Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
13/10/2023, 20:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.b3bfc257f41ba7bc9e3b0c5c71ba3900.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.b3bfc257f41ba7bc9e3b0c5c71ba3900.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.b3bfc257f41ba7bc9e3b0c5c71ba3900.exe
-
Size
96KB
-
MD5
b3bfc257f41ba7bc9e3b0c5c71ba3900
-
SHA1
684883825103821641163a38bc6dbc751ffee1a1
-
SHA256
fc9a9cddf302cd8a909c1e411d3884fa42ed06921e6613eb825a4ee6382b9fbc
-
SHA512
6f064ea568628939e0a93fa9c94e8ead347dbb0da97e49bdb55b332f815727b25073b146dcfc72a59dc689f288e27c32bb104ccd3f0a1fc9c2290ff5e361f5de
-
SSDEEP
1536:ZnrT1kHVTH5YW/BBNFnFl8bpkJlQT+z4yLZVWh2UxUduV9jojTIvjrH:drTuHlHl3rnP8bKwTwdVZkUd69jc0vf
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akamff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlqloo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obidcdfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldhdlnli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Naaghoik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeopnmoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnfdnnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlnpio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlqpaafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgpplf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmpgghoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deagoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eflceb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckfofe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjmfmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkoplk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdgdeppb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkamdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Defheg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mehafq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aofjoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgmllpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fikihlmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qhddgofo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpoiho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncoaq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgokdomj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoefgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Incdem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhbmnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chinkndp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggilgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdknpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ailabddb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkfkng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knbinhfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maeaajpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljjicl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khhaanop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laglkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paocim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgpbhmna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbaehl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnjhhpgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eemgkpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khonkogj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnbapjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hokgmpkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lobhqdec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjqinamq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggocbke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abbiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfpkbfdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pilpfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmbpjfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odkcpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjjggede.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Licfngjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nocbfjmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbjade32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhjnfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbklli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gckjlf32.exe -
Executes dropped EXE 64 IoCs
pid Process 3732 Gkiaej32.exe 4012 Gdafnpqh.exe 1208 Gnjjfegi.exe 3752 Ghpocngo.exe 3680 Gpkchqdj.exe 3820 Hnodaecc.exe 4804 Hkbdki32.exe 1016 Hpomcp32.exe 1548 Hjhalefe.exe 1784 Hjjnae32.exe 3224 Hgnoki32.exe 2304 Idbodn32.exe 2956 Iafonaao.exe 4300 Inmpcc32.exe 4484 Ikqqlgem.exe 2456 Ihdafkdg.exe 464 Idkbkl32.exe 4640 Indfca32.exe 572 Jglklggl.exe 4460 Jqdoem32.exe 1508 Jgogbgei.exe 3336 Jqglkmlj.exe 3524 Jbfheo32.exe 5012 Jnmijq32.exe 2356 Jibmgi32.exe 4580 Jbkbpoog.exe 1104 Knbbep32.exe 2084 Kjhcjq32.exe 2616 Kenggi32.exe 1688 Knflpoqf.exe 4200 Kecabifp.exe 1192 Kjpijpdg.exe 5032 Liqihglg.exe 560 Ljbfpo32.exe 3232 Licfngjd.exe 3136 Lbkkgl32.exe 2584 Mbbagk32.exe 4856 Mjneln32.exe 4808 Mbgjbkfg.exe 2808 Miaboe32.exe 4696 Mbighjdd.exe 1904 Mjellmbp.exe 4208 Mifljdjo.exe 3636 Nbnpcj32.exe 4084 Njiegl32.exe 3412 Neoieenp.exe 3504 Nklbmllg.exe 660 Nknobkje.exe 3376 Neccpd32.exe 4132 Nolgijpk.exe 2420 Nhdlao32.exe 4600 Objpoh32.exe 1332 Ohghgodi.exe 4392 Oaompd32.exe 688 Okgaijaj.exe 536 Oemefcap.exe 1328 Ooejohhq.exe 1100 Oklkdi32.exe 1808 Oeaoab32.exe 3736 Pedlgbkh.exe 3632 Aeddnp32.exe 4448 Akamff32.exe 3616 Ahenokjf.exe 4164 Aanbhp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jbkbpoog.exe Jibmgi32.exe File created C:\Windows\SysWOW64\Aanbhp32.exe Ahenokjf.exe File created C:\Windows\SysWOW64\Bldgoeog.exe Apngjd32.exe File created C:\Windows\SysWOW64\Fgncff32.exe Fdogjk32.exe File created C:\Windows\SysWOW64\Hjeodp32.dll Qhddgofo.exe File created C:\Windows\SysWOW64\Lcjkqlam.dll Oemefcap.exe File created C:\Windows\SysWOW64\Ibnjkbog.exe Hcljmj32.exe File opened for modification C:\Windows\SysWOW64\Ancjef32.exe Agiahlkf.exe File opened for modification C:\Windows\SysWOW64\Lobhqdec.exe Jkfcigkm.exe File created C:\Windows\SysWOW64\Imjfmjln.dll Jglklggl.exe File created C:\Windows\SysWOW64\Aijlgkjq.exe Qkfkng32.exe File created C:\Windows\SysWOW64\Docpdpol.dll Jmpgghoo.exe File opened for modification C:\Windows\SysWOW64\Goadfa32.exe Glchjedc.exe File created C:\Windows\SysWOW64\Hhckeeam.exe Hokgmpkl.exe File created C:\Windows\SysWOW64\Bpocpj32.dll Hhckeeam.exe File created C:\Windows\SysWOW64\Okahhpqj.dll Lknjhokg.exe File created C:\Windows\SysWOW64\Ncmaai32.exe Nhgmcp32.exe File created C:\Windows\SysWOW64\Dchhia32.dll Cmmgof32.exe File created C:\Windows\SysWOW64\Moglpedd.exe Mgpcohcb.exe File opened for modification C:\Windows\SysWOW64\Mjellmbp.exe Mbighjdd.exe File opened for modification C:\Windows\SysWOW64\Qckfid32.exe Pbljoafi.exe File opened for modification C:\Windows\SysWOW64\Jffokn32.exe Iedbcebd.exe File opened for modification C:\Windows\SysWOW64\Bbpolb32.exe Bnaffdfc.exe File opened for modification C:\Windows\SysWOW64\Ciknefmk.exe Cbaehl32.exe File opened for modification C:\Windows\SysWOW64\Gmdoel32.exe Gfjfhbpb.exe File created C:\Windows\SysWOW64\Oeffnl32.exe Ogefqeaj.exe File created C:\Windows\SysWOW64\Miogkjip.dll Lobhqdec.exe File opened for modification C:\Windows\SysWOW64\Cfhhml32.exe Cpnpqakp.exe File created C:\Windows\SysWOW64\Fnglcqio.exe Fgncff32.exe File opened for modification C:\Windows\SysWOW64\Pdpmkhjl.exe Pnfdnnbo.exe File created C:\Windows\SysWOW64\Kqdodo32.exe Jjjggede.exe File created C:\Windows\SysWOW64\Qkamof32.dll Jjjggede.exe File created C:\Windows\SysWOW64\Mbnjicfj.dll Anjpeelk.exe File created C:\Windows\SysWOW64\Mjellmbp.exe Mbighjdd.exe File created C:\Windows\SysWOW64\Njiegl32.exe Nbnpcj32.exe File opened for modification C:\Windows\SysWOW64\Edlann32.exe Dekapfke.exe File created C:\Windows\SysWOW64\Ncieicai.dll Pojjcp32.exe File opened for modification C:\Windows\SysWOW64\Hoefgj32.exe Ckfofe32.exe File created C:\Windows\SysWOW64\Apnpee32.dll Jqdoem32.exe File opened for modification C:\Windows\SysWOW64\Knflpoqf.exe Kenggi32.exe File created C:\Windows\SysWOW64\Lhmjlm32.exe Lmgfod32.exe File created C:\Windows\SysWOW64\Deagoa32.exe Dpdogj32.exe File created C:\Windows\SysWOW64\Lkkekdhe.exe Ljjicl32.exe File created C:\Windows\SysWOW64\Ncapfeoc.dll Iagqgn32.exe File created C:\Windows\SysWOW64\Aehbmk32.exe Apkjddke.exe File created C:\Windows\SysWOW64\Ldhopqko.dll Bcnleb32.exe File created C:\Windows\SysWOW64\Dkakdg32.dll Flaiho32.exe File opened for modification C:\Windows\SysWOW64\Gjqinamq.exe Gnjhhpgl.exe File created C:\Windows\SysWOW64\Pfffnphj.dll Jjefao32.exe File opened for modification C:\Windows\SysWOW64\Lmfhjhdm.exe Lflpmn32.exe File created C:\Windows\SysWOW64\Facdchai.dll Hjhalefe.exe File created C:\Windows\SysWOW64\Moqkim32.dll Hjjnae32.exe File opened for modification C:\Windows\SysWOW64\Hbdgec32.exe Hqdkkp32.exe File created C:\Windows\SysWOW64\Jepbodhg.exe Jmijnfgd.exe File created C:\Windows\SysWOW64\Mkgfdgpq.exe Mdmngm32.exe File opened for modification C:\Windows\SysWOW64\Bndjfjhl.exe Bkfmjnii.exe File created C:\Windows\SysWOW64\Mhoaqa32.dll Ckoifgmb.exe File created C:\Windows\SysWOW64\Fbbojb32.dll Kalcik32.exe File created C:\Windows\SysWOW64\Anmglpki.dll Kmncif32.exe File created C:\Windows\SysWOW64\Khhaanop.exe Kanidd32.exe File opened for modification C:\Windows\SysWOW64\Akmjdpac.exe Aecbge32.exe File created C:\Windows\SysWOW64\Goadfa32.exe Glchjedc.exe File created C:\Windows\SysWOW64\Bglgdi32.exe Bbpolb32.exe File opened for modification C:\Windows\SysWOW64\Dpoiho32.exe Deidjf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3052 9396 WerFault.exe 582 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgngih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efampahd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfdfoala.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpefaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgjeppkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnfceopp.dll" Hgapmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgfaf32.dll" Namegfql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfppoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghijbq32.dll" Ecidpiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgibqj32.dll" Dehnpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kljhfc32.dll" Hjlaoioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjpijpdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnoimo32.dll" Bjicdmmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejkiiokj.dll" Hljnkdnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgnka32.dll" Hoefgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcpfdg32.dll" Laglkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Clpppmqn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qpmmfbfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccppmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlqloo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlnpio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhfnche.dll" Ndnnianm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdkdne32.dll" Qckfid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ellpmolj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jepbodhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiffij32.dll" Lhjnfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnlonj32.dll" Jgogbgei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbkkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eldbbjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmgglf32.dll" Ijmhkchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfmgqph.dll" Bmfqngcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Deokja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpglmjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdknpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmpaoopf.dll" Icogcjde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qdflaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkgfdgpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfbiobf.dll" Fgmllpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eheani32.dll" Dpoiho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgllad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qfilkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glchjedc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncmaai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdebfago.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifoijonj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nipffmmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID NEAS.b3bfc257f41ba7bc9e3b0c5c71ba3900.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hqfqfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmipfknd.dll" Nglcjfie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dliffkod.dll" Decdeama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dheiop32.dll" Gckcap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahafcp32.dll" Adnbapjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njiegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfhhml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aqpika32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbpnedga.dll" Glabolja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glchjedc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojaijla.dll" Pbljoafi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epeohn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cigkdmel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmfoj32.dll" Gdgdeppb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qkfkng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfjfhbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kagbdenk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3396 wrote to memory of 3732 3396 NEAS.b3bfc257f41ba7bc9e3b0c5c71ba3900.exe 86 PID 3396 wrote to memory of 3732 3396 NEAS.b3bfc257f41ba7bc9e3b0c5c71ba3900.exe 86 PID 3396 wrote to memory of 3732 3396 NEAS.b3bfc257f41ba7bc9e3b0c5c71ba3900.exe 86 PID 3732 wrote to memory of 4012 3732 Gkiaej32.exe 87 PID 3732 wrote to memory of 4012 3732 Gkiaej32.exe 87 PID 3732 wrote to memory of 4012 3732 Gkiaej32.exe 87 PID 4012 wrote to memory of 1208 4012 Gdafnpqh.exe 88 PID 4012 wrote to memory of 1208 4012 Gdafnpqh.exe 88 PID 4012 wrote to memory of 1208 4012 Gdafnpqh.exe 88 PID 1208 wrote to memory of 3752 1208 Gnjjfegi.exe 89 PID 1208 wrote to memory of 3752 1208 Gnjjfegi.exe 89 PID 1208 wrote to memory of 3752 1208 Gnjjfegi.exe 89 PID 3752 wrote to memory of 3680 3752 Ghpocngo.exe 90 PID 3752 wrote to memory of 3680 3752 Ghpocngo.exe 90 PID 3752 wrote to memory of 3680 3752 Ghpocngo.exe 90 PID 3680 wrote to memory of 3820 3680 Gpkchqdj.exe 91 PID 3680 wrote to memory of 3820 3680 Gpkchqdj.exe 91 PID 3680 wrote to memory of 3820 3680 Gpkchqdj.exe 91 PID 3820 wrote to memory of 4804 3820 Hnodaecc.exe 92 PID 3820 wrote to memory of 4804 3820 Hnodaecc.exe 92 PID 3820 wrote to memory of 4804 3820 Hnodaecc.exe 92 PID 4804 wrote to memory of 1016 4804 Hkbdki32.exe 93 PID 4804 wrote to memory of 1016 4804 Hkbdki32.exe 93 PID 4804 wrote to memory of 1016 4804 Hkbdki32.exe 93 PID 1016 wrote to memory of 1548 1016 Hpomcp32.exe 94 PID 1016 wrote to memory of 1548 1016 Hpomcp32.exe 94 PID 1016 wrote to memory of 1548 1016 Hpomcp32.exe 94 PID 1548 wrote to memory of 1784 1548 Hjhalefe.exe 95 PID 1548 wrote to memory of 1784 1548 Hjhalefe.exe 95 PID 1548 wrote to memory of 1784 1548 Hjhalefe.exe 95 PID 1784 wrote to memory of 3224 1784 Hjjnae32.exe 96 PID 1784 wrote to memory of 3224 1784 Hjjnae32.exe 96 PID 1784 wrote to memory of 3224 1784 Hjjnae32.exe 96 PID 3224 wrote to memory of 2304 3224 Hgnoki32.exe 97 PID 3224 wrote to memory of 2304 3224 Hgnoki32.exe 97 PID 3224 wrote to memory of 2304 3224 Hgnoki32.exe 97 PID 2304 wrote to memory of 2956 2304 Idbodn32.exe 98 PID 2304 wrote to memory of 2956 2304 Idbodn32.exe 98 PID 2304 wrote to memory of 2956 2304 Idbodn32.exe 98 PID 2956 wrote to memory of 4300 2956 Iafonaao.exe 99 PID 2956 wrote to memory of 4300 2956 Iafonaao.exe 99 PID 2956 wrote to memory of 4300 2956 Iafonaao.exe 99 PID 4300 wrote to memory of 4484 4300 Inmpcc32.exe 100 PID 4300 wrote to memory of 4484 4300 Inmpcc32.exe 100 PID 4300 wrote to memory of 4484 4300 Inmpcc32.exe 100 PID 4484 wrote to memory of 2456 4484 Ikqqlgem.exe 101 PID 4484 wrote to memory of 2456 4484 Ikqqlgem.exe 101 PID 4484 wrote to memory of 2456 4484 Ikqqlgem.exe 101 PID 2456 wrote to memory of 464 2456 Ihdafkdg.exe 102 PID 2456 wrote to memory of 464 2456 Ihdafkdg.exe 102 PID 2456 wrote to memory of 464 2456 Ihdafkdg.exe 102 PID 464 wrote to memory of 4640 464 Idkbkl32.exe 103 PID 464 wrote to memory of 4640 464 Idkbkl32.exe 103 PID 464 wrote to memory of 4640 464 Idkbkl32.exe 103 PID 4640 wrote to memory of 572 4640 Indfca32.exe 104 PID 4640 wrote to memory of 572 4640 Indfca32.exe 104 PID 4640 wrote to memory of 572 4640 Indfca32.exe 104 PID 572 wrote to memory of 4460 572 Jglklggl.exe 105 PID 572 wrote to memory of 4460 572 Jglklggl.exe 105 PID 572 wrote to memory of 4460 572 Jglklggl.exe 105 PID 4460 wrote to memory of 1508 4460 Jqdoem32.exe 106 PID 4460 wrote to memory of 1508 4460 Jqdoem32.exe 106 PID 4460 wrote to memory of 1508 4460 Jqdoem32.exe 106 PID 1508 wrote to memory of 3336 1508 Jgogbgei.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.b3bfc257f41ba7bc9e3b0c5c71ba3900.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.b3bfc257f41ba7bc9e3b0c5c71ba3900.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Gnjjfegi.exeC:\Windows\system32\Gnjjfegi.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Ghpocngo.exeC:\Windows\system32\Ghpocngo.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Gpkchqdj.exeC:\Windows\system32\Gpkchqdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Iafonaao.exeC:\Windows\system32\Iafonaao.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\SysWOW64\Ikqqlgem.exeC:\Windows\system32\Ikqqlgem.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Jgogbgei.exeC:\Windows\system32\Jgogbgei.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe23⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe24⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe25⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe27⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe28⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe29⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe31⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe32⤵PID:2288
-
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe33⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1192 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe35⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Ljbfpo32.exeC:\Windows\system32\Ljbfpo32.exe36⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3232 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:3136 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe39⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe40⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe41⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe42⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4696 -
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe44⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe45⤵
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3636 -
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:4084 -
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe48⤵
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe49⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe50⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe51⤵
- Executes dropped EXE
PID:3376 -
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe52⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe53⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe54⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe55⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe56⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe57⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:536 -
C:\Windows\SysWOW64\Ooejohhq.exeC:\Windows\system32\Ooejohhq.exe59⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe60⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe61⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe62⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe63⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Akamff32.exeC:\Windows\system32\Akamff32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3616 -
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe66⤵
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe67⤵
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Fjmkoeqi.exeC:\Windows\system32\Fjmkoeqi.exe68⤵PID:1944
-
C:\Windows\SysWOW64\Gifkpknp.exeC:\Windows\system32\Gifkpknp.exe69⤵PID:3880
-
C:\Windows\SysWOW64\Ofegni32.exeC:\Windows\system32\Ofegni32.exe70⤵PID:4728
-
C:\Windows\SysWOW64\Pjcikejg.exeC:\Windows\system32\Pjcikejg.exe71⤵PID:4312
-
C:\Windows\SysWOW64\Cmpjoloh.exeC:\Windows\system32\Cmpjoloh.exe72⤵PID:4676
-
C:\Windows\SysWOW64\Cdjblf32.exeC:\Windows\system32\Cdjblf32.exe73⤵PID:228
-
C:\Windows\SysWOW64\Cigkdmel.exeC:\Windows\system32\Cigkdmel.exe74⤵
- Modifies registry class
PID:552 -
C:\Windows\SysWOW64\Cancekeo.exeC:\Windows\system32\Cancekeo.exe75⤵PID:3480
-
C:\Windows\SysWOW64\Ccppmc32.exeC:\Windows\system32\Ccppmc32.exe76⤵
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Fjmfmh32.exeC:\Windows\system32\Fjmfmh32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4388 -
C:\Windows\SysWOW64\Gkoplk32.exeC:\Windows\system32\Gkoplk32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3716 -
C:\Windows\SysWOW64\Gdgdeppb.exeC:\Windows\system32\Gdgdeppb.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1248 -
C:\Windows\SysWOW64\Gdknpp32.exeC:\Windows\system32\Gdknpp32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4396 -
C:\Windows\SysWOW64\Gkefmjcj.exeC:\Windows\system32\Gkefmjcj.exe81⤵PID:2644
-
C:\Windows\SysWOW64\Gdnjfojj.exeC:\Windows\system32\Gdnjfojj.exe82⤵PID:4512
-
C:\Windows\SysWOW64\Hqdkkp32.exeC:\Windows\system32\Hqdkkp32.exe83⤵
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Hbdgec32.exeC:\Windows\system32\Hbdgec32.exe84⤵PID:1432
-
C:\Windows\SysWOW64\Hgapmj32.exeC:\Windows\system32\Hgapmj32.exe85⤵
- Modifies registry class
PID:4172 -
C:\Windows\SysWOW64\Haidfpki.exeC:\Windows\system32\Haidfpki.exe86⤵PID:2488
-
C:\Windows\SysWOW64\Hgcmbj32.exeC:\Windows\system32\Hgcmbj32.exe87⤵PID:1216
-
C:\Windows\SysWOW64\Hkaeih32.exeC:\Windows\system32\Hkaeih32.exe88⤵PID:1744
-
C:\Windows\SysWOW64\Hbknebqi.exeC:\Windows\system32\Hbknebqi.exe89⤵PID:2264
-
C:\Windows\SysWOW64\Hcljmj32.exeC:\Windows\system32\Hcljmj32.exe90⤵
- Drops file in System32 directory
PID:808 -
C:\Windows\SysWOW64\Ibnjkbog.exeC:\Windows\system32\Ibnjkbog.exe91⤵PID:4372
-
C:\Windows\SysWOW64\Icogcjde.exeC:\Windows\system32\Icogcjde.exe92⤵
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Ibpgqa32.exeC:\Windows\system32\Ibpgqa32.exe93⤵PID:1804
-
C:\Windows\SysWOW64\Igmoih32.exeC:\Windows\system32\Igmoih32.exe94⤵PID:4148
-
C:\Windows\SysWOW64\Infhebbh.exeC:\Windows\system32\Infhebbh.exe95⤵PID:1344
-
C:\Windows\SysWOW64\Iccpniqp.exeC:\Windows\system32\Iccpniqp.exe96⤵PID:4876
-
C:\Windows\SysWOW64\Ijmhkchl.exeC:\Windows\system32\Ijmhkchl.exe97⤵
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Iagqgn32.exeC:\Windows\system32\Iagqgn32.exe98⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Inkaqb32.exeC:\Windows\system32\Inkaqb32.exe99⤵PID:4420
-
C:\Windows\SysWOW64\Idhiii32.exeC:\Windows\system32\Idhiii32.exe100⤵PID:4564
-
C:\Windows\SysWOW64\Iloajfml.exeC:\Windows\system32\Iloajfml.exe101⤵PID:2308
-
C:\Windows\SysWOW64\Jehfcl32.exeC:\Windows\system32\Jehfcl32.exe102⤵PID:4796
-
C:\Windows\SysWOW64\Jlanpfkj.exeC:\Windows\system32\Jlanpfkj.exe103⤵PID:1548
-
C:\Windows\SysWOW64\Jblflp32.exeC:\Windows\system32\Jblflp32.exe104⤵PID:2920
-
C:\Windows\SysWOW64\Jdmcdhhe.exeC:\Windows\system32\Jdmcdhhe.exe105⤵PID:4468
-
C:\Windows\SysWOW64\Keceoj32.exeC:\Windows\system32\Keceoj32.exe106⤵PID:404
-
C:\Windows\SysWOW64\Koljgppp.exeC:\Windows\system32\Koljgppp.exe107⤵PID:4720
-
C:\Windows\SysWOW64\Klpjad32.exeC:\Windows\system32\Klpjad32.exe108⤵PID:3560
-
C:\Windows\SysWOW64\Kalcik32.exeC:\Windows\system32\Kalcik32.exe109⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Kkegbpca.exeC:\Windows\system32\Kkegbpca.exe110⤵PID:1832
-
C:\Windows\SysWOW64\Kejloi32.exeC:\Windows\system32\Kejloi32.exe111⤵PID:4392
-
C:\Windows\SysWOW64\Khihld32.exeC:\Windows\system32\Khihld32.exe112⤵PID:4656
-
C:\Windows\SysWOW64\Kaaldjil.exeC:\Windows\system32\Kaaldjil.exe113⤵PID:5088
-
C:\Windows\SysWOW64\Laffpi32.exeC:\Windows\system32\Laffpi32.exe114⤵PID:1752
-
C:\Windows\SysWOW64\Lknjhokg.exeC:\Windows\system32\Lknjhokg.exe115⤵
- Drops file in System32 directory
PID:644 -
C:\Windows\SysWOW64\Ldfoad32.exeC:\Windows\system32\Ldfoad32.exe116⤵PID:1260
-
C:\Windows\SysWOW64\Lhdggb32.exeC:\Windows\system32\Lhdggb32.exe117⤵PID:1784
-
C:\Windows\SysWOW64\Lehhqg32.exeC:\Windows\system32\Lehhqg32.exe118⤵PID:2100
-
C:\Windows\SysWOW64\Mekdffee.exeC:\Windows\system32\Mekdffee.exe119⤵PID:4580
-
C:\Windows\SysWOW64\Mlemcq32.exeC:\Windows\system32\Mlemcq32.exe120⤵PID:3740
-
C:\Windows\SysWOW64\Maaekg32.exeC:\Windows\system32\Maaekg32.exe121⤵PID:1180
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-