Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
22/10/2023, 15:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe
Resource
win7-20230831-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe
-
Size
97KB
-
MD5
e4cb082f052b38ce6886f048d84d0e20
-
SHA1
b2ee91f4df3d9db81137b5a8cc8f0f55e6d80a09
-
SHA256
36c64a5ffd905b6a98075115618b6ae51e9a221a7ea7d63ee2002ab502ba7ffa
-
SHA512
fefa67a05daadbc04c9870826b093a6473cecd97b81892c2ea2fbd410303decfa2575d14ab4f910928cf7135391962d4e20379b1b710ebed3d303786733d7fe3
-
SSDEEP
1536:32GB8tvyj9t4VDU2hryQO7E8uZBVdKv2I+vJXeYZ6:N8puCDFOQO7MZBVd02IWJXeK6
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdghaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kechdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laleof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggggoda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmela32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggapbcne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gncldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmflee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfabnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgdkkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hokhbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgkonj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lljpjchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plmbkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpfjomf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jijokbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhljkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kekkiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhmcelc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggapbcne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llepen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mciabmlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oalkih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Faonom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mloiec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnmpdlac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apedah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmbgfkje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmcopebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnejim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpoolael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpgjgboe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofqmcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgidfcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Famaimfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlqjkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljnqdhga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiflohqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhmaeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bolcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efljhq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eimcjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfdddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jijokbfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laleof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nknimnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plpopddd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbnphngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdhleh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gncnmane.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkalhgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcjilgdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbepm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lofifi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcgmfgfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igmbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epbbkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igqhpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlbdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Objaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijibng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfgebjnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmqmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omckoi32.exe -
Executes dropped EXE 64 IoCs
pid Process 2376 Ddblgn32.exe 2016 Dicnkdnf.exe 1528 Eggndi32.exe 2196 Eppcmncq.exe 2572 Eacljf32.exe 2636 Eaeipfei.exe 2964 Fggkcl32.exe 2824 Fpoolael.exe 2656 Fqalaa32.exe 2504 Fqdiga32.exe 3048 Fgnadkic.exe 1348 Gceailog.exe 2444 Gfejjgli.exe 2000 Gifclb32.exe 1780 Gncldi32.exe 932 Giipab32.exe 2184 Gneijien.exe 1640 Ggnmbn32.exe 2840 Hcdnhoac.exe 1144 Hmmbqegc.exe 1792 Hcgjmo32.exe 308 Hidcef32.exe 1832 Hblgnkdh.exe 832 Hmalldcn.exe 2696 Hbaaik32.exe 2932 Iliebpfc.exe 1568 Iedfqeka.exe 2256 Ijqoilii.exe 2332 Ihdpbq32.exe 468 Ihglhp32.exe 344 Jpdnbbah.exe 1048 Jeafjiop.exe 1392 Jpgjgboe.exe 2156 Jhdlad32.exe 2776 Kkeecogo.exe 2768 Kdnild32.exe 2680 Kgnbnpkp.exe 2600 Kadfkhkf.exe 2268 Knkgpi32.exe 1828 Ljddjj32.exe 2192 Lboiol32.exe 1728 Lldmleam.exe 1992 Lhknaf32.exe 1968 Lnhgim32.exe 1620 Lnjcomcf.exe 1344 Lqipkhbj.exe 1520 Mnmpdlac.exe 2556 Mdghaf32.exe 1360 Mkqqnq32.exe 2928 Mmbmeifk.exe 2404 Mfjann32.exe 2104 Mikjpiim.exe 2148 Mimgeigj.exe 1160 Mcckcbgp.exe 2916 Nfahomfd.exe 2136 Nlnpgd32.exe 736 Nfdddm32.exe 3000 Nibqqh32.exe 1860 Nbjeinje.exe 2632 Ofadnq32.exe 2792 Odedge32.exe 2172 Ojomdoof.exe 2020 Objaha32.exe 3044 Opnbbe32.exe -
Loads dropped DLL 64 IoCs
pid Process 2272 NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe 2272 NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe 2376 Ddblgn32.exe 2376 Ddblgn32.exe 2016 Dicnkdnf.exe 2016 Dicnkdnf.exe 1528 Eggndi32.exe 1528 Eggndi32.exe 2196 Eppcmncq.exe 2196 Eppcmncq.exe 2572 Eacljf32.exe 2572 Eacljf32.exe 2636 Eaeipfei.exe 2636 Eaeipfei.exe 2964 Fggkcl32.exe 2964 Fggkcl32.exe 2824 Fpoolael.exe 2824 Fpoolael.exe 2656 Fqalaa32.exe 2656 Fqalaa32.exe 2504 Fqdiga32.exe 2504 Fqdiga32.exe 3048 Fgnadkic.exe 3048 Fgnadkic.exe 1348 Gceailog.exe 1348 Gceailog.exe 2444 Gfejjgli.exe 2444 Gfejjgli.exe 2000 Gifclb32.exe 2000 Gifclb32.exe 1780 Gncldi32.exe 1780 Gncldi32.exe 932 Giipab32.exe 932 Giipab32.exe 2184 Gneijien.exe 2184 Gneijien.exe 1640 Ggnmbn32.exe 1640 Ggnmbn32.exe 2840 Hcdnhoac.exe 2840 Hcdnhoac.exe 1144 Hmmbqegc.exe 1144 Hmmbqegc.exe 1792 Hcgjmo32.exe 1792 Hcgjmo32.exe 308 Hidcef32.exe 308 Hidcef32.exe 1832 Hblgnkdh.exe 1832 Hblgnkdh.exe 832 Hmalldcn.exe 832 Hmalldcn.exe 2696 Hbaaik32.exe 2696 Hbaaik32.exe 2932 Iliebpfc.exe 2932 Iliebpfc.exe 1568 Iedfqeka.exe 1568 Iedfqeka.exe 2256 Ijqoilii.exe 2256 Ijqoilii.exe 2332 Ihdpbq32.exe 2332 Ihdpbq32.exe 468 Ihglhp32.exe 468 Ihglhp32.exe 344 Jpdnbbah.exe 344 Jpdnbbah.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hcgjmo32.exe Hmmbqegc.exe File created C:\Windows\SysWOW64\Hbcfdk32.dll Cpfmmf32.exe File created C:\Windows\SysWOW64\Olmela32.exe Ofqmcj32.exe File opened for modification C:\Windows\SysWOW64\Ojeobm32.exe Ohfcfb32.exe File created C:\Windows\SysWOW64\Jibnop32.exe Jlnmel32.exe File created C:\Windows\SysWOW64\Jclcfm32.dll Gfejjgli.exe File created C:\Windows\SysWOW64\Gpajfg32.dll Cagienkb.exe File opened for modification C:\Windows\SysWOW64\Felajbpg.exe Fpohakbp.exe File created C:\Windows\SysWOW64\Clgmpqdg.dll Dpnladjl.exe File created C:\Windows\SysWOW64\Dkdmfe32.exe Dfhdnn32.exe File created C:\Windows\SysWOW64\Bjbndpmd.exe Bqijljfd.exe File created C:\Windows\SysWOW64\Felajbpg.exe Fpohakbp.exe File created C:\Windows\SysWOW64\Mdadjd32.exe Mbchni32.exe File created C:\Windows\SysWOW64\Ndfnecgp.exe Nqjaeeog.exe File created C:\Windows\SysWOW64\Hagojlib.dll Qldhkc32.exe File created C:\Windows\SysWOW64\Gfikmo32.dll Bqijljfd.exe File opened for modification C:\Windows\SysWOW64\Jfdhmk32.exe Jeclebja.exe File opened for modification C:\Windows\SysWOW64\Olmela32.exe Ofqmcj32.exe File created C:\Windows\SysWOW64\Lboiol32.exe Ljddjj32.exe File created C:\Windows\SysWOW64\Olbkdn32.dll Qcachc32.exe File opened for modification C:\Windows\SysWOW64\Ghlfjq32.exe Ggkibhjf.exe File created C:\Windows\SysWOW64\Dbobli32.dll Ofqmcj32.exe File created C:\Windows\SysWOW64\Ffbhcq32.dll Bhmaeg32.exe File opened for modification C:\Windows\SysWOW64\Hqgddm32.exe Hadcipbi.exe File created C:\Windows\SysWOW64\Mphiqbon.exe Ljnqdhga.exe File opened for modification C:\Windows\SysWOW64\Fggkcl32.exe Eaeipfei.exe File opened for modification C:\Windows\SysWOW64\Flapkmlj.exe Fibcoalf.exe File opened for modification C:\Windows\SysWOW64\Hiqoeplo.exe Hkmollme.exe File created C:\Windows\SysWOW64\Dociji32.dll Olmela32.exe File created C:\Windows\SysWOW64\Fbegbacp.exe Elkofg32.exe File opened for modification C:\Windows\SysWOW64\Hoqjqhjf.exe Hifbdnbi.exe File created C:\Windows\SysWOW64\Imodkadq.exe Ipjdameg.exe File created C:\Windows\SysWOW64\Jjkkbjln.exe Jijokbfp.exe File created C:\Windows\SysWOW64\Cgidfcdk.exe Bdkhjgeh.exe File created C:\Windows\SysWOW64\Ciffggmh.dll Mmbmeifk.exe File created C:\Windows\SysWOW64\Gdegfn32.exe Goiongbc.exe File created C:\Windows\SysWOW64\Ggkibhjf.exe Gqaafn32.exe File opened for modification C:\Windows\SysWOW64\Jjkkbjln.exe Jijokbfp.exe File opened for modification C:\Windows\SysWOW64\Nqmnjd32.exe Njbfnjeg.exe File created C:\Windows\SysWOW64\Leblqb32.dll Pgfjhcge.exe File created C:\Windows\SysWOW64\Aiodpjni.dll Jeclebja.exe File created C:\Windows\SysWOW64\Ngohbhce.dll Ndcapd32.exe File created C:\Windows\SysWOW64\Hcgmfgfd.exe Hgqlafap.exe File created C:\Windows\SysWOW64\Inojhc32.exe Icifjk32.exe File opened for modification C:\Windows\SysWOW64\Qcachc32.exe Qiioon32.exe File created C:\Windows\SysWOW64\Iahghfmb.dll Hjlbdc32.exe File created C:\Windows\SysWOW64\Dfaaak32.dll Jikhnaao.exe File created C:\Windows\SysWOW64\Koaclfgl.exe Khgkpl32.exe File opened for modification C:\Windows\SysWOW64\Kmimcbja.exe Kkjpggkn.exe File created C:\Windows\SysWOW64\Gncldi32.exe Gifclb32.exe File created C:\Windows\SysWOW64\Cgknkqan.dll Lldmleam.exe File created C:\Windows\SysWOW64\Hiclkp32.exe Hbidne32.exe File created C:\Windows\SysWOW64\Ndcapd32.exe Nkkmgncb.exe File created C:\Windows\SysWOW64\Jkbolo32.dll Qiflohqk.exe File created C:\Windows\SysWOW64\Hahkbf32.dll Bfabnl32.exe File created C:\Windows\SysWOW64\Jagkpl32.dll Flapkmlj.exe File created C:\Windows\SysWOW64\Elkofg32.exe Eimcjl32.exe File created C:\Windows\SysWOW64\Lgfjggll.exe Llpfjomf.exe File opened for modification C:\Windows\SysWOW64\Eaebeoan.exe Ekhmcelc.exe File created C:\Windows\SysWOW64\Ekmfne32.exe Eaebeoan.exe File created C:\Windows\SysWOW64\Aondioej.dll Gkalhgfd.exe File opened for modification C:\Windows\SysWOW64\Ndcapd32.exe Nkkmgncb.exe File created C:\Windows\SysWOW64\Jlqjkk32.exe Jibnop32.exe File created C:\Windows\SysWOW64\Ckhdggom.exe Cenljmgq.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4512 4452 WerFault.exe 378 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnjeilhc.dll" Knkgpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdegfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baajep32.dll" Gekfnoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmclfnqb.dll" Abmgjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kechdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qbnphngk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fijbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hellqgnm.dll" Ghgfekpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oejcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmmbqegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ponklpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Goldfelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibemb32.dll" Fleifl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Agbbgqhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcbfbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmbgfkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkdjglfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njjhknaf.dll" Ojeobm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgfjhcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dinneo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agbbgqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobfbpbc.dll" Coicfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhbpkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Famaimfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gglbfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lghgmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpjbgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijkocg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqjaeeog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pghfnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fabaocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjlbdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhbcdh32.dll" Kbbobkol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmohco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knnpkl32.dll" Iedfqeka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fiepea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjdepgcg.dll" Hiqoeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipmqgmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfgebjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnejim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Japciodd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oieqmphd.dll" Cgidfcdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fefqdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcgmfgfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibacbcgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aakjdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbidne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlqjkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdphjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlnpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efljhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmfenoo.dll" Glklejoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkckhkp.dll" Llepen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmalldcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pehcij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdpmo32.dll" Bolcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgidfcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjbklf32.dll" Nfdddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhjlli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll" Bjpaop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnbejb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhcghdk.dll" Dlifadkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkjpggkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jncfhkjh.dll" Fqdiga32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2272 wrote to memory of 2376 2272 NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe 28 PID 2272 wrote to memory of 2376 2272 NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe 28 PID 2272 wrote to memory of 2376 2272 NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe 28 PID 2272 wrote to memory of 2376 2272 NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe 28 PID 2376 wrote to memory of 2016 2376 Ddblgn32.exe 29 PID 2376 wrote to memory of 2016 2376 Ddblgn32.exe 29 PID 2376 wrote to memory of 2016 2376 Ddblgn32.exe 29 PID 2376 wrote to memory of 2016 2376 Ddblgn32.exe 29 PID 2016 wrote to memory of 1528 2016 Dicnkdnf.exe 30 PID 2016 wrote to memory of 1528 2016 Dicnkdnf.exe 30 PID 2016 wrote to memory of 1528 2016 Dicnkdnf.exe 30 PID 2016 wrote to memory of 1528 2016 Dicnkdnf.exe 30 PID 1528 wrote to memory of 2196 1528 Eggndi32.exe 31 PID 1528 wrote to memory of 2196 1528 Eggndi32.exe 31 PID 1528 wrote to memory of 2196 1528 Eggndi32.exe 31 PID 1528 wrote to memory of 2196 1528 Eggndi32.exe 31 PID 2196 wrote to memory of 2572 2196 Eppcmncq.exe 32 PID 2196 wrote to memory of 2572 2196 Eppcmncq.exe 32 PID 2196 wrote to memory of 2572 2196 Eppcmncq.exe 32 PID 2196 wrote to memory of 2572 2196 Eppcmncq.exe 32 PID 2572 wrote to memory of 2636 2572 Eacljf32.exe 33 PID 2572 wrote to memory of 2636 2572 Eacljf32.exe 33 PID 2572 wrote to memory of 2636 2572 Eacljf32.exe 33 PID 2572 wrote to memory of 2636 2572 Eacljf32.exe 33 PID 2636 wrote to memory of 2964 2636 Eaeipfei.exe 34 PID 2636 wrote to memory of 2964 2636 Eaeipfei.exe 34 PID 2636 wrote to memory of 2964 2636 Eaeipfei.exe 34 PID 2636 wrote to memory of 2964 2636 Eaeipfei.exe 34 PID 2964 wrote to memory of 2824 2964 Fggkcl32.exe 35 PID 2964 wrote to memory of 2824 2964 Fggkcl32.exe 35 PID 2964 wrote to memory of 2824 2964 Fggkcl32.exe 35 PID 2964 wrote to memory of 2824 2964 Fggkcl32.exe 35 PID 2824 wrote to memory of 2656 2824 Fpoolael.exe 36 PID 2824 wrote to memory of 2656 2824 Fpoolael.exe 36 PID 2824 wrote to memory of 2656 2824 Fpoolael.exe 36 PID 2824 wrote to memory of 2656 2824 Fpoolael.exe 36 PID 2656 wrote to memory of 2504 2656 Fqalaa32.exe 37 PID 2656 wrote to memory of 2504 2656 Fqalaa32.exe 37 PID 2656 wrote to memory of 2504 2656 Fqalaa32.exe 37 PID 2656 wrote to memory of 2504 2656 Fqalaa32.exe 37 PID 2504 wrote to memory of 3048 2504 Fqdiga32.exe 38 PID 2504 wrote to memory of 3048 2504 Fqdiga32.exe 38 PID 2504 wrote to memory of 3048 2504 Fqdiga32.exe 38 PID 2504 wrote to memory of 3048 2504 Fqdiga32.exe 38 PID 3048 wrote to memory of 1348 3048 Fgnadkic.exe 39 PID 3048 wrote to memory of 1348 3048 Fgnadkic.exe 39 PID 3048 wrote to memory of 1348 3048 Fgnadkic.exe 39 PID 3048 wrote to memory of 1348 3048 Fgnadkic.exe 39 PID 1348 wrote to memory of 2444 1348 Gceailog.exe 40 PID 1348 wrote to memory of 2444 1348 Gceailog.exe 40 PID 1348 wrote to memory of 2444 1348 Gceailog.exe 40 PID 1348 wrote to memory of 2444 1348 Gceailog.exe 40 PID 2444 wrote to memory of 2000 2444 Gfejjgli.exe 41 PID 2444 wrote to memory of 2000 2444 Gfejjgli.exe 41 PID 2444 wrote to memory of 2000 2444 Gfejjgli.exe 41 PID 2444 wrote to memory of 2000 2444 Gfejjgli.exe 41 PID 2000 wrote to memory of 1780 2000 Gifclb32.exe 42 PID 2000 wrote to memory of 1780 2000 Gifclb32.exe 42 PID 2000 wrote to memory of 1780 2000 Gifclb32.exe 42 PID 2000 wrote to memory of 1780 2000 Gifclb32.exe 42 PID 1780 wrote to memory of 932 1780 Gncldi32.exe 43 PID 1780 wrote to memory of 932 1780 Gncldi32.exe 43 PID 1780 wrote to memory of 932 1780 Gncldi32.exe 43 PID 1780 wrote to memory of 932 1780 Gncldi32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Eacljf32.exeC:\Windows\system32\Eacljf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Fggkcl32.exeC:\Windows\system32\Fggkcl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Fqalaa32.exeC:\Windows\system32\Fqalaa32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Fqdiga32.exeC:\Windows\system32\Fqdiga32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Gceailog.exeC:\Windows\system32\Gceailog.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Gfejjgli.exeC:\Windows\system32\Gfejjgli.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Gifclb32.exeC:\Windows\system32\Gifclb32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Gncldi32.exeC:\Windows\system32\Gncldi32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:932 -
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1144 -
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792 -
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:308 -
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1832 -
C:\Windows\SysWOW64\Hmalldcn.exeC:\Windows\system32\Hmalldcn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1568 -
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:468 -
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:344 -
C:\Windows\SysWOW64\Jeafjiop.exeC:\Windows\system32\Jeafjiop.exe33⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Jpgjgboe.exeC:\Windows\system32\Jpgjgboe.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Jhdlad32.exeC:\Windows\system32\Jhdlad32.exe35⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe36⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Kdnild32.exeC:\Windows\system32\Kdnild32.exe37⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Kgnbnpkp.exeC:\Windows\system32\Kgnbnpkp.exe38⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe39⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Lboiol32.exeC:\Windows\system32\Lboiol32.exe42⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Lhknaf32.exeC:\Windows\system32\Lhknaf32.exe44⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Lnhgim32.exeC:\Windows\system32\Lnhgim32.exe45⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Lnjcomcf.exeC:\Windows\system32\Lnjcomcf.exe46⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Lqipkhbj.exeC:\Windows\system32\Lqipkhbj.exe47⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Mdghaf32.exeC:\Windows\system32\Mdghaf32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Mkqqnq32.exeC:\Windows\system32\Mkqqnq32.exe50⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Mmbmeifk.exeC:\Windows\system32\Mmbmeifk.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Mfjann32.exeC:\Windows\system32\Mfjann32.exe52⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Mikjpiim.exeC:\Windows\system32\Mikjpiim.exe53⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe54⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Mcckcbgp.exeC:\Windows\system32\Mcckcbgp.exe55⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe56⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Nlnpgd32.exeC:\Windows\system32\Nlnpgd32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:736 -
C:\Windows\SysWOW64\Nibqqh32.exeC:\Windows\system32\Nibqqh32.exe59⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Nbjeinje.exeC:\Windows\system32\Nbjeinje.exe60⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Ofadnq32.exeC:\Windows\system32\Ofadnq32.exe61⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Odedge32.exeC:\Windows\system32\Odedge32.exe62⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Ojomdoof.exeC:\Windows\system32\Ojomdoof.exe63⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Objaha32.exeC:\Windows\system32\Objaha32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Opnbbe32.exeC:\Windows\system32\Opnbbe32.exe65⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Olebgfao.exeC:\Windows\system32\Olebgfao.exe66⤵PID:2012
-
C:\Windows\SysWOW64\Pkjphcff.exeC:\Windows\system32\Pkjphcff.exe67⤵PID:880
-
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe68⤵PID:2428
-
C:\Windows\SysWOW64\Pmkhjncg.exeC:\Windows\system32\Pmkhjncg.exe69⤵PID:1996
-
C:\Windows\SysWOW64\Pebpkk32.exeC:\Windows\system32\Pebpkk32.exe70⤵PID:1408
-
C:\Windows\SysWOW64\Phqmgg32.exeC:\Windows\system32\Phqmgg32.exe71⤵PID:1600
-
C:\Windows\SysWOW64\Pmmeon32.exeC:\Windows\system32\Pmmeon32.exe72⤵PID:1592
-
C:\Windows\SysWOW64\Pgfjhcge.exeC:\Windows\system32\Pgfjhcge.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Pghfnc32.exeC:\Windows\system32\Pghfnc32.exe74⤵
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Qiioon32.exeC:\Windows\system32\Qiioon32.exe75⤵
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Qcachc32.exeC:\Windows\system32\Qcachc32.exe76⤵
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Qnghel32.exeC:\Windows\system32\Qnghel32.exe77⤵PID:2456
-
C:\Windows\SysWOW64\Apedah32.exeC:\Windows\system32\Apedah32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1260 -
C:\Windows\SysWOW64\Ajmijmnn.exeC:\Windows\system32\Ajmijmnn.exe79⤵PID:2260
-
C:\Windows\SysWOW64\Allefimb.exeC:\Windows\system32\Allefimb.exe80⤵PID:1704
-
C:\Windows\SysWOW64\Acfmcc32.exeC:\Windows\system32\Acfmcc32.exe81⤵PID:652
-
C:\Windows\SysWOW64\Aakjdo32.exeC:\Windows\system32\Aakjdo32.exe82⤵
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Akcomepg.exeC:\Windows\system32\Akcomepg.exe83⤵PID:3028
-
C:\Windows\SysWOW64\Abmgjo32.exeC:\Windows\system32\Abmgjo32.exe84⤵
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Andgop32.exeC:\Windows\system32\Andgop32.exe85⤵PID:2320
-
C:\Windows\SysWOW64\Bhjlli32.exeC:\Windows\system32\Bhjlli32.exe86⤵
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Bccmmf32.exeC:\Windows\system32\Bccmmf32.exe87⤵PID:2648
-
C:\Windows\SysWOW64\Bjmeiq32.exeC:\Windows\system32\Bjmeiq32.exe88⤵PID:2968
-
C:\Windows\SysWOW64\Bmlael32.exeC:\Windows\system32\Bmlael32.exe89⤵PID:3068
-
C:\Windows\SysWOW64\Bgaebe32.exeC:\Windows\system32\Bgaebe32.exe90⤵PID:2132
-
C:\Windows\SysWOW64\Bjpaop32.exeC:\Windows\system32\Bjpaop32.exe91⤵
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Bqijljfd.exeC:\Windows\system32\Bqijljfd.exe92⤵
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Bjbndpmd.exeC:\Windows\system32\Bjbndpmd.exe93⤵PID:1120
-
C:\Windows\SysWOW64\Bmbgfkje.exeC:\Windows\system32\Bmbgfkje.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Cbppnbhm.exeC:\Windows\system32\Cbppnbhm.exe95⤵PID:1564
-
C:\Windows\SysWOW64\Cenljmgq.exeC:\Windows\system32\Cenljmgq.exe96⤵
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Ckhdggom.exeC:\Windows\system32\Ckhdggom.exe97⤵PID:460
-
C:\Windows\SysWOW64\Cepipm32.exeC:\Windows\system32\Cepipm32.exe98⤵PID:2684
-
C:\Windows\SysWOW64\Cpfmmf32.exeC:\Windows\system32\Cpfmmf32.exe99⤵
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Cagienkb.exeC:\Windows\system32\Cagienkb.exe100⤵
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Cjakccop.exeC:\Windows\system32\Cjakccop.exe101⤵PID:1232
-
C:\Windows\SysWOW64\Calcpm32.exeC:\Windows\system32\Calcpm32.exe102⤵PID:2724
-
C:\Windows\SysWOW64\Djfdob32.exeC:\Windows\system32\Djfdob32.exe103⤵PID:1608
-
C:\Windows\SysWOW64\Daplkmbg.exeC:\Windows\system32\Daplkmbg.exe104⤵PID:1000
-
C:\Windows\SysWOW64\Dbaice32.exeC:\Windows\system32\Dbaice32.exe105⤵PID:2112
-
C:\Windows\SysWOW64\Dpeiligo.exeC:\Windows\system32\Dpeiligo.exe106⤵PID:1648
-
C:\Windows\SysWOW64\Dinneo32.exeC:\Windows\system32\Dinneo32.exe107⤵
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe108⤵PID:1696
-
C:\Windows\SysWOW64\Deenjpcd.exeC:\Windows\system32\Deenjpcd.exe109⤵PID:3064
-
C:\Windows\SysWOW64\Dpjbgh32.exeC:\Windows\system32\Dpjbgh32.exe110⤵
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Dbiocd32.exeC:\Windows\system32\Dbiocd32.exe111⤵PID:2116
-
C:\Windows\SysWOW64\Elacliin.exeC:\Windows\system32\Elacliin.exe112⤵PID:2452
-
C:\Windows\SysWOW64\Eeiheo32.exeC:\Windows\system32\Eeiheo32.exe113⤵PID:1732
-
C:\Windows\SysWOW64\Emdmjamj.exeC:\Windows\system32\Emdmjamj.exe114⤵PID:1488
-
C:\Windows\SysWOW64\Ekhmcelc.exeC:\Windows\system32\Ekhmcelc.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Eaebeoan.exeC:\Windows\system32\Eaebeoan.exe116⤵
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Ekmfne32.exeC:\Windows\system32\Ekmfne32.exe117⤵PID:1748
-
C:\Windows\SysWOW64\Fibcoalf.exeC:\Windows\system32\Fibcoalf.exe118⤵
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Flapkmlj.exeC:\Windows\system32\Flapkmlj.exe119⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe120⤵
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Fpohakbp.exeC:\Windows\system32\Fpohakbp.exe121⤵
- Drops file in System32 directory
PID:1540
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-