Analysis
max time kernel: 123s
max time network: 181s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/10/2023, 17:52
Static task
static1: 1 signature
Behavioral task
behavioral1: sample NEAS.3ec4ad939cf944cca245b58c669c44c9.exe, resource win7-20231023-en, 7 signatures, 150 seconds
Behavioral task
behavioral2: sample NEAS.3ec4ad939cf944cca245b58c669c44c9.exe, resource win10v2004-20231023-en, 5 signatures, 150 seconds (the Windows 10 run whose results are shown on this page)
General
Target: NEAS.3ec4ad939cf944cca245b58c669c44c9.exe
Size: 75KB
MD5: 3ec4ad939cf944cca245b58c669c44c9
SHA1: 61c702f1c38bf23a0a592bc3d49700773fdf9f1b
SHA256: b40321642413b605f8e477f9b4f353998db5924cb51d8566b376c34185c72972
SHA512: 4bd6fb8b6ee4c78a340c57038af161210e5c429158aed0a92862b0801f818c39ba2f77d03c4dd10ef4f23ed4089f3543b9f2556c59d82406802c286436c0c796
SSDEEP: 1536:hyNQz7QCNNCz7Bdx4S9oLTyuP42L46+lWCWQv:CsvN8dQmux46+bWQv
Score: 10/10
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
ShellServiceObjectDelayLoad (SSODL) lists CLSIDs that explorer.exe instantiates at every logon. The dropped executables register the value "Web Event Logger" pointing at CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}; the in-process server for that CLSID is registered under "Modifies registry class" below, so the two signatures together form one persistence mechanism. The registry key is written repeatedly by many of the dropped processes (each name is a freshly dropped copy in SysWOW64).
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efoiko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mjmokmji.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbnknpqj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ndfgfd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iiaein32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddngdj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lejgln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Obdkfg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hheoci32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hoadecal.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Acnefoac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmbjcb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbqlpabf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dikpla32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pebfen32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aoifoa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfchcijo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Obfpejcl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mphfjhjf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bccfleqi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkkjfa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfejme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gnlmai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnmmleja.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Admkgifd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Koceep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmdpok32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbahgbfc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icbpkg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bogcqpdd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckkilhjm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohkkanbe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dlnlkq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eodclj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlefebfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cgijnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hahcfi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eiobmjkd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aoifoa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iiigqdfd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncifdlii.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Flbhia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dfglpjqo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljhcbhnb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icoodj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kfhkop32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Acgfpf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iomcqa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Loqejjad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bcfabgel.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfipol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dlnlkq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbmclobc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iiigqdfd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aoofej32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdfmcobk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Femndhgh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipiaphop.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gafmkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mjpbkc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eceoanpo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmcdolbn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejaklmpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jgigfg32.exe
- Executes dropped EXE (64 IoCs)
pid | Process
2636 | Bdlncn32.exe
1508 | Ckcbaf32.exe
3992 | Cbnknpqj.exe
3832 | Dalkek32.exe
472 | Eaqdpjia.exe
624 | Ehklmd32.exe
2224 | Flbhia32.exe
3380 | Gklnem32.exe
2744 | Glpdjpbj.exe
2336 | Hhnkppbf.exe
2936 | Icjengld.exe
2100 | Ikmpcicg.exe
1196 | Jfdafa32.exe
4324 | Mfofjk32.exe
3580 | Ncecioib.exe
1456 | Obfpejcl.exe
5036 | Odelpm32.exe
4544 | Pmbjcb32.exe
2472 | Admkgifd.exe
4396 | Bcinie32.exe
3724 | Bjeckojo.exe
2116 | Blflmj32.exe
372 | Cjofambd.exe
4372 | Ddnmeejo.exe
1232 | Eegpkcbd.exe
1036 | Ecoiapdj.exe
1312 | Emgnje32.exe
4816 | Elhnhm32.exe
3492 | Feella32.exe
4340 | Fjdajhbi.exe
4912 | Fmejlcoj.exe
3320 | Ghohdk32.exe
400 | Haeino32.exe
2492 | Ionbcb32.exe
2724 | Iemdkl32.exe
5004 | Jlblcdpf.exe
3504 | Koceep32.exe
2708 | Koeajo32.exe
5056 | Mejijcea.exe
4084 | Nbepdfnc.exe
1040 | Nfeepdbg.exe
1720 | Oeahap32.exe
3284 | Onjmjegg.exe
408 | Obgeqcnn.exe
1200 | Pmdpok32.exe
336 | Pbahgbfc.exe
1340 | Ppeipfdm.exe
1968 | Pimmil32.exe
4788 | Qmkfoj32.exe
2284 | Algiaepd.exe
3760 | Bgafin32.exe
4072 | Blnoad32.exe
2204 | Bckddn32.exe
1724 | Boaeioej.exe
2188 | Dnqaheai.exe
4824 | Dqomdppm.exe
1012 | Dfqogfjo.exe
2628 | Dgplai32.exe
3384 | Eodclj32.exe
4296 | Fjanjb32.exe
1212 | Gmimll32.exe
3784 | Gplbcgbg.exe
1512 | Gjagapbn.exe
2788 | Hfhgfaha.exe
- Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Nkncno32.exe | Nddkaddm.exe
File opened for modification | C:\Windows\SysWOW64\Lmppmh32.exe | Lplpcc32.exe
File created | C:\Windows\SysWOW64\Bhmllhmp.dll | Gflhie32.exe
File created | C:\Windows\SysWOW64\Iifodmak.exe | Iciflfcd.exe
File opened for modification | C:\Windows\SysWOW64\Oenljoji.exe | Oocdme32.exe
File created | C:\Windows\SysWOW64\Ijlkqj32.exe | Hahcfi32.exe
File created | C:\Windows\SysWOW64\Ddnmeejo.exe | Cjofambd.exe
File created | C:\Windows\SysWOW64\Bigfndlc.dll | Ehddpdlc.exe
File created | C:\Windows\SysWOW64\Gedaobdo.dll | Ppemmg32.exe
File created | C:\Windows\SysWOW64\Cafqkmge.dll | Idfaolpb.exe
File created | C:\Windows\SysWOW64\Ncifdlii.exe | Nnmmleja.exe
File opened for modification | C:\Windows\SysWOW64\Hmhmko32.exe | Hlipal32.exe
File opened for modification | C:\Windows\SysWOW64\Lbmheomi.exe | Lmppmh32.exe
File created | C:\Windows\SysWOW64\Kncmepjq.dll | Pjaefc32.exe
File opened for modification | C:\Windows\SysWOW64\Gkjhif32.exe | Gaadpqmp.exe
File opened for modification | C:\Windows\SysWOW64\Aqhcid32.exe | Aoifoa32.exe
File created | C:\Windows\SysWOW64\Fielal32.dll | Pogpcghp.exe
File created | C:\Windows\SysWOW64\Caachqjp.dll | Gjjjfkdj.exe
File created | C:\Windows\SysWOW64\Kppmgb32.dll | Kgenlldo.exe
File created | C:\Windows\SysWOW64\Inkjao32.exe | Idbfhiko.exe
File created | C:\Windows\SysWOW64\Cmjgba32.dll | Nmipnp32.exe
File created | C:\Windows\SysWOW64\Kmdqai32.exe | Kppphe32.exe
File created | C:\Windows\SysWOW64\Cijpkmml.exe | Cbphncfo.exe
File opened for modification | C:\Windows\SysWOW64\Ioeineap.exe | Imbpam32.exe
File created | C:\Windows\SysWOW64\Ibdpblpk.dll | Ehlpjikd.exe
File created | C:\Windows\SysWOW64\Ciefpn32.exe | Ckaffjbg.exe
File opened for modification | C:\Windows\SysWOW64\Cfipol32.exe | Eennoknp.exe
File created | C:\Windows\SysWOW64\Cdicdi32.exe | Colklb32.exe
File created | C:\Windows\SysWOW64\Dmgdcp32.dll | Ncecioib.exe
File created | C:\Windows\SysWOW64\Omneeicm.dll | Feella32.exe
File created | C:\Windows\SysWOW64\Ihgqiiph.dll | Hoibmmpi.exe
File created | C:\Windows\SysWOW64\Ogbckf32.dll | Pjhbah32.exe
File opened for modification | C:\Windows\SysWOW64\Jofaeb32.exe | Jcoapami.exe
File created | C:\Windows\SysWOW64\Odbkef32.dll | Blhhaigj.exe
File created | C:\Windows\SysWOW64\Bccfleqi.exe | Bnfmcn32.exe
File created | C:\Windows\SysWOW64\Bmfgid32.dll | Gafmkp32.exe
File created | C:\Windows\SysWOW64\Laocpjjj.dll | Ckaffjbg.exe
File created | C:\Windows\SysWOW64\Adjppm32.dll | Nnmmleja.exe
File created | C:\Windows\SysWOW64\Ngehcfci.dll | Ecoiapdj.exe
File created | C:\Windows\SysWOW64\Kbkaiddd.exe | Kgenlldo.exe
File opened for modification | C:\Windows\SysWOW64\Bohbackj.exe | Boeelcmm.exe
File opened for modification | C:\Windows\SysWOW64\Lkgdfb32.exe | Lmnjan32.exe
File created | C:\Windows\SysWOW64\Fljkkgjq.dll | Knioij32.exe
File created | C:\Windows\SysWOW64\Nlhbja32.exe | Niifnf32.exe
File created | C:\Windows\SysWOW64\Bqhlpbjd.exe | Bfchcijo.exe
File created | C:\Windows\SysWOW64\Npckji32.dll | Ppeipfdm.exe
File created | C:\Windows\SysWOW64\Blamdnfl.dll | Aegidp32.exe
File opened for modification | C:\Windows\SysWOW64\Cjjcof32.exe | Cmfcfb32.exe
File opened for modification | C:\Windows\SysWOW64\Djaipe32.exe | Daiegp32.exe
File created | C:\Windows\SysWOW64\Dkokma32.exe | Feddpj32.exe
File created | C:\Windows\SysWOW64\Ccbqeg32.dll | Pmbjcb32.exe
File created | C:\Windows\SysWOW64\Ejngcgpo.dll | Mmgfmg32.exe
File opened for modification | C:\Windows\SysWOW64\Fjmkhkff.exe | Fpggkbfq.exe
File created | C:\Windows\SysWOW64\Gklnem32.exe | Flbhia32.exe
File created | C:\Windows\SysWOW64\Eeagnc32.exe | Dobffj32.exe
File created | C:\Windows\SysWOW64\Gbcohl32.exe | Gmggpekm.exe
File created | C:\Windows\SysWOW64\Lobogqeq.dll | Jdddjq32.exe
File opened for modification | C:\Windows\SysWOW64\Qocfjlan.exe | Pacfdila.exe
File created | C:\Windows\SysWOW64\Gageoman.dll | Fbhplnca.exe
File created | C:\Windows\SysWOW64\Hbmclobc.exe | Hheoci32.exe
File opened for modification | C:\Windows\SysWOW64\Oemephgn.exe | Okgabpgg.exe
File created | C:\Windows\SysWOW64\Cagolf32.exe | Cabfagee.exe
File created | C:\Windows\SysWOW64\Jhpckehm.dll | Gklenf32.exe
File opened for modification | C:\Windows\SysWOW64\Cjecjahd.exe | Cooolhin.exe
- Modifies registry class (64 IoCs)
These rows register the in-process COM server for CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, the same CLSID the SSODL value above points at. The InProcServer32 default value is rewritten to a freshly dropped, randomly named DLL in SysWow64 (Lpopnf32.dll, Fmqjplak.dll, Jpnkbhef.dll and so on), with ThreadingModel = "Apartment"; whichever DLL is last written is what explorer.exe loads at the next logon. Several of these DLL names also appear in "Drops file in System32 directory" above (for example Fljkkgjq.dll from Knioij32.exe and Jhpckehm.dll from Gklenf32.exe).
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aeiooi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pgdodq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dalkek32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aeiooi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Djcfee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ggpbcaei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oeclockl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Peljha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpopnf32.dll" | Ggpbcaei.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iciflfcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmqjplak.dll" | Gpfjfg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oemephgn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nnpalk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pmlmdd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpnkbhef.dll" | Dfcjoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehhjekgq.dll" | Mmnglh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gflhie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mfjfoidl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmqiag32.dll" | Lcbikd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Moiphnde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flplcjpa.dll" | Gplbcgbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mdjapphl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gdjpff32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mchpibng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Acilkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbomimbi.dll" | Nliakd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Glpdjpbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnfjom.dll" | Nnojad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jejjld32.dll" | Fmejlcoj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kbpkdd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kiggln32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hlefgphj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Echkgnnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enljfc32.dll" | Efoiko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihcig32.dll" | Imbpam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljkkgjq.dll" | Knioij32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pjhbah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plcbgiaq.dll" | Dobffj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Knabne32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qocfjlan.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hdehho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldhbggg.dll" | Mndapl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Blnoad32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mfejme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bmkcjd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Palbpb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Algiaepd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Imdgjlgb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Djcfee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdaiegkj.dll" | Hgboiq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnaacjha.dll" | Iildfd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Akniofoa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hbjonepq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gjagapbn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iifodmak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhlefoa.dll" | Nllekk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jookdcie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ppemmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihdhon32.dll" | Cjecjahd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpckehm.dll" | Gklenf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjhndf32.dll" | Mejijcea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ppeipfdm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pokjnd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njonhjlo.dll" | Engjol32.exe
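The two registry signatures above only become a usable persistence IoC set once the SSODL value name, its CLSID and the InProcServer32 DLL paths are joined. The script below is an added example for this report, not tria.ge code; it takes rows in the report's own "description ioc Process" shape (a constructed six-row subset of the tables above is embedded so it runs offline), resolves each SSODL entry to the DLLs that explorer.exe would load for that CLSID, and emits the registry locations to check on a suspect host. The function and variable names are this example's own.

```python
"""Join tria.ge SSODL and CLSID registry rows into a persistence hunt list.

Added example for this report (not tria.ge code). SAMPLE_ROWS is a constructed
subset copied in shape from the "Adds autorun key" and "Modifies registry class"
tables; the full report has 64 rows in each.
"""
import re
from collections import defaultdict

SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efoiko32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjmokmji.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgdodq32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeiooi32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpopnf32.dll" Ggpbcaei.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmqjplak.dll" Gpfjfg32.exe',
]

CLSID = r'\{[0-9A-Fa-f-]{36}\}'
# SSODL value: explorer.exe instantiates every CLSID listed under this key at logon.
SSODL_RE = re.compile(r'ShellServiceObjectDelayLoad\\(?P<name>[^\\=]+?) = "(?P<clsid>' + CLSID + r')" (?P<proc>\S+)$')
# InProcServer32 default value: the DLL COM loads in-process for that CLSID.
INPROC_RE = re.compile(r'CLSID\\(?P<clsid>' + CLSID + r')\\InProcServer32\\ = "(?P<dll>[^"]+)" (?P<proc>\S+)$')
CLSID_RE = re.compile(CLSID)


def extract_persistence(rows):
    """Return {'ssodl': value name -> CLSID, 'servers': CLSID -> set of DLL paths,
    'writers': CLSID -> set of processes that touched its CLSID key}."""
    ssodl, servers, writers = {}, defaultdict(set), defaultdict(set)
    for row in rows:
        row = row.strip()
        proc = row.rsplit(" ", 1)[-1]          # last column is the writing process
        m = SSODL_RE.search(row)
        if m:
            ssodl[m["name"]] = m["clsid"].upper()
            continue
        m = INPROC_RE.search(row)
        if m:
            # The report escapes backslashes regedit-style ("C:\\Windows\\..."); unescape once.
            servers[m["clsid"].upper()].add(m["dll"].replace("\\\\", "\\"))
        m = CLSID_RE.search(row)
        if m:
            writers[m.group(0).upper()].add(proc)
    return {"ssodl": ssodl, "servers": dict(servers), "writers": dict(writers)}


def link_ssodl_to_dlls(rows):
    """Resolve each SSODL entry to the DLLs that would be loaded into explorer.exe."""
    found = extract_persistence(rows)
    return [(name, clsid, sorted(found["servers"].get(clsid, ())))
            for name, clsid in sorted(found["ssodl"].items())]


def hunt_locations(rows):
    """Registry locations to inspect on a suspect host, derived only from the rows."""
    out = []
    for name, clsid, dlls in link_ssodl_to_dlls(rows):
        out.append("HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad"
                   " -> " + name + " = " + clsid)
        out.append("HKLM\\SOFTWARE\\Classes\\WOW6432Node\\CLSID\\" + clsid + "\\InProcServer32 -> "
                   + (" | ".join(dlls) or "<no DLL path recorded>"))
    return out


if __name__ == "__main__":
    for line in hunt_locations(SAMPLE_ROWS):
        print(line)
    print("processes touching the CLSID key:",
          sorted(extract_persistence(SAMPLE_ROWS)["writers"].get("{79FEACFF-FFCE-815E-A900-316290B5B738}", ())))
```

Feeding it the full tables from this report yields one SSODL entry, a set of roughly twenty SysWow64 DLL paths for the same CLSID, and a long list of writer processes; the DLL paths are the durable IoC, since the EXE names change with every hop of the chain. When checking a live host, look at both the 32-bit (WOW6432Node) and native views of the keys: this sample is 32-bit and the report only shows the WOW6432Node paths.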
- Suspicious use of WriteProcessMemory (64 IoCs)
Each process writes into the memory of exactly one child, the next dropped copy, so the rows form a single linear spawn chain starting at the submitted sample (PID 1536). The sandbox records three identical WriteProcessMemory rows for every parent/child pair during the same launch; they are collapsed here with the count in the last column (the final pair is cut off at the 64-IoC limit).
description | pid | Process | procid_target | entries
PID 1536 wrote to memory of 2636 | 1536 | NEAS.3ec4ad939cf944cca245b58c669c44c9.exe | 92 | 3
PID 2636 wrote to memory of 1508 | 2636 | Bdlncn32.exe | 93 | 3
PID 1508 wrote to memory of 3992 | 1508 | Ckcbaf32.exe | 94 | 3
PID 3992 wrote to memory of 3832 | 3992 | Cbnknpqj.exe | 95 | 3
PID 3832 wrote to memory of 472 | 3832 | Dalkek32.exe | 96 | 3
PID 472 wrote to memory of 624 | 472 | Eaqdpjia.exe | 97 | 3
PID 624 wrote to memory of 2224 | 624 | Ehklmd32.exe | 98 | 3
PID 2224 wrote to memory of 3380 | 2224 | Flbhia32.exe | 99 | 3
PID 3380 wrote to memory of 2744 | 3380 | Gklnem32.exe | 100 | 3
PID 2744 wrote to memory of 2336 | 2744 | Glpdjpbj.exe | 101 | 3
PID 2336 wrote to memory of 2936 | 2336 | Hhnkppbf.exe | 102 | 3
PID 2936 wrote to memory of 2100 | 2936 | Icjengld.exe | 103 | 3
PID 2100 wrote to memory of 1196 | 2100 | Ikmpcicg.exe | 104 | 3
PID 1196 wrote to memory of 4324 | 1196 | Jfdafa32.exe | 105 | 3
PID 4324 wrote to memory of 3580 | 4324 | Mfofjk32.exe | 106 | 3
PID 3580 wrote to memory of 1456 | 3580 | Ncecioib.exe | 107 | 3
PID 1456 wrote to memory of 5036 | 1456 | Obfpejcl.exe | 108 | 3
PID 5036 wrote to memory of 4544 | 5036 | Odelpm32.exe | 109 | 3
PID 4544 wrote to memory of 2472 | 4544 | Pmbjcb32.exe | 110 | 3
PID 2472 wrote to memory of 4396 | 2472 | Admkgifd.exe | 111 | 3
PID 4396 wrote to memory of 3724 | 4396 | Bcinie32.exe | 112 | 3
PID 3724 wrote to memory of 2116 | 3724 | Bjeckojo.exe | 113 | 1
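Reading a chain like this off a flattened table is error-prone, and the leaf process never appears as a writer, so its image name has to come from the "Executes dropped EXE" table instead. The script below is an added example for this report, not tria.ge code. It parses rows in the report's own shape (a constructed subset covering the first four hops, including the triplicated rows, is embedded so it runs offline), collapses the duplicates, rebuilds the parent/child tree, checks that it really is one linear lineage, and names every PID in the walk. All function and variable names are this example's own.

```python
"""Rebuild the spawn chain from tria.ge "Suspicious use of WriteProcessMemory" rows.

Added example for this report (not tria.ge code). SAMPLE_WRITES and SAMPLE_DROPPED
are constructed subsets (first four hops) copied in shape from the tables above.
"""
import re

SAMPLE_WRITES = (
    "PID 1536 wrote to memory of 2636 1536 NEAS.3ec4ad939cf944cca245b58c669c44c9.exe 92 "
    "PID 1536 wrote to memory of 2636 1536 NEAS.3ec4ad939cf944cca245b58c669c44c9.exe 92 "
    "PID 1536 wrote to memory of 2636 1536 NEAS.3ec4ad939cf944cca245b58c669c44c9.exe 92 "
    "PID 2636 wrote to memory of 1508 2636 Bdlncn32.exe 93 "
    "PID 2636 wrote to memory of 1508 2636 Bdlncn32.exe 93 "
    "PID 2636 wrote to memory of 1508 2636 Bdlncn32.exe 93 "
    "PID 1508 wrote to memory of 3992 1508 Ckcbaf32.exe 94 "
    "PID 1508 wrote to memory of 3992 1508 Ckcbaf32.exe 94 "
    "PID 1508 wrote to memory of 3992 1508 Ckcbaf32.exe 94 "
    "PID 3992 wrote to memory of 3832 3992 Cbnknpqj.exe 95"
)
# "Executes dropped EXE" rows supply the image name of the leaf, which never writes to anyone.
SAMPLE_DROPPED = "2636 Bdlncn32.exe 1508 Ckcbaf32.exe 3992 Cbnknpqj.exe 3832 Dalkek32.exe"

# Row shape: "PID <src> wrote to memory of <dst> <src> <src image> <procid_target>"
WRITE_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)")
DROPPED_RE = re.compile(r"(?P<pid>\d+) (?P<image>\S+\.exe)")


def parse_writes(blob):
    """Distinct (src_pid, dst_pid, src_image) tuples in first-seen order. The sandbox logs
    three identical rows per launch, so duplicates are collapsed here."""
    seen, writes = set(), []
    for m in WRITE_RE.finditer(blob):
        key = (int(m["src"]), int(m["dst"]), m["image"])
        if key not in seen:
            seen.add(key)
            writes.append(key)
    return writes


def parse_dropped(blob):
    """pid -> image name from an 'Executes dropped EXE' row blob."""
    return {int(m["pid"]): m["image"] for m in DROPPED_RE.finditer(blob)}


def children_of(writes):
    tree = {}
    for src, dst, _ in writes:
        tree.setdefault(src, []).append(dst)
    return tree


def is_single_lineage(writes):
    """True when every writer has exactly one child and every child exactly one parent:
    the 'each dropped copy launches the next' pattern this report shows."""
    parents = {}
    for src, dst, _ in writes:
        parents.setdefault(dst, set()).add(src)
    return (all(len(c) == 1 for c in children_of(writes).values())
            and all(len(p) == 1 for p in parents.values()))


def lineage(writes, dropped, root):
    """Walk the chain from root as a list of (pid, image). A PID is named from the write
    it issued, falling back to the dropped-EXE table for the leaf."""
    names = dict(dropped)
    names.update({src: img for src, _, img in writes})
    tree = children_of(writes)
    chain, pid, visited = [], root, set()
    while pid is not None and pid not in visited:      # visited guard stops on any cycle
        visited.add(pid)
        chain.append((pid, names.get(pid, "?")))
        kids = tree.get(pid, [])
        pid = kids[0] if len(kids) == 1 else None        # stop where the chain forks or ends
    return chain


if __name__ == "__main__":
    w = parse_writes(SAMPLE_WRITES)
    print("distinct launches:", len(w), "| single lineage:", is_single_lineage(w))
    for depth, (pid, image) in enumerate(lineage(w, parse_dropped(SAMPLE_DROPPED), 1536), 1):
        print(f"[{depth}] {pid} {image}")
```

Run against the full tables, the walk reproduces the 22-hop chain in the "Processes" tree below. The fork check matters for triage: a writer with several children would mean the sample also injected into an unrelated process, which this report does not show.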
Processes
Each process is spawned by the one listed immediately above it; the number in brackets is its depth in the process tree.

[1] C:\Users\Admin\AppData\Local\Temp\NEAS.3ec4ad939cf944cca245b58c669c44c9.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.3ec4ad939cf944cca245b58c669c44c9.exe") PID 1536
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Bdlncn32.exe (command line: C:\Windows\system32\Bdlncn32.exe) PID 2636
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\Ckcbaf32.exe (command line: C:\Windows\system32\Ckcbaf32.exe) PID 1508
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\Cbnknpqj.exe (command line: C:\Windows\system32\Cbnknpqj.exe) PID 3992
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\Dalkek32.exe (command line: C:\Windows\system32\Dalkek32.exe) PID 3832
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\Eaqdpjia.exe (command line: C:\Windows\system32\Eaqdpjia.exe) PID 472
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\Ehklmd32.exe (command line: C:\Windows\system32\Ehklmd32.exe) PID 624
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\Flbhia32.exe (command line: C:\Windows\system32\Flbhia32.exe) PID 2224
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
[9] C:\Windows\SysWOW64\Gklnem32.exe (command line: C:\Windows\system32\Gklnem32.exe) PID 3380
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\Glpdjpbj.exe (command line: C:\Windows\system32\Glpdjpbj.exe) PID 2744
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[11] C:\Windows\SysWOW64\Hhnkppbf.exe (command line: C:\Windows\system32\Hhnkppbf.exe) PID 2336
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\Icjengld.exe (command line: C:\Windows\system32\Icjengld.exe) PID 2936
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[13] C:\Windows\SysWOW64\Ikmpcicg.exe (command line: C:\Windows\system32\Ikmpcicg.exe) PID 2100
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[14] C:\Windows\SysWOW64\Jfdafa32.exe (command line: C:\Windows\system32\Jfdafa32.exe) PID 1196
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[15] C:\Windows\SysWOW64\Mfofjk32.exe (command line: C:\Windows\system32\Mfofjk32.exe) PID 4324
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[16] C:\Windows\SysWOW64\Ncecioib.exe (command line: C:\Windows\system32\Ncecioib.exe) PID 3580
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
[17] C:\Windows\SysWOW64\Obfpejcl.exe (command line: C:\Windows\system32\Obfpejcl.exe) PID 1456
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[18] C:\Windows\SysWOW64\Odelpm32.exe (command line: C:\Windows\system32\Odelpm32.exe) PID 5036
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[19] C:\Windows\SysWOW64\Pmbjcb32.exe (command line: C:\Windows\system32\Pmbjcb32.exe) PID 4544
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
[20] C:\Windows\SysWOW64\Admkgifd.exe (command line: C:\Windows\system32\Admkgifd.exe) PID 2472
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[21] C:\Windows\SysWOW64\Bcinie32.exe (command line: C:\Windows\system32\Bcinie32.exe) PID 4396
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[22] C:\Windows\SysWOW64\Bjeckojo.exe (command line: C:\Windows\system32\Bjeckojo.exe) PID 3724
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[23] C:\Windows\SysWOW64\Blflmj32.exe (command line: C:\Windows\system32\Blflmj32.exe) PID 2116
    - Executes dropped EXE
[24] C:\Windows\SysWOW64\Cjofambd.exe (command line: C:\Windows\system32\Cjofambd.exe) PID 372
    - Executes dropped EXE
    - Drops file in System32 directory
[25] C:\Windows\SysWOW64\Ddnmeejo.exe (command line: C:\Windows\system32\Ddnmeejo.exe) PID 4372
    - Executes dropped EXE
[26] C:\Windows\SysWOW64\Eegpkcbd.exe (command line: C:\Windows\system32\Eegpkcbd.exe) PID 1232
    - Executes dropped EXE
[27] C:\Windows\SysWOW64\Ecoiapdj.exe (command line: C:\Windows\system32\Ecoiapdj.exe) PID 1036
    - Executes dropped EXE
    - Drops file in System32 directory
C:\Windows\SysWOW64\Emgnje32.exeC:\Windows\system32\Emgnje32.exe28⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Elhnhm32.exeC:\Windows\system32\Elhnhm32.exe29⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Feella32.exeC:\Windows\system32\Feella32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3492 -
C:\Windows\SysWOW64\Fjdajhbi.exeC:\Windows\system32\Fjdajhbi.exe31⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Fmejlcoj.exeC:\Windows\system32\Fmejlcoj.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:4912 -
C:\Windows\SysWOW64\Ghohdk32.exeC:\Windows\system32\Ghohdk32.exe33⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Haeino32.exeC:\Windows\system32\Haeino32.exe34⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Ionbcb32.exeC:\Windows\system32\Ionbcb32.exe35⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Iemdkl32.exeC:\Windows\system32\Iemdkl32.exe36⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Jlblcdpf.exeC:\Windows\system32\Jlblcdpf.exe37⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Koceep32.exeC:\Windows\system32\Koceep32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Koeajo32.exeC:\Windows\system32\Koeajo32.exe39⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Mejijcea.exeC:\Windows\system32\Mejijcea.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:5056 -
C:\Windows\SysWOW64\Nbepdfnc.exeC:\Windows\system32\Nbepdfnc.exe41⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Nfeepdbg.exeC:\Windows\system32\Nfeepdbg.exe42⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Oeahap32.exeC:\Windows\system32\Oeahap32.exe43⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Onjmjegg.exeC:\Windows\system32\Onjmjegg.exe44⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Obgeqcnn.exeC:\Windows\system32\Obgeqcnn.exe45⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Pmdpok32.exeC:\Windows\system32\Pmdpok32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Pbahgbfc.exeC:\Windows\system32\Pbahgbfc.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Ppeipfdm.exeC:\Windows\system32\Ppeipfdm.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Pimmil32.exeC:\Windows\system32\Pimmil32.exe49⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Qmkfoj32.exeC:\Windows\system32\Qmkfoj32.exe50⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Algiaepd.exeC:\Windows\system32\Algiaepd.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Bgafin32.exeC:\Windows\system32\Bgafin32.exe52⤵
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\Blnoad32.exeC:\Windows\system32\Blnoad32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:4072 -
C:\Windows\SysWOW64\Bckddn32.exeC:\Windows\system32\Bckddn32.exe54⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Boaeioej.exeC:\Windows\system32\Boaeioej.exe55⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Dnqaheai.exeC:\Windows\system32\Dnqaheai.exe56⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Dqomdppm.exeC:\Windows\system32\Dqomdppm.exe57⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Dfqogfjo.exeC:\Windows\system32\Dfqogfjo.exe58⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Dgplai32.exeC:\Windows\system32\Dgplai32.exe59⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Eodclj32.exeC:\Windows\system32\Eodclj32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Fjanjb32.exeC:\Windows\system32\Fjanjb32.exe61⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Gmimll32.exeC:\Windows\system32\Gmimll32.exe62⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Gplbcgbg.exeC:\Windows\system32\Gplbcgbg.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:3784 -
C:\Windows\SysWOW64\Gjagapbn.exeC:\Windows\system32\Gjagapbn.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Hfhgfaha.exeC:\Windows\system32\Hfhgfaha.exe65⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Hmbpbk32.exeC:\Windows\system32\Hmbpbk32.exe66⤵PID:4488
-
C:\Windows\SysWOW64\Hfkdkqeo.exeC:\Windows\system32\Hfkdkqeo.exe67⤵PID:1784
-
C:\Windows\SysWOW64\Haeadi32.exeC:\Windows\system32\Haeadi32.exe68⤵PID:872
-
C:\Windows\SysWOW64\Hoibmmpi.exeC:\Windows\system32\Hoibmmpi.exe69⤵
- Drops file in System32 directory
PID:1492 -
C:\Windows\SysWOW64\Ihfpabbd.exeC:\Windows\system32\Ihfpabbd.exe70⤵PID:4184
-
C:\Windows\SysWOW64\Igmjhnej.exeC:\Windows\system32\Igmjhnej.exe71⤵PID:112
-
C:\Windows\SysWOW64\Jgdphm32.exeC:\Windows\system32\Jgdphm32.exe72⤵PID:1884
-
C:\Windows\SysWOW64\Jpmdabfb.exeC:\Windows\system32\Jpmdabfb.exe73⤵PID:3448
-
C:\Windows\SysWOW64\Kobnji32.exeC:\Windows\system32\Kobnji32.exe74⤵PID:4424
-
C:\Windows\SysWOW64\Kknhjj32.exeC:\Windows\system32\Kknhjj32.exe75⤵PID:3300
-
C:\Windows\SysWOW64\Kdfmcobk.exeC:\Windows\system32\Kdfmcobk.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5096 -
C:\Windows\SysWOW64\Lnfgmc32.exeC:\Windows\system32\Lnfgmc32.exe77⤵PID:3444
-
C:\Windows\SysWOW64\Mohplf32.exeC:\Windows\system32\Mohplf32.exe78⤵PID:932
-
C:\Windows\SysWOW64\Mhpeelnd.exeC:\Windows\system32\Mhpeelnd.exe79⤵PID:1644
-
C:\Windows\SysWOW64\Bhgeao32.exeC:\Windows\system32\Bhgeao32.exe80⤵PID:4048
-
C:\Windows\SysWOW64\Gjjjfkdj.exeC:\Windows\system32\Gjjjfkdj.exe81⤵
- Drops file in System32 directory
PID:3756 -
C:\Windows\SysWOW64\Gpkliaol.exeC:\Windows\system32\Gpkliaol.exe82⤵PID:2616
-
C:\Windows\SysWOW64\Hjcllilo.exeC:\Windows\system32\Hjcllilo.exe83⤵PID:4532
-
C:\Windows\SysWOW64\Hbanfk32.exeC:\Windows\system32\Hbanfk32.exe84⤵PID:404
-
C:\Windows\SysWOW64\Imklncch.exeC:\Windows\system32\Imklncch.exe85⤵PID:2212
-
C:\Windows\SysWOW64\Iiffoc32.exeC:\Windows\system32\Iiffoc32.exe86⤵PID:4560
-
C:\Windows\SysWOW64\Ipqnknld.exeC:\Windows\system32\Ipqnknld.exe87⤵PID:4520
-
C:\Windows\SysWOW64\Ijfbhflj.exeC:\Windows\system32\Ijfbhflj.exe88⤵PID:2468
-
C:\Windows\SysWOW64\Kdophj32.exeC:\Windows\system32\Kdophj32.exe89⤵PID:624
-
C:\Windows\SysWOW64\Kpjjhj32.exeC:\Windows\system32\Kpjjhj32.exe90⤵PID:2704
-
C:\Windows\SysWOW64\Lgdbedmc.exeC:\Windows\system32\Lgdbedmc.exe91⤵PID:1148
-
C:\Windows\SysWOW64\Lmnjan32.exeC:\Windows\system32\Lmnjan32.exe92⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Lkgdfb32.exeC:\Windows\system32\Lkgdfb32.exe93⤵PID:4400
-
C:\Windows\SysWOW64\Lcbikd32.exeC:\Windows\system32\Lcbikd32.exe94⤵
- Modifies registry class
PID:220 -
C:\Windows\SysWOW64\Mgpaqbcf.exeC:\Windows\system32\Mgpaqbcf.exe95⤵PID:3468
-
C:\Windows\SysWOW64\Mphfjhjf.exeC:\Windows\system32\Mphfjhjf.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1992 -
C:\Windows\SysWOW64\Mcklac32.exeC:\Windows\system32\Mcklac32.exe97⤵PID:4700
-
C:\Windows\SysWOW64\Nglala32.exeC:\Windows\system32\Nglala32.exe98⤵PID:3988
-
C:\Windows\SysWOW64\Nddkaddm.exeC:\Windows\system32\Nddkaddm.exe99⤵
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\Nkncno32.exeC:\Windows\system32\Nkncno32.exe100⤵PID:2400
-
C:\Windows\SysWOW64\Ndfgfd32.exeC:\Windows\system32\Ndfgfd32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5048 -
C:\Windows\SysWOW64\Okjbimal.exeC:\Windows\system32\Okjbimal.exe102⤵PID:5124
-
C:\Windows\SysWOW64\Obdkfg32.exeC:\Windows\system32\Obdkfg32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5196 -
C:\Windows\SysWOW64\Pcjaio32.exeC:\Windows\system32\Pcjaio32.exe104⤵PID:5256
-
C:\Windows\SysWOW64\Peljha32.exeC:\Windows\system32\Peljha32.exe105⤵
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Pjhbah32.exeC:\Windows\system32\Pjhbah32.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:5352 -
C:\Windows\SysWOW64\Ajphagha.exeC:\Windows\system32\Ajphagha.exe107⤵PID:5404
-
C:\Windows\SysWOW64\Aegidp32.exeC:\Windows\system32\Aegidp32.exe108⤵
- Drops file in System32 directory
PID:5440 -
C:\Windows\SysWOW64\Alaaajmb.exeC:\Windows\system32\Alaaajmb.exe109⤵PID:5484
-
C:\Windows\SysWOW64\Abkjnd32.exeC:\Windows\system32\Abkjnd32.exe110⤵PID:5524
-
C:\Windows\SysWOW64\Alcofi32.exeC:\Windows\system32\Alcofi32.exe111⤵PID:5568
-
C:\Windows\SysWOW64\Blhhaigj.exeC:\Windows\system32\Blhhaigj.exe112⤵
- Drops file in System32 directory
PID:5616 -
C:\Windows\SysWOW64\Beqljn32.exeC:\Windows\system32\Beqljn32.exe113⤵PID:5664
-
C:\Windows\SysWOW64\Bdfilkbb.exeC:\Windows\system32\Bdfilkbb.exe114⤵PID:5720
-
C:\Windows\SysWOW64\Clfdcgkj.exeC:\Windows\system32\Clfdcgkj.exe115⤵PID:5764
-
C:\Windows\SysWOW64\Cbqlpabf.exeC:\Windows\system32\Cbqlpabf.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5840 -
C:\Windows\SysWOW64\Cecbgl32.exeC:\Windows\system32\Cecbgl32.exe117⤵PID:5908
-
C:\Windows\SysWOW64\Eceoanpo.exeC:\Windows\system32\Eceoanpo.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5960 -
C:\Windows\SysWOW64\Edgkif32.exeC:\Windows\system32\Edgkif32.exe119⤵PID:6012
-
C:\Windows\SysWOW64\Echkgnnl.exeC:\Windows\system32\Echkgnnl.exe120⤵
- Modifies registry class
PID:6052 -
C:\Windows\SysWOW64\Ehddpdlc.exeC:\Windows\system32\Ehddpdlc.exe121⤵
- Drops file in System32 directory
PID:6132 -
C:\Windows\SysWOW64\Femndhgh.exeC:\Windows\system32\Femndhgh.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5180