth 19)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
- PID: 1804

C:\Windows\SysWOW64\Iloajfml.exe (command line: C:\Windows\system32\Iloajfml.exe; tree depth 20)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 1252

C:\Windows\SysWOW64\Jldkeeig.exe (command line: C:\Windows\system32\Jldkeeig.exe; tree depth 21)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 1344

C:\Windows\SysWOW64\Jbbmmo32.exe (command line: C:\Windows\system32\Jbbmmo32.exe; tree depth 22)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID: 4404

C:\Windows\SysWOW64\Keceoj32.exe (command line: C:\Windows\system32\Keceoj32.exe; tree depth 23)
- Executes dropped EXE
- PID: 1168

C:\Windows\SysWOW64\Ncjdki32.exe (command line: C:\Windows\system32\Ncjdki32.exe; tree depth 24)
- Executes dropped EXE
- PID: 4224

C:\Windows\SysWOW64\Ollljmhg.exe (command line: C:\Windows\system32\Ollljmhg.exe; tree depth 25)
- Executes dropped EXE
- PID: 4772

C:\Windows\SysWOW64\Pfncia32.exe (command line: C:\Windows\system32\Pfncia32.exe; tree depth 26)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- PID: 4768

C:\Windows\SysWOW64\Peempn32.exe (command line: C:\Windows\system32\Peempn32.exe; tree depth 27)
- Executes dropped EXE
- PID: 4132

C:\Windows\SysWOW64\Pbimjb32.exe (command line: C:\Windows\system32\Pbimjb32.exe; tree depth 28)
- Executes dropped EXE
- Drops file in System32 directory
- PID: 4616

C:\Windows\SysWOW64\Apimodmh.exe (command line: C:\Windows\system32\Apimodmh.exe; tree depth 29)
- Executes dropped EXE
- PID: 4968

C:\Windows\SysWOW64\Bikeni32.exe (command line: C:\Windows\system32\Bikeni32.exe; tree depth 30)
- Executes dropped EXE
- PID: 4708

C:\Windows\SysWOW64\Cefoni32.exe (command line: C:\Windows\system32\Cefoni32.exe; tree depth 31)
- Executes dropped EXE
- PID: 4384

C:\Windows\SysWOW64\Cboibm32.exe (command line: C:\Windows\system32\Cboibm32.exe; tree depth 32)
- Executes dropped EXE
- PID: 2640

C:\Windows\SysWOW64\Debnjgcp.exe (command line: C:\Windows\system32\Debnjgcp.exe; tree depth 33)
- Executes dropped EXE
- PID: 452

C:\Windows\SysWOW64\Elolco32.exe (command line: C:\Windows\system32\Elolco32.exe; tree depth 34)
- Executes dropped EXE
- PID: 1188

C:\Windows\SysWOW64\Fjgfgbek.exe (command line: C:\Windows\system32\Fjgfgbek.exe; tree depth 35)
- Executes dropped EXE
- PID: 676

C:\Windows\SysWOW64\Fpfholhc.exe (command line: C:\Windows\system32\Fpfholhc.exe; tree depth 36)
- Executes dropped EXE
- Modifies registry class
- PID: 4396

C:\Windows\SysWOW64\Gqmnpk32.exe (command line: C:\Windows\system32\Gqmnpk32.exe; tree depth 37)
- Executes dropped EXE
- PID: 5008

C:\Windows\SysWOW64\Hmkeekag.exe (command line: C:\Windows\system32\Hmkeekag.exe; tree depth 38)
- Executes dropped EXE
- Modifies registry class
- PID: 2648

C:\Windows\SysWOW64\Hnmnengg.exe (command line: C:\Windows\system32\Hnmnengg.exe; tree depth 39)
- Executes dropped EXE
- PID: 3324

C:\Windows\SysWOW64\Iqbpahpc.exe (command line: C:\Windows\system32\Iqbpahpc.exe; tree depth 40)
- Executes dropped EXE
- PID: 4220

C:\Windows\SysWOW64\Iglhob32.exe (command line: C:\Windows\system32\Iglhob32.exe; tree depth 41)
- Executes dropped EXE
- PID: 2428

C:\Windows\SysWOW64\Jjdgal32.exe (command line: C:\Windows\system32\Jjdgal32.exe; tree depth 42)
- Executes dropped EXE
- PID: 3100

C:\Windows\SysWOW64\Jgjeppkp.exe (command line: C:\Windows\system32\Jgjeppkp.exe; tree depth 43)
- Executes dropped EXE
- PID: 4228

C:\Windows\SysWOW64\Jaefne32.exe (command line: C:\Windows\system32\Jaefne32.exe; tree depth 44)
- Executes dropped EXE
- PID: 4156

C:\Windows\SysWOW64\Kceoppmo.exe (command line: C:\Windows\system32\Kceoppmo.exe; tree depth 45)
- Executes dropped EXE
- PID: 4480

C:\Windows\SysWOW64\Knbinhfl.exe (command line: C:\Windows\system32\Knbinhfl.exe; tree depth 46)
- Executes dropped EXE
- Modifies registry class
- PID: 440

C:\Windows\SysWOW64\Ljkghi32.exe (command line: C:\Windows\system32\Ljkghi32.exe; tree depth 47)
- Executes dropped EXE
- Modifies registry class
- PID: 4804

C:\Windows\SysWOW64\Mhkgnkoj.exe (command line: C:\Windows\system32\Mhkgnkoj.exe; tree depth 48)
- Executes dropped EXE
- Drops file in System32 directory
- PID: 5020

C:\Windows\SysWOW64\Nncoaq32.exe (command line: C:\Windows\system32\Nncoaq32.exe; tree depth 49)
- Executes dropped EXE
- PID: 4440

C:\Windows\SysWOW64\Odgjdibf.exe (command line: C:\Windows\system32\Odgjdibf.exe; tree depth 50)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- PID: 3252

C:\Windows\SysWOW64\Pfkpiled.exe (command line: C:\Windows\system32\Pfkpiled.exe; tree depth 51)
- Executes dropped EXE
- Drops file in System32 directory
- PID: 2528

C:\Windows\SysWOW64\Anfmeldl.exe (command line: C:\Windows\system32\Anfmeldl.exe; tree depth 52)
- Executes dropped EXE
- PID: 4024

C:\Windows\SysWOW64\Anijjkbj.exe (command line: C:\Windows\system32\Anijjkbj.exe; tree depth 53)
- Executes dropped EXE
- Modifies registry class
- PID: 4312

C:\Windows\SysWOW64\Biljib32.exe (command line: C:\Windows\system32\Biljib32.exe; tree depth 54)
- Executes dropped EXE
- PID: 2412

C:\Windows\SysWOW64\Cpklql32.exe (command line: C:\Windows\system32\Cpklql32.exe; tree depth 55)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- PID: 3596

C:\Windows\SysWOW64\Dijgjpip.exe (command line: C:\Windows\system32\Dijgjpip.exe; tree depth 56)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- PID: 3860

C:\Windows\SysWOW64\Dfqdid32.exe (command line: C:\Windows\system32\Dfqdid32.exe; tree depth 57)
- Executes dropped EXE
- PID: 4420

C:\Windows\SysWOW64\Eemgkpef.exe (command line: C:\Windows\system32\Eemgkpef.exe; tree depth 58)
- Executes dropped EXE
- PID: 1320

C:\Windows\SysWOW64\Ebagdddp.exe (command line: C:\Windows\system32\Ebagdddp.exe; tree depth 59)
- Executes dropped EXE
- PID: 4084

C:\Windows\SysWOW64\Eohhie32.exe (command line: C:\Windows\system32\Eohhie32.exe; tree depth 60)
- Executes dropped EXE
- PID: 4588

C:\Windows\SysWOW64\Fhiphi32.exe (command line: C:\Windows\system32\Fhiphi32.exe; tree depth 61)
- Executes dropped EXE
- PID: 1684

C:\Windows\SysWOW64\Gllajf32.exe (command line: C:\Windows\system32\Gllajf32.exe; tree depth 62)
- Executes dropped EXE
- PID: 4388

C:\Windows\SysWOW64\Ggafgo32.exe (command line: C:\Windows\system32\Ggafgo32.exe; tree depth 63)
- Executes dropped EXE
- Modifies registry class
- PID: 3932

C:\Windows\SysWOW64\Gpodkdll.exe (command line: C:\Windows\system32\Gpodkdll.exe; tree depth 64)
- Executes dropped EXE
- PID: 4036

C:\Windows\SysWOW64\Hhleefhe.exe (command line: C:\Windows\system32\Hhleefhe.exe; tree depth 65)
- Executes dropped EXE
- PID: 4476

C:\Windows\SysWOW64\Hgpbhmna.exe (command line: C:\Windows\system32\Hgpbhmna.exe; tree depth 66)
- Adds autorun key to be loaded by Explorer.exe on startup
- PID: 760

C:\Windows\SysWOW64\Iobmmoed.exe (command line: C:\Windows\system32\Iobmmoed.exe; tree depth 67)
- PID: 4352

C:\Windows\SysWOW64\Ijngkf32.exe (command line: C:\Windows\system32\Ijngkf32.exe; tree depth 68)
- Adds autorun key to be loaded by Explorer.exe on startup
- PID: 4976

C:\Windows\SysWOW64\Jqofippg.exe (command line: C:\Windows\system32\Jqofippg.exe; tree depth 69)
- PID: 4864

C:\Windows\SysWOW64\Jjjggede.exe (command line: C:\Windows\system32\Jjjggede.exe; tree depth 70)
- Adds autorun key to be loaded by Explorer.exe on startup
- PID: 2236

C:\Windows\SysWOW64\Kgngqico.exe (command line: C:\Windows\system32\Kgngqico.exe; tree depth 71)
- Modifies registry class
- PID: 3500

C:\Windows\SysWOW64\Kmpido32.exe (command line: C:\Windows\system32\Kmpido32.exe; tree depth 72)
- PID: 740

C:\Windows\SysWOW64\Kggjghkd.exe (command line: C:\Windows\system32\Kggjghkd.exe; tree depth 73)
- PID: 2076

C:\Windows\SysWOW64\Lhopgg32.exe (command line: C:\Windows\system32\Lhopgg32.exe; tree depth 74)
- PID: 3148

C:\Windows\SysWOW64\Lhammfci.exe (command line: C:\Windows\system32\Lhammfci.exe; tree depth 75)
- PID: 4876

C:\Windows\SysWOW64\Mfkcibdl.exe (command line: C:\Windows\system32\Mfkcibdl.exe; tree depth 76)
- Modifies registry class
- PID: 3884

C:\Windows\SysWOW64\Mapgfk32.exe (command line: C:\Windows\system32\Mapgfk32.exe; tree depth 77)
- PID: 2172

C:\Windows\SysWOW64\Nplkhf32.exe (command line: C:\Windows\system32\Nplkhf32.exe; tree depth 78)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- PID: 2752

C:\Windows\SysWOW64\Opjgidfa.exe (command line: C:\Windows\system32\Opjgidfa.exe; tree depth 79)
- Adds autorun key to be loaded by Explorer.exe on startup
- PID: 2056

C:\Windows\SysWOW64\Pjgemi32.exe (command line: C:\Windows\system32\Pjgemi32.exe; tree depth 80)
- Modifies registry class
- PID: 3052

C:\Windows\SysWOW64\Pdmikb32.exe (command line: C:\Windows\system32\Pdmikb32.exe; tree depth 81)
- PID: 1412

C:\Windows\SysWOW64\Pjahchpb.exe (command line: C:\Windows\system32\Pjahchpb.exe; tree depth 82)
- PID: 368

C:\Windows\SysWOW64\Adkelplc.exe (command line: C:\Windows\system32\Adkelplc.exe; tree depth 83)
- Modifies registry class
- PID: 4468

C:\Windows\SysWOW64\Aqilaplo.exe (command line: C:\Windows\system32\Aqilaplo.exe; tree depth 84)
- PID: 1688

C:\Windows\SysWOW64\Bbbkbbkg.exe (command line: C:\Windows\system32\Bbbkbbkg.exe; tree depth 85)
- PID: 4568

C:\Windows\SysWOW64\Cjomldfp.exe (command line: C:\Windows\system32\Cjomldfp.exe; tree depth 86)
- PID: 2176

C:\Windows\SysWOW64\Cqiehnml.exe (command line: C:\Windows\system32\Cqiehnml.exe; tree depth 87)
- Adds autorun key to be loaded by Explorer.exe on startup
- PID: 4124

C:\Windows\SysWOW64\Cigcjj32.exe (command line: C:\Windows\system32\Cigcjj32.exe; tree depth 88)
- Modifies registry class
- PID: 4120

C:\Windows\SysWOW64\Dgomaf32.exe (command line: C:\Windows\system32\Dgomaf32.exe; tree depth 89)
- PID: 1124

C:\Windows\SysWOW64\Dnienqbi.exe (command line: C:\Windows\system32\Dnienqbi.exe; tree depth 90)
- Adds autorun key to be loaded by Explorer.exe on startup
- PID: 3892

C:\Windows\SysWOW64\Elaobdmm.exe (command line: C:\Windows\system32\Elaobdmm.exe; tree depth 91)
- PID: 4008

C:\Windows\SysWOW64\Eoindndf.exe (command line: C:\Windows\system32\Eoindndf.exe; tree depth 92)
- Modifies registry class
- PID: 4860

C:\Windows\SysWOW64\Flpkcbqm.exe (command line: C:\Windows\system32\Flpkcbqm.exe; tree depth 93)
- PID: 2736

C:\Windows\SysWOW64\Gkqhpmkg.exe (command line: C:\Windows\system32\Gkqhpmkg.exe; tree depth 94)
- Adds autorun key to be loaded by Explorer.exe on startup
- PID: 4076

C:\Windows\SysWOW64\Giahndcf.exe (command line: C:\Windows\system32\Giahndcf.exe; tree depth 95)
- PID: 4556

C:\Windows\SysWOW64\Gammbfqa.exe (command line: C:\Windows\system32\Gammbfqa.exe; tree depth 96)
- PID: 4248

C:\Windows\SysWOW64\Gekeie32.exe (command line: C:\Windows\system32\Gekeie32.exe; tree depth 97)
- PID: 3632

C:\Windows\SysWOW64\Ilcjgm32.exe (command line: C:\Windows\system32\Ilcjgm32.exe; tree depth 98)
- PID: 2272

C:\Windows\SysWOW64\Ieknpb32.exe (command line: C:\Windows\system32\Ieknpb32.exe; tree depth 99)
- PID: 5076

C:\Windows\SysWOW64\Iofpnhmc.exe (command line: C:\Windows\system32\Iofpnhmc.exe; tree depth 100)
- PID: 312

C:\Windows\SysWOW64\Jfgnka32.exe (command line: C:\Windows\system32\Jfgnka32.exe; tree depth 101)
- PID: 3864

C:\Windows\SysWOW64\Kkmijf32.exe (command line: C:\Windows\system32\Kkmijf32.exe; tree depth 102)
- PID: 3728

C:\Windows\SysWOW64\Kfggbope.exe (command line: C:\Windows\system32\Kfggbope.exe; tree depth 103)
- PID: 4356

C:\Windows\SysWOW64\Lcndab32.exe (command line: C:\Windows\system32\Lcndab32.exe; tree depth 104)
- Modifies registry class
- PID: 3364

C:\Windows\SysWOW64\Mlgegcng.exe (command line: C:\Windows\system32\Mlgegcng.exe; tree depth 105)
- PID: 5004

C:\Windows\SysWOW64\Ncecioib.exe (command line: C:\Windows\system32\Ncecioib.exe; tree depth 106)
- Adds autorun key to be loaded by Explorer.exe on startup
- PID: 4376

C:\Windows\SysWOW64\Nmbamdkm.exe (command line: C:\Windows\system32\Nmbamdkm.exe; tree depth 107)
- PID: 4212

C:\Windows\SysWOW64\Obccpj32.exe (command line: C:\Windows\system32\Obccpj32.exe; tree depth 108)
- PID: 4068

C:\Windows\SysWOW64\Bgbmdd32.exe (command line: C:\Windows\system32\Bgbmdd32.exe; tree depth 109)
- Modifies registry class
- PID: 1168

C:\Windows\SysWOW64\Cmmbmiag.exe (command line: C:\Windows\system32\Cmmbmiag.exe; tree depth 110)
- Drops file in System32 directory
- PID: 4908

C:\Windows\SysWOW64\Cnmoglij.exe (command line: C:\Windows\system32\Cnmoglij.exe; tree depth 111)
- PID: 4168

C:\Windows\SysWOW64\Ccigpbga.exe (command line: C:\Windows\system32\Ccigpbga.exe; tree depth 112)
- PID: 4616

C:\Windows\SysWOW64\Cnokmkfh.exe (command line: C:\Windows\system32\Cnokmkfh.exe; tree depth 113)
- Adds autorun key to be loaded by Explorer.exe on startup
- PID: 2356

C:\Windows\SysWOW64\Ckclfp32.exe (command line: C:\Windows\system32\Ckclfp32.exe; tree depth 114)
- PID: 3900

C:\Windows\SysWOW64\Cnahbk32.exe (command line: C:\Windows\system32\Cnahbk32.exe; tree depth 115)
- PID: 3228

C:\Windows\SysWOW64\Eanqpdgi.exe (command line: C:\Windows\system32\Eanqpdgi.exe; tree depth 116)
- PID: 4224

C:\Windows\SysWOW64\Fnmqegle.exe (command line: C:\Windows\system32\Fnmqegle.exe; tree depth 117)
- PID: 2832

C:\Windows\SysWOW64\Fhjoilop.exe (command line: C:\Windows\system32\Fhjoilop.exe; tree depth 118)
- PID: 3904

C:\Windows\SysWOW64\Fndgfffm.exe (command line: C:\Windows\system32\Fndgfffm.exe; tree depth 119)
- PID: 3756

C:\Windows\SysWOW64\Genobp32.exe (command line: C:\Windows\system32\Genobp32.exe; tree depth 120)
- PID: 2232

C:\Windows\SysWOW64\Haaocp32.exe (command line: C:\Windows\system32\Haaocp32.exe; tree depth 121)
- PID: 2204

C:\Windows\SysWOW64\Imabnofj.exe (command line: C:\Windows\system32\Imabnofj.exe; tree depth 122)
- PID: 1188