Analysis
-
max time kernel
147s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
25-03-2024 22:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f0301ef452c4e1e50bf7b3787e9fc4a4f927f7e65bee2b79f73a89c855066bcf.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
f0301ef452c4e1e50bf7b3787e9fc4a4f927f7e65bee2b79f73a89c855066bcf.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
f0301ef452c4e1e50bf7b3787e9fc4a4f927f7e65bee2b79f73a89c855066bcf.exe
-
Size
273KB
-
MD5
23efc80fd5f207eb3dc73dd4f2a49b83
-
SHA1
d3237aa3c28d9d04eccdd2c69450be047629e855
-
SHA256
f0301ef452c4e1e50bf7b3787e9fc4a4f927f7e65bee2b79f73a89c855066bcf
-
SHA512
d38e43ab3924e2e895ca86cab84ac949d736873721b654fbe996da242d17c75bccade6e397c30b7486ff14678a527569b8848e433332a0364d0e984c9c5a113f
-
SSDEEP
6144:42HMSvcibfvlsZRkTebwBhGv4dC+1R8pvBgL0eXkUbGKl9veOPSV3uo97fQ6uPgC:FHMO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjjocap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjjocap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbgalmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flmqlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadifclh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkjej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kppici32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbgalmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qljcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adfgdpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdkcde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohaeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpekef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbadcpbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgpgng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omegjomb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkpnga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oncofm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnifigpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nemcjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djfcaohp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Facqkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdoihpbk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nelfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dokgdkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldjhpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocphojh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foghnabl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inbqhhfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahgjejhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nenbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kemhei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcimkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiihahme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmkcqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfoplpla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoabad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnkpnclp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhhpop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnddgjbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehdmlhcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bciehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gijekg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmenca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdiakp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojjolnaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oidofh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hammhcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkcadhgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqijje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgjljpkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klfjijgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbpbed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpiljh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npchgdcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogklelna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmfclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hflcbngh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klpjad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ledoegkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldfoad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiobceef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fahaplon.exe -
Executes dropped EXE 64 IoCs
pid Process 4824 Gcojed32.exe 2336 Gdqgmmjb.exe 1136 Ghopckpi.exe 624 Gbgdlq32.exe 1164 Gdeqhl32.exe 3376 Gkoiefmj.exe 764 Gbiaapdf.exe 4844 Gdhmnlcj.exe 2588 Gkaejf32.exe 4960 Gcimkc32.exe 2184 Hiefcj32.exe 4852 Hkdbpe32.exe 3368 Hbnjmp32.exe 5052 Helfik32.exe 4800 Hkfoeega.exe 3508 Hflcbngh.exe 4408 Hodgkc32.exe 3732 Hfnphn32.exe 4516 Himldi32.exe 2236 Hofdacke.exe 2492 Hkmefd32.exe 2748 Hcdmga32.exe 4532 Iiaephpc.exe 3840 Ikpaldog.exe 3460 Ibjjhn32.exe 672 Iehfdi32.exe 2424 Imoneg32.exe 4696 Icifbang.exe 4648 Iifokh32.exe 2732 Ildkgc32.exe 2796 Ibnccmbo.exe 4320 Iihkpg32.exe 2056 Ilghlc32.exe 3704 Icnpmp32.exe 3496 Ifllil32.exe 1832 Imfdff32.exe 2076 Icplcpgo.exe 1772 Jfoiokfb.exe 4120 Jeaikh32.exe 3716 Jmhale32.exe 3372 Jlkagbej.exe 3880 Jbeidl32.exe 3388 Jioaqfcc.exe 4348 Jcefno32.exe 1664 Jianff32.exe 4264 Jfeopj32.exe 2744 Jlednamo.exe 3692 Kiidgeki.exe 4440 Kbaipkbi.exe 3244 Kpgfooop.exe 552 Kibgmdcn.exe 3292 Lbjlfi32.exe 2272 Ldjhpl32.exe 232 Ligqhc32.exe 4968 Lpqiemge.exe 1316 Lenamdem.exe 2472 Likjcbkc.exe 4336 Lpebpm32.exe 4676 Nlaegk32.exe 996 Nckndeni.exe 3184 Oponmilc.exe 1988 Oncofm32.exe 640 Ojjolnaq.exe 928 Ocbddc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hkfoeega.exe Helfik32.exe File created C:\Windows\SysWOW64\Egdeookg.dll Micoed32.exe File opened for modification C:\Windows\SysWOW64\Fmpqfq32.exe Fpjcgm32.exe File created C:\Windows\SysWOW64\Gbgdlq32.exe Ghopckpi.exe File created C:\Windows\SysWOW64\Ehjhee32.dll Famjkl32.exe File created C:\Windows\SysWOW64\Micoed32.exe Malgcg32.exe File created C:\Windows\SysWOW64\Ajlgckkf.dll Oimkbaed.exe File opened for modification C:\Windows\SysWOW64\Qcclld32.exe Qohpkf32.exe File created C:\Windows\SysWOW64\Foghnabl.exe Fgppmd32.exe File created C:\Windows\SysWOW64\Fmhgok32.dll Epokedmj.exe File created C:\Windows\SysWOW64\Iahlcaol.exe Ijadbdoj.exe File opened for modification C:\Windows\SysWOW64\Nhpbfpka.exe Nbcjnilj.exe File created C:\Windows\SysWOW64\Nefped32.exe Najceeoo.exe File created C:\Windows\SysWOW64\Cbbnpg32.exe Cocacl32.exe File opened for modification C:\Windows\SysWOW64\Icfmci32.exe Ijmhkchl.exe File created C:\Windows\SysWOW64\Hhodke32.dll Khabke32.exe File created C:\Windows\SysWOW64\Jclhkbae.dll Nckndeni.exe File created C:\Windows\SysWOW64\Mkankndb.dll Kngcje32.exe File created C:\Windows\SysWOW64\Dajkgl32.dll Jbfheo32.exe File created C:\Windows\SysWOW64\Oimkbaed.exe Oklkdi32.exe File created C:\Windows\SysWOW64\Kahdohfm.dll Dogogcpo.exe File opened for modification C:\Windows\SysWOW64\Lbqklb32.exe Lhkgoiqe.exe File created C:\Windows\SysWOW64\Gdilpd32.dll Ogklelna.exe File opened for modification C:\Windows\SysWOW64\Pomgjn32.exe Pjpobg32.exe File created C:\Windows\SysWOW64\Cfadkb32.exe Cpglnhad.exe File opened for modification C:\Windows\SysWOW64\Fkpool32.exe Fhabbp32.exe File created C:\Windows\SysWOW64\Cmkjoj32.dll Jbppgona.exe File opened for modification C:\Windows\SysWOW64\Khpgckkb.exe Kfnkkb32.exe File created C:\Windows\SysWOW64\Ogpmjb32.exe Olkhmi32.exe File created C:\Windows\SysWOW64\Cfikmcdh.dll Kpgodhkd.exe File created C:\Windows\SysWOW64\Cpjdachc.dll Dmihij32.exe File created C:\Windows\SysWOW64\Ihoofe32.dll Iihkpg32.exe File created C:\Windows\SysWOW64\Pnpban32.dll Kijchhbo.exe File created C:\Windows\SysWOW64\Majjng32.exe Mnlnbl32.exe File opened for modification C:\Windows\SysWOW64\Bnoknihb.exe Bnmoijje.exe File created C:\Windows\SysWOW64\Gjhfif32.exe Gkefmjcj.exe File opened for modification C:\Windows\SysWOW64\Hqdkkp32.exe Gjkbnfha.exe File created C:\Windows\SysWOW64\Pfogpg32.dll Ejbbmnnb.exe File created C:\Windows\SysWOW64\Fcmpdfhi.dll Licfngjd.exe File created C:\Windows\SysWOW64\Pomfkgml.dll Jjihfbno.exe File created C:\Windows\SysWOW64\Nlnbgddc.exe Nipekiep.exe File created C:\Windows\SysWOW64\Fbgnfajk.dll Kbpbed32.exe File opened for modification C:\Windows\SysWOW64\Pqcjepfo.exe Pfnegggi.exe File created C:\Windows\SysWOW64\Eplgeokq.exe Eiaoid32.exe File created C:\Windows\SysWOW64\Eoaedogc.dll Pkegpb32.exe File created C:\Windows\SysWOW64\Qhhpop32.exe Pnkbkk32.exe File opened for modification C:\Windows\SysWOW64\Jjihfbno.exe Jjgkab32.exe File opened for modification C:\Windows\SysWOW64\Gaogak32.exe Foqkdp32.exe File opened for modification C:\Windows\SysWOW64\Gcimkc32.exe Gkaejf32.exe File created C:\Windows\SysWOW64\Dhmgki32.exe Daconoae.exe File created C:\Windows\SysWOW64\Oocmii32.exe Oldamm32.exe File created C:\Windows\SysWOW64\Phedhmhi.exe Pefhlaie.exe File opened for modification C:\Windows\SysWOW64\Gbgdlq32.exe Ghopckpi.exe File created C:\Windows\SysWOW64\Hiefcj32.exe Gcimkc32.exe File created C:\Windows\SysWOW64\Oponmilc.exe Nckndeni.exe File created C:\Windows\SysWOW64\Ceifibod.dll Qljcoj32.exe File opened for modification C:\Windows\SysWOW64\Pdhbmh32.exe Pkpmdbfd.exe File created C:\Windows\SysWOW64\Gkaejf32.exe Gdhmnlcj.exe File opened for modification C:\Windows\SysWOW64\Nemcjk32.exe Mbognp32.exe File created C:\Windows\SysWOW64\Agdhbi32.exe Amodep32.exe File created C:\Windows\SysWOW64\Bkmmaeap.exe Bfpdin32.exe File created C:\Windows\SysWOW64\Bnoknihb.exe Bnmoijje.exe File opened for modification C:\Windows\SysWOW64\Lobjni32.exe Lqhdbm32.exe File created C:\Windows\SysWOW64\Clhgbgki.dll Gjficg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7772 12188 WerFault.exe 858 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dleglm32.dll" Opemca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laniklje.dll" Dpehof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfamapjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnhghcki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfbghcbm.dll" Majjng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkkgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iokgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiqhki32.dll" Npchgdcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmkjoj32.dll" Jbppgona.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkpnga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lenamdem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghdi32.dll" Hdmein32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlpokp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fccfqqkf.dll" Bfpdin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cijpahho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapmnano.dll" Hnhkdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llfgke32.dll" Khfkfedn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccemjbpf.dll" Gpkchqdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leopnglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjaphgpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhoilahe.dll" Jfeopj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlnbgddc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keceoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onjegled.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefhlaie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgmfg32.dll" Lcnmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjokgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibpgqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfbkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqdoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooiolbic.dll" Qqffjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpglnhad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oihoif32.dll" Eaqdegaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbfheo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nenbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhihdcbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neppokal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkpheidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Micfao32.dll" Kbpkkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhhpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfcfml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neppokal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibpiogmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mblkhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnphmkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iadenp32.dll" Nolgijpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfnqklgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afhohlbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhgloc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbdjeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaedanal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbiado32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlambk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgcmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afjeceml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajdjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkkahahf.dll" Nohehq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll" Deagdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhkgoiqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iedjmioj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpbkngk.dll" Najmjokc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnqfcbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okchnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeaanjkl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 460 wrote to memory of 4824 460 f0301ef452c4e1e50bf7b3787e9fc4a4f927f7e65bee2b79f73a89c855066bcf.exe 89 PID 460 wrote to memory of 4824 460 f0301ef452c4e1e50bf7b3787e9fc4a4f927f7e65bee2b79f73a89c855066bcf.exe 89 PID 460 wrote to memory of 4824 460 f0301ef452c4e1e50bf7b3787e9fc4a4f927f7e65bee2b79f73a89c855066bcf.exe 89 PID 4824 wrote to memory of 2336 4824 Gcojed32.exe 90 PID 4824 wrote to memory of 2336 4824 Gcojed32.exe 90 PID 4824 wrote to memory of 2336 4824 Gcojed32.exe 90 PID 2336 wrote to memory of 1136 2336 Gdqgmmjb.exe 91 PID 2336 wrote to memory of 1136 2336 Gdqgmmjb.exe 91 PID 2336 wrote to memory of 1136 2336 Gdqgmmjb.exe 91 PID 1136 wrote to memory of 624 1136 Ghopckpi.exe 92 PID 1136 wrote to memory of 624 1136 Ghopckpi.exe 92 PID 1136 wrote to memory of 624 1136 Ghopckpi.exe 92 PID 624 wrote to memory of 1164 624 Gbgdlq32.exe 93 PID 624 wrote to memory of 1164 624 Gbgdlq32.exe 93 PID 624 wrote to memory of 1164 624 Gbgdlq32.exe 93 PID 1164 wrote to memory of 3376 1164 Gdeqhl32.exe 94 PID 1164 wrote to memory of 3376 1164 Gdeqhl32.exe 94 PID 1164 wrote to memory of 3376 1164 Gdeqhl32.exe 94 PID 3376 wrote to memory of 764 3376 Gkoiefmj.exe 95 PID 3376 wrote to memory of 764 3376 Gkoiefmj.exe 95 PID 3376 wrote to memory of 764 3376 Gkoiefmj.exe 95 PID 764 wrote to memory of 4844 764 Gbiaapdf.exe 96 PID 764 wrote to memory of 4844 764 Gbiaapdf.exe 96 PID 764 wrote to memory of 4844 764 Gbiaapdf.exe 96 PID 4844 wrote to memory of 2588 4844 Gdhmnlcj.exe 97 PID 4844 wrote to memory of 2588 4844 Gdhmnlcj.exe 97 PID 4844 wrote to memory of 2588 4844 Gdhmnlcj.exe 97 PID 2588 wrote to memory of 4960 2588 Gkaejf32.exe 98 PID 2588 wrote to memory of 4960 2588 Gkaejf32.exe 98 PID 2588 wrote to memory of 4960 2588 Gkaejf32.exe 98 PID 4960 wrote to memory of 2184 4960 Gcimkc32.exe 99 PID 4960 wrote to memory of 2184 4960 Gcimkc32.exe 99 PID 4960 wrote to memory of 2184 4960 Gcimkc32.exe 99 PID 2184 wrote to memory of 4852 2184 Hiefcj32.exe 100 PID 2184 wrote to memory of 4852 2184 Hiefcj32.exe 100 PID 2184 wrote to memory of 4852 2184 Hiefcj32.exe 100 PID 4852 wrote to memory of 3368 4852 Hkdbpe32.exe 101 PID 4852 wrote to memory of 3368 4852 Hkdbpe32.exe 101 PID 4852 wrote to memory of 3368 4852 Hkdbpe32.exe 101 PID 3368 wrote to memory of 5052 3368 Hbnjmp32.exe 102 PID 3368 wrote to memory of 5052 3368 Hbnjmp32.exe 102 PID 3368 wrote to memory of 5052 3368 Hbnjmp32.exe 102 PID 5052 wrote to memory of 4800 5052 Helfik32.exe 103 PID 5052 wrote to memory of 4800 5052 Helfik32.exe 103 PID 5052 wrote to memory of 4800 5052 Helfik32.exe 103 PID 4800 wrote to memory of 3508 4800 Hkfoeega.exe 104 PID 4800 wrote to memory of 3508 4800 Hkfoeega.exe 104 PID 4800 wrote to memory of 3508 4800 Hkfoeega.exe 104 PID 3508 wrote to memory of 4408 3508 Hflcbngh.exe 105 PID 3508 wrote to memory of 4408 3508 Hflcbngh.exe 105 PID 3508 wrote to memory of 4408 3508 Hflcbngh.exe 105 PID 4408 wrote to memory of 3732 4408 Hodgkc32.exe 106 PID 4408 wrote to memory of 3732 4408 Hodgkc32.exe 106 PID 4408 wrote to memory of 3732 4408 Hodgkc32.exe 106 PID 3732 wrote to memory of 4516 3732 Hfnphn32.exe 107 PID 3732 wrote to memory of 4516 3732 Hfnphn32.exe 107 PID 3732 wrote to memory of 4516 3732 Hfnphn32.exe 107 PID 4516 wrote to memory of 2236 4516 Himldi32.exe 108 PID 4516 wrote to memory of 2236 4516 Himldi32.exe 108 PID 4516 wrote to memory of 2236 4516 Himldi32.exe 108 PID 2236 wrote to memory of 2492 2236 Hofdacke.exe 109 PID 2236 wrote to memory of 2492 2236 Hofdacke.exe 109 PID 2236 wrote to memory of 2492 2236 Hofdacke.exe 109 PID 2492 wrote to memory of 2748 2492 Hkmefd32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0301ef452c4e1e50bf7b3787e9fc4a4f927f7e65bee2b79f73a89c855066bcf.exe"C:\Users\Admin\AppData\Local\Temp\f0301ef452c4e1e50bf7b3787e9fc4a4f927f7e65bee2b79f73a89c855066bcf.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Gdeqhl32.exeC:\Windows\system32\Gdeqhl32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\Gbiaapdf.exeC:\Windows\system32\Gbiaapdf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\Gdhmnlcj.exeC:\Windows\system32\Gdhmnlcj.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Gkaejf32.exeC:\Windows\system32\Gkaejf32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Gcimkc32.exeC:\Windows\system32\Gcimkc32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\Hiefcj32.exeC:\Windows\system32\Hiefcj32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\SysWOW64\Helfik32.exeC:\Windows\system32\Helfik32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\SysWOW64\Himldi32.exeC:\Windows\system32\Himldi32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Hcdmga32.exeC:\Windows\system32\Hcdmga32.exe23⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe24⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe25⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe26⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Iehfdi32.exeC:\Windows\system32\Iehfdi32.exe27⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe28⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Icifbang.exeC:\Windows\system32\Icifbang.exe29⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Iifokh32.exeC:\Windows\system32\Iifokh32.exe30⤵
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe31⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe32⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Iihkpg32.exeC:\Windows\system32\Iihkpg32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4320 -
C:\Windows\SysWOW64\Ilghlc32.exeC:\Windows\system32\Ilghlc32.exe34⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Icnpmp32.exeC:\Windows\system32\Icnpmp32.exe35⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Ifllil32.exeC:\Windows\system32\Ifllil32.exe36⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Imfdff32.exeC:\Windows\system32\Imfdff32.exe37⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Icplcpgo.exeC:\Windows\system32\Icplcpgo.exe38⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Jfoiokfb.exeC:\Windows\system32\Jfoiokfb.exe39⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Jeaikh32.exeC:\Windows\system32\Jeaikh32.exe40⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Jmhale32.exeC:\Windows\system32\Jmhale32.exe41⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe42⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Jbeidl32.exeC:\Windows\system32\Jbeidl32.exe43⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Jioaqfcc.exeC:\Windows\system32\Jioaqfcc.exe44⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Jcefno32.exeC:\Windows\system32\Jcefno32.exe45⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Jianff32.exeC:\Windows\system32\Jianff32.exe46⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Jfeopj32.exeC:\Windows\system32\Jfeopj32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:4264 -
C:\Windows\SysWOW64\Jlednamo.exeC:\Windows\system32\Jlednamo.exe48⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Kiidgeki.exeC:\Windows\system32\Kiidgeki.exe49⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe50⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Kpgfooop.exeC:\Windows\system32\Kpgfooop.exe51⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Kibgmdcn.exeC:\Windows\system32\Kibgmdcn.exe52⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe53⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Ldjhpl32.exeC:\Windows\system32\Ldjhpl32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Ligqhc32.exeC:\Windows\system32\Ligqhc32.exe55⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Lpqiemge.exeC:\Windows\system32\Lpqiemge.exe56⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Lenamdem.exeC:\Windows\system32\Lenamdem.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe58⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Lpebpm32.exeC:\Windows\system32\Lpebpm32.exe59⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Nlaegk32.exeC:\Windows\system32\Nlaegk32.exe60⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:996 -
C:\Windows\SysWOW64\Oponmilc.exeC:\Windows\system32\Oponmilc.exe62⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Ojjolnaq.exeC:\Windows\system32\Ojjolnaq.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe65⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Olkhmi32.exeC:\Windows\system32\Olkhmi32.exe66⤵
- Drops file in System32 directory
PID:4724 -
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe67⤵PID:4860
-
C:\Windows\SysWOW64\Onjegled.exeC:\Windows\system32\Onjegled.exe68⤵
- Modifies registry class
PID:4940 -
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe69⤵PID:4880
-
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe70⤵PID:4552
-
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe71⤵PID:4564
-
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe72⤵PID:5016
-
C:\Windows\SysWOW64\Pnakhkol.exeC:\Windows\system32\Pnakhkol.exe73⤵PID:4616
-
C:\Windows\SysWOW64\Pdkcde32.exeC:\Windows\system32\Pdkcde32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4520 -
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe75⤵PID:3028
-
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe76⤵PID:2872
-
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe77⤵PID:4884
-
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe78⤵PID:2584
-
C:\Windows\SysWOW64\Qnhahj32.exeC:\Windows\system32\Qnhahj32.exe79⤵PID:1448
-
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe80⤵PID:2712
-
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe81⤵
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Qqijje32.exeC:\Windows\system32\Qqijje32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4216 -
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe83⤵PID:1148
-
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe84⤵PID:5188
-
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe85⤵
- Modifies registry class
PID:5236 -
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe86⤵PID:5272
-
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe87⤵PID:5316
-
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe88⤵PID:5360
-
C:\Windows\SysWOW64\Aabmqd32.exeC:\Windows\system32\Aabmqd32.exe89⤵PID:5416
-
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe90⤵PID:5460
-
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5508 -
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe92⤵PID:5548
-
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe93⤵PID:5596
-
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe94⤵PID:5636
-
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe95⤵PID:5672
-
C:\Windows\SysWOW64\Bgehcmmm.exeC:\Windows\system32\Bgehcmmm.exe96⤵PID:5716
-
C:\Windows\SysWOW64\Bclhhnca.exeC:\Windows\system32\Bclhhnca.exe97⤵PID:5756
-
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe98⤵PID:5800
-
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe99⤵PID:5840
-
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe100⤵PID:5920
-
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe101⤵PID:5960
-
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe102⤵
- Modifies registry class
PID:6004 -
C:\Windows\SysWOW64\Cmlcbbcj.exeC:\Windows\system32\Cmlcbbcj.exe103⤵PID:6044
-
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe104⤵PID:6092
-
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe105⤵PID:932
-
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe106⤵PID:5184
-
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe107⤵PID:5280
-
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe108⤵PID:5344
-
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe109⤵PID:5424
-
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe110⤵PID:5504
-
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe111⤵PID:5584
-
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5660 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe113⤵
- Drops file in System32 directory
PID:5696 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe114⤵PID:5796
-
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe115⤵
- Drops file in System32 directory
PID:5900 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe116⤵
- Modifies registry class
PID:5988 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe117⤵PID:6084
-
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe118⤵PID:5168
-
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe119⤵PID:5244
-
C:\Windows\SysWOW64\Eolhbc32.exeC:\Windows\system32\Eolhbc32.exe120⤵PID:5492
-
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5668
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-