Analysis
max time kernel: 166s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/10/2023, 20:33

Static task static1: 1 signatures
Behavioral task behavioral1: Sample NEAS.a17f31d5c4b27030d8470c3cd5f25130.exe, Resource win7-20230831-en, 6 signatures, 150 seconds
Behavioral task behavioral2: Sample NEAS.a17f31d5c4b27030d8470c3cd5f25130.exe, Resource win10v2004-20230915-en, 6 signatures, 150 seconds
General
Target: NEAS.a17f31d5c4b27030d8470c3cd5f25130.exe
Size: 107KB
MD5: a17f31d5c4b27030d8470c3cd5f25130
SHA1: 8f4629526ddf3fdfe787d7a732a59dda657e9fad
SHA256: d4789a50479fafb28b1cb4399e37adc77bec0f21fd96265d9c3dbc1eb49dbcc4
SHA512: 736c37e39307886cec0a1a2ad6d5884933ce82ee632c5c489cf2285ad4fbff06385f4fd24eea8519f3d8c376bbb112245438603e7e6bc3688358d76a6ac12efd
SSDEEP: 1536:6pJOSgx5yzcwdjjBOlmJv2LubaIZTJ+7LhkiB0MPiKeEAgHD/Chx3y:6pwQzpdQ80ubaMU7uihJ5233y
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jknfnbmi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmdqai32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oobfhh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Njekfenc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mnbnchlb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eflocepa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdlcbjfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kgenlldo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aaiiffjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kgbjlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mokmnm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Clmjcfdb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Femgia32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Meefhl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elienf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ingpgcmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oejbpb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qejkfp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mcmall32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eopbghnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jlfpnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pddhlnfg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Adiknkco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Njaakf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cpmajdig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eodclj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpkqbq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kaemgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Poaqocgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgphjk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdgfmk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbigapjb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgjkag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Geohdago.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onkimc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ckbegmin.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebocpd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnphag32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfnbbg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eckfaj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Loecgfjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmiccf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bmhfddeq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hkpqdifa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mljficpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Efamkepl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dohkhq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gejoib32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Akiijq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhbdbpnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dmmblkpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dohkhq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jeidan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dqmjqb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdnkhn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eibfmp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbndoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Heohinog.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lqfgfclm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfdlif32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obnbjdfi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dihllkal.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjohnkdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dmlkaela.exe
Executes dropped EXE (64 IoCs)
pid | Process
4176 | Bdnkhn32.exe
2088 | Dijppjfd.exe
1504 | Eieplhlf.exe
4988 | Eacaej32.exe
3460 | Ejnbdp32.exe
3408 | Fhiinbdo.exe
2840 | Gbhpajlj.exe
1432 | Gbjlgj32.exe
660 | Giddddad.exe
960 | Hleneo32.exe
4564 | Hhlnjpdi.exe
4388 | Hklglk32.exe
232 | Hcflch32.exe
5116 | Hlnqln32.exe
2132 | Hakidd32.exe
3532 | Ijgjpaao.exe
4992 | Jjpmfpid.exe
2028 | Joaojf32.exe
3268 | Kiomnk32.exe
4112 | Kmobii32.exe
3296 | Kkdoje32.exe
1992 | Ljephmgl.exe
3744 | Ljoboloa.exe
3372 | Mlialb32.exe
3728 | Ncbfcp32.exe
4624 | Nfabok32.exe
2704 | Npnqcpmc.exe
3592 | Oikngeoo.exe
3052 | Obfpejcl.exe
2148 | Piikhc32.exe
3468 | Pgmkbg32.exe
3280 | Pdalkk32.exe
1988 | Ajggjq32.exe
3068 | Akkmocjl.exe
1720 | Bkpfjb32.exe
1224 | Cdbmifdl.exe
228 | Cnahbk32.exe
4808 | Dmiaig32.exe
4156 | Dedceddg.exe
2356 | Enaaiifb.exe
1416 | Ecafgo32.exe
4036 | Enigjh32.exe
3328 | Febogbhg.exe
3952 | Flodilma.exe
1392 | Fmpaqd32.exe
1412 | Fcjimnjl.exe
4684 | Flaaok32.exe
4436 | Flfjjkgi.exe
2980 | Genobp32.exe
3808 | Gjndpg32.exe
4724 | Hlfcqh32.exe
2172 | Heohinog.exe
4916 | Hmlicp32.exe
1664 | Ildpbfmf.exe
4740 | Iaahjmkn.exe
3596 | Ihkpgg32.exe
1616 | Jnjednnp.exe
2860 | Jknfnbmi.exe
1368 | Jahnkl32.exe
972 | Jlponebi.exe
2156 | Kfmmajed.exe
1652 | Kkjejqcl.exe
664 | Khnfce32.exe
4092 | Knkokl32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Ciaich32.dll | Kddpnpdn.exe
File created | C:\Windows\SysWOW64\Mqpfofao.dll | Boanniao.exe
File created | C:\Windows\SysWOW64\Hmihgd32.dll | Kaemgn32.exe
File opened for modification | C:\Windows\SysWOW64\Gdleap32.exe | Gifadggi.exe
File created | C:\Windows\SysWOW64\Jcbibeki.exe | Jbcmhb32.exe
File created | C:\Windows\SysWOW64\Oleabh32.dll | Omjhgoco.exe
File opened for modification | C:\Windows\SysWOW64\Epikid32.exe | Ejlban32.exe
File opened for modification | C:\Windows\SysWOW64\Qejkfp32.exe | Qopbjf32.exe
File created | C:\Windows\SysWOW64\Hjbajokj.dll | Alimnj32.exe
File created | C:\Windows\SysWOW64\Ljephmgl.exe | Kkdoje32.exe
File created | C:\Windows\SysWOW64\Hneijndb.dll | Gifadggi.exe
File created | C:\Windows\SysWOW64\Nqkihpie.exe | Njaakf32.exe
File created | C:\Windows\SysWOW64\Oklegcdn.dll | Chblebll.exe
File created | C:\Windows\SysWOW64\Iiffoc32.exe | Hjjbmhfg.exe
File created | C:\Windows\SysWOW64\Keoeel32.exe | Kmdqai32.exe
File created | C:\Windows\SysWOW64\Gelqhibk.dll | Pafcjijo.exe
File created | C:\Windows\SysWOW64\Fgijlm32.dll | Ejlban32.exe
File created | C:\Windows\SysWOW64\Jlqohhja.exe | Igcgpalj.exe
File opened for modification | C:\Windows\SysWOW64\Kflnpild.exe | Jnifbmfo.exe
File created | C:\Windows\SysWOW64\Coldbl32.exe | Chblebll.exe
File created | C:\Windows\SysWOW64\Genobp32.exe | Flfjjkgi.exe
File created | C:\Windows\SysWOW64\Egidim32.dll | Kigoeagd.exe
File created | C:\Windows\SysWOW64\Bcnafl32.dll | Nklfho32.exe
File opened for modification | C:\Windows\SysWOW64\Calmcg32.exe | Ckbegmin.exe
File created | C:\Windows\SysWOW64\Mlialb32.exe | Ljoboloa.exe
File opened for modification | C:\Windows\SysWOW64\Iiffoc32.exe | Hjjbmhfg.exe
File opened for modification | C:\Windows\SysWOW64\Olfolp32.exe | Oflfoepg.exe
File created | C:\Windows\SysWOW64\Qjohiimm.dll | Kcikagij.exe
File created | C:\Windows\SysWOW64\Lgccdbdj.dll | Knbaoh32.exe
File created | C:\Windows\SysWOW64\Genbjogo.dll | Baanhi32.exe
File opened for modification | C:\Windows\SysWOW64\Mgceqh32.exe | Mnjqhcno.exe
File created | C:\Windows\SysWOW64\Jbafjmfi.dll | Ochjmd32.exe
File opened for modification | C:\Windows\SysWOW64\Nklbfaae.exe | Nhmejf32.exe
File created | C:\Windows\SysWOW64\Ifjngf32.dll | Fmkgdgej.exe
File created | C:\Windows\SysWOW64\Nbbpolba.dll | Mnjqfeld.exe
File created | C:\Windows\SysWOW64\Loecgfjf.exe | Lhkkjl32.exe
File opened for modification | C:\Windows\SysWOW64\Ickcaf32.exe | Iifodmak.exe
File created | C:\Windows\SysWOW64\Gjohnkdd.exe | Fmkgdgej.exe
File opened for modification | C:\Windows\SysWOW64\Phombg32.exe | Padeem32.exe
File created | C:\Windows\SysWOW64\Eopbghnb.exe | Eknpfj32.exe
File created | C:\Windows\SysWOW64\Dhhplida.dll | Lgqfmcge.exe
File created | C:\Windows\SysWOW64\Akiijq32.exe | Adoamfhn.exe
File created | C:\Windows\SysWOW64\Obcled32.exe | Oflkqc32.exe
File created | C:\Windows\SysWOW64\Hjjbmhfg.exe | Hbcklkee.exe
File created | C:\Windows\SysWOW64\Ndgpii32.dll | Pnmhqh32.exe
File created | C:\Windows\SysWOW64\Lgoaln32.dll | Higjkehf.exe
File created | C:\Windows\SysWOW64\Kllibo32.dll | Jqhaolli.exe
File opened for modification | C:\Windows\SysWOW64\Mndapl32.exe | Mgjicb32.exe
File created | C:\Windows\SysWOW64\Ohbfgkan.dll | Qqcjnell.exe
File created | C:\Windows\SysWOW64\Kepdfo32.exe | Knfliefc.exe
File created | C:\Windows\SysWOW64\Pakaab32.dll | Dedceddg.exe
File created | C:\Windows\SysWOW64\Qaiaojhj.dll | Cnjkgf32.exe
File created | C:\Windows\SysWOW64\Hohgpbon.dll | Imbhiial.exe
File opened for modification | C:\Windows\SysWOW64\Fihecici.exe | Fifhmi32.exe
File created | C:\Windows\SysWOW64\Apbonqaj.dll | Pgmkbg32.exe
File opened for modification | C:\Windows\SysWOW64\Dmiaig32.exe | Cnahbk32.exe
File created | C:\Windows\SysWOW64\Mlhahj32.dll | Pocpqcpm.exe
File opened for modification | C:\Windows\SysWOW64\Hoglmg32.exe | Gmfpeoga.exe
File created | C:\Windows\SysWOW64\Npfcfghe.dll | Dnondf32.exe
File created | C:\Windows\SysWOW64\Nakgec32.dll | Fbecgned.exe
File created | C:\Windows\SysWOW64\Hpjdea32.dll | Dmnhgdjo.exe
File opened for modification | C:\Windows\SysWOW64\Kdeghfhj.exe | Knkokl32.exe
File opened for modification | C:\Windows\SysWOW64\Hmdend32.exe | Hfjmajbc.exe
File created | C:\Windows\SysWOW64\Jlpklg32.exe | Jfcbcp32.exe
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
6088 | 8220 | WerFault.exe | 740
8848 | 8220 | WerFault.exe | 740
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ddecpgko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hmmffnai.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iebnqofj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgqedh32.dll" | Mgceqh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eknpfj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhmopp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ecafgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lgikpc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqjakqen.dll" | Gfnnel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mmiccf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nakgec32.dll" | Fbecgned.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnpfje32.dll" | Jlfpnn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dafpjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnnbbf32.dll" | Dmiaig32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Amibqhed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhhdaj32.dll" | Ldpmlh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giafegnk.dll" | Mqafbaap.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Clhbhc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pehghhgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcmje32.dll" | Mchpibng.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Onkimc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lfnfhg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ihcclb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Flgaodbm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haaqllnf.dll" | Obgeqcnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjoap32.dll" | Aoalba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipfgk32.dll" | Ohkbldfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ahbacq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pjhlfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mbchkg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kkbohc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fmpaqd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfgaelbi.dll" | Eodclj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hjjbmhfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Naodbm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghgcbpfq.dll" | Hmnmqdee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Neqoidmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndgndepc.dll" | Pdqelh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bnjkbi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Clmjcfdb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbfgkan.dll" | Qqcjnell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kndodehf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cebllbcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbobep32.dll" | Pkcepl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jenmlmll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmaoao32.dll" | Mcbpcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebkdhkf.dll" | Mccofn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bflgco32.dll" | Hdgfmk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pciqjoec.dll" | Afinbdon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ahgjnpna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Olangmod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lhiodm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcnafl32.dll" | Nklfho32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gkhkdjli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mnbnchlb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Amcmie32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Imeeohoi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ngehoqdn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hfaaddlo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dggbmlba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnfgdnn.dll" | Ocdqcikl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpcdkh32.dll" | Eopbghnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofcbkf32.dll" | Nockfgao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ajeami32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 8 wrote to memory of 4176 | 8 | NEAS.a17f31d5c4b27030d8470c3cd5f25130.exe | 85
PID 8 wrote to memory of 4176 | 8 | NEAS.a17f31d5c4b27030d8470c3cd5f25130.exe | 85
PID 8 wrote to memory of 4176 | 8 | NEAS.a17f31d5c4b27030d8470c3cd5f25130.exe | 85
PID 4176 wrote to memory of 2088 | 4176 | Bdnkhn32.exe | 86
PID 4176 wrote to memory of 2088 | 4176 | Bdnkhn32.exe | 86
PID 4176 wrote to memory of 2088 | 4176 | Bdnkhn32.exe | 86
PID 2088 wrote to memory of 1504 | 2088 | Dijppjfd.exe | 87
PID 2088 wrote to memory of 1504 | 2088 | Dijppjfd.exe | 87
PID 2088 wrote to memory of 1504 | 2088 | Dijppjfd.exe | 87
PID 1504 wrote to memory of 4988 | 1504 | Eieplhlf.exe | 88
PID 1504 wrote to memory of 4988 | 1504 | Eieplhlf.exe | 88
PID 1504 wrote to memory of 4988 | 1504 | Eieplhlf.exe | 88
PID 4988 wrote to memory of 3460 | 4988 | Eacaej32.exe | 89
PID 4988 wrote to memory of 3460 | 4988 | Eacaej32.exe | 89
PID 4988 wrote to memory of 3460 | 4988 | Eacaej32.exe | 89
PID 3460 wrote to memory of 3408 | 3460 | Ejnbdp32.exe | 90
PID 3460 wrote to memory of 3408 | 3460 | Ejnbdp32.exe | 90
PID 3460 wrote to memory of 3408 | 3460 | Ejnbdp32.exe | 90
PID 3408 wrote to memory of 2840 | 3408 | Fhiinbdo.exe | 91
PID 3408 wrote to memory of 2840 | 3408 | Fhiinbdo.exe | 91
PID 3408 wrote to memory of 2840 | 3408 | Fhiinbdo.exe | 91
PID 2840 wrote to memory of 1432 | 2840 | Gbhpajlj.exe | 92
PID 2840 wrote to memory of 1432 | 2840 | Gbhpajlj.exe | 92
PID 2840 wrote to memory of 1432 | 2840 | Gbhpajlj.exe | 92
PID 1432 wrote to memory of 660 | 1432 | Gbjlgj32.exe | 93
PID 1432 wrote to memory of 660 | 1432 | Gbjlgj32.exe | 93
PID 1432 wrote to memory of 660 | 1432 | Gbjlgj32.exe | 93
PID 660 wrote to memory of 960 | 660 | Giddddad.exe | 94
PID 660 wrote to memory of 960 | 660 | Giddddad.exe | 94
PID 660 wrote to memory of 960 | 660 | Giddddad.exe | 94
PID 960 wrote to memory of 4564 | 960 | Hleneo32.exe | 95
PID 960 wrote to memory of 4564 | 960 | Hleneo32.exe | 95
PID 960 wrote to memory of 4564 | 960 | Hleneo32.exe | 95
PID 4564 wrote to memory of 4388 | 4564 | Hhlnjpdi.exe | 96
PID 4564 wrote to memory of 4388 | 4564 | Hhlnjpdi.exe | 96
PID 4564 wrote to memory of 4388 | 4564 | Hhlnjpdi.exe | 96
PID 4388 wrote to memory of 232 | 4388 | Hklglk32.exe | 97
PID 4388 wrote to memory of 232 | 4388 | Hklglk32.exe | 97
PID 4388 wrote to memory of 232 | 4388 | Hklglk32.exe | 97
PID 232 wrote to memory of 5116 | 232 | Hcflch32.exe | 98
PID 232 wrote to memory of 5116 | 232 | Hcflch32.exe | 98
PID 232 wrote to memory of 5116 | 232 | Hcflch32.exe | 98
PID 5116 wrote to memory of 2132 | 5116 | Hlnqln32.exe | 99
PID 5116 wrote to memory of 2132 | 5116 | Hlnqln32.exe | 99
PID 5116 wrote to memory of 2132 | 5116 | Hlnqln32.exe | 99
PID 2132 wrote to memory of 3532 | 2132 | Hakidd32.exe | 100
PID 2132 wrote to memory of 3532 | 2132 | Hakidd32.exe | 100
PID 2132 wrote to memory of 3532 | 2132 | Hakidd32.exe | 100
PID 3532 wrote to memory of 4992 | 3532 | Ijgjpaao.exe | 101
PID 3532 wrote to memory of 4992 | 3532 | Ijgjpaao.exe | 101
PID 3532 wrote to memory of 4992 | 3532 | Ijgjpaao.exe | 101
PID 4992 wrote to memory of 2028 | 4992 | Jjpmfpid.exe | 102
PID 4992 wrote to memory of 2028 | 4992 | Jjpmfpid.exe | 102
PID 4992 wrote to memory of 2028 | 4992 | Jjpmfpid.exe | 102
PID 2028 wrote to memory of 3268 | 2028 | Joaojf32.exe | 103
PID 2028 wrote to memory of 3268 | 2028 | Joaojf32.exe | 103
PID 2028 wrote to memory of 3268 | 2028 | Joaojf32.exe | 103
PID 3268 wrote to memory of 4112 | 3268 | Kiomnk32.exe | 104
PID 3268 wrote to memory of 4112 | 3268 | Kiomnk32.exe | 104
PID 3268 wrote to memory of 4112 | 3268 | Kiomnk32.exe | 104
PID 4112 wrote to memory of 3296 | 4112 | Kmobii32.exe | 105
PID 4112 wrote to memory of 3296 | 4112 | Kmobii32.exe | 105
PID 4112 wrote to memory of 3296 | 4112 | Kmobii32.exe | 105
PID 3296 wrote to memory of 1992 | 3296 | Kkdoje32.exe | 106
Processes (tree depth: image path; command line; PID; signatures)
- depth 1: C:\Users\Admin\AppData\Local\Temp\NEAS.a17f31d5c4b27030d8470c3cd5f25130.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.a17f31d5c4b27030d8470c3cd5f25130.exe"; PID 8)
  signatures: Suspicious use of WriteProcessMemory
- depth 2: C:\Windows\SysWOW64\Bdnkhn32.exe (command line: C:\Windows\system32\Bdnkhn32.exe; PID 4176)
  signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 3: C:\Windows\SysWOW64\Dijppjfd.exe (command line: C:\Windows\system32\Dijppjfd.exe; PID 2088)
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 4: C:\Windows\SysWOW64\Eieplhlf.exe (command line: C:\Windows\system32\Eieplhlf.exe; PID 1504)
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 5: C:\Windows\SysWOW64\Eacaej32.exe (command line: C:\Windows\system32\Eacaej32.exe; PID 4988)
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 6: C:\Windows\SysWOW64\Ejnbdp32.exe (command line: C:\Windows\system32\Ejnbdp32.exe; PID 3460)
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 7: C:\Windows\SysWOW64\Fhiinbdo.exe (command line: C:\Windows\system32\Fhiinbdo.exe; PID 3408)
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 8: C:\Windows\SysWOW64\Gbhpajlj.exe (command line: C:\Windows\system32\Gbhpajlj.exe; PID 2840)
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 9: C:\Windows\SysWOW64\Gbjlgj32.exe (command line: C:\Windows\system32\Gbjlgj32.exe; PID 1432)
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 10: C:\Windows\SysWOW64\Giddddad.exe (command line: C:\Windows\system32\Giddddad.exe; PID 660)
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 11: C:\Windows\SysWOW64\Hleneo32.exe (command line: C:\Windows\system32\Hleneo32.exe; PID 960)
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 12: C:\Windows\SysWOW64\Hhlnjpdi.exe (command line: C:\Windows\system32\Hhlnjpdi.exe; PID 4564)
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 13: C:\Windows\SysWOW64\Hklglk32.exe (command line: C:\Windows\system32\Hklglk32.exe; PID 4388)
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 14: C:\Windows\SysWOW64\Hcflch32.exe (command line: C:\Windows\system32\Hcflch32.exe; PID 232)
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 15: C:\Windows\SysWOW64\Hlnqln32.exe (command line: C:\Windows\system32\Hlnqln32.exe; PID 5116)
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 16: C:\Windows\SysWOW64\Hakidd32.exe (command line: C:\Windows\system32\Hakidd32.exe; PID 2132)
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 17: C:\Windows\SysWOW64\Ijgjpaao.exe (command line: C:\Windows\system32\Ijgjpaao.exe; PID 3532)
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 18: C:\Windows\SysWOW64\Jjpmfpid.exe (command line: C:\Windows\system32\Jjpmfpid.exe; PID 4992)
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 19: C:\Windows\SysWOW64\Joaojf32.exe (command line: C:\Windows\system32\Joaojf32.exe; PID 2028)
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 20: C:\Windows\SysWOW64\Kiomnk32.exe (command line: C:\Windows\system32\Kiomnk32.exe; PID 3268)
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 21: C:\Windows\SysWOW64\Kmobii32.exe (command line: C:\Windows\system32\Kmobii32.exe; PID 4112)
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 22: C:\Windows\SysWOW64\Kkdoje32.exe (command line: C:\Windows\system32\Kkdoje32.exe; PID 3296)
  signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- depth 23: C:\Windows\SysWOW64\Ljephmgl.exe (command line: C:\Windows\system32\Ljephmgl.exe; PID 1992)
  signatures: Executes dropped EXE
- depth 24: C:\Windows\SysWOW64\Ljoboloa.exe (command line: C:\Windows\system32\Ljoboloa.exe; PID 3744)
  signatures: Executes dropped EXE; Drops file in System32 directory
- depth 25: C:\Windows\SysWOW64\Mlialb32.exe (command line: C:\Windows\system32\Mlialb32.exe; PID 3372)
  signatures: Executes dropped EXE
- depth 26: C:\Windows\SysWOW64\Ncbfcp32.exe (command line: C:\Windows\system32\Ncbfcp32.exe; PID 3728)
  signatures: Executes dropped EXE
- depth 27: C:\Windows\SysWOW64\Nfabok32.exe (command line: C:\Windows\system32\Nfabok32.exe; PID 4624)
  signatures: Executes dropped EXE
- depth 28: C:\Windows\SysWOW64\Npnqcpmc.exe (command line: C:\Windows\system32\Npnqcpmc.exe; PID 2704)
  signatures: Executes dropped EXE
- depth 29: C:\Windows\SysWOW64\Oikngeoo.exe (command line: C:\Windows\system32\Oikngeoo.exe; PID 3592)
  signatures: Executes dropped EXE
- depth 30: C:\Windows\SysWOW64\Obfpejcl.exe (command line: C:\Windows\system32\Obfpejcl.exe; PID 3052)
  signatures: Executes dropped EXE
- depth 31: C:\Windows\SysWOW64\Piikhc32.exe (command line: C:\Windows\system32\Piikhc32.exe; PID 2148)
  signatures: Executes dropped EXE
- depth 32: C:\Windows\SysWOW64\Pgmkbg32.exe (command line: C:\Windows\system32\Pgmkbg32.exe; PID 3468)
  signatures: Executes dropped EXE; Drops file in System32 directory
- depth 33: C:\Windows\SysWOW64\Pdalkk32.exe (command line: C:\Windows\system32\Pdalkk32.exe; PID 3280)
  signatures: Executes dropped EXE
- depth 34: C:\Windows\SysWOW64\Ajggjq32.exe (command line: C:\Windows\system32\Ajggjq32.exe; PID 1988)
  signatures: Executes dropped EXE
- depth 35: C:\Windows\SysWOW64\Akkmocjl.exe (command line: C:\Windows\system32\Akkmocjl.exe; PID 3068)
  signatures: Executes dropped EXE
- depth 36: C:\Windows\SysWOW64\Bkpfjb32.exe (command line: C:\Windows\system32\Bkpfjb32.exe; PID 1720)
  signatures: Executes dropped EXE
- depth 37: C:\Windows\SysWOW64\Cdbmifdl.exe (command line: C:\Windows\system32\Cdbmifdl.exe; PID 1224)
  signatures: Executes dropped EXE
- depth 38: C:\Windows\SysWOW64\Cnahbk32.exe (command line: C:\Windows\system32\Cnahbk32.exe; PID 228)
  signatures: Executes dropped EXE; Drops file in System32 directory
- depth 39: C:\Windows\SysWOW64\Dmiaig32.exe (command line: C:\Windows\system32\Dmiaig32.exe; PID 4808)
  signatures: Executes dropped EXE; Modifies registry class
- depth 40: C:\Windows\SysWOW64\Dedceddg.exe (command line: C:\Windows\system32\Dedceddg.exe; PID 4156)
  signatures: Executes dropped EXE; Drops file in System32 directory
- depth 41: C:\Windows\SysWOW64\Enaaiifb.exe (command line: C:\Windows\system32\Enaaiifb.exe; PID 2356)
  signatures: Executes dropped EXE
- depth 42: C:\Windows\SysWOW64\Ecafgo32.exe (command line: C:\Windows\system32\Ecafgo32.exe; PID 1416)
  signatures: Executes dropped EXE; Modifies registry class
- depth 43: C:\Windows\SysWOW64\Enigjh32.exe (command line: C:\Windows\system32\Enigjh32.exe; PID 4036)
  signatures: Executes dropped EXE
- depth 44: C:\Windows\SysWOW64\Febogbhg.exe (command line: C:\Windows\system32\Febogbhg.exe; PID 3328)
  signatures: Executes dropped EXE
- depth 45: C:\Windows\SysWOW64\Flodilma.exe (command line: C:\Windows\system32\Flodilma.exe; PID 3952)
  signatures: Executes dropped EXE
- depth 46: C:\Windows\SysWOW64\Fmpaqd32.exe (command line: C:\Windows\system32\Fmpaqd32.exe; PID 1392)
  signatures: Executes dropped EXE; Modifies registry class
- depth 47: C:\Windows\SysWOW64\Fcjimnjl.exe (command line: C:\Windows\system32\Fcjimnjl.exe; PID 1412)
  signatures: Executes dropped EXE
- depth 48: C:\Windows\SysWOW64\Flaaok32.exe (command line: C:\Windows\system32\Flaaok32.exe; PID 4684)
  signatures: Executes dropped EXE
- depth 49: C:\Windows\SysWOW64\Flfjjkgi.exe (command line: C:\Windows\system32\Flfjjkgi.exe; PID 4436)
  signatures: Executes dropped EXE; Drops file in System32 directory
- depth 50: C:\Windows\SysWOW64\Genobp32.exe (command line: C:\Windows\system32\Genobp32.exe; PID 2980)
  signatures: Executes dropped EXE
- depth 51: C:\Windows\SysWOW64\Gjndpg32.exe (command line: C:\Windows\system32\Gjndpg32.exe; PID 3808)
  signatures: Executes dropped EXE
- depth 52: C:\Windows\SysWOW64\Hlfcqh32.exe (command line: C:\Windows\system32\Hlfcqh32.exe; PID 4724)
  signatures: Executes dropped EXE
- depth 53: C:\Windows\SysWOW64\Heohinog.exe (command line: C:\Windows\system32\Heohinog.exe; PID 2172)
  signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- depth 54: C:\Windows\SysWOW64\Hmlicp32.exe (command line: C:\Windows\system32\Hmlicp32.exe; PID 4916)
  signatures: Executes dropped EXE
- depth 55: C:\Windows\SysWOW64\Ildpbfmf.exe (command line: C:\Windows\system32\Ildpbfmf.exe; PID 1664)
  signatures: Executes dropped EXE
- depth 56: C:\Windows\SysWOW64\Iaahjmkn.exe (command line: C:\Windows\system32\Iaahjmkn.exe; PID 4740)
  signatures: Executes dropped EXE
- depth 57: C:\Windows\SysWOW64\Ihkpgg32.exe (command line: C:\Windows\system32\Ihkpgg32.exe; PID 3596)
  signatures: Executes dropped EXE
- depth 58: C:\Windows\SysWOW64\Jnjednnp.exe (command line: C:\Windows\system32\Jnjednnp.exe; PID 1616)
  signatures: Executes dropped EXE
- depth 59: C:\Windows\SysWOW64\Jknfnbmi.exe (command line: C:\Windows\system32\Jknfnbmi.exe; PID 2860)
  signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- depth 60: C:\Windows\SysWOW64\Jahnkl32.exe (command line: C:\Windows\system32\Jahnkl32.exe; PID 1368)
  signatures: Executes dropped EXE
- depth 61: C:\Windows\SysWOW64\Jlponebi.exe (command line: C:\Windows\system32\Jlponebi.exe; PID 972)
  signatures: Executes dropped EXE
- depth 62: C:\Windows\SysWOW64\Kfmmajed.exe (command line: C:\Windows\system32\Kfmmajed.exe; PID 2156)
  signatures: Executes dropped EXE
- depth 63: C:\Windows\SysWOW64\Kkjejqcl.exe (command line: C:\Windows\system32\Kkjejqcl.exe; PID 1652)
  signatures: Executes dropped EXE
- depth 64: C:\Windows\SysWOW64\Khnfce32.exe (command line: C:\Windows\system32\Khnfce32.exe; PID 664)
  signatures: Executes dropped EXE
- depth 65: C:\Windows\SysWOW64\Knkokl32.exe (command line: C:\Windows\system32\Knkokl32.exe; PID 4092)
  signatures: Executes dropped EXE; Drops file in System32 directory
- depth 66: C:\Windows\SysWOW64\Kdeghfhj.exe (command line: C:\Windows\system32\Kdeghfhj.exe; PID 2692)
- depth 67: C:\Windows\SysWOW64\Lhelddln.exe (command line: C:\Windows\system32\Lhelddln.exe; PID 4668)
- depth 68: C:\Windows\SysWOW64\Lfnfhg32.exe (command line: C:\Windows\system32\Lfnfhg32.exe; PID 3996)
  signatures: Modifies registry class
- depth 69: C:\Windows\SysWOW64\Lkjoqnei.exe (command line: C:\Windows\system32\Lkjoqnei.exe; PID 4548)
- depth 70: C:\Windows\SysWOW64\Mfdlif32.exe (command line: C:\Windows\system32\Mfdlif32.exe; PID 2312)
  signatures: Adds autorun key to be loaded by Explorer.exe on startup
- depth 71: C:\Windows\SysWOW64\Mnbnchlb.exe (command line: C:\Windows\system32\Mnbnchlb.exe; PID 3828)
  signatures: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
- depth 72: C:\Windows\SysWOW64\Mbbcofpf.exe (command line: C:\Windows\system32\Mbbcofpf.exe; PID 1400)
- depth 73: C:\Windows\SysWOW64\Niohap32.exe (command line: C:\Windows\system32\Niohap32.exe; PID 2512)
- depth 74: C:\Windows\SysWOW64\Nnnmogae.exe (command line: C:\Windows\system32\Nnnmogae.exe; PID 2340)
- depth 75: C:\Windows\SysWOW64\Obnbjdfi.exe (command line: C:\Windows\system32\Obnbjdfi.exe; PID 2252)
  signatures: Adds autorun key to be loaded by Explorer.exe on startup
- depth 76: C:\Windows\SysWOW64\Oflkqc32.exe (command line: C:\Windows\system32\Oflkqc32.exe; PID 548)
  signatures: Drops file in System32 directory
- depth 77: C:\Windows\SysWOW64\Obcled32.exe (command line: C:\Windows\system32\Obcled32.exe; PID 3684)
- depth 78: C:\Windows\SysWOW64\Omkmhlpf.exe (command line: C:\Windows\system32\Omkmhlpf.exe; PID 4944)
- depth 79: C:\Windows\SysWOW64\Obgeqcnn.exe (command line: C:\Windows\system32\Obgeqcnn.exe; PID 1868)
  signatures: Modifies registry class
- depth 80: C:\Windows\SysWOW64\Pocpqcpm.exe (command line: C:\Windows\system32\Pocpqcpm.exe; PID 3244)
  signatures: Drops file in System32 directory
- depth 81: C:\Windows\SysWOW64\Ppgeff32.exe (command line: C:\Windows\system32\Ppgeff32.exe; PID 1532)
- depth 82: C:\Windows\SysWOW64\Qfanbpjg.exe (command line: C:\Windows\system32\Qfanbpjg.exe; PID 4960)
- depth 83: C:\Windows\SysWOW64\Aoalba32.exe (command line: C:\Windows\system32\Aoalba32.exe; PID 3932)
  signatures: Modifies registry class
- depth 84: C:\Windows\SysWOW64\Amibqhed.exe (command line: C:\Windows\system32\Amibqhed.exe; PID 4148)
  signatures: Modifies registry class
- depth 85: C:\Windows\SysWOW64\Bcfkiock.exe (command line: C:\Windows\system32\Bcfkiock.exe; PID 4824)
- depth 86: C:\Windows\SysWOW64\Bmlofhca.exe (command line: C:\Windows\system32\Bmlofhca.exe; PID 3092)
- depth 87: C:\Windows\SysWOW64\Bchgnoai.exe (command line: C:\Windows\system32\Bchgnoai.exe; PID 3356)
- depth 88: C:\Windows\SysWOW64\Bnnklg32.exe (command line: C:\Windows\system32\Bnnklg32.exe; PID 1580)
- depth 89: C:\Windows\SysWOW64\Boohcpgm.exe (command line: C:\Windows\system32\Boohcpgm.exe; PID 3276)
- depth 90: C:\Windows\SysWOW64\Bnphag32.exe (command line: C:\Windows\system32\Bnphag32.exe; PID 2040)
  signatures: Adds autorun key to be loaded by Explorer.exe on startup
- depth 91: C:\Windows\SysWOW64\Bjgifhep.exe (command line: C:\Windows\system32\Bjgifhep.exe; PID 3584)
- depth 92: C:\Windows\SysWOW64\Bodano32.exe (command line: C:\Windows\system32\Bodano32.exe; PID 2992)
- depth 93: C:\Windows\SysWOW64\Clhbhc32.exe (command line: C:\Windows\system32\Clhbhc32.exe; PID 216)
  signatures: Modifies registry class
- depth 94: C:\Windows\SysWOW64\Cofndo32.exe (command line: C:\Windows\system32\Cofndo32.exe; PID 1120)
- depth 95: C:\Windows\SysWOW64\Cpfkna32.exe (command line: C:\Windows\system32\Cpfkna32.exe; PID 3812)
- depth 96: C:\Windows\SysWOW64\Cgpcklpd.exe (command line: C:\Windows\system32\Cgpcklpd.exe; PID 1256)
- depth 97: C:\Windows\SysWOW64\Cnjkgf32.exe (command line: C:\Windows\system32\Cnjkgf32.exe; PID 3036)
  signatures: Drops file in System32 directory
- depth 98: C:\Windows\SysWOW64\Cokgonmp.exe (command line: C:\Windows\system32\Cokgonmp.exe; PID 3752)
- depth 99: C:\Windows\SysWOW64\Cgdlfk32.exe (command line: C:\Windows\system32\Cgdlfk32.exe; PID 2212)
- depth 100: C:\Windows\SysWOW64\Claenb32.exe (command line: C:\Windows\system32\Claenb32.exe; PID 988)
- depth 101: C:\Windows\SysWOW64\Djeegf32.exe (command line: C:\Windows\system32\Djeegf32.exe; PID 1300)
- depth 102: C:\Windows\SysWOW64\Djgbmffn.exe (command line: C:\Windows\system32\Djgbmffn.exe; PID 1804)
- depth 103: C:\Windows\SysWOW64\Dqajjp32.exe (command line: C:\Windows\system32\Dqajjp32.exe; PID 5136)
- depth 104: C:\Windows\SysWOW64\Dfnbbg32.exe (command line: C:\Windows\system32\Dfnbbg32.exe; PID 5172)
  signatures: Adds autorun key to be loaded by Explorer.exe on startup
- depth 105: C:\Windows\SysWOW64\Dmhkoaco.exe (command line: C:\Windows\system32\Dmhkoaco.exe; PID 5216)
- depth 106: C:\Windows\SysWOW64\Dgnolj32.exe (command line: C:\Windows\system32\Dgnolj32.exe; PID 5264)
- depth 107: C:\Windows\SysWOW64\Dqfceoje.exe (command line: C:\Windows\system32\Dqfceoje.exe; PID 5308)
- depth 108: C:\Windows\SysWOW64\Dqhpjohb.exe (command line: C:\Windows\system32\Dqhpjohb.exe; PID 5344)
- depth 109: C:\Windows\SysWOW64\Dfeibf32.exe (command line: C:\Windows\system32\Dfeibf32.exe; PID 5396)
- depth 110: C:\Windows\SysWOW64\Eckfaj32.exe (command line: C:\Windows\system32\Eckfaj32.exe; PID 5468)
  signatures: Adds autorun key to be loaded by Explorer.exe on startup
- depth 111: C:\Windows\SysWOW64\Eflocepa.exe (command line: C:\Windows\system32\Eflocepa.exe; PID 5508)
  signatures: Adds autorun key to be loaded by Explorer.exe on startup
- depth 112: C:\Windows\SysWOW64\Eodclj32.exe (command line: C:\Windows\system32\Eodclj32.exe; PID 5556)
  signatures: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
- depth 113: C:\Windows\SysWOW64\Enfcjb32.exe (command line: C:\Windows\system32\Enfcjb32.exe; PID 5620)
- depth 114: C:\Windows\SysWOW64\Fpnfbi32.exe (command line: C:\Windows\system32\Fpnfbi32.exe; PID 5660)
- depth 115: C:\Windows\SysWOW64\Fnofpqff.exe (command line: C:\Windows\system32\Fnofpqff.exe; PID 5720)
- depth 116: C:\Windows\SysWOW64\Gablgk32.exe (command line: C:\Windows\system32\Gablgk32.exe; PID 5760)
- depth 117: C:\Windows\SysWOW64\Gfodpbpl.exe (command line: C:\Windows\system32\Gfodpbpl.exe; PID 5804)
- depth 118: C:\Windows\SysWOW64\Ghcjedcj.exe (command line: C:\Windows\system32\Ghcjedcj.exe; PID 5848)
- depth 119: C:\Windows\SysWOW64\Gpnoigpe.exe (command line: C:\Windows\system32\Gpnoigpe.exe; PID 5888)
- depth 120: C:\Windows\SysWOW64\Hhhdpd32.exe (command line: C:\Windows\system32\Hhhdpd32.exe; PID 5932)
- depth 121: C:\Windows\SysWOW64\Hnblmnfa.exe (command line: C:\Windows\system32\Hnblmnfa.exe; PID 5992)
- depth 122: C:\Windows\SysWOW64\Hnfehm32.exe (command line: C:\Windows\system32\Hnfehm32.exe; PID 6040)