Analysis
- max time kernel: 146s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/11/2023, 23:20
Static task: static1 (1 signature)
Behavioral task: behavioral1
- Sample: NEAS.cf9b2c7ac23519a2e6f9fc7c3debada0_JC.exe
- Resource: win7-20231023-en
- 7 signatures, 150 seconds
Behavioral task: behavioral2
- Sample: NEAS.cf9b2c7ac23519a2e6f9fc7c3debada0_JC.exe
- Resource: win10v2004-20231023-en
- 5 signatures, 150 seconds
General
- Target: NEAS.cf9b2c7ac23519a2e6f9fc7c3debada0_JC.exe
- Size: 363KB
- MD5: cf9b2c7ac23519a2e6f9fc7c3debada0
- SHA1: d45318405ddbc72a7f438764afae4c0b13095b95
- SHA256: cdc8e1c74b7e83da46c4204a471fdc5199554856b1d90c3a1a8239223916a414
- SHA512: a6ba687ebd9d4a47bfafa768daba45321b11dca9d32f3008cf6303c7a52124165179ea57db50aa0116a91240d65478979ff3a326600576747d210c55bf35eacd
- SSDEEP: 6144:VNjFx5tTDUZNSN58VU5tTbVXksax8n5tTDUZNSN58VU5tT:fn5t6NSN6G5tP6sus5t6NSN6G5t
- Score: 10/10
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (numbered by depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\NEAS.cf9b2c7ac23519a2e6f9fc7c3debada0_JC.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.cf9b2c7ac23519a2e6f9fc7c3debada0_JC.exe"
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 1492

2. C:\Windows\SysWOW64\Hcofbifb.exe
   Command line: C:\Windows\system32\Hcofbifb.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 1976

3. C:\Windows\SysWOW64\Ikmpcicg.exe
   Command line: C:\Windows\system32\Ikmpcicg.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 768

4. C:\Windows\SysWOW64\Jfdafa32.exe
   Command line: C:\Windows\system32\Jfdafa32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 2128

5. C:\Windows\SysWOW64\Joaojf32.exe
   Command line: C:\Windows\system32\Joaojf32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 4828

6. C:\Windows\SysWOW64\Kblkap32.exe
   Command line: C:\Windows\system32\Kblkap32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 4088

7. C:\Windows\SysWOW64\Lmheph32.exe
   Command line: C:\Windows\system32\Lmheph32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 1980

8. C:\Windows\SysWOW64\Mcggga32.exe
   Command line: C:\Windows\system32\Mcggga32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 3124

9. C:\Windows\SysWOW64\Mfhpilbc.exe
   Command line: C:\Windows\system32\Mfhpilbc.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 2036

10. C:\Windows\SysWOW64\Njmopj32.exe
    Command line: C:\Windows\system32\Njmopj32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2656

11. C:\Windows\SysWOW64\Njceqili.exe
    Command line: C:\Windows\system32\Njceqili.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4932

12. C:\Windows\SysWOW64\Oiphbd32.exe
    Command line: C:\Windows\system32\Oiphbd32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1860

13. C:\Windows\SysWOW64\Pdlbpldg.exe
    Command line: C:\Windows\system32\Pdlbpldg.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3616

14. C:\Windows\SysWOW64\Apcllk32.exe
    Command line: C:\Windows\system32\Apcllk32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 4652

15. C:\Windows\SysWOW64\Bdkghg32.exe
    Command line: C:\Windows\system32\Bdkghg32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3964

16. C:\Windows\SysWOW64\Bqdechnf.exe
    Command line: C:\Windows\system32\Bqdechnf.exe
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4492

17. C:\Windows\SysWOW64\Cdfgdf32.exe
    Command line: C:\Windows\system32\Cdfgdf32.exe
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1092

18. C:\Windows\SysWOW64\Cjcolm32.exe
    Command line: C:\Windows\system32\Cjcolm32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 908

19. C:\Windows\SysWOW64\Dnkkij32.exe
    Command line: C:\Windows\system32\Dnkkij32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1696

20. C:\Windows\SysWOW64\Eakdje32.exe
    Command line: C:\Windows\system32\Eakdje32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1996

21. C:\Windows\SysWOW64\Eghimo32.exe
    Command line: C:\Windows\system32\Eghimo32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1224

22. C:\Windows\SysWOW64\Fhalcm32.exe
    Command line: C:\Windows\system32\Fhalcm32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Glkdejcd.exeC:\Windows\system32\Glkdejcd.exe23⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Hdmojkjg.exeC:\Windows\system32\Hdmojkjg.exe24⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Hkiclepa.exeC:\Windows\system32\Hkiclepa.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Ikgpmc32.exeC:\Windows\system32\Ikgpmc32.exe26⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Ihkpgg32.exeC:\Windows\system32\Ihkpgg32.exe27⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Jefgak32.exeC:\Windows\system32\Jefgak32.exe28⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Jhgpbf32.exeC:\Windows\system32\Jhgpbf32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:3848 -
C:\Windows\SysWOW64\Jekpljgg.exeC:\Windows\system32\Jekpljgg.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4576 -
C:\Windows\SysWOW64\Klgend32.exeC:\Windows\system32\Klgend32.exe31⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Kfdcbiol.exeC:\Windows\system32\Kfdcbiol.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3828 -
C:\Windows\SysWOW64\Lndaaj32.exeC:\Windows\system32\Lndaaj32.exe33⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Lfnfhg32.exeC:\Windows\system32\Lfnfhg32.exe34⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Lmhnea32.exeC:\Windows\system32\Lmhnea32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4816 -
C:\Windows\SysWOW64\Lfbpcgbl.exeC:\Windows\system32\Lfbpcgbl.exe36⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Mnggnh32.exeC:\Windows\system32\Mnggnh32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Neaokboj.exeC:\Windows\system32\Neaokboj.exe38⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Nmmqgo32.exeC:\Windows\system32\Nmmqgo32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Nnpjdfpb.exeC:\Windows\system32\Nnpjdfpb.exe40⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Olkqnjhd.exeC:\Windows\system32\Olkqnjhd.exe41⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Ofcaab32.exeC:\Windows\system32\Ofcaab32.exe42⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Pblolb32.exeC:\Windows\system32\Pblolb32.exe43⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Poelfc32.exeC:\Windows\system32\Poelfc32.exe44⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Ampojimo.exeC:\Windows\system32\Ampojimo.exe45⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Bchgnoai.exeC:\Windows\system32\Bchgnoai.exe46⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Bcomonkq.exeC:\Windows\system32\Bcomonkq.exe47⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Cgmfel32.exeC:\Windows\system32\Cgmfel32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Cnjkgf32.exeC:\Windows\system32\Cnjkgf32.exe49⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Djgbmffn.exeC:\Windows\system32\Djgbmffn.exe50⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Ecnbgian.exeC:\Windows\system32\Ecnbgian.exe51⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Ffahnd32.exeC:\Windows\system32\Ffahnd32.exe52⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Fanbll32.exeC:\Windows\system32\Fanbll32.exe53⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Gjmmfq32.exeC:\Windows\system32\Gjmmfq32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4688 -
C:\Windows\SysWOW64\Gpjfng32.exeC:\Windows\system32\Gpjfng32.exe55⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Gcgndf32.exeC:\Windows\system32\Gcgndf32.exe56⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Hhhdpd32.exeC:\Windows\system32\Hhhdpd32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4536 -
C:\Windows\SysWOW64\Iffcgoka.exeC:\Windows\system32\Iffcgoka.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Idjdqc32.exeC:\Windows\system32\Idjdqc32.exe59⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Idmafc32.exeC:\Windows\system32\Idmafc32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:5008 -
C:\Windows\SysWOW64\Igmjhnej.exeC:\Windows\system32\Igmjhnej.exe61⤵
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Jdajabdc.exeC:\Windows\system32\Jdajabdc.exe62⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Jmqekg32.exeC:\Windows\system32\Jmqekg32.exe63⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Kdbchp32.exeC:\Windows\system32\Kdbchp32.exe64⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Kojdkhdd.exeC:\Windows\system32\Kojdkhdd.exe65⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Lnoalehl.exeC:\Windows\system32\Lnoalehl.exe66⤵PID:4292
-
C:\Windows\SysWOW64\Lqdcio32.exeC:\Windows\system32\Lqdcio32.exe67⤵PID:2136
-
C:\Windows\SysWOW64\Lkjhfh32.exeC:\Windows\system32\Lkjhfh32.exe68⤵PID:3556
-
C:\Windows\SysWOW64\Mbhina32.exeC:\Windows\system32\Mbhina32.exe69⤵PID:4392
-
C:\Windows\SysWOW64\Mhgkfkhl.exeC:\Windows\system32\Mhgkfkhl.exe70⤵
- Drops file in System32 directory
PID:820 -
C:\Windows\SysWOW64\Moacbe32.exeC:\Windows\system32\Moacbe32.exe71⤵
- Drops file in System32 directory
PID:3264 -
C:\Windows\SysWOW64\Mhihkjfj.exeC:\Windows\system32\Mhihkjfj.exe72⤵PID:3076
-
C:\Windows\SysWOW64\Neebkkgi.exeC:\Windows\system32\Neebkkgi.exe73⤵
- Modifies registry class
PID:4836 -
C:\Windows\SysWOW64\Nbibeo32.exeC:\Windows\system32\Nbibeo32.exe74⤵PID:1108
-
C:\Windows\SysWOW64\Ongijo32.exeC:\Windows\system32\Ongijo32.exe75⤵PID:3640
-
C:\Windows\SysWOW64\Pnbifmla.exeC:\Windows\system32\Pnbifmla.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1540 -
C:\Windows\SysWOW64\Qbggmk32.exeC:\Windows\system32\Qbggmk32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1384 -
C:\Windows\SysWOW64\Alplfpbp.exeC:\Windows\system32\Alplfpbp.exe78⤵
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Aldeap32.exeC:\Windows\system32\Aldeap32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4900 -
C:\Windows\SysWOW64\Apdkmn32.exeC:\Windows\system32\Apdkmn32.exe80⤵PID:4012
-
C:\Windows\SysWOW64\Blbabnbk.exeC:\Windows\system32\Blbabnbk.exe81⤵PID:2408
-
C:\Windows\SysWOW64\Ciioaa32.exeC:\Windows\system32\Ciioaa32.exe82⤵PID:1504
-
C:\Windows\SysWOW64\Coegih32.exeC:\Windows\system32\Coegih32.exe83⤵PID:1628
-
C:\Windows\SysWOW64\Dpqcoj32.exeC:\Windows\system32\Dpqcoj32.exe84⤵PID:5140
-
C:\Windows\SysWOW64\Dcdifdem.exeC:\Windows\system32\Dcdifdem.exe85⤵PID:5208
-
C:\Windows\SysWOW64\Ffpadn32.exeC:\Windows\system32\Ffpadn32.exe86⤵PID:5248
-
C:\Windows\SysWOW64\Foifmcoa.exeC:\Windows\system32\Foifmcoa.exe87⤵PID:5300
-
C:\Windows\SysWOW64\Fjnjjlog.exeC:\Windows\system32\Fjnjjlog.exe88⤵PID:5340
-
C:\Windows\SysWOW64\Fokbbcmo.exeC:\Windows\system32\Fokbbcmo.exe89⤵PID:5380
-
C:\Windows\SysWOW64\Fihqfh32.exeC:\Windows\system32\Fihqfh32.exe90⤵
- Modifies registry class
PID:5420 -
C:\Windows\SysWOW64\Gobicbgf.exeC:\Windows\system32\Gobicbgf.exe91⤵PID:5460
-
C:\Windows\SysWOW64\Gjgmpkfl.exeC:\Windows\system32\Gjgmpkfl.exe92⤵
- Modifies registry class
PID:5500 -
C:\Windows\SysWOW64\Gbgkpm32.exeC:\Windows\system32\Gbgkpm32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5544 -
C:\Windows\SysWOW64\Gqhknd32.exeC:\Windows\system32\Gqhknd32.exe94⤵PID:5588
-
C:\Windows\SysWOW64\Gfedfk32.exeC:\Windows\system32\Gfedfk32.exe95⤵PID:5628
-
C:\Windows\SysWOW64\Iippne32.exeC:\Windows\system32\Iippne32.exe96⤵PID:5676
-
C:\Windows\SysWOW64\Idnfal32.exeC:\Windows\system32\Idnfal32.exe97⤵PID:5724
-
C:\Windows\SysWOW64\Jjhonfjg.exeC:\Windows\system32\Jjhonfjg.exe98⤵PID:5848
-
C:\Windows\SysWOW64\Kmbkfp32.exeC:\Windows\system32\Kmbkfp32.exe99⤵PID:5920
-
C:\Windows\SysWOW64\Kkihedld.exeC:\Windows\system32\Kkihedld.exe100⤵PID:5960
-
C:\Windows\SysWOW64\Kpepmkjl.exeC:\Windows\system32\Kpepmkjl.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:6072 -
C:\Windows\SysWOW64\Ldjodh32.exeC:\Windows\system32\Ldjodh32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Mdaedgdb.exeC:\Windows\system32\Mdaedgdb.exe103⤵PID:5164
-
C:\Windows\SysWOW64\Mjnnmn32.exeC:\Windows\system32\Mjnnmn32.exe104⤵PID:5416
-
C:\Windows\SysWOW64\Odnngclb.exeC:\Windows\system32\Odnngclb.exe105⤵PID:5488
-
C:\Windows\SysWOW64\Onklkhnn.exeC:\Windows\system32\Onklkhnn.exe106⤵PID:5552
-
C:\Windows\SysWOW64\Pcgdcome.exeC:\Windows\system32\Pcgdcome.exe107⤵PID:5620
-
C:\Windows\SysWOW64\Pbhdafdd.exeC:\Windows\system32\Pbhdafdd.exe108⤵PID:5688
-
C:\Windows\SysWOW64\Pgemimck.exeC:\Windows\system32\Pgemimck.exe109⤵PID:5772
-
C:\Windows\SysWOW64\Pbkagfba.exeC:\Windows\system32\Pbkagfba.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5832 -
C:\Windows\SysWOW64\Pclnon32.exeC:\Windows\system32\Pclnon32.exe111⤵
- Drops file in System32 directory
PID:5860 -
C:\Windows\SysWOW64\Pndoagfc.exeC:\Windows\system32\Pndoagfc.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5880 -
C:\Windows\SysWOW64\Pcagjndj.exeC:\Windows\system32\Pcagjndj.exe113⤵
- Drops file in System32 directory
PID:5988 -
C:\Windows\SysWOW64\Pjkofh32.exeC:\Windows\system32\Pjkofh32.exe114⤵PID:6024
-
C:\Windows\SysWOW64\Qaegcb32.exeC:\Windows\system32\Qaegcb32.exe115⤵PID:3804
-
C:\Windows\SysWOW64\Aloekjod.exeC:\Windows\system32\Aloekjod.exe116⤵PID:6128
-
C:\Windows\SysWOW64\Abimhd32.exeC:\Windows\system32\Abimhd32.exe117⤵PID:5152
-
C:\Windows\SysWOW64\Ajfobfaj.exeC:\Windows\system32\Ajfobfaj.exe118⤵
- Modifies registry class
PID:4328 -
C:\Windows\SysWOW64\Bngdndfn.exeC:\Windows\system32\Bngdndfn.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5288 -
C:\Windows\SysWOW64\Bdcmfkde.exeC:\Windows\system32\Bdcmfkde.exe120⤵PID:1784
-
C:\Windows\SysWOW64\Bbifobho.exeC:\Windows\system32\Bbifobho.exe121⤵PID:5348
-
C:\Windows\SysWOW64\Bhfogiff.exeC:\Windows\system32\Bhfogiff.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5528