Analysis
-
max time kernel
111s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 20:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2f633d28876e861cbc37b80c2197aeb25a5d87d95af6fbac9b135ccd971c2277.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
2f633d28876e861cbc37b80c2197aeb25a5d87d95af6fbac9b135ccd971c2277.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
2f633d28876e861cbc37b80c2197aeb25a5d87d95af6fbac9b135ccd971c2277.exe
-
Size
304KB
-
MD5
0081a8fb89058f7831bf2da06b807ade
-
SHA1
d32df0766888f9f50272037291b22824e5555fa0
-
SHA256
2f633d28876e861cbc37b80c2197aeb25a5d87d95af6fbac9b135ccd971c2277
-
SHA512
67fa626a9394b65205eefd7d929082a6af5aed9887c021b7e25ff6b014061697123c68d20ed3bf10cd94a9bc2a51084acfc34a8486984ffe3ca412be6c048300
-
SSDEEP
3072:DmfH7s+CDgR1E4Bw7eLejz+k5rD0LZSnulc0VP7SnHjg:ekcRnBwCLEKIrD0Lu
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfehed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mplafeil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jinboekc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ombcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgllfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aadifclh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagiji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnakhkol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plcdiabk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djmibn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icfekc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpdhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfbploob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dobfld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aimkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Falcae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmijbcpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fdkggg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijegcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcmabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jngjch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkodhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmiclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpkdjofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpjjac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hemdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmhhehlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcoenmao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lifjnm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkpheidp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpkdjofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcmlfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Knfeeimj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amddjegd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfcqpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hglaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpjcgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjahlgpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohbhmfm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnkbcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opqofe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adgbpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nojjcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocpgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Knchpiom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oeehkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Knefeffd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gjfnedho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklomh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjemflb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efafgifc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Domdjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbbffdlq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjlhgaqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmdgikhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfhdlh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogpepl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bepmoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhjfhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggnedlao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jddnfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eidbij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjmcnbdm.exe -
Executes dropped EXE 64 IoCs
pid Process 3756 Fhcpgmjf.exe 2268 Fomhdg32.exe 4352 Fooeif32.exe 3380 Fbnafb32.exe 924 Flceckoj.exe 1948 Foabofnn.exe 2608 Fcmnpe32.exe 2104 Ffkjlp32.exe 2124 Fhjfhl32.exe 4720 Gkmlofol.exe 4700 Gfbploob.exe 2416 Gkoiefmj.exe 3288 Gdhmnlcj.exe 2176 Gblngpbd.exe 4344 Hkdbpe32.exe 1388 Hihbijhn.exe 4592 Hflcbngh.exe 728 Hcpclbfa.exe 4788 Hmhhehlb.exe 3552 Hfqlnm32.exe 4824 Ikpaldog.exe 3656 Icifbang.exe 3560 Ickchq32.exe 2976 Ipbdmaah.exe 60 Imfdff32.exe 2860 Ibcmom32.exe 3692 Jlkagbej.exe 1916 Jmknaell.exe 3952 Jfcbjk32.exe 1972 Jehokgge.exe 628 Jifhaenk.exe 4460 Kboljk32.exe 4472 Klgqcqkl.exe 3368 Kfmepi32.exe 4652 Klimip32.exe 1592 Kdqejn32.exe 4600 Kmijbcpl.exe 2528 Kpgfooop.exe 1452 Kedoge32.exe 1076 Kpjcdn32.exe 3056 Kibgmdcn.exe 2236 Klqcioba.exe 4312 Lffhfh32.exe 1996 Llcpoo32.exe 4960 Lfhdlh32.exe 1204 Ligqhc32.exe 1404 Lbdolh32.exe 2080 Lmiciaaj.exe 4484 Mplhql32.exe 2192 Mckemg32.exe 4604 Mmpijp32.exe 4212 Mcmabg32.exe 4804 Migjoaaf.exe 2276 Mpablkhc.exe 644 Mcpnhfhf.exe 3864 Npcoakfp.exe 4512 Ngmgne32.exe 1284 Nngokoej.exe 1816 Ndaggimg.exe 1588 Njnpppkn.exe 2132 Nphhmj32.exe 964 Njqmepik.exe 3388 Ndfqbhia.exe 3016 Nfgmjqop.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kelkaj32.exe Kkcfid32.exe File opened for modification C:\Windows\SysWOW64\Gfheof32.exe Gpnmbl32.exe File created C:\Windows\SysWOW64\Plikcm32.dll Bmeandma.exe File created C:\Windows\SysWOW64\Nfgmjqop.exe Ndfqbhia.exe File created C:\Windows\SysWOW64\Bqjdgbbi.dll Hhbkinel.exe File opened for modification C:\Windows\SysWOW64\Ojbacd32.exe Oeehkn32.exe File opened for modification C:\Windows\SysWOW64\Hemdlj32.exe Hbohpn32.exe File created C:\Windows\SysWOW64\Aogbfi32.exe Ahmjjoig.exe File created C:\Windows\SysWOW64\Dfoiaj32.exe Dpdaepai.exe File created C:\Windows\SysWOW64\Mhpbkngk.dll Nnkpnclp.exe File opened for modification C:\Windows\SysWOW64\Dheibpje.exe Dfglfdkb.exe File created C:\Windows\SysWOW64\Fpimlfke.exe Flmqlg32.exe File created C:\Windows\SysWOW64\Gaamlecg.exe Gmeakf32.exe File opened for modification C:\Windows\SysWOW64\Dejacond.exe Dopigd32.exe File opened for modification C:\Windows\SysWOW64\Oigllh32.exe Oghppm32.exe File opened for modification C:\Windows\SysWOW64\Glipgf32.exe Geohklaa.exe File opened for modification C:\Windows\SysWOW64\Hkpqkcpd.exe Hbhijepa.exe File created C:\Windows\SysWOW64\Bgeemcfc.dll Nmenca32.exe File created C:\Windows\SysWOW64\Najceeoo.exe Nojjcj32.exe File created C:\Windows\SysWOW64\Okedcjcm.exe Oehlkc32.exe File created C:\Windows\SysWOW64\Hmenjlfh.dll Hihbijhn.exe File created C:\Windows\SysWOW64\Pmjggi32.dll Hnoklk32.exe File opened for modification C:\Windows\SysWOW64\Fffhifdk.exe Fplpll32.exe File opened for modification C:\Windows\SysWOW64\Dokgdkeh.exe Dmlkhofd.exe File created C:\Windows\SysWOW64\Dbbffdlq.exe Dkhnjk32.exe File created C:\Windows\SysWOW64\Ipgbdbqb.exe Iinjhh32.exe File created C:\Windows\SysWOW64\Bmkcqn32.exe Bjlgdc32.exe File created C:\Windows\SysWOW64\Indfca32.exe Igjngh32.exe File opened for modification C:\Windows\SysWOW64\Jnhidk32.exe Jjlmclqa.exe File opened for modification C:\Windows\SysWOW64\Nnfgcd32.exe Njkkbehl.exe File opened for modification C:\Windows\SysWOW64\Bqdblmhl.exe Aimkjp32.exe File opened for modification C:\Windows\SysWOW64\Ebnfbcbc.exe Ekdnei32.exe File created C:\Windows\SysWOW64\Ndikch32.dll Baegibae.exe File opened for modification C:\Windows\SysWOW64\Hdhedh32.exe Hmnmgnoh.exe File created C:\Windows\SysWOW64\Lcgpni32.exe Llmhaold.exe File created C:\Windows\SysWOW64\Ficlfj32.dll Gpgind32.exe File created C:\Windows\SysWOW64\Mcifkf32.exe Mnmmboed.exe File created C:\Windows\SysWOW64\Bhoqeibl.exe Bcahmb32.exe File created C:\Windows\SysWOW64\Mpieqeko.exe Miomdk32.exe File created C:\Windows\SysWOW64\Npchgdcd.exe Niipjj32.exe File opened for modification C:\Windows\SysWOW64\Ddcqedkk.exe Daediilg.exe File opened for modification C:\Windows\SysWOW64\Iknmla32.exe Icfekc32.exe File opened for modification C:\Windows\SysWOW64\Kpgfooop.exe Kmijbcpl.exe File created C:\Windows\SysWOW64\Cfcqpa32.exe Cgqqdeod.exe File created C:\Windows\SysWOW64\Dmoohe32.exe Dfefkkqp.exe File created C:\Windows\SysWOW64\Lckiihok.exe Lnoaaaad.exe File created C:\Windows\SysWOW64\Jfdnfdoa.dll Neclenfo.exe File opened for modification C:\Windows\SysWOW64\Pnplfj32.exe Pfiddm32.exe File opened for modification C:\Windows\SysWOW64\Bnhjohkb.exe Bfabnjjp.exe File created C:\Windows\SysWOW64\Dfknkg32.exe Dejacond.exe File created C:\Windows\SysWOW64\Ionqbdem.dll Qqhcpo32.exe File created C:\Windows\SysWOW64\Cmjemflb.exe Cfqmpl32.exe File created C:\Windows\SysWOW64\Hfqlnm32.exe Hmhhehlb.exe File created C:\Windows\SysWOW64\Bmngqdpj.exe Bfdodjhm.exe File opened for modification C:\Windows\SysWOW64\Jddnfd32.exe Jnjejjgh.exe File created C:\Windows\SysWOW64\Olfghg32.exe Oaqbkn32.exe File created C:\Windows\SysWOW64\Opemca32.exe Oileggkb.exe File opened for modification C:\Windows\SysWOW64\Fpjcgm32.exe Ffaong32.exe File created C:\Windows\SysWOW64\Kgipcogp.exe Kdkdgchl.exe File created C:\Windows\SysWOW64\Ehkljb32.dll Lmpkadnm.exe File created C:\Windows\SysWOW64\Ibdlakbf.dll Hffken32.exe File created C:\Windows\SysWOW64\Npbceggm.exe Nmdgikhi.exe File created C:\Windows\SysWOW64\Keakgpko.exe Kbbokdlk.exe File created C:\Windows\SysWOW64\Fknajfhe.dll Fmhdkknd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7008 8380 Process not Found 1131 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iomcgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhkgkgoe.dll" Knefeffd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gdobnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aagkhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Icnklbmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojgjndno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkbdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iloidijb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nlmdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfnba32.dll" Npgmpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jmknaell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggnjnq32.dll" Efkphnbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hdilnojp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgogbgei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jcfggkac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfipef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgflcifg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Imfdff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dclkee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hekgfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Blqllqqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcifkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mfhbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oppceehj.dll" Nglhld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gejopl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfdhkhjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Feocelll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Malpia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncpgam32.dll" Llmhaold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjieo32.dll" Bdojjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpnpfack.dll" Dikpbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqdmimbf.dll" Gbchdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghnikdd.dll" Ocopdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmlneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmngqdpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnkplejl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nomncpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bqfoamfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhoneioi.dll" Jgkdbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epopbo32.dll" Bhkfkmmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Afhohlbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qcdbfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ejoomhmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfpfngma.dll" Gmbmkpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiacfqch.dll" Jnhidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fddqghpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flakaffp.dll" Fpjcgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igpoaebh.dll" Pkpmdbfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndaggimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mholheco.dll" Biadeoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jlobkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Agdcpkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgmdfppj.dll" Fnaokmco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfgcakon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Omcjep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jghdlf32.dll" Djdflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahamlm32.dll" Gkleeplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chlaag32.dll" Lfhnaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gnhnaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgijcij.dll" Lcdciiec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hnoklk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nohehq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pgkelj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lnnbqnjn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4544 wrote to memory of 3756 4544 2f633d28876e861cbc37b80c2197aeb25a5d87d95af6fbac9b135ccd971c2277.exe 82 PID 4544 wrote to memory of 3756 4544 2f633d28876e861cbc37b80c2197aeb25a5d87d95af6fbac9b135ccd971c2277.exe 82 PID 4544 wrote to memory of 3756 4544 2f633d28876e861cbc37b80c2197aeb25a5d87d95af6fbac9b135ccd971c2277.exe 82 PID 3756 wrote to memory of 2268 3756 Fhcpgmjf.exe 83 PID 3756 wrote to memory of 2268 3756 Fhcpgmjf.exe 83 PID 3756 wrote to memory of 2268 3756 Fhcpgmjf.exe 83 PID 2268 wrote to memory of 4352 2268 Fomhdg32.exe 84 PID 2268 wrote to memory of 4352 2268 Fomhdg32.exe 84 PID 2268 wrote to memory of 4352 2268 Fomhdg32.exe 84 PID 4352 wrote to memory of 3380 4352 Fooeif32.exe 85 PID 4352 wrote to memory of 3380 4352 Fooeif32.exe 85 PID 4352 wrote to memory of 3380 4352 Fooeif32.exe 85 PID 3380 wrote to memory of 924 3380 Fbnafb32.exe 86 PID 3380 wrote to memory of 924 3380 Fbnafb32.exe 86 PID 3380 wrote to memory of 924 3380 Fbnafb32.exe 86 PID 924 wrote to memory of 1948 924 Flceckoj.exe 88 PID 924 wrote to memory of 1948 924 Flceckoj.exe 88 PID 924 wrote to memory of 1948 924 Flceckoj.exe 88 PID 1948 wrote to memory of 2608 1948 Foabofnn.exe 89 PID 1948 wrote to memory of 2608 1948 Foabofnn.exe 89 PID 1948 wrote to memory of 2608 1948 Foabofnn.exe 89 PID 2608 wrote to memory of 2104 2608 Fcmnpe32.exe 90 PID 2608 wrote to memory of 2104 2608 Fcmnpe32.exe 90 PID 2608 wrote to memory of 2104 2608 Fcmnpe32.exe 90 PID 2104 wrote to memory of 2124 2104 Ffkjlp32.exe 93 PID 2104 wrote to memory of 2124 2104 Ffkjlp32.exe 93 PID 2104 wrote to memory of 2124 2104 Ffkjlp32.exe 93 PID 2124 wrote to memory of 4720 2124 Fhjfhl32.exe 94 PID 2124 wrote to memory of 4720 2124 Fhjfhl32.exe 94 PID 2124 wrote to memory of 4720 2124 Fhjfhl32.exe 94 PID 4720 wrote to memory of 4700 4720 Gkmlofol.exe 95 PID 4720 wrote to memory of 4700 4720 Gkmlofol.exe 95 PID 4720 wrote to memory of 4700 4720 Gkmlofol.exe 95 PID 4700 wrote to memory of 2416 4700 Gfbploob.exe 96 PID 4700 wrote to memory of 2416 4700 Gfbploob.exe 96 PID 4700 wrote to memory of 2416 4700 Gfbploob.exe 96 PID 2416 wrote to memory of 3288 2416 Gkoiefmj.exe 97 PID 2416 wrote to memory of 3288 2416 Gkoiefmj.exe 97 PID 2416 wrote to memory of 3288 2416 Gkoiefmj.exe 97 PID 3288 wrote to memory of 2176 3288 Gdhmnlcj.exe 98 PID 3288 wrote to memory of 2176 3288 Gdhmnlcj.exe 98 PID 3288 wrote to memory of 2176 3288 Gdhmnlcj.exe 98 PID 2176 wrote to memory of 4344 2176 Gblngpbd.exe 99 PID 2176 wrote to memory of 4344 2176 Gblngpbd.exe 99 PID 2176 wrote to memory of 4344 2176 Gblngpbd.exe 99 PID 4344 wrote to memory of 1388 4344 Hkdbpe32.exe 100 PID 4344 wrote to memory of 1388 4344 Hkdbpe32.exe 100 PID 4344 wrote to memory of 1388 4344 Hkdbpe32.exe 100 PID 1388 wrote to memory of 4592 1388 Hihbijhn.exe 101 PID 1388 wrote to memory of 4592 1388 Hihbijhn.exe 101 PID 1388 wrote to memory of 4592 1388 Hihbijhn.exe 101 PID 4592 wrote to memory of 728 4592 Hflcbngh.exe 102 PID 4592 wrote to memory of 728 4592 Hflcbngh.exe 102 PID 4592 wrote to memory of 728 4592 Hflcbngh.exe 102 PID 728 wrote to memory of 4788 728 Hcpclbfa.exe 103 PID 728 wrote to memory of 4788 728 Hcpclbfa.exe 103 PID 728 wrote to memory of 4788 728 Hcpclbfa.exe 103 PID 4788 wrote to memory of 3552 4788 Hmhhehlb.exe 104 PID 4788 wrote to memory of 3552 4788 Hmhhehlb.exe 104 PID 4788 wrote to memory of 3552 4788 Hmhhehlb.exe 104 PID 3552 wrote to memory of 4824 3552 Hfqlnm32.exe 105 PID 3552 wrote to memory of 4824 3552 Hfqlnm32.exe 105 PID 3552 wrote to memory of 4824 3552 Hfqlnm32.exe 105 PID 4824 wrote to memory of 3656 4824 Ikpaldog.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f633d28876e861cbc37b80c2197aeb25a5d87d95af6fbac9b135ccd971c2277.exe"C:\Users\Admin\AppData\Local\Temp\2f633d28876e861cbc37b80c2197aeb25a5d87d95af6fbac9b135ccd971c2277.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\SysWOW64\Fomhdg32.exeC:\Windows\system32\Fomhdg32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Fooeif32.exeC:\Windows\system32\Fooeif32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\SysWOW64\Foabofnn.exeC:\Windows\system32\Foabofnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Ffkjlp32.exeC:\Windows\system32\Ffkjlp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\Gfbploob.exeC:\Windows\system32\Gfbploob.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Gdhmnlcj.exeC:\Windows\system32\Gdhmnlcj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Windows\SysWOW64\Gblngpbd.exeC:\Windows\system32\Gblngpbd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:728 -
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\Icifbang.exeC:\Windows\system32\Icifbang.exe23⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Ickchq32.exeC:\Windows\system32\Ickchq32.exe24⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Ipbdmaah.exeC:\Windows\system32\Ipbdmaah.exe25⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Imfdff32.exeC:\Windows\system32\Imfdff32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:60 -
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe27⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe28⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Jmknaell.exeC:\Windows\system32\Jmknaell.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Jfcbjk32.exeC:\Windows\system32\Jfcbjk32.exe30⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Jehokgge.exeC:\Windows\system32\Jehokgge.exe31⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Jifhaenk.exeC:\Windows\system32\Jifhaenk.exe32⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe33⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Klgqcqkl.exeC:\Windows\system32\Klgqcqkl.exe34⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Kfmepi32.exeC:\Windows\system32\Kfmepi32.exe35⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Klimip32.exeC:\Windows\system32\Klimip32.exe36⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Kdqejn32.exeC:\Windows\system32\Kdqejn32.exe37⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Kmijbcpl.exeC:\Windows\system32\Kmijbcpl.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4600 -
C:\Windows\SysWOW64\Kpgfooop.exeC:\Windows\system32\Kpgfooop.exe39⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Kedoge32.exeC:\Windows\system32\Kedoge32.exe40⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe41⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Kibgmdcn.exeC:\Windows\system32\Kibgmdcn.exe42⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe43⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Lffhfh32.exeC:\Windows\system32\Lffhfh32.exe44⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe45⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Lfhdlh32.exeC:\Windows\system32\Lfhdlh32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Ligqhc32.exeC:\Windows\system32\Ligqhc32.exe47⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Lbdolh32.exeC:\Windows\system32\Lbdolh32.exe48⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Lmiciaaj.exeC:\Windows\system32\Lmiciaaj.exe49⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Mplhql32.exeC:\Windows\system32\Mplhql32.exe50⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Mckemg32.exeC:\Windows\system32\Mckemg32.exe51⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe52⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Migjoaaf.exeC:\Windows\system32\Migjoaaf.exe54⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Mpablkhc.exeC:\Windows\system32\Mpablkhc.exe55⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Mcpnhfhf.exeC:\Windows\system32\Mcpnhfhf.exe56⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Npcoakfp.exeC:\Windows\system32\Npcoakfp.exe57⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Ngmgne32.exeC:\Windows\system32\Ngmgne32.exe58⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Nngokoej.exeC:\Windows\system32\Nngokoej.exe59⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Njnpppkn.exeC:\Windows\system32\Njnpppkn.exe61⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Nphhmj32.exeC:\Windows\system32\Nphhmj32.exe62⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Njqmepik.exeC:\Windows\system32\Njqmepik.exe63⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Ndfqbhia.exeC:\Windows\system32\Ndfqbhia.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3388 -
C:\Windows\SysWOW64\Nfgmjqop.exeC:\Windows\system32\Nfgmjqop.exe65⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Npmagine.exeC:\Windows\system32\Npmagine.exe66⤵PID:4684
-
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe67⤵PID:4364
-
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe68⤵PID:4828
-
C:\Windows\SysWOW64\Ocnjidkf.exeC:\Windows\system32\Ocnjidkf.exe69⤵PID:2304
-
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe70⤵PID:4068
-
C:\Windows\SysWOW64\Ocpgod32.exeC:\Windows\system32\Ocpgod32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:436 -
C:\Windows\SysWOW64\Ofnckp32.exeC:\Windows\system32\Ofnckp32.exe72⤵PID:3924
-
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe73⤵PID:1016
-
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe74⤵PID:4736
-
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe75⤵PID:4164
-
C:\Windows\SysWOW64\Ocdqjceo.exeC:\Windows\system32\Ocdqjceo.exe76⤵PID:3400
-
C:\Windows\SysWOW64\Olmeci32.exeC:\Windows\system32\Olmeci32.exe77⤵PID:952
-
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe78⤵PID:2580
-
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe79⤵PID:3860
-
C:\Windows\SysWOW64\Pdfjifjo.exeC:\Windows\system32\Pdfjifjo.exe80⤵PID:4708
-
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe81⤵PID:2308
-
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe82⤵PID:4996
-
C:\Windows\SysWOW64\Pnakhkol.exeC:\Windows\system32\Pnakhkol.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1576 -
C:\Windows\SysWOW64\Pcncpbmd.exeC:\Windows\system32\Pcncpbmd.exe84⤵PID:4924
-
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe85⤵PID:4584
-
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4580 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe87⤵PID:4480
-
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe88⤵PID:1564
-
C:\Windows\SysWOW64\Qnhahj32.exeC:\Windows\system32\Qnhahj32.exe89⤵PID:4268
-
C:\Windows\SysWOW64\Qdbiedpa.exeC:\Windows\system32\Qdbiedpa.exe90⤵PID:4232
-
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe91⤵PID:4692
-
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe92⤵PID:2556
-
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe93⤵PID:384
-
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1424 -
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe95⤵
- Modifies registry class
PID:3492 -
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe96⤵PID:2768
-
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe97⤵PID:2252
-
C:\Windows\SysWOW64\Ajfhnjhq.exeC:\Windows\system32\Ajfhnjhq.exe98⤵PID:4020
-
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2008 -
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe100⤵PID:2524
-
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe101⤵PID:2680
-
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe102⤵PID:4016
-
C:\Windows\SysWOW64\Ajkaii32.exeC:\Windows\system32\Ajkaii32.exe103⤵PID:3688
-
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2928 -
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe105⤵PID:5144
-
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe106⤵
- Drops file in System32 directory
PID:5192 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe107⤵PID:5236
-
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe108⤵
- Drops file in System32 directory
PID:5280 -
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe109⤵
- Modifies registry class
PID:5324 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe110⤵PID:5368
-
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe111⤵PID:5412
-
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe112⤵PID:5456
-
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe113⤵PID:5500
-
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe114⤵PID:5544
-
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe115⤵PID:5588
-
C:\Windows\SysWOW64\Bclhhnca.exeC:\Windows\system32\Bclhhnca.exe116⤵PID:5632
-
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe117⤵PID:5676
-
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5720 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe119⤵PID:5764
-
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe120⤵PID:5808
-
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe121⤵PID:5852
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-