Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
14/10/2023, 19:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.c877931d10aab9a54a94639e3af10d70.exe
Resource
win7-20230831-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.c877931d10aab9a54a94639e3af10d70.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.c877931d10aab9a54a94639e3af10d70.exe
-
Size
110KB
-
MD5
c877931d10aab9a54a94639e3af10d70
-
SHA1
11d163239e25519890349e7944923acaef571d7b
-
SHA256
7bec6bddcc91e7523ad52a1082b6565ad6d906effe7faefc9fc2974a40bdf2e9
-
SHA512
ed1aaf4a5f396b13e80369b5a02140e61c815017b8ebf30f89f79833e4ba153d29363c6d0570732ffb85572bc9fcc36dc6bb64b9c0a6d5adb2d77a48e37a6692
-
SSDEEP
1536:JxLqTZFiLGQC1e/KGg3kRSAm1rT2L1emMBf72XnsWslNPmNbZvB2L3:JxLq7iLGQdRSNq1KzYncWbRa3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahinbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Albkieqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekcgkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hecjke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfpbpdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deokja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egbdjhlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqagkjne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icnphd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abemep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niihlkdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bahkih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoobdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndpjnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjjldpdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npjnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hchqbkkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlifnphl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcncodki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbiapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjnaaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mobbdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpihbjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnkbcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aajohjon.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmedjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbldhn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idfaefkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqagkjne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqfolqna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phpbffnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anfmeldl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anijjkbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpbokjho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moipoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Figgdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laiipofp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogpfko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieagmcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oikjkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feimadoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keekjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phpbffnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aekddhcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imgicgca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhaggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bghddp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifihdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhmmieil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noqofdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcofbifb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoobdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lakfeodm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gloejmld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jglkkiea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebpqjmpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bafndi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqbneq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdokmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phlikg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bichcc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlkplk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohdlpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpdhkf32.exe -
Executes dropped EXE 64 IoCs
pid Process 3740 Gdaociml.exe 3692 Glldgljg.exe 1692 Gipdap32.exe 3484 Hibafp32.exe 1088 Hckeoeno.exe 1572 Hcpojd32.exe 3800 Hpcodihc.exe 3392 Ipflihfq.exe 1268 Icfekc32.exe 5100 Idfaefkd.exe 2628 Ilafiihp.exe 2472 Inqbclob.exe 1972 Icnklbmj.exe 3920 Jlfpdh32.exe 2372 Jpdhkf32.exe 2940 Jlkipgpe.exe 4560 Jklinohd.exe 4804 Jnlbojee.exe 4696 Oldjcg32.exe 5084 Oelolmnd.exe 4184 Omgcpokp.exe 2496 Omjpeo32.exe 3884 Phodcg32.exe 3684 Pdfehh32.exe 3456 Pefabkej.exe 2160 Pkbjjbda.exe 4104 Plbfdekd.exe 3984 Pejkmk32.exe 3724 Pocpfphe.exe 4220 Qdphngfl.exe 4772 Qachgk32.exe 4544 Aafemk32.exe 4912 Aahbbkaq.exe 2968 Akqfkp32.exe 212 Aajohjon.exe 1272 Aamknj32.exe 4300 Albpkc32.exe 3036 Aekddhcb.exe 4972 Bochmn32.exe 2904 Blgifbil.exe 3752 Bnhenj32.exe 1436 Bklfgo32.exe 3412 Bafndi32.exe 3952 Bkobmnka.exe 1624 Bahkih32.exe 552 Bkaobnio.exe 468 Bffcpg32.exe 4216 Cnahdi32.exe 704 Clchbqoo.exe 3580 Cdnmfclj.exe 2436 Cnfaohbj.exe 4392 Clgbmp32.exe 736 Cfpffeaj.exe 4152 Cljobphg.exe 4160 Chqogq32.exe 3960 Dfdpad32.exe 3468 Domdjj32.exe 3196 Dmadco32.exe 3672 Doaneiop.exe 4228 Dijbno32.exe 4404 Dbbffdlq.exe 2632 Eofgpikj.exe 3320 Eiokinbk.exe 5116 Enkdaepb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Oelolmnd.exe Oldjcg32.exe File created C:\Windows\SysWOW64\Eecgicmp.dll Finnef32.exe File created C:\Windows\SysWOW64\Dflfoi32.dll Djipbbne.exe File created C:\Windows\SysWOW64\Oqmhqapg.exe Ojcpdg32.exe File opened for modification C:\Windows\SysWOW64\Gqbneq32.exe Gjhfif32.exe File created C:\Windows\SysWOW64\Poeahaib.exe Phlikg32.exe File created C:\Windows\SysWOW64\Iekomapo.dll Gloejmld.exe File created C:\Windows\SysWOW64\Ljeffhcd.dll Hcpojd32.exe File created C:\Windows\SysWOW64\Oflfdbip.exe Ooangh32.exe File created C:\Windows\SysWOW64\Gdokakcj.dll Amfhgj32.exe File created C:\Windows\SysWOW64\Kgiamm32.dll Omjnhiiq.exe File opened for modification C:\Windows\SysWOW64\Pphckb32.exe Pdbbfadn.exe File created C:\Windows\SysWOW64\Nbalhp32.dll Bkobmnka.exe File opened for modification C:\Windows\SysWOW64\Pmblagmf.exe Pnmopk32.exe File opened for modification C:\Windows\SysWOW64\Gloejmld.exe Ggbmafnm.exe File created C:\Windows\SysWOW64\Knnicgle.dll Hjieii32.exe File opened for modification C:\Windows\SysWOW64\Gehbjm32.exe Fnnjmbpm.exe File created C:\Windows\SysWOW64\Njgigo32.dll Jjpode32.exe File opened for modification C:\Windows\SysWOW64\Dmjmekgn.exe Goamlkpk.exe File created C:\Windows\SysWOW64\Gjcmngnj.exe Gcjdam32.exe File opened for modification C:\Windows\SysWOW64\Ibpgqa32.exe Icogcjde.exe File created C:\Windows\SysWOW64\Abpmpkoh.exe Qdllffpo.exe File opened for modification C:\Windows\SysWOW64\Epiaig32.exe Eipilmgh.exe File opened for modification C:\Windows\SysWOW64\Jmmcgbnf.exe Iiokacgp.exe File created C:\Windows\SysWOW64\Qdphngfl.exe Pocpfphe.exe File created C:\Windows\SysWOW64\Hhjhdagb.dll Hpnoncim.exe File created C:\Windows\SysWOW64\Aqmiic32.dll Ibaeen32.exe File opened for modification C:\Windows\SysWOW64\Kcfnqccd.exe Hcofbifb.exe File created C:\Windows\SysWOW64\Glkkmjeh.dll Mbldhn32.exe File opened for modification C:\Windows\SysWOW64\Gjcfcakn.exe Gloejmld.exe File opened for modification C:\Windows\SysWOW64\Ijonfmbn.exe Imknli32.exe File opened for modification C:\Windows\SysWOW64\Dnghhqdk.exe Djipbbne.exe File created C:\Windows\SysWOW64\Amjbbfgo.exe Akkffkhk.exe File opened for modification C:\Windows\SysWOW64\Ilnlom32.exe Iahgad32.exe File created C:\Windows\SysWOW64\Gloejmld.exe Ggbmafnm.exe File opened for modification C:\Windows\SysWOW64\Kplmliko.exe Kefiopki.exe File created C:\Windows\SysWOW64\Olpigmpg.dll Agaoca32.exe File created C:\Windows\SysWOW64\Ilchfdgp.dll Dmadco32.exe File opened for modification C:\Windows\SysWOW64\Ieidhh32.exe Iplkpa32.exe File created C:\Windows\SysWOW64\Egened32.exe Eqlfhjig.exe File opened for modification C:\Windows\SysWOW64\Goamlkpk.exe Giddddad.exe File created C:\Windows\SysWOW64\Jnedgq32.exe Jaqcnl32.exe File opened for modification C:\Windows\SysWOW64\Ggbmafnm.exe Glmhdm32.exe File created C:\Windows\SysWOW64\Eflmeb32.dll Cfedmfqd.exe File created C:\Windows\SysWOW64\Jjakkmpk.exe Ijonfmbn.exe File opened for modification C:\Windows\SysWOW64\Eiahnnph.exe Enkdaepb.exe File created C:\Windows\SysWOW64\Jjgkan32.dll Oikjkc32.exe File opened for modification C:\Windows\SysWOW64\Fcneeo32.exe Famhmfkl.exe File created C:\Windows\SysWOW64\Cpfmlghd.exe Cildom32.exe File created C:\Windows\SysWOW64\Hdeeipfp.dll Fqbeoc32.exe File created C:\Windows\SysWOW64\Mkofokch.dll Kfkamk32.exe File created C:\Windows\SysWOW64\Jhnojl32.exe Jbagbebm.exe File created C:\Windows\SysWOW64\Ocnabm32.exe Obnehj32.exe File opened for modification C:\Windows\SysWOW64\Dggkipii.exe Dajbaika.exe File created C:\Windows\SysWOW64\Lakfeodm.exe Lhcali32.exe File created C:\Windows\SysWOW64\Dbjade32.exe Dlpigk32.exe File opened for modification C:\Windows\SysWOW64\Jqbbno32.exe Jflnafno.exe File opened for modification C:\Windows\SysWOW64\Feenjgfq.exe Finnef32.exe File opened for modification C:\Windows\SysWOW64\Gkhbbi32.exe Gqbneq32.exe File opened for modification C:\Windows\SysWOW64\Lhammfci.exe Lipmoo32.exe File created C:\Windows\SysWOW64\Oedeli32.dll Lmneemaq.exe File created C:\Windows\SysWOW64\Gijmad32.exe Gbpedjnb.exe File created C:\Windows\SysWOW64\Pjijdf32.dll Lkcccn32.exe File created C:\Windows\SysWOW64\Kljhfc32.dll Hcaibo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9144 9112 WerFault.exe 796 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pejkmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhnojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlqeenhm.dll" Kefiopki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dajbaika.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbiapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kemhei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omaeem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blciboie.dll" Pejkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nopfpgip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piocecgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgmjh32.dll" Bemlhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkejc32.dll" Becknc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oelolmnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejojljqa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oohkai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkmhgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Delcme32.dll" Homcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kifcnjpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fijkdmhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdalog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npjnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blgifbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghgmioe.dll" Cnhgjaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnlodjpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpefcn32.dll" Ipoheakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jilfifme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnonkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blknpdho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmonod32.dll" Dibdeegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kplijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbdkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgdgna32.dll" Imiehfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpemkcck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fifomlap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojlnphpd.dll" Ficlmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ficlmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhcmcm32.dll" Domdjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Monjjgkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maoifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpdjplo.dll" Decmjjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqmbmdf.dll" Felbnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndpjnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemqkk32.dll" Akjnnpcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iiokacgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eincadmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnppkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goglcahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppnenlka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mddkbbfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cemeoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbelak32.dll" Cpcila32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddhhbngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmfqgao.dll" Kfjjbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjmaneh.dll" Bfhofnpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfhofnpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqdmghnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jegohe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmpbkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjfmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blknpdho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epeohn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaqejcep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhjojdql.dll" Ifihdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfomc32.dll" Khbiello.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4380 wrote to memory of 3740 4380 NEAS.c877931d10aab9a54a94639e3af10d70.exe 81 PID 4380 wrote to memory of 3740 4380 NEAS.c877931d10aab9a54a94639e3af10d70.exe 81 PID 4380 wrote to memory of 3740 4380 NEAS.c877931d10aab9a54a94639e3af10d70.exe 81 PID 3740 wrote to memory of 3692 3740 Gdaociml.exe 83 PID 3740 wrote to memory of 3692 3740 Gdaociml.exe 83 PID 3740 wrote to memory of 3692 3740 Gdaociml.exe 83 PID 3692 wrote to memory of 1692 3692 Glldgljg.exe 84 PID 3692 wrote to memory of 1692 3692 Glldgljg.exe 84 PID 3692 wrote to memory of 1692 3692 Glldgljg.exe 84 PID 1692 wrote to memory of 3484 1692 Gipdap32.exe 85 PID 1692 wrote to memory of 3484 1692 Gipdap32.exe 85 PID 1692 wrote to memory of 3484 1692 Gipdap32.exe 85 PID 3484 wrote to memory of 1088 3484 Hibafp32.exe 86 PID 3484 wrote to memory of 1088 3484 Hibafp32.exe 86 PID 3484 wrote to memory of 1088 3484 Hibafp32.exe 86 PID 1088 wrote to memory of 1572 1088 Hckeoeno.exe 87 PID 1088 wrote to memory of 1572 1088 Hckeoeno.exe 87 PID 1088 wrote to memory of 1572 1088 Hckeoeno.exe 87 PID 1572 wrote to memory of 3800 1572 Hcpojd32.exe 88 PID 1572 wrote to memory of 3800 1572 Hcpojd32.exe 88 PID 1572 wrote to memory of 3800 1572 Hcpojd32.exe 88 PID 3800 wrote to memory of 3392 3800 Hpcodihc.exe 89 PID 3800 wrote to memory of 3392 3800 Hpcodihc.exe 89 PID 3800 wrote to memory of 3392 3800 Hpcodihc.exe 89 PID 3392 wrote to memory of 1268 3392 Ipflihfq.exe 90 PID 3392 wrote to memory of 1268 3392 Ipflihfq.exe 90 PID 3392 wrote to memory of 1268 3392 Ipflihfq.exe 90 PID 1268 wrote to memory of 5100 1268 Icfekc32.exe 91 PID 1268 wrote to memory of 5100 1268 Icfekc32.exe 91 PID 1268 wrote to memory of 5100 1268 Icfekc32.exe 91 PID 5100 wrote to memory of 2628 5100 Idfaefkd.exe 92 PID 5100 wrote to memory of 2628 5100 Idfaefkd.exe 92 PID 5100 wrote to memory of 2628 5100 Idfaefkd.exe 92 PID 2628 wrote to memory of 2472 2628 Ilafiihp.exe 93 PID 2628 wrote to memory of 2472 2628 Ilafiihp.exe 93 PID 2628 wrote to memory of 2472 2628 Ilafiihp.exe 93 PID 2472 wrote to memory of 1972 2472 Inqbclob.exe 94 PID 2472 wrote to memory of 1972 2472 Inqbclob.exe 94 PID 2472 wrote to memory of 1972 2472 Inqbclob.exe 94 PID 1972 wrote to memory of 3920 1972 Icnklbmj.exe 95 PID 1972 wrote to memory of 3920 1972 Icnklbmj.exe 95 PID 1972 wrote to memory of 3920 1972 Icnklbmj.exe 95 PID 3920 wrote to memory of 2372 3920 Jlfpdh32.exe 96 PID 3920 wrote to memory of 2372 3920 Jlfpdh32.exe 96 PID 3920 wrote to memory of 2372 3920 Jlfpdh32.exe 96 PID 2372 wrote to memory of 2940 2372 Jpdhkf32.exe 97 PID 2372 wrote to memory of 2940 2372 Jpdhkf32.exe 97 PID 2372 wrote to memory of 2940 2372 Jpdhkf32.exe 97 PID 2940 wrote to memory of 4560 2940 Jlkipgpe.exe 98 PID 2940 wrote to memory of 4560 2940 Jlkipgpe.exe 98 PID 2940 wrote to memory of 4560 2940 Jlkipgpe.exe 98 PID 4560 wrote to memory of 4804 4560 Jklinohd.exe 99 PID 4560 wrote to memory of 4804 4560 Jklinohd.exe 99 PID 4560 wrote to memory of 4804 4560 Jklinohd.exe 99 PID 4804 wrote to memory of 4696 4804 Jnlbojee.exe 100 PID 4804 wrote to memory of 4696 4804 Jnlbojee.exe 100 PID 4804 wrote to memory of 4696 4804 Jnlbojee.exe 100 PID 4696 wrote to memory of 5084 4696 Oldjcg32.exe 101 PID 4696 wrote to memory of 5084 4696 Oldjcg32.exe 101 PID 4696 wrote to memory of 5084 4696 Oldjcg32.exe 101 PID 5084 wrote to memory of 4184 5084 Oelolmnd.exe 102 PID 5084 wrote to memory of 4184 5084 Oelolmnd.exe 102 PID 5084 wrote to memory of 4184 5084 Oelolmnd.exe 102 PID 4184 wrote to memory of 2496 4184 Omgcpokp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c877931d10aab9a54a94639e3af10d70.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.c877931d10aab9a54a94639e3af10d70.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\Gdaociml.exeC:\Windows\system32\Gdaociml.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Gipdap32.exeC:\Windows\system32\Gipdap32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Hckeoeno.exeC:\Windows\system32\Hckeoeno.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Hcpojd32.exeC:\Windows\system32\Hcpojd32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Ipflihfq.exeC:\Windows\system32\Ipflihfq.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Windows\SysWOW64\Icfekc32.exeC:\Windows\system32\Icfekc32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Idfaefkd.exeC:\Windows\system32\Idfaefkd.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\Ilafiihp.exeC:\Windows\system32\Ilafiihp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Icnklbmj.exeC:\Windows\system32\Icnklbmj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Jlfpdh32.exeC:\Windows\system32\Jlfpdh32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\Jpdhkf32.exeC:\Windows\system32\Jpdhkf32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Jlkipgpe.exeC:\Windows\system32\Jlkipgpe.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Jklinohd.exeC:\Windows\system32\Jklinohd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Oldjcg32.exeC:\Windows\system32\Oldjcg32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Oelolmnd.exeC:\Windows\system32\Oelolmnd.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Omgcpokp.exeC:\Windows\system32\Omgcpokp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Windows\SysWOW64\Omjpeo32.exeC:\Windows\system32\Omjpeo32.exe23⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Phodcg32.exeC:\Windows\system32\Phodcg32.exe24⤵
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\Pdfehh32.exeC:\Windows\system32\Pdfehh32.exe25⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Pefabkej.exeC:\Windows\system32\Pefabkej.exe26⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Pkbjjbda.exeC:\Windows\system32\Pkbjjbda.exe27⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Plbfdekd.exeC:\Windows\system32\Plbfdekd.exe28⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Pejkmk32.exeC:\Windows\system32\Pejkmk32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:3984 -
C:\Windows\SysWOW64\Pocpfphe.exeC:\Windows\system32\Pocpfphe.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3724 -
C:\Windows\SysWOW64\Qdphngfl.exeC:\Windows\system32\Qdphngfl.exe31⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Qachgk32.exeC:\Windows\system32\Qachgk32.exe32⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Aafemk32.exeC:\Windows\system32\Aafemk32.exe33⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Aahbbkaq.exeC:\Windows\system32\Aahbbkaq.exe34⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Akqfkp32.exeC:\Windows\system32\Akqfkp32.exe35⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Aajohjon.exeC:\Windows\system32\Aajohjon.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Aamknj32.exeC:\Windows\system32\Aamknj32.exe37⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Albpkc32.exeC:\Windows\system32\Albpkc32.exe38⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Aekddhcb.exeC:\Windows\system32\Aekddhcb.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe40⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Blgifbil.exeC:\Windows\system32\Blgifbil.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Bnhenj32.exeC:\Windows\system32\Bnhenj32.exe42⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Bklfgo32.exeC:\Windows\system32\Bklfgo32.exe43⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Bafndi32.exeC:\Windows\system32\Bafndi32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Bkobmnka.exeC:\Windows\system32\Bkobmnka.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3952 -
C:\Windows\SysWOW64\Bahkih32.exeC:\Windows\system32\Bahkih32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Bkaobnio.exeC:\Windows\system32\Bkaobnio.exe47⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Bffcpg32.exeC:\Windows\system32\Bffcpg32.exe48⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Cnahdi32.exeC:\Windows\system32\Cnahdi32.exe49⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Clchbqoo.exeC:\Windows\system32\Clchbqoo.exe50⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Cdnmfclj.exeC:\Windows\system32\Cdnmfclj.exe51⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Cnfaohbj.exeC:\Windows\system32\Cnfaohbj.exe52⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Clgbmp32.exeC:\Windows\system32\Clgbmp32.exe53⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Cfpffeaj.exeC:\Windows\system32\Cfpffeaj.exe54⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Cljobphg.exeC:\Windows\system32\Cljobphg.exe55⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Chqogq32.exeC:\Windows\system32\Chqogq32.exe56⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Dfdpad32.exeC:\Windows\system32\Dfdpad32.exe57⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Domdjj32.exeC:\Windows\system32\Domdjj32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:3468 -
C:\Windows\SysWOW64\Dmadco32.exeC:\Windows\system32\Dmadco32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3196 -
C:\Windows\SysWOW64\Doaneiop.exeC:\Windows\system32\Doaneiop.exe60⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Dijbno32.exeC:\Windows\system32\Dijbno32.exe61⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Dbbffdlq.exeC:\Windows\system32\Dbbffdlq.exe62⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Eofgpikj.exeC:\Windows\system32\Eofgpikj.exe63⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Eiokinbk.exeC:\Windows\system32\Eiokinbk.exe64⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Enkdaepb.exeC:\Windows\system32\Enkdaepb.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5116 -
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe66⤵PID:4032
-
C:\Windows\SysWOW64\Ebimgcfi.exeC:\Windows\system32\Ebimgcfi.exe67⤵PID:4680
-
C:\Windows\SysWOW64\Emoadlfo.exeC:\Windows\system32\Emoadlfo.exe68⤵PID:1952
-
C:\Windows\SysWOW64\Eblimcdf.exeC:\Windows\system32\Eblimcdf.exe69⤵PID:4520
-
C:\Windows\SysWOW64\Emanjldl.exeC:\Windows\system32\Emanjldl.exe70⤵PID:4856
-
C:\Windows\SysWOW64\Enbjad32.exeC:\Windows\system32\Enbjad32.exe71⤵PID:2192
-
C:\Windows\SysWOW64\Felbnn32.exeC:\Windows\system32\Felbnn32.exe72⤵
- Modifies registry class
PID:3624 -
C:\Windows\SysWOW64\Fpbflg32.exeC:\Windows\system32\Fpbflg32.exe73⤵PID:2196
-
C:\Windows\SysWOW64\Fijkdmhn.exeC:\Windows\system32\Fijkdmhn.exe74⤵
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Fngcmcfe.exeC:\Windows\system32\Fngcmcfe.exe75⤵PID:4504
-
C:\Windows\SysWOW64\Flkdfh32.exeC:\Windows\system32\Flkdfh32.exe76⤵PID:4672
-
C:\Windows\SysWOW64\Fbelcblk.exeC:\Windows\system32\Fbelcblk.exe77⤵PID:1872
-
C:\Windows\SysWOW64\Fiodpl32.exeC:\Windows\system32\Fiodpl32.exe78⤵PID:3680
-
C:\Windows\SysWOW64\Fbgihaji.exeC:\Windows\system32\Fbgihaji.exe79⤵PID:3060
-
C:\Windows\SysWOW64\Fmmmfj32.exeC:\Windows\system32\Fmmmfj32.exe80⤵PID:2440
-
C:\Windows\SysWOW64\Fnnjmbpm.exeC:\Windows\system32\Fnnjmbpm.exe81⤵
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Gehbjm32.exeC:\Windows\system32\Gehbjm32.exe82⤵PID:3704
-
C:\Windows\SysWOW64\Gmojkj32.exeC:\Windows\system32\Gmojkj32.exe83⤵PID:4188
-
C:\Windows\SysWOW64\Gnqfcbnj.exeC:\Windows\system32\Gnqfcbnj.exe84⤵PID:1468
-
C:\Windows\SysWOW64\Gifkpknp.exeC:\Windows\system32\Gifkpknp.exe85⤵PID:440
-
C:\Windows\SysWOW64\Gldglf32.exeC:\Windows\system32\Gldglf32.exe86⤵PID:4192
-
C:\Windows\SysWOW64\Gfjkjo32.exeC:\Windows\system32\Gfjkjo32.exe87⤵PID:3228
-
C:\Windows\SysWOW64\Glgcbf32.exeC:\Windows\system32\Glgcbf32.exe88⤵PID:4488
-
C:\Windows\SysWOW64\Gbalopbn.exeC:\Windows\system32\Gbalopbn.exe89⤵PID:5060
-
C:\Windows\SysWOW64\Gikdkj32.exeC:\Windows\system32\Gikdkj32.exe90⤵PID:3612
-
C:\Windows\SysWOW64\Goglcahb.exeC:\Windows\system32\Goglcahb.exe91⤵
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Gimqajgh.exeC:\Windows\system32\Gimqajgh.exe92⤵PID:4776
-
C:\Windows\SysWOW64\Gbeejp32.exeC:\Windows\system32\Gbeejp32.exe93⤵PID:2316
-
C:\Windows\SysWOW64\Hipmfjee.exeC:\Windows\system32\Hipmfjee.exe94⤵PID:3564
-
C:\Windows\SysWOW64\Hbhboolf.exeC:\Windows\system32\Hbhboolf.exe95⤵PID:3556
-
C:\Windows\SysWOW64\Hoobdp32.exeC:\Windows\system32\Hoobdp32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3608 -
C:\Windows\SysWOW64\Hidgai32.exeC:\Windows\system32\Hidgai32.exe97⤵PID:684
-
C:\Windows\SysWOW64\Hpnoncim.exeC:\Windows\system32\Hpnoncim.exe98⤵
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Hekgfj32.exeC:\Windows\system32\Hekgfj32.exe99⤵PID:2952
-
C:\Windows\SysWOW64\Hpqldc32.exeC:\Windows\system32\Hpqldc32.exe100⤵PID:5140
-
C:\Windows\SysWOW64\Hfjdqmng.exeC:\Windows\system32\Hfjdqmng.exe101⤵PID:5180
-
C:\Windows\SysWOW64\Ibaeen32.exeC:\Windows\system32\Ibaeen32.exe102⤵
- Drops file in System32 directory
PID:5228 -
C:\Windows\SysWOW64\Imgicgca.exeC:\Windows\system32\Imgicgca.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5272 -
C:\Windows\SysWOW64\Ibcaknbi.exeC:\Windows\system32\Ibcaknbi.exe104⤵PID:5320
-
C:\Windows\SysWOW64\Imiehfao.exeC:\Windows\system32\Imiehfao.exe105⤵
- Modifies registry class
PID:5368 -
C:\Windows\SysWOW64\Igajal32.exeC:\Windows\system32\Igajal32.exe106⤵PID:5412
-
C:\Windows\SysWOW64\Iomoenej.exeC:\Windows\system32\Iomoenej.exe107⤵PID:5456
-
C:\Windows\SysWOW64\Iefgbh32.exeC:\Windows\system32\Iefgbh32.exe108⤵PID:5508
-
C:\Windows\SysWOW64\Iplkpa32.exeC:\Windows\system32\Iplkpa32.exe109⤵
- Drops file in System32 directory
PID:5548 -
C:\Windows\SysWOW64\Ieidhh32.exeC:\Windows\system32\Ieidhh32.exe110⤵PID:5600
-
C:\Windows\SysWOW64\Ipoheakj.exeC:\Windows\system32\Ipoheakj.exe111⤵
- Modifies registry class
PID:5648 -
C:\Windows\SysWOW64\Jiglnf32.exeC:\Windows\system32\Jiglnf32.exe112⤵PID:5696
-
C:\Windows\SysWOW64\Jcoaglhk.exeC:\Windows\system32\Jcoaglhk.exe113⤵PID:5732
-
C:\Windows\SysWOW64\Jiiicf32.exeC:\Windows\system32\Jiiicf32.exe114⤵PID:5788
-
C:\Windows\SysWOW64\Jilfifme.exeC:\Windows\system32\Jilfifme.exe115⤵
- Modifies registry class
PID:5832 -
C:\Windows\SysWOW64\Johnamkm.exeC:\Windows\system32\Johnamkm.exe116⤵PID:5880
-
C:\Windows\SysWOW64\Jniood32.exeC:\Windows\system32\Jniood32.exe117⤵PID:5928
-
C:\Windows\SysWOW64\Jcfggkac.exeC:\Windows\system32\Jcfggkac.exe118⤵PID:5964
-
C:\Windows\SysWOW64\Jjpode32.exeC:\Windows\system32\Jjpode32.exe119⤵
- Drops file in System32 directory
PID:6012 -
C:\Windows\SysWOW64\Kcidmkpq.exeC:\Windows\system32\Kcidmkpq.exe120⤵PID:6056
-
C:\Windows\SysWOW64\Knnhjcog.exeC:\Windows\system32\Knnhjcog.exe121⤵PID:6108
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-