Analysis
max time kernel: 110s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/10/2023, 18:23
Static task
static1: 1 signatures

Behavioral task
behavioral1
Sample: NEAS.e36dac36c65608208d9fd6fbc6c5f088_JC.exe
Resource: win7-20230831-en
7 signatures, 150 seconds

Behavioral task
behavioral2
Sample: NEAS.e36dac36c65608208d9fd6fbc6c5f088_JC.exe
Resource: win10v2004-20230915-en
5 signatures, 150 seconds
General
Target: NEAS.e36dac36c65608208d9fd6fbc6c5f088_JC.exe
Size: 107KB
MD5: e36dac36c65608208d9fd6fbc6c5f088
SHA1: 6160ab930decf6b990983f6d0f92570dca779298
SHA256: 649d9b3db12caf683dc76c7e7085a9059d29c87d05545826da1f625228044820
SHA512: d40ca4259ef3617d5f1fec14ea490183bf879d92a6ff7f564254264ebcd3faf9f6c531b72fb6dd6a191e917df83dc24814a1542b8c52087c8ff5715cd410eca6
SSDEEP: 1536:MJs9pXn6vkGlLs2LZaIZTJ+7LhkiB0MPiKeEAgHD/Chx3y:MJs9pXokGlLlZaMU7uihJ5233y

Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hknkiokp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nibbklke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Anmjmojl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eodlad32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Moglkikl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Keinepch.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gimoce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bgbmdd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehlakjig.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Majoikof.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edhjji32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bchgnoai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bhdbaihi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbiakf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjhfjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bmlofhca.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obphenpj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahhbfkbf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bminokil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ikndpm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ckpjob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gkjocm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Miofcked.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mdddhlbl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lnoalehl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Docckfai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hpgkeodo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Biadoeib.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Faakickc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pohnhdog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ggilgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aqilaplo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kfpjgi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbhqdhnm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmangnmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hgmebnpd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bocjdiol.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Giqlbqcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjaqih32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjffngap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ifqoehhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghdaokfe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kkjejqcl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hoonjjgk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npfkqpjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gcddjiel.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfmigmgf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iddlccfp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mobbdf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onhhmpoo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qkakhakq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Habeni32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjdifibo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jklpakam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jqihjbod.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnbnchlb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emoaopnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ejennd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nleojlbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ogmidbal.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgfmeg32.exe
Executes dropped EXE (64 IoCs)

pid | process
4656 | Cibkohef.exe
4476 | Dllffa32.exe
3552 | Dmplkd32.exe
2344 | Egmjpi32.exe
4612 | Ecfhji32.exe
2900 | Fgfmeg32.exe
4732 | Fdadpk32.exe
4212 | Ggbmafnm.exe
3352 | Gnlenp32.exe
3092 | Gjebiq32.exe
576 | Gnckooob.exe
1368 | Hcembe32.exe
1656 | Hfefdpfe.exe
1728 | Ijjekn32.exe
3836 | Ijmapm32.exe
3944 | Jakchf32.exe
4552 | Khakqo32.exe
2356 | Kjfmminc.exe
1620 | Lennpb32.exe
2820 | Laglkb32.exe
1348 | Lmqiec32.exe
3244 | Mmcfkc32.exe
3924 | Mobbdf32.exe
3812 | Mdddhlbl.exe
1592 | Nhbmnj32.exe
5008 | Nonbqd32.exe
852 | Ndmgnkja.exe
2340 | Onhhmpoo.exe
3976 | Onjebpml.exe
1540 | Oolnabal.exe
3480 | Poagma32.exe
3176 | Pdnpeh32.exe
552 | Pdeffgff.exe
4932 | Qkakhakq.exe
2880 | Qbmpjkqk.exe
2136 | Abdfkj32.exe
4984 | Afboah32.exe
4404 | Bgfhnpde.exe
3068 | Bfieagka.exe
1660 | Cpklql32.exe
1552 | Deagoa32.exe
1264 | Dolinf32.exe
3848 | Doqbifpl.exe
968 | Eoekde32.exe
2756 | Efopjbjg.exe
2308 | Ebeapc32.exe
1652 | Flpbnh32.exe
3204 | Fgffka32.exe
2648 | Fepmgm32.exe
2692 | Gllajf32.exe
2556 | Glqkefff.exe
3580 | Ghgljg32.exe
3436 | Ggilgn32.exe
2596 | Hgmebnpd.exe
2248 | Hokgmpkl.exe
3380 | Hlogfd32.exe
4460 | Icminm32.exe
3592 | Ifqoehhl.exe
3324 | Iqfcbahb.exe
3584 | Kcbkpj32.exe
2480 | Kfcdaehf.exe
2392 | Kjamhd32.exe
1504 | Kciaqi32.exe
3460 | Kclnfi32.exe
Drops file in System32 directory (64 IoCs)

description | ioc | process
File created | C:\Windows\SysWOW64\Fmfhigmk.dll | Ofgmdf32.exe
File opened for modification | C:\Windows\SysWOW64\Kcbkpj32.exe | Iqfcbahb.exe
File created | C:\Windows\SysWOW64\Qibmoa32.exe | Pphlpl32.exe
File opened for modification | C:\Windows\SysWOW64\Egoomnin.exe | Ecoiapdj.exe
File created | C:\Windows\SysWOW64\Mcfqjihp.dll | Gmpcmkaa.exe
File opened for modification | C:\Windows\SysWOW64\Gqfohdjd.exe | Gjlfkj32.exe
File created | C:\Windows\SysWOW64\Cibkohef.exe | NEAS.e36dac36c65608208d9fd6fbc6c5f088_JC.exe
File created | C:\Windows\SysWOW64\Gnlenp32.exe | Ggbmafnm.exe
File opened for modification | C:\Windows\SysWOW64\Kblpnall.exe | Jidkek32.exe
File created | C:\Windows\SysWOW64\Pkhmll32.dll | Aedfdjdl.exe
File opened for modification | C:\Windows\SysWOW64\Llmpco32.exe | Knipik32.exe
File created | C:\Windows\SysWOW64\Ibjibg32.exe | Igedenca.exe
File created | C:\Windows\SysWOW64\Bmngjj32.exe | Bebbeh32.exe
File created | C:\Windows\SysWOW64\Fdopkhfk.exe | Fhhpfg32.exe
File created | C:\Windows\SysWOW64\Afjoeo32.dll | Hcjkje32.exe
File created | C:\Windows\SysWOW64\Dkljka32.exe | Ddbbngjb.exe
File opened for modification | C:\Windows\SysWOW64\Fkihgb32.exe | Qfepnmjn.exe
File opened for modification | C:\Windows\SysWOW64\Hakidd32.exe | Hlnqln32.exe
File created | C:\Windows\SysWOW64\Kfpjgi32.exe | Kkjejqcl.exe
File created | C:\Windows\SysWOW64\Maealn32.exe | Mlhidg32.exe
File opened for modification | C:\Windows\SysWOW64\Nkieab32.exe | Nelmik32.exe
File opened for modification | C:\Windows\SysWOW64\Oflkqc32.exe | Nfgbec32.exe
File opened for modification | C:\Windows\SysWOW64\Eoollocp.exe | Eefhcimp.exe
File created | C:\Windows\SysWOW64\Jgmobi32.dll | Jlkaahjg.exe
File opened for modification | C:\Windows\SysWOW64\Mefmbbod.exe | Bpodhf32.exe
File opened for modification | C:\Windows\SysWOW64\Aokceaoa.exe | Aoifoa32.exe
File opened for modification | C:\Windows\SysWOW64\Lnihod32.exe | Kbbhjc32.exe
File created | C:\Windows\SysWOW64\Gdngihbo.dll | Abdfkj32.exe
File opened for modification | C:\Windows\SysWOW64\Fnjmea32.exe | Fgqehgco.exe
File created | C:\Windows\SysWOW64\Jianpl32.exe | Jlkaahjg.exe
File opened for modification | C:\Windows\SysWOW64\Elncjc32.exe | Eceoanpo.exe
File created | C:\Windows\SysWOW64\Molefh32.exe | Miomnaip.exe
File created | C:\Windows\SysWOW64\Bfhabgce.dll | Faemjl32.exe
File created | C:\Windows\SysWOW64\Cddjofbj.exe | Cklffq32.exe
File opened for modification | C:\Windows\SysWOW64\Hdodeedi.exe | Hcjkje32.exe
File created | C:\Windows\SysWOW64\Nphhfp32.exe | Nebdighb.exe
File opened for modification | C:\Windows\SysWOW64\Miomnaip.exe | Mimphakb.exe
File created | C:\Windows\SysWOW64\Mhkihabc.dll | Nfhfbedd.exe
File opened for modification | C:\Windows\SysWOW64\Nhnlelfm.exe | Ngmpmd32.exe
File created | C:\Windows\SysWOW64\Jkggfeam.dll | Liofdigo.exe
File opened for modification | C:\Windows\SysWOW64\Ibnlbm32.exe | Ighhed32.exe
File opened for modification | C:\Windows\SysWOW64\Llcoihmb.exe | Lankloml.exe
File opened for modification | C:\Windows\SysWOW64\Bgfhnpde.exe | Afboah32.exe
File created | C:\Windows\SysWOW64\Bojohp32.exe | Qibfdkgh.exe
File created | C:\Windows\SysWOW64\Cokgonmp.exe | Cjnoggoh.exe
File created | C:\Windows\SysWOW64\Ngedbp32.exe | Nddkaddm.exe
File created | C:\Windows\SysWOW64\Cieddjdp.dll | Ocihqc32.exe
File created | C:\Windows\SysWOW64\Jdpkoalc.exe | Jjjgbhlm.exe
File opened for modification | C:\Windows\SysWOW64\Eefhcimp.exe | Elncjc32.exe
File opened for modification | C:\Windows\SysWOW64\Mjfoja32.exe | Mankaked.exe
File opened for modification | C:\Windows\SysWOW64\Aqilaplo.exe | Qjeaog32.exe
File created | C:\Windows\SysWOW64\Ajggjq32.exe | Qckbggad.exe
File created | C:\Windows\SysWOW64\Fjccel32.exe | Fomohc32.exe
File created | C:\Windows\SysWOW64\Dfemnonh.dll | Lcmopeae.exe
File created | C:\Windows\SysWOW64\Hdhjqnap.dll | Majoikof.exe
File created | C:\Windows\SysWOW64\Ohkbldfa.exe | Oocmcn32.exe
File created | C:\Windows\SysWOW64\Lcnkli32.exe | Kclnfi32.exe
File created | C:\Windows\SysWOW64\Gjikhb32.dll | Fhdocc32.exe
File opened for modification | C:\Windows\SysWOW64\Fhfenmbe.exe | Egoomnin.exe
File opened for modification | C:\Windows\SysWOW64\Hmolbene.exe | Gcggjp32.exe
File created | C:\Windows\SysWOW64\Jghlgd32.dll | Nddkaddm.exe
File created | C:\Windows\SysWOW64\Aloekjod.exe | Abfqbdhd.exe
File created | C:\Windows\SysWOW64\Hdmecdlh.exe | Abhqolee.exe
File created | C:\Windows\SysWOW64\Jckcfocl.dll | Ifhibhfc.exe
Modifies registry class (64 IoCs)

description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hokgmpkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Abkjnd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eoollocp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ighnpeig.dll" | Dhjcdimf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ljoiibbm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjddb32.dll" | Hdodeedi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhhflhc.dll" | Epjfehbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmjjlh32.dll" | Ikjapden.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkbcppg.dll" | Gijedm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjbocfb.dll" | Gcggjp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mbpdkabl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmldgdc.dll" | Ikhghi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lcmopeae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ifglmlol.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ajggjq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ejcaidlp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Llmpco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdoijp32.dll" | Ffjdjmpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jfalhgni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhdphl32.dll" | Ageofe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcanghgh.dll" | Faakickc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjbefac.dll" | Hfmigmgf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kbbhjc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekpll32.dll" | Fgegdc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conpjg32.dll" | Gllajf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fomohc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aokken32.dll" | Aclpkffa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Malgmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ganjgf32.dll" | Hlogfd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqpjdj32.dll" | Mbcjimda.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nepgcgje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqimje32.dll" | Loeoei32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Igedenca.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gcggjp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bldogjib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbfglg32.dll" | Qbddmejf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnfgdnn.dll" | Pdkcnklf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Epoplk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gllajf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iqklhd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbhpjd32.dll" | Kjffngap.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Poodicio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najgqoje.dll" | Fdiohnek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gogjflhf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeamacob.dll" | Obcled32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jckcfocl.dll" | Ifhibhfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bfhhho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapnokng.dll" | Bjaqih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdaif32.dll" | Falcli32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bbemdb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Flpbnh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Giqlbqcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieebmf32.dll" | Eoneah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mfejme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnoido32.dll" | Aifdcgcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pldnki32.dll" | Ijmapm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mikiin32.dll" | Lfnfhg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Faakickc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nnkioq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naoplkpo.dll" | Nnmfdpni.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Abnnnjfh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jghlgd32.dll" | Nddkaddm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jigdoglm.exe
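The "Adds autorun key" and "Modifies registry class" tables describe one persistence mechanism in two halves: the value "Web Event Logger" under ShellServiceObjectDelayLoad names CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and the InProcServer32 key for that CLSID points at a DLL under SysWow64, so Explorer.exe loads that DLL every time a user logs on. The script below is an added example, not part of the tria.ge report or the sample; it parses rows in the report's row format, joins each SSODL value to the InProcServer32 path registered for its CLSID, and flags entries whose CLSID is missing from a clean-image baseline. The sample rows are copied from the two tables above; the baseline allowlist is an assumption the reader populates from a known-good host.

```python
import re

# Registry paths as the sandbox report renders them (case differs between rows).
SSODL_KEY = r"\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# One report row: <action> <registry path>[ = "<data>"] <process>
ROW_RE = re.compile(
    r'^(?P<action>Key created|Set value \(str\)) '
    r'(?P<path>\\REGISTRY\\.*?)'
    r'(?: = "(?P<data>[^"]*)")? '
    r'(?P<process>\S+\.exe|Process not Found)$'
)


def parse_row(row: str) -> dict:
    """Split one registry IoC row into action, key path, value name, data and writing process."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    path = m.group("path")
    if m.group("action") == "Key created":
        key, value_name = path, None
    else:
        # Last path component is the value name; a trailing "\" means the (Default) value.
        key, _, value_name = path.rpartition("\\")
    data = m.group("data")
    if data is not None:
        data = data.replace("\\\\", "\\")   # the report doubles backslashes inside quoted data
    return {"action": m.group("action"), "key": key, "value": value_name,
            "data": data, "process": m.group("process")}


def resolve_ssodl(rows):
    """Join SSODL entries to the InProcServer32 DLL(s) registered for the CLSID each one names."""
    clsid_dlls = {}   # CLSID -> set of DLL paths written as InProcServer32 (Default)
    entries = {}      # (value name, CLSID) -> set of processes that wrote the SSODL value
    for r in map(parse_row, rows):
        if r["action"] != "Set value (str)":
            continue  # "Key created" rows carry no data to correlate
        if r["key"].lower().endswith(SSODL_KEY.lower()):
            g = GUID_RE.fullmatch(r["data"] or "")
            if g:
                entries.setdefault((r["value"], g.group(0).upper()), set()).add(r["process"])
        elif r["key"].lower().endswith("\\inprocserver32") and r["value"] == "":
            g = GUID_RE.search(r["key"])
            if g:
                clsid_dlls.setdefault(g.group(0).upper(), set()).add(r["data"])
    return [{"name": name, "clsid": clsid,
             "dlls": sorted(clsid_dlls.get(clsid, ())),
             "written_by": sorted(procs)}
            for (name, clsid), procs in entries.items()]


def hunt(rows, baseline_clsids=frozenset()):
    """Return every SSODL entry whose CLSID is not in the clean-image baseline (assumed allowlist)."""
    baseline = {c.upper() for c in baseline_clsids}
    return [e for e in resolve_ssodl(rows) if e["clsid"] not in baseline]


# Constructed sample: seven rows copied verbatim from the report's two registry tables.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hknkiokp.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nibbklke.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anmjmojl.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hokgmpkl.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abkjnd32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ighnpeig.dll" Dhjcdimf.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjddb32.dll" Hdodeedi.exe',
]

if __name__ == "__main__":
    for e in hunt(SAMPLE_ROWS):
        print(f'SSODL "{e["name"]}" -> {e["clsid"]} -> {e["dlls"]} (written by {e["written_by"]})')
```

On a live host only the last InProcServer32 write survives, so after resolving the CLSID the hunt should also hash whatever DLL is currently on disk at that path; the sandbox sees many different DLL names only because every generation of the worm re-registers the same CLSID.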
Suspicious use of WriteProcessMemory (64 IoCs)

Each parent-to-child hand-off is logged as three WriteProcessMemory events; the events column gives the number of rows for that pair.

description | pid | process | procid_target | events
PID 4640 wrote to memory of 4656 | 4640 | NEAS.e36dac36c65608208d9fd6fbc6c5f088_JC.exe | 85 | 3
PID 4656 wrote to memory of 4476 | 4656 | Cibkohef.exe | 86 | 3
PID 4476 wrote to memory of 3552 | 4476 | Dllffa32.exe | 87 | 3
PID 3552 wrote to memory of 2344 | 3552 | Dmplkd32.exe | 88 | 3
PID 2344 wrote to memory of 4612 | 2344 | Egmjpi32.exe | 89 | 3
PID 4612 wrote to memory of 2900 | 4612 | Ecfhji32.exe | 90 | 3
PID 2900 wrote to memory of 4732 | 2900 | Fgfmeg32.exe | 91 | 3
PID 4732 wrote to memory of 4212 | 4732 | Fdadpk32.exe | 92 | 3
PID 4212 wrote to memory of 3352 | 4212 | Ggbmafnm.exe | 93 | 3
PID 3352 wrote to memory of 3092 | 3352 | Gnlenp32.exe | 94 | 3
PID 3092 wrote to memory of 576 | 3092 | Gjebiq32.exe | 95 | 3
PID 576 wrote to memory of 1368 | 576 | Gnckooob.exe | 96 | 3
PID 1368 wrote to memory of 1656 | 1368 | Hcembe32.exe | 97 | 3
PID 1656 wrote to memory of 1728 | 1656 | Hfefdpfe.exe | 98 | 3
PID 1728 wrote to memory of 3836 | 1728 | Ijjekn32.exe | 99 | 3
PID 3836 wrote to memory of 3944 | 3836 | Ijmapm32.exe | 100 | 3
PID 3944 wrote to memory of 4552 | 3944 | Jakchf32.exe | 101 | 3
PID 4552 wrote to memory of 2356 | 4552 | Khakqo32.exe | 102 | 3
PID 2356 wrote to memory of 1620 | 2356 | Kjfmminc.exe | 103 | 3
PID 1620 wrote to memory of 2820 | 1620 | Lennpb32.exe | 104 | 3
PID 2820 wrote to memory of 1348 | 2820 | Laglkb32.exe | 105 | 3
PID 1348 wrote to memory of 3244 | 1348 | Lmqiec32.exe | 106 | 1
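The WriteProcessMemory rows are the sandbox's view of each dropped executable spawning the next one, and the table shows three rows per hop. The script below is an added example, not part of the tria.ge report; it collapses the rows into unique parent-to-child edges, names each PID from the "Executes dropped EXE" table, and checks the "Drops file in System32 directory" table to confirm the drop-then-execute pattern of this worm. The sample rows are copied from the tables above but cover only the first three hops and three drop rows, so a False in dropped_by_parent here only means the matching drop row is not in the supplied subset.

```python
import re
from collections import Counter, defaultdict

# Sandbox row: "PID <parent> wrote to memory of <child> <parent> <parent image> <target index>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
# "Executes dropped EXE" row: "<pid> <image>"
EXEC_RE = re.compile(r"^(\d+) (\S+)$")
# "Drops file in System32 directory" row: "<action> <path> <process>"
DROP_RE = re.compile(r"^(File created|File opened for modification) (\S+) (\S+)$")


def parse_edges(wpm_rows):
    """Collapse repeated WriteProcessMemory rows into unique parent->child edges."""
    children = defaultdict(list)   # parent pid -> child pids in first-seen order
    images = {}                    # parent pid -> image name printed on the row
    events = Counter()             # (parent, child) -> number of rows seen
    for row in wpm_rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        parent, child, pid, image, _target = m.groups()
        if parent != pid:
            raise ValueError(f"pid column disagrees with description: {row!r}")
        parent, child = int(parent), int(child)
        if child not in children[parent]:
            children[parent].append(child)
        images[parent] = image
        events[(parent, child)] += 1
    return children, images, events


def parse_exec(exec_rows):
    """pid -> image for every dropped EXE the sandbox saw run."""
    names = {}
    for row in exec_rows:
        m = EXEC_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        names[int(m.group(1))] = m.group(2)
    return names


def parse_drops(drop_rows):
    """(dropper image, dropped file name) for every 'File created' row."""
    pairs = set()
    for row in drop_rows:
        m = DROP_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        action, path, dropper = m.groups()
        if action == "File created":
            pairs.add((dropper, path.rsplit("\\", 1)[-1]))
    return pairs


def spawn_chain(root, wpm_rows, exec_rows, drop_rows):
    """Depth-first list of hops from root: who spawned what, how many WPM rows, and whether
    the child's image was dropped into System32 by its own parent."""
    children, images, events = parse_edges(wpm_rows)
    names = {**parse_exec(exec_rows), **images}   # WPM rows also name the root process
    drops = parse_drops(drop_rows)
    hops = []

    def walk(parent, depth):
        for child in children.get(parent, []):
            hops.append({
                "depth": depth,
                "parent": (parent, names.get(parent, "?")),
                "child": (child, names.get(child, "?")),
                "events": events[(parent, child)],
                "dropped_by_parent": (names.get(parent), names.get(child)) in drops,
            })
            walk(child, depth + 1)

    walk(root, 1)
    return hops


# Constructed sample: rows copied from the report, first three hops only.
SAMPLE_WPM = (
    ["PID 4640 wrote to memory of 4656 4640 NEAS.e36dac36c65608208d9fd6fbc6c5f088_JC.exe 85"] * 3
    + ["PID 4656 wrote to memory of 4476 4656 Cibkohef.exe 86"] * 3
    + ["PID 4476 wrote to memory of 3552 4476 Dllffa32.exe 87"] * 3
)
SAMPLE_EXEC = ["4656 Cibkohef.exe", "4476 Dllffa32.exe", "3552 Dmplkd32.exe"]
SAMPLE_DROPS = [
    r"File created C:\Windows\SysWOW64\Cibkohef.exe NEAS.e36dac36c65608208d9fd6fbc6c5f088_JC.exe",
    r"File opened for modification C:\Windows\SysWOW64\Kcbkpj32.exe Iqfcbahb.exe",
    r"File created C:\Windows\SysWOW64\Gnlenp32.exe Ggbmafnm.exe",
]

if __name__ == "__main__":
    for h in spawn_chain(4640, SAMPLE_WPM, SAMPLE_EXEC, SAMPLE_DROPS):
        print(f'{"  " * h["depth"]}{h["parent"][1]} ({h["parent"][0]}) -> '
              f'{h["child"][1]} ({h["child"][0]}), {h["events"]} WPM events, '
              f'dropped by parent: {h["dropped_by_parent"]}')
```

Fed the full 64-row tables, the same walk yields the 22-hop linear chain that the Processes section below renders one level at a time.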
Processes
Each entry gives the nesting level in the process tree, the PID, the image path, the recorded command line, and the signatures tria.ge attached to that process.

- Level 1 (PID 4640): C:\Users\Admin\AppData\Local\Temp\NEAS.e36dac36c65608208d9fd6fbc6c5f088_JC.exe, command line "C:\Users\Admin\AppData\Local\Temp\NEAS.e36dac36c65608208d9fd6fbc6c5f088_JC.exe"; signatures: Drops file in System32 directory, Suspicious use of WriteProcessMemory
- Level 2 (PID 4656): C:\Windows\SysWOW64\Cibkohef.exe, command line C:\Windows\system32\Cibkohef.exe; signatures: Executes dropped EXE, Suspicious use of WriteProcessMemory
- Level 3 (PID 4476): C:\Windows\SysWOW64\Dllffa32.exe, command line C:\Windows\system32\Dllffa32.exe; signatures: Executes dropped EXE, Suspicious use of WriteProcessMemory
- Level 4 (PID 3552): C:\Windows\SysWOW64\Dmplkd32.exe, command line C:\Windows\system32\Dmplkd32.exe; signatures: Executes dropped EXE, Suspicious use of WriteProcessMemory
- Level 5 (PID 2344): C:\Windows\SysWOW64\Egmjpi32.exe, command line C:\Windows\system32\Egmjpi32.exe; signatures: Executes dropped EXE, Suspicious use of WriteProcessMemory
- Level 6 (PID 4612): C:\Windows\SysWOW64\Ecfhji32.exe, command line C:\Windows\system32\Ecfhji32.exe; signatures: Executes dropped EXE, Suspicious use of WriteProcessMemory
- Level 7 (PID 2900): C:\Windows\SysWOW64\Fgfmeg32.exe, command line C:\Windows\system32\Fgfmeg32.exe; signatures: Adds autorun key to be loaded by Explorer.exe on startup, Executes dropped EXE, Suspicious use of WriteProcessMemory
- Level 8 (PID 4732): C:\Windows\SysWOW64\Fdadpk32.exe, command line C:\Windows\system32\Fdadpk32.exe; signatures: Executes dropped EXE, Suspicious use of WriteProcessMemory
- Level 9 (PID 4212): C:\Windows\SysWOW64\Ggbmafnm.exe, command line C:\Windows\system32\Ggbmafnm.exe; signatures: Executes dropped EXE, Drops file in System32 directory, Suspicious use of WriteProcessMemory
- Level 10 (PID 3352): C:\Windows\SysWOW64\Gnlenp32.exe, command line C:\Windows\system32\Gnlenp32.exe; signatures: Executes dropped EXE, Suspicious use of WriteProcessMemory
- Level 11 (PID 3092): C:\Windows\SysWOW64\Gjebiq32.exe, command line C:\Windows\system32\Gjebiq32.exe; signatures: Executes dropped EXE, Suspicious use of WriteProcessMemory
- Level 12 (PID 576): C:\Windows\SysWOW64\Gnckooob.exe, command line C:\Windows\system32\Gnckooob.exe; signatures: Executes dropped EXE, Suspicious use of WriteProcessMemory
- Level 13 (PID 1368): C:\Windows\SysWOW64\Hcembe32.exe, command line C:\Windows\system32\Hcembe32.exe; signatures: Executes dropped EXE, Suspicious use of WriteProcessMemory
- Level 14 (PID 1656): C:\Windows\SysWOW64\Hfefdpfe.exe, command line C:\Windows\system32\Hfefdpfe.exe; signatures: Executes dropped EXE, Suspicious use of WriteProcessMemory
- Level 15 (PID 1728): C:\Windows\SysWOW64\Ijjekn32.exe, command line C:\Windows\system32\Ijjekn32.exe; signatures: Executes dropped EXE, Suspicious use of WriteProcessMemory
- Level 16 (PID 3836): C:\Windows\SysWOW64\Ijmapm32.exe, command line C:\Windows\system32\Ijmapm32.exe; signatures: Executes dropped EXE, Modifies registry class, Suspicious use of WriteProcessMemory
- Level 17 (PID 3944): C:\Windows\SysWOW64\Jakchf32.exe, command line C:\Windows\system32\Jakchf32.exe; signatures: Executes dropped EXE, Suspicious use of WriteProcessMemory
- Level 18 (PID 4552): C:\Windows\SysWOW64\Khakqo32.exe, command line C:\Windows\system32\Khakqo32.exe; signatures: Executes dropped EXE, Suspicious use of WriteProcessMemory
- Level 19 (PID 2356): C:\Windows\SysWOW64\Kjfmminc.exe, command line C:\Windows\system32\Kjfmminc.exe; signatures: Executes dropped EXE, Suspicious use of WriteProcessMemory
- Level 20 (PID 1620): C:\Windows\SysWOW64\Lennpb32.exe, command line C:\Windows\system32\Lennpb32.exe; signatures: Executes dropped EXE, Suspicious use of WriteProcessMemory
- Level 21 (PID 2820): C:\Windows\SysWOW64\Laglkb32.exe, command line C:\Windows\system32\Laglkb32.exe; signatures: Executes dropped EXE, Suspicious use of WriteProcessMemory
- Level 22 (PID 1348): C:\Windows\SysWOW64\Lmqiec32.exe, command line C:\Windows\system32\Lmqiec32.exe; signatures: Executes dropped EXE, Suspicious use of WriteProcessMemory
- Level 23 (PID 3244): C:\Windows\SysWOW64\Mmcfkc32.exe, command line C:\Windows\system32\Mmcfkc32.exe; signatures: Executes dropped EXE
- Level 24 (PID 3924): C:\Windows\SysWOW64\Mobbdf32.exe, command line C:\Windows\system32\Mobbdf32.exe; signatures: Adds autorun key to be loaded by Explorer.exe on startup, Executes dropped EXE
- Level 25 (PID 3812): C:\Windows\SysWOW64\Mdddhlbl.exe, command line C:\Windows\system32\Mdddhlbl.exe; signatures: Adds autorun key to be loaded by Explorer.exe on startup, Executes dropped EXE
- Level 26 (PID 1592): C:\Windows\SysWOW64\Nhbmnj32.exe, command line C:\Windows\system32\Nhbmnj32.exe; signatures: Executes dropped EXE
- Level 27 (PID 5008): C:\Windows\SysWOW64\Nonbqd32.exe, command line C:\Windows\system32\Nonbqd32.exe; signatures: Executes dropped EXE
- Level 28 (PID 852): C:\Windows\SysWOW64\Ndmgnkja.exe, command line C:\Windows\system32\Ndmgnkja.exe; signatures: Executes dropped EXE
- Level 29 (PID 2340): C:\Windows\SysWOW64\Onhhmpoo.exe, command line C:\Windows\system32\Onhhmpoo.exe; signatures: Adds autorun key to be loaded by Explorer.exe on startup, Executes dropped EXE
- Level 30 (PID 3976): C:\Windows\SysWOW64\Onjebpml.exe, command line C:\Windows\system32\Onjebpml.exe; signatures: Executes dropped EXE
- Level 31 (PID 1540): C:\Windows\SysWOW64\Oolnabal.exe, command line C:\Windows\system32\Oolnabal.exe; signatures: Executes dropped EXE
- Level 32 (PID 3480): C:\Windows\SysWOW64\Poagma32.exe, command line C:\Windows\system32\Poagma32.exe; signatures: Executes dropped EXE
- Level 33 (PID 3176): C:\Windows\SysWOW64\Pdnpeh32.exe, command line C:\Windows\system32\Pdnpeh32.exe; signatures: Executes dropped EXE
- Level 34 (PID 552): C:\Windows\SysWOW64\Pdeffgff.exe, command line C:\Windows\system32\Pdeffgff.exe; signatures: Executes dropped EXE
- Level 35 (PID 4932): C:\Windows\SysWOW64\Qkakhakq.exe, command line C:\Windows\system32\Qkakhakq.exe; signatures: Adds autorun key to be loaded by Explorer.exe on startup, Executes dropped EXE
- Level 36 (PID 2880): C:\Windows\SysWOW64\Qbmpjkqk.exe, command line C:\Windows\system32\Qbmpjkqk.exe; signatures: Executes dropped EXE
- Level 37 (PID 2136): C:\Windows\SysWOW64\Abdfkj32.exe, command line C:\Windows\system32\Abdfkj32.exe; signatures: Executes dropped EXE, Drops file in System32 directory
- Level 38 (PID 4984): C:\Windows\SysWOW64\Afboah32.exe, command line C:\Windows\system32\Afboah32.exe; signatures: Executes dropped EXE, Drops file in System32 directory
- Level 39 (PID 4404): C:\Windows\SysWOW64\Bgfhnpde.exe, command line C:\Windows\system32\Bgfhnpde.exe; signatures: Executes dropped EXE
- Level 40 (PID 3068): C:\Windows\SysWOW64\Bfieagka.exe, command line C:\Windows\system32\Bfieagka.exe; signatures: Executes dropped EXE
- Level 41 (PID 1660): C:\Windows\SysWOW64\Cpklql32.exe, command line C:\Windows\system32\Cpklql32.exe; signatures: Executes dropped EXE
- Level 42 (PID 1552): C:\Windows\SysWOW64\Deagoa32.exe, command line C:\Windows\system32\Deagoa32.exe; signatures: Executes dropped EXE
- Level 43 (PID 1264): C:\Windows\SysWOW64\Dolinf32.exe, command line C:\Windows\system32\Dolinf32.exe; signatures: Executes dropped EXE
- Level 44 (PID 3848): C:\Windows\SysWOW64\Doqbifpl.exe, command line C:\Windows\system32\Doqbifpl.exe; signatures: Executes dropped EXE
- Level 45 (PID 968): C:\Windows\SysWOW64\Eoekde32.exe, command line C:\Windows\system32\Eoekde32.exe; signatures: Executes dropped EXE
- Level 46 (PID 2756): C:\Windows\SysWOW64\Efopjbjg.exe, command line C:\Windows\system32\Efopjbjg.exe; signatures: Executes dropped EXE
- Level 47 (PID 2308): C:\Windows\SysWOW64\Ebeapc32.exe, command line C:\Windows\system32\Ebeapc32.exe; signatures: Executes dropped EXE
- Level 48 (PID 1652): C:\Windows\SysWOW64\Flpbnh32.exe, command line C:\Windows\system32\Flpbnh32.exe; signatures: Executes dropped EXE, Modifies registry class
- Level 49 (PID 3204): C:\Windows\SysWOW64\Fgffka32.exe, command line C:\Windows\system32\Fgffka32.exe; signatures: Executes dropped EXE
- Level 50 (PID 2648): C:\Windows\SysWOW64\Fepmgm32.exe, command line C:\Windows\system32\Fepmgm32.exe; signatures: Executes dropped EXE
- Level 51 (PID 2692): C:\Windows\SysWOW64\Gllajf32.exe, command line C:\Windows\system32\Gllajf32.exe; signatures: Executes dropped EXE, Modifies registry class
- Level 52 (PID 2556): C:\Windows\SysWOW64\Glqkefff.exe, command line C:\Windows\system32\Glqkefff.exe; signatures: Executes dropped EXE
- Level 53 (PID 3580): C:\Windows\SysWOW64\Ghgljg32.exe, command line C:\Windows\system32\Ghgljg32.exe; signatures: Executes dropped EXE
- Level 54 (PID 3436): C:\Windows\SysWOW64\Ggilgn32.exe, command line C:\Windows\system32\Ggilgn32.exe; signatures: Adds autorun key to be loaded by Explorer.exe on startup, Executes dropped EXE
- Level 55 (PID 2596): C:\Windows\SysWOW64\Hgmebnpd.exe, command line C:\Windows\system32\Hgmebnpd.exe; signatures: Adds autorun key to be loaded by Explorer.exe on startup, Executes dropped EXE
- Level 56 (PID 2248): C:\Windows\SysWOW64\Hokgmpkl.exe, command line C:\Windows\system32\Hokgmpkl.exe; signatures: Executes dropped EXE, Modifies registry class
- Level 57 (PID 3380): C:\Windows\SysWOW64\Hlogfd32.exe, command line C:\Windows\system32\Hlogfd32.exe; signatures: Executes dropped EXE, Modifies registry class
- Level 58 (PID 4460): C:\Windows\SysWOW64\Icminm32.exe, command line C:\Windows\system32\Icminm32.exe; signatures: Executes dropped EXE
- Level 59 (PID 3592): C:\Windows\SysWOW64\Ifqoehhl.exe, command line C:\Windows\system32\Ifqoehhl.exe; signatures: Adds autorun key to be loaded by Explorer.exe on startup, Executes dropped EXE
- Level 60 (PID 3324): C:\Windows\SysWOW64\Iqfcbahb.exe, command line C:\Windows\system32\Iqfcbahb.exe; signatures: Executes dropped EXE, Drops file in System32 directory
- Level 61 (PID 3584): C:\Windows\SysWOW64\Kcbkpj32.exe, command line C:\Windows\system32\Kcbkpj32.exe; signatures: Executes dropped EXE
- Level 62 (PID 2480): C:\Windows\SysWOW64\Kfcdaehf.exe, command line C:\Windows\system32\Kfcdaehf.exe; signatures: Executes dropped EXE
- Level 63 (PID 2392): C:\Windows\SysWOW64\Kjamhd32.exe, command line C:\Windows\system32\Kjamhd32.exe; signatures: Executes dropped EXE
- Level 64 (PID 1504): C:\Windows\SysWOW64\Kciaqi32.exe, command line C:\Windows\system32\Kciaqi32.exe; signatures: Executes dropped EXE
- Level 65 (PID 3460): C:\Windows\SysWOW64\Kclnfi32.exe, command line C:\Windows\system32\Kclnfi32.exe; signatures: Executes dropped EXE, Drops file in System32 directory
- Level 66 (PID 3064): C:\Windows\SysWOW64\Lcnkli32.exe, command line C:\Windows\system32\Lcnkli32.exe; no signatures recorded
- Level 67 (PID 3052): C:\Windows\SysWOW64\Ljoiibbm.exe, command line C:\Windows\system32\Ljoiibbm.exe; signatures: Modifies registry class
- Level 68 (PID 2940): C:\Windows\SysWOW64\Mankaked.exe, command line C:\Windows\system32\Mankaked.exe; signatures: Drops file in System32 directory
- Level 69 (PID 4712): C:\Windows\SysWOW64\Mjfoja32.exe, command line C:\Windows\system32\Mjfoja32.exe; no signatures recorded
- Level 70 (PID 3292): C:\Windows\SysWOW64\Miklkm32.exe, command line C:\Windows\system32\Miklkm32.exe; no signatures recorded
- Level 71 (PID 3820): C:\Windows\SysWOW64\Nibbklke.exe, command line C:\Windows\system32\Nibbklke.exe; signatures: Adds autorun key to be loaded by Explorer.exe on startup
- Level 72 (PID 700): C:\Windows\SysWOW64\Naqqmieo.exe, command line C:\Windows\system32\Naqqmieo.exe; no signatures recorded
- Level 73 (PID 5104): C:\Windows\SysWOW64\Oiqomj32.exe, command line C:\Windows\system32\Oiqomj32.exe; no signatures recorded
- Level 74 (PID 4148): C:\Windows\SysWOW64\Okpkgm32.exe, command line C:\Windows\system32\Okpkgm32.exe; no signatures recorded
- Level 75 (PID 3744): C:\Windows\SysWOW64\Okbhlm32.exe, command line C:\Windows\system32\Okbhlm32.exe; no signatures recorded
- Level 76 (PID 3916): C:\Windows\SysWOW64\Pdofpb32.exe, command line C:\Windows\system32\Pdofpb32.exe; no signatures recorded
- Level 77 (PID 3144): C:\Windows\SysWOW64\Pkinmlnm.exe, command line C:\Windows\system32\Pkinmlnm.exe; no signatures recorded
- Level 78 (PID 4980): C:\Windows\SysWOW64\Qjeaog32.exe, command line C:\Windows\system32\Qjeaog32.exe; signatures: Drops file in System32 directory
- Level 79 (PID 4852): C:\Windows\SysWOW64\Aqilaplo.exe, command line C:\Windows\system32\Aqilaplo.exe; signatures: Adds autorun key to be loaded by Explorer.exe on startup
- Level 80 (PID 1216): C:\Windows\SysWOW64\Bqkigp32.exe, command line C:\Windows\system32\Bqkigp32.exe; no signatures recorded
- Level 81 (PID 2796): C:\Windows\SysWOW64\Bbpolb32.exe, command line C:\Windows\system32\Bbpolb32.exe; no signatures recorded
- Level 82 (PID 660): C:\Windows\SysWOW64\Cnpbgajc.exe, command line C:\Windows\system32\Cnpbgajc.exe; no signatures recorded
- Level 83 (PID 4028): C:\Windows\SysWOW64\Ckcbaf32.exe, command line C:\Windows\system32\Ckcbaf32.exe; no signatures recorded
- Level 84 (PID 4512): C:\Windows\SysWOW64\Dnienqbi.exe, command line C:\Windows\system32\Dnienqbi.exe; no signatures recorded
- Level 85 (PID 3172): C:\Windows\SysWOW64\Ejdonq32.exe, command line C:\Windows\system32\Ejdonq32.exe; no signatures recorded
- Level 86 (PID 4624): C:\Windows\SysWOW64\Flmonbbp.exe, command line C:\Windows\system32\Flmonbbp.exe; no signatures recorded
- Level 87 (PID 444): C:\Windows\SysWOW64\Fhdocc32.exe, command line C:\Windows\system32\Fhdocc32.exe; signatures: Drops file in System32 directory
- Level 88 (PID 2484): C:\Windows\SysWOW64\Falcli32.exe, command line C:\Windows\system32\Falcli32.exe; signatures: Modifies registry class
- Level 89 (PID 1320): C:\Windows\SysWOW64\Faopah32.exe, command line C:\Windows\system32\Faopah32.exe; no signatures recorded
- Level 90 (PID 4220): C:\Windows\SysWOW64\Gogjflhf.exe, command line C:\Windows\system32\Gogjflhf.exe; signatures: Modifies registry class
- Level 91 (PID 1324): C:\Windows\SysWOW64\Gimoce32.exe, command line C:\Windows\system32\Gimoce32.exe; signatures: Adds autorun key to be loaded by Explorer.exe on startup
- Level 92 (PID 316): C:\Windows\SysWOW64\Gahcgg32.exe, command line C:\Windows\system32\Gahcgg32.exe; no signatures recorded
- Level 93 (PID 3732): C:\Windows\SysWOW64\Gajpmg32.exe, command line C:\Windows\system32\Gajpmg32.exe; no signatures recorded
- Level 94 (PID 1412): C:\Windows\SysWOW64\Gkcdfl32.exe, command line C:\Windows\system32\Gkcdfl32.exe; no signatures recorded
- Level 95 (PID 468): C:\Windows\SysWOW64\Gekeie32.exe, command line C:\Windows\system32\Gekeie32.exe; no signatures recorded
- Level 96 (PID 4412): C:\Windows\SysWOW64\Hiinoc32.exe, command line C:\Windows\system32\Hiinoc32.exe; no signatures recorded
- Level 97 (PID 1864): C:\Windows\SysWOW64\Hlnqln32.exe, command line C:\Windows\system32\Hlnqln32.exe; signatures: Drops file in System32 directory
- Level 98 (PID 4092): C:\Windows\SysWOW64\Hakidd32.exe, command line C:\Windows\system32\Hakidd32.exe; no signatures recorded
- Level 99 (PID 2244): C:\Windows\SysWOW64\Ikhghi32.exe, command line C:\Windows\system32\Ikhghi32.exe; signatures: Modifies registry class
- Level 100 (PID 4804): C:\Windows\SysWOW64\Kmmedi32.exe, command line C:\Windows\system32\Kmmedi32.exe; no signatures recorded
- Level 101 (PID 1432): C:\Windows\SysWOW64\Kcfnqccd.exe, command line C:\Windows\system32\Kcfnqccd.exe; no signatures recorded
- Level 102 (PID 568): C:\Windows\SysWOW64\Kjqfmn32.exe, command line C:\Windows\system32\Kjqfmn32.exe; no signatures recorded
- Level 103 (PID 3164): C:\Windows\SysWOW64\Lkflpe32.exe, command line C:\Windows\system32\Lkflpe32.exe; no signatures recorded
- Level 104 (PID 1812): C:\Windows\SysWOW64\Limioiia.exe, command line C:\Windows\system32\Limioiia.exe; no signatures recorded
- Level 105 (PID 3152): C:\Windows\SysWOW64\Liofdigo.exe, command line C:\Windows\system32\Liofdigo.exe; signatures: Drops file in System32 directory
- Level 106 (PID 4924): C:\Windows\SysWOW64\Lbgjmnno.exe, command line C:\Windows\system32\Lbgjmnno.exe; no signatures recorded
- Level 107 (PID 5132): C:\Windows\SysWOW64\Mihikgod.exe, command line C:\Windows\system32\Mihikgod.exe; no signatures recorded
- Level 108 (PID 5176): C:\Windows\SysWOW64\Mjheejff.exe, command line C:\Windows\system32\Mjheejff.exe; no signatures recorded
- Level 109 (PID 5216): C:\Windows\SysWOW64\Mbcjimda.exe, command line C:\Windows\system32\Mbcjimda.exe; signatures: Modifies registry class
- Level 110 (PID 5256): C:\Windows\SysWOW64\Nbefolao.exe, command line C:\Windows\system32\Nbefolao.exe; no signatures recorded
- Level 111 (PID 5300): C:\Windows\SysWOW64\Nboiekjd.exe, command line C:\Windows\system32\Nboiekjd.exe; no signatures recorded
- Level 112 (PID 5360): C:\Windows\SysWOW64\Olgnnqpe.exe, command line C:\Windows\system32\Olgnnqpe.exe; no signatures recorded
- Level 113 (PID 5404): C:\Windows\SysWOW64\Oplmdnpc.exe, command line C:\Windows\system32\Oplmdnpc.exe; no signatures recorded
- Level 114 (PID 5448): C:\Windows\SysWOW64\Pmbjcb32.exe, command line C:\Windows\system32\Pmbjcb32.exe; no signatures recorded
- Level 115 (PID 5492): C:\Windows\SysWOW64\Pdalkk32.exe, command line C:\Windows\system32\Pdalkk32.exe; no signatures recorded
- Level 116 (PID 5536): C:\Windows\SysWOW64\Pphlpl32.exe, command line C:\Windows\system32\Pphlpl32.exe; signatures: Drops file in System32 directory
- Level 117 (PID 5580): C:\Windows\SysWOW64\Qibmoa32.exe, command line C:\Windows\system32\Qibmoa32.exe; no signatures recorded
- Level 118 (PID 5624): C:\Windows\SysWOW64\Qckbggad.exe, command line C:\Windows\system32\Qckbggad.exe; signatures: Drops file in System32 directory
- Level 119 (PID 5668): C:\Windows\SysWOW64\Ajggjq32.exe, command line C:\Windows\system32\Ajggjq32.exe; signatures: Modifies registry class
- Level 120 (PID 5720): C:\Windows\SysWOW64\Akgcdc32.exe, command line C:\Windows\system32\Akgcdc32.exe; no signatures recorded
- Level 121 (PID 5796): C:\Windows\SysWOW64\Bgbmdd32.exe, command line C:\Windows\system32\Bgbmdd32.exe; signatures: Adds autorun key to be loaded by Explorer.exe on startup
- Level 122 (PID 5836): C:\Windows\SysWOW64\Bldogjib.exe, command line C:\Windows\system32\Bldogjib.exe; signatures: Modifies registry class