Analysis
max time kernel: 169s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2023, 08:40
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.fa4bbe0ede323c901ea447e5f8e45146.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2 (the run reported on this page; see platform above)
  Sample: NEAS.fa4bbe0ede323c901ea447e5f8e45146.exe
  Resource: win10v2004-20231023-en
General
Target: NEAS.fa4bbe0ede323c901ea447e5f8e45146.exe
Size: 55KB
MD5: fa4bbe0ede323c901ea447e5f8e45146
SHA1: bc3b21bd85b60a8088e4fcd5031b41f4688b885a
SHA256: 1624601dbd4a69c2290458c2dde106fbd8576cc1b6d7df1c994bc266f84627ab
SHA512: bd99759bcca116aa710beb1adbb6bd273e5f1f1023e0677127ab101bb74187adaacf7ad12471a66fc6d2f7b02933eff1ec170024f09197f9623f4439455d0a0b
SSDEEP: 768:kvb+QT1htb46xxkVzet1OpNZCiecgp6hx4VU4l20WiosK2p/1H5HYXdnh:C+oHtb46xxeGOZC0gps4fl20zrK2LVq
Malware Config
(empty)
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Every row targets the same key and value. Explorer.exe instantiates each CLSID listed under ShellServiceObjectDelayLoad at logon, so this is COM-based persistence: the value names a CLSID, and the DLL that actually runs is whatever that CLSID's InProcServer32 default value points at (see "Modifies registry class" below). The writes land in the WOW6432Node view because the sample is 32-bit and its registry access is redirected; the 64-bit Explorer on this platform reads the native Software\Microsoft\... key, so hunt in both views.

Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value: Web Event Logger (str) = "{79FEACFF-FFCE-815E-A900-316290B5B738}"

description | Process
Key created | Kbaiip32.exe
Set value (str) | Kcqeng32.exe
Set value (str) | Lgqfmcge.exe
Set value (str) | Fjhmknnd.exe
Set value (str) | Lkqggdoa.exe
Key created | Fgjppfef.exe
Set value (str) | Jgbccm32.exe
Key created | Kkgicccd.exe
Key created | Oegejc32.exe
Key created | Pdenghpi.exe
Set value (str) | Mjlafqbb.exe
Set value (str) | Jqhpafll.exe
Set value (str) | Mapgfk32.exe
Set value (str) | Pdkcnklf.exe
Key created | Afpbenhi.exe
Key created | Ajdjcc32.exe
Set value (str) | Fbmhglqi.exe
Set value (str) | Adnielci.exe
Set value (str) | Olehai32.exe
Key created | Mgoboake.exe
Set value (str) | Dieilepc.exe
Key created | Gqmniq32.exe
Set value (str) | Fpqgclnj.exe
Key created | Djpfbahm.exe
Set value (str) | Ebpjjk32.exe
Set value (str) | Qdldgg32.exe
Key created | Epeobdlc.exe
Key created | Jihnaheb.exe
Key created | Ejegdngb.exe
Key created | Bfdkpn32.exe
Set value (str) | Ifleco32.exe
Key created | Lamjbc32.exe
Set value (str) | Hddien32.exe
Key created | Joicgc32.exe
Set value (str) | Nkojheoe.exe
Key created | Lfnmcnjn.exe
Set value (str) | Fgkfjlib.exe
Key created | Mejnef32.exe
Key created | Kpgfhddn.exe
Key created | Lgqfmcge.exe
Set value (str) | Olmdln32.exe
Key created | Hblkddmn.exe
Key created | Fcneod32.exe
Set value (str) | Dnpdom32.exe
Set value (str) | Hcjmapng.exe
Key created | Fgkfjlib.exe
Key created | Ghdaokfe.exe
Set value (str) | Oacdgdle.exe
Set value (str) | Feifpcpf.exe
Set value (str) | Bhgjcmfi.exe
Set value (str) | Ikgicmpe.exe
Key created | Oegejc32.exe
Set value (str) | Gddqop32.exe
Key created | Ckfofe32.exe
Key created | Nljopa32.exe
Set value (str) | Inpclnnj.exe
Key created | Mebchf32.exe
Key created | Jfhljc32.exe
Set value (str) | Ebbfpjbn.exe
Set value (str) | Filailgl.exe
Key created | Fjeikh32.exe
Set value (str) | Bkdqndqi.exe
Set value (str) | Diamde32.exe
Key created | Aaiqmc32.exe
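A host-side check for this persistence mechanism, added here as an example (not tria.ge code and not from the sample): it lists every ShellServiceObjectDelayLoad value in both registry views, resolves each CLSID's InProcServer32 default value (the DLL Explorer would load) and reports any CLSID missing from a known-good baseline. The live collector needs Windows; the constructed entries reuse the value name, CLSID and one of the DLL paths reported under "Modifies registry class" below, while the WebCheck CLSID and webcheck.dll path in the baseline are illustrative placeholders for a baseline you capture yourself from a clean image of the same build.

```python
"""Audit ShellServiceObjectDelayLoad (SSODL) entries against a known-good baseline.

Added example for this report; not tria.ge code and not code from the sample.
Explorer.exe instantiates every CLSID listed under
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad at
logon and loads whatever DLL that CLSID's InProcServer32 default value names.
Both registry views are read, because a 32-bit writer (as in this report) lands
in WOW6432Node while the 64-bit shell consults the native key.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

# view name -> (SSODL key, CLSID root), both relative to HKLM
VIEWS = {
    "native": (r"Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
               r"Software\Classes\CLSID"),
    "wow64": (r"Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
              r"Software\Classes\WOW6432Node\CLSID"),
}


@dataclass(frozen=True)
class SsodlEntry:
    view: str                # "native" or "wow64"
    value_name: str          # e.g. "Web Event Logger"
    clsid: str               # value data as stored
    server_dll: str | None   # InProcServer32 default value; None if the CLSID is not registered


@dataclass(frozen=True)
class Finding:
    entry: SsodlEntry
    reason: str


def audit_ssodl(entries: list[SsodlEntry], baseline: set[str]) -> list[Finding]:
    """Return a Finding for every entry whose CLSID is not in the baseline (case-insensitive)."""
    known = {c.upper() for c in baseline}
    findings: list[Finding] = []
    for e in entries:
        if not GUID_RE.match(e.clsid):
            findings.append(Finding(e, "value data is not a CLSID"))
        elif e.clsid.upper() in known:
            continue
        elif e.server_dll is None:
            findings.append(Finding(e, "CLSID not in baseline and not registered (dangling entry)"))
        else:
            findings.append(Finding(e, f"CLSID not in baseline; Explorer would load {e.server_dll}"))
    return findings


def read_ssodl_from_registry() -> list[SsodlEntry]:
    """Live collector, Windows only. KEY_WOW64_64KEY pins the 64-bit registry view so the
    result is the same whether the interpreter itself is 32- or 64-bit."""
    import winreg

    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    entries: list[SsodlEntry] = []
    for view, (ssodl_key, clsid_root) in VIEWS.items():
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ssodl_key, 0, access)
        except FileNotFoundError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values under this key
                    break
                index += 1
                clsid = str(data)
                try:
                    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                        rf"{clsid_root}\{clsid}\InProcServer32", 0, access) as srv:
                        dll = str(winreg.QueryValueEx(srv, "")[0])  # "" = the default value
                except FileNotFoundError:
                    dll = None
                entries.append(SsodlEntry(view, name, clsid, dll))
    return entries


# Constructed from this report's IoC rows: the value name and CLSID the stages wrote, with
# one of the DLL paths observed as the InProcServer32 default. The baseline holds WebCheck,
# the stock SSODL entry; treat it as a placeholder and capture your own from a clean image.
REPORT_ENTRY = SsodlEntry("wow64", "Web Event Logger",
                          "{79FEACFF-FFCE-815E-A900-316290B5B738}",
                          r"C:\Windows\SysWow64\Hmapqqhg.dll")
STOCK_ENTRY = SsodlEntry("native", "WebCheck",
                         "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}",
                         r"C:\Windows\System32\webcheck.dll")
BASELINE = {"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}


if __name__ == "__main__":
    entries = read_ssodl_from_registry() if sys.platform == "win32" else [STOCK_ENTRY, REPORT_ENTRY]
    for f in audit_ssodl(entries, BASELINE):
        print(f"[{f.entry.view}] {f.entry.value_name} = {f.entry.clsid}: {f.reason}")
```

The audit deliberately keys on the CLSID rather than on the DLL name: in this report every stage rewrites the InProcServer32 path to a freshly dropped DLL, so the path is not a stable indicator, while the CLSID and value name never change.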
Executes dropped EXE (64 IoCs)
pid and image name of each dropped executable that ran. The first 21 entries are the processes at depths 2 to 22 of the tree under Processes, in launch order.

pid | Process
2112 | Aofjoo32.exe
1580 | Bnicai32.exe
3712 | Cfgace32.exe
324 | Dfngcdhi.exe
3736 | Ebcdjc32.exe
1084 | Gcmpgpkp.exe
440 | Ihmnldib.exe
3760 | Ifqoehhl.exe
920 | Jokpcmmj.exe
1700 | Jfgefg32.exe
2224 | Kplijk32.exe
3844 | Lagepl32.exe
1388 | Mapgfk32.exe
980 | Ndjcne32.exe
2196 | Oickbjmb.exe
1572 | Oggllnkl.exe
3100 | Oalpigkb.exe
968 | Aqdbfa32.exe
5104 | Bqkigp32.exe
5084 | Bgeadjai.exe
1424 | Bhgjcmfi.exe
1288 | Bbpolb32.exe
2872 | Ckfofe32.exe
4216 | Djpfbahm.exe
3612 | Ebnddn32.exe
4840 | Elkbhbeb.exe
4576 | Feofmf32.exe
3664 | Icmbcg32.exe
5116 | Jjnqap32.exe
2664 | Jhhgmlli.exe
2120 | Kjlmbnof.exe
3600 | Kfejmobh.exe
2832 | Lfnmcnjn.exe
4248 | Ljoboloa.exe
3000 | Mbcjimda.exe
1036 | Nmpdgdmp.exe
4640 | Obhlkjaj.exe
2508 | Pgbdmfnc.exe
2972 | Angleokb.exe
3340 | Bgbmdd32.exe
1964 | Bcinie32.exe
4736 | Bdmdng32.exe
4140 | Cmkehicj.exe
3860 | Cmblhh32.exe
1432 | Dgnffp32.exe
4584 | Fnbjpf32.exe
1452 | Ghdaokfe.exe
1440 | Hkiclepa.exe
380 | Idinej32.exe
5080 | Jeanfkob.exe
2524 | Jdnqgg32.exe
464 | Kfbfmi32.exe
3352 | Lhjeoc32.exe
1624 | Mfgiof32.exe
4268 | Onecof32.exe
2052 | Emfgpo32.exe
1836 | Gmkibl32.exe
3876 | Habeni32.exe
5096 | Ikgicmpe.exe
2608 | Jgbccm32.exe
5108 | Jahgpf32.exe
3188 | Lamjbc32.exe
3564 | Lqfpoope.exe
3764 | Mdloelpc.exe
Drops file in System32 directory (64 IoCs)
All paths are under C:\Windows\SysWOW64 (the 32-bit sample's "system32" is redirected there). Stages write both the next stage's EXE (e.g. Jfgefg32.exe creates Kplijk32.exe) and DLLs with the same naming pattern (e.g. Mlcgam32.exe creates Jpihke32.dll, which it then registers as the COM server under "Modifies registry class" below).

description | ioc | Process
File created | C:\Windows\SysWOW64\Cbglam32.exe | Chagcdpe.exe
File created | C:\Windows\SysWOW64\Mglekloo.dll | Nbjhph32.exe
File opened for modification | C:\Windows\SysWOW64\Klifhpjk.exe | Kfehoj32.exe
File opened for modification | C:\Windows\SysWOW64\Jeolonem.exe | Hejjmage.exe
File created | C:\Windows\SysWOW64\Ognpoheh.exe | Opmaaodc.exe
File opened for modification | C:\Windows\SysWOW64\Jndenjmo.exe | Jleicg32.exe
File created | C:\Windows\SysWOW64\Onbbaboi.dll | Gddqop32.exe
File created | C:\Windows\SysWOW64\Hmonjp32.exe | Hfefmflb.exe
File created | C:\Windows\SysWOW64\Oockeiod.exe | Ndhnma32.exe
File created | C:\Windows\SysWOW64\Dcgpmj32.dll | Bnicai32.exe
File created | C:\Windows\SysWOW64\Jahgpf32.exe | Jgbccm32.exe
File created | C:\Windows\SysWOW64\Djoiggbj.dll | Cngfeo32.exe
File created | C:\Windows\SysWOW64\Pgfggene.dll | Qojjmfkj.exe
File opened for modification | C:\Windows\SysWOW64\Cngfeo32.exe | Bijnmhmp.exe
File created | C:\Windows\SysWOW64\Ifabik32.dll | Oeehdcij.exe
File opened for modification | C:\Windows\SysWOW64\Pdcaahbk.exe | Pnfiia32.exe
File created | C:\Windows\SysWOW64\Pnifoaba.exe | Pdcaahbk.exe
File created | C:\Windows\SysWOW64\Bpqjcp32.exe | Aaiqmc32.exe
File created | C:\Windows\SysWOW64\Mnfconak.dll | Djckiapl.exe
File created | C:\Windows\SysWOW64\Mdcodl32.dll | Nemcca32.exe
File created | C:\Windows\SysWOW64\Higjkehf.exe | Hkkgii32.exe
File opened for modification | C:\Windows\SysWOW64\Pdmpck32.exe | Pdkcnklf.exe
File created | C:\Windows\SysWOW64\Fmdach32.exe | Ebjckppa.exe
File created | C:\Windows\SysWOW64\Haaidh32.dll | Kqbdej32.exe
File opened for modification | C:\Windows\SysWOW64\Ebpjjk32.exe | Dkfanqmd.exe
File opened for modification | C:\Windows\SysWOW64\Bfdkpn32.exe | Bkogce32.exe
File created | C:\Windows\SysWOW64\Keoino32.dll | Hohjqfbl.exe
File opened for modification | C:\Windows\SysWOW64\Jmkdeaee.exe | Gflapl32.exe
File created | C:\Windows\SysWOW64\Flqigq32.exe | Doeifpkk.exe
File opened for modification | C:\Windows\SysWOW64\Nhmejf32.exe | Nacmnlkd.exe
File opened for modification | C:\Windows\SysWOW64\Bkmmkj32.exe | Ajdjcc32.exe
File created | C:\Windows\SysWOW64\Nghcnkop.dll | Nelfnd32.exe
File created | C:\Windows\SysWOW64\Ccqejakk.dll | Beeofk32.exe
File opened for modification | C:\Windows\SysWOW64\Fpqgclnj.exe | Foakii32.exe
File created | C:\Windows\SysWOW64\Kiaqggmg.exe | Kfcdkk32.exe
File created | C:\Windows\SysWOW64\Bgbmdd32.exe | Angleokb.exe
File created | C:\Windows\SysWOW64\Hilkfajn.dll | Ligglo32.exe
File created | C:\Windows\SysWOW64\Foonci32.exe | Fgcjoglo.exe
File created | C:\Windows\SysWOW64\Aaokdg32.dll | Kpgoiahj.exe
File created | C:\Windows\SysWOW64\Lmmhlkim.dll | Kfehoj32.exe
File created | C:\Windows\SysWOW64\Mlcgam32.exe | Khdedapj.exe
File created | C:\Windows\SysWOW64\Naaqhlmg.exe | Nifldj32.exe
File created | C:\Windows\SysWOW64\Hmpclnof.exe | Hfekoc32.exe
File created | C:\Windows\SysWOW64\Jpihke32.dll | Mlcgam32.exe
File created | C:\Windows\SysWOW64\Jleddnfj.dll | Kglkdo32.exe
File created | C:\Windows\SysWOW64\Kplijk32.exe | Jfgefg32.exe
File created | C:\Windows\SysWOW64\Nkojheoe.exe | Mhihkjfj.exe
File created | C:\Windows\SysWOW64\Qimhlple.dll | Fpoahbdh.exe
File opened for modification | C:\Windows\SysWOW64\Oalpigkb.exe | Oggllnkl.exe
File created | C:\Windows\SysWOW64\Hnfafpfd.exe | Dmnpah32.exe
File created | C:\Windows\SysWOW64\Nconal32.exe | Mmlphfed.exe
File opened for modification | C:\Windows\SysWOW64\Laqhao32.exe | Ljfodd32.exe
File created | C:\Windows\SysWOW64\Fopomipq.dll | Qfkqcb32.exe
File created | C:\Windows\SysWOW64\Cmnncb32.exe | Bmdkmdoc.exe
File opened for modification | C:\Windows\SysWOW64\Foonci32.exe | Fgcjoglo.exe
File created | C:\Windows\SysWOW64\Aoonpe32.dll | Angleokb.exe
File created | C:\Windows\SysWOW64\Kedoqkbe.exe | Kpgfhddn.exe
File created | C:\Windows\SysWOW64\Adnielci.exe | Andqia32.exe
File opened for modification | C:\Windows\SysWOW64\Ljfhjn32.exe | Lqikfi32.exe
File created | C:\Windows\SysWOW64\Ichkpb32.exe | Iipfgm32.exe
File created | C:\Windows\SysWOW64\Mgfkfg32.dll | Hfekoc32.exe
File opened for modification | C:\Windows\SysWOW64\Bkogce32.exe | Beeofk32.exe
File created | C:\Windows\SysWOW64\Kealapbl.dll | Andqia32.exe
File opened for modification | C:\Windows\SysWOW64\Lfcdph32.exe | Llmpco32.exe
Modifies registry class (64 IoCs)
Every row is under the CLSID that the autorun value above points at. Each stage registers it as an in-process, apartment-threaded COM server and re-points the default value at a DLL it has just dropped into SysWow64 (Mlcgam32.exe, for example, creates Jpihke32.dll in the file-drop list and names it here). Because later stages overwrite the path, the DLL name is not a stable indicator; the CLSID and the "Web Event Logger" value name are.

Key: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32

description | value | Process
Set value (str) | ThreadingModel = "Apartment" | Hkkgii32.exe
Key created | | Jghpkq32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Cbamqf32.dll" | Imiapo32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Hakbkc32.dll" | Hnfafpfd.exe
Key created | | Lfcdph32.exe
Key created | | Ldckkdfl.exe
Set value (str) | ThreadingModel = "Apartment" | Qfdbipbf.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Oopneoel.dll" | Filailgl.exe
Key created | | Oockeiod.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Miajbmbe.dll" | Qddfomkd.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Cpojik32.dll" | Klgqmfpj.exe
Key created | | Nneboemj.exe
Set value (str) | ThreadingModel = "Apartment" | Mhldlnko.exe
Set value (str) | ThreadingModel = "Apartment" | Iqmpfhfj.exe
Set value (str) | ThreadingModel = "Apartment" | Gpodfh32.exe
Set value (str) | ThreadingModel = "Apartment" | Bqkigp32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Keioln32.dll" | Coijja32.exe
Key created | | Nconal32.exe
Set value (str) | ThreadingModel = "Apartment" | Imiapo32.exe
Key created | | Okqbki32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Dnonpm32.dll" | Ldfhpd32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Hjjlan32.dll" | Kplijk32.exe
Set value (str) | ThreadingModel = "Apartment" | Ckfofe32.exe
Set value (str) | ThreadingModel = "Apartment" | Jeolonem.exe
Set value (str) | ThreadingModel = "Apartment" | Pimfji32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Doemfl32.dll" | Ecoacpol.exe
Key created | | Kmncbl32.exe
Set value (str) | ThreadingModel = "Apartment" | Fiodib32.exe
Set value (str) | ThreadingModel = "Apartment" | Pdhklgnf.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Aghgpc32.dll" | Icpemc32.exe
Key created | | Lagepl32.exe
Set value (str) | ThreadingModel = "Apartment" | Kbceoped.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Jkojgh32.dll" | Aifdcgcp.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Inefnb32.dll" | Khdedapj.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Jpihke32.dll" | Mlcgam32.exe
Set value (str) | ThreadingModel = "Apartment" | Ehifka32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Ckjegk32.dll" | Habeni32.exe
Set value (str) | ThreadingModel = "Apartment" | Flebmcil.exe
Key created | | Andqia32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Pooafi32.dll" | Inpclnnj.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Iaopee32.dll" | Gljenmak.exe
Key created | | Cmkehicj.exe
Set value (str) | ThreadingModel = "Apartment" | Ognpoheh.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Oilpjffh.dll" | Hdhlhd32.exe
Set value (str) | ThreadingModel = "Apartment" | Ljbfiegb.exe
Set value (str) | ThreadingModel = "Apartment" | Olmdln32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Bklfhdie.dll" | Fgijdm32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Mhfmom32.dll" | Jfgefg32.exe
Key created | | Lkqggdoa.exe
Set value (str) | ThreadingModel = "Apartment" | Fneogf32.exe
Set value (str) | ThreadingModel = "Apartment" | Adnielci.exe
Key created | | Mdokfb32.exe
Key created | | Jeanfkob.exe
Set value (str) | ThreadingModel = "Apartment" | Klgqmfpj.exe
Set value (str) | ThreadingModel = "Apartment" | Mmlphfed.exe
Set value (str) | ThreadingModel = "Apartment" | Kijcanhl.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Dckafp32.dll" | Obgccn32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Jmjoim32.dll" | Hplbbipm.exe
Set value (str) | ThreadingModel = "Apartment" | Gfcebf32.exe
Key created | | Hgocapmi.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Eflpee32.dll" | Pmjheaad.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Aohfbn32.dll" | Jfmeebgg.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Hmapqqhg.dll" | Eehnifoi.exe
Set value (str) | ThreadingModel = "Apartment" | Kaemgn32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent -> child pair appears three times in the raw list; collapsed, the rows form one linear chain from the sample through the dropped EXEs, matching the tree under Processes. Columns: pid, Process, target pid, procid_target, occurrences.

4252 | NEAS.fa4bbe0ede323c901ea447e5f8e45146.exe | -> 2112 | 91 | x3
2112 | Aofjoo32.exe | -> 1580 | 92 | x3
1580 | Bnicai32.exe | -> 3712 | 93 | x3
3712 | Cfgace32.exe | -> 324 | 94 | x3
324 | Dfngcdhi.exe | -> 3736 | 95 | x3
3736 | Ebcdjc32.exe | -> 1084 | 96 | x3
1084 | Gcmpgpkp.exe | -> 440 | 97 | x3
440 | Ihmnldib.exe | -> 3760 | 98 | x3
3760 | Ifqoehhl.exe | -> 920 | 99 | x3
920 | Jokpcmmj.exe | -> 1700 | 100 | x3
1700 | Jfgefg32.exe | -> 2224 | 101 | x3
2224 | Kplijk32.exe | -> 3844 | 102 | x3
3844 | Lagepl32.exe | -> 1388 | 103 | x3
1388 | Mapgfk32.exe | -> 980 | 104 | x3
980 | Ndjcne32.exe | -> 2196 | 105 | x3
2196 | Oickbjmb.exe | -> 1572 | 106 | x3
1572 | Oggllnkl.exe | -> 3100 | 107 | x3
3100 | Oalpigkb.exe | -> 968 | 108 | x3
968 | Aqdbfa32.exe | -> 5104 | 109 | x3
5104 | Bqkigp32.exe | -> 5084 | 110 | x3
5084 | Bgeadjai.exe | -> 1424 | 111 | x3
1424 | Bhgjcmfi.exe | -> 1288 | 112 | x1 (list is capped at 64 rows)
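Turning the flattened rows above into the launch chain, as an added example (not tria.ge code): the parser de-duplicates the repeated rows, walks writer-to-target edges from the sample's pid, refuses to flatten a fan-out or a cycle into a chain, and takes the name of the final process from the "Executes dropped EXE" list, since the last target never appears as a writer. The embedded sample rows are constructed from the first entries above, and the regexes assume the row layout shown on this page.

```python
"""Rebuild the launch chain from tria.ge "Suspicious use of WriteProcessMemory" rows.

Added example for this report; not tria.ge code. The raw list repeats each
parent -> child pair (three times here), so rows are de-duplicated before the
chain is walked. The "Executes dropped EXE" pid/Process list supplies the name
of the final process, which never appears as a writer.
"""
from __future__ import annotations

import re

# "PID 4252 wrote to memory of 2112 4252 NEAS....exe 91": writer pid, target pid,
# writer pid again, writer process name, then the report-internal procid_target.
WPM_ROW = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<target>\d+)"
)
# "pid Process 2112 Aofjoo32.exe 1580 Bnicai32.exe ...": pid followed by image name.
DROPPED_ROW = re.compile(r"(?P<pid>\d+) (?P<proc>\S+\.exe)")


def parse_wpm_rows(text: str) -> list[tuple[int, int, str, int]]:
    """De-duplicated (writer_pid, target_pid, writer_process, procid_target), first-seen order."""
    seen: set[tuple[int, int, str, int]] = set()
    rows: list[tuple[int, int, str, int]] = []
    for m in WPM_ROW.finditer(text):
        row = (int(m["src"]), int(m["dst"]), m["proc"], int(m["target"]))
        if row not in seen:
            seen.add(row)
            rows.append(row)
    return rows


def parse_dropped(text: str) -> dict[int, str]:
    """pid -> process name from the 'Executes dropped EXE' list."""
    return {int(m["pid"]): m["proc"] for m in DROPPED_ROW.finditer(text)}


def build_chain(rows: list[tuple[int, int, str, int]], root_pid: int,
                names: dict[int, str] | None = None) -> list[tuple[int, str]]:
    """Follow writer -> target edges from root_pid and return [(pid, process), ...].
    Raises ValueError on fan-out or a cycle so a tree is never misreported as a chain."""
    children: dict[int, set[int]] = {}
    known_names: dict[int, str] = dict(names or {})
    for src, dst, proc, _ in rows:
        children.setdefault(src, set()).add(dst)
        known_names[src] = proc            # the writer's own name is authoritative
    chain: list[tuple[int, str]] = []
    visited: set[int] = set()
    pid = root_pid
    while True:
        if pid in visited:
            raise ValueError(f"cycle at pid {pid}")
        visited.add(pid)
        chain.append((pid, known_names.get(pid, "?")))
        kids = children.get(pid)
        if not kids:
            return chain                   # leaf: nothing recorded as written by this pid
        if len(kids) != 1:
            raise ValueError(f"pid {pid} writes to {len(kids)} children; not a linear chain")
        pid = next(iter(kids))


# Constructed from the first rows of the list above (three copies per pair, as on the page).
SAMPLE_WPM = (
    "PID 4252 wrote to memory of 2112 4252 NEAS.fa4bbe0ede323c901ea447e5f8e45146.exe 91 " * 3
    + "PID 2112 wrote to memory of 1580 2112 Aofjoo32.exe 92 " * 3
    + "PID 1580 wrote to memory of 3712 1580 Bnicai32.exe 93 " * 3
    + "PID 3712 wrote to memory of 324 3712 Cfgace32.exe 94"
)
SAMPLE_DROPPED = "pid Process 2112 Aofjoo32.exe 1580 Bnicai32.exe 3712 Cfgace32.exe 324 Dfngcdhi.exe"


if __name__ == "__main__":
    chain = build_chain(parse_wpm_rows(SAMPLE_WPM), 4252, parse_dropped(SAMPLE_DROPPED))
    for depth, (pid, name) in enumerate(chain, 1):
        print(f"{depth:>2}  pid {pid:<5} {name}")
```

On the full list above the same walk yields 23 processes (the sample plus 22 targets), which is exactly the depth at which the Processes tree on this page is cut off.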
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.fa4bbe0ede323c901ea447e5f8e45146.exe "C:\Users\Admin\AppData\Local\Temp\NEAS.fa4bbe0ede323c901ea447e5f8e45146.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:4252
-
C:\Windows\SysWOW64\Aofjoo32.exe C:\Windows\system32\Aofjoo32.exe 2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112
-
C:\Windows\SysWOW64\Bnicai32.exe C:\Windows\system32\Bnicai32.exe 3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1580
-
C:\Windows\SysWOW64\Cfgace32.exe C:\Windows\system32\Cfgace32.exe 4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712
-
C:\Windows\SysWOW64\Dfngcdhi.exe C:\Windows\system32\Dfngcdhi.exe 5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324
-
C:\Windows\SysWOW64\Ebcdjc32.exe C:\Windows\system32\Ebcdjc32.exe 6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736
-
C:\Windows\SysWOW64\Gcmpgpkp.exe C:\Windows\system32\Gcmpgpkp.exe 7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084
-
C:\Windows\SysWOW64\Ihmnldib.exe C:\Windows\system32\Ihmnldib.exe 8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440
-
C:\Windows\SysWOW64\Ifqoehhl.exe C:\Windows\system32\Ifqoehhl.exe 9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760
-
C:\Windows\SysWOW64\Jokpcmmj.exe C:\Windows\system32\Jokpcmmj.exe 10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920
-
C:\Windows\SysWOW64\Jfgefg32.exe C:\Windows\system32\Jfgefg32.exe 11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700
-
C:\Windows\SysWOW64\Kplijk32.exe C:\Windows\system32\Kplijk32.exe 12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2224
-
C:\Windows\SysWOW64\Lagepl32.exe C:\Windows\system32\Lagepl32.exe 13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3844
-
C:\Windows\SysWOW64\Mapgfk32.exe C:\Windows\system32\Mapgfk32.exe 14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388
-
C:\Windows\SysWOW64\Ndjcne32.exe C:\Windows\system32\Ndjcne32.exe 15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980
-
C:\Windows\SysWOW64\Oickbjmb.exe C:\Windows\system32\Oickbjmb.exe 16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196
-
C:\Windows\SysWOW64\Oggllnkl.exe C:\Windows\system32\Oggllnkl.exe 17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1572
-
C:\Windows\SysWOW64\Oalpigkb.exe C:\Windows\system32\Oalpigkb.exe 18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100
-
C:\Windows\SysWOW64\Aqdbfa32.exe C:\Windows\system32\Aqdbfa32.exe 19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968
-
C:\Windows\SysWOW64\Bqkigp32.exe C:\Windows\system32\Bqkigp32.exe 20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5104
-
C:\Windows\SysWOW64\Bgeadjai.exe C:\Windows\system32\Bgeadjai.exe 21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084
-
C:\Windows\SysWOW64\Bhgjcmfi.exe C:\Windows\system32\Bhgjcmfi.exe 22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424
-
C:\Windows\SysWOW64\Bbpolb32.exe C:\Windows\system32\Bbpolb32.exe 23⤵
- Executes dropped EXE
PID:1288
-
C:\Windows\SysWOW64\Ckfofe32.exe C:\Windows\system32\Ckfofe32.exe 24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2872
-
C:\Windows\SysWOW64\Djpfbahm.exe C:\Windows\system32\Djpfbahm.exe 25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4216
-
C:\Windows\SysWOW64\Ebnddn32.exe C:\Windows\system32\Ebnddn32.exe 26⤵
- Executes dropped EXE
PID:3612
-
C:\Windows\SysWOW64\Elkbhbeb.exe C:\Windows\system32\Elkbhbeb.exe 27⤵
- Executes dropped EXE
PID:4840
-
C:\Windows\SysWOW64\Feofmf32.exe C:\Windows\system32\Feofmf32.exe 28⤵
- Executes dropped EXE
PID:4576
-
C:\Windows\SysWOW64\Icmbcg32.exe C:\Windows\system32\Icmbcg32.exe 29⤵
- Executes dropped EXE
PID:3664
-
C:\Windows\SysWOW64\Jjnqap32.exe C:\Windows\system32\Jjnqap32.exe 30⤵
- Executes dropped EXE
PID:5116
-
C:\Windows\SysWOW64\Jhhgmlli.exe C:\Windows\system32\Jhhgmlli.exe 31⤵
- Executes dropped EXE
PID:2664
-
C:\Windows\SysWOW64\Kjlmbnof.exe C:\Windows\system32\Kjlmbnof.exe 32⤵
- Executes dropped EXE
PID:2120
-
C:\Windows\SysWOW64\Kfejmobh.exe C:\Windows\system32\Kfejmobh.exe 33⤵
- Executes dropped EXE
PID:3600
-
C:\Windows\SysWOW64\Lfnmcnjn.exe C:\Windows\system32\Lfnmcnjn.exe 34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2832
-
C:\Windows\SysWOW64\Ljoboloa.exe C:\Windows\system32\Ljoboloa.exe 35⤵
- Executes dropped EXE
PID:4248
-
C:\Windows\SysWOW64\Mbcjimda.exe C:\Windows\system32\Mbcjimda.exe 36⤵
- Executes dropped EXE
PID:3000
-
C:\Windows\SysWOW64\Nmpdgdmp.exe C:\Windows\system32\Nmpdgdmp.exe 37⤵
- Executes dropped EXE
PID:1036
-
C:\Windows\SysWOW64\Obhlkjaj.exe C:\Windows\system32\Obhlkjaj.exe 38⤵
- Executes dropped EXE
PID:4640
-
C:\Windows\SysWOW64\Pgbdmfnc.exe C:\Windows\system32\Pgbdmfnc.exe 39⤵
- Executes dropped EXE
PID:2508
-
C:\Windows\SysWOW64\Angleokb.exe C:\Windows\system32\Angleokb.exe 40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2972
-
C:\Windows\SysWOW64\Bgbmdd32.exe C:\Windows\system32\Bgbmdd32.exe 41⤵
- Executes dropped EXE
PID:3340
-
C:\Windows\SysWOW64\Bcinie32.exe C:\Windows\system32\Bcinie32.exe 42⤵
- Executes dropped EXE
PID:1964
-
C:\Windows\SysWOW64\Bdmdng32.exe C:\Windows\system32\Bdmdng32.exe 43⤵
- Executes dropped EXE
PID:4736
-
C:\Windows\SysWOW64\Cmkehicj.exe C:\Windows\system32\Cmkehicj.exe 44⤵
- Executes dropped EXE
- Modifies registry class
PID:4140
-
C:\Windows\SysWOW64\Cmblhh32.exe C:\Windows\system32\Cmblhh32.exe 45⤵
- Executes dropped EXE
PID:3860
-
C:\Windows\SysWOW64\Dgnffp32.exe C:\Windows\system32\Dgnffp32.exe 46⤵
- Executes dropped EXE
PID:1432
-
C:\Windows\SysWOW64\Fagcfc32.exe C:\Windows\system32\Fagcfc32.exe 47⤵
PID:1952
-
C:\Windows\SysWOW64\Fnbjpf32.exe C:\Windows\system32\Fnbjpf32.exe 48⤵
- Executes dropped EXE
PID:4584
-
C:\Windows\SysWOW64\Ghdaokfe.exe C:\Windows\system32\Ghdaokfe.exe 49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1452
-
C:\Windows\SysWOW64\Hkiclepa.exe C:\Windows\system32\Hkiclepa.exe 50⤵
- Executes dropped EXE
PID:1440
-
C:\Windows\SysWOW64\Idinej32.exe C:\Windows\system32\Idinej32.exe 51⤵
- Executes dropped EXE
PID:380
-
C:\Windows\SysWOW64\Jeanfkob.exe C:\Windows\system32\Jeanfkob.exe 52⤵
- Executes dropped EXE
- Modifies registry class
PID:5080
-
C:\Windows\SysWOW64\Jdnqgg32.exe C:\Windows\system32\Jdnqgg32.exe 53⤵
- Executes dropped EXE
PID:2524
-
C:\Windows\SysWOW64\Kfbfmi32.exe C:\Windows\system32\Kfbfmi32.exe 54⤵
- Executes dropped EXE
PID:464
-
C:\Windows\SysWOW64\Lhjeoc32.exe C:\Windows\system32\Lhjeoc32.exe 55⤵
- Executes dropped EXE
PID:3352
-
C:\Windows\SysWOW64\Mfgiof32.exe C:\Windows\system32\Mfgiof32.exe 56⤵
- Executes dropped EXE
PID:1624
-
C:\Windows\SysWOW64\Onecof32.exe C:\Windows\system32\Onecof32.exe 57⤵
- Executes dropped EXE
PID:4268
-
C:\Windows\SysWOW64\Emfgpo32.exe C:\Windows\system32\Emfgpo32.exe 58⤵
- Executes dropped EXE
PID:2052
-
C:\Windows\SysWOW64\Gmkibl32.exe C:\Windows\system32\Gmkibl32.exe 59⤵
- Executes dropped EXE
PID:1836
-
C:\Windows\SysWOW64\Habeni32.exe C:\Windows\system32\Habeni32.exe 60⤵
- Executes dropped EXE
- Modifies registry class
PID:3876
-
C:\Windows\SysWOW64\Ikgicmpe.exe C:\Windows\system32\Ikgicmpe.exe 61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5096
-
C:\Windows\SysWOW64\Jgbccm32.exe C:\Windows\system32\Jgbccm32.exe 62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2608
-
C:\Windows\SysWOW64\Jahgpf32.exe C:\Windows\system32\Jahgpf32.exe 63⤵
- Executes dropped EXE
PID:5108
-
C:\Windows\SysWOW64\Lamjbc32.exe C:\Windows\system32\Lamjbc32.exe 64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3188
-
C:\Windows\SysWOW64\Lqfpoope.exe C:\Windows\system32\Lqfpoope.exe 65⤵
- Executes dropped EXE
PID:3564
-
C:\Windows\SysWOW64\Mdloelpc.exe C:\Windows\system32\Mdloelpc.exe 66⤵
- Executes dropped EXE
PID:3764
-
C:\Windows\SysWOW64\Moacbe32.exe C:\Windows\system32\Moacbe32.exe 67⤵
PID:4856
-
C:\Windows\SysWOW64\Mhihkjfj.exe C:\Windows\system32\Mhihkjfj.exe 68⤵
- Drops file in System32 directory
PID:4844
-
C:\Windows\SysWOW64\Nkojheoe.exe C:\Windows\system32\Nkojheoe.exe 69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2756
-
C:\Windows\SysWOW64\Oeekbhif.exe C:\Windows\system32\Oeekbhif.exe 70⤵
PID:2720
-
C:\Windows\SysWOW64\Pnbifmla.exe C:\Windows\system32\Pnbifmla.exe 71⤵
PID:1328
-
C:\Windows\SysWOW64\Aaoadg32.exe C:\Windows\system32\Aaoadg32.exe 72⤵
PID:4224
-
C:\Windows\SysWOW64\Ejegdngb.exe C:\Windows\system32\Ejegdngb.exe 73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4636
-
C:\Windows\SysWOW64\Gflapl32.exe C:\Windows\system32\Gflapl32.exe 74⤵
- Drops file in System32 directory
PID:3328
-
C:\Windows\SysWOW64\Jmkdeaee.exe C:\Windows\system32\Jmkdeaee.exe 75⤵
PID:180
-
C:\Windows\SysWOW64\Kaemgn32.exe C:\Windows\system32\Kaemgn32.exe 76⤵
- Modifies registry class
PID:872
-
C:\Windows\SysWOW64\Ligglo32.exe C:\Windows\system32\Ligglo32.exe 77⤵
- Drops file in System32 directory
PID:3844
-
C:\Windows\SysWOW64\Lgkhec32.exe C:\Windows\system32\Lgkhec32.exe 78⤵
PID:3440
-
C:\Windows\SysWOW64\Laqlclga.exe C:\Windows\system32\Laqlclga.exe 79⤵
PID:1000
-
C:\Windows\SysWOW64\Mphfjhjf.exe C:\Windows\system32\Mphfjhjf.exe 80⤵
PID:980
-
C:\Windows\SysWOW64\Ncbaabom.exe C:\Windows\system32\Ncbaabom.exe 81⤵
PID:780
-
C:\Windows\SysWOW64\Nklfho32.exe C:\Windows\system32\Nklfho32.exe 82⤵
PID:4024
-
C:\Windows\SysWOW64\Nbjhph32.exe C:\Windows\system32\Nbjhph32.exe 83⤵
- Drops file in System32 directory
PID:1108
-
C:\Windows\SysWOW64\Onklkhnn.exe C:\Windows\system32\Onklkhnn.exe 84⤵
PID:1544
-
C:\Windows\SysWOW64\Anmagenh.exe C:\Windows\system32\Anmagenh.exe 85⤵
PID:2212
-
C:\Windows\SysWOW64\Ahjoljqc.exe C:\Windows\system32\Ahjoljqc.exe 86⤵
PID:1596
-
C:\Windows\SysWOW64\Bniacddk.exe C:\Windows\system32\Bniacddk.exe 87⤵
PID:4764
-
C:\Windows\SysWOW64\Coijja32.exe C:\Windows\system32\Coijja32.exe 88⤵
- Modifies registry class
PID:3652
-
C:\Windows\SysWOW64\Doeifpkk.exe C:\Windows\system32\Doeifpkk.exe 89⤵
- Drops file in System32 directory
PID:3300
-
C:\Windows\SysWOW64\Flqigq32.exe C:\Windows\system32\Flqigq32.exe 90⤵
PID:1792
-
C:\Windows\SysWOW64\Ghjfaa32.exe C:\Windows\system32\Ghjfaa32.exe 91⤵
PID:1960
-
C:\Windows\SysWOW64\Gfbpfedp.exe C:\Windows\system32\Gfbpfedp.exe 92⤵
PID:1948
-
C:\Windows\SysWOW64\Hejjmage.exe C:\Windows\system32\Hejjmage.exe 93⤵
- Drops file in System32 directory
PID:2900
-
C:\Windows\SysWOW64\Jeolonem.exe C:\Windows\system32\Jeolonem.exe 94⤵
- Modifies registry class
PID:652
-
C:\Windows\SysWOW64\Jimeelkc.exe C:\Windows\system32\Jimeelkc.exe 95⤵
PID:1296
-
C:\Windows\SysWOW64\Klgqmfpj.exe C:\Windows\system32\Klgqmfpj.exe 96⤵
- Modifies registry class
PID:4728
-
C:\Windows\SysWOW64\Kbaiip32.exe C:\Windows\system32\Kbaiip32.exe 97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4480
-
C:\Windows\SysWOW64\Kbceoped.exe C:\Windows\system32\Kbceoped.exe 98⤵
- Modifies registry class
PID:3288
-
C:\Windows\SysWOW64\Kpgfhddn.exe C:\Windows\system32\Kpgfhddn.exe 99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3664
-
C:\Windows\SysWOW64\Kedoqkbe.exe C:\Windows\system32\Kedoqkbe.exe 100⤵
PID:1888
-
C:\Windows\SysWOW64\Ldeonbkd.exe C:\Windows\system32\Ldeonbkd.exe 101⤵
PID:1100
-
C:\Windows\SysWOW64\Libggiik.exe C:\Windows\system32\Libggiik.exe 102⤵
PID:4664
-
C:\Windows\SysWOW64\Lpqioclc.exe C:\Windows\system32\Lpqioclc.exe 103⤵
PID:5024
-
C:\Windows\SysWOW64\Liimgh32.exe C:\Windows\system32\Liimgh32.exe 104⤵
PID:2944
-
C:\Windows\SysWOW64\Lbabpn32.exe C:\Windows\system32\Lbabpn32.exe 105⤵
PID:2404
-
C:\Windows\SysWOW64\Mmlphfed.exe C:\Windows\system32\Mmlphfed.exe 106⤵
- Drops file in System32 directory
- Modifies registry class
PID:3748
-
C:\Windows\SysWOW64\Nconal32.exe C:\Windows\system32\Nconal32.exe 107⤵
- Modifies registry class
PID:3596
-
C:\Windows\SysWOW64\Nneboemj.exe C:\Windows\system32\Nneboemj.exe 108⤵
- Modifies registry class
PID:3608
-
C:\Windows\SysWOW64\Nljopa32.exe C:\Windows\system32\Nljopa32.exe 109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5080
-
C:\Windows\SysWOW64\Opmaaodc.exe C:\Windows\system32\Opmaaodc.exe 110⤵
- Drops file in System32 directory
PID:2140
-
C:\Windows\SysWOW64\Ognpoheh.exe C:\Windows\system32\Ognpoheh.exe 111⤵
- Modifies registry class
PID:3096
-
C:\Windows\SysWOW64\Pdkcnklf.exe C:\Windows\system32\Pdkcnklf.exe 112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2828
-
C:\Windows\SysWOW64\Pdmpck32.exe C:\Windows\system32\Pdmpck32.exe 113⤵
PID:3960
-
C:\Windows\SysWOW64\Aqijdk32.exe C:\Windows\system32\Aqijdk32.exe 114⤵
PID:1420
-
C:\Windows\SysWOW64\Bjokno32.exe C:\Windows\system32\Bjokno32.exe 115⤵
PID:384
-
C:\Windows\SysWOW64\Dmnpah32.exe C:\Windows\system32\Dmnpah32.exe 116⤵
- Drops file in System32 directory
PID:952
-
C:\Windows\SysWOW64\Hnfafpfd.exe C:\Windows\system32\Hnfafpfd.exe 117⤵
- Modifies registry class
PID:3936
-
C:\Windows\SysWOW64\Inpclnnj.exe C:\Windows\system32\Inpclnnj.exe 118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3008
-
C:\Windows\SysWOW64\Jpkpbpko.exe C:\Windows\system32\Jpkpbpko.exe 119⤵
PID:1644
-
C:\Windows\SysWOW64\Kfehoj32.exe C:\Windows\system32\Kfehoj32.exe 120⤵
- Drops file in System32 directory
PID:1872
-
C:\Windows\SysWOW64\Klifhpjk.exe C:\Windows\system32\Klifhpjk.exe 121⤵
PID:1488
-
C:\Windows\SysWOW64\Kbbodj32.exe C:\Windows\system32\Kbbodj32.exe 122⤵
PID:2800