Analysis
max time kernel: 157s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 18:53

The details on this page come from the win10v2004-20231215-en run (behavioral2 below); the WOW6432Node and SysWOW64 paths in the IoCs are what a 32-bit sample produces on that 64-bit image. behavioral1 ran the same sample on win7-20231215-en and hit 8 signatures.
Static task
static1
1 signatures

Behavioral task
behavioral1
Sample: c57347e76546f1f3f93323fc9c6f7024.exe
Resource: win7-20231215-en
8 signatures
150 seconds

Behavioral task
behavioral2
Sample: c57347e76546f1f3f93323fc9c6f7024.exe
Resource: win10v2004-20231215-en
5 signatures
150 seconds
General
Target: c57347e76546f1f3f93323fc9c6f7024.exe
Size: 250KB
MD5: c57347e76546f1f3f93323fc9c6f7024
SHA1: ccd60efe5dcd1b224fe2368122dde502bd5b109c
SHA256: d1eec15271af01615dcad6704b244bdb772a3f7ed5ec5edee2d1b17ab393290c
SHA512: 2c0012900aab1c69266d8de741f6944a2d9088f0de8d85855adfbd3d5af8f6f4abda33d598ce8f254d9a15cb3885d8e5911e44c4b8f80a9a55535b89a9f04b5f
SSDEEP: 6144:1k7tV+fZvCvfmZ7KRRRGBCvfmZ7KFpNlJTBCvfmZ7d:1uV+I
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Every row touches the 32-bit (WOW6432Node) ShellServiceObjectDelayLoad key. "Key created" rows have the ioc
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
and "Set value (str)" rows have the ioc
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
The value name "Web Event Logger" and the CLSID are identical in every row; only the writing process differs.

description | Process
Set value (str) | Icakofel.exe
Key created | Hhdhhchf.exe
Set value (str) | Knabne32.exe
Key created | Iqfcbahb.exe
Set value (str) | Apcead32.exe
Key created | Idebniil.exe
Key created | Mnnkaa32.exe
Key created | Ndcoeq32.exe
Set value (str) | Nfiagd32.exe
Key created | Aljmal32.exe
Set value (str) | Ocegnoog.exe
Set value (str) | Pmbjcb32.exe
Set value (str) | Iblfgc32.exe
Key created | Kpfonnab.exe
Key created | Hncmfj32.exe
Set value (str) | Adfnhlfa.exe
Set value (str) | Bfieagka.exe
Set value (str) | Jomeoggk.exe
Set value (str) | Pmdpok32.exe
Key created | Jidkek32.exe
Set value (str) | Iomcqa32.exe
Set value (str) | Hgfaij32.exe
Key created | Mclhjkfa.exe
Set value (str) | Gdhcagnp.exe
Set value (str) | Pgmkbg32.exe
Set value (str) | Cpmqoqbp.exe
Key created | Qjiaak32.exe
Set value (str) | Bcddlhgo.exe
Set value (str) | Bkjikd32.exe
Set value (str) | Fmkqknci.exe
Key created | Dfbebpdq.exe
Key created | Njljnl32.exe
Set value (str) | Dkgqpaed.exe
Key created | Jnifbmfo.exe
Key created | Hoakpi32.exe
Set value (str) | Ignndo32.exe
Key created | Gcpcgfmi.exe
Set value (str) | Enfjdh32.exe
Set value (str) | Iokocmnf.exe
Set value (str) | Nebdighb.exe
Key created | Acheqi32.exe
Set value (str) | Bokeai32.exe
Set value (str) | Mlemcq32.exe
Key created | Pmbjcb32.exe
Set value (str) | Cnjkgf32.exe
Key created | Dqdgop32.exe
Key created | Ecmlmcmb.exe
Key created | Kijjldkh.exe
Set value (str) | Dhdmfljb.exe
Key created | Qemhlp32.exe
Set value (str) | Fbnflihq.exe
Set value (str) | Hnkhjdle.exe
Key created | Ihgnfnjl.exe
Key created | Bnnklg32.exe
Key created | Coegih32.exe
Set value (str) | Opongobp.exe
Set value (str) | Iqfcbahb.exe
Set value (str) | Fejlbgek.exe
Set value (str) | Iheaqolo.exe
Key created | Ijqmacpl.exe
Set value (str) | Bllbkg32.exe
Key created | Fmcjiagf.exe
Set value (str) | Mhkgnkoj.exe
Set value (str) | Pelacg32.exe
Executes dropped EXE (64 IoCs)

pid | Process
2556 | Ekngemhd.exe
3936 | Fglnkm32.exe
1896 | Fbaahf32.exe
3260 | Ggepalof.exe
2040 | Hnkhjdle.exe
896 | Hchqbkkm.exe
4300 | Hkcbnh32.exe
1364 | Iagqgn32.exe
2636 | Jlanpfkj.exe
1464 | Jhoeef32.exe
888 | Kbeibo32.exe
2044 | Kdkoef32.exe
4116 | Lhbkac32.exe
3832 | Mclhjkfa.exe
700 | Mlemcq32.exe
4372 | Mhknhabf.exe
4160 | Nfiagd32.exe
1472 | Ndpjnq32.exe
4364 | Odbgdp32.exe
4448 | Ochamg32.exe
3804 | Pbddobla.exe
928 | Almanf32.exe
2460 | Blknpdho.exe
400 | Cidgdg32.exe
2408 | Dfakcj32.exe
3996 | Digmqe32.exe
3280 | Fckaeioa.exe
2724 | Fcbgfhii.exe
4900 | Gcpcgfmi.exe
1116 | Hdbmfhbi.exe
720 | Hqimlihn.exe
4140 | Incdem32.exe
5116 | Knkcmild.exe
4644 | Lndfchdj.exe
804 | Loniiflo.exe
3060 | Mhkgnkoj.exe
4588 | Nkpijfgf.exe
2288 | Nkjlqd32.exe
264 | Pkhhbbck.exe
4692 | Pfdbpjmi.exe
1856 | Agmehamp.exe
2920 | Aiqkmd32.exe
4724 | Bfieagka.exe
1108 | Cfbhhfbg.exe
4736 | Cppelkeb.exe
1992 | Dfngcdhi.exe
5064 | Dhdmfljb.exe
1312 | Ehpmbj32.exe
660 | Eedmlo32.exe
1144 | Fghcqq32.exe
564 | Ggafgo32.exe
464 | Hgkimn32.exe
1148 | Hokgmpkl.exe
2972 | Hfgloiqf.exe
4780 | Icminm32.exe
4028 | Ijgakgej.exe
2552 | Iqfcbahb.exe
4852 | Jcgldl32.exe
1836 | Jcnbekok.exe
3980 | Jikjmbmb.exe
3844 | Kpgoolbl.exe
3512 | Kplijk32.exe
5052 | Lpbokjho.exe
3448 | Lagepl32.exe
Drops file in System32 directory (64 IoCs)
All paths are under C:\Windows\SysWOW64\. Each stage writes the next stage's .exe and a companion .dll; several of the DLLs (for example Eaedbq32.dll from Fllkjd32.exe and Jnfamk32.dll from Eangimij.exe) reappear as the InProcServer32 target under "Modifies registry class", written by the same process.

description | ioc | Process
File created | C:\Windows\SysWOW64\Mgceqh32.exe | Mnjqhcno.exe
File created | C:\Windows\SysWOW64\Kogibk32.dll | Jaddpppa.exe
File opened for modification | C:\Windows\SysWOW64\Kepdfo32.exe | Knabne32.exe
File created | C:\Windows\SysWOW64\Mkagaa32.dll | Oampdkbj.exe
File created | C:\Windows\SysWOW64\Lmgglf32.dll | Hkcbnh32.exe
File created | C:\Windows\SysWOW64\Epplai32.dll | Icakofel.exe
File created | C:\Windows\SysWOW64\Hkhbaj32.dll | Kqknekjf.exe
File created | C:\Windows\SysWOW64\Foekbg32.exe | Edmjpoli.exe
File created | C:\Windows\SysWOW64\Nhmejf32.exe | Nkieab32.exe
File created | C:\Windows\SysWOW64\Idebniil.exe | Hhihnihm.exe
File created | C:\Windows\SysWOW64\Jnnpnl32.exe | Jnkchmdl.exe
File opened for modification | C:\Windows\SysWOW64\Cbnkhcha.exe | Cfgjcb32.exe
File opened for modification | C:\Windows\SysWOW64\Iqfcbahb.exe | Ijgakgej.exe
File opened for modification | C:\Windows\SysWOW64\Ldjhib32.exe | Kmdqai32.exe
File created | C:\Windows\SysWOW64\Cikqab32.dll | Nfcoekhe.exe
File created | C:\Windows\SysWOW64\Gjfbnpkg.dll | Cpljdjnd.exe
File opened for modification | C:\Windows\SysWOW64\Fkcibnmd.exe | Flnlaahl.exe
File created | C:\Windows\SysWOW64\Digmqe32.exe | Dfakcj32.exe
File created | C:\Windows\SysWOW64\Icakofel.exe | Ihlgan32.exe
File created | C:\Windows\SysWOW64\Hcpjpn32.exe | Hjhfgi32.exe
File created | C:\Windows\SysWOW64\Mabnlh32.exe | Mqpqghgn.exe
File opened for modification | C:\Windows\SysWOW64\Hchqbkkm.exe | Hnkhjdle.exe
File opened for modification | C:\Windows\SysWOW64\Jhoeef32.exe | Jlanpfkj.exe
File created | C:\Windows\SysWOW64\Odgodh32.dll | Aqfolqna.exe
File opened for modification | C:\Windows\SysWOW64\Hplimpdi.exe | Hibape32.exe
File opened for modification | C:\Windows\SysWOW64\Gnfmapqo.exe | Gpelchhp.exe
File opened for modification | C:\Windows\SysWOW64\Megdmhbp.exe | Medggidb.exe
File created | C:\Windows\SysWOW64\Pbnopf32.dll | Qjiaak32.exe
File created | C:\Windows\SysWOW64\Ljmmnf32.exe | Kepdfo32.exe
File created | C:\Windows\SysWOW64\Gaepgacn.exe | Gjkgkg32.exe
File created | C:\Windows\SysWOW64\Dnpjpj32.dll | Opongobp.exe
File created | C:\Windows\SysWOW64\Jnfamk32.dll | Eangimij.exe
File opened for modification | C:\Windows\SysWOW64\Mmdlflki.exe | Mhhcne32.exe
File created | C:\Windows\SysWOW64\Hhihnihm.exe | Hbppaopp.exe
File opened for modification | C:\Windows\SysWOW64\Ddjmkg32.exe | Dfpfokfg.exe
File opened for modification | C:\Windows\SysWOW64\Bijnnf32.exe | Agiagn32.exe
File opened for modification | C:\Windows\SysWOW64\Cfjnch32.exe | Cmaikcmf.exe
File created | C:\Windows\SysWOW64\Fkcibnmd.exe | Flnlaahl.exe
File created | C:\Windows\SysWOW64\Hgahnjpk.exe | Hkkgii32.exe
File opened for modification | C:\Windows\SysWOW64\Dkgqpaed.exe | Ddklnh32.exe
File created | C:\Windows\SysWOW64\Klloichl.exe | Kbfjljhf.exe
File opened for modification | C:\Windows\SysWOW64\Fblldn32.exe | Ficgkico.exe
File opened for modification | C:\Windows\SysWOW64\Dhnnoe32.exe | Dcaefo32.exe
File created | C:\Windows\SysWOW64\Enacadhc.dll | Ibncmchl.exe
File created | C:\Windows\SysWOW64\Knabne32.exe | Kqnbea32.exe
File created | C:\Windows\SysWOW64\Dfcjoa32.exe | Dkmebh32.exe
File opened for modification | C:\Windows\SysWOW64\Kplijk32.exe | Kpgoolbl.exe
File opened for modification | C:\Windows\SysWOW64\Ihgnfnjl.exe | Iheaqolo.exe
File created | C:\Windows\SysWOW64\Clhbhc32.exe | Bodano32.exe
File created | C:\Windows\SysWOW64\Ljnqoldc.dll | Pelacg32.exe
File opened for modification | C:\Windows\SysWOW64\Edcqojqh.exe | Dannbogl.exe
File opened for modification | C:\Windows\SysWOW64\Nelfnd32.exe | Neiiiecg.exe
File created | C:\Windows\SysWOW64\Khqeenpg.dll | Fiodib32.exe
File created | C:\Windows\SysWOW64\Mgbqpa32.dll | Nkpijfgf.exe
File created | C:\Windows\SysWOW64\Ioaegj32.dll | Mmdlflki.exe
File created | C:\Windows\SysWOW64\Dogfkpih.exe | Dhnnoe32.exe
File created | C:\Windows\SysWOW64\Ihqlml32.dll | Kpbfbo32.exe
File created | C:\Windows\SysWOW64\Oboakhmo.exe | Onaieifh.exe
File created | C:\Windows\SysWOW64\Dendcmjg.dll | Cbgbpp32.exe
File opened for modification | C:\Windows\SysWOW64\Kgefae32.exe | Kqknekjf.exe
File opened for modification | C:\Windows\SysWOW64\Pppoeg32.exe | Pfhklabb.exe
File created | C:\Windows\SysWOW64\Phoaeipj.dll | Gkhkdjli.exe
File created | C:\Windows\SysWOW64\Eaedbq32.dll | Fllkjd32.exe
File created | C:\Windows\SysWOW64\Oocmcn32.exe | Oejijiip.exe
Modifies registry class (64 IoCs)
All rows are under the key
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
which is the CLSID referenced by the ShellServiceObjectDelayLoad value above. "Key created" rows create that key; "(default)" rows set its unnamed default value to the DLL path shown (backslashes doubled as the report escapes them); "ThreadingModel" rows set InProcServer32\ThreadingModel = "Apartment".

description | value | Process
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Gnbhjhfh.dll" | Nbdijpjh.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Eheldnol.dll" | Gdhcagnp.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Ejkmkh32.dll" | Goconkah.exe
Key created | | Mlkejgfj.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Eaedbq32.dll" | Fllkjd32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Limmplda.dll" | Bhgcdjje.exe
Key created | | Bjmpfdhb.exe
Key created | | Lfbpcgbl.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Kcoblg32.dll" | Jcgldl32.exe
Key created | | Mnlfclip.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Gmhpanjp.dll" | Hglaookl.exe
Set value (str) | ThreadingModel = "Apartment" | Fllkjd32.exe
Key created | | Gpeclq32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Ifefggbd.dll" | Cogmdb32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Pbkiee32.dll" | Bnkgomnl.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Bhodilni.dll" | Ggoaje32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Cqochl32.dll" | Abcgii32.exe
Key created | | Mminaikp.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Icpofn32.dll" | Dcaefo32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Jnfamk32.dll" | Eangimij.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Ekmdnmee.dll" | Nelmik32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Plhppp32.dll" | Ncbfcp32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Bbkbabje.dll" | Bcngddao.exe
Key created | | Qecgcfmf.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Bedbgmjo.dll" | Cmflkl32.exe
Key created | | Ligglo32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Fmmloo32.dll" | Pmangnmg.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Kljdie32.dll" | Iomcqa32.exe
Set value (str) | ThreadingModel = "Apartment" | Mnnkaa32.exe
Set value (str) | ThreadingModel = "Apartment" | Bkjikd32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Kfkklk32.dll" | Fbaahf32.exe
Key created | | Bkefphem.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Bijnai32.dll" | Llcoihmb.exe
Key created | | Lndfchdj.exe
Key created | | Fdopkhfk.exe
Set value (str) | ThreadingModel = "Apartment" | Gklenf32.exe
Set value (str) | ThreadingModel = "Apartment" | Mhknaghc.exe
Key created | | Genobp32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Ipehob32.dll" | Ggicmh32.exe
Key created | | Lcifde32.exe
Set value (str) | ThreadingModel = "Apartment" | Nllekk32.exe
Key created | | Kiajck32.exe
Set value (str) | ThreadingModel = "Apartment" | Obqopddf.exe
Set value (str) | ThreadingModel = "Apartment" | Ebbinp32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Ojgjmbjb.dll" | Afinbdon.exe
Set value (str) | ThreadingModel = "Apartment" | Hqimlihn.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Cpmcffca.dll" | Djeegf32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Donjdabe.dll" | Ndmepe32.exe
Key created | | Fkqebg32.exe
Set value (str) | ThreadingModel = "Apartment" | Oofacdaj.exe
Set value (str) | ThreadingModel = "Apartment" | Klibdcjo.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Jlocei32.dll" | Iioicn32.exe
Set value (str) | ThreadingModel = "Apartment" | Mnjqhcno.exe
Key created | | Gqdbbelf.exe
Set value (str) | ThreadingModel = "Apartment" | Ipflcnln.exe
Set value (str) | ThreadingModel = "Apartment" | Foqdem32.exe
Key created | | Amblpikl.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Pjickj32.dll" | Feapdaof.exe
Set value (str) | ThreadingModel = "Apartment" | Odhppclh.exe
Set value (str) | ThreadingModel = "Apartment" | Ngekmf32.exe
Key created | | Fmkqknci.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Mjpdcn32.dll" | Mdfopf32.exe
Set value (str) | ThreadingModel = "Apartment" | Lagepl32.exe
Set value (str) | ThreadingModel = "Apartment" | Kfpjgi32.exe
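Read together, "Adds autorun key" and "Modifies registry class" describe one persistence mechanism: a ShellServiceObjectDelayLoad value named "Web Event Logger" points at CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and that CLSID's InProcServer32 default value points at a freshly dropped DLL in SysWow64, so Explorer loads the DLL as a shell service object. The report lists the two halves separately, one row per writing process, which hides the join. The Python below is an example added for this page, not tria.ge's or the sample's code: it parses the report's flattened "description ioc Process" rows, joins SSODL value to CLSID to DLL, and flags any SSODL entry that is not in a baseline. The baseline (a single WebCheck entry) and the one explorer.exe line in the sample data are assumptions standing in for a clean Windows 10 image; the other sample lines are copied from the report.

```python
"""Correlate tria.ge registry IoCs into a ShellServiceObjectDelayLoad (SSODL)
persistence chain: SSODL value -> CLSID -> InProcServer32 DLL.

Example code added for this report; not tria.ge's own code. SAMPLE_IOCS
lines are copied from the report above, plus one constructed WebCheck line
that stands in for the stock Windows entry. KNOWN_SSODL is an assumed
baseline; replace it with values read from your own gold image.
"""
import re
from collections import defaultdict

# Assumption: the only SSODL entry expected on a clean Windows 10 image.
KNOWN_SSODL = {"WebCheck": "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}

# Flattened report row: <description> <registry path> [= "<value>"] <process>
IOC_RE = re.compile(
    r'^(?P<desc>Set value \(\w+\)|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s=\s"(?P<value>.*)")?'
    r'\s(?P<proc>\S+)$'
)
# InProcServer32 default value: the report writes the unnamed value as a
# trailing backslash on the key path.
SERVER_RE = re.compile(
    r'\\CLSID\\(?P<clsid>\{[0-9A-F-]+\})\\InProcServer32\\$', re.IGNORECASE
)
SSODL_TAG = '\\ShellServiceObjectDelayLoad\\'

SAMPLE_IOCS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icakofel.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhdhhchf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfiagd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbhjhfh.dll" Nbdijpjh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eheldnol.dll" Gdhcagnp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlkejgfj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fllkjd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" explorer.exe
"""


def parse_iocs(text):
    """Parse flattened 'description ioc process' rows into dicts."""
    records = []
    for line in text.strip().splitlines():
        m = IOC_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def correlate(records):
    """Join SSODL values to the CLSID they name and the DLLs that CLSID loads.

    Returns one finding per SSODL value that is not in KNOWN_SSODL, with the
    DLL paths registered for its CLSID and the processes that wrote the value.
    """
    ssodl = {}                  # value name -> {"clsid": ..., "writers": set()}
    servers = defaultdict(set)  # CLSID -> DLL paths set as InProcServer32 default
    for r in records:
        path, value = r["path"], r["value"]
        if value is None:
            continue            # "Key created" rows carry no value
        if SSODL_TAG in path:
            name = path.rsplit("\\", 1)[1]
            entry = ssodl.setdefault(name, {"clsid": value.upper(), "writers": set()})
            entry["writers"].add(r["proc"])
            continue
        m = SERVER_RE.search(path)
        if m:
            # the report escapes backslashes inside string values
            servers[m.group("clsid").upper()].add(value.replace("\\\\", "\\"))
    findings = []
    for name, entry in ssodl.items():
        if KNOWN_SSODL.get(name, "").upper() == entry["clsid"]:
            continue            # name and CLSID both match the baseline
        findings.append({
            "name": name,
            "clsid": entry["clsid"],
            "dlls": sorted(servers.get(entry["clsid"], ())),
            "writers": sorted(entry["writers"]),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_iocs(SAMPLE_IOCS)):
        print(f"{f['name']} -> {f['clsid']} -> {', '.join(f['dlls'])}"
              f" (value written by {', '.join(f['writers'])})")
```

The same join on a live 64-bit host is two queries: reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad to list value names and CLSIDs, then reg query HKCR\WOW6432Node\CLSID\{CLSID}\InProcServer32 for each one; repeat without WOW6432Node for the native view. A value name that sounds like a Windows component ("Web Event Logger") is not evidence of anything; the DLL path and its signature are what to check. Note that the sample re-registers the CLSID with a different DLL name from nearly every stage, so a single "expected DLL" string is a poor indicator; the CLSID and the value name are the stable parts here.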
Suspicious use of WriteProcessMemory (64 IoCs)
Each process writes into the memory of the child it starts next. The sandbox logged three writes per child, so the 64-IoC cap cuts the list at the first write of the last pair. "records" is the number of identical rows the report lists for that pair; "procid_target" is the report's own column.

pid | Process | wrote to memory of | procid_target | records
3660 | c57347e76546f1f3f93323fc9c6f7024.exe | 2556 | 92 | 3
2556 | Ekngemhd.exe | 3936 | 93 | 3
3936 | Fglnkm32.exe | 1896 | 94 | 3
1896 | Fbaahf32.exe | 3260 | 95 | 3
3260 | Ggepalof.exe | 2040 | 96 | 3
2040 | Hnkhjdle.exe | 896 | 97 | 3
896 | Hchqbkkm.exe | 4300 | 98 | 3
4300 | Hkcbnh32.exe | 1364 | 99 | 3
1364 | Iagqgn32.exe | 2636 | 100 | 3
2636 | Jlanpfkj.exe | 1464 | 101 | 3
1464 | Jhoeef32.exe | 888 | 102 | 3
888 | Kbeibo32.exe | 2044 | 103 | 3
2044 | Kdkoef32.exe | 4116 | 104 | 3
4116 | Lhbkac32.exe | 3832 | 105 | 3
3832 | Mclhjkfa.exe | 700 | 106 | 3
700 | Mlemcq32.exe | 4372 | 107 | 3
4372 | Mhknhabf.exe | 4160 | 108 | 3
4160 | Nfiagd32.exe | 1472 | 109 | 3
1472 | Ndpjnq32.exe | 4364 | 110 | 3
4364 | Odbgdp32.exe | 4448 | 111 | 3
4448 | Ochamg32.exe | 3804 | 112 | 3
3804 | Pbddobla.exe | 928 | 113 | 1
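The three lists "Executes dropped EXE", "Drops file in System32 directory" and "Suspicious use of WriteProcessMemory" are views of one behaviour: every stage writes the next stage's image into SysWOW64, starts it, and writes into its memory. The following Python is an example added for this page, not tria.ge's or the sample's code. It rebuilds that chain from the report's flattened rows: WriteProcessMemory rows give the parent-to-child edges (de-duplicated, keeping the record count), the "Executes dropped EXE" rows give pid-to-image names, and the "Drops file" rows say which parent was also seen writing the child's image. The sample strings are excerpts of the report above; only the first hop is kept in triplicate to exercise the de-duplication. Because the report caps each list at 64 entries, most hops have no matching file write in the excerpt, which is a limitation of the capped lists, not evidence that the file was not dropped.

```python
"""Rebuild the dropper chain from three IoC lists in the report above:
'Suspicious use of WriteProcessMemory' (who started whom), 'Executes dropped
EXE' (pid -> image name) and 'Drops file in System32 directory' (who wrote
which file).

Example code added for this report, not tria.ge's or the sample's. The three
SAMPLE_* strings are excerpts of the report's own flattened lists; only the
first hop is kept in triplicate, as the report shows it, to exercise the
de-duplication.
"""
import re

# "PID <parent> wrote to memory of <child> <pid> <Process> <procid_target>"
WPM_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) "
    r"(?P<proc>\S+) (?P<target>\d+)"
)
# "<pid> <Process>" pairs from the Executes dropped EXE list
EXEC_RE = re.compile(r"(?P<pid>\d+) (?P<name>\S+\.exe)")
# "File created|opened for modification <path> <Process>"
DROP_RE = re.compile(
    r"File (?P<action>created|opened for modification) (?P<path>\S+) (?P<proc>\S+)"
)

SAMPLE_WPM = (
    "PID 3660 wrote to memory of 2556 3660 c57347e76546f1f3f93323fc9c6f7024.exe 92 "
    "PID 3660 wrote to memory of 2556 3660 c57347e76546f1f3f93323fc9c6f7024.exe 92 "
    "PID 3660 wrote to memory of 2556 3660 c57347e76546f1f3f93323fc9c6f7024.exe 92 "
    "PID 2556 wrote to memory of 3936 2556 Ekngemhd.exe 93 "
    "PID 3936 wrote to memory of 1896 3936 Fglnkm32.exe 94 "
    "PID 1896 wrote to memory of 3260 1896 Fbaahf32.exe 95 "
    "PID 3260 wrote to memory of 2040 3260 Ggepalof.exe 96 "
    "PID 2040 wrote to memory of 896 2040 Hnkhjdle.exe 97 "
    "PID 896 wrote to memory of 4300 896 Hchqbkkm.exe 98 "
    "PID 4300 wrote to memory of 1364 4300 Hkcbnh32.exe 99 "
    "PID 1364 wrote to memory of 2636 1364 Iagqgn32.exe 100 "
    "PID 2636 wrote to memory of 1464 2636 Jlanpfkj.exe 101 "
    "PID 1464 wrote to memory of 888 1464 Jhoeef32.exe 102"
)
SAMPLE_EXEC = (
    "2556 Ekngemhd.exe 3936 Fglnkm32.exe 1896 Fbaahf32.exe 3260 Ggepalof.exe "
    "2040 Hnkhjdle.exe 896 Hchqbkkm.exe 4300 Hkcbnh32.exe 1364 Iagqgn32.exe "
    "2636 Jlanpfkj.exe 1464 Jhoeef32.exe 888 Kbeibo32.exe"
)
SAMPLE_DROPS = (
    r"File created C:\Windows\SysWOW64\Mgceqh32.exe Mnjqhcno.exe "
    r"File created C:\Windows\SysWOW64\Lmgglf32.dll Hkcbnh32.exe "
    r"File opened for modification C:\Windows\SysWOW64\Hchqbkkm.exe Hnkhjdle.exe "
    r"File opened for modification C:\Windows\SysWOW64\Jhoeef32.exe Jlanpfkj.exe"
)


def exec_edges(wpm_text):
    """(parent, child) -> parent image, procid_target and number of WPM records."""
    edges = {}
    for m in WPM_RE.finditer(wpm_text):
        key = (int(m["parent"]), int(m["child"]))
        info = edges.setdefault(key, {"proc": m["proc"], "target": int(m["target"]), "calls": 0})
        info["calls"] += 1
    return edges


def pid_names(exec_text):
    """pid -> image name from the Executes dropped EXE list."""
    return {int(m["pid"]): m["name"] for m in EXEC_RE.finditer(exec_text)}


def drop_edges(drop_text):
    """Lower-cased file name -> processes that created it or opened it for writing."""
    drops = {}
    for m in DROP_RE.finditer(drop_text):
        name = m["path"].rsplit("\\", 1)[-1].lower()
        drops.setdefault(name, set()).add(m["proc"])
    return drops


def rebuild_chain(wpm_text, exec_text, drop_text, root_pid):
    """Walk the process tree from root_pid and return one dict per hop.

    A parent with more than one child raises: this sample is a strictly linear
    chain, and anything else deserves a look rather than silent flattening.
    """
    edges = exec_edges(wpm_text)
    names = pid_names(exec_text)
    drops = drop_edges(drop_text)
    children = {}
    for (parent, child), info in edges.items():
        children.setdefault(parent, []).append((child, info))
    chain, pid, seen = [], root_pid, set()
    while pid in children and pid not in seen:   # 'seen' guards against a cycle
        seen.add(pid)
        if len(children[pid]) != 1:
            raise ValueError(f"pid {pid} has {len(children[pid])} children; not a linear chain")
        child, info = children[pid][0]
        child_name = names.get(child, "?")
        chain.append({
            "parent_pid": pid, "parent": info["proc"],
            "child_pid": child, "child": child_name,
            "calls": info["calls"],
            "dropped_by": sorted(drops.get(child_name.lower(), ())),
        })
        pid = child
    return chain


if __name__ == "__main__":
    for hop in rebuild_chain(SAMPLE_WPM, SAMPLE_EXEC, SAMPLE_DROPS, 3660):
        written = ", ".join(hop["dropped_by"]) or "no file write in the (capped) list"
        print(f"{hop['parent']} ({hop['parent_pid']}) -> {hop['child']} ({hop['child_pid']}): "
              f"{hop['calls']} WPM record(s); image written by: {written}")
```

Run against the full lists rather than the excerpt, the chain is 22 hops deep before the 64-entry cap cuts it off, and each hop changes the image name, so matching on file names is pointless; the hop count itself, one new SysWOW64 image per process and every process writing the next one's memory, is the pattern worth alerting on.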
Processes
(the leading number is the nesting depth in the sandbox's process tree; every process is spawned by the one listed directly above it)

1. C:\Users\Admin\AppData\Local\Temp\c57347e76546f1f3f93323fc9c6f7024.exe (PID 3660)
   Command line: "C:\Users\Admin\AppData\Local\Temp\c57347e76546f1f3f93323fc9c6f7024.exe"
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Ekngemhd.exe (PID 2556)
   Command line: C:\Windows\system32\Ekngemhd.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Fglnkm32.exe (PID 3936)
   Command line: C:\Windows\system32\Fglnkm32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Fbaahf32.exe (PID 1896)
   Command line: C:\Windows\system32\Fbaahf32.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ggepalof.exe (PID 3260)
   Command line: C:\Windows\system32\Ggepalof.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Hnkhjdle.exe (PID 2040)
   Command line: C:\Windows\system32\Hnkhjdle.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Hchqbkkm.exe (PID 896)
   Command line: C:\Windows\system32\Hchqbkkm.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Hkcbnh32.exe (PID 4300)
   Command line: C:\Windows\system32\Hkcbnh32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Iagqgn32.exe (PID 1364)
   Command line: C:\Windows\system32\Iagqgn32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Jlanpfkj.exe (PID 2636)
   Command line: C:\Windows\system32\Jlanpfkj.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Jhoeef32.exe (PID 1464)
   Command line: C:\Windows\system32\Jhoeef32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Kbeibo32.exe (PID 888)
   Command line: C:\Windows\system32\Kbeibo32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Kdkoef32.exe (PID 2044)
   Command line: C:\Windows\system32\Kdkoef32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Lhbkac32.exe (PID 4116)
   Command line: C:\Windows\system32\Lhbkac32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Mclhjkfa.exe (PID 3832)
   Command line: C:\Windows\system32\Mclhjkfa.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Mlemcq32.exe (PID 700)
   Command line: C:\Windows\system32\Mlemcq32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Mhknhabf.exe (PID 4372)
   Command line: C:\Windows\system32\Mhknhabf.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Nfiagd32.exe (PID 4160)
   Command line: C:\Windows\system32\Nfiagd32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Ndpjnq32.exe (PID 1472)
   Command line: C:\Windows\system32\Ndpjnq32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Odbgdp32.exe (PID 4364)
   Command line: C:\Windows\system32\Odbgdp32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Ochamg32.exe (PID 4448)
   Command line: C:\Windows\system32\Ochamg32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Pbddobla.exe (PID 3804)
   Command line: C:\Windows\system32\Pbddobla.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Almanf32.exe (PID 928)
   Command line: C:\Windows\system32\Almanf32.exe
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Blknpdho.exe (PID 2460)
   Command line: C:\Windows\system32\Blknpdho.exe
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Cidgdg32.exe (PID 400)
   Command line: C:\Windows\system32\Cidgdg32.exe
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Dfakcj32.exe (PID 2408)
   Command line: C:\Windows\system32\Dfakcj32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
27. C:\Windows\SysWOW64\Digmqe32.exe (PID 3996)
   Command line: C:\Windows\system32\Digmqe32.exe
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Fckaeioa.exe (PID 3280)
   Command line: C:\Windows\system32\Fckaeioa.exe
   - Executes dropped EXE
29. C:\Windows\SysWOW64\Fcbgfhii.exe (PID 2724)
   Command line: C:\Windows\system32\Fcbgfhii.exe
   - Executes dropped EXE
30. C:\Windows\SysWOW64\Gcpcgfmi.exe (PID 4900)
   Command line: C:\Windows\system32\Gcpcgfmi.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
31. C:\Windows\SysWOW64\Hdbmfhbi.exe (PID 1116)
   Command line: C:\Windows\system32\Hdbmfhbi.exe
   - Executes dropped EXE
32. C:\Windows\SysWOW64\Hqimlihn.exe (PID 720)
   Command line: C:\Windows\system32\Hqimlihn.exe
   - Executes dropped EXE
   - Modifies registry class
33. C:\Windows\SysWOW64\Incdem32.exe (PID 4140)
   Command line: C:\Windows\system32\Incdem32.exe
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Knkcmild.exe (PID 5116)
   Command line: C:\Windows\system32\Knkcmild.exe
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Lndfchdj.exe (PID 4644)
   Command line: C:\Windows\system32\Lndfchdj.exe
   - Executes dropped EXE
   - Modifies registry class
36. C:\Windows\SysWOW64\Loniiflo.exe (PID 804)
   Command line: C:\Windows\system32\Loniiflo.exe
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Mhkgnkoj.exe (PID 3060)
   Command line: C:\Windows\system32\Mhkgnkoj.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Nkpijfgf.exe (PID 4588)
   Command line: C:\Windows\system32\Nkpijfgf.exe
   - Executes dropped EXE
   - Drops file in System32 directory
39. C:\Windows\SysWOW64\Nkjlqd32.exe (PID 2288)
   Command line: C:\Windows\system32\Nkjlqd32.exe
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Pkhhbbck.exe (PID 264)
   Command line: C:\Windows\system32\Pkhhbbck.exe
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Pfdbpjmi.exe (PID 4692)
   Command line: C:\Windows\system32\Pfdbpjmi.exe
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Agmehamp.exe (PID 1856)
   Command line: C:\Windows\system32\Agmehamp.exe
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Aiqkmd32.exe (PID 2920)
   Command line: C:\Windows\system32\Aiqkmd32.exe
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Bfieagka.exe (PID 4724)
   Command line: C:\Windows\system32\Bfieagka.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Cfbhhfbg.exe (PID 1108)
   Command line: C:\Windows\system32\Cfbhhfbg.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Cppelkeb.exe (PID 4736)
   Command line: C:\Windows\system32\Cppelkeb.exe
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Dfngcdhi.exe (PID 1992)
   Command line: C:\Windows\system32\Dfngcdhi.exe
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Dhdmfljb.exe (PID 5064)
   Command line: C:\Windows\system32\Dhdmfljb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Ehpmbj32.exe (PID 1312)
   Command line: C:\Windows\system32\Ehpmbj32.exe
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Eedmlo32.exe (PID 660)
   Command line: C:\Windows\system32\Eedmlo32.exe
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Fghcqq32.exe (PID 1144)
   Command line: C:\Windows\system32\Fghcqq32.exe
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Ggafgo32.exe (PID 564)
   Command line: C:\Windows\system32\Ggafgo32.exe
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Hgkimn32.exe (PID 464)
   Command line: C:\Windows\system32\Hgkimn32.exe
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Hokgmpkl.exe (PID 1148)
   Command line: C:\Windows\system32\Hokgmpkl.exe
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Hfgloiqf.exe (PID 2972)
   Command line: C:\Windows\system32\Hfgloiqf.exe
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Icminm32.exe (PID 4780)
   Command line: C:\Windows\system32\Icminm32.exe
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Ijgakgej.exe (PID 4028)
   Command line: C:\Windows\system32\Ijgakgej.exe
   - Executes dropped EXE
   - Drops file in System32 directory
58. C:\Windows\SysWOW64\Iqfcbahb.exe (PID 2552)
   Command line: C:\Windows\system32\Iqfcbahb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Jcgldl32.exe (PID 4852)
   Command line: C:\Windows\system32\Jcgldl32.exe
   - Executes dropped EXE
   - Modifies registry class
60. C:\Windows\SysWOW64\Jcnbekok.exe (PID 1836)
   Command line: C:\Windows\system32\Jcnbekok.exe
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Jikjmbmb.exe (PID 3980)
   Command line: C:\Windows\system32\Jikjmbmb.exe
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Kpgoolbl.exe (PID 3844)
   Command line: C:\Windows\system32\Kpgoolbl.exe
   - Executes dropped EXE
   - Drops file in System32 directory
63. C:\Windows\SysWOW64\Kplijk32.exe (PID 3512)
   Command line: C:\Windows\system32\Kplijk32.exe
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Lpbokjho.exe (PID 5052)
   Command line: C:\Windows\system32\Lpbokjho.exe
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Lagepl32.exe (PID 3448)
   Command line: C:\Windows\system32\Lagepl32.exe
   - Executes dropped EXE
   - Modifies registry class
66. C:\Windows\SysWOW64\Ljoiibbm.exe (PID 4884)
   Command line: C:\Windows\system32\Ljoiibbm.exe
67. C:\Windows\SysWOW64\Lhcjbfag.exe (PID 3244)
   Command line: C:\Windows\system32\Lhcjbfag.exe
68. C:\Windows\SysWOW64\Mhhcne32.exe (PID 4524)
   Command line: C:\Windows\system32\Mhhcne32.exe
   - Drops file in System32 directory
69. C:\Windows\SysWOW64\Mmdlflki.exe (PID 4380)
   Command line: C:\Windows\system32\Mmdlflki.exe
   - Drops file in System32 directory
70. C:\Windows\SysWOW64\Mjiloqjb.exe (PID 4224)
   Command line: C:\Windows\system32\Mjiloqjb.exe
71. C:\Windows\SysWOW64\Ndejcemn.exe (PID 2084)
   Command line: C:\Windows\system32\Ndejcemn.exe
72. C:\Windows\SysWOW64\Ngklppei.exe (PID 4080)
   Command line: C:\Windows\system32\Ngklppei.exe
73. C:\Windows\SysWOW64\Npcaie32.exe (PID 2448)
   Command line: C:\Windows\system32\Npcaie32.exe
74. C:\Windows\SysWOW64\Odhppclh.exe (PID 4172)
   Command line: C:\Windows\system32\Odhppclh.exe
   - Modifies registry class
75. C:\Windows\SysWOW64\Pgpobmca.exe (PID 3584)
   Command line: C:\Windows\system32\Pgpobmca.exe
76. C:\Windows\SysWOW64\Qkqdnkge.exe (PID 2100)
   Command line: C:\Windows\system32\Qkqdnkge.exe
77. C:\Windows\SysWOW64\Qjeaog32.exe (PID 4416)
   Command line: C:\Windows\system32\Qjeaog32.exe
78. C:\Windows\SysWOW64\Ancjef32.exe (PID 2096)
   Command line: C:\Windows\system32\Ancjef32.exe
79. C:\Windows\SysWOW64\Akgjnj32.exe (PID 2760)
   Command line: C:\Windows\system32\Akgjnj32.exe
80. C:\Windows\SysWOW64\Aqfolqna.exe (PID 924)
   Command line: C:\Windows\system32\Aqfolqna.exe
   - Drops file in System32 directory
81. C:\Windows\SysWOW64\Bdlncn32.exe (PID 748)
   Command line: C:\Windows\system32\Bdlncn32.exe
82. C:\Windows\SysWOW64\Bkefphem.exe (PID 648)
   Command line: C:\Windows\system32\Bkefphem.exe
   - Modifies registry class
83. C:\Windows\SysWOW64\Bdnkhn32.exe (PID 4796)
   Command line: C:\Windows\system32\Bdnkhn32.exe
84. C:\Windows\SysWOW64\Bjmpfdhb.exe (PID 3792)
   Command line: C:\Windows\system32\Bjmpfdhb.exe
   - Modifies registry class
85. C:\Windows\SysWOW64\Cinpdl32.exe (PID 556)
   Command line: C:\Windows\system32\Cinpdl32.exe
86. C:\Windows\SysWOW64\Cbfema32.exe (PID 2380)
   Command line: C:\Windows\system32\Cbfema32.exe
87. C:\Windows\SysWOW64\Cgcmeh32.exe (PID 3896)
   Command line: C:\Windows\system32\Cgcmeh32.exe
88. C:\Windows\SysWOW64\Djipbbne.exe (PID 5140)
   Command line: C:\Windows\system32\Djipbbne.exe
89. C:\Windows\SysWOW64\Dlhlleeh.exe (PID 5236)
   Command line: C:\Windows\system32\Dlhlleeh.exe
90. C:\Windows\SysWOW64\Ehofhdli.exe (PID 5280)
   Command line: C:\Windows\system32\Ehofhdli.exe
91. C:\Windows\SysWOW64\Eahjqicj.exe (PID 5328)
   Command line: C:\Windows\system32\Eahjqicj.exe
92. C:\Windows\SysWOW64\Fhbbmc32.exe (PID 5372)
   Command line: C:\Windows\system32\Fhbbmc32.exe
93. C:\Windows\SysWOW64\Fbggkl32.exe (PID 5432)
   Command line: C:\Windows\system32\Fbggkl32.exe
94. C:\Windows\SysWOW64\Foqdem32.exe (PID 5476)
   Command line: C:\Windows\system32\Foqdem32.exe
   - Modifies registry class
95. C:\Windows\SysWOW64\Fejlbgek.exe (PID 5532)
   Command line: C:\Windows\system32\Fejlbgek.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
96. C:\Windows\SysWOW64\Geabbfoc.exe (PID 5608)
   Command line: C:\Windows\system32\Geabbfoc.exe
97. C:\Windows\SysWOW64\Hifaic32.exe (PID 5680)
   Command line: C:\Windows\system32\Hifaic32.exe
98. C:\Windows\SysWOW64\Hligqnjp.exe (PID 5732)
   Command line: C:\Windows\system32\Hligqnjp.exe
99. C:\Windows\SysWOW64\Hipdpbgf.exe (PID 5776)
   Command line: C:\Windows\system32\Hipdpbgf.exe
100. C:\Windows\SysWOW64\Hchihhng.exe (PID 5816)
   Command line: C:\Windows\system32\Hchihhng.exe
101. C:\Windows\SysWOW64\Iheaqolo.exe (PID 5876)
   Command line: C:\Windows\system32\Iheaqolo.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
102. C:\Windows\SysWOW64\Ihgnfnjl.exe (PID 5912)
   Command line: C:\Windows\system32\Ihgnfnjl.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
103. C:\Windows\SysWOW64\Ioafchai.exe (PID 5976)
   Command line: C:\Windows\system32\Ioafchai.exe
104. C:\Windows\SysWOW64\Ihlgan32.exe (PID 6020)
   Command line: C:\Windows\system32\Ihlgan32.exe
   - Drops file in System32 directory
105. C:\Windows\SysWOW64\Icakofel.exe (PID 6060)
   Command line: C:\Windows\system32\Icakofel.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
106. C:\Windows\SysWOW64\Ihndgmdd.exe (PID 6096)
   Command line: C:\Windows\system32\Ihndgmdd.exe
107. C:\Windows\SysWOW64\Jfbdpabn.exe (PID 5128)
   Command line: C:\Windows\system32\Jfbdpabn.exe
108. C:\Windows\SysWOW64\Jjpmfpid.exe (PID 5172)
   Command line: C:\Windows\system32\Jjpmfpid.exe
109. C:\Windows\SysWOW64\Jomeoggk.exe (PID 5320)
   Command line: C:\Windows\system32\Jomeoggk.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
110. C:\Windows\SysWOW64\Joaojf32.exe (PID 5416)
   Command line: C:\Windows\system32\Joaojf32.exe
111. C:\Windows\SysWOW64\Kcphpdil.exe (PID 5504)
   Command line: C:\Windows\system32\Kcphpdil.exe
112. C:\Windows\SysWOW64\Kfpqap32.exe (PID 936)
   Command line: C:\Windows\system32\Kfpqap32.exe
113. C:\Windows\SysWOW64\Kcdakd32.exe (PID 3660)
   Command line: C:\Windows\system32\Kcdakd32.exe
114. C:\Windows\SysWOW64\Kiajck32.exe (PID 5580)
   Command line: C:\Windows\system32\Kiajck32.exe
   - Modifies registry class
115. C:\Windows\SysWOW64\Kifcnjpi.exe (PID 208)
   Command line: C:\Windows\system32\Kifcnjpi.exe
116. C:\Windows\SysWOW64\Lfjchn32.exe (PID 5768)
   Command line: C:\Windows\system32\Lfjchn32.exe
117. C:\Windows\SysWOW64\Mjehok32.exe (PID 5844)
   Command line: C:\Windows\system32\Mjehok32.exe
118. C:\Windows\SysWOW64\Ncbfcp32.exe (PID 5924)
   Command line: C:\Windows\system32\Ncbfcp32.exe
   - Modifies registry class
119. C:\Windows\SysWOW64\Nlnkgbhp.exe (PID 5972)
   Command line: C:\Windows\system32\Nlnkgbhp.exe
120. C:\Windows\SysWOW64\Nfcoekhe.exe (PID 6004)
   Command line: C:\Windows\system32\Nfcoekhe.exe
   - Drops file in System32 directory
121. C:\Windows\SysWOW64\Nmmgae32.exe (PID 6092)
   Command line: C:\Windows\system32\Nmmgae32.exe
122. C:\Windows\SysWOW64\Nffljjfc.exe (PID 6136)
   Command line: C:\Windows\system32\Nffljjfc.exe
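The "wrote to memory of" rows and the process tree above describe one thing: a linear chain in which each dropped binary in SysWOW64 injects into, and spawns, the next one. The following script is an added triage helper, not part of the tria.ge report or of any tool it uses. It parses rows in the shape the report prints them, collapses the repeated rows the sandbox emits per event, walks the chain from the one process that is never written into, and fails loudly if the graph branches or loops. The sample rows are copied from the report above; reading the trailing number as the sandbox's own index of the target process (rather than an OS PID) is an assumption drawn from it climbing by one per hop, and the file-name heuristic is derived solely from the names on this page.

```python
"""Rebuild the WriteProcessMemory chain from tria.ge-style report rows.

Added triage helper; not part of the sandbox report. Row shape handled:
    PID <src> wrote to memory of <dst> <src> <image> <n>
"""
import re
from collections import defaultdict

# One row of the "Suspicious use of WriteProcessMemory" table. The trailing
# number is taken to be the sandbox's own index of the target process, not an
# OS PID (assumption: it climbs by one per hop while the PIDs do not).
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+(?P=src)\s+(?P<image>\S+)\s+(?P<idx>\d+)"
)

# Constructed sample: ten hops copied from the report. The first two keep the
# three identical rows the sandbox prints per event; the rest are shown once.
SAMPLE_EVENTS = """
PID 2044 wrote to memory of 4116 2044 Kdkoef32.exe 104
PID 2044 wrote to memory of 4116 2044 Kdkoef32.exe 104
PID 2044 wrote to memory of 4116 2044 Kdkoef32.exe 104
PID 4116 wrote to memory of 3832 4116 Lhbkac32.exe 105
PID 4116 wrote to memory of 3832 4116 Lhbkac32.exe 105
PID 4116 wrote to memory of 3832 4116 Lhbkac32.exe 105
PID 3832 wrote to memory of 700 3832 Mclhjkfa.exe 106
PID 700 wrote to memory of 4372 700 Mlemcq32.exe 107
PID 4372 wrote to memory of 4160 4372 Mhknhabf.exe 108
PID 4160 wrote to memory of 1472 4160 Nfiagd32.exe 109
PID 1472 wrote to memory of 4364 1472 Ndpjnq32.exe 110
PID 4364 wrote to memory of 4448 4364 Odbgdp32.exe 111
PID 4448 wrote to memory of 3804 4448 Ochamg32.exe 112
PID 3804 wrote to memory of 928 3804 Pbddobla.exe 113
"""

# Heuristic drawn only from the file names in this report: a capitalised
# 8-letter name, or 6 letters plus "32", with an .exe suffix. It is a weak
# filter (legitimate names such as Winlogon.exe also match), so use it to
# rank candidates for a signature or allowlist check, never as a verdict.
GENERATED_NAME_RE = re.compile(r"^[A-Z][a-z]{7}\.exe$|^[A-Z][a-z]{5}32\.exe$")


def parse_events(text):
    """Return de-duplicated (src_pid, dst_pid, image) tuples in first-seen order."""
    seen, events = set(), []
    for m in EVENT_RE.finditer(text):
        key = (int(m["src"]), int(m["dst"]), m["image"])
        if key not in seen:
            seen.add(key)
            events.append(key)
    return events


def build_chain(events):
    """Walk the injection chain from its root writer.

    Returns [(pid, image), ...] from the root to the last target; the last
    entry carries image None because it never writes into anyone. Raises
    when the graph has several roots, branches, or loops, i.e. when the
    "one process hands off to the next" picture does not hold.
    """
    children = defaultdict(list)
    image_of, targets = {}, set()
    for src, dst, image in events:
        children[src].append(dst)
        image_of[src] = image
        targets.add(dst)
    roots = [pid for pid in children if pid not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root writer, found {roots}")
    chain, pid, visited = [], roots[0], set()
    while pid in children:
        if pid in visited:
            raise ValueError(f"cycle at PID {pid}")
        if len(children[pid]) != 1:
            raise ValueError(f"PID {pid} writes into several processes: {children[pid]}")
        visited.add(pid)
        chain.append((pid, image_of[pid]))
        pid = children[pid][0]
    chain.append((pid, None))
    return chain


def looks_generated(image):
    """True when the image name fits the naming pattern seen in this report."""
    return bool(GENERATED_NAME_RE.match(image))


def summarize(text):
    """Hop count, the ordered chain, and the writer images that look generated."""
    chain = build_chain(parse_events(text))
    flagged = [img for _, img in chain if img and looks_generated(img)]
    return {"hops": len(chain) - 1, "chain": chain, "flagged": flagged}


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    print(f"{report['hops']} hops, {len(report['flagged'])} generated-looking writers")
    for pid, image in report["chain"]:
        print(f"  {pid:>5}  {image or '(last target)'}")
```

On the sample the chain comes back as ten hops from PID 2044 down to PID 928 with every writer flagged by the name heuristic, which matches the depth-13 to depth-23 stretch of the process tree. Run over the full table the same walk should yield one root (the submitted sample) and no branches; a second root or a fan-out would mean the sandbox missed a hop or the malware changed behaviour, and either is worth a closer look before trusting the tree.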