Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
134s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
28/10/2023, 20:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.e3401a57d136f003ab4105b867ec9380.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.e3401a57d136f003ab4105b867ec9380.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.e3401a57d136f003ab4105b867ec9380.exe
-
Size
84KB
-
MD5
e3401a57d136f003ab4105b867ec9380
-
SHA1
15ea1dbabf00204a2fc1142e029417f4692d014b
-
SHA256
6ad307c5d87969dbe886e8e5df40a100157cfe6ea5d5ace69bdb1e7a94d278db
-
SHA512
0c670585e071901ae6c3a9bcdcea5a6c5bd797b8c88c47833bf9f0beb8c37b36e8cb17361e5da9ef043f4c0c66562ab184f88b9ca466c9d73723af8ad44e0f5d
-
SSDEEP
1536:KePi4rkgXmdmGiIn1b5+foUen8ANZLvfPDyH6n8dEelLYR7xeGSmUmmmmmmmmmmo:Kea4rHWP71l6oUef3PDyH6n8djlLYR7V
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaflio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgbkgmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlbdba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpegfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmedmj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haeino32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iodjcnca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldblon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopgdcnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpmmfbfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmifcjif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbiioe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnanadfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenjng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbbggeli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjpoio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdfapjbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jekpljgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blkkaohc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcpjpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeaqfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfcjhphd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogjdheqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgagll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjebiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbdano32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odnfonag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhfhnfhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deanhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhpckb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnepbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poagma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njmejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Celgjlpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiimejap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elepei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbhcdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pikqcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dapcab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcdifdem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Linojbdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gojgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Linojbdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfqjkljn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kanffogf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibncmchl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odfcjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjpoio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aacjofkp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogjmnomi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpaqqdjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kidmcqeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glmqjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kadnfkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkhdgfen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocknmjcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpkppbho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccendc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peaahmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peaahmcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maefnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcnmhpoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eanqpdgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmnmbbgp.exe -
Executes dropped EXE 64 IoCs
pid Process 1892 Gjebiq32.exe 2136 Ijjekn32.exe 2660 Jcjodbgl.exe 3064 Jjhalkjc.exe 2636 Kfdklllb.exe 1460 Lhadgmge.exe 4036 Maoakaip.exe 2580 Moglpedd.exe 1884 Onmahojj.exe 4756 Okcogc32.exe 992 Poagma32.exe 1556 Pgoigcip.exe 696 Qhghge32.exe 4600 Aeeomegd.exe 4612 Aeglbeea.exe 1808 Bghddp32.exe 1012 Beobcdoi.exe 5036 Bpfcelml.exe 2140 Cpmifkgd.exe 2952 Cppelkeb.exe 3848 Cnebmgjj.exe 5060 Dbckcf32.exe 3536 Dfcqod32.exe 5004 Ehifak32.exe 2456 Ebagdddp.exe 224 Eeaqfo32.exe 4932 Fochecog.exe 1096 Fgmllpng.exe 4660 Gllajf32.exe 1832 Gpodkdll.exe 232 Hpaqqdjj.exe 4852 Hjlaoioh.exe 2156 Hcipcnac.exe 868 Iqmplbpl.exe 1888 Iodjcnca.exe 4648 Imjgbb32.exe 408 Jmmcgbnf.exe 4368 Jonlimkg.exe 1500 Jopiom32.exe 532 Jjhjae32.exe 2620 Kpgoolbl.exe 2316 Kaflio32.exe 4760 Kidmcqeg.exe 3340 Kifjip32.exe 4188 Lgjglg32.exe 3012 Ladhkmno.exe 3060 Lfcmhc32.exe 3944 Mffjnc32.exe 1420 Mapgfk32.exe 4444 Mjkiephp.exe 528 Njmejp32.exe 860 Nmnnlk32.exe 1336 Ndjcne32.exe 1008 Nmedmj32.exe 4252 Odfcjc32.exe 3852 Oajccgmd.exe 2568 Pkgaglpp.exe 1208 Pgbkgmao.exe 3040 Qpkppbho.exe 1952 Qpmmfbfl.exe 440 Aqpika32.exe 4292 Ancjef32.exe 60 Aglnnkid.exe 4212 Akjgdjoj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Efmcmbjq.dll Ogljcokf.exe File created C:\Windows\SysWOW64\Qkjbfi32.dll Iajbinaf.exe File created C:\Windows\SysWOW64\Fgocnleh.dll Nmajbnha.exe File opened for modification C:\Windows\SysWOW64\Oeahap32.exe Olidijjf.exe File created C:\Windows\SysWOW64\Gfcnka32.exe Gpjfng32.exe File opened for modification C:\Windows\SysWOW64\Mqnfon32.exe Mkangg32.exe File created C:\Windows\SysWOW64\Ejldginl.dll Obanqgkl.exe File created C:\Windows\SysWOW64\Poagma32.exe Okcogc32.exe File opened for modification C:\Windows\SysWOW64\Akjgdjoj.exe Aglnnkid.exe File created C:\Windows\SysWOW64\Cgffmigc.dll Qipjokik.exe File created C:\Windows\SysWOW64\Gfqjkljn.exe Gjjjfkdj.exe File opened for modification C:\Windows\SysWOW64\Pbmnlf32.exe Pghiomqi.exe File opened for modification C:\Windows\SysWOW64\Haeino32.exe Heohinog.exe File created C:\Windows\SysWOW64\Njjnnm32.dll Ainfpi32.exe File opened for modification C:\Windows\SysWOW64\Ebbinp32.exe Elepei32.exe File opened for modification C:\Windows\SysWOW64\Kanffogf.exe Kfhbifgq.exe File opened for modification C:\Windows\SysWOW64\Obanqgkl.exe Ogljcokf.exe File opened for modification C:\Windows\SysWOW64\Pcjaio32.exe Pkoldl32.exe File opened for modification C:\Windows\SysWOW64\Ocknmjcf.exe Ofgmdf32.exe File created C:\Windows\SysWOW64\Ckmmpg32.exe Bdphnmjk.exe File created C:\Windows\SysWOW64\Hhhdpd32.exe Hanlcjgh.exe File opened for modification C:\Windows\SysWOW64\Dpqcoj32.exe Dapcab32.exe File opened for modification C:\Windows\SysWOW64\Fochecog.exe Eeaqfo32.exe File created C:\Windows\SysWOW64\Abcgii32.exe Aacjofkp.exe File created C:\Windows\SysWOW64\Aoldgfoo.dll Lmfhjhdm.exe File created C:\Windows\SysWOW64\Epgobe32.dll Ioqohb32.exe File opened for modification C:\Windows\SysWOW64\Mhpeelnd.exe Ldblon32.exe File created C:\Windows\SysWOW64\Gnoanl32.dll Ihkpgg32.exe File opened for modification C:\Windows\SysWOW64\Pllieg32.exe Peaahmcd.exe File opened for modification C:\Windows\SysWOW64\Dlcaca32.exe Cckmklac.exe File created C:\Windows\SysWOW64\Olcbfp32.exe Ocknmjcf.exe File created C:\Windows\SysWOW64\Qhghge32.exe Pgoigcip.exe File created C:\Windows\SysWOW64\Cpdcmkpj.dll Nffljjfc.exe File created C:\Windows\SysWOW64\Aifklc32.dll Cgbfka32.exe File opened for modification C:\Windows\SysWOW64\Fegiba32.exe Elhnhm32.exe File created C:\Windows\SysWOW64\Cjakkgha.dll Amblpikl.exe File opened for modification C:\Windows\SysWOW64\Hhhdpd32.exe Hanlcjgh.exe File created C:\Windows\SysWOW64\Nlaakbkm.dll Pgbkgmao.exe File created C:\Windows\SysWOW64\Dmjnljjm.dll Omgjhc32.exe File opened for modification C:\Windows\SysWOW64\Ajnmjp32.exe Akipic32.exe File opened for modification C:\Windows\SysWOW64\Lfkich32.exe Loaafnah.exe File created C:\Windows\SysWOW64\Bbpjik32.dll Aoalba32.exe File created C:\Windows\SysWOW64\Kklfkfie.dll Hmaihekc.exe File opened for modification C:\Windows\SysWOW64\Libnapmg.exe Lcifde32.exe File created C:\Windows\SysWOW64\Lmqggncn.exe Ldhbnhlm.exe File created C:\Windows\SysWOW64\Kakdifap.dll Fbjcplhj.exe File opened for modification C:\Windows\SysWOW64\Qkpmcddi.exe Qlomemlj.exe File created C:\Windows\SysWOW64\Plbeef32.dll Fjfnphpf.exe File opened for modification C:\Windows\SysWOW64\Ojgbpd32.exe Olcbfp32.exe File created C:\Windows\SysWOW64\Beobcdoi.exe Bghddp32.exe File opened for modification C:\Windows\SysWOW64\Fgmllpng.exe Fochecog.exe File created C:\Windows\SysWOW64\Aiimejap.exe Abodhpic.exe File opened for modification C:\Windows\SysWOW64\Jhqqlmba.exe Jbghpc32.exe File opened for modification C:\Windows\SysWOW64\Jkqccbkf.exe Ieoapl32.exe File created C:\Windows\SysWOW64\Odfcjc32.exe Nmedmj32.exe File opened for modification C:\Windows\SysWOW64\Kblkap32.exe Jodlof32.exe File created C:\Windows\SysWOW64\Mhqfbg32.dll Ifcpgiji.exe File created C:\Windows\SysWOW64\Lkjhfh32.exe Lqdcio32.exe File created C:\Windows\SysWOW64\Pqihgcma.exe Obanqgkl.exe File created C:\Windows\SysWOW64\Gnjmmfin.dll Eedkniob.exe File created C:\Windows\SysWOW64\Donloloo.dll Celgjlpn.exe File created C:\Windows\SysWOW64\Minbgdmm.dll Lfimmhkg.exe File created C:\Windows\SysWOW64\Ldkfno32.exe Lnanadfi.exe File created C:\Windows\SysWOW64\Ffdddg32.exe Fhpckb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6444 952 WerFault.exe 570 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfcmhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajbegg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkokb32.dll" Pjcbkbnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jidkek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkgaglpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhhkjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpboakjk.dll" Opkfjgmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aiimejap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjqafj32.dll" Fmkqknci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdaajd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkonnoh.dll" Alaaajmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqdfipld.dll" Emhdeoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elepei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmnnlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnikmjdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fanbll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhqfbg32.dll" Ifcpgiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eapbgm32.dll" Ibncmchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhlak32.dll" Hdaajd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ancjef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Addhbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oanicm32.dll" Cnpbgajc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kakdifap.dll" Fbjcplhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjndpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ionbcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fanbll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obnlpnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhblfpng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chpangnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlefebfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkoinlbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaqdpjia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lceajc32.dll" Ccendc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaimiagp.dll" Nkkggl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfnbbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfqjihp.dll" Gmpcmkaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hboaql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpjqaldi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkjhfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcbikd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckggbk32.dll" Hdfapjbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoalba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmginjki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebbinp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpkfmfok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kekljlkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnpbgajc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenfbj32.dll" Mikepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haeino32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndinf32.dll" Bmlofhca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madbpi32.dll" Lcpledob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgggockk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hanlcjgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqihgcma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajfobfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcpkmo32.dll" Kbigajfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnlgdfg.dll" Hpaqqdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgocnleh.dll" Nmajbnha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bahdje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkhdgfen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ladhkmno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hommhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpboqfjk.dll" Bgggockk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqdechnf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2716 wrote to memory of 1892 2716 NEAS.e3401a57d136f003ab4105b867ec9380.exe 90 PID 2716 wrote to memory of 1892 2716 NEAS.e3401a57d136f003ab4105b867ec9380.exe 90 PID 2716 wrote to memory of 1892 2716 NEAS.e3401a57d136f003ab4105b867ec9380.exe 90 PID 1892 wrote to memory of 2136 1892 Gjebiq32.exe 91 PID 1892 wrote to memory of 2136 1892 Gjebiq32.exe 91 PID 1892 wrote to memory of 2136 1892 Gjebiq32.exe 91 PID 2136 wrote to memory of 2660 2136 Ijjekn32.exe 92 PID 2136 wrote to memory of 2660 2136 Ijjekn32.exe 92 PID 2136 wrote to memory of 2660 2136 Ijjekn32.exe 92 PID 2660 wrote to memory of 3064 2660 Jcjodbgl.exe 93 PID 2660 wrote to memory of 3064 2660 Jcjodbgl.exe 93 PID 2660 wrote to memory of 3064 2660 Jcjodbgl.exe 93 PID 3064 wrote to memory of 2636 3064 Jjhalkjc.exe 94 PID 3064 wrote to memory of 2636 3064 Jjhalkjc.exe 94 PID 3064 wrote to memory of 2636 3064 Jjhalkjc.exe 94 PID 2636 wrote to memory of 1460 2636 Kfdklllb.exe 95 PID 2636 wrote to memory of 1460 2636 Kfdklllb.exe 95 PID 2636 wrote to memory of 1460 2636 Kfdklllb.exe 95 PID 1460 wrote to memory of 4036 1460 Lhadgmge.exe 96 PID 1460 wrote to memory of 4036 1460 Lhadgmge.exe 96 PID 1460 wrote to memory of 4036 1460 Lhadgmge.exe 96 PID 4036 wrote to memory of 2580 4036 Maoakaip.exe 97 PID 4036 wrote to memory of 2580 4036 Maoakaip.exe 97 PID 4036 wrote to memory of 2580 4036 Maoakaip.exe 97 PID 2580 wrote to memory of 1884 2580 Moglpedd.exe 98 PID 2580 wrote to memory of 1884 2580 Moglpedd.exe 98 PID 2580 wrote to memory of 1884 2580 Moglpedd.exe 98 PID 1884 wrote to memory of 4756 1884 Onmahojj.exe 99 PID 1884 wrote to memory of 4756 1884 Onmahojj.exe 99 PID 1884 wrote to memory of 4756 1884 Onmahojj.exe 99 PID 4756 wrote to memory of 992 4756 Okcogc32.exe 100 PID 4756 wrote to memory of 992 4756 Okcogc32.exe 100 PID 4756 wrote to memory of 992 4756 Okcogc32.exe 100 PID 992 wrote to memory of 1556 992 Poagma32.exe 101 PID 992 wrote to memory of 1556 992 Poagma32.exe 101 PID 992 wrote to memory of 1556 992 Poagma32.exe 101 PID 1556 wrote to memory of 696 1556 Pgoigcip.exe 102 PID 1556 wrote to memory of 696 1556 Pgoigcip.exe 102 PID 1556 wrote to memory of 696 1556 Pgoigcip.exe 102 PID 696 wrote to memory of 4600 696 Qhghge32.exe 103 PID 696 wrote to memory of 4600 696 Qhghge32.exe 103 PID 696 wrote to memory of 4600 696 Qhghge32.exe 103 PID 4600 wrote to memory of 4612 4600 Aeeomegd.exe 104 PID 4600 wrote to memory of 4612 4600 Aeeomegd.exe 104 PID 4600 wrote to memory of 4612 4600 Aeeomegd.exe 104 PID 4612 wrote to memory of 1808 4612 Aeglbeea.exe 105 PID 4612 wrote to memory of 1808 4612 Aeglbeea.exe 105 PID 4612 wrote to memory of 1808 4612 Aeglbeea.exe 105 PID 1808 wrote to memory of 1012 1808 Bghddp32.exe 106 PID 1808 wrote to memory of 1012 1808 Bghddp32.exe 106 PID 1808 wrote to memory of 1012 1808 Bghddp32.exe 106 PID 1012 wrote to memory of 5036 1012 Beobcdoi.exe 107 PID 1012 wrote to memory of 5036 1012 Beobcdoi.exe 107 PID 1012 wrote to memory of 5036 1012 Beobcdoi.exe 107 PID 5036 wrote to memory of 2140 5036 Bpfcelml.exe 108 PID 5036 wrote to memory of 2140 5036 Bpfcelml.exe 108 PID 5036 wrote to memory of 2140 5036 Bpfcelml.exe 108 PID 2140 wrote to memory of 2952 2140 Cpmifkgd.exe 109 PID 2140 wrote to memory of 2952 2140 Cpmifkgd.exe 109 PID 2140 wrote to memory of 2952 2140 Cpmifkgd.exe 109 PID 2952 wrote to memory of 3848 2952 Cppelkeb.exe 110 PID 2952 wrote to memory of 3848 2952 Cppelkeb.exe 110 PID 2952 wrote to memory of 3848 2952 Cppelkeb.exe 110 PID 3848 wrote to memory of 5060 3848 Cnebmgjj.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.e3401a57d136f003ab4105b867ec9380.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.e3401a57d136f003ab4105b867ec9380.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Gjebiq32.exeC:\Windows\system32\Gjebiq32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Ijjekn32.exeC:\Windows\system32\Ijjekn32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Jcjodbgl.exeC:\Windows\system32\Jcjodbgl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Jjhalkjc.exeC:\Windows\system32\Jjhalkjc.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Kfdklllb.exeC:\Windows\system32\Kfdklllb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Lhadgmge.exeC:\Windows\system32\Lhadgmge.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Maoakaip.exeC:\Windows\system32\Maoakaip.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Moglpedd.exeC:\Windows\system32\Moglpedd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Onmahojj.exeC:\Windows\system32\Onmahojj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Okcogc32.exeC:\Windows\system32\Okcogc32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\SysWOW64\Poagma32.exeC:\Windows\system32\Poagma32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\Pgoigcip.exeC:\Windows\system32\Pgoigcip.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Qhghge32.exeC:\Windows\system32\Qhghge32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\Aeeomegd.exeC:\Windows\system32\Aeeomegd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Aeglbeea.exeC:\Windows\system32\Aeglbeea.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\Bghddp32.exeC:\Windows\system32\Bghddp32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Beobcdoi.exeC:\Windows\system32\Beobcdoi.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Bpfcelml.exeC:\Windows\system32\Bpfcelml.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Cpmifkgd.exeC:\Windows\system32\Cpmifkgd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Cppelkeb.exeC:\Windows\system32\Cppelkeb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Cnebmgjj.exeC:\Windows\system32\Cnebmgjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Windows\SysWOW64\Dbckcf32.exeC:\Windows\system32\Dbckcf32.exe23⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Dfcqod32.exeC:\Windows\system32\Dfcqod32.exe24⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Ehifak32.exeC:\Windows\system32\Ehifak32.exe25⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Ebagdddp.exeC:\Windows\system32\Ebagdddp.exe26⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Eeaqfo32.exeC:\Windows\system32\Eeaqfo32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:224 -
C:\Windows\SysWOW64\Fochecog.exeC:\Windows\system32\Fochecog.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4932 -
C:\Windows\SysWOW64\Fgmllpng.exeC:\Windows\system32\Fgmllpng.exe29⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Gllajf32.exeC:\Windows\system32\Gllajf32.exe30⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Gpodkdll.exeC:\Windows\system32\Gpodkdll.exe31⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Hpaqqdjj.exeC:\Windows\system32\Hpaqqdjj.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:232 -
C:\Windows\SysWOW64\Hjlaoioh.exeC:\Windows\system32\Hjlaoioh.exe33⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Hcipcnac.exeC:\Windows\system32\Hcipcnac.exe34⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Iqmplbpl.exeC:\Windows\system32\Iqmplbpl.exe35⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Iodjcnca.exeC:\Windows\system32\Iodjcnca.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Imjgbb32.exeC:\Windows\system32\Imjgbb32.exe37⤵
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Jmmcgbnf.exeC:\Windows\system32\Jmmcgbnf.exe38⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Jonlimkg.exeC:\Windows\system32\Jonlimkg.exe39⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Jopiom32.exeC:\Windows\system32\Jopiom32.exe40⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Jjhjae32.exeC:\Windows\system32\Jjhjae32.exe41⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Kpgoolbl.exeC:\Windows\system32\Kpgoolbl.exe42⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Kaflio32.exeC:\Windows\system32\Kaflio32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Kidmcqeg.exeC:\Windows\system32\Kidmcqeg.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Kifjip32.exeC:\Windows\system32\Kifjip32.exe45⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Lgjglg32.exeC:\Windows\system32\Lgjglg32.exe46⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Ladhkmno.exeC:\Windows\system32\Ladhkmno.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Lfcmhc32.exeC:\Windows\system32\Lfcmhc32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Mffjnc32.exeC:\Windows\system32\Mffjnc32.exe49⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Mapgfk32.exeC:\Windows\system32\Mapgfk32.exe50⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Mjkiephp.exeC:\Windows\system32\Mjkiephp.exe51⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Njmejp32.exeC:\Windows\system32\Njmejp32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:528 -
C:\Windows\SysWOW64\Nmnnlk32.exeC:\Windows\system32\Nmnnlk32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Ndjcne32.exeC:\Windows\system32\Ndjcne32.exe54⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Nmedmj32.exeC:\Windows\system32\Nmedmj32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1008 -
C:\Windows\SysWOW64\Odfcjc32.exeC:\Windows\system32\Odfcjc32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Oajccgmd.exeC:\Windows\system32\Oajccgmd.exe57⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Pkgaglpp.exeC:\Windows\system32\Pkgaglpp.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Pgbkgmao.exeC:\Windows\system32\Pgbkgmao.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1208 -
C:\Windows\SysWOW64\Qpkppbho.exeC:\Windows\system32\Qpkppbho.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Qpmmfbfl.exeC:\Windows\system32\Qpmmfbfl.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Aqpika32.exeC:\Windows\system32\Aqpika32.exe62⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Ancjef32.exeC:\Windows\system32\Ancjef32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:4292 -
C:\Windows\SysWOW64\Aglnnkid.exeC:\Windows\system32\Aglnnkid.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:60 -
C:\Windows\SysWOW64\Akjgdjoj.exeC:\Windows\system32\Akjgdjoj.exe65⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Addhbo32.exeC:\Windows\system32\Addhbo32.exe66⤵
- Modifies registry class
PID:3420 -
C:\Windows\SysWOW64\Bkamdi32.exeC:\Windows\system32\Bkamdi32.exe67⤵PID:4860
-
C:\Windows\SysWOW64\Bjfjee32.exeC:\Windows\system32\Bjfjee32.exe68⤵PID:2088
-
C:\Windows\SysWOW64\Bdlncn32.exeC:\Windows\system32\Bdlncn32.exe69⤵PID:4340
-
C:\Windows\SysWOW64\Bdnkhn32.exeC:\Windows\system32\Bdnkhn32.exe70⤵PID:2396
-
C:\Windows\SysWOW64\Bdphnmjk.exeC:\Windows\system32\Bdphnmjk.exe71⤵
- Drops file in System32 directory
PID:4376 -
C:\Windows\SysWOW64\Ckmmpg32.exeC:\Windows\system32\Ckmmpg32.exe72⤵PID:4296
-
C:\Windows\SysWOW64\Cbiabq32.exeC:\Windows\system32\Cbiabq32.exe73⤵PID:3520
-
C:\Windows\SysWOW64\Cnpbgajc.exeC:\Windows\system32\Cnpbgajc.exe74⤵
- Modifies registry class
PID:4304 -
C:\Windows\SysWOW64\Celgjlpn.exeC:\Windows\system32\Celgjlpn.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Djipbbne.exeC:\Windows\system32\Djipbbne.exe76⤵PID:4272
-
C:\Windows\SysWOW64\Dnghhqdk.exeC:\Windows\system32\Dnghhqdk.exe77⤵PID:568
-
C:\Windows\SysWOW64\Dbdano32.exeC:\Windows\system32\Dbdano32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4864 -
C:\Windows\SysWOW64\Diafqi32.exeC:\Windows\system32\Diafqi32.exe79⤵PID:1212
-
C:\Windows\SysWOW64\Djbbhafj.exeC:\Windows\system32\Djbbhafj.exe80⤵PID:2104
-
C:\Windows\SysWOW64\Dehgejep.exeC:\Windows\system32\Dehgejep.exe81⤵PID:4592
-
C:\Windows\SysWOW64\Eblgon32.exeC:\Windows\system32\Eblgon32.exe82⤵PID:2260
-
C:\Windows\SysWOW64\Eaqdpjia.exeC:\Windows\system32\Eaqdpjia.exe83⤵
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Fjpoio32.exeC:\Windows\system32\Fjpoio32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1452 -
C:\Windows\SysWOW64\Fbjcplhj.exeC:\Windows\system32\Fbjcplhj.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:636 -
C:\Windows\SysWOW64\Feofmf32.exeC:\Windows\system32\Feofmf32.exe86⤵PID:5088
-
C:\Windows\SysWOW64\Gojgkl32.exeC:\Windows\system32\Gojgkl32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8 -
C:\Windows\SysWOW64\Gkcdfl32.exeC:\Windows\system32\Gkcdfl32.exe88⤵PID:5148
-
C:\Windows\SysWOW64\Hcabhido.exeC:\Windows\system32\Hcabhido.exe89⤵PID:5200
-
C:\Windows\SysWOW64\Hommhi32.exeC:\Windows\system32\Hommhi32.exe90⤵
- Modifies registry class
PID:5240 -
C:\Windows\SysWOW64\Icakofel.exeC:\Windows\system32\Icakofel.exe91⤵PID:5280
-
C:\Windows\SysWOW64\Jbghpc32.exeC:\Windows\system32\Jbghpc32.exe92⤵
- Drops file in System32 directory
PID:5320 -
C:\Windows\SysWOW64\Jhqqlmba.exeC:\Windows\system32\Jhqqlmba.exe93⤵PID:5364
-
C:\Windows\SysWOW64\Jjgcgo32.exeC:\Windows\system32\Jjgcgo32.exe94⤵PID:5400
-
C:\Windows\SysWOW64\Jodlof32.exeC:\Windows\system32\Jodlof32.exe95⤵
- Drops file in System32 directory
PID:5456 -
C:\Windows\SysWOW64\Kblkap32.exeC:\Windows\system32\Kblkap32.exe96⤵PID:5496
-
C:\Windows\SysWOW64\Kkdoje32.exeC:\Windows\system32\Kkdoje32.exe97⤵PID:5536
-
C:\Windows\SysWOW64\Lkflpe32.exeC:\Windows\system32\Lkflpe32.exe98⤵PID:5576
-
C:\Windows\SysWOW64\Lmfhjhdm.exeC:\Windows\system32\Lmfhjhdm.exe99⤵
- Drops file in System32 directory
PID:5616 -
C:\Windows\SysWOW64\Lpgalc32.exeC:\Windows\system32\Lpgalc32.exe100⤵PID:5660
-
C:\Windows\SysWOW64\Mmokpglb.exeC:\Windows\system32\Mmokpglb.exe101⤵PID:5704
-
C:\Windows\SysWOW64\Mppdbb32.exeC:\Windows\system32\Mppdbb32.exe102⤵PID:5744
-
C:\Windows\SysWOW64\Mcnmhpoj.exeC:\Windows\system32\Mcnmhpoj.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5784 -
C:\Windows\SysWOW64\Mikepg32.exeC:\Windows\system32\Mikepg32.exe104⤵
- Modifies registry class
PID:5824 -
C:\Windows\SysWOW64\Mcpjnp32.exeC:\Windows\system32\Mcpjnp32.exe105⤵PID:5868
-
C:\Windows\SysWOW64\Nbhcdl32.exeC:\Windows\system32\Nbhcdl32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5908 -
C:\Windows\SysWOW64\Nffljjfc.exeC:\Windows\system32\Nffljjfc.exe107⤵
- Drops file in System32 directory
PID:5952 -
C:\Windows\SysWOW64\Nlbdba32.exeC:\Windows\system32\Nlbdba32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6004 -
C:\Windows\SysWOW64\Odnfonag.exeC:\Windows\system32\Odnfonag.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6040 -
C:\Windows\SysWOW64\Omgjhc32.exeC:\Windows\system32\Omgjhc32.exe110⤵
- Drops file in System32 directory
PID:6092 -
C:\Windows\SysWOW64\Pljcjn32.exeC:\Windows\system32\Pljcjn32.exe111⤵PID:5136
-
C:\Windows\SysWOW64\Qlomemlj.exeC:\Windows\system32\Qlomemlj.exe112⤵
- Drops file in System32 directory
PID:5168 -
C:\Windows\SysWOW64\Qkpmcddi.exeC:\Windows\system32\Qkpmcddi.exe113⤵PID:5248
-
C:\Windows\SysWOW64\Qdhalj32.exeC:\Windows\system32\Qdhalj32.exe114⤵PID:5316
-
C:\Windows\SysWOW64\Adjnaj32.exeC:\Windows\system32\Adjnaj32.exe115⤵PID:5388
-
C:\Windows\SysWOW64\Akipic32.exeC:\Windows\system32\Akipic32.exe116⤵
- Drops file in System32 directory
PID:5440 -
C:\Windows\SysWOW64\Ajnmjp32.exeC:\Windows\system32\Ajnmjp32.exe117⤵PID:5528
-
C:\Windows\SysWOW64\Aphegjhc.exeC:\Windows\system32\Aphegjhc.exe118⤵PID:5608
-
C:\Windows\SysWOW64\Bdfnmhnj.exeC:\Windows\system32\Bdfnmhnj.exe119⤵PID:5672
-
C:\Windows\SysWOW64\Bgggockk.exeC:\Windows\system32\Bgggockk.exe120⤵
- Modifies registry class
PID:5736 -
C:\Windows\SysWOW64\Bldogjib.exeC:\Windows\system32\Bldogjib.exe121⤵PID:4208
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-