Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
162s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
14/10/2023, 17:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.4a34443d83ca1ef825e6f19d04b2afb0.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.4a34443d83ca1ef825e6f19d04b2afb0.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.4a34443d83ca1ef825e6f19d04b2afb0.exe
-
Size
63KB
-
MD5
4a34443d83ca1ef825e6f19d04b2afb0
-
SHA1
d87b9a8fb36ad906af83e2d2cec501b496219ac2
-
SHA256
e584e9457bbfc5b09463bcfb9365743bd8de9d9aca91cc91ad00a9c8d0bf5aad
-
SHA512
00f1fd2bb67166eda1c4628ad524146098b1fa3011581ac3349884d48990e5b017f8a66df979d626d80e04c1ebbd766b36c214617535c08734fb3092b86be9a3
-
SSDEEP
1536:ZLOBc3J8bLRmUzA6W2p4p+VltEn9rjDHE:ZLOK36LIqtW2pAoXk9DHE
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlogojjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifjlcmmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdcncg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Achlch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphmbolk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdknfiea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Colegflh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjnjjbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glajmppm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhhkbqea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmfdppia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhnjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfngll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llhocfnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ainmlomf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpjilj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mimgeigj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nchipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oibohdmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oighcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Happkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieaekdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofcldoef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhlogjko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Babbpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcfioj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbmnea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlbaljhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmhdkdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klhbdclg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nogjbbma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqonbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kndbko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geddoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcjhig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alkpgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oleinmgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omefkplm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphlgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbmnea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdbeqmag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad NEAS.4a34443d83ca1ef825e6f19d04b2afb0.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aohgfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdepmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankckagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkbadifn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmalldcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mclebc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhoohgdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlecmkel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijqoilii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlbaljhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iganmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lomgjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ankedf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnegldo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meafpibb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcaimgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjfnomde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfokinhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnahgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keiqlihp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfkapb32.exe -
Executes dropped EXE 64 IoCs
pid Process 2312 Eoajel32.exe 2736 Egmojnlf.exe 2460 Edqocbkp.exe 2624 Ekjgpm32.exe 2464 Ecfldoph.exe 2128 Eolmip32.exe 2868 Foojop32.exe 2928 Fmcjhdbc.exe 1544 Fdnolfon.exe 2796 Foccjood.exe 2692 Fkjdopeh.exe 2760 Fbdlkj32.exe 1392 Fgadda32.exe 1504 Gbfiaj32.exe 2376 Gqlebf32.exe 1896 Gfhnjm32.exe 2024 Gmbfggdo.exe 2396 Gghkdp32.exe 1448 Gaqomeke.exe 1292 Gmgpbf32.exe 1824 Hinqgg32.exe 1108 Hphidanj.exe 2104 Hloiib32.exe 668 Halbai32.exe 2264 Hbknkl32.exe 2140 Hdlkcdog.exe 2232 Hjfcpo32.exe 2564 Hapklimq.exe 2720 Hhjcic32.exe 2604 Ipehmebh.exe 2808 Ijklknbn.exe 1632 Iphecepe.exe 2508 Iipiljgf.exe 1992 Iibfajdc.exe 2856 Ibkkjp32.exe 2676 Ieigfk32.exe 2512 Ielclkhe.exe 1960 Jkhldafl.exe 1912 Jenpajfb.exe 2844 Jniefm32.exe 2076 Jdcmbgkj.exe 1124 Jkmeoa32.exe 2272 Jagnlkjd.exe 2012 Jdejhfig.exe 2144 Jgdfdbhk.exe 1056 Jaijak32.exe 1548 Jkbojpna.exe 1028 Jlckbh32.exe 900 Kcmcoblm.exe 3016 Kfkpknkq.exe 1232 Klehgh32.exe 1144 Koddccaa.exe 2180 Kfnmpn32.exe 1584 Klhemhpk.exe 2708 Kbdmeoob.exe 2480 Kohnoc32.exe 2452 Khabghdl.exe 2524 Kbigpn32.exe 808 Kdhcli32.exe 2904 Kgfoie32.exe 2764 Lomgjb32.exe 2768 Lqncaj32.exe 1628 Lnbdko32.exe 548 Lgkhdddo.exe -
Loads dropped DLL 64 IoCs
pid Process 344 NEAS.4a34443d83ca1ef825e6f19d04b2afb0.exe 344 NEAS.4a34443d83ca1ef825e6f19d04b2afb0.exe 2312 Eoajel32.exe 2312 Eoajel32.exe 2736 Egmojnlf.exe 2736 Egmojnlf.exe 2460 Edqocbkp.exe 2460 Edqocbkp.exe 2624 Ekjgpm32.exe 2624 Ekjgpm32.exe 2464 Ecfldoph.exe 2464 Ecfldoph.exe 2128 Eolmip32.exe 2128 Eolmip32.exe 2868 Foojop32.exe 2868 Foojop32.exe 2928 Fmcjhdbc.exe 2928 Fmcjhdbc.exe 1544 Fdnolfon.exe 1544 Fdnolfon.exe 2796 Foccjood.exe 2796 Foccjood.exe 2692 Fkjdopeh.exe 2692 Fkjdopeh.exe 2760 Fbdlkj32.exe 2760 Fbdlkj32.exe 1392 Fgadda32.exe 1392 Fgadda32.exe 1504 Gbfiaj32.exe 1504 Gbfiaj32.exe 2376 Gqlebf32.exe 2376 Gqlebf32.exe 1896 Gfhnjm32.exe 1896 Gfhnjm32.exe 2024 Gmbfggdo.exe 2024 Gmbfggdo.exe 2396 Gghkdp32.exe 2396 Gghkdp32.exe 1448 Gaqomeke.exe 1448 Gaqomeke.exe 1292 Gmgpbf32.exe 1292 Gmgpbf32.exe 1824 Hinqgg32.exe 1824 Hinqgg32.exe 1108 Hphidanj.exe 1108 Hphidanj.exe 2104 Hloiib32.exe 2104 Hloiib32.exe 668 Halbai32.exe 668 Halbai32.exe 2264 Hbknkl32.exe 2264 Hbknkl32.exe 2140 Hdlkcdog.exe 2140 Hdlkcdog.exe 2232 Hjfcpo32.exe 2232 Hjfcpo32.exe 2564 Hapklimq.exe 2564 Hapklimq.exe 2720 Hhjcic32.exe 2720 Hhjcic32.exe 2604 Ipehmebh.exe 2604 Ipehmebh.exe 2808 Ijklknbn.exe 2808 Ijklknbn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fdkqbd32.dll Ahjahk32.exe File opened for modification C:\Windows\SysWOW64\Bcjhig32.exe Alqplmlb.exe File created C:\Windows\SysWOW64\Akinoefk.dll Fplgljbm.exe File created C:\Windows\SysWOW64\Fckada32.dll Kbigpn32.exe File created C:\Windows\SysWOW64\Ikgeel32.dll Mfmndn32.exe File opened for modification C:\Windows\SysWOW64\Aalofa32.exe Abinjdad.exe File opened for modification C:\Windows\SysWOW64\Ddblgn32.exe Dmhdkdlg.exe File created C:\Windows\SysWOW64\Ljddjj32.exe Lcjlnpmo.exe File created C:\Windows\SysWOW64\Lnjcomcf.exe Lgqkbb32.exe File created C:\Windows\SysWOW64\Kphipide.dll Dkcebg32.exe File created C:\Windows\SysWOW64\Kalkjh32.exe Khdgabih.exe File created C:\Windows\SysWOW64\Dkbfgoak.dll Hloiib32.exe File created C:\Windows\SysWOW64\Bejfao32.exe Bmcnqama.exe File created C:\Windows\SysWOW64\Cmhglq32.exe Cgkocj32.exe File created C:\Windows\SysWOW64\Onqaonnc.exe Nkbdbbop.exe File created C:\Windows\SysWOW64\Mipjbokm.exe Medobp32.exe File opened for modification C:\Windows\SysWOW64\Kcecbq32.exe Kdbbgdjj.exe File created C:\Windows\SysWOW64\Gfbejp32.dll Ahfgbkpl.exe File created C:\Windows\SysWOW64\Bklifdmh.dll Akpmhdqd.exe File created C:\Windows\SysWOW64\Afnmbcbg.dll Hengep32.exe File created C:\Windows\SysWOW64\Bdehgnqc.exe Bbflkcao.exe File created C:\Windows\SysWOW64\Geeekf32.exe Gcfioj32.exe File created C:\Windows\SysWOW64\Hakehc32.dll Adkbgf32.exe File created C:\Windows\SysWOW64\Dihojnqo.exe Dggcbf32.exe File created C:\Windows\SysWOW64\Aippal32.dll Fgadda32.exe File created C:\Windows\SysWOW64\Nbkkmi32.dll Cmhglq32.exe File created C:\Windows\SysWOW64\Dpkibo32.exe Dahifbpk.exe File created C:\Windows\SysWOW64\Aikjmm32.dll Cdlmlidp.exe File created C:\Windows\SysWOW64\Bcgoolln.exe Bmmgbbeq.exe File created C:\Windows\SysWOW64\Dggcbf32.exe Dopkai32.exe File created C:\Windows\SysWOW64\Fmcnbemk.dll Llojpghe.exe File created C:\Windows\SysWOW64\Anlhkbhq.exe Ajqljc32.exe File created C:\Windows\SysWOW64\Pjmnfk32.exe Phobjp32.exe File created C:\Windows\SysWOW64\Ndjfgkha.exe Nakikpin.exe File created C:\Windows\SysWOW64\Mdaedhoh.exe Mmgmhngk.exe File opened for modification C:\Windows\SysWOW64\Bkklhjnk.exe Beackp32.exe File opened for modification C:\Windows\SysWOW64\Ahhaobfe.exe Adleoc32.exe File created C:\Windows\SysWOW64\Odefpfcd.dll Annpaq32.exe File created C:\Windows\SysWOW64\Bnobnc32.dll Fqnfkoen.exe File created C:\Windows\SysWOW64\Foookanl.dll Bcmeogam.exe File created C:\Windows\SysWOW64\Qhbhgbhm.dll Mpcmojia.exe File created C:\Windows\SysWOW64\Mdoafi32.dll Oepjmbka.exe File created C:\Windows\SysWOW64\Kqdodila.dll Nhjjgd32.exe File opened for modification C:\Windows\SysWOW64\Lhoohgdg.exe Ladgkmlj.exe File opened for modification C:\Windows\SysWOW64\Nakikpin.exe Nchipb32.exe File opened for modification C:\Windows\SysWOW64\Jgfghodj.exe Jckkhplq.exe File created C:\Windows\SysWOW64\Gjaamcbe.dll Oemfahcn.exe File created C:\Windows\SysWOW64\Lpenkfbe.dll Edqocbkp.exe File created C:\Windows\SysWOW64\Gpjilj32.exe Geddoa32.exe File opened for modification C:\Windows\SysWOW64\Ekjikadb.exe Eiimci32.exe File created C:\Windows\SysWOW64\Bjibgc32.dll Mmbmeifk.exe File opened for modification C:\Windows\SysWOW64\Nefdpjkl.exe Nbhhdnlh.exe File opened for modification C:\Windows\SysWOW64\Pofldf32.exe Pkjqcg32.exe File created C:\Windows\SysWOW64\Jckflh32.dll Fmhaep32.exe File opened for modification C:\Windows\SysWOW64\Dkqnoh32.exe Dbifnj32.exe File created C:\Windows\SysWOW64\Gjffnf32.dll Kcecbq32.exe File opened for modification C:\Windows\SysWOW64\Dinpnged.exe Dpfkeb32.exe File created C:\Windows\SysWOW64\Fidfbpbc.dll Blgfml32.exe File created C:\Windows\SysWOW64\Pjikmb32.dll Pjlgna32.exe File created C:\Windows\SysWOW64\Jngdfa32.dll Eeffpn32.exe File created C:\Windows\SysWOW64\Hmmbqegc.exe Hjofdi32.exe File created C:\Windows\SysWOW64\Jefdckem.dll Lbafdlod.exe File created C:\Windows\SysWOW64\Lchqcd32.exe Klhbdclg.exe File created C:\Windows\SysWOW64\Ofdclinq.exe Opjkpo32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aopahjll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmhdkdlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljfapjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlnpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affdii32.dll" Babbpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqdjge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acfpilmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjgoje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejdaoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdqfaiab.dll" Bdknfiea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gddbfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imiomgme.dll" Lnpcabef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhnop32.dll" Ddblgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnhgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ollopmbl.dll" Ldbofgme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Docopbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfmlpf32.dll" Dpfkeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkaane32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajjinaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dapjdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihhpdnkl.dll" Idcqep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alqplmlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjngil32.dll" Ldangbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djocmfki.dll" Emogdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgadda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdcmbgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhlbbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acadchoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjfjcdln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnlhcobj.dll" Hkfgnldd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakapcjd.dll" Iakgefqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oclhpp32.dll" Alqplmlb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kblhdkgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpaknfnf.dll" Gdbeqmag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibklddof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcefh32.dll" Cchdpbog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkalcdao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpfehq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onqaonnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhojbk32.dll" Ojjnioae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkihli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddblgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhnnjob.dll" Ieomef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbbckh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jegdgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eghdanac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boifinfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqdjge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odmabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkejjlpp.dll" Dahifbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdjgfomh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckamihfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djqdgfho.dll" Hkkaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhiglh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oninhgae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnkmkbpj.dll" Nchipb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ockbdebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgidnobg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abbknb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagina32.dll" Jolghndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kalkjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmhaep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhgoghp.dll" Hjhaob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hphidanj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 344 wrote to memory of 2312 344 NEAS.4a34443d83ca1ef825e6f19d04b2afb0.exe 27 PID 344 wrote to memory of 2312 344 NEAS.4a34443d83ca1ef825e6f19d04b2afb0.exe 27 PID 344 wrote to memory of 2312 344 NEAS.4a34443d83ca1ef825e6f19d04b2afb0.exe 27 PID 344 wrote to memory of 2312 344 NEAS.4a34443d83ca1ef825e6f19d04b2afb0.exe 27 PID 2312 wrote to memory of 2736 2312 Eoajel32.exe 28 PID 2312 wrote to memory of 2736 2312 Eoajel32.exe 28 PID 2312 wrote to memory of 2736 2312 Eoajel32.exe 28 PID 2312 wrote to memory of 2736 2312 Eoajel32.exe 28 PID 2736 wrote to memory of 2460 2736 Egmojnlf.exe 29 PID 2736 wrote to memory of 2460 2736 Egmojnlf.exe 29 PID 2736 wrote to memory of 2460 2736 Egmojnlf.exe 29 PID 2736 wrote to memory of 2460 2736 Egmojnlf.exe 29 PID 2460 wrote to memory of 2624 2460 Edqocbkp.exe 30 PID 2460 wrote to memory of 2624 2460 Edqocbkp.exe 30 PID 2460 wrote to memory of 2624 2460 Edqocbkp.exe 30 PID 2460 wrote to memory of 2624 2460 Edqocbkp.exe 30 PID 2624 wrote to memory of 2464 2624 Ekjgpm32.exe 31 PID 2624 wrote to memory of 2464 2624 Ekjgpm32.exe 31 PID 2624 wrote to memory of 2464 2624 Ekjgpm32.exe 31 PID 2624 wrote to memory of 2464 2624 Ekjgpm32.exe 31 PID 2464 wrote to memory of 2128 2464 Ecfldoph.exe 32 PID 2464 wrote to memory of 2128 2464 Ecfldoph.exe 32 PID 2464 wrote to memory of 2128 2464 Ecfldoph.exe 32 PID 2464 wrote to memory of 2128 2464 Ecfldoph.exe 32 PID 2128 wrote to memory of 2868 2128 Eolmip32.exe 33 PID 2128 wrote to memory of 2868 2128 Eolmip32.exe 33 PID 2128 wrote to memory of 2868 2128 Eolmip32.exe 33 PID 2128 wrote to memory of 2868 2128 Eolmip32.exe 33 PID 2868 wrote to memory of 2928 2868 Foojop32.exe 34 PID 2868 wrote to memory of 2928 2868 Foojop32.exe 34 PID 2868 wrote to memory of 2928 2868 Foojop32.exe 34 PID 2868 wrote to memory of 2928 2868 Foojop32.exe 34 PID 2928 wrote to memory of 1544 2928 Fmcjhdbc.exe 35 PID 2928 wrote to memory of 1544 2928 Fmcjhdbc.exe 35 PID 2928 wrote to memory of 1544 2928 Fmcjhdbc.exe 35 PID 2928 wrote to memory of 1544 2928 Fmcjhdbc.exe 35 PID 1544 wrote to memory of 2796 1544 Fdnolfon.exe 36 PID 1544 wrote to memory of 2796 1544 Fdnolfon.exe 36 PID 1544 wrote to memory of 2796 1544 Fdnolfon.exe 36 PID 1544 wrote to memory of 2796 1544 Fdnolfon.exe 36 PID 2796 wrote to memory of 2692 2796 Foccjood.exe 37 PID 2796 wrote to memory of 2692 2796 Foccjood.exe 37 PID 2796 wrote to memory of 2692 2796 Foccjood.exe 37 PID 2796 wrote to memory of 2692 2796 Foccjood.exe 37 PID 2692 wrote to memory of 2760 2692 Fkjdopeh.exe 38 PID 2692 wrote to memory of 2760 2692 Fkjdopeh.exe 38 PID 2692 wrote to memory of 2760 2692 Fkjdopeh.exe 38 PID 2692 wrote to memory of 2760 2692 Fkjdopeh.exe 38 PID 2760 wrote to memory of 1392 2760 Fbdlkj32.exe 39 PID 2760 wrote to memory of 1392 2760 Fbdlkj32.exe 39 PID 2760 wrote to memory of 1392 2760 Fbdlkj32.exe 39 PID 2760 wrote to memory of 1392 2760 Fbdlkj32.exe 39 PID 1392 wrote to memory of 1504 1392 Fgadda32.exe 40 PID 1392 wrote to memory of 1504 1392 Fgadda32.exe 40 PID 1392 wrote to memory of 1504 1392 Fgadda32.exe 40 PID 1392 wrote to memory of 1504 1392 Fgadda32.exe 40 PID 1504 wrote to memory of 2376 1504 Gbfiaj32.exe 41 PID 1504 wrote to memory of 2376 1504 Gbfiaj32.exe 41 PID 1504 wrote to memory of 2376 1504 Gbfiaj32.exe 41 PID 1504 wrote to memory of 2376 1504 Gbfiaj32.exe 41 PID 2376 wrote to memory of 1896 2376 Gqlebf32.exe 42 PID 2376 wrote to memory of 1896 2376 Gqlebf32.exe 42 PID 2376 wrote to memory of 1896 2376 Gqlebf32.exe 42 PID 2376 wrote to memory of 1896 2376 Gqlebf32.exe 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.4a34443d83ca1ef825e6f19d04b2afb0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.4a34443d83ca1ef825e6f19d04b2afb0.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Egmojnlf.exeC:\Windows\system32\Egmojnlf.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Gbfiaj32.exeC:\Windows\system32\Gbfiaj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1896 -
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2024 -
C:\Windows\SysWOW64\Gghkdp32.exeC:\Windows\system32\Gghkdp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Gaqomeke.exeC:\Windows\system32\Gaqomeke.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1448 -
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1292 -
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824 -
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:668 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe33⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe34⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe35⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe36⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe37⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe38⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe39⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe40⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Jniefm32.exeC:\Windows\system32\Jniefm32.exe41⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe43⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Jagnlkjd.exeC:\Windows\system32\Jagnlkjd.exe44⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe45⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe46⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe47⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe48⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Jlckbh32.exeC:\Windows\system32\Jlckbh32.exe49⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe50⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe51⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe52⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe53⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe54⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe55⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe56⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe57⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe58⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe60⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe61⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Lomgjb32.exeC:\Windows\system32\Lomgjb32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe63⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe64⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe65⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe66⤵PID:2084
-
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe67⤵PID:844
-
C:\Windows\SysWOW64\Lbicoamh.exeC:\Windows\system32\Lbicoamh.exe68⤵PID:1552
-
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe69⤵PID:2284
-
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe70⤵PID:284
-
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:948 -
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe72⤵PID:1672
-
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe73⤵PID:560
-
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe74⤵PID:1724
-
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe75⤵PID:2404
-
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe76⤵PID:2148
-
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe77⤵PID:1968
-
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe78⤵PID:2704
-
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe79⤵PID:2620
-
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe80⤵PID:2500
-
C:\Windows\SysWOW64\Nfkapb32.exeC:\Windows\system32\Nfkapb32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2888 -
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe82⤵PID:2656
-
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe83⤵PID:3052
-
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe84⤵PID:2664
-
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe85⤵PID:524
-
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe86⤵PID:1068
-
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe87⤵PID:1372
-
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe88⤵PID:2900
-
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe89⤵PID:1496
-
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe90⤵PID:1164
-
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe91⤵PID:2360
-
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe92⤵PID:1088
-
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe93⤵PID:2996
-
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe94⤵PID:1924
-
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe95⤵
- Modifies registry class
PID:1248 -
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe96⤵PID:2716
-
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2812 -
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe98⤵PID:2748
-
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe99⤵PID:536
-
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe100⤵PID:1588
-
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe101⤵PID:2672
-
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe102⤵PID:1880
-
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe103⤵PID:2820
-
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe104⤵PID:1996
-
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe105⤵PID:1200
-
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe106⤵PID:2000
-
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe107⤵PID:776
-
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe108⤵PID:1704
-
C:\Windows\SysWOW64\Qaqnkafa.exeC:\Windows\system32\Qaqnkafa.exe109⤵PID:1736
-
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe110⤵PID:1916
-
C:\Windows\SysWOW64\Qododfek.exeC:\Windows\system32\Qododfek.exe111⤵PID:1956
-
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe112⤵PID:2600
-
C:\Windows\SysWOW64\Qdaglmcb.exeC:\Windows\system32\Qdaglmcb.exe113⤵PID:2592
-
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe114⤵PID:2172
-
C:\Windows\SysWOW64\Anjlebjc.exeC:\Windows\system32\Anjlebjc.exe115⤵PID:2440
-
C:\Windows\SysWOW64\Ajqljc32.exeC:\Windows\system32\Ajqljc32.exe116⤵
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe117⤵PID:2780
-
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe118⤵PID:1964
-
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe119⤵PID:2652
-
C:\Windows\SysWOW64\Aopahjll.exeC:\Windows\system32\Aopahjll.exe120⤵
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe121⤵PID:1816
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-