Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
15/10/2023, 15:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.c3c41d9b52c3cb1d526589a594d5f749_JC.exe
Resource
win7-20230831-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.c3c41d9b52c3cb1d526589a594d5f749_JC.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.c3c41d9b52c3cb1d526589a594d5f749_JC.exe
-
Size
77KB
-
MD5
c3c41d9b52c3cb1d526589a594d5f749
-
SHA1
cd135e8b7ffad70693b322db33def5202d88c637
-
SHA256
3b05b6f34664830c1e9f315e4e7a4515a6b610c8102da2fffcd1fc556af2d461
-
SHA512
af1728733e3ce4471b438187c52960c4f52d53a4f9576f0269c0b2b51591b848becafbb009b1682b44851f46d92f292f199c29ee4d3fe2ebeb68c6b0cc53d7f5
-
SSDEEP
1536:7NWbzqocSMAry9herpcaTRr47i2Ltbwfi+TjRC/D:4zq7SMA29IrpcaTV47vBwf1TjYD
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpdnaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fclmkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anijjkbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbhdkml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppgeff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdaigi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnkedd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnpdegjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmlplbib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cphgca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cemcqcgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfoihalp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpncbemh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehomph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgjnpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kijcanhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aopemh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfqjhmhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmnmqdee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgebnc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhjknljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfaiabnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnhabp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgfdmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhdfll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdclbopg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chagiqhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddekmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjjbjjdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neeifa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emknmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbbdad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbinkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bheplb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igajal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lomqcjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pekkhn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahhbfkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elaobdmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aloekjod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahhbfkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgqqnjea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmkeekag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpenmadn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egjebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhjknljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onekeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gamjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhpbpepo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiahnnph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llofnh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeheqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogefqeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfonin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmnpah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elpknehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keinepch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hemdlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhidcffq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmamba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jipqkopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nldhpeop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iejlih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pefabkej.exe -
Executes dropped EXE 64 IoCs
pid Process 2236 Oeheqm32.exe 4168 Phaahggp.exe 416 Pefabkej.exe 4632 Pdmkhgho.exe 1588 Anmfbl32.exe 4300 Blielbfi.exe 2220 Bddjpd32.exe 1384 Bahkih32.exe 1144 Bheplb32.exe 4696 Chiigadc.exe 4012 Cdpjlb32.exe 3276 Cfbcke32.exe 2104 Dbicpfdk.exe 2588 Dnpdegjp.exe 2452 Dkhnjk32.exe 1500 Eiahnnph.exe 4748 Eblimcdf.exe 2816 Fimhjl32.exe 4024 Fpimlfke.exe 2176 Gojiiafp.exe 2512 Hemdlj32.exe 3900 Igajal32.exe 4624 Jcfggkac.exe 4364 Kgkfnh32.exe 1892 Lomqcjie.exe 412 Lfgipd32.exe 1136 Mmhgmmbf.exe 1656 Mgbefe32.exe 4736 Njhgbp32.exe 4992 Omnjojpo.exe 4708 Pjpfjl32.exe 4340 Qaqegecm.exe 1516 Aopemh32.exe 1464 Bdagpnbk.exe 3716 Bogkmgba.exe 1696 Bknlbhhe.exe 1104 Cnaaib32.exe 1420 Cdpcal32.exe 840 Coegoe32.exe 812 Dkndie32.exe 4520 Fdlkdhnk.exe 4480 Ihpcinld.exe 968 Iamamcop.exe 2912 Klndfj32.exe 2676 Lllagh32.exe 4360 Mledmg32.exe 2000 Mfpell32.exe 3680 Nbnlaldg.exe 3496 Nimmifgo.exe 3472 Omopjcjp.exe 5044 Oihmedma.exe 1204 Ocnabm32.exe 4144 Pmkofa32.exe 3264 Paihlpfi.exe 3328 Qiiflaoo.exe 3064 Afappe32.exe 4912 Ampaho32.exe 4924 Bbaclegm.exe 1256 Bpjmph32.exe 4492 Cmedjl32.exe 992 Egpnooan.exe 2252 Ekngemhd.exe 3188 Fgqgfl32.exe 4824 Gjhfif32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eajehd32.exe Dkkcqj32.exe File created C:\Windows\SysWOW64\Gohokhje.dll Jicdlc32.exe File opened for modification C:\Windows\SysWOW64\Qcepem32.exe Qbddmejf.exe File created C:\Windows\SysWOW64\Knoghk32.dll Iiaein32.exe File opened for modification C:\Windows\SysWOW64\Ebcdjc32.exe Ebokodfc.exe File created C:\Windows\SysWOW64\Faopah32.exe Fkehdnee.exe File opened for modification C:\Windows\SysWOW64\Icjengld.exe Ikcmmjkb.exe File opened for modification C:\Windows\SysWOW64\Bcmqin32.exe Blchmdff.exe File created C:\Windows\SysWOW64\Jiciqh32.dll Mpmodg32.exe File created C:\Windows\SysWOW64\Diffabgj.exe Dpnbhl32.exe File created C:\Windows\SysWOW64\Gbcohl32.exe Gpeclq32.exe File created C:\Windows\SysWOW64\Edmleg32.dll Ppdjpcng.exe File created C:\Windows\SysWOW64\Dpnbhl32.exe Didjkbim.exe File created C:\Windows\SysWOW64\Efopeeao.exe Dpehikja.exe File created C:\Windows\SysWOW64\Bmhfddeq.exe Bijnnf32.exe File opened for modification C:\Windows\SysWOW64\Fpimlfke.exe Fimhjl32.exe File opened for modification C:\Windows\SysWOW64\Clgmkbna.exe Cfjeckpj.exe File created C:\Windows\SysWOW64\Lbpmbipk.exe Lkfeeo32.exe File opened for modification C:\Windows\SysWOW64\Jaimko32.exe Jbhmnhcm.exe File opened for modification C:\Windows\SysWOW64\Kkihedld.exe Kdophj32.exe File opened for modification C:\Windows\SysWOW64\Amdddkma.exe Afjlgafe.exe File created C:\Windows\SysWOW64\Fpbojb32.dll Femgia32.exe File opened for modification C:\Windows\SysWOW64\Dbicpfdk.exe Cfbcke32.exe File opened for modification C:\Windows\SysWOW64\Obphenpj.exe Oapllk32.exe File created C:\Windows\SysWOW64\Ajlfmg32.dll Obphenpj.exe File opened for modification C:\Windows\SysWOW64\Flinddpj.exe Fjhaml32.exe File created C:\Windows\SysWOW64\Oipgkfab.dll Mledmg32.exe File created C:\Windows\SysWOW64\Maeaajpl.exe Mmbopm32.exe File created C:\Windows\SysWOW64\Eofjcclq.dll Fhchhm32.exe File created C:\Windows\SysWOW64\Loodqn32.exe Lhelddln.exe File created C:\Windows\SysWOW64\Icbpkg32.exe Hillnoif.exe File created C:\Windows\SysWOW64\Plnple32.dll Dpnbhl32.exe File opened for modification C:\Windows\SysWOW64\Ehomph32.exe Eaddcnad.exe File created C:\Windows\SysWOW64\Peaokh32.exe Poggnnkk.exe File created C:\Windows\SysWOW64\Mmebpbod.exe Leqkeajd.exe File created C:\Windows\SysWOW64\Eomjgpen.dll Commjgga.exe File created C:\Windows\SysWOW64\Niidli32.dll Ncgkma32.exe File opened for modification C:\Windows\SysWOW64\Ckladcoa.exe Cdaigi32.exe File opened for modification C:\Windows\SysWOW64\Dlbcoe32.exe Dehkbkip.exe File created C:\Windows\SysWOW64\Leqkeajd.exe Kmeiie32.exe File created C:\Windows\SysWOW64\Plifea32.exe Plapdb32.exe File opened for modification C:\Windows\SysWOW64\Gilajmfp.exe Gaqmej32.exe File created C:\Windows\SysWOW64\Mnjmbl32.dll Njdlfbgm.exe File created C:\Windows\SysWOW64\Cbccbiml.dll Cdnelpod.exe File opened for modification C:\Windows\SysWOW64\Ddpeigle.exe Dboiaoff.exe File created C:\Windows\SysWOW64\Komkno32.dll Fagjolao.exe File opened for modification C:\Windows\SysWOW64\Bocoqj32.exe Bjgghc32.exe File created C:\Windows\SysWOW64\Hipdpbgf.exe Hllcfnhm.exe File created C:\Windows\SysWOW64\Nnkmmelm.dll Oecnmi32.exe File opened for modification C:\Windows\SysWOW64\Hcfqoici.exe Gmlhbo32.exe File created C:\Windows\SysWOW64\Qkhidahm.dll Npgalidl.exe File opened for modification C:\Windows\SysWOW64\Aihaifam.exe Aggean32.exe File opened for modification C:\Windows\SysWOW64\Emknmi32.exe Elkbcf32.exe File created C:\Windows\SysWOW64\Mhnjna32.exe Ldkhlcnb.exe File created C:\Windows\SysWOW64\Dapcab32.exe Dpnfjjla.exe File created C:\Windows\SysWOW64\Lnccmnak.exe Ldjodh32.exe File opened for modification C:\Windows\SysWOW64\Ibgmldnd.exe Ipiaphop.exe File opened for modification C:\Windows\SysWOW64\Lpjcnd32.exe Kipkaj32.exe File created C:\Windows\SysWOW64\Aihaifam.exe Aggean32.exe File created C:\Windows\SysWOW64\Mmildo32.dll Efhcld32.exe File created C:\Windows\SysWOW64\Appaki32.dll Gacjkjgb.exe File created C:\Windows\SysWOW64\Ponndj32.dll Cnnllhpa.exe File created C:\Windows\SysWOW64\Oiohgjga.dll Icjengld.exe File created C:\Windows\SysWOW64\Fhemfbnq.exe Fomhnmgp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpciecgl.dll" Hpjlgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjenfjo.dll" Nimmifgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foaoho32.dll" Bocjdiol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diffabgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghmbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiopnhkp.dll" Fclmkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeaqfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdcpacl.dll" Jhbfgflc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfmdohbb.dll" Acjjpllp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoneah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Filicodb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfhipj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aniqpe32.dll" Nppfnige.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beippj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgqqnjea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diicfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afappe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaianaoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmnpah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhjoda32.dll" Igabdekb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgdodq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkgeipah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiqnh32.dll" Blielbfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Decmjjie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boohcpgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnhncjom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbhmnhcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phldlh32.dll" Dbndoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjcdih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bblcda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kijjldkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naqhjb32.dll" Mgagll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hddbmedc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdclbopg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blielbfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obmeeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paeeon32.dll" Abpcicpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heimmh32.dll" Ehddpdlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mganoh32.dll" Mdehep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaehepeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkaqgjme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joaojf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbiioe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbfafplq.dll" Ihfglhfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piaiqlak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkcjjhgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnpmkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqdhecgn.dll" Mpoljg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmicbcff.dll" Hcfqoici.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njnpie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agagab32.dll" Pqhammje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmaejnbe.dll" Mpghel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgbefe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcmjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebiogg32.dll" Abqjci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nejpckgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nobdlqnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmegkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogljcokf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbemdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipfkga32.dll" Eceoanpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acicefid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjpfjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnjbbl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3004 wrote to memory of 2236 3004 NEAS.c3c41d9b52c3cb1d526589a594d5f749_JC.exe 85 PID 3004 wrote to memory of 2236 3004 NEAS.c3c41d9b52c3cb1d526589a594d5f749_JC.exe 85 PID 3004 wrote to memory of 2236 3004 NEAS.c3c41d9b52c3cb1d526589a594d5f749_JC.exe 85 PID 2236 wrote to memory of 4168 2236 Oeheqm32.exe 86 PID 2236 wrote to memory of 4168 2236 Oeheqm32.exe 86 PID 2236 wrote to memory of 4168 2236 Oeheqm32.exe 86 PID 4168 wrote to memory of 416 4168 Phaahggp.exe 87 PID 4168 wrote to memory of 416 4168 Phaahggp.exe 87 PID 4168 wrote to memory of 416 4168 Phaahggp.exe 87 PID 416 wrote to memory of 4632 416 Pefabkej.exe 88 PID 416 wrote to memory of 4632 416 Pefabkej.exe 88 PID 416 wrote to memory of 4632 416 Pefabkej.exe 88 PID 4632 wrote to memory of 1588 4632 Pdmkhgho.exe 89 PID 4632 wrote to memory of 1588 4632 Pdmkhgho.exe 89 PID 4632 wrote to memory of 1588 4632 Pdmkhgho.exe 89 PID 1588 wrote to memory of 4300 1588 Anmfbl32.exe 90 PID 1588 wrote to memory of 4300 1588 Anmfbl32.exe 90 PID 1588 wrote to memory of 4300 1588 Anmfbl32.exe 90 PID 4300 wrote to memory of 2220 4300 Blielbfi.exe 91 PID 4300 wrote to memory of 2220 4300 Blielbfi.exe 91 PID 4300 wrote to memory of 2220 4300 Blielbfi.exe 91 PID 2220 wrote to memory of 1384 2220 Bddjpd32.exe 92 PID 2220 wrote to memory of 1384 2220 Bddjpd32.exe 92 PID 2220 wrote to memory of 1384 2220 Bddjpd32.exe 92 PID 1384 wrote to memory of 1144 1384 Bahkih32.exe 93 PID 1384 wrote to memory of 1144 1384 Bahkih32.exe 93 PID 1384 wrote to memory of 1144 1384 Bahkih32.exe 93 PID 1144 wrote to memory of 4696 1144 Bheplb32.exe 94 PID 1144 wrote to memory of 4696 1144 Bheplb32.exe 94 PID 1144 wrote to memory of 4696 1144 Bheplb32.exe 94 PID 4696 wrote to memory of 4012 4696 Chiigadc.exe 95 PID 4696 wrote to memory of 4012 4696 Chiigadc.exe 95 PID 4696 wrote to memory of 4012 4696 Chiigadc.exe 95 PID 4012 wrote to memory of 3276 4012 Cdpjlb32.exe 96 PID 4012 wrote to memory of 3276 4012 Cdpjlb32.exe 96 PID 4012 wrote to memory of 3276 4012 Cdpjlb32.exe 96 PID 3276 wrote to memory of 2104 3276 Cfbcke32.exe 97 PID 3276 wrote to memory of 2104 3276 Cfbcke32.exe 97 PID 3276 wrote to memory of 2104 3276 Cfbcke32.exe 97 PID 2104 wrote to memory of 2588 2104 Dbicpfdk.exe 98 PID 2104 wrote to memory of 2588 2104 Dbicpfdk.exe 98 PID 2104 wrote to memory of 2588 2104 Dbicpfdk.exe 98 PID 2588 wrote to memory of 2452 2588 Dnpdegjp.exe 99 PID 2588 wrote to memory of 2452 2588 Dnpdegjp.exe 99 PID 2588 wrote to memory of 2452 2588 Dnpdegjp.exe 99 PID 2452 wrote to memory of 1500 2452 Dkhnjk32.exe 100 PID 2452 wrote to memory of 1500 2452 Dkhnjk32.exe 100 PID 2452 wrote to memory of 1500 2452 Dkhnjk32.exe 100 PID 1500 wrote to memory of 4748 1500 Eiahnnph.exe 101 PID 1500 wrote to memory of 4748 1500 Eiahnnph.exe 101 PID 1500 wrote to memory of 4748 1500 Eiahnnph.exe 101 PID 4748 wrote to memory of 2816 4748 Eblimcdf.exe 102 PID 4748 wrote to memory of 2816 4748 Eblimcdf.exe 102 PID 4748 wrote to memory of 2816 4748 Eblimcdf.exe 102 PID 2816 wrote to memory of 4024 2816 Fimhjl32.exe 103 PID 2816 wrote to memory of 4024 2816 Fimhjl32.exe 103 PID 2816 wrote to memory of 4024 2816 Fimhjl32.exe 103 PID 4024 wrote to memory of 2176 4024 Fpimlfke.exe 104 PID 4024 wrote to memory of 2176 4024 Fpimlfke.exe 104 PID 4024 wrote to memory of 2176 4024 Fpimlfke.exe 104 PID 2176 wrote to memory of 2512 2176 Gojiiafp.exe 105 PID 2176 wrote to memory of 2512 2176 Gojiiafp.exe 105 PID 2176 wrote to memory of 2512 2176 Gojiiafp.exe 105 PID 2512 wrote to memory of 3900 2512 Hemdlj32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c3c41d9b52c3cb1d526589a594d5f749_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.c3c41d9b52c3cb1d526589a594d5f749_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Oeheqm32.exeC:\Windows\system32\Oeheqm32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Phaahggp.exeC:\Windows\system32\Phaahggp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\Pefabkej.exeC:\Windows\system32\Pefabkej.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:416 -
C:\Windows\SysWOW64\Pdmkhgho.exeC:\Windows\system32\Pdmkhgho.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Anmfbl32.exeC:\Windows\system32\Anmfbl32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Blielbfi.exeC:\Windows\system32\Blielbfi.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\SysWOW64\Bddjpd32.exeC:\Windows\system32\Bddjpd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Bahkih32.exeC:\Windows\system32\Bahkih32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Bheplb32.exeC:\Windows\system32\Bheplb32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Chiigadc.exeC:\Windows\system32\Chiigadc.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Cdpjlb32.exeC:\Windows\system32\Cdpjlb32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Cfbcke32.exeC:\Windows\system32\Cfbcke32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Dbicpfdk.exeC:\Windows\system32\Dbicpfdk.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Dnpdegjp.exeC:\Windows\system32\Dnpdegjp.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Dkhnjk32.exeC:\Windows\system32\Dkhnjk32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Eblimcdf.exeC:\Windows\system32\Eblimcdf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Fimhjl32.exeC:\Windows\system32\Fimhjl32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Fpimlfke.exeC:\Windows\system32\Fpimlfke.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Gojiiafp.exeC:\Windows\system32\Gojiiafp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Hemdlj32.exeC:\Windows\system32\Hemdlj32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Igajal32.exeC:\Windows\system32\Igajal32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Jcfggkac.exeC:\Windows\system32\Jcfggkac.exe24⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Kgkfnh32.exeC:\Windows\system32\Kgkfnh32.exe25⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Lomqcjie.exeC:\Windows\system32\Lomqcjie.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Lfgipd32.exeC:\Windows\system32\Lfgipd32.exe27⤵
- Executes dropped EXE
PID:412 -
C:\Windows\SysWOW64\Mmhgmmbf.exeC:\Windows\system32\Mmhgmmbf.exe28⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Mgbefe32.exeC:\Windows\system32\Mgbefe32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Njhgbp32.exeC:\Windows\system32\Njhgbp32.exe30⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Omnjojpo.exeC:\Windows\system32\Omnjojpo.exe31⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Pjpfjl32.exeC:\Windows\system32\Pjpfjl32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:4708 -
C:\Windows\SysWOW64\Qaqegecm.exeC:\Windows\system32\Qaqegecm.exe33⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Aopemh32.exeC:\Windows\system32\Aopemh32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Bdagpnbk.exeC:\Windows\system32\Bdagpnbk.exe35⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Bogkmgba.exeC:\Windows\system32\Bogkmgba.exe36⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Bknlbhhe.exeC:\Windows\system32\Bknlbhhe.exe37⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Cnaaib32.exeC:\Windows\system32\Cnaaib32.exe38⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Cdpcal32.exeC:\Windows\system32\Cdpcal32.exe39⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Coegoe32.exeC:\Windows\system32\Coegoe32.exe40⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Dkndie32.exeC:\Windows\system32\Dkndie32.exe41⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Fdlkdhnk.exeC:\Windows\system32\Fdlkdhnk.exe42⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Ihpcinld.exeC:\Windows\system32\Ihpcinld.exe43⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Iamamcop.exeC:\Windows\system32\Iamamcop.exe44⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Klndfj32.exeC:\Windows\system32\Klndfj32.exe45⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Lllagh32.exeC:\Windows\system32\Lllagh32.exe46⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Mledmg32.exeC:\Windows\system32\Mledmg32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4360 -
C:\Windows\SysWOW64\Mfpell32.exeC:\Windows\system32\Mfpell32.exe48⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Nbnlaldg.exeC:\Windows\system32\Nbnlaldg.exe49⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Nimmifgo.exeC:\Windows\system32\Nimmifgo.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3496 -
C:\Windows\SysWOW64\Omopjcjp.exeC:\Windows\system32\Omopjcjp.exe51⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Oihmedma.exeC:\Windows\system32\Oihmedma.exe52⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Ocnabm32.exeC:\Windows\system32\Ocnabm32.exe53⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Pmkofa32.exeC:\Windows\system32\Pmkofa32.exe54⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Paihlpfi.exeC:\Windows\system32\Paihlpfi.exe55⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Qiiflaoo.exeC:\Windows\system32\Qiiflaoo.exe56⤵
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Afappe32.exeC:\Windows\system32\Afappe32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Ampaho32.exeC:\Windows\system32\Ampaho32.exe58⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Bbaclegm.exeC:\Windows\system32\Bbaclegm.exe59⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Bpjmph32.exeC:\Windows\system32\Bpjmph32.exe60⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Cmedjl32.exeC:\Windows\system32\Cmedjl32.exe61⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Egpnooan.exeC:\Windows\system32\Egpnooan.exe62⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Ekngemhd.exeC:\Windows\system32\Ekngemhd.exe63⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Fgqgfl32.exeC:\Windows\system32\Fgqgfl32.exe64⤵
- Executes dropped EXE
PID:3188 -
C:\Windows\SysWOW64\Gjhfif32.exeC:\Windows\system32\Gjhfif32.exe65⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Gqbneq32.exeC:\Windows\system32\Gqbneq32.exe66⤵PID:216
-
C:\Windows\SysWOW64\Hjmodffo.exeC:\Windows\system32\Hjmodffo.exe67⤵PID:3664
-
C:\Windows\SysWOW64\Igjbci32.exeC:\Windows\system32\Igjbci32.exe68⤵PID:3736
-
C:\Windows\SysWOW64\Ijkled32.exeC:\Windows\system32\Ijkled32.exe69⤵PID:4348
-
C:\Windows\SysWOW64\Jhhodg32.exeC:\Windows\system32\Jhhodg32.exe70⤵PID:476
-
C:\Windows\SysWOW64\Jaqcnl32.exeC:\Windows\system32\Jaqcnl32.exe71⤵PID:560
-
C:\Windows\SysWOW64\Kbgfhnhi.exeC:\Windows\system32\Kbgfhnhi.exe72⤵PID:4772
-
C:\Windows\SysWOW64\Lhbkac32.exeC:\Windows\system32\Lhbkac32.exe73⤵PID:3748
-
C:\Windows\SysWOW64\Ldkhlcnb.exeC:\Windows\system32\Ldkhlcnb.exe74⤵
- Drops file in System32 directory
PID:5084 -
C:\Windows\SysWOW64\Mhnjna32.exeC:\Windows\system32\Mhnjna32.exe75⤵PID:4500
-
C:\Windows\SysWOW64\Mccokj32.exeC:\Windows\system32\Mccokj32.exe76⤵PID:3236
-
C:\Windows\SysWOW64\Mhpgca32.exeC:\Windows\system32\Mhpgca32.exe77⤵PID:1624
-
C:\Windows\SysWOW64\Mahklf32.exeC:\Windows\system32\Mahklf32.exe78⤵PID:4628
-
C:\Windows\SysWOW64\Nlefjnno.exeC:\Windows\system32\Nlefjnno.exe79⤵PID:1460
-
C:\Windows\SysWOW64\Oljoen32.exeC:\Windows\system32\Oljoen32.exe80⤵PID:2196
-
C:\Windows\SysWOW64\Ocdgahag.exeC:\Windows\system32\Ocdgahag.exe81⤵PID:1412
-
C:\Windows\SysWOW64\Odedipge.exeC:\Windows\system32\Odedipge.exe82⤵PID:4268
-
C:\Windows\SysWOW64\Okolfj32.exeC:\Windows\system32\Okolfj32.exe83⤵PID:4852
-
C:\Windows\SysWOW64\Odjmdocp.exeC:\Windows\system32\Odjmdocp.exe84⤵PID:820
-
C:\Windows\SysWOW64\Pilpfm32.exeC:\Windows\system32\Pilpfm32.exe85⤵PID:1496
-
C:\Windows\SysWOW64\Piaiqlak.exeC:\Windows\system32\Piaiqlak.exe86⤵
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Apgqie32.exeC:\Windows\system32\Apgqie32.exe87⤵PID:4528
-
C:\Windows\SysWOW64\Bcicjbal.exeC:\Windows\system32\Bcicjbal.exe88⤵PID:4420
-
C:\Windows\SysWOW64\Bpbpecen.exeC:\Windows\system32\Bpbpecen.exe89⤵PID:780
-
C:\Windows\SysWOW64\Bflham32.exeC:\Windows\system32\Bflham32.exe90⤵PID:2908
-
C:\Windows\SysWOW64\Cpifeb32.exeC:\Windows\system32\Cpifeb32.exe91⤵PID:4884
-
C:\Windows\SysWOW64\Cpqlfa32.exeC:\Windows\system32\Cpqlfa32.exe92⤵PID:1364
-
C:\Windows\SysWOW64\Cfjeckpj.exeC:\Windows\system32\Cfjeckpj.exe93⤵
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Clgmkbna.exeC:\Windows\system32\Clgmkbna.exe94⤵PID:1620
-
C:\Windows\SysWOW64\Cdnelpod.exeC:\Windows\system32\Cdnelpod.exe95⤵
- Drops file in System32 directory
PID:3888 -
C:\Windows\SysWOW64\Ddekmo32.exeC:\Windows\system32\Ddekmo32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4944 -
C:\Windows\SysWOW64\Dibdeegc.exeC:\Windows\system32\Dibdeegc.exe97⤵PID:2428
-
C:\Windows\SysWOW64\Ddhhbngi.exeC:\Windows\system32\Ddhhbngi.exe98⤵PID:4784
-
C:\Windows\SysWOW64\Elhfbp32.exeC:\Windows\system32\Elhfbp32.exe99⤵PID:1260
-
C:\Windows\SysWOW64\Fnnimbaj.exeC:\Windows\system32\Fnnimbaj.exe100⤵PID:4232
-
C:\Windows\SysWOW64\Fnglcqio.exeC:\Windows\system32\Fnglcqio.exe101⤵PID:4632
-
C:\Windows\SysWOW64\Gmdoel32.exeC:\Windows\system32\Gmdoel32.exe102⤵PID:2296
-
C:\Windows\SysWOW64\Gcngafol.exeC:\Windows\system32\Gcngafol.exe103⤵PID:1912
-
C:\Windows\SysWOW64\Hgnlmdcp.exeC:\Windows\system32\Hgnlmdcp.exe104⤵PID:2028
-
C:\Windows\SysWOW64\Hmkeekag.exeC:\Windows\system32\Hmkeekag.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1384 -
C:\Windows\SysWOW64\Hjoeoo32.exeC:\Windows\system32\Hjoeoo32.exe106⤵PID:3124
-
C:\Windows\SysWOW64\Hgebnc32.exeC:\Windows\system32\Hgebnc32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4744 -
C:\Windows\SysWOW64\Hclccd32.exeC:\Windows\system32\Hclccd32.exe108⤵PID:2236
-
C:\Windows\SysWOW64\Icqmncof.exeC:\Windows\system32\Icqmncof.exe109⤵PID:3156
-
C:\Windows\SysWOW64\Kmeiie32.exeC:\Windows\system32\Kmeiie32.exe110⤵
- Drops file in System32 directory
PID:4284 -
C:\Windows\SysWOW64\Leqkeajd.exeC:\Windows\system32\Leqkeajd.exe111⤵
- Drops file in System32 directory
PID:4132 -
C:\Windows\SysWOW64\Mmebpbod.exeC:\Windows\system32\Mmebpbod.exe112⤵PID:1500
-
C:\Windows\SysWOW64\Nggjog32.exeC:\Windows\system32\Nggjog32.exe113⤵PID:2872
-
C:\Windows\SysWOW64\Nkjlqd32.exeC:\Windows\system32\Nkjlqd32.exe114⤵PID:752
-
C:\Windows\SysWOW64\Oeopnmoa.exeC:\Windows\system32\Oeopnmoa.exe115⤵PID:4428
-
C:\Windows\SysWOW64\Ohnljine.exeC:\Windows\system32\Ohnljine.exe116⤵PID:3292
-
C:\Windows\SysWOW64\Ogefqeaj.exeC:\Windows\system32\Ogefqeaj.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3796 -
C:\Windows\SysWOW64\Pkhhbbck.exeC:\Windows\system32\Pkhhbbck.exe118⤵PID:3528
-
C:\Windows\SysWOW64\Phbolflm.exeC:\Windows\system32\Phbolflm.exe119⤵PID:2936
-
C:\Windows\SysWOW64\Qomghp32.exeC:\Windows\system32\Qomghp32.exe120⤵PID:2636
-
C:\Windows\SysWOW64\Aijeme32.exeC:\Windows\system32\Aijeme32.exe121⤵PID:3180
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-