Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
161s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
16/10/2023, 18:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.71dc180c1c8af1d09d77fbc35d047f20.exe
Resource
win7-20230831-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.71dc180c1c8af1d09d77fbc35d047f20.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.71dc180c1c8af1d09d77fbc35d047f20.exe
-
Size
136KB
-
MD5
71dc180c1c8af1d09d77fbc35d047f20
-
SHA1
f67eefe8e90fe50f21bd46ecf604e568bd86581f
-
SHA256
37b807d9cfa611c627f6b1f8d1a26d428ceef3cab557e61a1b45307f76fff519
-
SHA512
d94b599e60e308492694ea61befa4d622d2e8ca8b923574c96360986afa7070b6a374c3bef05e13cd805d5477769022b77fc729584b57b9098d2e7a56220cd7e
-
SSDEEP
3072:Pp5sEyRpCCPu8qvNzOyEs2k8QYxQdLrCimBaH8UH30ZIvM6qMH5X3O/gU:Pp8HiiyEXFtCApaH8m3QIvMWH5H3U
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dinanb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkfmjnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbihmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdkghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcmqin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqmhlego.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kahqbgjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogefqeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgbonm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfaglf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkhokkel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpcffalc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpjjgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkhjpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pghiomqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekgqnccj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkfmjnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geipnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alcofi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckghid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbllkohi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjnndime.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpoljg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aanjiqki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edoegi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eipilmgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kimgba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdaajd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkkabeng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lajfbmmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peljha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cajblmci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fffqjfom.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdcdlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eflceb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggdbmoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eddodfhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Difpflco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ledeicdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfljfjpq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moofhiid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkkhlhlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbnbhfde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efhjjcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcdepd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cacmkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdaigi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koggqlmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgioah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekgqnccj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbjhelnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbfoeiei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkabeng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqdechnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehjdejkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpqjcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejagkodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bloflk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckidoc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjambg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dildibfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eflceb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gipbck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgikpc32.exe -
Executes dropped EXE 64 IoCs
pid Process 4860 Hnokjm32.exe 548 Inagpm32.exe 4360 Iqdmghnp.exe 4436 Ifaepolg.exe 2212 Ijonfmbn.exe 4764 Jjakkmpk.exe 1548 Jeilne32.exe 4128 Japmcfcc.exe 4672 Jgjeppkp.exe 4560 Jmgmhgig.exe 4504 Jcaeea32.exe 800 Jaefne32.exe 1392 Kjmjgk32.exe 2000 Kceoppmo.exe 1684 Kmncif32.exe 4676 Khcgfo32.exe 732 Keghocao.exe 4004 Knpmhh32.exe 5080 Khhaanop.exe 2780 Lhjnfn32.exe 2240 Lennpb32.exe 3668 Logbigbg.exe 3788 Ldckan32.exe 4892 Loiong32.exe 5108 Ldfhgn32.exe 2772 Leedqa32.exe 2248 Lkbmih32.exe 1108 Mdkabmjf.exe 4276 Mopeofjl.exe 4340 Mmebpbod.exe 3388 Mhkgnkoj.exe 4452 Mmhofbma.exe 1916 Mmjlkb32.exe 1664 Nmlhaa32.exe 4540 Nkpijfgf.exe 3616 Nhdicjfp.exe 932 Nehjmnei.exe 5028 Nncoaq32.exe 3928 Nkgoke32.exe 4760 Ndpcdjho.exe 720 Noehac32.exe 2036 Oeopnmoa.exe 4168 Ogqmee32.exe 1284 Ohpiphlb.exe 2188 Oahnhncc.exe 1908 Ogefqeaj.exe 1404 Pohnnqgo.exe 4636 Pfbfjk32.exe 5084 Pojjcp32.exe 4844 Pfdbpjmi.exe 4048 Qnpgdmjd.exe 4124 Qdipag32.exe 2400 Qkchna32.exe 3052 Qhghge32.exe 2120 Afkipi32.exe 1980 Aocmio32.exe 2072 Abbiej32.exe 3116 Agobna32.exe 3744 Anijjkbj.exe 1536 Ainnhdbp.exe 5008 Aohfdnil.exe 1076 Aiqkmd32.exe 4828 Anncek32.exe 3564 Bichcc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Biiole32.exe Bbofpk32.exe File opened for modification C:\Windows\SysWOW64\Cpmifkgd.exe Cicqja32.exe File opened for modification C:\Windows\SysWOW64\Jgcafl32.exe Bimkde32.exe File created C:\Windows\SysWOW64\Hjbhph32.exe Hgdlcm32.exe File created C:\Windows\SysWOW64\Nqmocjdf.exe Nfgkfadq.exe File opened for modification C:\Windows\SysWOW64\Bmpaad32.exe Amikae32.exe File created C:\Windows\SysWOW64\Lajfbmmi.exe Libnapmg.exe File opened for modification C:\Windows\SysWOW64\Donceaac.exe Cdiohhbm.exe File opened for modification C:\Windows\SysWOW64\Ifnbph32.exe Icpecm32.exe File created C:\Windows\SysWOW64\Jikojcaa.exe Ifmcmg32.exe File created C:\Windows\SysWOW64\Halhecdg.dll Iiokacgp.exe File opened for modification C:\Windows\SysWOW64\Bkfmjnii.exe Bfieagka.exe File created C:\Windows\SysWOW64\Jmihpa32.exe Jpegfm32.exe File created C:\Windows\SysWOW64\Cjipnbpb.dll Ijngkf32.exe File created C:\Windows\SysWOW64\Cdhfpm32.exe Cmnncb32.exe File opened for modification C:\Windows\SysWOW64\Ldhbnhlm.exe Lajfbmmi.exe File created C:\Windows\SysWOW64\Peljdi32.dll Nihdhl32.exe File created C:\Windows\SysWOW64\Ifhhflhc.dll Ebifha32.exe File created C:\Windows\SysWOW64\Ndgpii32.dll Pbhdafdd.exe File created C:\Windows\SysWOW64\Eeacgp32.dll Cmedca32.exe File created C:\Windows\SysWOW64\Aohfdnil.exe Ainnhdbp.exe File opened for modification C:\Windows\SysWOW64\Qlkbka32.exe Nkagndmc.exe File opened for modification C:\Windows\SysWOW64\Lajfbmmi.exe Libnapmg.exe File created C:\Windows\SysWOW64\Bimkde32.exe Niipdpae.exe File opened for modification C:\Windows\SysWOW64\Enemjobn.exe Ekgqnccj.exe File created C:\Windows\SysWOW64\Qimdklek.dll Ihmnldib.exe File created C:\Windows\SysWOW64\Jplmglbf.exe Jbhmnhcm.exe File opened for modification C:\Windows\SysWOW64\Qfepnmjn.exe Pplhab32.exe File created C:\Windows\SysWOW64\Fncilm32.exe Fkempa32.exe File created C:\Windows\SysWOW64\Oejcki32.dll Ogqmee32.exe File created C:\Windows\SysWOW64\Efllohoa.dll Ejbknnid.exe File created C:\Windows\SysWOW64\Endbmcal.dll Eaabci32.exe File created C:\Windows\SysWOW64\Iedanb32.dll Ehifak32.exe File created C:\Windows\SysWOW64\Ljmmai32.dll Qgopplkq.exe File opened for modification C:\Windows\SysWOW64\Lalchm32.exe Ldhbnhlm.exe File opened for modification C:\Windows\SysWOW64\Pclnon32.exe Pjdifibo.exe File created C:\Windows\SysWOW64\Ehimkd32.exe Eaoenjqa.exe File created C:\Windows\SysWOW64\Pafkpfni.exe Pjlcclfl.exe File created C:\Windows\SysWOW64\Opfqgkgc.dll Hpejlc32.exe File created C:\Windows\SysWOW64\Ahmpgegh.dll Ejiqom32.exe File opened for modification C:\Windows\SysWOW64\Nqaipgal.exe Mncmck32.exe File created C:\Windows\SysWOW64\Dkgqpaed.exe Dbllkohi.exe File created C:\Windows\SysWOW64\Fooecl32.exe Fffqjfom.exe File created C:\Windows\SysWOW64\Okndkohj.dll Iqfcbahb.exe File created C:\Windows\SysWOW64\Hbdjbn32.dll Cakjfcfe.exe File opened for modification C:\Windows\SysWOW64\Icklhnop.exe Hjbhph32.exe File opened for modification C:\Windows\SysWOW64\Ljnddb32.exe Lafmce32.exe File created C:\Windows\SysWOW64\Adlodhhl.dll Jmihpa32.exe File opened for modification C:\Windows\SysWOW64\Ldckan32.exe Logbigbg.exe File created C:\Windows\SysWOW64\Cbnbhfde.exe Chinkndp.exe File created C:\Windows\SysWOW64\Fgegdc32.exe Fqkogiki.exe File opened for modification C:\Windows\SysWOW64\Leedqa32.exe Ldfhgn32.exe File created C:\Windows\SysWOW64\Ngcdji32.dll Eoconenj.exe File created C:\Windows\SysWOW64\Kamjmf32.exe Klpaep32.exe File created C:\Windows\SysWOW64\Fqdbnhco.exe Fjjjanla.exe File created C:\Windows\SysWOW64\Naohpdqd.dll Oqmhlego.exe File created C:\Windows\SysWOW64\Cgklggic.exe Cancoqkl.exe File opened for modification C:\Windows\SysWOW64\Jgjeppkp.exe Japmcfcc.exe File created C:\Windows\SysWOW64\Iaiddajo.exe Iiblcdil.exe File created C:\Windows\SysWOW64\Kgbepdpf.exe Kphmbjhi.exe File created C:\Windows\SysWOW64\Ojcpmm32.exe Oblhlpne.exe File created C:\Windows\SysWOW64\Dacnkkem.dll Jopiom32.exe File created C:\Windows\SysWOW64\Aocaod32.dll Nbfoeiei.exe File created C:\Windows\SysWOW64\Ndmdbf32.dll Ffpjihee.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1284 6924 WerFault.exe 694 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onfbpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fncilm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjnjjlog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaoenjqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjiqiemm.dll" Kmncif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akdake32.dll" Ldfhgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ginenk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljidhima.dll" Kchmljab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbihmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bimkde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fniiabfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaoeoidq.dll" Afocdkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npgmdnlj.dll" Ignnjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccgjjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdiohhbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hingefqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbofelbi.dll" Bgbmdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlikicki.dll" Jahnkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkqpcnig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pclnon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moacnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elilpfdh.dll" Faholm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnmojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipllghgi.dll" Ehimkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcckcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqldhh32.dll" Ncihbaie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbnbhfde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddfhqcqb.dll" Bdkghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijhgmeo.dll" Bgicdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdebcp32.dll" Hmkiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfgkfadq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcbllh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jplmglbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffqgddjj.dll" Kkihedld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mncmck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgbmdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkjocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfmno32.dll" Kdgapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kllhjplh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qblacnob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkklkejm.dll" Leedqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cappkh32.dll" Gjghdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockhfbgl.dll" Akgcdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckbnlfeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpmlp32.dll" Qepccqlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goabhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Difpflco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmfedhie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eflceb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmgbginj.dll" Jqhphq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Malohibh.dll" Nodijffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgpmj32.dll" Cpmifkgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpmobi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nglkbd32.dll" Hbegakcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eefiehmd.dll" Egkdne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aneppo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdflk32.dll" Qlkbka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpfmgq32.dll" Gqaeme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhgiic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alfdoj32.dll" Lhbafo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijoiimg.dll" Pjemcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljheeage.dll" Ofqnlplf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momcamke.dll" Cgagjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjambg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4888 wrote to memory of 4860 4888 NEAS.71dc180c1c8af1d09d77fbc35d047f20.exe 83 PID 4888 wrote to memory of 4860 4888 NEAS.71dc180c1c8af1d09d77fbc35d047f20.exe 83 PID 4888 wrote to memory of 4860 4888 NEAS.71dc180c1c8af1d09d77fbc35d047f20.exe 83 PID 4860 wrote to memory of 548 4860 Hnokjm32.exe 84 PID 4860 wrote to memory of 548 4860 Hnokjm32.exe 84 PID 4860 wrote to memory of 548 4860 Hnokjm32.exe 84 PID 548 wrote to memory of 4360 548 Inagpm32.exe 85 PID 548 wrote to memory of 4360 548 Inagpm32.exe 85 PID 548 wrote to memory of 4360 548 Inagpm32.exe 85 PID 4360 wrote to memory of 4436 4360 Iqdmghnp.exe 86 PID 4360 wrote to memory of 4436 4360 Iqdmghnp.exe 86 PID 4360 wrote to memory of 4436 4360 Iqdmghnp.exe 86 PID 4436 wrote to memory of 2212 4436 Ifaepolg.exe 87 PID 4436 wrote to memory of 2212 4436 Ifaepolg.exe 87 PID 4436 wrote to memory of 2212 4436 Ifaepolg.exe 87 PID 2212 wrote to memory of 4764 2212 Ijonfmbn.exe 88 PID 2212 wrote to memory of 4764 2212 Ijonfmbn.exe 88 PID 2212 wrote to memory of 4764 2212 Ijonfmbn.exe 88 PID 4764 wrote to memory of 1548 4764 Jjakkmpk.exe 90 PID 4764 wrote to memory of 1548 4764 Jjakkmpk.exe 90 PID 4764 wrote to memory of 1548 4764 Jjakkmpk.exe 90 PID 1548 wrote to memory of 4128 1548 Jeilne32.exe 91 PID 1548 wrote to memory of 4128 1548 Jeilne32.exe 91 PID 1548 wrote to memory of 4128 1548 Jeilne32.exe 91 PID 4128 wrote to memory of 4672 4128 Japmcfcc.exe 92 PID 4128 wrote to memory of 4672 4128 Japmcfcc.exe 92 PID 4128 wrote to memory of 4672 4128 Japmcfcc.exe 92 PID 4672 wrote to memory of 4560 4672 Jgjeppkp.exe 93 PID 4672 wrote to memory of 4560 4672 Jgjeppkp.exe 93 PID 4672 wrote to memory of 4560 4672 Jgjeppkp.exe 93 PID 4560 wrote to memory of 4504 4560 Jmgmhgig.exe 94 PID 4560 wrote to memory of 4504 4560 Jmgmhgig.exe 94 PID 4560 wrote to memory of 4504 4560 Jmgmhgig.exe 94 PID 4504 wrote to memory of 800 4504 Jcaeea32.exe 95 PID 4504 wrote to memory of 800 4504 Jcaeea32.exe 95 PID 4504 wrote to memory of 800 4504 Jcaeea32.exe 95 PID 800 wrote to memory of 1392 800 Jaefne32.exe 96 PID 800 wrote to memory of 1392 800 Jaefne32.exe 96 PID 800 wrote to memory of 1392 800 Jaefne32.exe 96 PID 1392 wrote to memory of 2000 1392 Kjmjgk32.exe 97 PID 1392 wrote to memory of 2000 1392 Kjmjgk32.exe 97 PID 1392 wrote to memory of 2000 1392 Kjmjgk32.exe 97 PID 2000 wrote to memory of 1684 2000 Kceoppmo.exe 98 PID 2000 wrote to memory of 1684 2000 Kceoppmo.exe 98 PID 2000 wrote to memory of 1684 2000 Kceoppmo.exe 98 PID 1684 wrote to memory of 4676 1684 Kmncif32.exe 99 PID 1684 wrote to memory of 4676 1684 Kmncif32.exe 99 PID 1684 wrote to memory of 4676 1684 Kmncif32.exe 99 PID 4676 wrote to memory of 732 4676 Khcgfo32.exe 100 PID 4676 wrote to memory of 732 4676 Khcgfo32.exe 100 PID 4676 wrote to memory of 732 4676 Khcgfo32.exe 100 PID 732 wrote to memory of 4004 732 Keghocao.exe 101 PID 732 wrote to memory of 4004 732 Keghocao.exe 101 PID 732 wrote to memory of 4004 732 Keghocao.exe 101 PID 4004 wrote to memory of 5080 4004 Knpmhh32.exe 102 PID 4004 wrote to memory of 5080 4004 Knpmhh32.exe 102 PID 4004 wrote to memory of 5080 4004 Knpmhh32.exe 102 PID 5080 wrote to memory of 2780 5080 Khhaanop.exe 103 PID 5080 wrote to memory of 2780 5080 Khhaanop.exe 103 PID 5080 wrote to memory of 2780 5080 Khhaanop.exe 103 PID 2780 wrote to memory of 2240 2780 Lhjnfn32.exe 104 PID 2780 wrote to memory of 2240 2780 Lhjnfn32.exe 104 PID 2780 wrote to memory of 2240 2780 Lhjnfn32.exe 104 PID 2240 wrote to memory of 3668 2240 Lennpb32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.71dc180c1c8af1d09d77fbc35d047f20.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.71dc180c1c8af1d09d77fbc35d047f20.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Hnokjm32.exeC:\Windows\system32\Hnokjm32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\Inagpm32.exeC:\Windows\system32\Inagpm32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Iqdmghnp.exeC:\Windows\system32\Iqdmghnp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Windows\SysWOW64\Ifaepolg.exeC:\Windows\system32\Ifaepolg.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\Ijonfmbn.exeC:\Windows\system32\Ijonfmbn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Jjakkmpk.exeC:\Windows\system32\Jjakkmpk.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\SysWOW64\Jeilne32.exeC:\Windows\system32\Jeilne32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Japmcfcc.exeC:\Windows\system32\Japmcfcc.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Jgjeppkp.exeC:\Windows\system32\Jgjeppkp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\Jmgmhgig.exeC:\Windows\system32\Jmgmhgig.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Jcaeea32.exeC:\Windows\system32\Jcaeea32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Jaefne32.exeC:\Windows\system32\Jaefne32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Kjmjgk32.exeC:\Windows\system32\Kjmjgk32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Kceoppmo.exeC:\Windows\system32\Kceoppmo.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Kmncif32.exeC:\Windows\system32\Kmncif32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Khcgfo32.exeC:\Windows\system32\Khcgfo32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Keghocao.exeC:\Windows\system32\Keghocao.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SysWOW64\Knpmhh32.exeC:\Windows\system32\Knpmhh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Windows\SysWOW64\Khhaanop.exeC:\Windows\system32\Khhaanop.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Lhjnfn32.exeC:\Windows\system32\Lhjnfn32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Lennpb32.exeC:\Windows\system32\Lennpb32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Logbigbg.exeC:\Windows\system32\Logbigbg.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3668 -
C:\Windows\SysWOW64\Ldckan32.exeC:\Windows\system32\Ldckan32.exe24⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Loiong32.exeC:\Windows\system32\Loiong32.exe25⤵
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Ldfhgn32.exeC:\Windows\system32\Ldfhgn32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5108 -
C:\Windows\SysWOW64\Leedqa32.exeC:\Windows\system32\Leedqa32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Lkbmih32.exeC:\Windows\system32\Lkbmih32.exe28⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Mdkabmjf.exeC:\Windows\system32\Mdkabmjf.exe29⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Mopeofjl.exeC:\Windows\system32\Mopeofjl.exe30⤵
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\Mmebpbod.exeC:\Windows\system32\Mmebpbod.exe31⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Mhkgnkoj.exeC:\Windows\system32\Mhkgnkoj.exe32⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Mmhofbma.exeC:\Windows\system32\Mmhofbma.exe33⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Mmjlkb32.exeC:\Windows\system32\Mmjlkb32.exe34⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Nmlhaa32.exeC:\Windows\system32\Nmlhaa32.exe35⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Nkpijfgf.exeC:\Windows\system32\Nkpijfgf.exe36⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Nhdicjfp.exeC:\Windows\system32\Nhdicjfp.exe37⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Nehjmnei.exeC:\Windows\system32\Nehjmnei.exe38⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Nncoaq32.exeC:\Windows\system32\Nncoaq32.exe39⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Nkgoke32.exeC:\Windows\system32\Nkgoke32.exe40⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Ndpcdjho.exeC:\Windows\system32\Ndpcdjho.exe41⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Noehac32.exeC:\Windows\system32\Noehac32.exe42⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Oeopnmoa.exeC:\Windows\system32\Oeopnmoa.exe43⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Ogqmee32.exeC:\Windows\system32\Ogqmee32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4168 -
C:\Windows\SysWOW64\Ohpiphlb.exeC:\Windows\system32\Ohpiphlb.exe45⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Oahnhncc.exeC:\Windows\system32\Oahnhncc.exe46⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Ogefqeaj.exeC:\Windows\system32\Ogefqeaj.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Pohnnqgo.exeC:\Windows\system32\Pohnnqgo.exe48⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Pfbfjk32.exeC:\Windows\system32\Pfbfjk32.exe49⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Pojjcp32.exeC:\Windows\system32\Pojjcp32.exe50⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Pfdbpjmi.exeC:\Windows\system32\Pfdbpjmi.exe51⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Qnpgdmjd.exeC:\Windows\system32\Qnpgdmjd.exe52⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Qdipag32.exeC:\Windows\system32\Qdipag32.exe53⤵
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\Qkchna32.exeC:\Windows\system32\Qkchna32.exe54⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Qhghge32.exeC:\Windows\system32\Qhghge32.exe55⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Afkipi32.exeC:\Windows\system32\Afkipi32.exe56⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Aocmio32.exeC:\Windows\system32\Aocmio32.exe57⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Abbiej32.exeC:\Windows\system32\Abbiej32.exe58⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Agobna32.exeC:\Windows\system32\Agobna32.exe59⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Anijjkbj.exeC:\Windows\system32\Anijjkbj.exe60⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Ainnhdbp.exeC:\Windows\system32\Ainnhdbp.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Aohfdnil.exeC:\Windows\system32\Aohfdnil.exe62⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Aiqkmd32.exeC:\Windows\system32\Aiqkmd32.exe63⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Anncek32.exeC:\Windows\system32\Anncek32.exe64⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Bichcc32.exeC:\Windows\system32\Bichcc32.exe65⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Bkadoo32.exeC:\Windows\system32\Bkadoo32.exe66⤵PID:3704
-
C:\Windows\SysWOW64\Bfghlhmd.exeC:\Windows\system32\Bfghlhmd.exe67⤵PID:4704
-
C:\Windows\SysWOW64\Bnbmqjjo.exeC:\Windows\system32\Bnbmqjjo.exe68⤵PID:1688
-
C:\Windows\SysWOW64\Bfieagka.exeC:\Windows\system32\Bfieagka.exe69⤵
- Drops file in System32 directory
PID:3136 -
C:\Windows\SysWOW64\Bkfmjnii.exeC:\Windows\system32\Bkfmjnii.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1504 -
C:\Windows\SysWOW64\Bbpeghpe.exeC:\Windows\system32\Bbpeghpe.exe71⤵PID:5048
-
C:\Windows\SysWOW64\Beobcdoi.exeC:\Windows\system32\Beobcdoi.exe72⤵PID:4464
-
C:\Windows\SysWOW64\Bkhjpn32.exeC:\Windows\system32\Bkhjpn32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2920 -
C:\Windows\SysWOW64\Bngfli32.exeC:\Windows\system32\Bngfli32.exe74⤵PID:4848
-
C:\Windows\SysWOW64\Biljib32.exeC:\Windows\system32\Biljib32.exe75⤵PID:5076
-
C:\Windows\SysWOW64\Bbeobhlp.exeC:\Windows\system32\Bbeobhlp.exe76⤵PID:924
-
C:\Windows\SysWOW64\Cgagjo32.exeC:\Windows\system32\Cgagjo32.exe77⤵
- Modifies registry class
PID:4272 -
C:\Windows\SysWOW64\Cbglgg32.exeC:\Windows\system32\Cbglgg32.exe78⤵PID:1192
-
C:\Windows\SysWOW64\Ceehcc32.exeC:\Windows\system32\Ceehcc32.exe79⤵PID:1176
-
C:\Windows\SysWOW64\Cpklql32.exeC:\Windows\system32\Cpklql32.exe80⤵PID:4200
-
C:\Windows\SysWOW64\Cbihmg32.exeC:\Windows\system32\Cbihmg32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Cicqja32.exeC:\Windows\system32\Cicqja32.exe82⤵
- Drops file in System32 directory
PID:3544 -
C:\Windows\SysWOW64\Cpmifkgd.exeC:\Windows\system32\Cpmifkgd.exe83⤵
- Modifies registry class
PID:4820 -
C:\Windows\SysWOW64\Cfgace32.exeC:\Windows\system32\Cfgace32.exe84⤵PID:1556
-
C:\Windows\SysWOW64\Chinkndp.exeC:\Windows\system32\Chinkndp.exe85⤵
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\Cbnbhfde.exeC:\Windows\system32\Cbnbhfde.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Cihjeq32.exeC:\Windows\system32\Cihjeq32.exe87⤵PID:1752
-
C:\Windows\SysWOW64\Cbqonf32.exeC:\Windows\system32\Cbqonf32.exe88⤵PID:4924
-
C:\Windows\SysWOW64\Dehnpp32.exeC:\Windows\system32\Dehnpp32.exe89⤵PID:4652
-
C:\Windows\SysWOW64\Dpnbmi32.exeC:\Windows\system32\Dpnbmi32.exe90⤵PID:4564
-
C:\Windows\SysWOW64\Efhjjcpo.exeC:\Windows\system32\Efhjjcpo.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5088 -
C:\Windows\SysWOW64\Ehifak32.exeC:\Windows\system32\Ehifak32.exe92⤵
- Drops file in System32 directory
PID:3368 -
C:\Windows\SysWOW64\Eoconenj.exeC:\Windows\system32\Eoconenj.exe93⤵
- Drops file in System32 directory
PID:3520 -
C:\Windows\SysWOW64\Eihcln32.exeC:\Windows\system32\Eihcln32.exe94⤵PID:2824
-
C:\Windows\SysWOW64\Epbkhhel.exeC:\Windows\system32\Epbkhhel.exe95⤵PID:5128
-
C:\Windows\SysWOW64\Eflceb32.exeC:\Windows\system32\Eflceb32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5184 -
C:\Windows\SysWOW64\Efopjbjg.exeC:\Windows\system32\Efopjbjg.exe97⤵PID:5232
-
C:\Windows\SysWOW64\Ehpmbj32.exeC:\Windows\system32\Ehpmbj32.exe98⤵PID:5276
-
C:\Windows\SysWOW64\Epgdch32.exeC:\Windows\system32\Epgdch32.exe99⤵PID:5316
-
C:\Windows\SysWOW64\Ebeapc32.exeC:\Windows\system32\Ebeapc32.exe100⤵PID:5360
-
C:\Windows\SysWOW64\Eipilmgh.exeC:\Windows\system32\Eipilmgh.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5408 -
C:\Windows\SysWOW64\Fbhnec32.exeC:\Windows\system32\Fbhnec32.exe102⤵PID:5456
-
C:\Windows\SysWOW64\Fhefmjlp.exeC:\Windows\system32\Fhefmjlp.exe103⤵PID:5500
-
C:\Windows\SysWOW64\Foonjd32.exeC:\Windows\system32\Foonjd32.exe104⤵PID:5544
-
C:\Windows\SysWOW64\Fgffka32.exeC:\Windows\system32\Fgffka32.exe105⤵PID:5596
-
C:\Windows\SysWOW64\Fhgccijm.exeC:\Windows\system32\Fhgccijm.exe106⤵PID:5640
-
C:\Windows\SysWOW64\Fcmgpbjc.exeC:\Windows\system32\Fcmgpbjc.exe107⤵PID:5684
-
C:\Windows\SysWOW64\Fifomlap.exeC:\Windows\system32\Fifomlap.exe108⤵PID:5736
-
C:\Windows\SysWOW64\Fpcdof32.exeC:\Windows\system32\Fpcdof32.exe109⤵PID:5780
-
C:\Windows\SysWOW64\Fepmgm32.exeC:\Windows\system32\Fepmgm32.exe110⤵PID:5820
-
C:\Windows\SysWOW64\Fhnichde.exeC:\Windows\system32\Fhnichde.exe111⤵PID:5864
-
C:\Windows\SysWOW64\Gccmaack.exeC:\Windows\system32\Gccmaack.exe112⤵PID:5908
-
C:\Windows\SysWOW64\Ginenk32.exeC:\Windows\system32\Ginenk32.exe113⤵
- Modifies registry class
PID:5952 -
C:\Windows\SysWOW64\Gojnfb32.exeC:\Windows\system32\Gojnfb32.exe114⤵PID:5996
-
C:\Windows\SysWOW64\Gipbck32.exeC:\Windows\system32\Gipbck32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6036 -
C:\Windows\SysWOW64\Glnnofhi.exeC:\Windows\system32\Glnnofhi.exe116⤵PID:6080
-
C:\Windows\SysWOW64\Ggdbmoho.exeC:\Windows\system32\Ggdbmoho.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6128 -
C:\Windows\SysWOW64\Gheodg32.exeC:\Windows\system32\Gheodg32.exe118⤵PID:5144
-
C:\Windows\SysWOW64\Googaaej.exeC:\Windows\system32\Googaaej.exe119⤵PID:5216
-
C:\Windows\SysWOW64\Geipnl32.exeC:\Windows\system32\Geipnl32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5308 -
C:\Windows\SysWOW64\Gpodkdll.exeC:\Windows\system32\Gpodkdll.exe121⤵PID:5352
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-