Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
66s -
max time network
53s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
11/06/2024, 21:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4069dec624d67c3a467f094d4e55c89128ce10bd9d8eda6adb4f4bbe891a45b9.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
4069dec624d67c3a467f094d4e55c89128ce10bd9d8eda6adb4f4bbe891a45b9.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
4069dec624d67c3a467f094d4e55c89128ce10bd9d8eda6adb4f4bbe891a45b9.exe
-
Size
96KB
-
MD5
4e1f01aec90e81e972f1db6d46901737
-
SHA1
960dfe0745b5f012ac7cd543d79f5044530e0ce3
-
SHA256
4069dec624d67c3a467f094d4e55c89128ce10bd9d8eda6adb4f4bbe891a45b9
-
SHA512
02d03f95ece4f8a93d17d6b2bce7ab4240745722b3b0b2580fd12f1d1223ed2c3c975b9509487dc93fd710c891fac895daed193ae295ec2b0342c08e13f62309
-
SSDEEP
1536:KzTttF52OY5051KokF7SbinARU+f76MqFgWfe2LC7RZObZUUWaegPYA:KzTtB2mqK+CClUUWae
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dopigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkoigdom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmpijp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgpogili.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlghoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhgfkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efhlhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbbkaako.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkqkhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohpkmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jibmgi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhilfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocamjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcepkfld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nggqoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phcomcng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcelmhen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdqgmmjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iemppiab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oebflhaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaqdegaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fckajehi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpleig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cofecami.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fplpll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poaqemao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaiimadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfdie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqhacgdh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdifoehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiobceef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plcdiabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efhcbodf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbhkac32.exe -
Executes dropped EXE 64 IoCs
pid Process 4900 Mcbahlip.exe 4204 Njljefql.exe 1812 Nnhfee32.exe 1472 Nceonl32.exe 3052 Nklfoi32.exe 2656 Njogjfoj.exe 1316 Nqiogp32.exe 1908 Nddkgonp.exe 684 Ngcgcjnc.exe 840 Nbhkac32.exe 3092 Ndghmo32.exe 1860 Ngedij32.exe 3552 Nnolfdcn.exe 4992 Nqmhbpba.exe 4100 Nggqoj32.exe 4944 Nbmelbid.exe 1244 Ncnadk32.exe 3828 Okeieh32.exe 3500 Oqbamo32.exe 2128 Occkojkm.exe 5024 Obdkma32.exe 3716 Ojopad32.exe 964 Oqihnn32.exe 2216 Okolkg32.exe 1620 Obidhaog.exe 876 Pcjapi32.exe 1272 Pjdilcla.exe 3844 Pbkamqmd.exe 1412 Pghieg32.exe 2764 Pjffbc32.exe 2500 Peljol32.exe 2684 Pkfblfab.exe 3968 Pbpjhp32.exe 4080 Pcagphom.exe 2980 Pkhoae32.exe 4004 Pbbgnpgl.exe 3992 Peqcjkfp.exe 4612 Pgopffec.exe 1580 Pbddcoei.exe 4616 Qcepkg32.exe 4332 Qjpiha32.exe 2552 Qbgqio32.exe 4452 Qeemej32.exe 4600 Qjbena32.exe 2884 Qbimoo32.exe 4116 Aegikj32.exe 2152 Alabgd32.exe 3480 Abkjdnoa.exe 532 Acmflf32.exe 4228 Aldomc32.exe 3724 Anbkio32.exe 4676 Aelcfilb.exe 1564 Alfkbc32.exe 3192 Andgoobc.exe 1592 Aacckjaf.exe 1548 Ahmlgd32.exe 4852 Angddopp.exe 1160 Aaepqjpd.exe 2104 Adcmmeog.exe 880 Alkdnboj.exe 1044 Bahmfj32.exe 1168 Becifhfj.exe 4904 Blmacb32.exe 3216 Bbgipldd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jljbeali.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bmhocd32.exe Process not Found File created C:\Windows\SysWOW64\Ldanqkki.exe Likjcbkc.exe File created C:\Windows\SysWOW64\Ingfla32.dll Cffdpghg.exe File opened for modification C:\Windows\SysWOW64\Iomcgl32.exe Iickkbje.exe File opened for modification C:\Windows\SysWOW64\Mbgjbkfg.exe Mnlnbl32.exe File created C:\Windows\SysWOW64\Golneb32.dll Gmiclo32.exe File opened for modification C:\Windows\SysWOW64\Madjhb32.exe Process not Found File created C:\Windows\SysWOW64\Pkjnpq32.dll Pbbgnpgl.exe File opened for modification C:\Windows\SysWOW64\Hfpecg32.exe Hninbj32.exe File opened for modification C:\Windows\SysWOW64\Bdojjo32.exe Process not Found File created C:\Windows\SysWOW64\Aeddnp32.exe Aaiimadl.exe File created C:\Windows\SysWOW64\Pjcmhh32.dll Dlkbjqgm.exe File created C:\Windows\SysWOW64\Gemdebha.dll Process not Found File created C:\Windows\SysWOW64\Ebdpoomj.dll Process not Found File created C:\Windows\SysWOW64\Qgmbjkdp.dll Oqbamo32.exe File created C:\Windows\SysWOW64\Dmpfbk32.exe Cjaifp32.exe File created C:\Windows\SysWOW64\Imiehfao.exe Process not Found File created C:\Windows\SysWOW64\Flbfjl32.dll Process not Found File created C:\Windows\SysWOW64\Dndhqgbm.dll Process not Found File created C:\Windows\SysWOW64\Gjihje32.dll Dedkdcie.exe File opened for modification C:\Windows\SysWOW64\Ikfabm32.exe Iigdfa32.exe File opened for modification C:\Windows\SysWOW64\Aaiimadl.exe Akoqpg32.exe File created C:\Windows\SysWOW64\Jbecoe32.dll Process not Found File created C:\Windows\SysWOW64\Mhjmpfcl.dll Process not Found File created C:\Windows\SysWOW64\Cklgfgfg.dll Process not Found File created C:\Windows\SysWOW64\Aacckjaf.exe Andgoobc.exe File opened for modification C:\Windows\SysWOW64\Cknnpm32.exe Chpada32.exe File created C:\Windows\SysWOW64\Nokpao32.dll Dhocqigp.exe File created C:\Windows\SysWOW64\Eiildjag.exe Efkphnbd.exe File opened for modification C:\Windows\SysWOW64\Nnkpnclp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fmcjpl32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lpepbgbd.exe Process not Found File created C:\Windows\SysWOW64\Cdbinofi.dll Jidklf32.exe File created C:\Windows\SysWOW64\Pdkjmfeo.dll Alcfei32.exe File created C:\Windows\SysWOW64\Lhnblp32.dll Fjhacf32.exe File opened for modification C:\Windows\SysWOW64\Pkpmdbfd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Alpbecod.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jekqmhia.exe Process not Found File created C:\Windows\SysWOW64\Appfnncn.dll Process not Found File created C:\Windows\SysWOW64\Hilpobpd.dll Process not Found File created C:\Windows\SysWOW64\Eckgieoo.dll Dkoggkjo.exe File created C:\Windows\SysWOW64\Ocalcppo.dll Eoolbinc.exe File opened for modification C:\Windows\SysWOW64\Cmipblaq.exe Cjjcfabm.exe File created C:\Windows\SysWOW64\Qfmjef32.dll Pibdmp32.exe File opened for modification C:\Windows\SysWOW64\Aefjii32.exe Process not Found File created C:\Windows\SysWOW64\Hicakqhn.dll Process not Found File created C:\Windows\SysWOW64\Ogeacidl.dll Process not Found File created C:\Windows\SysWOW64\Fgmdec32.exe Process not Found File created C:\Windows\SysWOW64\Lipgdi32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jmmjgejj.exe Jefbfgig.exe File created C:\Windows\SysWOW64\Fngdja32.dll Ohnebd32.exe File created C:\Windows\SysWOW64\Pkogiikb.exe Ohpkmn32.exe File created C:\Windows\SysWOW64\Cjpekc32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dkahilkl.exe Process not Found File created C:\Windows\SysWOW64\Gepgfb32.dll Process not Found File created C:\Windows\SysWOW64\Hfnphn32.exe Hcpclbfa.exe File created C:\Windows\SysWOW64\Emeoooml.exe Ekgbccni.exe File created C:\Windows\SysWOW64\Oalfdbfa.dll Gnfhfl32.exe File opened for modification C:\Windows\SysWOW64\Hdjbiheb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Phcgcqab.exe Process not Found File created C:\Windows\SysWOW64\Gnmnfkia.exe Ggcfja32.exe File created C:\Windows\SysWOW64\Mckemg32.exe Mplhql32.exe File created C:\Windows\SysWOW64\Cdckomdh.dll Mfhfhong.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4204 548 Process not Found 1875 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icnpmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppjgoaoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icndnfbg.dll" Bqdblmhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piomhofd.dll" Iafonaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfendmoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdfonda.dll" Hiefcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafjpc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnhpoamf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooagno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbhoqj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkmgblok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeipof32.dll" Aodfajaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeifngp.dll" Efhlhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 4069dec624d67c3a467f094d4e55c89128ce10bd9d8eda6adb4f4bbe891a45b9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkokgea.dll" Lllcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll" Bhhdil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfjjga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mojhgbdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjadje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll" Lpqiemge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmcgolla.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfoafi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edknqiho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ienekbld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phcomcng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iipejo32.dll" Cabomkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enabbk32.dll" Efccmidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikbnacmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhomfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfebfnqn.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lebkhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nklbmllg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neafjdkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjmkoeqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eamhodmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgihfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjopcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oekiqccc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efafgifc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdepoj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpggnan.dll" Ekacmjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfoaecol.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhagfo32.dll" Fhdfbfdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jicdap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knefeffd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohqbhdpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aopmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcklla32.dll" Ehailbaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcoimpn.dll" Gcagkdba.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2852 wrote to memory of 4900 2852 4069dec624d67c3a467f094d4e55c89128ce10bd9d8eda6adb4f4bbe891a45b9.exe 81 PID 2852 wrote to memory of 4900 2852 4069dec624d67c3a467f094d4e55c89128ce10bd9d8eda6adb4f4bbe891a45b9.exe 81 PID 2852 wrote to memory of 4900 2852 4069dec624d67c3a467f094d4e55c89128ce10bd9d8eda6adb4f4bbe891a45b9.exe 81 PID 4900 wrote to memory of 4204 4900 Mcbahlip.exe 82 PID 4900 wrote to memory of 4204 4900 Mcbahlip.exe 82 PID 4900 wrote to memory of 4204 4900 Mcbahlip.exe 82 PID 4204 wrote to memory of 1812 4204 Njljefql.exe 83 PID 4204 wrote to memory of 1812 4204 Njljefql.exe 83 PID 4204 wrote to memory of 1812 4204 Njljefql.exe 83 PID 1812 wrote to memory of 1472 1812 Nnhfee32.exe 84 PID 1812 wrote to memory of 1472 1812 Nnhfee32.exe 84 PID 1812 wrote to memory of 1472 1812 Nnhfee32.exe 84 PID 1472 wrote to memory of 3052 1472 Nceonl32.exe 85 PID 1472 wrote to memory of 3052 1472 Nceonl32.exe 85 PID 1472 wrote to memory of 3052 1472 Nceonl32.exe 85 PID 3052 wrote to memory of 2656 3052 Nklfoi32.exe 86 PID 3052 wrote to memory of 2656 3052 Nklfoi32.exe 86 PID 3052 wrote to memory of 2656 3052 Nklfoi32.exe 86 PID 2656 wrote to memory of 1316 2656 Njogjfoj.exe 87 PID 2656 wrote to memory of 1316 2656 Njogjfoj.exe 87 PID 2656 wrote to memory of 1316 2656 Njogjfoj.exe 87 PID 1316 wrote to memory of 1908 1316 Nqiogp32.exe 88 PID 1316 wrote to memory of 1908 1316 Nqiogp32.exe 88 PID 1316 wrote to memory of 1908 1316 Nqiogp32.exe 88 PID 1908 wrote to memory of 684 1908 Nddkgonp.exe 89 PID 1908 wrote to memory of 684 1908 Nddkgonp.exe 89 PID 1908 wrote to memory of 684 1908 Nddkgonp.exe 89 PID 684 wrote to memory of 840 684 Ngcgcjnc.exe 90 PID 684 wrote to memory of 840 684 Ngcgcjnc.exe 90 PID 684 wrote to memory of 840 684 Ngcgcjnc.exe 90 PID 840 wrote to memory of 3092 840 Nbhkac32.exe 91 PID 840 wrote to memory of 3092 840 Nbhkac32.exe 91 PID 840 wrote to memory of 3092 840 Nbhkac32.exe 91 PID 3092 wrote to memory of 1860 3092 Ndghmo32.exe 92 PID 3092 wrote to memory of 1860 3092 Ndghmo32.exe 92 PID 3092 wrote to memory of 1860 3092 Ndghmo32.exe 92 PID 1860 wrote to memory of 3552 1860 Ngedij32.exe 93 PID 1860 wrote to memory of 3552 1860 Ngedij32.exe 93 PID 1860 wrote to memory of 3552 1860 Ngedij32.exe 93 PID 3552 wrote to memory of 4992 3552 Nnolfdcn.exe 94 PID 3552 wrote to memory of 4992 3552 Nnolfdcn.exe 94 PID 3552 wrote to memory of 4992 3552 Nnolfdcn.exe 94 PID 4992 wrote to memory of 4100 4992 Nqmhbpba.exe 95 PID 4992 wrote to memory of 4100 4992 Nqmhbpba.exe 95 PID 4992 wrote to memory of 4100 4992 Nqmhbpba.exe 95 PID 4100 wrote to memory of 4944 4100 Nggqoj32.exe 96 PID 4100 wrote to memory of 4944 4100 Nggqoj32.exe 96 PID 4100 wrote to memory of 4944 4100 Nggqoj32.exe 96 PID 4944 wrote to memory of 1244 4944 Nbmelbid.exe 97 PID 4944 wrote to memory of 1244 4944 Nbmelbid.exe 97 PID 4944 wrote to memory of 1244 4944 Nbmelbid.exe 97 PID 1244 wrote to memory of 3828 1244 Ncnadk32.exe 98 PID 1244 wrote to memory of 3828 1244 Ncnadk32.exe 98 PID 1244 wrote to memory of 3828 1244 Ncnadk32.exe 98 PID 3828 wrote to memory of 3500 3828 Okeieh32.exe 99 PID 3828 wrote to memory of 3500 3828 Okeieh32.exe 99 PID 3828 wrote to memory of 3500 3828 Okeieh32.exe 99 PID 3500 wrote to memory of 2128 3500 Oqbamo32.exe 100 PID 3500 wrote to memory of 2128 3500 Oqbamo32.exe 100 PID 3500 wrote to memory of 2128 3500 Oqbamo32.exe 100 PID 2128 wrote to memory of 5024 2128 Occkojkm.exe 101 PID 2128 wrote to memory of 5024 2128 Occkojkm.exe 101 PID 2128 wrote to memory of 5024 2128 Occkojkm.exe 101 PID 5024 wrote to memory of 3716 5024 Obdkma32.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\4069dec624d67c3a467f094d4e55c89128ce10bd9d8eda6adb4f4bbe891a45b9.exe"C:\Users\Admin\AppData\Local\Temp\4069dec624d67c3a467f094d4e55c89128ce10bd9d8eda6adb4f4bbe891a45b9.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe23⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe24⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe25⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe26⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe27⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe28⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe29⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe30⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe31⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe32⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe33⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe34⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe35⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe36⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4004 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe38⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe39⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe40⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe41⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe42⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe43⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe44⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe45⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe46⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe47⤵
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe48⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe49⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe50⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe51⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe52⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe53⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe54⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3192 -
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe56⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe57⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe58⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe59⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe60⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe61⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe62⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe63⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe64⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe65⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe66⤵PID:2604
-
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe67⤵PID:3324
-
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe68⤵PID:2508
-
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe69⤵PID:3684
-
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe70⤵PID:1576
-
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe71⤵PID:3360
-
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe72⤵PID:5092
-
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe73⤵PID:4636
-
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe74⤵PID:2848
-
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe75⤵PID:4660
-
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe76⤵PID:3676
-
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe77⤵PID:4936
-
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe78⤵PID:4652
-
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe79⤵PID:1936
-
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe80⤵PID:2288
-
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe81⤵PID:4920
-
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe82⤵
- Drops file in System32 directory
PID:4540 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe83⤵PID:2448
-
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe84⤵PID:4872
-
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe85⤵PID:2324
-
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe86⤵PID:812
-
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe87⤵PID:1436
-
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe88⤵PID:4884
-
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe89⤵PID:4292
-
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe90⤵PID:2456
-
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe91⤵PID:4180
-
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe92⤵PID:2972
-
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe93⤵PID:4316
-
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe94⤵PID:436
-
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe95⤵PID:468
-
C:\Windows\SysWOW64\Dboigi32.exeC:\Windows\system32\Dboigi32.exe96⤵PID:2900
-
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe97⤵PID:4340
-
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe98⤵PID:4352
-
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe99⤵PID:3024
-
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe100⤵PID:428
-
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe101⤵PID:2196
-
C:\Windows\SysWOW64\Dkljak32.exeC:\Windows\system32\Dkljak32.exe102⤵PID:2952
-
C:\Windows\SysWOW64\Dccbbhld.exeC:\Windows\system32\Dccbbhld.exe103⤵PID:2516
-
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe104⤵PID:116
-
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe105⤵PID:2092
-
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe106⤵
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe107⤵PID:3304
-
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe108⤵
- Drops file in System32 directory
PID:1172 -
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe109⤵PID:3484
-
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe110⤵
- Modifies registry class
PID:3332 -
C:\Windows\SysWOW64\Eaklidoi.exeC:\Windows\system32\Eaklidoi.exe111⤵PID:5036
-
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe112⤵PID:816
-
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe113⤵PID:2220
-
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe114⤵
- Drops file in System32 directory
PID:3736 -
C:\Windows\SysWOW64\Eamhodmf.exeC:\Windows\system32\Eamhodmf.exe115⤵
- Modifies registry class
PID:5096 -
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe116⤵PID:1088
-
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe117⤵PID:3740
-
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe118⤵PID:1064
-
C:\Windows\SysWOW64\Eapedd32.exeC:\Windows\system32\Eapedd32.exe119⤵PID:1940
-
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe120⤵PID:4908
-
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe121⤵PID:4644
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-