Analysis
-
max time kernel
178s -
max time network
188s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
02-01-2024 15:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0cec5cab32586daf5d4e09b052abb187.exe
Resource
win7-20231215-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
0cec5cab32586daf5d4e09b052abb187.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
0cec5cab32586daf5d4e09b052abb187.exe
-
Size
255KB
-
MD5
0cec5cab32586daf5d4e09b052abb187
-
SHA1
2ce4e08310a1ad90cf114af199cf2b956080ec2a
-
SHA256
1921a12cdb73a133c1ac549423576b11fb1522007228c787adad0ff1f1d10de9
-
SHA512
57005019ddf820656a18447cd441fdb6d3a3a8cd328046bca3d4aab07ce986a5726fa6d6a73ccbae1a39c2c2bdddaeab23caa8d1347b43ccb84d243c750c5056
-
SSDEEP
3072:Kp/S/ebJbYSwyw8asCHNhMXi6Y0HYSx9m9jqLsFmsdYXmAMS3KUUibN8ohXiHm9D:KpNbl+y2xUS6UJjwszeXmDZUH8aiGaEP
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obbnlkbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjehaopm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acgacegg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lopmbomp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foocegea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcaqeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmfkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Capikhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhhnipbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oocdme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckeigc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egbkodei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqphbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcfjfqah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fejlbgek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mojmbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiibdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jioajliq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bagfeioc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Capikhgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anaofa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcaqka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnicko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ameipl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ealkcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekdolcbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhihejhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Addhbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khbioa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cioghg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npjnll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipplmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bidefbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjiljdaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qekbaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpldpddh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqbehh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmfjok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpomoc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhpaki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhdfgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoilfidj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjfngi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhhphebj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpenpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koajfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcbkgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlbpggdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blbkck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohlifj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlooef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnqbmadp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddgpfgil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmpjhbee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdfcla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkfdcbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggjjfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cimamn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfghem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amloakki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peonhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Appaangd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gngllfol.exe -
Executes dropped EXE 64 IoCs
pid Process 1672 Dlicflic.exe 1760 Elilmi32.exe 4908 Ehpmbj32.exe 916 Fbhnec32.exe 3732 Fcaqka32.exe 4456 Gcfjfqah.exe 2640 Gledpe32.exe 5088 Mpedgghj.exe 212 Odcfdc32.exe 1896 Pphckb32.exe 4580 Qjcdih32.exe 2276 Addhbo32.exe 5036 Bqbohocd.exe 4556 Bkjpkg32.exe 1964 Djmima32.exe 3420 Dnkbcp32.exe 4792 Eahjqicj.exe 4920 Fejlbgek.exe 4316 Geabbfoc.exe 3400 Hiinoc32.exe 2972 Hhbdko32.exe 5040 Ikjcmi32.exe 4180 Jkomhhae.exe 3188 Jfgnka32.exe 3340 Kjipmoai.exe 1404 Kmmedi32.exe 1232 Mlgegcng.exe 4552 Njceqili.exe 1652 Ofdhlh32.exe 4540 Olqqdo32.exe 1028 Okaabg32.exe 3048 Pghaghfn.exe 552 Pdalkk32.exe 3376 Anqfepaj.exe 2608 Agpqnd32.exe 4876 Acgacegg.exe 1080 Bkepeaaa.exe 2732 Dcqmpa32.exe 3440 Dqdnjfpc.exe 4912 Eljknl32.exe 3868 Faqflb32.exe 2672 Gokmfe32.exe 220 Hmecba32.exe 4036 Hhpaki32.exe 2936 Ioclnblj.exe 1784 Jlblcdpf.exe 2900 Lmeapbpa.exe 4672 Ldqfddml.exe 1388 Lfbpcgbl.exe 2460 Mokdllim.exe 3192 Mkhkblii.exe 3380 Nilkkq32.exe 4272 Nbiioe32.exe 4184 Onjmjegg.exe 1140 Obgeqcnn.exe 872 Pbahgbfc.exe 812 Qbeaba32.exe 4616 Aooolbep.exe 344 Aekdolkj.exe 4656 Cggikk32.exe 4612 Dobnpm32.exe 3444 Egiohh32.exe 3464 Egnhcgeb.exe 2520 Fpnfbi32.exe -
Loads dropped DLL 1 IoCs
pid Process 3184 Ciljbh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Iohjle32.dll Dbnmek32.exe File created C:\Windows\SysWOW64\Aodejohd.exe Adoamfhn.exe File created C:\Windows\SysWOW64\Cfmacoep.exe Capikhgh.exe File created C:\Windows\SysWOW64\Eipigqop.exe Cmaikcmf.exe File opened for modification C:\Windows\SysWOW64\Macdgn32.exe Mjiljdaj.exe File opened for modification C:\Windows\SysWOW64\Alpboida.exe Aajoapdk.exe File opened for modification C:\Windows\SysWOW64\Lfodgicf.exe Likcme32.exe File created C:\Windows\SysWOW64\Hmmfha32.dll Ajfhhp32.exe File created C:\Windows\SysWOW64\Abjkijki.dll Fmiaimki.exe File opened for modification C:\Windows\SysWOW64\Dibdok32.exe Dpjofefp.exe File created C:\Windows\SysWOW64\Aecagakh.dll Egknco32.exe File created C:\Windows\SysWOW64\Onbmjegm.dll Bhdilold.exe File created C:\Windows\SysWOW64\Lecnkice.dll Kbbodj32.exe File created C:\Windows\SysWOW64\Boffej32.dll Lmpkkjcj.exe File created C:\Windows\SysWOW64\Mbhafgpp.exe Mpghel32.exe File created C:\Windows\SysWOW64\Ohdpkpcl.dll Ohnelj32.exe File opened for modification C:\Windows\SysWOW64\Adcjhf32.exe Aogbpo32.exe File opened for modification C:\Windows\SysWOW64\Keebno32.exe Koljaeen.exe File opened for modification C:\Windows\SysWOW64\Nihdhl32.exe Nqmocjdf.exe File created C:\Windows\SysWOW64\Ndilifdh.dll Pmmleg32.exe File created C:\Windows\SysWOW64\Onjmjegg.exe Nbiioe32.exe File opened for modification C:\Windows\SysWOW64\Fhablf32.exe Fmlnomif.exe File created C:\Windows\SysWOW64\Hnbaba32.dll Cjecjahd.exe File created C:\Windows\SysWOW64\Fglalp32.dll Bhkfdcbd.exe File opened for modification C:\Windows\SysWOW64\Gdjilphb.exe Gmpqof32.exe File opened for modification C:\Windows\SysWOW64\Hfodnd32.exe Hlipal32.exe File created C:\Windows\SysWOW64\Fcffcd32.dll Jlphnbfe.exe File created C:\Windows\SysWOW64\Cnkppnga.exe Cioghg32.exe File created C:\Windows\SysWOW64\Pphckb32.exe Odcfdc32.exe File created C:\Windows\SysWOW64\Kncmepjq.dll Ndfqlnno.exe File opened for modification C:\Windows\SysWOW64\Ccbanfko.exe Cmhial32.exe File created C:\Windows\SysWOW64\Onohgh32.dll Cmhial32.exe File opened for modification C:\Windows\SysWOW64\Pcbkgb32.exe Pimfji32.exe File created C:\Windows\SysWOW64\Ckpenokc.dll Dobnpm32.exe File opened for modification C:\Windows\SysWOW64\Noeaaqlq.exe Nihiiimi.exe File opened for modification C:\Windows\SysWOW64\Kcpqafba.exe Kqmkjk32.exe File created C:\Windows\SysWOW64\Bbjedgdf.dll Igneng32.exe File created C:\Windows\SysWOW64\Kpgfhddn.exe Keabkkdg.exe File created C:\Windows\SysWOW64\Mlhidg32.exe Macdgn32.exe File opened for modification C:\Windows\SysWOW64\Agaomf32.exe Afpbenhi.exe File created C:\Windows\SysWOW64\Pghaghfn.exe Okaabg32.exe File opened for modification C:\Windows\SysWOW64\Ialhdh32.exe Ijpcbn32.exe File opened for modification C:\Windows\SysWOW64\Naejcl32.exe Nliakd32.exe File created C:\Windows\SysWOW64\Ggajebac.dll Kahqbgjp.exe File opened for modification C:\Windows\SysWOW64\Jiokpfee.exe Ikcdfbmc.exe File opened for modification C:\Windows\SysWOW64\Lbjeei32.exe Liaqlcep.exe File created C:\Windows\SysWOW64\Aokkknbl.exe Adfgne32.exe File created C:\Windows\SysWOW64\Phfhog32.exe Pjehaopm.exe File created C:\Windows\SysWOW64\Lmpkkjcj.exe Lddgghfo.exe File created C:\Windows\SysWOW64\Oaqjmemq.dll Diqnda32.exe File created C:\Windows\SysWOW64\Mkhkblii.exe Mokdllim.exe File created C:\Windows\SysWOW64\Imjddmpl.exe Ibeqgdpf.exe File created C:\Windows\SysWOW64\Aeeemg32.dll Bnkgomnl.exe File opened for modification C:\Windows\SysWOW64\Eoilfidj.exe Eddhipdd.exe File created C:\Windows\SysWOW64\Ehpkhelp.dll Bgeabloo.exe File opened for modification C:\Windows\SysWOW64\Lggjpmqa.exe Lambcc32.exe File created C:\Windows\SysWOW64\Hoogpcco.exe Hnokeqll.exe File opened for modification C:\Windows\SysWOW64\Qqcjnell.exe Qcpieamc.exe File opened for modification C:\Windows\SysWOW64\Hpmhmbko.exe Hhdcfe32.exe File opened for modification C:\Windows\SysWOW64\Dppeeqjo.exe Cifmif32.exe File opened for modification C:\Windows\SysWOW64\Cbhifj32.exe Cmlamb32.exe File created C:\Windows\SysWOW64\Pelchhkm.dll Behbfqoj.exe File created C:\Windows\SysWOW64\Bqbohocd.exe Addhbo32.exe File created C:\Windows\SysWOW64\Diohqplg.dll Iiibdc32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dedeij32.dll" Mlkejgfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igneng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cifmif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andckncb.dll" Ngdfifao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohnelj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okcccdkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnlcknle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfjaemfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchood32.dll" Aekdolkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlgegcng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Engmeblo.dll" Keabkkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hggqniih.dll" Fmlnomif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epqjji32.dll" Pcgdbakj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjfiml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdqeglpa.dll" Edakbbdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkjpkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kainifch.dll" Phqbaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cobkbhgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajkamff.dll" Lhihejhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opadmkcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onbmjegm.dll" Bhdilold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggoddakg.dll" Jdpkoalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqmkjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipplmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kalccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlmqkjh.dll" Kflnpild.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Appaangd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aogkhjii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbgaecjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hekgppma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpfmidbh.dll" Ebdlkdlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqphbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jacpma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfgnka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmfjok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emphagjj.dll" Hnckhddo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhihejhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lddgghfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dedkimfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjdkc32.dll" Oidopn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bminokil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdkkjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aajoapdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmpjhbee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcdiahme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpoafbfi.dll" Onjmjegg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpcahb32.dll" Mikcbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nobdlqnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcqjkafb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elilmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajeami32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eainnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjoclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klhdjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pilpoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaabf32.dll" Khplnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhjkjd32.dll" Cggikk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpfpj32.dll" Lfodgicf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cggikk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebggep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addiiq32.dll" Piaijbgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjonobhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhofffjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aecpnk32.dll" Egiohh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 760 wrote to memory of 1672 760 0cec5cab32586daf5d4e09b052abb187.exe 92 PID 760 wrote to memory of 1672 760 0cec5cab32586daf5d4e09b052abb187.exe 92 PID 760 wrote to memory of 1672 760 0cec5cab32586daf5d4e09b052abb187.exe 92 PID 1672 wrote to memory of 1760 1672 Dlicflic.exe 95 PID 1672 wrote to memory of 1760 1672 Dlicflic.exe 95 PID 1672 wrote to memory of 1760 1672 Dlicflic.exe 95 PID 1760 wrote to memory of 4908 1760 Elilmi32.exe 94 PID 1760 wrote to memory of 4908 1760 Elilmi32.exe 94 PID 1760 wrote to memory of 4908 1760 Elilmi32.exe 94 PID 4908 wrote to memory of 916 4908 Ehpmbj32.exe 96 PID 4908 wrote to memory of 916 4908 Ehpmbj32.exe 96 PID 4908 wrote to memory of 916 4908 Ehpmbj32.exe 96 PID 916 wrote to memory of 3732 916 Fbhnec32.exe 97 PID 916 wrote to memory of 3732 916 Fbhnec32.exe 97 PID 916 wrote to memory of 3732 916 Fbhnec32.exe 97 PID 3732 wrote to memory of 4456 3732 Fcaqka32.exe 98 PID 3732 wrote to memory of 4456 3732 Fcaqka32.exe 98 PID 3732 wrote to memory of 4456 3732 Fcaqka32.exe 98 PID 4456 wrote to memory of 2640 4456 Gcfjfqah.exe 99 PID 4456 wrote to memory of 2640 4456 Gcfjfqah.exe 99 PID 4456 wrote to memory of 2640 4456 Gcfjfqah.exe 99 PID 2640 wrote to memory of 5088 2640 Gledpe32.exe 100 PID 2640 wrote to memory of 5088 2640 Gledpe32.exe 100 PID 2640 wrote to memory of 5088 2640 Gledpe32.exe 100 PID 5088 wrote to memory of 212 5088 Mpedgghj.exe 101 PID 5088 wrote to memory of 212 5088 Mpedgghj.exe 101 PID 5088 wrote to memory of 212 5088 Mpedgghj.exe 101 PID 212 wrote to memory of 1896 212 Odcfdc32.exe 102 PID 212 wrote to memory of 1896 212 Odcfdc32.exe 102 PID 212 wrote to memory of 1896 212 Odcfdc32.exe 102 PID 1896 wrote to memory of 4580 1896 Pphckb32.exe 103 PID 1896 wrote to memory of 4580 1896 Pphckb32.exe 103 PID 1896 wrote to memory of 4580 1896 Pphckb32.exe 103 PID 4580 wrote to memory of 2276 4580 Qjcdih32.exe 104 PID 4580 wrote to memory of 2276 4580 Qjcdih32.exe 104 PID 4580 wrote to memory of 2276 4580 Qjcdih32.exe 104 PID 2276 wrote to memory of 5036 2276 Addhbo32.exe 105 PID 2276 wrote to memory of 5036 2276 Addhbo32.exe 105 PID 2276 wrote to memory of 5036 2276 Addhbo32.exe 105 PID 5036 wrote to memory of 4556 5036 Bqbohocd.exe 106 PID 5036 wrote to memory of 4556 5036 Bqbohocd.exe 106 PID 5036 wrote to memory of 4556 5036 Bqbohocd.exe 106 PID 4556 wrote to memory of 1964 4556 Bkjpkg32.exe 107 PID 4556 wrote to memory of 1964 4556 Bkjpkg32.exe 107 PID 4556 wrote to memory of 1964 4556 Bkjpkg32.exe 107 PID 1964 wrote to memory of 3420 1964 Djmima32.exe 108 PID 1964 wrote to memory of 3420 1964 Djmima32.exe 108 PID 1964 wrote to memory of 3420 1964 Djmima32.exe 108 PID 3420 wrote to memory of 4792 3420 Dnkbcp32.exe 109 PID 3420 wrote to memory of 4792 3420 Dnkbcp32.exe 109 PID 3420 wrote to memory of 4792 3420 Dnkbcp32.exe 109 PID 4792 wrote to memory of 4920 4792 Eahjqicj.exe 110 PID 4792 wrote to memory of 4920 4792 Eahjqicj.exe 110 PID 4792 wrote to memory of 4920 4792 Eahjqicj.exe 110 PID 4920 wrote to memory of 4316 4920 Fejlbgek.exe 111 PID 4920 wrote to memory of 4316 4920 Fejlbgek.exe 111 PID 4920 wrote to memory of 4316 4920 Fejlbgek.exe 111 PID 4316 wrote to memory of 3400 4316 Geabbfoc.exe 112 PID 4316 wrote to memory of 3400 4316 Geabbfoc.exe 112 PID 4316 wrote to memory of 3400 4316 Geabbfoc.exe 112 PID 3400 wrote to memory of 2972 3400 Hiinoc32.exe 113 PID 3400 wrote to memory of 2972 3400 Hiinoc32.exe 113 PID 3400 wrote to memory of 2972 3400 Hiinoc32.exe 113 PID 2972 wrote to memory of 5040 2972 Hhbdko32.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\0cec5cab32586daf5d4e09b052abb187.exe"C:\Users\Admin\AppData\Local\Temp\0cec5cab32586daf5d4e09b052abb187.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Dlicflic.exeC:\Windows\system32\Dlicflic.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Elilmi32.exeC:\Windows\system32\Elilmi32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1760
-
-
-
C:\Windows\SysWOW64\Ehpmbj32.exeC:\Windows\system32\Ehpmbj32.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Fbhnec32.exeC:\Windows\system32\Fbhnec32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Fcaqka32.exeC:\Windows\system32\Fcaqka32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\SysWOW64\Gcfjfqah.exeC:\Windows\system32\Gcfjfqah.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\SysWOW64\Gledpe32.exeC:\Windows\system32\Gledpe32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Mpedgghj.exeC:\Windows\system32\Mpedgghj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\Odcfdc32.exeC:\Windows\system32\Odcfdc32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Pphckb32.exeC:\Windows\system32\Pphckb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Qjcdih32.exeC:\Windows\system32\Qjcdih32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Addhbo32.exeC:\Windows\system32\Addhbo32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Bqbohocd.exeC:\Windows\system32\Bqbohocd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Bkjpkg32.exeC:\Windows\system32\Bkjpkg32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Djmima32.exeC:\Windows\system32\Djmima32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Dnkbcp32.exeC:\Windows\system32\Dnkbcp32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Windows\SysWOW64\Eahjqicj.exeC:\Windows\system32\Eahjqicj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Fejlbgek.exeC:\Windows\system32\Fejlbgek.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Geabbfoc.exeC:\Windows\system32\Geabbfoc.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\SysWOW64\Hiinoc32.exeC:\Windows\system32\Hiinoc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\SysWOW64\Hhbdko32.exeC:\Windows\system32\Hhbdko32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Ikjcmi32.exeC:\Windows\system32\Ikjcmi32.exe20⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Jkomhhae.exeC:\Windows\system32\Jkomhhae.exe21⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Jfgnka32.exeC:\Windows\system32\Jfgnka32.exe22⤵
- Executes dropped EXE
- Modifies registry class
PID:3188 -
C:\Windows\SysWOW64\Kjipmoai.exeC:\Windows\system32\Kjipmoai.exe23⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Kmmedi32.exeC:\Windows\system32\Kmmedi32.exe24⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Mlgegcng.exeC:\Windows\system32\Mlgegcng.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Njceqili.exeC:\Windows\system32\Njceqili.exe26⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Ofdhlh32.exeC:\Windows\system32\Ofdhlh32.exe27⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Olqqdo32.exeC:\Windows\system32\Olqqdo32.exe28⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Okaabg32.exeC:\Windows\system32\Okaabg32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1028 -
C:\Windows\SysWOW64\Pghaghfn.exeC:\Windows\system32\Pghaghfn.exe30⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Pdalkk32.exeC:\Windows\system32\Pdalkk32.exe31⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Anqfepaj.exeC:\Windows\system32\Anqfepaj.exe32⤵
- Executes dropped EXE
PID:3376 -
C:\Windows\SysWOW64\Agpqnd32.exeC:\Windows\system32\Agpqnd32.exe33⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Acgacegg.exeC:\Windows\system32\Acgacegg.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Bkepeaaa.exeC:\Windows\system32\Bkepeaaa.exe35⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Dcqmpa32.exeC:\Windows\system32\Dcqmpa32.exe36⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Dqdnjfpc.exeC:\Windows\system32\Dqdnjfpc.exe37⤵
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Eljknl32.exeC:\Windows\system32\Eljknl32.exe38⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Faqflb32.exeC:\Windows\system32\Faqflb32.exe39⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Gokmfe32.exeC:\Windows\system32\Gokmfe32.exe40⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Hmecba32.exeC:\Windows\system32\Hmecba32.exe41⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Hhpaki32.exeC:\Windows\system32\Hhpaki32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Ioclnblj.exeC:\Windows\system32\Ioclnblj.exe43⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Jlblcdpf.exeC:\Windows\system32\Jlblcdpf.exe44⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Lmeapbpa.exeC:\Windows\system32\Lmeapbpa.exe45⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Ldqfddml.exeC:\Windows\system32\Ldqfddml.exe46⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Lfbpcgbl.exeC:\Windows\system32\Lfbpcgbl.exe47⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Mokdllim.exeC:\Windows\system32\Mokdllim.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Mkhkblii.exeC:\Windows\system32\Mkhkblii.exe49⤵
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\Nilkkq32.exeC:\Windows\system32\Nilkkq32.exe50⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Nbiioe32.exeC:\Windows\system32\Nbiioe32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4272 -
C:\Windows\SysWOW64\Onjmjegg.exeC:\Windows\system32\Onjmjegg.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:4184 -
C:\Windows\SysWOW64\Obgeqcnn.exeC:\Windows\system32\Obgeqcnn.exe53⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Pbahgbfc.exeC:\Windows\system32\Pbahgbfc.exe54⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Qbeaba32.exeC:\Windows\system32\Qbeaba32.exe55⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Aooolbep.exeC:\Windows\system32\Aooolbep.exe56⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Aekdolkj.exeC:\Windows\system32\Aekdolkj.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:344 -
C:\Windows\SysWOW64\Cggikk32.exeC:\Windows\system32\Cggikk32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:4656 -
C:\Windows\SysWOW64\Dobnpm32.exeC:\Windows\system32\Dobnpm32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4612 -
C:\Windows\SysWOW64\Egiohh32.exeC:\Windows\system32\Egiohh32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:3444 -
C:\Windows\SysWOW64\Egnhcgeb.exeC:\Windows\system32\Egnhcgeb.exe61⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Fpnfbi32.exeC:\Windows\system32\Fpnfbi32.exe62⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Gablgk32.exeC:\Windows\system32\Gablgk32.exe63⤵PID:5068
-
C:\Windows\SysWOW64\Gcceifof.exeC:\Windows\system32\Gcceifof.exe64⤵PID:1600
-
C:\Windows\SysWOW64\Hfkdkqeo.exeC:\Windows\system32\Hfkdkqeo.exe65⤵PID:1524
-
C:\Windows\SysWOW64\Ijpcbn32.exeC:\Windows\system32\Ijpcbn32.exe66⤵
- Drops file in System32 directory
PID:3312 -
C:\Windows\SysWOW64\Ialhdh32.exeC:\Windows\system32\Ialhdh32.exe67⤵PID:2268
-
C:\Windows\SysWOW64\Ipcakd32.exeC:\Windows\system32\Ipcakd32.exe68⤵PID:3704
-
C:\Windows\SysWOW64\Jdfcla32.exeC:\Windows\system32\Jdfcla32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1828 -
C:\Windows\SysWOW64\Koekpi32.exeC:\Windows\system32\Koekpi32.exe70⤵PID:4572
-
C:\Windows\SysWOW64\Khplnn32.exeC:\Windows\system32\Khplnn32.exe71⤵
- Modifies registry class
PID:4632 -
C:\Windows\SysWOW64\Kkqepi32.exeC:\Windows\system32\Kkqepi32.exe72⤵PID:2776
-
C:\Windows\SysWOW64\Ldnbdnlc.exeC:\Windows\system32\Ldnbdnlc.exe73⤵PID:760
-
C:\Windows\SysWOW64\Mojmbf32.exeC:\Windows\system32\Mojmbf32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4692 -
C:\Windows\SysWOW64\Okcccdkp.exeC:\Windows\system32\Okcccdkp.exe75⤵
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Oelhljaq.exeC:\Windows\system32\Oelhljaq.exe76⤵PID:4352
-
C:\Windows\SysWOW64\Ondleo32.exeC:\Windows\system32\Ondleo32.exe77⤵PID:2600
-
C:\Windows\SysWOW64\Ogmaneoa.exeC:\Windows\system32\Ogmaneoa.exe78⤵PID:4284
-
C:\Windows\SysWOW64\Ongijo32.exeC:\Windows\system32\Ongijo32.exe79⤵PID:2896
-
C:\Windows\SysWOW64\Oilmhhfd.exeC:\Windows\system32\Oilmhhfd.exe80⤵PID:4112
-
C:\Windows\SysWOW64\Oiagcg32.exeC:\Windows\system32\Oiagcg32.exe81⤵PID:1888
-
C:\Windows\SysWOW64\Pihmcflg.exeC:\Windows\system32\Pihmcflg.exe82⤵PID:3136
-
C:\Windows\SysWOW64\Peonhg32.exeC:\Windows\system32\Peonhg32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4940 -
C:\Windows\SysWOW64\Alplfpbp.exeC:\Windows\system32\Alplfpbp.exe84⤵PID:2828
-
C:\Windows\SysWOW64\Aaoadg32.exeC:\Windows\system32\Aaoadg32.exe85⤵PID:3920
-
C:\Windows\SysWOW64\Appaangd.exeC:\Windows\system32\Appaangd.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Aogkhjii.exeC:\Windows\system32\Aogkhjii.exe87⤵
- Modifies registry class
PID:3592 -
C:\Windows\SysWOW64\Bojhnjgf.exeC:\Windows\system32\Bojhnjgf.exe88⤵PID:5160
-
C:\Windows\SysWOW64\Bhdilold.exeC:\Windows\system32\Bhdilold.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:5204 -
C:\Windows\SysWOW64\Bidefbcg.exeC:\Windows\system32\Bidefbcg.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5260 -
C:\Windows\SysWOW64\Cbofdg32.exeC:\Windows\system32\Cbofdg32.exe91⤵PID:5300
-
C:\Windows\SysWOW64\Chlomnfl.exeC:\Windows\system32\Chlomnfl.exe92⤵PID:5368
-
C:\Windows\SysWOW64\Eodlad32.exeC:\Windows\system32\Eodlad32.exe93⤵PID:5424
-
C:\Windows\SysWOW64\Hpenpp32.exeC:\Windows\system32\Hpenpp32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5472 -
C:\Windows\SysWOW64\Hcbgen32.exeC:\Windows\system32\Hcbgen32.exe95⤵PID:5512
-
C:\Windows\SysWOW64\Iafgob32.exeC:\Windows\system32\Iafgob32.exe96⤵PID:5552
-
C:\Windows\SysWOW64\Ifcpgiji.exeC:\Windows\system32\Ifcpgiji.exe97⤵PID:5596
-
C:\Windows\SysWOW64\Iiibdc32.exeC:\Windows\system32\Iiibdc32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5636 -
C:\Windows\SysWOW64\Ipckqnja.exeC:\Windows\system32\Ipckqnja.exe99⤵PID:5672
-
C:\Windows\SysWOW64\Jjhonfjg.exeC:\Windows\system32\Jjhonfjg.exe100⤵PID:5720
-
C:\Windows\SysWOW64\Jpegfm32.exeC:\Windows\system32\Jpegfm32.exe101⤵PID:5768
-
C:\Windows\SysWOW64\Jagqfp32.exeC:\Windows\system32\Jagqfp32.exe102⤵PID:5812
-
C:\Windows\SysWOW64\Jbhmnhcm.exeC:\Windows\system32\Jbhmnhcm.exe103⤵PID:5888
-
C:\Windows\SysWOW64\Mjednmla.exeC:\Windows\system32\Mjednmla.exe104⤵PID:6008
-
C:\Windows\SysWOW64\Cbcieqpd.exeC:\Windows\system32\Cbcieqpd.exe105⤵PID:6048
-
C:\Windows\SysWOW64\Coijja32.exeC:\Windows\system32\Coijja32.exe106⤵PID:6088
-
C:\Windows\SysWOW64\Dampal32.exeC:\Windows\system32\Dampal32.exe107⤵PID:6124
-
C:\Windows\SysWOW64\Dhfhnfhc.exeC:\Windows\system32\Dhfhnfhc.exe108⤵PID:5144
-
C:\Windows\SysWOW64\Fhngfcdi.exeC:\Windows\system32\Fhngfcdi.exe109⤵PID:5196
-
C:\Windows\SysWOW64\Hflclcle.exeC:\Windows\system32\Hflclcle.exe110⤵PID:5240
-
C:\Windows\SysWOW64\Hmfkin32.exeC:\Windows\system32\Hmfkin32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5328 -
C:\Windows\SysWOW64\Hbbdad32.exeC:\Windows\system32\Hbbdad32.exe112⤵PID:2604
-
C:\Windows\SysWOW64\Hillnoif.exeC:\Windows\system32\Hillnoif.exe113⤵PID:5336
-
C:\Windows\SysWOW64\Ibeqgdpf.exeC:\Windows\system32\Ibeqgdpf.exe114⤵
- Drops file in System32 directory
PID:624 -
C:\Windows\SysWOW64\Imjddmpl.exeC:\Windows\system32\Imjddmpl.exe115⤵PID:1396
-
C:\Windows\SysWOW64\Ibgmldnd.exeC:\Windows\system32\Ibgmldnd.exe116⤵PID:5452
-
C:\Windows\SysWOW64\Immaimnj.exeC:\Windows\system32\Immaimnj.exe117⤵PID:5532
-
C:\Windows\SysWOW64\Ildkpiqo.exeC:\Windows\system32\Ildkpiqo.exe118⤵PID:4256
-
C:\Windows\SysWOW64\Jcplle32.exeC:\Windows\system32\Jcplle32.exe119⤵PID:5620
-
C:\Windows\SysWOW64\Jioajliq.exeC:\Windows\system32\Jioajliq.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5688 -
C:\Windows\SysWOW64\Jefbomoe.exeC:\Windows\system32\Jefbomoe.exe121⤵PID:5764
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-