Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
91s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
21/10/2023, 18:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.372351d65747522ae584114f0f4e7980_JC.exe
Resource
win7-20231020-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.372351d65747522ae584114f0f4e7980_JC.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.372351d65747522ae584114f0f4e7980_JC.exe
-
Size
80KB
-
MD5
372351d65747522ae584114f0f4e7980
-
SHA1
1864346613837bf754c6fd2af3fc4ae11e02322a
-
SHA256
88caab4fc9f53df980004a311dc99cd9bc97c44e4a0bad7cc9ebf24e4c6b1ae5
-
SHA512
a56a87456c67cbdf61ad9091c882228b2bef2a0a6aec3b18f274bbb84eeafc8cc867b2dba0c51525d1d10f3ceac7143a25bac444bfe8fbefe69af158715ba319
-
SSDEEP
1536:9k70HmMCIN4+E9knNcr46/9Nz5YMkhohBE8VGh:9kIHmMRSonNSDVUAEQGh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqkqhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akihcfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqdaadln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibaeen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljqhkckn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhphmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkaclqkk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kapfiqoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbhgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjffpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphqji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpacqg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcdqhecd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidlqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdjbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngkqbgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Digehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klhnfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bphgeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdbpgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mapppn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpapnfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jphkkpbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmnbfhal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doagjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enpfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Halhfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfnhfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbccge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kapfiqoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kemooo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omdieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpqjjjjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agimkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnhoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piocecgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpedeiff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eghkjdoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcclncbh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dibdeegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfdpad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eohmkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlqloo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kncaec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qodeajbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhqefjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moipoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iacngdgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnmopk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbbicl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geldkfpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lancko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oflmnh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdeiqgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pehjfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlepcdoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opeiadfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkhgod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkdpbpih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmcpoedn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obnnnc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfkmkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fijdjfdb.exe -
Executes dropped EXE 64 IoCs
pid Process 3128 Idahjg32.exe 2820 Ikkpgafg.exe 4440 Idcepgmg.exe 4332 Iciaqc32.exe 2288 Ilafiihp.exe 5064 Ijegcm32.exe 2656 Icnklbmj.exe 1240 Jpaleglc.exe 1096 Jlhljhbg.exe 1392 Jdodkebj.exe 3872 Jgpmmp32.exe 420 Jqhafffk.exe 3524 Jnlbojee.exe 2640 Jcikgacl.exe 4476 Kjccdkki.exe 1212 Kclgmq32.exe 2180 Kjepjkhf.exe 944 Kkeldnpi.exe 976 Kqbdldnq.exe 2148 Kkgiimng.exe 4040 Kqdaadln.exe 1576 Kjmfjj32.exe 2864 Lgqfdnah.exe 4872 Lqikmc32.exe 1728 Lknojl32.exe 2524 Ldgccb32.exe 2376 Lnohlgep.exe 3756 Lmdemd32.exe 4612 Lcnmin32.exe 4212 Lndagg32.exe 208 Mcqjon32.exe 1352 Madjhb32.exe 4660 Mkjnfkma.exe 2276 Maggnali.exe 1888 Meepdp32.exe 3704 Mmpdhboj.exe 4940 Mgehfkop.exe 8 Mmbanbmg.exe 3904 Nclikl32.exe 3092 Nmenca32.exe 1700 Nnfgcd32.exe 4880 Neqopnhb.exe 692 Njmhhefi.exe 1460 Ndflak32.exe 752 Nlmdbh32.exe 1916 Oeehkn32.exe 316 Onnmdcjm.exe 3112 Olanmgig.exe 3744 Omcjep32.exe 2456 Oldjcg32.exe 3496 Oaqbkn32.exe 5052 Ohkkhhmh.exe 5024 Oodcdb32.exe 3024 Ohmhmh32.exe 1988 Okkdic32.exe 1868 Peahgl32.exe 4380 Pahilmoc.exe 2724 Pkpmdbfd.exe 748 Pajeam32.exe 5032 Phdnngdn.exe 1860 Pmaffnce.exe 1856 Plbfdekd.exe 4264 Popbpqjh.exe 4684 Phigif32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kjeqge32.dll Mmbanbmg.exe File created C:\Windows\SysWOW64\Fiqjke32.exe Fiqjke32.exe File created C:\Windows\SysWOW64\Kpikki32.dll Omdieb32.exe File opened for modification C:\Windows\SysWOW64\Ilafiihp.exe Iciaqc32.exe File created C:\Windows\SysWOW64\Hhimhobl.exe Haodle32.exe File opened for modification C:\Windows\SysWOW64\Mjlalkmd.exe Mcaipa32.exe File opened for modification C:\Windows\SysWOW64\Caqpkjcl.exe Ckggnp32.exe File created C:\Windows\SysWOW64\Cefnemqj.dll Apimodmh.exe File created C:\Windows\SysWOW64\Bfcklp32.dll Fbbicl32.exe File created C:\Windows\SysWOW64\Naefjl32.dll Dlqpaafg.exe File opened for modification C:\Windows\SysWOW64\Foclgq32.exe Fgmdec32.exe File opened for modification C:\Windows\SysWOW64\Blqllqqa.exe Bffcpg32.exe File created C:\Windows\SysWOW64\Nfldgk32.exe Ncmhko32.exe File created C:\Windows\SysWOW64\Olanmgig.exe Onnmdcjm.exe File opened for modification C:\Windows\SysWOW64\Mhckcgpj.exe Mcdeeq32.exe File created C:\Windows\SysWOW64\Popbpqjh.exe Plbfdekd.exe File created C:\Windows\SysWOW64\Pofhbgmn.exe Pmhkflnj.exe File created C:\Windows\SysWOW64\Fpkefnho.dll Njmhhefi.exe File opened for modification C:\Windows\SysWOW64\Pnmopk32.exe Paiogf32.exe File created C:\Windows\SysWOW64\Pfbmdabh.exe Pcdqhecd.exe File created C:\Windows\SysWOW64\Pmaffnce.exe Phdnngdn.exe File created C:\Windows\SysWOW64\Gfqnichl.dll Blqllqqa.exe File created C:\Windows\SysWOW64\Ggmkff32.dll Jljbeali.exe File opened for modification C:\Windows\SysWOW64\Nmhijd32.exe Nimmifgo.exe File created C:\Windows\SysWOW64\Hhcmlj32.dll Iciaqc32.exe File created C:\Windows\SysWOW64\Jipegn32.dll Ekaapi32.exe File opened for modification C:\Windows\SysWOW64\Jgmjmjnb.exe Jlgepanl.exe File opened for modification C:\Windows\SysWOW64\Nfcabp32.exe Nmkmjjaa.exe File opened for modification C:\Windows\SysWOW64\Doagjc32.exe Dhgonidg.exe File created C:\Windows\SysWOW64\Ddlnnc32.dll Hbnaeh32.exe File opened for modification C:\Windows\SysWOW64\Nclikl32.exe Mmbanbmg.exe File created C:\Windows\SysWOW64\Ceknlgnl.dll Gngeik32.exe File opened for modification C:\Windows\SysWOW64\Ajohfcpj.exe Adepji32.exe File opened for modification C:\Windows\SysWOW64\Efgemb32.exe Ekaapi32.exe File opened for modification C:\Windows\SysWOW64\Iipfmggc.exe Igajal32.exe File opened for modification C:\Windows\SysWOW64\Mgloefco.exe Mmfkhmdi.exe File opened for modification C:\Windows\SysWOW64\Albpkc32.exe Anaomkdb.exe File opened for modification C:\Windows\SysWOW64\Bnoknihb.exe Blnoga32.exe File created C:\Windows\SysWOW64\Bgicnp32.dll Dqnjgl32.exe File opened for modification C:\Windows\SysWOW64\Okolfj32.exe Ocdgahag.exe File created C:\Windows\SysWOW64\Jhdnigno.dll Ijegcm32.exe File created C:\Windows\SysWOW64\Konidd32.dll Fefedmil.exe File created C:\Windows\SysWOW64\Ieoigp32.dll Akblfj32.exe File created C:\Windows\SysWOW64\Glofjfnn.dll Banjnm32.exe File opened for modification C:\Windows\SysWOW64\Ocfdgg32.exe Okolfj32.exe File opened for modification C:\Windows\SysWOW64\Ffqhcq32.exe Flkdfh32.exe File created C:\Windows\SysWOW64\Clahmb32.dll Lcnfohmi.exe File opened for modification C:\Windows\SysWOW64\Ebfign32.exe Eohmkb32.exe File created C:\Windows\SysWOW64\Fgjimp32.dll Ppolhcnm.exe File created C:\Windows\SysWOW64\Ehfomc32.dll Kedlip32.exe File created C:\Windows\SysWOW64\Khiofk32.exe Kapfiqoj.exe File created C:\Windows\SysWOW64\Pcdqhecd.exe Pkmhgh32.exe File created C:\Windows\SysWOW64\Hfhgkmpj.exe Hpnoncim.exe File opened for modification C:\Windows\SysWOW64\Flkdfh32.exe Fbbpmb32.exe File created C:\Windows\SysWOW64\Kldgkp32.dll Kemooo32.exe File created C:\Windows\SysWOW64\Ghfqhkbn.dll Cigkdmel.exe File created C:\Windows\SysWOW64\Blnoga32.exe Bedgjgkg.exe File created C:\Windows\SysWOW64\Ojnfihmo.exe Niojoeel.exe File opened for modification C:\Windows\SysWOW64\Maggnali.exe Mkjnfkma.exe File opened for modification C:\Windows\SysWOW64\Abmjqe32.exe Aalmimfd.exe File created C:\Windows\SysWOW64\Oodcdb32.exe Ohkkhhmh.exe File created C:\Windows\SysWOW64\Ofaqkhem.dll Akihcfid.exe File created C:\Windows\SysWOW64\Mnmmboed.exe Mmmqhl32.exe File opened for modification C:\Windows\SysWOW64\Lljdai32.exe Lepleocn.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4656 3840 WerFault.exe 634 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicchk32.dll" Ledepn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdafpj32.dll" Kqdaadln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnfihkqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcdjbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgloefco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgqjbf32.dll" Mjlhgaqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blnoga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanmld32.dll" Nmcpoedn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaohcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqmojd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgicnp32.dll" Dqnjgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khiofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofdmmgd.dll" Bllbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcmgob32.dll" Eecphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnknop32.dll" Jadgnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idefqiag.dll" Lqhdbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqkqhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbenoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfeijqqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfqnichl.dll" Blqllqqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckjbhmad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdflknog.dll" Mfkkqmiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdbpgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbebbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbngeadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkpjkai.dll" Nadleilm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedckdaj.dll" Pnfiplog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjnmfk32.dll" Medglemj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpgbgpbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kofkbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gflonn32.dll" Ofjqihnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bagmdllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhikci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eohmkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmmpa32.dll" Hehdfdek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cigkdmel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcfkpjng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bafndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnnfkal.dll" Gkaclqkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpaihooo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pccahbmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lplfcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmhel32.dll" Ihdldn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhifomdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eecphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilnbicff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jadgnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abpcja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkoafbld.dll" Lgdidgjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omcjep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhjedb.dll" Hipmfjee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgmjmjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idcepgmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jljbeali.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acppddig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Popbpqjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpaihooo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icnklbmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilkoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppikbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmdlmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpdcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchag32.dll" Bmladm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4136 wrote to memory of 3128 4136 NEAS.372351d65747522ae584114f0f4e7980_JC.exe 89 PID 4136 wrote to memory of 3128 4136 NEAS.372351d65747522ae584114f0f4e7980_JC.exe 89 PID 4136 wrote to memory of 3128 4136 NEAS.372351d65747522ae584114f0f4e7980_JC.exe 89 PID 3128 wrote to memory of 2820 3128 Idahjg32.exe 88 PID 3128 wrote to memory of 2820 3128 Idahjg32.exe 88 PID 3128 wrote to memory of 2820 3128 Idahjg32.exe 88 PID 2820 wrote to memory of 4440 2820 Ikkpgafg.exe 90 PID 2820 wrote to memory of 4440 2820 Ikkpgafg.exe 90 PID 2820 wrote to memory of 4440 2820 Ikkpgafg.exe 90 PID 4440 wrote to memory of 4332 4440 Idcepgmg.exe 91 PID 4440 wrote to memory of 4332 4440 Idcepgmg.exe 91 PID 4440 wrote to memory of 4332 4440 Idcepgmg.exe 91 PID 4332 wrote to memory of 2288 4332 Iciaqc32.exe 92 PID 4332 wrote to memory of 2288 4332 Iciaqc32.exe 92 PID 4332 wrote to memory of 2288 4332 Iciaqc32.exe 92 PID 2288 wrote to memory of 5064 2288 Ilafiihp.exe 93 PID 2288 wrote to memory of 5064 2288 Ilafiihp.exe 93 PID 2288 wrote to memory of 5064 2288 Ilafiihp.exe 93 PID 5064 wrote to memory of 2656 5064 Ijegcm32.exe 94 PID 5064 wrote to memory of 2656 5064 Ijegcm32.exe 94 PID 5064 wrote to memory of 2656 5064 Ijegcm32.exe 94 PID 2656 wrote to memory of 1240 2656 Icnklbmj.exe 95 PID 2656 wrote to memory of 1240 2656 Icnklbmj.exe 95 PID 2656 wrote to memory of 1240 2656 Icnklbmj.exe 95 PID 1240 wrote to memory of 1096 1240 Jpaleglc.exe 96 PID 1240 wrote to memory of 1096 1240 Jpaleglc.exe 96 PID 1240 wrote to memory of 1096 1240 Jpaleglc.exe 96 PID 1096 wrote to memory of 1392 1096 Jlhljhbg.exe 97 PID 1096 wrote to memory of 1392 1096 Jlhljhbg.exe 97 PID 1096 wrote to memory of 1392 1096 Jlhljhbg.exe 97 PID 1392 wrote to memory of 3872 1392 Jdodkebj.exe 98 PID 1392 wrote to memory of 3872 1392 Jdodkebj.exe 98 PID 1392 wrote to memory of 3872 1392 Jdodkebj.exe 98 PID 3872 wrote to memory of 420 3872 Jgpmmp32.exe 99 PID 3872 wrote to memory of 420 3872 Jgpmmp32.exe 99 PID 3872 wrote to memory of 420 3872 Jgpmmp32.exe 99 PID 420 wrote to memory of 3524 420 Jqhafffk.exe 100 PID 420 wrote to memory of 3524 420 Jqhafffk.exe 100 PID 420 wrote to memory of 3524 420 Jqhafffk.exe 100 PID 3524 wrote to memory of 2640 3524 Jnlbojee.exe 101 PID 3524 wrote to memory of 2640 3524 Jnlbojee.exe 101 PID 3524 wrote to memory of 2640 3524 Jnlbojee.exe 101 PID 2640 wrote to memory of 4476 2640 Jcikgacl.exe 102 PID 2640 wrote to memory of 4476 2640 Jcikgacl.exe 102 PID 2640 wrote to memory of 4476 2640 Jcikgacl.exe 102 PID 4476 wrote to memory of 1212 4476 Kjccdkki.exe 103 PID 4476 wrote to memory of 1212 4476 Kjccdkki.exe 103 PID 4476 wrote to memory of 1212 4476 Kjccdkki.exe 103 PID 1212 wrote to memory of 2180 1212 Kclgmq32.exe 104 PID 1212 wrote to memory of 2180 1212 Kclgmq32.exe 104 PID 1212 wrote to memory of 2180 1212 Kclgmq32.exe 104 PID 2180 wrote to memory of 944 2180 Kjepjkhf.exe 105 PID 2180 wrote to memory of 944 2180 Kjepjkhf.exe 105 PID 2180 wrote to memory of 944 2180 Kjepjkhf.exe 105 PID 944 wrote to memory of 976 944 Kkeldnpi.exe 106 PID 944 wrote to memory of 976 944 Kkeldnpi.exe 106 PID 944 wrote to memory of 976 944 Kkeldnpi.exe 106 PID 976 wrote to memory of 2148 976 Kqbdldnq.exe 107 PID 976 wrote to memory of 2148 976 Kqbdldnq.exe 107 PID 976 wrote to memory of 2148 976 Kqbdldnq.exe 107 PID 2148 wrote to memory of 4040 2148 Kkgiimng.exe 108 PID 2148 wrote to memory of 4040 2148 Kkgiimng.exe 108 PID 2148 wrote to memory of 4040 2148 Kkgiimng.exe 108 PID 4040 wrote to memory of 1576 4040 Kqdaadln.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.372351d65747522ae584114f0f4e7980_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.372351d65747522ae584114f0f4e7980_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128
-
-
C:\Windows\SysWOW64\Ikkpgafg.exeC:\Windows\system32\Ikkpgafg.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\Iciaqc32.exeC:\Windows\system32\Iciaqc32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\Ilafiihp.exeC:\Windows\system32\Ilafiihp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Ijegcm32.exeC:\Windows\system32\Ijegcm32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\Icnklbmj.exeC:\Windows\system32\Icnklbmj.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Jpaleglc.exeC:\Windows\system32\Jpaleglc.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Jlhljhbg.exeC:\Windows\system32\Jlhljhbg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Jdodkebj.exeC:\Windows\system32\Jdodkebj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Jgpmmp32.exeC:\Windows\system32\Jgpmmp32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\SysWOW64\Jqhafffk.exeC:\Windows\system32\Jqhafffk.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:420 -
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\SysWOW64\Jcikgacl.exeC:\Windows\system32\Jcikgacl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Kjccdkki.exeC:\Windows\system32\Kjccdkki.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Kclgmq32.exeC:\Windows\system32\Kclgmq32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Kkeldnpi.exeC:\Windows\system32\Kkeldnpi.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Kqbdldnq.exeC:\Windows\system32\Kqbdldnq.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Kkgiimng.exeC:\Windows\system32\Kkgiimng.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Kqdaadln.exeC:\Windows\system32\Kqdaadln.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\Kjmfjj32.exeC:\Windows\system32\Kjmfjj32.exe21⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Lgqfdnah.exeC:\Windows\system32\Lgqfdnah.exe22⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Lqikmc32.exeC:\Windows\system32\Lqikmc32.exe23⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Lknojl32.exeC:\Windows\system32\Lknojl32.exe24⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Ldgccb32.exeC:\Windows\system32\Ldgccb32.exe25⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Lnohlgep.exeC:\Windows\system32\Lnohlgep.exe26⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Lmdemd32.exeC:\Windows\system32\Lmdemd32.exe27⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Lcnmin32.exeC:\Windows\system32\Lcnmin32.exe28⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Lndagg32.exeC:\Windows\system32\Lndagg32.exe29⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Mcqjon32.exeC:\Windows\system32\Mcqjon32.exe30⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Madjhb32.exeC:\Windows\system32\Madjhb32.exe31⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Mkjnfkma.exeC:\Windows\system32\Mkjnfkma.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4660 -
C:\Windows\SysWOW64\Maggnali.exeC:\Windows\system32\Maggnali.exe33⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Meepdp32.exeC:\Windows\system32\Meepdp32.exe34⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Mmpdhboj.exeC:\Windows\system32\Mmpdhboj.exe35⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Mgehfkop.exeC:\Windows\system32\Mgehfkop.exe36⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Mmbanbmg.exeC:\Windows\system32\Mmbanbmg.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:8 -
C:\Windows\SysWOW64\Nclikl32.exeC:\Windows\system32\Nclikl32.exe38⤵
- Executes dropped EXE
PID:3904 -
C:\Windows\SysWOW64\Nmenca32.exeC:\Windows\system32\Nmenca32.exe39⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Nnfgcd32.exeC:\Windows\system32\Nnfgcd32.exe40⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Neqopnhb.exeC:\Windows\system32\Neqopnhb.exe41⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Njmhhefi.exeC:\Windows\system32\Njmhhefi.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:692 -
C:\Windows\SysWOW64\Ndflak32.exeC:\Windows\system32\Ndflak32.exe43⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Nlmdbh32.exeC:\Windows\system32\Nlmdbh32.exe44⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Oeehkn32.exeC:\Windows\system32\Oeehkn32.exe45⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Onnmdcjm.exeC:\Windows\system32\Onnmdcjm.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:316 -
C:\Windows\SysWOW64\Olanmgig.exeC:\Windows\system32\Olanmgig.exe47⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Omcjep32.exeC:\Windows\system32\Omcjep32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:3744 -
C:\Windows\SysWOW64\Oldjcg32.exeC:\Windows\system32\Oldjcg32.exe49⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Oaqbkn32.exeC:\Windows\system32\Oaqbkn32.exe50⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Ohkkhhmh.exeC:\Windows\system32\Ohkkhhmh.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5052 -
C:\Windows\SysWOW64\Oodcdb32.exeC:\Windows\system32\Oodcdb32.exe52⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Ohmhmh32.exeC:\Windows\system32\Ohmhmh32.exe53⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Okkdic32.exeC:\Windows\system32\Okkdic32.exe54⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Peahgl32.exeC:\Windows\system32\Peahgl32.exe55⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Pahilmoc.exeC:\Windows\system32\Pahilmoc.exe56⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Pkpmdbfd.exeC:\Windows\system32\Pkpmdbfd.exe57⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Pajeam32.exeC:\Windows\system32\Pajeam32.exe58⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Phdnngdn.exeC:\Windows\system32\Phdnngdn.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5032 -
C:\Windows\SysWOW64\Pmaffnce.exeC:\Windows\system32\Pmaffnce.exe60⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Plbfdekd.exeC:\Windows\system32\Plbfdekd.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Popbpqjh.exeC:\Windows\system32\Popbpqjh.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:4264 -
C:\Windows\SysWOW64\Phigif32.exeC:\Windows\system32\Phigif32.exe63⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Pocpfphe.exeC:\Windows\system32\Pocpfphe.exe64⤵PID:3132
-
C:\Windows\SysWOW64\Qemhbj32.exeC:\Windows\system32\Qemhbj32.exe65⤵PID:2120
-
C:\Windows\SysWOW64\Qkipkani.exeC:\Windows\system32\Qkipkani.exe66⤵PID:4320
-
C:\Windows\SysWOW64\Adikdfna.exeC:\Windows\system32\Adikdfna.exe67⤵PID:224
-
C:\Windows\SysWOW64\Anaomkdb.exeC:\Windows\system32\Anaomkdb.exe68⤵
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Albpkc32.exeC:\Windows\system32\Albpkc32.exe69⤵PID:4748
-
C:\Windows\SysWOW64\Aaohcj32.exeC:\Windows\system32\Aaohcj32.exe70⤵
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Adndoe32.exeC:\Windows\system32\Adndoe32.exe71⤵PID:1140
-
C:\Windows\SysWOW64\Akglloai.exeC:\Windows\system32\Akglloai.exe72⤵PID:368
-
C:\Windows\SysWOW64\Bnfihkqm.exeC:\Windows\system32\Bnfihkqm.exe73⤵
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Bdpaeehj.exeC:\Windows\system32\Bdpaeehj.exe74⤵PID:2984
-
C:\Windows\SysWOW64\Bkjiao32.exeC:\Windows\system32\Bkjiao32.exe75⤵PID:4864
-
C:\Windows\SysWOW64\Bhnikc32.exeC:\Windows\system32\Bhnikc32.exe76⤵PID:3424
-
C:\Windows\SysWOW64\Bafndi32.exeC:\Windows\system32\Bafndi32.exe77⤵
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Bllbaa32.exeC:\Windows\system32\Bllbaa32.exe78⤵
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Bedgjgkg.exeC:\Windows\system32\Bedgjgkg.exe79⤵
- Drops file in System32 directory
PID:4820 -
C:\Windows\SysWOW64\Blnoga32.exeC:\Windows\system32\Blnoga32.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Bnoknihb.exeC:\Windows\system32\Bnoknihb.exe81⤵PID:3940
-
C:\Windows\SysWOW64\Bffcpg32.exeC:\Windows\system32\Bffcpg32.exe82⤵
- Drops file in System32 directory
PID:3912 -
C:\Windows\SysWOW64\Blqllqqa.exeC:\Windows\system32\Blqllqqa.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Cnahdi32.exeC:\Windows\system32\Cnahdi32.exe84⤵PID:1056
-
C:\Windows\SysWOW64\Cdlqqcnl.exeC:\Windows\system32\Cdlqqcnl.exe85⤵PID:2488
-
C:\Windows\SysWOW64\Ckeimm32.exeC:\Windows\system32\Ckeimm32.exe86⤵PID:3048
-
C:\Windows\SysWOW64\Cfkmkf32.exeC:\Windows\system32\Cfkmkf32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5140 -
C:\Windows\SysWOW64\Ckhecmcf.exeC:\Windows\system32\Ckhecmcf.exe88⤵PID:5184
-
C:\Windows\SysWOW64\Cdpjlb32.exeC:\Windows\system32\Cdpjlb32.exe89⤵PID:5228
-
C:\Windows\SysWOW64\Ckjbhmad.exeC:\Windows\system32\Ckjbhmad.exe90⤵
- Modifies registry class
PID:5272 -
C:\Windows\SysWOW64\Cbdjeg32.exeC:\Windows\system32\Cbdjeg32.exe91⤵PID:5312
-
C:\Windows\SysWOW64\Cfpffeaj.exeC:\Windows\system32\Cfpffeaj.exe92⤵PID:5360
-
C:\Windows\SysWOW64\Cohkokgj.exeC:\Windows\system32\Cohkokgj.exe93⤵PID:5404
-
C:\Windows\SysWOW64\Cfbcke32.exeC:\Windows\system32\Cfbcke32.exe94⤵PID:5448
-
C:\Windows\SysWOW64\Chqogq32.exeC:\Windows\system32\Chqogq32.exe95⤵PID:5492
-
C:\Windows\SysWOW64\Dfdpad32.exeC:\Windows\system32\Dfdpad32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5528 -
C:\Windows\SysWOW64\Dhclmp32.exeC:\Windows\system32\Dhclmp32.exe97⤵PID:5576
-
C:\Windows\SysWOW64\Dkahilkl.exeC:\Windows\system32\Dkahilkl.exe98⤵PID:5624
-
C:\Windows\SysWOW64\Dfglfdkb.exeC:\Windows\system32\Dfglfdkb.exe99⤵PID:5664
-
C:\Windows\SysWOW64\Ddjmba32.exeC:\Windows\system32\Ddjmba32.exe100⤵PID:5708
-
C:\Windows\SysWOW64\Dkceokii.exeC:\Windows\system32\Dkceokii.exe101⤵PID:5756
-
C:\Windows\SysWOW64\Ddligq32.exeC:\Windows\system32\Ddligq32.exe102⤵PID:5800
-
C:\Windows\SysWOW64\Digehphc.exeC:\Windows\system32\Digehphc.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5840 -
C:\Windows\SysWOW64\Dndnpf32.exeC:\Windows\system32\Dndnpf32.exe104⤵PID:5884
-
C:\Windows\SysWOW64\Dbpjaeoc.exeC:\Windows\system32\Dbpjaeoc.exe105⤵PID:5924
-
C:\Windows\SysWOW64\Dmennnni.exeC:\Windows\system32\Dmennnni.exe106⤵PID:5968
-
C:\Windows\SysWOW64\Dodjjimm.exeC:\Windows\system32\Dodjjimm.exe107⤵PID:6020
-
C:\Windows\SysWOW64\Dfnbgc32.exeC:\Windows\system32\Dfnbgc32.exe108⤵PID:6064
-
C:\Windows\SysWOW64\Deqcbpld.exeC:\Windows\system32\Deqcbpld.exe109⤵PID:6108
-
C:\Windows\SysWOW64\Enigke32.exeC:\Windows\system32\Enigke32.exe110⤵PID:4776
-
C:\Windows\SysWOW64\Eecphp32.exeC:\Windows\system32\Eecphp32.exe111⤵
- Modifies registry class
PID:5192 -
C:\Windows\SysWOW64\Ebgpad32.exeC:\Windows\system32\Ebgpad32.exe112⤵PID:5256
-
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe113⤵PID:5332
-
C:\Windows\SysWOW64\Ekodjiol.exeC:\Windows\system32\Ekodjiol.exe114⤵PID:5388
-
C:\Windows\SysWOW64\Ennqfenp.exeC:\Windows\system32\Ennqfenp.exe115⤵PID:5476
-
C:\Windows\SysWOW64\Efeihb32.exeC:\Windows\system32\Efeihb32.exe116⤵PID:5544
-
C:\Windows\SysWOW64\Ekaapi32.exeC:\Windows\system32\Ekaapi32.exe117⤵
- Drops file in System32 directory
PID:5620 -
C:\Windows\SysWOW64\Efgemb32.exeC:\Windows\system32\Efgemb32.exe118⤵PID:5676
-
C:\Windows\SysWOW64\Eifaim32.exeC:\Windows\system32\Eifaim32.exe119⤵PID:5744
-
C:\Windows\SysWOW64\Ebnfbcbc.exeC:\Windows\system32\Ebnfbcbc.exe120⤵PID:5808
-
C:\Windows\SysWOW64\Felbnn32.exeC:\Windows\system32\Felbnn32.exe121⤵PID:5876
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-