Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
14/10/2023, 19:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.be994866ca2100e87dfe2cf93f081bc0.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.be994866ca2100e87dfe2cf93f081bc0.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.be994866ca2100e87dfe2cf93f081bc0.exe
-
Size
59KB
-
MD5
be994866ca2100e87dfe2cf93f081bc0
-
SHA1
a95e82aa5bfaa8f78dd9fe1ce97c880ee8810919
-
SHA256
875cc0efcbb5d4972689cd200308e5cded53f6340eae8e379c4b1fa1cc87d3ad
-
SHA512
c73e14921912333a7f415f9240e236fb087025b53461295137b7c323e031d75388076ae94a299ca7322cd33cfec9f829b549797e19a008b3b7a2147cdf06c7d0
-
SSDEEP
1536:G8gk32b2WFFy1RtEjO00HXMYuo8WUmO2LLO:RgHQ1vOU3fL8WUmTLO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajaelc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbinkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmmblkpm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlpkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcifkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klpakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phnoac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnafgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnacfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oabiak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hahcfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhaeklb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jncobabm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdkdbgpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlfhhgpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knqepc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abfdpfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpbmme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eplgod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiipmhmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfcmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgjggkqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfmhjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqfbkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcefgeif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aemqdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghlcga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmeoqlpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nklbfaae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfepdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ongpeejj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poqckdap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okcccdkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlkaahjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kelkkpae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbinkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmdach32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poidhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qojeabie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbiakf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbqpbbfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjambg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcqjhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dklhmlac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lokdnjkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bodano32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djjobedk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjfplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkjocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmkcjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdpkoalc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dblgja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdjqienq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jphkkpbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aikbpckb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aakelfhg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icdhdfcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjdcfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogoncd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naodbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aehghn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgoejapi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacjkjgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjpek32.exe -
Executes dropped EXE 64 IoCs
pid Process 932 Cljobphg.exe 1068 Chqogq32.exe 1624 Dokgdkeh.exe 636 Dhclmp32.exe 5048 Domdjj32.exe 3928 Dheibpje.exe 2800 Dnbakghm.exe 1860 Dmcain32.exe 4948 Dijbno32.exe 4388 Dfnbgc32.exe 4336 Ekkkoj32.exe 2760 Eecphp32.exe 3024 Eoideh32.exe 3824 Efblbbqd.exe 2600 Ekodjiol.exe 1452 Efeihb32.exe 2804 Epmmqheb.exe 3432 Eifaim32.exe 4772 Eppjfgcp.exe 3320 Fihnomjp.exe 4904 Fneggdhg.exe 1428 Fmfgek32.exe 1908 Fbbpmb32.exe 2084 Fmhdkknd.exe 3376 Fiodpl32.exe 456 Fnlmhc32.exe 220 Flpmagqi.exe 4460 Gfeaopqo.exe 976 Gmojkj32.exe 3216 Gnqfcbnj.exe 4760 Gejopl32.exe 4568 Gppcmeem.exe 1064 Gihgfk32.exe 2476 Gflhoo32.exe 2948 Gpelhd32.exe 588 Geaepk32.exe 4364 Gbeejp32.exe 4080 Hlpfhe32.exe 2104 Hffken32.exe 752 Hlbcnd32.exe 2552 Hifcgion.exe 4920 Hpqldc32.exe 4556 Hiipmhmk.exe 3272 Ibaeen32.exe 520 Iepaaico.exe 4344 Ipeeobbe.exe 4008 Iinjhh32.exe 4392 Iojbpo32.exe 1500 Iedjmioj.exe 552 Ipjoja32.exe 5020 Igdgglfl.exe 4876 Ickglm32.exe 736 Ipoheakj.exe 5044 Jekqmhia.exe 2116 Jpaekqhh.exe 796 Jgkmgk32.exe 1656 Jlgepanl.exe 3004 Jilfifme.exe 3548 Jgpfbjlo.exe 3068 Jphkkpbp.exe 3668 Jedccfqg.exe 1920 Jlolpq32.exe 460 Kcidmkpq.exe 1448 Klahfp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nlfeeelm.exe Nihiiimi.exe File opened for modification C:\Windows\SysWOW64\Blbodh32.exe Aehghn32.exe File created C:\Windows\SysWOW64\Giblae32.dll Inejlibi.exe File created C:\Windows\SysWOW64\Kgjggkqi.exe Kelkkpae.exe File opened for modification C:\Windows\SysWOW64\Lepnli32.exe Lbabpn32.exe File created C:\Windows\SysWOW64\Kmeeafnb.dll Qpikao32.exe File created C:\Windows\SysWOW64\Pgdgmm32.dll Pldcdhpi.exe File created C:\Windows\SysWOW64\Jmmjpjpg.exe Jfcbcp32.exe File created C:\Windows\SysWOW64\Pmphaaln.exe Pfepdg32.exe File opened for modification C:\Windows\SysWOW64\Gjojkpdp.exe Gfcnka32.exe File created C:\Windows\SysWOW64\Jndhkmfe.exe Jdkdbgpd.exe File opened for modification C:\Windows\SysWOW64\Pldcdhpi.exe Pifghmae.exe File created C:\Windows\SysWOW64\Mhbakk32.exe Mqkijnkp.exe File created C:\Windows\SysWOW64\Qjiaef32.dll Mmdefi32.exe File opened for modification C:\Windows\SysWOW64\Pcgdhkem.exe Pmmlla32.exe File created C:\Windows\SysWOW64\Ploojp32.dll Bimkde32.exe File created C:\Windows\SysWOW64\Ampaho32.exe Ajaelc32.exe File created C:\Windows\SysWOW64\Bkcbaf32.dll Qgkeep32.exe File opened for modification C:\Windows\SysWOW64\Qmnbej32.exe Qefkcl32.exe File created C:\Windows\SysWOW64\Mgoboake.exe Madjbg32.exe File opened for modification C:\Windows\SysWOW64\Gfcnka32.exe Gceaofmc.exe File opened for modification C:\Windows\SysWOW64\Eecphp32.exe Ekkkoj32.exe File created C:\Windows\SysWOW64\Pjehnm32.dll Paiogf32.exe File created C:\Windows\SysWOW64\Lhgiic32.exe Loodqn32.exe File created C:\Windows\SysWOW64\Emhmgmph.dll Lfnfhg32.exe File opened for modification C:\Windows\SysWOW64\Hhfenc32.exe Hpomme32.exe File opened for modification C:\Windows\SysWOW64\Idbonc32.exe Iacbbh32.exe File created C:\Windows\SysWOW64\Bimkde32.exe Bodfkpfg.exe File created C:\Windows\SysWOW64\Lbhoolef.dll Ghmbhd32.exe File opened for modification C:\Windows\SysWOW64\Ahdgnj32.exe Aajoapdk.exe File created C:\Windows\SysWOW64\Ojhiogdd.exe Ocnabm32.exe File opened for modification C:\Windows\SysWOW64\Qgmbkp32.exe Qlhnng32.exe File opened for modification C:\Windows\SysWOW64\Nopfpgip.exe Nmbjcljl.exe File created C:\Windows\SysWOW64\Jolhjj32.exe Jpjhlche.exe File opened for modification C:\Windows\SysWOW64\Kgkfil32.exe Kdmjmqjf.exe File created C:\Windows\SysWOW64\Naiacpeo.dll Ghjfaa32.exe File created C:\Windows\SysWOW64\Hhfenc32.exe Hpomme32.exe File opened for modification C:\Windows\SysWOW64\Ecpomiok.exe Emfgpo32.exe File created C:\Windows\SysWOW64\Aiplmq32.exe Abfdpfaj.exe File created C:\Windows\SysWOW64\Cieonn32.dll Pmhkflnj.exe File created C:\Windows\SysWOW64\Pkabbgol.exe Pehjfm32.exe File created C:\Windows\SysWOW64\Pacfdila.exe Ooejhn32.exe File opened for modification C:\Windows\SysWOW64\Caagofme.exe Cocjbkna.exe File created C:\Windows\SysWOW64\Pkkoeh32.dll Nfjofg32.exe File opened for modification C:\Windows\SysWOW64\Ongijo32.exe Okhmnc32.exe File opened for modification C:\Windows\SysWOW64\Milinkgf.exe Maealn32.exe File created C:\Windows\SysWOW64\Mcnmccfa.exe Mmdefi32.exe File opened for modification C:\Windows\SysWOW64\Lbinkb32.exe Llofnh32.exe File opened for modification C:\Windows\SysWOW64\Inecac32.exe Icoodj32.exe File opened for modification C:\Windows\SysWOW64\Ecblbi32.exe Efolidno.exe File created C:\Windows\SysWOW64\Ghkogl32.dll Mokmdh32.exe File created C:\Windows\SysWOW64\Qpmfklbq.exe Mpnglbkf.exe File opened for modification C:\Windows\SysWOW64\Bojohp32.exe Ainfpi32.exe File created C:\Windows\SysWOW64\Olgnlb32.exe Oaajoj32.exe File created C:\Windows\SysWOW64\Cfqmjajc.exe Ccbanfko.exe File created C:\Windows\SysWOW64\Gmojkj32.exe Gfeaopqo.exe File created C:\Windows\SysWOW64\Njfkmphe.exe Nopfpgip.exe File created C:\Windows\SysWOW64\Bbpoge32.exe Akffjkme.exe File created C:\Windows\SysWOW64\Cjdadgeb.dll Qpmfklbq.exe File created C:\Windows\SysWOW64\Opdhmmdg.dll Eqkmpo32.exe File created C:\Windows\SysWOW64\Appaki32.dll Gacjkjgb.exe File created C:\Windows\SysWOW64\Cckmklac.exe Claenb32.exe File created C:\Windows\SysWOW64\Nqdeefpi.exe Kapclned.exe File created C:\Windows\SysWOW64\Pfabjq32.dll Gppcmeem.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5564 5316 Process not Found 1137 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aplaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqnofkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iihkjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fifhmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnfdqjo.dll" Gkgeipah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbpoge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cljomc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Midmcgif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdmmlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgqfmcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipeeobbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohobebig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgejeooc.dll" Bjnmib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllfakij.dll" Nmbjcljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppajem32.dll" Qojeabie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdmecdlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbomfokl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cljobphg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfgiof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpphcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiaobjia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnplfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odibfg32.dll" Pjjfdfbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqmincia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pffgom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fddogn32.dll" Pmjhlklg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdckahg.dll" Nmajbnha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egiohh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cajcffka.dll" Naodbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gideogil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmiadaea.dll" Nncccnol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kihdqkaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljaooodf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmolo32.dll" Lmdnbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegholn.dll" Aoalba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgkipl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnfgneq.dll" Ghcjedcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjakoh32.dll" Gmndjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbphca32.dll" Qihoak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poqckdap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbemdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjajl32.dll" Dnjdigpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljgf32.dll" Chqogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didmdo32.dll" Iedjmioj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfkdkqeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelbhc32.dll" Pamikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmhdkknd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkooep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kapclned.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giblae32.dll" Inejlibi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljqhkckn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefkmhfm.dll" Jondojna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooalibaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndmnfofi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqdbec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngjkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pehnboko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebeaf32.dll" Pcijce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkomkdlk.dll" Jaefne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbqpbbfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edfaonkb.dll" Ngcngfgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pddmml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faebdm32.dll" Qlhnng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kekcjc32.dll" Gifadggi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3296 wrote to memory of 932 3296 NEAS.be994866ca2100e87dfe2cf93f081bc0.exe 86 PID 3296 wrote to memory of 932 3296 NEAS.be994866ca2100e87dfe2cf93f081bc0.exe 86 PID 3296 wrote to memory of 932 3296 NEAS.be994866ca2100e87dfe2cf93f081bc0.exe 86 PID 932 wrote to memory of 1068 932 Cljobphg.exe 87 PID 932 wrote to memory of 1068 932 Cljobphg.exe 87 PID 932 wrote to memory of 1068 932 Cljobphg.exe 87 PID 1068 wrote to memory of 1624 1068 Chqogq32.exe 88 PID 1068 wrote to memory of 1624 1068 Chqogq32.exe 88 PID 1068 wrote to memory of 1624 1068 Chqogq32.exe 88 PID 1624 wrote to memory of 636 1624 Dokgdkeh.exe 89 PID 1624 wrote to memory of 636 1624 Dokgdkeh.exe 89 PID 1624 wrote to memory of 636 1624 Dokgdkeh.exe 89 PID 636 wrote to memory of 5048 636 Dhclmp32.exe 90 PID 636 wrote to memory of 5048 636 Dhclmp32.exe 90 PID 636 wrote to memory of 5048 636 Dhclmp32.exe 90 PID 5048 wrote to memory of 3928 5048 Domdjj32.exe 91 PID 5048 wrote to memory of 3928 5048 Domdjj32.exe 91 PID 5048 wrote to memory of 3928 5048 Domdjj32.exe 91 PID 3928 wrote to memory of 2800 3928 Dheibpje.exe 92 PID 3928 wrote to memory of 2800 3928 Dheibpje.exe 92 PID 3928 wrote to memory of 2800 3928 Dheibpje.exe 92 PID 2800 wrote to memory of 1860 2800 Dnbakghm.exe 93 PID 2800 wrote to memory of 1860 2800 Dnbakghm.exe 93 PID 2800 wrote to memory of 1860 2800 Dnbakghm.exe 93 PID 1860 wrote to memory of 4948 1860 Dmcain32.exe 94 PID 1860 wrote to memory of 4948 1860 Dmcain32.exe 94 PID 1860 wrote to memory of 4948 1860 Dmcain32.exe 94 PID 4948 wrote to memory of 4388 4948 Dijbno32.exe 95 PID 4948 wrote to memory of 4388 4948 Dijbno32.exe 95 PID 4948 wrote to memory of 4388 4948 Dijbno32.exe 95 PID 4388 wrote to memory of 4336 4388 Dfnbgc32.exe 96 PID 4388 wrote to memory of 4336 4388 Dfnbgc32.exe 96 PID 4388 wrote to memory of 4336 4388 Dfnbgc32.exe 96 PID 4336 wrote to memory of 2760 4336 Ekkkoj32.exe 97 PID 4336 wrote to memory of 2760 4336 Ekkkoj32.exe 97 PID 4336 wrote to memory of 2760 4336 Ekkkoj32.exe 97 PID 2760 wrote to memory of 3024 2760 Eecphp32.exe 98 PID 2760 wrote to memory of 3024 2760 Eecphp32.exe 98 PID 2760 wrote to memory of 3024 2760 Eecphp32.exe 98 PID 3024 wrote to memory of 3824 3024 Eoideh32.exe 99 PID 3024 wrote to memory of 3824 3024 Eoideh32.exe 99 PID 3024 wrote to memory of 3824 3024 Eoideh32.exe 99 PID 3824 wrote to memory of 2600 3824 Efblbbqd.exe 100 PID 3824 wrote to memory of 2600 3824 Efblbbqd.exe 100 PID 3824 wrote to memory of 2600 3824 Efblbbqd.exe 100 PID 2600 wrote to memory of 1452 2600 Ekodjiol.exe 101 PID 2600 wrote to memory of 1452 2600 Ekodjiol.exe 101 PID 2600 wrote to memory of 1452 2600 Ekodjiol.exe 101 PID 1452 wrote to memory of 2804 1452 Efeihb32.exe 102 PID 1452 wrote to memory of 2804 1452 Efeihb32.exe 102 PID 1452 wrote to memory of 2804 1452 Efeihb32.exe 102 PID 2804 wrote to memory of 3432 2804 Epmmqheb.exe 103 PID 2804 wrote to memory of 3432 2804 Epmmqheb.exe 103 PID 2804 wrote to memory of 3432 2804 Epmmqheb.exe 103 PID 3432 wrote to memory of 4772 3432 Eifaim32.exe 104 PID 3432 wrote to memory of 4772 3432 Eifaim32.exe 104 PID 3432 wrote to memory of 4772 3432 Eifaim32.exe 104 PID 4772 wrote to memory of 3320 4772 Eppjfgcp.exe 105 PID 4772 wrote to memory of 3320 4772 Eppjfgcp.exe 105 PID 4772 wrote to memory of 3320 4772 Eppjfgcp.exe 105 PID 3320 wrote to memory of 4904 3320 Fihnomjp.exe 106 PID 3320 wrote to memory of 4904 3320 Fihnomjp.exe 106 PID 3320 wrote to memory of 4904 3320 Fihnomjp.exe 106 PID 4904 wrote to memory of 1428 4904 Fneggdhg.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.be994866ca2100e87dfe2cf93f081bc0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.be994866ca2100e87dfe2cf93f081bc0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Windows\SysWOW64\Cljobphg.exeC:\Windows\system32\Cljobphg.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Chqogq32.exeC:\Windows\system32\Chqogq32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Dokgdkeh.exeC:\Windows\system32\Dokgdkeh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Dhclmp32.exeC:\Windows\system32\Dhclmp32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Domdjj32.exeC:\Windows\system32\Domdjj32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Dheibpje.exeC:\Windows\system32\Dheibpje.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\Dnbakghm.exeC:\Windows\system32\Dnbakghm.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Dmcain32.exeC:\Windows\system32\Dmcain32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Dijbno32.exeC:\Windows\system32\Dijbno32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Dfnbgc32.exeC:\Windows\system32\Dfnbgc32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\Ekkkoj32.exeC:\Windows\system32\Ekkkoj32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\Eecphp32.exeC:\Windows\system32\Eecphp32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Eoideh32.exeC:\Windows\system32\Eoideh32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Efblbbqd.exeC:\Windows\system32\Efblbbqd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\SysWOW64\Ekodjiol.exeC:\Windows\system32\Ekodjiol.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Efeihb32.exeC:\Windows\system32\Efeihb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Epmmqheb.exeC:\Windows\system32\Epmmqheb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Eifaim32.exeC:\Windows\system32\Eifaim32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\Eppjfgcp.exeC:\Windows\system32\Eppjfgcp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Fihnomjp.exeC:\Windows\system32\Fihnomjp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\Fneggdhg.exeC:\Windows\system32\Fneggdhg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Fmfgek32.exeC:\Windows\system32\Fmfgek32.exe23⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Fbbpmb32.exeC:\Windows\system32\Fbbpmb32.exe24⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Fmhdkknd.exeC:\Windows\system32\Fmhdkknd.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Fiodpl32.exeC:\Windows\system32\Fiodpl32.exe26⤵
- Executes dropped EXE
PID:3376 -
C:\Windows\SysWOW64\Fnlmhc32.exeC:\Windows\system32\Fnlmhc32.exe27⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Flpmagqi.exeC:\Windows\system32\Flpmagqi.exe28⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Gfeaopqo.exeC:\Windows\system32\Gfeaopqo.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4460 -
C:\Windows\SysWOW64\Gmojkj32.exeC:\Windows\system32\Gmojkj32.exe30⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Gnqfcbnj.exeC:\Windows\system32\Gnqfcbnj.exe31⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Gejopl32.exeC:\Windows\system32\Gejopl32.exe32⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Gppcmeem.exeC:\Windows\system32\Gppcmeem.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4568 -
C:\Windows\SysWOW64\Gihgfk32.exeC:\Windows\system32\Gihgfk32.exe34⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Gflhoo32.exeC:\Windows\system32\Gflhoo32.exe35⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Gpelhd32.exeC:\Windows\system32\Gpelhd32.exe36⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Geaepk32.exeC:\Windows\system32\Geaepk32.exe37⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Gbeejp32.exeC:\Windows\system32\Gbeejp32.exe38⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Hlpfhe32.exeC:\Windows\system32\Hlpfhe32.exe39⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Hffken32.exeC:\Windows\system32\Hffken32.exe40⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Hlbcnd32.exeC:\Windows\system32\Hlbcnd32.exe41⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Hifcgion.exeC:\Windows\system32\Hifcgion.exe42⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Hpqldc32.exeC:\Windows\system32\Hpqldc32.exe43⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Hiipmhmk.exeC:\Windows\system32\Hiipmhmk.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Ibaeen32.exeC:\Windows\system32\Ibaeen32.exe45⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Iepaaico.exeC:\Windows\system32\Iepaaico.exe46⤵
- Executes dropped EXE
PID:520 -
C:\Windows\SysWOW64\Ipeeobbe.exeC:\Windows\system32\Ipeeobbe.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:4344 -
C:\Windows\SysWOW64\Iinjhh32.exeC:\Windows\system32\Iinjhh32.exe48⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Iojbpo32.exeC:\Windows\system32\Iojbpo32.exe49⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Iedjmioj.exeC:\Windows\system32\Iedjmioj.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1500 -
C:\Windows\SysWOW64\Ipjoja32.exeC:\Windows\system32\Ipjoja32.exe51⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Igdgglfl.exeC:\Windows\system32\Igdgglfl.exe52⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Ickglm32.exeC:\Windows\system32\Ickglm32.exe53⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Ipoheakj.exeC:\Windows\system32\Ipoheakj.exe54⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Jekqmhia.exeC:\Windows\system32\Jekqmhia.exe55⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Jpaekqhh.exeC:\Windows\system32\Jpaekqhh.exe56⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Jgkmgk32.exeC:\Windows\system32\Jgkmgk32.exe57⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Jlgepanl.exeC:\Windows\system32\Jlgepanl.exe58⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Jilfifme.exeC:\Windows\system32\Jilfifme.exe59⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Jgpfbjlo.exeC:\Windows\system32\Jgpfbjlo.exe60⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Jphkkpbp.exeC:\Windows\system32\Jphkkpbp.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Jedccfqg.exeC:\Windows\system32\Jedccfqg.exe62⤵
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Jlolpq32.exeC:\Windows\system32\Jlolpq32.exe63⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Kcidmkpq.exeC:\Windows\system32\Kcidmkpq.exe64⤵
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Klahfp32.exeC:\Windows\system32\Klahfp32.exe65⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Kgflcifg.exeC:\Windows\system32\Kgflcifg.exe66⤵PID:4832
-
C:\Windows\SysWOW64\Knqepc32.exeC:\Windows\system32\Knqepc32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4116 -
C:\Windows\SysWOW64\Koaagkcb.exeC:\Windows\system32\Koaagkcb.exe68⤵PID:3844
-
C:\Windows\SysWOW64\Kflide32.exeC:\Windows\system32\Kflide32.exe69⤵PID:4576
-
C:\Windows\SysWOW64\Klfaapbl.exeC:\Windows\system32\Klfaapbl.exe70⤵PID:956
-
C:\Windows\SysWOW64\Kgkfnh32.exeC:\Windows\system32\Kgkfnh32.exe71⤵PID:2928
-
C:\Windows\SysWOW64\Klhnfo32.exeC:\Windows\system32\Klhnfo32.exe72⤵PID:4660
-
C:\Windows\SysWOW64\Kgnbdh32.exeC:\Windows\system32\Kgnbdh32.exe73⤵PID:1960
-
C:\Windows\SysWOW64\Lljklo32.exeC:\Windows\system32\Lljklo32.exe74⤵PID:4996
-
C:\Windows\SysWOW64\Loighj32.exeC:\Windows\system32\Loighj32.exe75⤵PID:516
-
C:\Windows\SysWOW64\Ljnlecmp.exeC:\Windows\system32\Ljnlecmp.exe76⤵PID:3380
-
C:\Windows\SysWOW64\Lokdnjkg.exeC:\Windows\system32\Lokdnjkg.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5140 -
C:\Windows\SysWOW64\Ljqhkckn.exeC:\Windows\system32\Ljqhkckn.exe78⤵
- Modifies registry class
PID:5184 -
C:\Windows\SysWOW64\Lqkqhm32.exeC:\Windows\system32\Lqkqhm32.exe79⤵PID:5228
-
C:\Windows\SysWOW64\Lgdidgjg.exeC:\Windows\system32\Lgdidgjg.exe80⤵PID:5284
-
C:\Windows\SysWOW64\Lmaamn32.exeC:\Windows\system32\Lmaamn32.exe81⤵PID:5324
-
C:\Windows\SysWOW64\Lggejg32.exeC:\Windows\system32\Lggejg32.exe82⤵PID:5400
-
C:\Windows\SysWOW64\Lmdnbn32.exeC:\Windows\system32\Lmdnbn32.exe83⤵
- Modifies registry class
PID:5452 -
C:\Windows\SysWOW64\Lcnfohmi.exeC:\Windows\system32\Lcnfohmi.exe84⤵PID:5504
-
C:\Windows\SysWOW64\Mqafhl32.exeC:\Windows\system32\Mqafhl32.exe85⤵PID:5548
-
C:\Windows\SysWOW64\Mfnoqc32.exeC:\Windows\system32\Mfnoqc32.exe86⤵PID:5596
-
C:\Windows\SysWOW64\Mmhgmmbf.exeC:\Windows\system32\Mmhgmmbf.exe87⤵PID:5636
-
C:\Windows\SysWOW64\Mcbpjg32.exeC:\Windows\system32\Mcbpjg32.exe88⤵PID:5684
-
C:\Windows\SysWOW64\Mjlhgaqp.exeC:\Windows\system32\Mjlhgaqp.exe89⤵PID:5732
-
C:\Windows\SysWOW64\Mmkdcm32.exeC:\Windows\system32\Mmkdcm32.exe90⤵PID:5780
-
C:\Windows\SysWOW64\Mgphpe32.exeC:\Windows\system32\Mgphpe32.exe91⤵PID:5828
-
C:\Windows\SysWOW64\Mokmdh32.exeC:\Windows\system32\Mokmdh32.exe92⤵
- Drops file in System32 directory
PID:5880 -
C:\Windows\SysWOW64\Mfeeabda.exeC:\Windows\system32\Mfeeabda.exe93⤵PID:5924
-
C:\Windows\SysWOW64\Mmpmnl32.exeC:\Windows\system32\Mmpmnl32.exe94⤵PID:5968
-
C:\Windows\SysWOW64\Mcifkf32.exeC:\Windows\system32\Mcifkf32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6016 -
C:\Windows\SysWOW64\Mfhbga32.exeC:\Windows\system32\Mfhbga32.exe96⤵PID:6056
-
C:\Windows\SysWOW64\Nmbjcljl.exeC:\Windows\system32\Nmbjcljl.exe97⤵
- Drops file in System32 directory
- Modifies registry class
PID:6104 -
C:\Windows\SysWOW64\Nopfpgip.exeC:\Windows\system32\Nopfpgip.exe98⤵
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Njfkmphe.exeC:\Windows\system32\Njfkmphe.exe99⤵PID:5196
-
C:\Windows\SysWOW64\Nqpcjj32.exeC:\Windows\system32\Nqpcjj32.exe100⤵PID:5292
-
C:\Windows\SysWOW64\Ngjkfd32.exeC:\Windows\system32\Ngjkfd32.exe101⤵
- Modifies registry class
PID:5416 -
C:\Windows\SysWOW64\Nncccnol.exeC:\Windows\system32\Nncccnol.exe102⤵
- Modifies registry class
PID:5484 -
C:\Windows\SysWOW64\Nqbpojnp.exeC:\Windows\system32\Nqbpojnp.exe103⤵PID:5560
-
C:\Windows\SysWOW64\Nglhld32.exeC:\Windows\system32\Nglhld32.exe104⤵PID:5648
-
C:\Windows\SysWOW64\Njjdho32.exeC:\Windows\system32\Njjdho32.exe105⤵PID:5712
-
C:\Windows\SysWOW64\Nadleilm.exeC:\Windows\system32\Nadleilm.exe106⤵PID:5792
-
C:\Windows\SysWOW64\Ngndaccj.exeC:\Windows\system32\Ngndaccj.exe107⤵PID:5848
-
C:\Windows\SysWOW64\Njmqnobn.exeC:\Windows\system32\Njmqnobn.exe108⤵PID:5956
-
C:\Windows\SysWOW64\Npiiffqe.exeC:\Windows\system32\Npiiffqe.exe109⤵PID:6008
-
C:\Windows\SysWOW64\Ngqagcag.exeC:\Windows\system32\Ngqagcag.exe110⤵PID:6100
-
C:\Windows\SysWOW64\Oaifpi32.exeC:\Windows\system32\Oaifpi32.exe111⤵PID:5148
-
C:\Windows\SysWOW64\Offnhpfo.exeC:\Windows\system32\Offnhpfo.exe112⤵PID:5280
-
C:\Windows\SysWOW64\Oakbehfe.exeC:\Windows\system32\Oakbehfe.exe113⤵PID:5448
-
C:\Windows\SysWOW64\Ofhknodl.exeC:\Windows\system32\Ofhknodl.exe114⤵PID:5544
-
C:\Windows\SysWOW64\Ombcji32.exeC:\Windows\system32\Ombcji32.exe115⤵PID:5692
-
C:\Windows\SysWOW64\Oclkgccf.exeC:\Windows\system32\Oclkgccf.exe116⤵PID:5808
-
C:\Windows\SysWOW64\Onapdl32.exeC:\Windows\system32\Onapdl32.exe117⤵PID:5912
-
C:\Windows\SysWOW64\Ocohmc32.exeC:\Windows\system32\Ocohmc32.exe118⤵PID:6036
-
C:\Windows\SysWOW64\Omgmeigd.exeC:\Windows\system32\Omgmeigd.exe119⤵PID:6136
-
C:\Windows\SysWOW64\Ohlqcagj.exeC:\Windows\system32\Ohlqcagj.exe120⤵PID:5380
-
C:\Windows\SysWOW64\Pnfiplog.exeC:\Windows\system32\Pnfiplog.exe121⤵PID:5520
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-