Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
73s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
21/10/2023, 19:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.e9b3d22ebddbc24ac9417ca65c3253d9_JC.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.e9b3d22ebddbc24ac9417ca65c3253d9_JC.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.e9b3d22ebddbc24ac9417ca65c3253d9_JC.exe
-
Size
112KB
-
MD5
e9b3d22ebddbc24ac9417ca65c3253d9
-
SHA1
ffcd781f0dd57c5fad5f9e159580ce7a71c86f5b
-
SHA256
63b32241cca974697eed85ab6b28f9a13a75d37fc2b2909f2304ad29eda76725
-
SHA512
615253a90ee80728bd813c83f1785736c27f923a8e494de869c07611c770350cbd84fad23fa4d50d59920ab5b57027a98290395e3a43fd61c947b330f9e4f282
-
SSDEEP
1536:htqfZQHIzcLBuA8VccveyfllOOp41vdjwjXq+66DFUABABOVLefEjw6YmLg:CfZzCBuA8VcmeallOug1cj6+JB8M6mk
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iehmmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kefiopki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apnkfelb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gblbca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ombcji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apimodmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cefoni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbglgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cammjakm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjmjgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phpbffnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phpbffnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmpdhboj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlpfhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekonpckp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhdcmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lacbpccn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejhkdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foapaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdcmkgmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daeifj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mginniij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgpobmca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neclenfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caojpaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcegclgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkefmjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abpcja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hladlc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egnajocq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bedbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icgbob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paiogf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epaemojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eihcln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqfolqna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblmgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qppaclio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmbiackg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfdbpjmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghddp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdgglfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aimogakj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgldl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpqklh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ondljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nckkfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhmafcnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jepbodhg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfedmfqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfjnhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abjmkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Andqol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjlaoioh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kncaec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdmngm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgibjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dndlba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdimqm32.exe -
Executes dropped EXE 64 IoCs
pid Process 4744 Kqphfe32.exe 3668 Lklbdm32.exe 4468 Lkalplel.exe 2388 Lekmnajj.exe 2892 Mepfiq32.exe 1136 Mmpdhboj.exe 1604 Mjdebfnd.exe 5080 Nhmofj32.exe 3692 Njmhhefi.exe 2540 Neclenfo.exe 4672 Najmjokc.exe 872 Ohfami32.exe 484 Oejbfmpg.exe 4912 Olfghg32.exe 2684 Peahgl32.exe 384 Pdhbmh32.exe 3228 Pldcjeia.exe 2040 Qaalblgi.exe 544 Adfnofpd.exe 2752 Akglloai.exe 1652 Bnkbcj32.exe 3788 Bakgoh32.exe 3356 Cndeii32.exe 3852 Cnindhpg.exe 2312 Dokgdkeh.exe 3868 Ddjmba32.exe 1572 Dbpjaeoc.exe 4860 Dkhnjk32.exe 2348 Ekkkoj32.exe 1396 Eoideh32.exe 3548 Eiahnnph.exe 392 Eicedn32.exe 3696 Fflohaij.exe 1124 Flmqlg32.exe 3772 Gmojkj32.exe 4728 Gblbca32.exe 2228 Hlpfhe32.exe 884 Iinjhh32.exe 4452 Iojbpo32.exe 4492 Igdgglfl.exe 4812 Ilqoobdd.exe 3276 Jpcapp32.exe 3916 Jinboekc.exe 3352 Kjblje32.exe 3684 Kpoalo32.exe 4360 Kncaec32.exe 3824 Klhnfo32.exe 1528 Kjlopc32.exe 2408 Lnjgfb32.exe 4644 Lomqcjie.exe 1812 Lnangaoa.exe 4832 Ljhnlb32.exe 1020 Mfnoqc32.exe 4708 Mfqlfb32.exe 2824 Mmkdcm32.exe 1492 Mmmqhl32.exe 4256 Mgbefe32.exe 5064 Monjjgkb.exe 1028 Mfhbga32.exe 1376 Nqmfdj32.exe 2168 Njfkmphe.exe 4700 Ngjkfd32.exe 2392 Nglhld32.exe 1772 Npgmpf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ppahmb32.exe Pjdpelnc.exe File opened for modification C:\Windows\SysWOW64\Jblmgf32.exe Jlbejloe.exe File created C:\Windows\SysWOW64\Acccdj32.exe Aimogakj.exe File created C:\Windows\SysWOW64\Mnedig32.dll Process not Found File created C:\Windows\SysWOW64\Emfbmcph.dll Process not Found File created C:\Windows\SysWOW64\Bfgcag32.dll Process not Found File created C:\Windows\SysWOW64\Iaghgm32.dll Lklbdm32.exe File created C:\Windows\SysWOW64\Cqichhmn.dll Peahgl32.exe File opened for modification C:\Windows\SysWOW64\Jhoeef32.exe Jaemilci.exe File opened for modification C:\Windows\SysWOW64\Glqkefff.exe Giboijgb.exe File created C:\Windows\SysWOW64\Nmkgdlkh.dll Phfhfa32.exe File created C:\Windows\SysWOW64\Dendok32.exe Dndlba32.exe File created C:\Windows\SysWOW64\Mfqlfb32.exe Mfnoqc32.exe File opened for modification C:\Windows\SysWOW64\Obgohklm.exe Niojoeel.exe File opened for modification C:\Windows\SysWOW64\Hejjanpm.exe Hnpaec32.exe File opened for modification C:\Windows\SysWOW64\Ogcike32.exe Oeamcmmo.exe File created C:\Windows\SysWOW64\Folnlh32.dll Mfhbga32.exe File created C:\Windows\SysWOW64\Cogcho32.dll Pcbdcf32.exe File created C:\Windows\SysWOW64\Ohdbkh32.exe Oakjnnap.exe File opened for modification C:\Windows\SysWOW64\Hnnljj32.exe Hhdcmp32.exe File created C:\Windows\SysWOW64\Jbjabqbh.dll Mafofggd.exe File created C:\Windows\SysWOW64\Onimmoeg.dll Ijlkfg32.exe File created C:\Windows\SysWOW64\Edbiniff.exe Ebdlangb.exe File created C:\Windows\SysWOW64\Jkkdccim.dll Nahdapae.exe File created C:\Windows\SysWOW64\Kfbpoi32.dll Nonbqd32.exe File opened for modification C:\Windows\SysWOW64\Jikoopij.exe Jbagbebm.exe File created C:\Windows\SysWOW64\Dcffnbee.exe Daeifj32.exe File created C:\Windows\SysWOW64\Hbfdjc32.exe Hqghqpnl.exe File opened for modification C:\Windows\SysWOW64\Jqklnp32.exe Process not Found File created C:\Windows\SysWOW64\Hhjamhbn.dll Dbpjaeoc.exe File created C:\Windows\SysWOW64\Biepfnpi.dll Iiopca32.exe File opened for modification C:\Windows\SysWOW64\Flcfnn32.exe Fjeibc32.exe File created C:\Windows\SysWOW64\Iidedlmj.dll Khbhdn32.exe File opened for modification C:\Windows\SysWOW64\Bakgoh32.exe Bnkbcj32.exe File created C:\Windows\SysWOW64\Ieeimlep.exe Inkaqb32.exe File opened for modification C:\Windows\SysWOW64\Qfmmplad.exe Qmeigg32.exe File opened for modification C:\Windows\SysWOW64\Abdfkj32.exe Agobna32.exe File created C:\Windows\SysWOW64\Goadfa32.exe Koggehff.exe File opened for modification C:\Windows\SysWOW64\Dndlba32.exe Process not Found File created C:\Windows\SysWOW64\Nhhldc32.exe Nandhi32.exe File created C:\Windows\SysWOW64\Naqqmieo.exe Niihlkdm.exe File created C:\Windows\SysWOW64\Lhenai32.exe Llnnmhfe.exe File created C:\Windows\SysWOW64\Bcidlo32.dll Cajjjk32.exe File created C:\Windows\SysWOW64\Ajgqdaoi.dll Fggdpnkf.exe File opened for modification C:\Windows\SysWOW64\Qejfkmem.exe Pcijce32.exe File created C:\Windows\SysWOW64\Eoideh32.exe Ekkkoj32.exe File created C:\Windows\SysWOW64\Nqmfdj32.exe Mfhbga32.exe File opened for modification C:\Windows\SysWOW64\Mpclce32.exe Mablfnne.exe File created C:\Windows\SysWOW64\Qmekbhdn.dll Ndmgnkja.exe File opened for modification C:\Windows\SysWOW64\Didjqoae.exe Dpkehi32.exe File created C:\Windows\SysWOW64\Ppehbl32.dll Process not Found File created C:\Windows\SysWOW64\Mjdebfnd.exe Mmpdhboj.exe File opened for modification C:\Windows\SysWOW64\Aajhndkb.exe Ahaceo32.exe File created C:\Windows\SysWOW64\Kahinkaf.exe Jhoeef32.exe File created C:\Windows\SysWOW64\Oljoen32.exe Nfpghccm.exe File created C:\Windows\SysWOW64\Fgjhpcmo.exe Egened32.exe File opened for modification C:\Windows\SysWOW64\Obnehj32.exe Oqmhqapg.exe File opened for modification C:\Windows\SysWOW64\Pnknim32.exe Pgaelcgm.exe File created C:\Windows\SysWOW64\Pjbofkpn.dll Efopjbjg.exe File created C:\Windows\SysWOW64\Bndfbikc.dll Akglloai.exe File created C:\Windows\SysWOW64\Lddble32.exe Lbcedmnl.exe File created C:\Windows\SysWOW64\Lhdggb32.exe Lbhool32.exe File created C:\Windows\SysWOW64\Gphddlfp.exe Ffcpgcfj.exe File created C:\Windows\SysWOW64\Fcdpakhk.dll Bpaikm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7480 7544 Process not Found 1297 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olfghg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaldccip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnhog32.dll" Kbnlim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oheienli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gklcce32.dll" Eebgqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmjlkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhjamhbn.dll" Dbpjaeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbbjj32.dll" Dkhnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbmdj32.dll" Infhebbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jakchf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haafdi32.dll" Piceflpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeoha32.dll" Bmimdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gphddlfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidedlmj.dll" Khbhdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpagekkf.dll" Ckggnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnckooob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kncaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Indkpcdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lagepl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkalplel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmkdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epopbo32.dll" Bdojjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpijjbj.dll" Nfpghccm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debaqh32.dll" Okfbgiij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pakdbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcmedk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfjnhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjkcqdje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnglia32.dll" Ebbmpmnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcmgbngb.dll" Halaloif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhgkfkhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dppgmlhk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmhkflnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffcpgcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ompbfo32.dll" Hejjanpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conllp32.dll" Pcijce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efopjbjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqkigp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbagbebm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laibqedm.dll" Qhghge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffjkdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dojqjdbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mablfnne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfdqfbai.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knnicgle.dll" Hlhaee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hladlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dokgdkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpclaedf.dll" Hqghqpnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apddce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndmgnkja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgbobll.dll" Aepmjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqnemp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eohmkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhjhmhhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipimhnjc.dll" Qiiflaoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afcmfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdcmkgmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejjaqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nncoaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odgjdibf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2776 wrote to memory of 4744 2776 NEAS.e9b3d22ebddbc24ac9417ca65c3253d9_JC.exe 83 PID 2776 wrote to memory of 4744 2776 NEAS.e9b3d22ebddbc24ac9417ca65c3253d9_JC.exe 83 PID 2776 wrote to memory of 4744 2776 NEAS.e9b3d22ebddbc24ac9417ca65c3253d9_JC.exe 83 PID 4744 wrote to memory of 3668 4744 Kqphfe32.exe 84 PID 4744 wrote to memory of 3668 4744 Kqphfe32.exe 84 PID 4744 wrote to memory of 3668 4744 Kqphfe32.exe 84 PID 3668 wrote to memory of 4468 3668 Lklbdm32.exe 85 PID 3668 wrote to memory of 4468 3668 Lklbdm32.exe 85 PID 3668 wrote to memory of 4468 3668 Lklbdm32.exe 85 PID 4468 wrote to memory of 2388 4468 Lkalplel.exe 86 PID 4468 wrote to memory of 2388 4468 Lkalplel.exe 86 PID 4468 wrote to memory of 2388 4468 Lkalplel.exe 86 PID 2388 wrote to memory of 2892 2388 Lekmnajj.exe 87 PID 2388 wrote to memory of 2892 2388 Lekmnajj.exe 87 PID 2388 wrote to memory of 2892 2388 Lekmnajj.exe 87 PID 2892 wrote to memory of 1136 2892 Mepfiq32.exe 88 PID 2892 wrote to memory of 1136 2892 Mepfiq32.exe 88 PID 2892 wrote to memory of 1136 2892 Mepfiq32.exe 88 PID 1136 wrote to memory of 1604 1136 Mmpdhboj.exe 89 PID 1136 wrote to memory of 1604 1136 Mmpdhboj.exe 89 PID 1136 wrote to memory of 1604 1136 Mmpdhboj.exe 89 PID 1604 wrote to memory of 5080 1604 Mjdebfnd.exe 90 PID 1604 wrote to memory of 5080 1604 Mjdebfnd.exe 90 PID 1604 wrote to memory of 5080 1604 Mjdebfnd.exe 90 PID 5080 wrote to memory of 3692 5080 Nhmofj32.exe 91 PID 5080 wrote to memory of 3692 5080 Nhmofj32.exe 91 PID 5080 wrote to memory of 3692 5080 Nhmofj32.exe 91 PID 3692 wrote to memory of 2540 3692 Njmhhefi.exe 92 PID 3692 wrote to memory of 2540 3692 Njmhhefi.exe 92 PID 3692 wrote to memory of 2540 3692 Njmhhefi.exe 92 PID 2540 wrote to memory of 4672 2540 Neclenfo.exe 93 PID 2540 wrote to memory of 4672 2540 Neclenfo.exe 93 PID 2540 wrote to memory of 4672 2540 Neclenfo.exe 93 PID 4672 wrote to memory of 872 4672 Najmjokc.exe 94 PID 4672 wrote to memory of 872 4672 Najmjokc.exe 94 PID 4672 wrote to memory of 872 4672 Najmjokc.exe 94 PID 872 wrote to memory of 484 872 Ohfami32.exe 95 PID 872 wrote to memory of 484 872 Ohfami32.exe 95 PID 872 wrote to memory of 484 872 Ohfami32.exe 95 PID 484 wrote to memory of 4912 484 Oejbfmpg.exe 96 PID 484 wrote to memory of 4912 484 Oejbfmpg.exe 96 PID 484 wrote to memory of 4912 484 Oejbfmpg.exe 96 PID 4912 wrote to memory of 2684 4912 Olfghg32.exe 97 PID 4912 wrote to memory of 2684 4912 Olfghg32.exe 97 PID 4912 wrote to memory of 2684 4912 Olfghg32.exe 97 PID 2684 wrote to memory of 384 2684 Peahgl32.exe 98 PID 2684 wrote to memory of 384 2684 Peahgl32.exe 98 PID 2684 wrote to memory of 384 2684 Peahgl32.exe 98 PID 384 wrote to memory of 3228 384 Pdhbmh32.exe 99 PID 384 wrote to memory of 3228 384 Pdhbmh32.exe 99 PID 384 wrote to memory of 3228 384 Pdhbmh32.exe 99 PID 3228 wrote to memory of 2040 3228 Pldcjeia.exe 100 PID 3228 wrote to memory of 2040 3228 Pldcjeia.exe 100 PID 3228 wrote to memory of 2040 3228 Pldcjeia.exe 100 PID 2040 wrote to memory of 544 2040 Qaalblgi.exe 101 PID 2040 wrote to memory of 544 2040 Qaalblgi.exe 101 PID 2040 wrote to memory of 544 2040 Qaalblgi.exe 101 PID 544 wrote to memory of 2752 544 Adfnofpd.exe 102 PID 544 wrote to memory of 2752 544 Adfnofpd.exe 102 PID 544 wrote to memory of 2752 544 Adfnofpd.exe 102 PID 2752 wrote to memory of 1652 2752 Akglloai.exe 103 PID 2752 wrote to memory of 1652 2752 Akglloai.exe 103 PID 2752 wrote to memory of 1652 2752 Akglloai.exe 103 PID 1652 wrote to memory of 3788 1652 Bnkbcj32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.e9b3d22ebddbc24ac9417ca65c3253d9_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.e9b3d22ebddbc24ac9417ca65c3253d9_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Kqphfe32.exeC:\Windows\system32\Kqphfe32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Lklbdm32.exeC:\Windows\system32\Lklbdm32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Lkalplel.exeC:\Windows\system32\Lkalplel.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\Lekmnajj.exeC:\Windows\system32\Lekmnajj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Mepfiq32.exeC:\Windows\system32\Mepfiq32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Mmpdhboj.exeC:\Windows\system32\Mmpdhboj.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Nhmofj32.exeC:\Windows\system32\Nhmofj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Njmhhefi.exeC:\Windows\system32\Njmhhefi.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Neclenfo.exeC:\Windows\system32\Neclenfo.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Najmjokc.exeC:\Windows\system32\Najmjokc.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\Ohfami32.exeC:\Windows\system32\Ohfami32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Oejbfmpg.exeC:\Windows\system32\Oejbfmpg.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:484 -
C:\Windows\SysWOW64\Olfghg32.exeC:\Windows\system32\Olfghg32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Peahgl32.exeC:\Windows\system32\Peahgl32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Pdhbmh32.exeC:\Windows\system32\Pdhbmh32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\SysWOW64\Qaalblgi.exeC:\Windows\system32\Qaalblgi.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Adfnofpd.exeC:\Windows\system32\Adfnofpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Akglloai.exeC:\Windows\system32\Akglloai.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Bnkbcj32.exeC:\Windows\system32\Bnkbcj32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Bakgoh32.exeC:\Windows\system32\Bakgoh32.exe23⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Cndeii32.exeC:\Windows\system32\Cndeii32.exe24⤵
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Cnindhpg.exeC:\Windows\system32\Cnindhpg.exe25⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Dokgdkeh.exeC:\Windows\system32\Dokgdkeh.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Ddjmba32.exeC:\Windows\system32\Ddjmba32.exe27⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Dbpjaeoc.exeC:\Windows\system32\Dbpjaeoc.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Dkhnjk32.exeC:\Windows\system32\Dkhnjk32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4860 -
C:\Windows\SysWOW64\Ekkkoj32.exeC:\Windows\system32\Ekkkoj32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Eoideh32.exeC:\Windows\system32\Eoideh32.exe31⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe32⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Eicedn32.exeC:\Windows\system32\Eicedn32.exe33⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Fflohaij.exeC:\Windows\system32\Fflohaij.exe34⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Flmqlg32.exeC:\Windows\system32\Flmqlg32.exe35⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Gmojkj32.exeC:\Windows\system32\Gmojkj32.exe36⤵
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\Gblbca32.exeC:\Windows\system32\Gblbca32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Hlpfhe32.exeC:\Windows\system32\Hlpfhe32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Iinjhh32.exeC:\Windows\system32\Iinjhh32.exe39⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Iojbpo32.exeC:\Windows\system32\Iojbpo32.exe40⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Igdgglfl.exeC:\Windows\system32\Igdgglfl.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Ilqoobdd.exeC:\Windows\system32\Ilqoobdd.exe42⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Jpcapp32.exeC:\Windows\system32\Jpcapp32.exe43⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Jinboekc.exeC:\Windows\system32\Jinboekc.exe44⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Kjblje32.exeC:\Windows\system32\Kjblje32.exe45⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Kpoalo32.exeC:\Windows\system32\Kpoalo32.exe46⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Kncaec32.exeC:\Windows\system32\Kncaec32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4360 -
C:\Windows\SysWOW64\Klhnfo32.exeC:\Windows\system32\Klhnfo32.exe48⤵
- Executes dropped EXE
PID:3824 -
C:\Windows\SysWOW64\Kjlopc32.exeC:\Windows\system32\Kjlopc32.exe49⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Lnjgfb32.exeC:\Windows\system32\Lnjgfb32.exe50⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Lomqcjie.exeC:\Windows\system32\Lomqcjie.exe51⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Lnangaoa.exeC:\Windows\system32\Lnangaoa.exe52⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Ljhnlb32.exeC:\Windows\system32\Ljhnlb32.exe53⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Mfnoqc32.exeC:\Windows\system32\Mfnoqc32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1020 -
C:\Windows\SysWOW64\Mfqlfb32.exeC:\Windows\system32\Mfqlfb32.exe55⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Mmkdcm32.exeC:\Windows\system32\Mmkdcm32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Mmmqhl32.exeC:\Windows\system32\Mmmqhl32.exe57⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Mgbefe32.exeC:\Windows\system32\Mgbefe32.exe58⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Monjjgkb.exeC:\Windows\system32\Monjjgkb.exe59⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Mfhbga32.exeC:\Windows\system32\Mfhbga32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1028 -
C:\Windows\SysWOW64\Nqmfdj32.exeC:\Windows\system32\Nqmfdj32.exe61⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Njfkmphe.exeC:\Windows\system32\Njfkmphe.exe62⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Ngjkfd32.exeC:\Windows\system32\Ngjkfd32.exe63⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Nglhld32.exeC:\Windows\system32\Nglhld32.exe64⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Npgmpf32.exeC:\Windows\system32\Npgmpf32.exe65⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Ojomcopk.exeC:\Windows\system32\Ojomcopk.exe66⤵PID:2788
-
C:\Windows\SysWOW64\Oplfkeob.exeC:\Windows\system32\Oplfkeob.exe67⤵PID:4296
-
C:\Windows\SysWOW64\Ompfej32.exeC:\Windows\system32\Ompfej32.exe68⤵PID:4116
-
C:\Windows\SysWOW64\Ocjoadei.exeC:\Windows\system32\Ocjoadei.exe69⤵PID:2936
-
C:\Windows\SysWOW64\Ombcji32.exeC:\Windows\system32\Ombcji32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2180 -
C:\Windows\SysWOW64\Oaplqh32.exeC:\Windows\system32\Oaplqh32.exe71⤵PID:3304
-
C:\Windows\SysWOW64\Ondljl32.exeC:\Windows\system32\Ondljl32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4544 -
C:\Windows\SysWOW64\Ocaebc32.exeC:\Windows\system32\Ocaebc32.exe73⤵PID:4348
-
C:\Windows\SysWOW64\Pjkmomfn.exeC:\Windows\system32\Pjkmomfn.exe74⤵PID:3336
-
C:\Windows\SysWOW64\Phonha32.exeC:\Windows\system32\Phonha32.exe75⤵PID:4988
-
C:\Windows\SysWOW64\Ppjbmc32.exeC:\Windows\system32\Ppjbmc32.exe76⤵PID:2416
-
C:\Windows\SysWOW64\Paiogf32.exeC:\Windows\system32\Paiogf32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:972 -
C:\Windows\SysWOW64\Pnmopk32.exeC:\Windows\system32\Pnmopk32.exe78⤵PID:4264
-
C:\Windows\SysWOW64\Pjdpelnc.exeC:\Windows\system32\Pjdpelnc.exe79⤵
- Drops file in System32 directory
PID:4040 -
C:\Windows\SysWOW64\Ppahmb32.exeC:\Windows\system32\Ppahmb32.exe80⤵PID:1520
-
C:\Windows\SysWOW64\Qmeigg32.exeC:\Windows\system32\Qmeigg32.exe81⤵
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Qfmmplad.exeC:\Windows\system32\Qfmmplad.exe82⤵PID:1188
-
C:\Windows\SysWOW64\Qacameaj.exeC:\Windows\system32\Qacameaj.exe83⤵PID:1440
-
C:\Windows\SysWOW64\Akkffkhk.exeC:\Windows\system32\Akkffkhk.exe84⤵PID:4816
-
C:\Windows\SysWOW64\Ahaceo32.exeC:\Windows\system32\Ahaceo32.exe85⤵
- Drops file in System32 directory
PID:4692 -
C:\Windows\SysWOW64\Aajhndkb.exeC:\Windows\system32\Aajhndkb.exe86⤵PID:2904
-
C:\Windows\SysWOW64\Aggpfkjj.exeC:\Windows\system32\Aggpfkjj.exe87⤵PID:956
-
C:\Windows\SysWOW64\Aaldccip.exeC:\Windows\system32\Aaldccip.exe88⤵
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Agimkk32.exeC:\Windows\system32\Agimkk32.exe89⤵PID:2428
-
C:\Windows\SysWOW64\Bhhiemoj.exeC:\Windows\system32\Bhhiemoj.exe90⤵PID:1860
-
C:\Windows\SysWOW64\Bdojjo32.exeC:\Windows\system32\Bdojjo32.exe91⤵
- Modifies registry class
PID:3952 -
C:\Windows\SysWOW64\Boenhgdd.exeC:\Windows\system32\Boenhgdd.exe92⤵PID:2436
-
C:\Windows\SysWOW64\Bdagpnbk.exeC:\Windows\system32\Bdagpnbk.exe93⤵PID:1980
-
C:\Windows\SysWOW64\Bgbpaipl.exeC:\Windows\system32\Bgbpaipl.exe94⤵PID:4320
-
C:\Windows\SysWOW64\Bahdob32.exeC:\Windows\system32\Bahdob32.exe95⤵PID:4432
-
C:\Windows\SysWOW64\Bgelgi32.exeC:\Windows\system32\Bgelgi32.exe96⤵PID:1588
-
C:\Windows\SysWOW64\Cdimqm32.exeC:\Windows\system32\Cdimqm32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:844 -
C:\Windows\SysWOW64\Cammjakm.exeC:\Windows\system32\Cammjakm.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4496 -
C:\Windows\SysWOW64\Caojpaij.exeC:\Windows\system32\Caojpaij.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5032 -
C:\Windows\SysWOW64\Chkobkod.exeC:\Windows\system32\Chkobkod.exe100⤵PID:3424
-
C:\Windows\SysWOW64\Cpfcfmlp.exeC:\Windows\system32\Cpfcfmlp.exe101⤵PID:4240
-
C:\Windows\SysWOW64\Cnjdpaki.exeC:\Windows\system32\Cnjdpaki.exe102⤵PID:4980
-
C:\Windows\SysWOW64\Dddllkbf.exeC:\Windows\system32\Dddllkbf.exe103⤵PID:5132
-
C:\Windows\SysWOW64\Dojqjdbl.exeC:\Windows\system32\Dojqjdbl.exe104⤵
- Modifies registry class
PID:5180 -
C:\Windows\SysWOW64\Dkcndeen.exeC:\Windows\system32\Dkcndeen.exe105⤵PID:5224
-
C:\Windows\SysWOW64\Ddkbmj32.exeC:\Windows\system32\Ddkbmj32.exe106⤵PID:5312
-
C:\Windows\SysWOW64\Ehlhih32.exeC:\Windows\system32\Ehlhih32.exe107⤵PID:5348
-
C:\Windows\SysWOW64\Ebdlangb.exeC:\Windows\system32\Ebdlangb.exe108⤵
- Drops file in System32 directory
PID:5392 -
C:\Windows\SysWOW64\Edbiniff.exeC:\Windows\system32\Edbiniff.exe109⤵PID:5440
-
C:\Windows\SysWOW64\Eohmkb32.exeC:\Windows\system32\Eohmkb32.exe110⤵
- Modifies registry class
PID:5480 -
C:\Windows\SysWOW64\Edeeci32.exeC:\Windows\system32\Edeeci32.exe111⤵PID:5528
-
C:\Windows\SysWOW64\Ekonpckp.exeC:\Windows\system32\Ekonpckp.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5572 -
C:\Windows\SysWOW64\Eqlfhjig.exeC:\Windows\system32\Eqlfhjig.exe113⤵PID:5616
-
C:\Windows\SysWOW64\Egened32.exeC:\Windows\system32\Egened32.exe114⤵
- Drops file in System32 directory
PID:5676 -
C:\Windows\SysWOW64\Fgjhpcmo.exeC:\Windows\system32\Fgjhpcmo.exe115⤵PID:5716
-
C:\Windows\SysWOW64\Foapaa32.exeC:\Windows\system32\Foapaa32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5764 -
C:\Windows\SysWOW64\Fdnhih32.exeC:\Windows\system32\Fdnhih32.exe117⤵PID:5808
-
C:\Windows\SysWOW64\Foclgq32.exeC:\Windows\system32\Foclgq32.exe118⤵PID:5856
-
C:\Windows\SysWOW64\Fofilp32.exeC:\Windows\system32\Fofilp32.exe119⤵PID:5924
-
C:\Windows\SysWOW64\Fqgedh32.exeC:\Windows\system32\Fqgedh32.exe120⤵PID:5964
-
C:\Windows\SysWOW64\Fajbjh32.exeC:\Windows\system32\Fajbjh32.exe121⤵PID:6004
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-