Analysis

max time kernel: 150s
max time network: 311s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2023, 16:36
Static task: static1

Behavioral task: behavioral1
  Sample: NEAS.a6ec29b4c064cdcb45b85a4b9f0b7c67_JC.exe
  Resource: win7-20230831-en

Behavioral task: behavioral2
  Sample: NEAS.a6ec29b4c064cdcb45b85a4b9f0b7c67_JC.exe
  Resource: win10v2004-20230915-en
General

Target: NEAS.a6ec29b4c064cdcb45b85a4b9f0b7c67_JC.exe
Size: 82KB
MD5: a6ec29b4c064cdcb45b85a4b9f0b7c67
SHA1: 54255816d5f470f5c64f22c0d82f6dbd5879ae43
SHA256: 27ad2ef467f1824d39b815bc5f2c2b28b3d1ab7063a337d77e7520bfaffe7ead
SHA512: 0b482113d7cd1bd539920632b59d804679c92f44e02fa4f155d6ed8532b8db7d548175ac40c8178e1ed5d6ec2f3104cbc6c086d94d93971b3d476c4e90dc645c
SSDEEP: 1536:yFOMlmPrNGhPfuLXQnDA4/DD67ebUr02L7wpm6+wDSmQFN6TiN1sJtvQu:y0/PxGhHQgnDAQD6KIZMpm6tm7N6TO1y
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

All 64 IoCs touch the same key and the same CLSID; they are grouped below by description, with the reporting process listed after each.

Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  Processes (30): Kckgplld.exe, Koodeg32.exe, Chalog32.exe, Aglnqfdo.exe, Ahinej32.exe, Oehlno32.exe, Nfeedmol.exe, Qffgbhcg.exe, Jedbfamo.exe, Blmafnhb.exe, Bdojmj32.exe, Gchdga32.exe, Mjjbocai.exe, Fejeljod.exe, Bccnme32.exe, Ckidhi32.exe, Hemkhg32.exe, Fbpcknkk.exe, Ipnoaodh.exe, Hjlhlknn.exe, Qgpoeh32.exe, Bnjphpgf.exe, Fiahaikc.exe, Obgcldco.exe, Kqfeca32.exe, Kjnilgji.exe, Bkblie32.exe, Hlnjeqpd.exe, Njcnjk32.exe, Dpajni32.exe

Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
  Processes (34): Cmdfjhaq.exe, Knjemf32.exe, Dkndladn.exe, Maanjg32.exe, Gpgndkhb.exe, Fnofdjcl.exe, Jgekhljp.exe, Hcdmep32.exe, Ddpcdgaf.exe, Dnhngckb.exe, Qdofcm32.exe, Jejcmd32.exe, Kgbjekic.exe, Jpjommjj.exe, Nmomag32.exe, Jcbifnho.exe, Jcmddh32.exe, Bokkdd32.exe, Bkblie32.exe, Ohfhjj32.exe, Khakje32.exe, Ldgkmhno.exe, Kgofeegj.exe, Mdmnacna.exe, Mcpcgbfq.exe, Ppclop32.exe, Ckidhi32.exe, Llnggk32.exe, Bnhccp32.exe, Dfpfiqld.exe, Hoglfm32.exe, Dglbkcbl.exe, Kfoajb32.exe, Mjheic32.exe
Executes dropped EXE (64 IoCs)

pid Process (PIDs 944, 4104 and 4340 appear twice because the sandbox reused them):
4104 Jgeknfdb.exe, 1312 Kfoajb32.exe, 2904 Kfanpb32.exe, 4660 Khakje32.exe, 2196 Kmncbl32.exe, 2032 Knmplopo.exe, 4340 Kallhjoc.exe, 2580 Kfhdqa32.exe,
944 Ldleje32.exe, 1600 Lfkafq32.exe, 3108 Leladhcf.exe, 1248 Ljijlo32.exe, 3376 Moklnm32.exe, 4092 Mkdihm32.exe, 3716 Mdmnacna.exe, 3872 Maanjg32.exe,
1576 Gpgndkhb.exe, 4376 Ebbmicdo.exe, 2944 Bggghiah.exe, 3080 Gjikomca.exe, 1792 Genolf32.exe, 1596 Qmflnqkf.exe, 3456 Qimmba32.exe, 1320 Aedngbfo.exe,
940 Amkfip32.exe, 1512 Abhnag32.exe, 1760 Agfggeko.exe, 4184 Aidccqkc.exe, 4100 Apqhejpm.exe, 440 Bepmca32.exe, 3216 Bljepkco.exe, 3240 Bccnme32.exe,
4280 Bllbekal.exe, 4088 Bcfkbeii.exe, 1096 Bipcoo32.exe, 2636 Pkceia32.exe, 3012 Bdapja32.exe, 1328 Blmafnhb.exe, 3584 Chfoqnlc.exe, 3764 Ckidhi32.exe,
4776 Dbefdfco.exe, 1180 Eogfeeoe.exe, 4792 Elkfnino.exe, 1264 Elncdi32.exe, 64 Echkqcci.exe, 3212 Faabmodl.exe, 2432 Fojlabop.exe, 4920 Ffddnm32.exe,
4540 Gkalfc32.exe, 4064 Gchdga32.exe, 944 Gffqcl32.exe, 1100 Gcjamqcd.exe, 4340 Gdlnei32.exe, 3760 Gmceff32.exe, 4104 Gcmnbpaa.exe, 1256 Gdnjjh32.exe,
1476 Hbgdol32.exe, 648 Hiqllfiq.exe, 4752 Hejjfgmb.exe, 2888 Hflceibb.exe, 4580 Iijobeaf.exe, 844 Ipdgoo32.exe, 4320 Ifnpkipp.exe, 2364 Iillgdoc.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Ohfoboll.exe | Mhefkajo.exe
File opened for modification | C:\Windows\SysWOW64\Jejcmd32.exe | Ilbndoho.exe
File opened for modification | C:\Windows\SysWOW64\Kmdliace.exe | Kjepmfca.exe
File created | C:\Windows\SysWOW64\Jghpefmb.exe | Jcmddh32.exe
File created | C:\Windows\SysWOW64\Omfcafqa.exe | Nflkel32.exe
File opened for modification | C:\Windows\SysWOW64\Fiekbbcb.exe | Fnofdjcl.exe
File opened for modification | C:\Windows\SysWOW64\Gebagb32.exe | Gbdekg32.exe
File created | C:\Windows\SysWOW64\Pdhobdbn.dll | Jldkjofl.exe
File opened for modification | C:\Windows\SysWOW64\Kgdfkk32.exe | Kdfjop32.exe
File created | C:\Windows\SysWOW64\Pcpnnn32.dll | Gblbfl32.exe
File created | C:\Windows\SysWOW64\Gkmncbad.dll | Kngbmpqi.exe
File opened for modification | C:\Windows\SysWOW64\Nmmqkgil.exe | Ngphcqkd.exe
File opened for modification | C:\Windows\SysWOW64\Ikkhcpng.exe | Iillgdoc.exe
File created | C:\Windows\SysWOW64\Lbmhod32.exe | Lpnlbi32.exe
File opened for modification | C:\Windows\SysWOW64\Qlbmag32.exe | Qeheembn.exe
File created | C:\Windows\SysWOW64\Hpdbdb32.dll | Ekmhhe32.exe
File created | C:\Windows\SysWOW64\Jqnnjbia.dll | Mjlhjmlk.exe
File opened for modification | C:\Windows\SysWOW64\Dpajni32.exe | Cncnbnll.exe
File created | C:\Windows\SysWOW64\Hiodoqdc.dll | Jfaebjgb.exe
File opened for modification | C:\Windows\SysWOW64\Kfhdqa32.exe | Kallhjoc.exe
File created | C:\Windows\SysWOW64\Poiicpol.dll | Gchdga32.exe
File opened for modification | C:\Windows\SysWOW64\Lfanod32.exe | Lpgfbjjk.exe
File opened for modification | C:\Windows\SysWOW64\Onjigh32.exe | Ojmqqj32.exe
File created | C:\Windows\SysWOW64\Ocgboo32.exe | Ommjbeki.exe
File opened for modification | C:\Windows\SysWOW64\Bhcpmi32.exe | Bpmhllmg.exe
File opened for modification | C:\Windows\SysWOW64\Khakje32.exe | Kfanpb32.exe
File opened for modification | C:\Windows\SysWOW64\Lglmljqh.exe | Ldmqpoad.exe
File created | C:\Windows\SysWOW64\Eahihldm.dll | Incdih32.exe
File created | C:\Windows\SysWOW64\Ijjfoiip.dll | Knmplopo.exe
File created | C:\Windows\SysWOW64\Leladhcf.exe | Lfkafq32.exe
File created | C:\Windows\SysWOW64\Bipcoo32.exe | Bcfkbeii.exe
File created | C:\Windows\SysWOW64\Elncdi32.exe | Elkfnino.exe
File created | C:\Windows\SysWOW64\Piohjlol.exe | Pahpionj.exe
File created | C:\Windows\SysWOW64\Jlkedbmg.dll | Mekmam32.exe
File opened for modification | C:\Windows\SysWOW64\Jihkccef.exe | Jldkjofl.exe
File created | C:\Windows\SysWOW64\Kqhaia32.exe | Knjemf32.exe
File created | C:\Windows\SysWOW64\Fojnhd32.dll | Ljlfme32.exe
File created | C:\Windows\SysWOW64\Hlkmpa32.exe | Hoglfm32.exe
File created | C:\Windows\SysWOW64\Nmmqkgil.exe | Ngphcqkd.exe
File created | C:\Windows\SysWOW64\Ddnfjf32.dll | Ifllgj32.exe
File created | C:\Windows\SysWOW64\Miombfnf.dll | Echkqcci.exe
File created | C:\Windows\SysWOW64\Knabhk32.exe | Kghjkahi.exe
File created | C:\Windows\SysWOW64\Mmfaeo32.exe | Mjheic32.exe
File opened for modification | C:\Windows\SysWOW64\Bgkideqo.exe | Bdmmhjak.exe
File created | C:\Windows\SysWOW64\Moklnm32.exe | Ljijlo32.exe
File opened for modification | C:\Windows\SysWOW64\Emenai32.exe | Eelijl32.exe
File opened for modification | C:\Windows\SysWOW64\Mdmnacna.exe | Mkdihm32.exe
File opened for modification | C:\Windows\SysWOW64\Hlnjeqpd.exe | Hfaamjal.exe
File created | C:\Windows\SysWOW64\Kmnffi32.dll | Kgmjpf32.exe
File created | C:\Windows\SysWOW64\Enkmij32.exe | Ekekmpoe.exe
File created | C:\Windows\SysWOW64\Ndckdb32.dll | Kgdpqe32.exe
File created | C:\Windows\SysWOW64\Obblij32.dll | Ekekmpoe.exe
File created | C:\Windows\SysWOW64\Fppmblbg.dll | Bljepkco.exe
File opened for modification | C:\Windows\SysWOW64\Ldmqpoad.exe | Kgipfjbk.exe
File created | C:\Windows\SysWOW64\Oqljke32.dll | Dkloagjl.exe
File created | C:\Windows\SysWOW64\Ffgepm32.exe | Fiahaikc.exe
File created | C:\Windows\SysWOW64\Gmafde32.exe | Gblbfl32.exe
File opened for modification | C:\Windows\SysWOW64\Gbnoll32.exe | Gmafde32.exe
File created | C:\Windows\SysWOW64\Hqddcegn.exe | Hjjlgk32.exe
File created | C:\Windows\SysWOW64\Idflacae.dll | Iabpec32.exe
File created | C:\Windows\SysWOW64\Lhdimk32.dll | Khakje32.exe
File opened for modification | C:\Windows\SysWOW64\Hoglfm32.exe | Heohngll.exe
File opened for modification | C:\Windows\SysWOW64\Mcpcgbfq.exe | Mqafkggm.exe
File created | C:\Windows\SysWOW64\Inagchnl.exe | Ijekbi32.exe
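The file-drop IoCs above all land in C:\Windows\SysWOW64 as freshly written, capitalised 8-character .exe and .dll names, so a host-side hunt can key on exactly that footprint. The PowerShell below is an added example written for this page; it is not part of the tria.ge report or of the sample. It lists recently created .exe/.dll files in System32 and SysWOW64 that match the naming pattern and are not validly Authenticode-signed. The 24-hour look-back window and the name regex are assumptions tuned to this report; legitimate Windows binaries that happen to match the regex are filtered out by the signature check, not by the name.

```powershell
# Added example, not part of the tria.ge report or the sample's code.
# Hunts System32 and SysWOW64 for recently created PE files that are not validly signed,
# the footprint this sample leaves when it drops its copies (Jgeknfdb.exe, Kfoajb32.exe,
# Pndiej32.dll, ...). Assumptions: 24-hour look-back and the name regex below.
# Run from an elevated PowerShell on the host under investigation.

$Dirs        = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$NamePattern = '^[A-Z][a-z]{5,7}(32)?\.(exe|dll)$'   # Capitalised 8-char name, optional "32"
$Since       = (Get-Date).AddHours(-24)               # assumption: tune to the incident window

function Find-DroppedBinaries {
    foreach ($dir in $Dirs) {
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            Where-Object {
                ($_.Extension -in '.exe', '.dll') -and
                ($_.Name -cmatch $NamePattern) -and      # case-sensitive match
                ($_.CreationTime -ge $Since)
            } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    Created   = $_.CreationTime
                    SizeKB    = [math]::Round($_.Length / 1KB)
                    Signature = $sig.Status           # Valid, NotSigned, HashMismatch, ...
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            } |
            Where-Object { $_.Signature -ne 'Valid' }  # keep only unsigned / tampered hits
    }
}

Find-DroppedBinaries | Format-Table -AutoSize
```

Every hit comes with its SHA256, so results can be checked against the hashes in the General section or submitted for analysis before anything is deleted. Windows system files that match the regex (for example names ending in a lowercase run of six letters) are catalog-signed and therefore report Valid on supported Windows versions; if an older host reports many NotSigned system binaries, treat the hash, not the signature status, as the deciding evidence.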
Modifies registry class (64 IoCs)

All 64 IoCs are under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, the COM server for the CLSID registered in ShellServiceObjectDelayLoad above; they are grouped below by description, with the reporting process listed after each.

Key created: ...\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
  Processes (31): Hbgdol32.exe, Kqfeca32.exe, Ckkopcec.exe, Bnjphpgf.exe, Ppeidoab.exe, Odaibomk.exe, Ekceaf32.exe, Cncnbnll.exe, Bipcoo32.exe, Hiqllfiq.exe, Focljlfi.exe, Bknpbdfp.exe, Qmflnqkf.exe, Dfpfiqld.exe, Apqhejpm.exe, Kngigf32.exe, Qclena32.exe, Kallhjoc.exe, Aedngbfo.exe, Gdnjjh32.exe, Agbkjhli.exe, Oejico32.exe, Qekbjl32.exe, Chmbchfo.exe, Mgjimh32.exe, Iimjkc32.exe, Jejcmd32.exe, Lqandj32.exe, Adldal32.exe, Calmmm32.exe, Chalog32.exe

Set value (str): ...\InProcServer32\ThreadingModel = "Apartment"
  Processes (12): Mmfaeo32.exe, Lpgfbjjk.exe, Pjcgai32.exe, Phnokiil.exe, Fjbmondk.exe, Dpajni32.exe, Nmmqkgil.exe, Ocbhdpfk.exe, Ljaohdid.exe, Gchdga32.exe, Fbhfpi32.exe, Hflcqm32.exe

Set value (str): ...\InProcServer32\ (default) = DLL path (21; each process points the CLSID at a different dropped DLL)
  "C:\\Windows\\SysWow64\\Pndiej32.dll" | Bddhej32.exe
  "C:\\Windows\\SysWow64\\Bfffmkej.dll" | Blmafnhb.exe
  "C:\\Windows\\SysWow64\\Jqbkekli.dll" | Kjlmfgll.exe
  "C:\\Windows\\SysWow64\\Hofpbo32.dll" | Mqdcag32.exe
  "C:\\Windows\\SysWow64\\Bhaioiic.dll" | Moklnm32.exe
  "C:\\Windows\\SysWow64\\Ifohqk32.dll" | Peaodn32.exe
  "C:\\Windows\\SysWow64\\Ljkhei32.dll" | Njcnjk32.exe
  "C:\\Windows\\SysWow64\\Flqlohgk.dll" | Qkinpgih.exe
  "C:\\Windows\\SysWow64\\Gehbej32.dll" | Mcqjbi32.exe
  "C:\\Windows\\SysWow64\\Bmqong32.dll" | Pogggcai.exe
  "C:\\Windows\\SysWow64\\Hjjfkj32.dll" | Mjheic32.exe
  "C:\\Windows\\SysWow64\\Mndhgl32.dll" | Jcmddh32.exe
  "C:\\Windows\\SysWow64\\Ojphmj32.dll" | Nmmqkgil.exe
  "C:\\Windows\\SysWow64\\Hnjhlk32.dll" | Igjdchib.exe
  "C:\\Windows\\SysWow64\\Kakdhcgi.dll" | Kallhjoc.exe
  "C:\\Windows\\SysWow64\\Aeodgnpd.dll" | Dfpfiqld.exe
  "C:\\Windows\\SysWow64\\Njabkpcg.dll" | Pgkejiba.exe
  "C:\\Windows\\SysWow64\\Hnokaf32.dll" | Jghpefmb.exe
  "C:\\Windows\\SysWow64\\Fafqfe32.dll" | Gkmjdmjk.exe
  "C:\\Windows\\SysWow64\\Pnlpoghb.dll" | Ncnoiq32.exe
  "C:\\Windows\\SysWow64\\Calnpg32.dll" | Oiihog32.exe
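The two registry signatures above describe one persistence mechanism: a name ("Web Event Logger") is written under ShellServiceObjectDelayLoad with a CLSID as its value, and that CLSID's InProcServer32 key is pointed at a dropped DLL in SysWOW64, so Explorer.exe instantiates the COM object and loads the DLL at every logon. The audit below is an added PowerShell example written for this page, not code from the tria.ge report or the sample. It walks both the native and the WOW6432Node ShellServiceObjectDelayLoad keys (the sample is 32-bit, which is why the report shows WOW6432Node paths), resolves every CLSID to its InProcServer32 DLL and Authenticode status, and flags anything that is not validly signed. The decision rule "not Valid means suspicious" is an assumption; SSODL is rarely used by legitimate software, so the list is normally short enough to review by hand.

```powershell
# Added example, not part of the tria.ge report or the sample's code.
# Audits ShellServiceObjectDelayLoad (SSODL), the Explorer-loaded autorun this sample uses,
# in both registry views, resolves each CLSID to its InProcServer32 DLL and flags entries
# whose DLL is missing or not validly signed. Run from an elevated PowerShell.

$SsodlKeys = @(
    @{ View  = 'native'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ View  = 'WOW6432Node'
       Path  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
       Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)

function Get-SsodlAudit {
    foreach ($k in $SsodlKeys) {
        if (-not (Test-Path -LiteralPath $k.Path)) { continue }
        $entries = Get-ItemProperty -LiteralPath $k.Path
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; every other property is an SSODL value.
        foreach ($prop in ($entries.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $clsid  = [string]$prop.Value                        # e.g. {79FEACFF-FFCE-815E-A900-316290B5B738}
            $server = Join-Path $k.Clsid "$clsid\InProcServer32"
            $dll = $null; $threading = $null; $status = 'NoInProcServer32'
            if (Test-Path -LiteralPath $server) {
                $sp        = Get-ItemProperty -LiteralPath $server
                $dll       = [Environment]::ExpandEnvironmentVariables([string]$sp.'(default)')
                $threading = $sp.ThreadingModel
                $status    = if ($dll -and (Test-Path -LiteralPath $dll)) {
                                 (Get-AuthenticodeSignature -FilePath $dll).Status
                             } else { 'DllMissing' }
            }
            [pscustomobject]@{
                View       = $k.View
                Name       = $prop.Name                          # "Web Event Logger" in this report
                CLSID      = $clsid
                DLL        = $dll
                Threading  = $threading
                Signature  = $status
                Suspicious = ($status -ne 'Valid')              # assumption: unsigned SSODL server = review it
            }
        }
    }
}

Get-SsodlAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

On a clean Windows 10 host the function usually returns nothing or a handful of Microsoft-signed entries; a row whose DLL sits in SysWOW64 with a random 8-character name and a NotSigned status, as in this report, is the artefact to pull for analysis. Because the sample keeps rewriting the same CLSID with a different DLL path, the DLL column is also the quickest way to recover the final payload location.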
Suspicious use of WriteProcessMemory (64 IoCs)

Each spawn produces three identical "wrote to memory" rows (the parent writes the child's process memory three times before it runs), so the 64 IoCs reduce to the chain below; procid_target is the report's internal id of the written-to process.

PID 3380 NEAS.a6ec29b4c064cdcb45b85a4b9f0b7c67_JC.exe wrote to memory of 4104, procid_target 84 (3 rows)
PID 4104 Jgeknfdb.exe wrote to memory of 1312, procid_target 85 (3 rows)
PID 1312 Kfoajb32.exe wrote to memory of 2904, procid_target 86 (3 rows)
PID 2904 Kfanpb32.exe wrote to memory of 4660, procid_target 87 (3 rows)
PID 4660 Khakje32.exe wrote to memory of 2196, procid_target 88 (3 rows)
PID 2196 Kmncbl32.exe wrote to memory of 2032, procid_target 89 (3 rows)
PID 2032 Knmplopo.exe wrote to memory of 4340, procid_target 90 (3 rows)
PID 4340 Kallhjoc.exe wrote to memory of 2580, procid_target 92 (3 rows)
PID 2580 Kfhdqa32.exe wrote to memory of 944, procid_target 93 (3 rows)
PID 944 Ldleje32.exe wrote to memory of 1600, procid_target 94 (3 rows)
PID 1600 Lfkafq32.exe wrote to memory of 3108, procid_target 95 (3 rows)
PID 3108 Leladhcf.exe wrote to memory of 1248, procid_target 97 (3 rows)
PID 1248 Ljijlo32.exe wrote to memory of 3376, procid_target 98 (3 rows)
PID 3376 Moklnm32.exe wrote to memory of 4092, procid_target 99 (3 rows)
PID 4092 Mkdihm32.exe wrote to memory of 3716, procid_target 101 (3 rows)
PID 3716 Mdmnacna.exe wrote to memory of 3872, procid_target 102 (3 rows)
PID 3872 Maanjg32.exe wrote to memory of 1576, procid_target 103 (3 rows)
PID 1576 Gpgndkhb.exe wrote to memory of 4376, procid_target 104 (3 rows)
PID 4376 Ebbmicdo.exe wrote to memory of 2944, procid_target 105 (3 rows)
PID 2944 Bggghiah.exe wrote to memory of 3080, procid_target 106 (3 rows)
PID 3080 Gjikomca.exe wrote to memory of 1792, procid_target 107 (3 rows)
PID 1792 Genolf32.exe wrote to memory of 1596, procid_target 108 (1 row; the list is cut at 64 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.a6ec29b4c064cdcb45b85a4b9f0b7c67_JC.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.a6ec29b4c064cdcb45b85a4b9f0b7c67_JC.exe"; depth 1; PID 3380)
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Jgeknfdb.exe (command line: C:\Windows\system32\Jgeknfdb.exe; depth 2; PID 4104)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kfoajb32.exe (command line: C:\Windows\system32\Kfoajb32.exe; depth 3; PID 1312)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kfanpb32.exe (command line: C:\Windows\system32\Kfanpb32.exe; depth 4; PID 2904)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Khakje32.exe (command line: C:\Windows\system32\Khakje32.exe; depth 5; PID 4660)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kmncbl32.exe (command line: C:\Windows\system32\Kmncbl32.exe; depth 6; PID 2196)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Knmplopo.exe (command line: C:\Windows\system32\Knmplopo.exe; depth 7; PID 2032)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kallhjoc.exe (command line: C:\Windows\system32\Kallhjoc.exe; depth 8; PID 4340)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kfhdqa32.exe (command line: C:\Windows\system32\Kfhdqa32.exe; depth 9; PID 2580)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ldleje32.exe (command line: C:\Windows\system32\Ldleje32.exe; depth 10; PID 944)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lfkafq32.exe (command line: C:\Windows\system32\Lfkafq32.exe; depth 11; PID 1600)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Leladhcf.exe (command line: C:\Windows\system32\Leladhcf.exe; depth 12; PID 3108)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ljijlo32.exe (command line: C:\Windows\system32\Ljijlo32.exe; depth 13; PID 1248)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Moklnm32.exe (command line: C:\Windows\system32\Moklnm32.exe; depth 14; PID 3376)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Mkdihm32.exe (command line: C:\Windows\system32\Mkdihm32.exe; depth 15; PID 4092)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Mdmnacna.exe (command line: C:\Windows\system32\Mdmnacna.exe; depth 16; PID 3716)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Maanjg32.exe (command line: C:\Windows\system32\Maanjg32.exe; depth 17; PID 3872)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Gpgndkhb.exe (command line: C:\Windows\system32\Gpgndkhb.exe; depth 18; PID 1576)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ebbmicdo.exe (command line: C:\Windows\system32\Ebbmicdo.exe; depth 19; PID 4376)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Bggghiah.exe (command line: C:\Windows\system32\Bggghiah.exe; depth 20; PID 2944)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Gjikomca.exe (command line: C:\Windows\system32\Gjikomca.exe; depth 21; PID 3080)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Genolf32.exe (command line: C:\Windows\system32\Genolf32.exe; depth 22; PID 1792)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Qmflnqkf.exe (command line: C:\Windows\system32\Qmflnqkf.exe; depth 23; PID 1596)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Qimmba32.exe (command line: C:\Windows\system32\Qimmba32.exe; depth 24; PID 3456)
- Executes dropped EXE
C:\Windows\SysWOW64\Aedngbfo.exe (command line: C:\Windows\system32\Aedngbfo.exe; depth 25; PID 1320)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Amkfip32.exe (command line: C:\Windows\system32\Amkfip32.exe; depth 26; PID 940)
- Executes dropped EXE
C:\Windows\SysWOW64\Abhnag32.exe (command line: C:\Windows\system32\Abhnag32.exe; depth 27; PID 1512)
- Executes dropped EXE
C:\Windows\SysWOW64\Agfggeko.exe (command line: C:\Windows\system32\Agfggeko.exe; depth 28; PID 1760)
- Executes dropped EXE
C:\Windows\SysWOW64\Aidccqkc.exe (command line: C:\Windows\system32\Aidccqkc.exe; depth 29; PID 4184)
- Executes dropped EXE
C:\Windows\SysWOW64\Apqhejpm.exe (command line: C:\Windows\system32\Apqhejpm.exe; depth 30; PID 4100)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Bepmca32.exe (command line: C:\Windows\system32\Bepmca32.exe; depth 31; PID 440)
- Executes dropped EXE
C:\Windows\SysWOW64\Bljepkco.exe (command line: C:\Windows\system32\Bljepkco.exe; depth 32; PID 3216)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Bccnme32.exe (command line: C:\Windows\system32\Bccnme32.exe; depth 33; PID 3240)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Bllbekal.exe (command line: C:\Windows\system32\Bllbekal.exe; depth 34; PID 4280)
- Executes dropped EXE
C:\Windows\SysWOW64\Bcfkbeii.exe (command line: C:\Windows\system32\Bcfkbeii.exe; depth 35; PID 4088)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Bipcoo32.exe (command line: C:\Windows\system32\Bipcoo32.exe; depth 36; PID 1096)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Pkceia32.exe (command line: C:\Windows\system32\Pkceia32.exe; depth 37; PID 2636)
- Executes dropped EXE
C:\Windows\SysWOW64\Bdapja32.exe (command line: C:\Windows\system32\Bdapja32.exe; depth 38; PID 3012)
- Executes dropped EXE
C:\Windows\SysWOW64\Blmafnhb.exe (command line: C:\Windows\system32\Blmafnhb.exe; depth 39; PID 1328)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Chfoqnlc.exe (command line: C:\Windows\system32\Chfoqnlc.exe; depth 40; PID 3584)
- Executes dropped EXE
C:\Windows\SysWOW64\Ckidhi32.exe (command line: C:\Windows\system32\Ckidhi32.exe; depth 41; PID 3764)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Dbefdfco.exe (command line: C:\Windows\system32\Dbefdfco.exe; depth 42; PID 4776)
- Executes dropped EXE
C:\Windows\SysWOW64\Eogfeeoe.exe (command line: C:\Windows\system32\Eogfeeoe.exe; depth 43; PID 1180)
- Executes dropped EXE
C:\Windows\SysWOW64\Elkfnino.exe (command line: C:\Windows\system32\Elkfnino.exe; depth 44; PID 4792)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Elncdi32.exe (command line: C:\Windows\system32\Elncdi32.exe; depth 45; PID 1264)
- Executes dropped EXE
C:\Windows\SysWOW64\Echkqcci.exe (command line: C:\Windows\system32\Echkqcci.exe; depth 46; PID 64)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Faabmodl.exe (command line: C:\Windows\system32\Faabmodl.exe; depth 47; PID 3212)
- Executes dropped EXE
C:\Windows\SysWOW64\Fojlabop.exe (command line: C:\Windows\system32\Fojlabop.exe; depth 48; PID 2432)
- Executes dropped EXE
C:\Windows\SysWOW64\Ffddnm32.exe (command line: C:\Windows\system32\Ffddnm32.exe; depth 49; PID 4920)
- Executes dropped EXE
C:\Windows\SysWOW64\Gkalfc32.exe (command line: C:\Windows\system32\Gkalfc32.exe; depth 50; PID 4540)
- Executes dropped EXE
C:\Windows\SysWOW64\Gchdga32.exe (command line: C:\Windows\system32\Gchdga32.exe; depth 51; PID 4064)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Gffqcl32.exe (command line: C:\Windows\system32\Gffqcl32.exe; depth 52; PID 944)
- Executes dropped EXE
C:\Windows\SysWOW64\Gcjamqcd.exe (command line: C:\Windows\system32\Gcjamqcd.exe; depth 53; PID 1100)
- Executes dropped EXE
C:\Windows\SysWOW64\Gdlnei32.exe (command line: C:\Windows\system32\Gdlnei32.exe; depth 54; PID 4340)
- Executes dropped EXE
C:\Windows\SysWOW64\Gmceff32.exe (command line: C:\Windows\system32\Gmceff32.exe; depth 55; PID 3760)
- Executes dropped EXE
C:\Windows\SysWOW64\Gcmnbpaa.exe (command line: C:\Windows\system32\Gcmnbpaa.exe; depth 56; PID 4104)
- Executes dropped EXE
C:\Windows\SysWOW64\Gdnjjh32.exe (command line: C:\Windows\system32\Gdnjjh32.exe; depth 57; PID 1256)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Hbgdol32.exe (command line: C:\Windows\system32\Hbgdol32.exe; depth 58; PID 1476)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Hiqllfiq.exe (command line: C:\Windows\system32\Hiqllfiq.exe; depth 59; PID 648)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Hejjfgmb.exe (command line: C:\Windows\system32\Hejjfgmb.exe; depth 60; PID 4752)
- Executes dropped EXE
C:\Windows\SysWOW64\Hflceibb.exe (command line: C:\Windows\system32\Hflceibb.exe; depth 61; PID 2888)
- Executes dropped EXE
C:\Windows\SysWOW64\Iijobeaf.exe (command line: C:\Windows\system32\Iijobeaf.exe; depth 62; PID 4580)
- Executes dropped EXE
C:\Windows\SysWOW64\Ipdgoo32.exe (command line: C:\Windows\system32\Ipdgoo32.exe; depth 63; PID 844)
- Executes dropped EXE
C:\Windows\SysWOW64\Ifnpkipp.exe (command line: C:\Windows\system32\Ifnpkipp.exe; depth 64; PID 4320)
- Executes dropped EXE
C:\Windows\SysWOW64\Iillgdoc.exe (command line: C:\Windows\system32\Iillgdoc.exe; depth 65; PID 2364)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Ikkhcpng.exe (command line: C:\Windows\system32\Ikkhcpng.exe; depth 66; PID 5052)
C:\Windows\SysWOW64\Icbpdmoi.exe (command line: C:\Windows\system32\Icbpdmoi.exe; depth 67; PID 3092)
C:\Windows\SysWOW64\Iecmledg.exe (command line: C:\Windows\system32\Iecmledg.exe; depth 68; PID 5068)
C:\Windows\SysWOW64\Iehfgeqb.exe (command line: C:\Windows\system32\Iehfgeqb.exe; depth 69; PID 2952)
C:\Windows\SysWOW64\Ilbndoho.exe (command line: C:\Windows\system32\Ilbndoho.exe; depth 70; PID 1576)
- Drops file in System32 directory
C:\Windows\SysWOW64\Jejcmd32.exe (command line: C:\Windows\system32\Jejcmd32.exe; depth 71; PID 4624)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
C:\Windows\SysWOW64\Jldkjofl.exe (command line: C:\Windows\system32\Jldkjofl.exe; depth 72; PID 2852)
- Drops file in System32 directory
C:\Windows\SysWOW64\Jihkccef.exe (command line: C:\Windows\system32\Jihkccef.exe; depth 73; PID 3652)
C:\Windows\SysWOW64\Jpdqemjp.exe (command line: C:\Windows\system32\Jpdqemjp.exe; depth 74; PID 3232)
C:\Windows\SysWOW64\Jpgmkl32.exe (command line: C:\Windows\system32\Jpgmkl32.exe; depth 75; PID 4820)
C:\Windows\SysWOW64\Jlnnpmna.exe (command line: C:\Windows\system32\Jlnnpmna.exe; depth 76; PID 4188)
C:\Windows\SysWOW64\Klpkemlo.exe (command line: C:\Windows\system32\Klpkemlo.exe; depth 77; PID 3304)
C:\Windows\SysWOW64\Kbjcbgcl.exe (command line: C:\Windows\system32\Kbjcbgcl.exe; depth 78; PID 4660)
C:\Windows\SysWOW64\Klgqflfg.exe (command line: C:\Windows\system32\Klgqflfg.exe; depth 79; PID 1248)
C:\Windows\SysWOW64\Keoeoa32.exe (command line: C:\Windows\system32\Keoeoa32.exe; depth 80; PID 3400)
C:\Windows\SysWOW64\Klimllcd.exe (command line: C:\Windows\system32\Klimllcd.exe; depth 81; PID 4440)
C:\Windows\SysWOW64\Kbcehe32.exe (command line: C:\Windows\system32\Kbcehe32.exe; depth 82; PID 956)
C:\Windows\SysWOW64\Limnep32.exe (command line: C:\Windows\system32\Limnep32.exe; depth 83; PID 1960)
C:\Windows\SysWOW64\Lpgfbjjk.exe (command line: C:\Windows\system32\Lpgfbjjk.exe; depth 84; PID 3952)
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Lfanod32.exe (command line: C:\Windows\system32\Lfanod32.exe; depth 85; PID 3888)
C:\Windows\SysWOW64\Llnggk32.exe (command line: C:\Windows\system32\Llnggk32.exe; depth 86; PID 2808)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Lbhocegl.exe (command line: C:\Windows\system32\Lbhocegl.exe; depth 87; PID 2692)
C:\Windows\SysWOW64\Libgpooi.exe (command line: C:\Windows\system32\Libgpooi.exe; depth 88; PID 1860)
C:\Windows\SysWOW64\Ldgkmhno.exe (command line: C:\Windows\system32\Ldgkmhno.exe; depth 89; PID 1036)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Leihep32.exe (command line: C:\Windows\system32\Leihep32.exe; depth 90; PID 556)
C:\Windows\SysWOW64\Lpnlbi32.exe (command line: C:\Windows\system32\Lpnlbi32.exe; depth 91; PID 4428)
- Drops file in System32 directory
C:\Windows\SysWOW64\Lbmhod32.exe (command line: C:\Windows\system32\Lbmhod32.exe; depth 92; PID 1520)
C:\Windows\SysWOW64\Lifqkn32.exe (command line: C:\Windows\system32\Lifqkn32.exe; depth 93; PID 2320)
C:\Windows\SysWOW64\Lpqihhbp.exe (command line: C:\Windows\system32\Lpqihhbp.exe; depth 94; PID 464)
C:\Windows\SysWOW64\Mboeddad.exe (command line: C:\Windows\system32\Mboeddad.exe; depth 95; PID 4120)
C:\Windows\SysWOW64\Aqhccj32.exe (command line: C:\Windows\system32\Aqhccj32.exe; depth 96; PID 2904)
C:\Windows\SysWOW64\Cggnaabi.exe (command line: C:\Windows\system32\Cggnaabi.exe; depth 97; PID 3472)
C:\Windows\SysWOW64\Cmdfjhaq.exe (command line: C:\Windows\system32\Cmdfjhaq.exe; depth 98; PID 5064)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Dmkljgki.exe (command line: C:\Windows\system32\Dmkljgki.exe; depth 99; PID 1544)
C:\Windows\SysWOW64\Ikeacd32.exe (command line: C:\Windows\system32\Ikeacd32.exe; depth 100; PID 1160)
C:\Windows\SysWOW64\Kghjkahi.exe (command line: C:\Windows\system32\Kghjkahi.exe; depth 101; PID 1772)
- Drops file in System32 directory
C:\Windows\SysWOW64\Knabhk32.exe (command line: C:\Windows\system32\Knabhk32.exe; depth 102; PID 4512)
C:\Windows\SysWOW64\Kapodf32.exe (command line: C:\Windows\system32\Kapodf32.exe; depth 103; PID 4044)
C:\Windows\SysWOW64\Nkghehkg.exe (command line: C:\Windows\system32\Nkghehkg.exe; depth 104; PID 4980)
C:\Windows\SysWOW64\Naaqabbd.exe (command line: C:\Windows\system32\Naaqabbd.exe; depth 105; PID 828)
C:\Windows\SysWOW64\Nihhcocf.exe (command line: C:\Windows\system32\Nihhcocf.exe; depth 106; PID 4292)
C:\Windows\SysWOW64\Nkiejg32.exe (command line: C:\Windows\system32\Nkiejg32.exe; depth 107; PID 3732)
C:\Windows\SysWOW64\Obbjad32.exe (command line: C:\Windows\system32\Obbjad32.exe; depth 108; PID 1272)
C:\Windows\SysWOW64\Oeafmpfh.exe (command line: C:\Windows\system32\Oeafmpfh.exe; depth 109; PID 4328)
C:\Windows\SysWOW64\Oioocn32.exe (command line: C:\Windows\system32\Oioocn32.exe; depth 110; PID 2232)
C:\Windows\SysWOW64\Obgcldco.exe (command line: C:\Windows\system32\Obgcldco.exe; depth 111; PID 4308)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Oajchq32.exe (command line: C:\Windows\system32\Oajchq32.exe; depth 112; PID 3088)
C:\Windows\SysWOW64\Okbhqf32.exe (command line: C:\Windows\system32\Okbhqf32.exe; depth 113; PID 1832)
C:\Windows\SysWOW64\Objpbc32.exe (command line: C:\Windows\system32\Objpbc32.exe; depth 114; PID 4864)
C:\Windows\SysWOW64\Oehlno32.exe (command line: C:\Windows\system32\Oehlno32.exe; depth 115; PID 3968)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Ohfhjj32.exe (command line: C:\Windows\system32\Ohfhjj32.exe; depth 116; PID 3916)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Oejico32.exe (command line: C:\Windows\system32\Oejico32.exe; depth 117; PID 3036)
- Modifies registry class
C:\Windows\SysWOW64\Pkgaleme.exe (command line: C:\Windows\system32\Pkgaleme.exe; depth 118; PID 4284)
C:\Windows\SysWOW64\Phkbejko.exe (command line: C:\Windows\system32\Phkbejko.exe; depth 119; PID 4872)
C:\Windows\SysWOW64\Poejbd32.exe (command line: C:\Windows\system32\Poejbd32.exe; depth 120; PID 1068)
C:\Windows\SysWOW64\Phnokiil.exe (command line: C:\Windows\system32\Phnokiil.exe; depth 121; PID 1480)
- Modifies registry class
C:\Windows\SysWOW64\Pogggcai.exe (command line: C:\Windows\system32\Pogggcai.exe; depth 122; PID 3872)
- Modifies registry class