Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
104s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
28/10/2023, 20:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.fd0e65942b7318cc273574e33b441cf0.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.fd0e65942b7318cc273574e33b441cf0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.fd0e65942b7318cc273574e33b441cf0.exe
-
Size
304KB
-
MD5
fd0e65942b7318cc273574e33b441cf0
-
SHA1
6112365f6176a98773c8f1655bfe258219426520
-
SHA256
67a69c9b3a0c8d44c82084f8879b5ce0c55bcce68abc4c7e0fbb0b91ef6c34a9
-
SHA512
46d21f7696678dd971d7e7be4f8f9958b444153bb6d0d3935649b124438b0a0fada4630e1a832c7f8e4905f2dc706d0efa00f7bfd0f070082a927f96482e7319
-
SSDEEP
6144:45NfITENcO7JfnrFVoXJtpNr1RgAaa6FlFlcOuLr2/24qXPAbgPBFpYrFVO/fnre:45ycJfnYdsWfna
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqmgigfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpdgbkab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiclodaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdjjnoje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjcjmclj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cldgmgml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pggbdgmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fagjolao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Injcginc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glbakchp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbigajfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cqmgigfk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlblcdpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoibmmpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfhdem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deejpjgc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gibhihko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeffip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlknbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdckpqod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djbpjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Defajqko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njogdldg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikojcaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbegakcb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjklcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hddbmedc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oafacn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkfnlmkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlnijmhc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhflhcfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekcplp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fppqjcli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiojmgcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olndnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhmmkcko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lonnfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhohfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibeqgdpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgbhbbh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bepeph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqbbno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihknibbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khplnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oolgbpei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boflfiai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gimoce32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgdlfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niklip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehifak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbdiehi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbdliejl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clmjcfdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfnpacjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghdoae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokiig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmphjfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmknkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmakgj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbeobhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enoddi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnmbao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekpmljin.exe -
Executes dropped EXE 64 IoCs
pid Process 2108 Hfamia32.exe 4828 Icciccmd.exe 936 Jjfdfl32.exe 3992 Jabiie32.exe 1968 Kagbdenk.exe 1808 Lhjnfn32.exe 3984 Mhkgnkoj.exe 3564 Nehjmnei.exe 4160 Nhicoi32.exe 916 Oafacn32.exe 3940 Odkcpi32.exe 4248 Pfpidk32.exe 3372 Pfbfjk32.exe 1980 Qdllffpo.exe 1168 Adqeaf32.exe 3880 Aohfdnil.exe 4968 Bkadoo32.exe 1944 Bndjfjhl.exe 4924 Bgokdomj.exe 1716 Bbeobhlp.exe 4904 Cbqonf32.exe 3416 Dngobghg.exe 4232 Defajqko.exe 2244 Ehifak32.exe 2736 Epbkhhel.exe 2384 Eedmlo32.exe 4004 Fplnogmb.exe 388 Fikihlmj.exe 3264 Gcfjfqah.exe 3048 Ggilgn32.exe 4536 Hlogfd32.exe 3656 Hgdlcm32.exe 4860 Ignnjk32.exe 4788 Jcnbekok.exe 4008 Jqbbno32.exe 2452 Kqdodo32.exe 1232 Kpilekqj.exe 3736 Kjcjmclj.exe 4120 Kggjghkd.exe 5056 Mmpbkm32.exe 8 Mfhgcbfo.exe 2292 Mankaked.exe 3268 Mpchbhjl.exe 3356 Mabdlk32.exe 4368 Nkdlkope.exe 972 Odaiodbp.exe 2176 Oinbgk32.exe 2712 Oggllnkl.exe 408 Onqdhh32.exe 4140 Pdofpb32.exe 4448 Pphckb32.exe 3652 Qnopjfgi.exe 3096 Aaofedkl.exe 564 Aglnnkid.exe 3752 Ahpdcn32.exe 4712 Bqnemp32.exe 2444 Bjfjee32.exe 3036 Bbbkbbkg.exe 2716 Cbiabq32.exe 2248 Cbknhqbl.exe 4052 Cghgpgqd.exe 464 Celgjlpn.exe 812 Djipbbne.exe 1580 Daeddlco.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Apfodd32.dll Odhman32.exe File created C:\Windows\SysWOW64\Qcpieamc.exe Pcffoben.exe File created C:\Windows\SysWOW64\Gmdaif32.dll Fhflhcfa.exe File created C:\Windows\SysWOW64\Idkkki32.exe Ikbfbdgf.exe File created C:\Windows\SysWOW64\Pggbdgmm.exe Onqbjccl.exe File created C:\Windows\SysWOW64\Hddbmedc.exe Gkianp32.exe File opened for modification C:\Windows\SysWOW64\Efoiko32.exe Elienf32.exe File created C:\Windows\SysWOW64\Pfpidk32.exe Odkcpi32.exe File created C:\Windows\SysWOW64\Fbeeco32.exe Eoapldei.exe File created C:\Windows\SysWOW64\Ifckmnbd.dll Aochga32.exe File created C:\Windows\SysWOW64\Dbghhd32.dll Cgdlfk32.exe File created C:\Windows\SysWOW64\Jmjojh32.exe Jacnegep.exe File created C:\Windows\SysWOW64\Bfpgnpee.dll Pihmcflg.exe File created C:\Windows\SysWOW64\Mcckpooc.dll Kpilekqj.exe File opened for modification C:\Windows\SysWOW64\Miqlpbap.exe Lohggm32.exe File created C:\Windows\SysWOW64\Ebqcjedm.dll Hmhhnmao.exe File created C:\Windows\SysWOW64\Jeaidn32.exe Ilfhfh32.exe File created C:\Windows\SysWOW64\Hjnijb32.dll Dlgmjdlg.exe File created C:\Windows\SysWOW64\Kicomdnf.dll Ibgmldnd.exe File opened for modification C:\Windows\SysWOW64\Hlnqln32.exe Hedhoc32.exe File created C:\Windows\SysWOW64\Dglpfmji.dll Ejmkiiha.exe File created C:\Windows\SysWOW64\Hmegdjkj.dll Fmbnfcam.exe File opened for modification C:\Windows\SysWOW64\Gonilenb.exe Gdheol32.exe File created C:\Windows\SysWOW64\Kmnkaeeg.dll Jfalhgni.exe File opened for modification C:\Windows\SysWOW64\Ehifak32.exe Defajqko.exe File created C:\Windows\SysWOW64\Kkjoha32.dll Ajggjq32.exe File created C:\Windows\SysWOW64\Olkqnjhd.exe Oeahap32.exe File opened for modification C:\Windows\SysWOW64\Gfodpbpl.exe Gablgk32.exe File created C:\Windows\SysWOW64\Bkpdml32.dll Hocjaj32.exe File opened for modification C:\Windows\SysWOW64\Jacnegep.exe Ipcakd32.exe File created C:\Windows\SysWOW64\Gikfja32.dll Elienf32.exe File created C:\Windows\SysWOW64\Omkmhlpf.exe Olkqnjhd.exe File created C:\Windows\SysWOW64\Lfmbjg32.dll Hoibmmpi.exe File opened for modification C:\Windows\SysWOW64\Hfnpacjb.exe Hodgei32.exe File created C:\Windows\SysWOW64\Jdnnjane.exe Igedenca.exe File created C:\Windows\SysWOW64\Jmccnk32.exe Jfgnka32.exe File opened for modification C:\Windows\SysWOW64\Edknjonl.exe Eoneah32.exe File created C:\Windows\SysWOW64\Pcffoben.exe Oeffip32.exe File opened for modification C:\Windows\SysWOW64\Edemdine.exe Emkeho32.exe File created C:\Windows\SysWOW64\Igedenca.exe Injcginc.exe File created C:\Windows\SysWOW64\Hjfbiobf.dll Fplnogmb.exe File created C:\Windows\SysWOW64\Aompjamo.exe Ajlngk32.exe File created C:\Windows\SysWOW64\Ecakodpe.dll Dpckclld.exe File opened for modification C:\Windows\SysWOW64\Ggilgn32.exe Gcfjfqah.exe File created C:\Windows\SysWOW64\Jfalhgni.exe Jjklcf32.exe File created C:\Windows\SysWOW64\Giacmggo.exe Gqfohdjd.exe File opened for modification C:\Windows\SysWOW64\Pcffoben.exe Oeffip32.exe File created C:\Windows\SysWOW64\Dhlhei32.dll Bojohp32.exe File opened for modification C:\Windows\SysWOW64\Deehbe32.exe Cagolf32.exe File created C:\Windows\SysWOW64\Nbiioe32.exe Niadfpcn.exe File created C:\Windows\SysWOW64\Pabknbef.exe Pkebekgo.exe File opened for modification C:\Windows\SysWOW64\Hmjmnpmb.exe Hkiclepa.exe File opened for modification C:\Windows\SysWOW64\Emkeho32.exe Eaddcnad.exe File created C:\Windows\SysWOW64\Iifmbajf.dll Ljoboloa.exe File created C:\Windows\SysWOW64\Cnjkgf32.exe Cgpcklpd.exe File opened for modification C:\Windows\SysWOW64\Eeagnc32.exe Dgpgplej.exe File opened for modification C:\Windows\SysWOW64\Idgocigi.exe Ifbbbl32.exe File created C:\Windows\SysWOW64\Ajlngk32.exe Qcpieamc.exe File opened for modification C:\Windows\SysWOW64\Djbbhafj.exe Deejpjgc.exe File created C:\Windows\SysWOW64\Lcdjba32.exe Lmkbeg32.exe File opened for modification C:\Windows\SysWOW64\Nfhipj32.exe Nlknbb32.exe File created C:\Windows\SysWOW64\Dfmcpf32.exe Dpckclld.exe File created C:\Windows\SysWOW64\Njiccd32.dll Onqdhh32.exe File created C:\Windows\SysWOW64\Mbjgcnll.exe Llpofd32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qahkch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbhqdhnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Empococc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnmdboi.dll" Boflfiai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihicah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeagnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idgocigi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgqppbdk.dll" Paihffkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdjjnoje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oinbgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajikhfpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjglifc.dll" Fpjcpbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkdkdafo.dll" Fhdocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kffkpkqi.dll" Gmimll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldiiio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfibl32.dll" Ejofacfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpfkna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjopgh32.dll" Ioafchai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkhpdnd.dll" Cnjkgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piakng32.dll" Pkcepl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kagbdenk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jopaejlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbapebjm.dll" Bbifobho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbiqoa32.dll" Dehkbkip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moanja32.dll" Edknjonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Belaje32.dll" Hmginjki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnaqqj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iidiidgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpeapilo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpbdiehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbdebpif.dll" Paennh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjklcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofimck32.dll" Bffkcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfcmge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpbkiog.dll" Blkkaohc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djpfbahm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfhipj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldiiio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpilekqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpchbhjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opjnai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeccijoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahiiqafa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeaidn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnopjfgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhhljfmp.dll" Ecgcpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihcclb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceaoll32.dll" Ifgbhbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdhao32.dll" Nmommn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdiloa32.dll" Omnqhbap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gablgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eojplbhc.dll" Hifmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngaihcli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchjfl32.dll" Dngobghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gibhihko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aenpeoom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjjbmhfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acilcb32.dll" Mccofn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmakgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icelfhmg.dll" Jpoagb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmbcik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcikhace.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aenpeoom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lecnkice.dll" Klkcmo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4012 wrote to memory of 2108 4012 NEAS.fd0e65942b7318cc273574e33b441cf0.exe 89 PID 4012 wrote to memory of 2108 4012 NEAS.fd0e65942b7318cc273574e33b441cf0.exe 89 PID 4012 wrote to memory of 2108 4012 NEAS.fd0e65942b7318cc273574e33b441cf0.exe 89 PID 2108 wrote to memory of 4828 2108 Hfamia32.exe 91 PID 2108 wrote to memory of 4828 2108 Hfamia32.exe 91 PID 2108 wrote to memory of 4828 2108 Hfamia32.exe 91 PID 4828 wrote to memory of 936 4828 Icciccmd.exe 92 PID 4828 wrote to memory of 936 4828 Icciccmd.exe 92 PID 4828 wrote to memory of 936 4828 Icciccmd.exe 92 PID 936 wrote to memory of 3992 936 Jjfdfl32.exe 93 PID 936 wrote to memory of 3992 936 Jjfdfl32.exe 93 PID 936 wrote to memory of 3992 936 Jjfdfl32.exe 93 PID 3992 wrote to memory of 1968 3992 Jabiie32.exe 94 PID 3992 wrote to memory of 1968 3992 Jabiie32.exe 94 PID 3992 wrote to memory of 1968 3992 Jabiie32.exe 94 PID 1968 wrote to memory of 1808 1968 Kagbdenk.exe 95 PID 1968 wrote to memory of 1808 1968 Kagbdenk.exe 95 PID 1968 wrote to memory of 1808 1968 Kagbdenk.exe 95 PID 1808 wrote to memory of 3984 1808 Lhjnfn32.exe 96 PID 1808 wrote to memory of 3984 1808 Lhjnfn32.exe 96 PID 1808 wrote to memory of 3984 1808 Lhjnfn32.exe 96 PID 3984 wrote to memory of 3564 3984 Mhkgnkoj.exe 97 PID 3984 wrote to memory of 3564 3984 Mhkgnkoj.exe 97 PID 3984 wrote to memory of 3564 3984 Mhkgnkoj.exe 97 PID 3564 wrote to memory of 4160 3564 Nehjmnei.exe 98 PID 3564 wrote to memory of 4160 3564 Nehjmnei.exe 98 PID 3564 wrote to memory of 4160 3564 Nehjmnei.exe 98 PID 4160 wrote to memory of 916 4160 Nhicoi32.exe 99 PID 4160 wrote to memory of 916 4160 Nhicoi32.exe 99 PID 4160 wrote to memory of 916 4160 Nhicoi32.exe 99 PID 916 wrote to memory of 3940 916 Oafacn32.exe 100 PID 916 wrote to memory of 3940 916 Oafacn32.exe 100 PID 916 wrote to memory of 3940 916 Oafacn32.exe 100 PID 3940 wrote to memory of 4248 3940 Odkcpi32.exe 101 PID 3940 wrote to memory of 4248 3940 Odkcpi32.exe 101 PID 3940 wrote to memory of 4248 3940 Odkcpi32.exe 101 PID 4248 wrote to memory of 3372 4248 Pfpidk32.exe 102 PID 4248 wrote to memory of 3372 4248 Pfpidk32.exe 102 PID 4248 wrote to memory of 3372 4248 Pfpidk32.exe 102 PID 3372 wrote to memory of 1980 3372 Pfbfjk32.exe 103 PID 3372 wrote to memory of 1980 3372 Pfbfjk32.exe 103 PID 3372 wrote to memory of 1980 3372 Pfbfjk32.exe 103 PID 1980 wrote to memory of 1168 1980 Qdllffpo.exe 104 PID 1980 wrote to memory of 1168 1980 Qdllffpo.exe 104 PID 1980 wrote to memory of 1168 1980 Qdllffpo.exe 104 PID 1168 wrote to memory of 3880 1168 Adqeaf32.exe 105 PID 1168 wrote to memory of 3880 1168 Adqeaf32.exe 105 PID 1168 wrote to memory of 3880 1168 Adqeaf32.exe 105 PID 3880 wrote to memory of 4968 3880 Aohfdnil.exe 106 PID 3880 wrote to memory of 4968 3880 Aohfdnil.exe 106 PID 3880 wrote to memory of 4968 3880 Aohfdnil.exe 106 PID 4968 wrote to memory of 1944 4968 Bkadoo32.exe 107 PID 4968 wrote to memory of 1944 4968 Bkadoo32.exe 107 PID 4968 wrote to memory of 1944 4968 Bkadoo32.exe 107 PID 1944 wrote to memory of 4924 1944 Bndjfjhl.exe 108 PID 1944 wrote to memory of 4924 1944 Bndjfjhl.exe 108 PID 1944 wrote to memory of 4924 1944 Bndjfjhl.exe 108 PID 4924 wrote to memory of 1716 4924 Bgokdomj.exe 109 PID 4924 wrote to memory of 1716 4924 Bgokdomj.exe 109 PID 4924 wrote to memory of 1716 4924 Bgokdomj.exe 109 PID 1716 wrote to memory of 4904 1716 Bbeobhlp.exe 110 PID 1716 wrote to memory of 4904 1716 Bbeobhlp.exe 110 PID 1716 wrote to memory of 4904 1716 Bbeobhlp.exe 110 PID 4904 wrote to memory of 3416 4904 Cbqonf32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.fd0e65942b7318cc273574e33b441cf0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.fd0e65942b7318cc273574e33b441cf0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Hfamia32.exeC:\Windows\system32\Hfamia32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Icciccmd.exeC:\Windows\system32\Icciccmd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Jjfdfl32.exeC:\Windows\system32\Jjfdfl32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\SysWOW64\Jabiie32.exeC:\Windows\system32\Jabiie32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\SysWOW64\Kagbdenk.exeC:\Windows\system32\Kagbdenk.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Lhjnfn32.exeC:\Windows\system32\Lhjnfn32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Mhkgnkoj.exeC:\Windows\system32\Mhkgnkoj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\SysWOW64\Nehjmnei.exeC:\Windows\system32\Nehjmnei.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\SysWOW64\Nhicoi32.exeC:\Windows\system32\Nhicoi32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\SysWOW64\Oafacn32.exeC:\Windows\system32\Oafacn32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Odkcpi32.exeC:\Windows\system32\Odkcpi32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\Pfpidk32.exeC:\Windows\system32\Pfpidk32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\SysWOW64\Pfbfjk32.exeC:\Windows\system32\Pfbfjk32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\SysWOW64\Qdllffpo.exeC:\Windows\system32\Qdllffpo.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Adqeaf32.exeC:\Windows\system32\Adqeaf32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Aohfdnil.exeC:\Windows\system32\Aohfdnil.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Windows\SysWOW64\Bkadoo32.exeC:\Windows\system32\Bkadoo32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Bndjfjhl.exeC:\Windows\system32\Bndjfjhl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Bgokdomj.exeC:\Windows\system32\Bgokdomj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\SysWOW64\Bbeobhlp.exeC:\Windows\system32\Bbeobhlp.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Cbqonf32.exeC:\Windows\system32\Cbqonf32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Dngobghg.exeC:\Windows\system32\Dngobghg.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:3416 -
C:\Windows\SysWOW64\Defajqko.exeC:\Windows\system32\Defajqko.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4232 -
C:\Windows\SysWOW64\Ehifak32.exeC:\Windows\system32\Ehifak32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Epbkhhel.exeC:\Windows\system32\Epbkhhel.exe26⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Eedmlo32.exeC:\Windows\system32\Eedmlo32.exe27⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Fplnogmb.exeC:\Windows\system32\Fplnogmb.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4004 -
C:\Windows\SysWOW64\Fikihlmj.exeC:\Windows\system32\Fikihlmj.exe29⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Gcfjfqah.exeC:\Windows\system32\Gcfjfqah.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3264 -
C:\Windows\SysWOW64\Ggilgn32.exeC:\Windows\system32\Ggilgn32.exe31⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Hlogfd32.exeC:\Windows\system32\Hlogfd32.exe32⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Hgdlcm32.exeC:\Windows\system32\Hgdlcm32.exe33⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Ignnjk32.exeC:\Windows\system32\Ignnjk32.exe34⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Jcnbekok.exeC:\Windows\system32\Jcnbekok.exe35⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Jqbbno32.exeC:\Windows\system32\Jqbbno32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Kqdodo32.exeC:\Windows\system32\Kqdodo32.exe37⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Kpilekqj.exeC:\Windows\system32\Kpilekqj.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Kjcjmclj.exeC:\Windows\system32\Kjcjmclj.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Kggjghkd.exeC:\Windows\system32\Kggjghkd.exe40⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Mmpbkm32.exeC:\Windows\system32\Mmpbkm32.exe41⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Mfhgcbfo.exeC:\Windows\system32\Mfhgcbfo.exe42⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Mankaked.exeC:\Windows\system32\Mankaked.exe43⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Mpchbhjl.exeC:\Windows\system32\Mpchbhjl.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:3268 -
C:\Windows\SysWOW64\Mabdlk32.exeC:\Windows\system32\Mabdlk32.exe45⤵
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Nkdlkope.exeC:\Windows\system32\Nkdlkope.exe46⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Odaiodbp.exeC:\Windows\system32\Odaiodbp.exe47⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Oinbgk32.exeC:\Windows\system32\Oinbgk32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Oggllnkl.exeC:\Windows\system32\Oggllnkl.exe49⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Onqdhh32.exeC:\Windows\system32\Onqdhh32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:408 -
C:\Windows\SysWOW64\Pdofpb32.exeC:\Windows\system32\Pdofpb32.exe51⤵
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\Pphckb32.exeC:\Windows\system32\Pphckb32.exe52⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Qnopjfgi.exeC:\Windows\system32\Qnopjfgi.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:3652 -
C:\Windows\SysWOW64\Aaofedkl.exeC:\Windows\system32\Aaofedkl.exe54⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Aglnnkid.exeC:\Windows\system32\Aglnnkid.exe55⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Ahpdcn32.exeC:\Windows\system32\Ahpdcn32.exe56⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Bqnemp32.exeC:\Windows\system32\Bqnemp32.exe57⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Bjfjee32.exeC:\Windows\system32\Bjfjee32.exe58⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Bbbkbbkg.exeC:\Windows\system32\Bbbkbbkg.exe59⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Cbiabq32.exeC:\Windows\system32\Cbiabq32.exe60⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Cbknhqbl.exeC:\Windows\system32\Cbknhqbl.exe61⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Cghgpgqd.exeC:\Windows\system32\Cghgpgqd.exe62⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Celgjlpn.exeC:\Windows\system32\Celgjlpn.exe63⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Djipbbne.exeC:\Windows\system32\Djipbbne.exe64⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Daeddlco.exeC:\Windows\system32\Daeddlco.exe65⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Dbdano32.exeC:\Windows\system32\Dbdano32.exe66⤵PID:3464
-
C:\Windows\SysWOW64\Djpfbahm.exeC:\Windows\system32\Djpfbahm.exe67⤵
- Modifies registry class
PID:4168 -
C:\Windows\SysWOW64\Deejpjgc.exeC:\Windows\system32\Deejpjgc.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Djbbhafj.exeC:\Windows\system32\Djbbhafj.exe69⤵PID:1616
-
C:\Windows\SysWOW64\Ehhpge32.exeC:\Windows\system32\Ehhpge32.exe70⤵PID:1408
-
C:\Windows\SysWOW64\Ebpqjmpd.exeC:\Windows\system32\Ebpqjmpd.exe71⤵PID:5112
-
C:\Windows\SysWOW64\Ebbmpmnb.exeC:\Windows\system32\Ebbmpmnb.exe72⤵PID:4200
-
C:\Windows\SysWOW64\Fbggkl32.exeC:\Windows\system32\Fbggkl32.exe73⤵PID:2156
-
C:\Windows\SysWOW64\Fhdocc32.exeC:\Windows\system32\Fhdocc32.exe74⤵
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Fhflhcfa.exeC:\Windows\system32\Fhflhcfa.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Faopah32.exeC:\Windows\system32\Faopah32.exe76⤵PID:5000
-
C:\Windows\SysWOW64\Foenplji.exeC:\Windows\system32\Foenplji.exe77⤵PID:3152
-
C:\Windows\SysWOW64\Gikbneio.exeC:\Windows\system32\Gikbneio.exe78⤵PID:3584
-
C:\Windows\SysWOW64\Gimoce32.exeC:\Windows\system32\Gimoce32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2500 -
C:\Windows\SysWOW64\Hocjaj32.exeC:\Windows\system32\Hocjaj32.exe80⤵
- Drops file in System32 directory
PID:528 -
C:\Windows\SysWOW64\Hhlnjpdi.exeC:\Windows\system32\Hhlnjpdi.exe81⤵PID:3876
-
C:\Windows\SysWOW64\Hcabhido.exeC:\Windows\system32\Hcabhido.exe82⤵PID:4772
-
C:\Windows\SysWOW64\Himgjbii.exeC:\Windows\system32\Himgjbii.exe83⤵PID:5140
-
C:\Windows\SysWOW64\Hedhoc32.exeC:\Windows\system32\Hedhoc32.exe84⤵
- Drops file in System32 directory
PID:5184 -
C:\Windows\SysWOW64\Hlnqln32.exeC:\Windows\system32\Hlnqln32.exe85⤵PID:5220
-
C:\Windows\SysWOW64\Hchihhng.exeC:\Windows\system32\Hchihhng.exe86⤵PID:5268
-
C:\Windows\SysWOW64\Ioafchai.exeC:\Windows\system32\Ioafchai.exe87⤵
- Modifies registry class
PID:5312 -
C:\Windows\SysWOW64\Jokiig32.exeC:\Windows\system32\Jokiig32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5352 -
C:\Windows\SysWOW64\Jfdafa32.exeC:\Windows\system32\Jfdafa32.exe89⤵PID:5392
-
C:\Windows\SysWOW64\Jfgnka32.exeC:\Windows\system32\Jfgnka32.exe90⤵
- Drops file in System32 directory
PID:5436 -
C:\Windows\SysWOW64\Jmccnk32.exeC:\Windows\system32\Jmccnk32.exe91⤵PID:5484
-
C:\Windows\SysWOW64\Kjnihnmd.exeC:\Windows\system32\Kjnihnmd.exe92⤵PID:5528
-
C:\Windows\SysWOW64\Ljephmgl.exeC:\Windows\system32\Ljephmgl.exe93⤵PID:5572
-
C:\Windows\SysWOW64\Lcbmlbig.exeC:\Windows\system32\Lcbmlbig.exe94⤵PID:5612
-
C:\Windows\SysWOW64\Lmkbeg32.exeC:\Windows\system32\Lmkbeg32.exe95⤵
- Drops file in System32 directory
PID:5652 -
C:\Windows\SysWOW64\Lcdjba32.exeC:\Windows\system32\Lcdjba32.exe96⤵PID:5688
-
C:\Windows\SysWOW64\Ljoboloa.exeC:\Windows\system32\Ljoboloa.exe97⤵
- Drops file in System32 directory
PID:5732 -
C:\Windows\SysWOW64\Llpofd32.exeC:\Windows\system32\Llpofd32.exe98⤵
- Drops file in System32 directory
PID:5772 -
C:\Windows\SysWOW64\Mbjgcnll.exeC:\Windows\system32\Mbjgcnll.exe99⤵PID:5812
-
C:\Windows\SysWOW64\Midoph32.exeC:\Windows\system32\Midoph32.exe100⤵PID:5852
-
C:\Windows\SysWOW64\Mcicma32.exeC:\Windows\system32\Mcicma32.exe101⤵PID:5888
-
C:\Windows\SysWOW64\Mjcljk32.exeC:\Windows\system32\Mjcljk32.exe102⤵PID:5940
-
C:\Windows\SysWOW64\Mboqnm32.exeC:\Windows\system32\Mboqnm32.exe103⤵PID:5980
-
C:\Windows\SysWOW64\Mihikgod.exeC:\Windows\system32\Mihikgod.exe104⤵PID:6020
-
C:\Windows\SysWOW64\Mpbaga32.exeC:\Windows\system32\Mpbaga32.exe105⤵PID:6060
-
C:\Windows\SysWOW64\Mflidl32.exeC:\Windows\system32\Mflidl32.exe106⤵PID:6096
-
C:\Windows\SysWOW64\Mmfaafej.exeC:\Windows\system32\Mmfaafej.exe107⤵PID:2996
-
C:\Windows\SysWOW64\Nlknbb32.exeC:\Windows\system32\Nlknbb32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5168 -
C:\Windows\SysWOW64\Nfhipj32.exeC:\Windows\system32\Nfhipj32.exe109⤵
- Modifies registry class
PID:5264 -
C:\Windows\SysWOW64\Omdnbd32.exeC:\Windows\system32\Omdnbd32.exe110⤵PID:5304
-
C:\Windows\SysWOW64\Obafjk32.exeC:\Windows\system32\Obafjk32.exe111⤵PID:5380
-
C:\Windows\SysWOW64\Opefdo32.exeC:\Windows\system32\Opefdo32.exe112⤵PID:5448
-
C:\Windows\SysWOW64\Ollgiplp.exeC:\Windows\system32\Ollgiplp.exe113⤵PID:5508
-
C:\Windows\SysWOW64\Olndnp32.exeC:\Windows\system32\Olndnp32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5560 -
C:\Windows\SysWOW64\Omnqhbap.exeC:\Windows\system32\Omnqhbap.exe115⤵
- Modifies registry class
PID:5648 -
C:\Windows\SysWOW64\Odhiemil.exeC:\Windows\system32\Odhiemil.exe116⤵PID:5720
-
C:\Windows\SysWOW64\Pcaoahio.exeC:\Windows\system32\Pcaoahio.exe117⤵PID:5800
-
C:\Windows\SysWOW64\Ajggjq32.exeC:\Windows\system32\Ajggjq32.exe118⤵
- Drops file in System32 directory
PID:5864 -
C:\Windows\SysWOW64\Apaofk32.exeC:\Windows\system32\Apaofk32.exe119⤵PID:5948
-
C:\Windows\SysWOW64\Angleokb.exeC:\Windows\system32\Angleokb.exe120⤵PID:6012
-
C:\Windows\SysWOW64\Akkmocjl.exeC:\Windows\system32\Akkmocjl.exe121⤵PID:6092
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-