Analysis
- max time kernel: 163s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/11/2023, 08:29
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.f207796590fd175de3b238beae176216.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: NEAS.f207796590fd175de3b238beae176216.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.f207796590fd175de3b238beae176216.exe
- Size: 285KB
- MD5: f207796590fd175de3b238beae176216
- SHA1: 020bd1a6665bce511087c4fca6e80528d7fd61b6
- SHA256: 0cac8f022df98b70f5cfce229e0354d4bd8d54bde7adfa6e50f88155ce0b40e8
- SHA512: 2de3444562e8673d9dd0a5ef2681210fa9615681cad6e2c65fd8ca6fbdf76070e37bc1f783b6e8e08b0a4ee13d829d8adae12d20a161b2000729e0a8f9c668fe
- SSDEEP: 3072:Z1ypKpjWN4R82P9eEanfOO1vZe6KVcbMloVRr3uMg0kAqSxYiJ2QM4GKch:Z1ycjWN4RpFHanfOO1vs6KQIoi7tWa
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hplbbipm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dgeegled.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pkhhbbck.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Beajnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gmojep32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfimmhkg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpphcf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebcmjqej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jdaajkfd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Loniiflo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hagnihom.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pacfdila.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fgcjea32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdiglgbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Canlfh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hbeece32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gajpmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bblcda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Coepob32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcdjic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Miflehaf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hbbmgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ibjibg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Molefh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bhfogiff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ogeklh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Okgabpgg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fbcfan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cobciblp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndfqlnno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gnhdea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jbaocfmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Igedenca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Okjnhpee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Llkjmb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kanbjn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Glpdjpbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kmbkfp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mhppcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jpenoe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Galonj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ffjignde.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcqjhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hoglmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Goepgg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dopiqj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oemephgn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpenoe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lmodqdpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lpelqj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Khpcid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ecjhmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cmlckhig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mhmmieil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hpqlof32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Coepob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jcdjka32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nemcca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Djcoko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jgdphm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Eopbghnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jlocaabf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfoclflo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Eedmlo32.exe
Executes dropped EXE (64 IoCs)
pid | Process
2320 | Gqpapacd.exe
2672 | Jhmhpfmi.exe
3828 | Khkdad32.exe
4872 | Llkjmb32.exe
3152 | Lhgdmb32.exe
4192 | Mdpagc32.exe
180 | Nomlek32.exe
3048 | Ncaklhdi.exe
1380 | Okailj32.exe
2736 | Pmhkflnj.exe
1040 | Piceflpi.exe
4928 | Aioebj32.exe
1700 | Bppcpc32.exe
3420 | Bfabmmhe.exe
3596 | Cefoni32.exe
424 | Dfonnk32.exe
1808 | Edfddl32.exe
4716 | Gdfmkjlg.exe
4808 | Hmkeekag.exe
1996 | Hcgjhega.exe
4896 | Ijjekn32.exe
4032 | Iqgjmg32.exe
4624 | Jeilne32.exe
1840 | Jcoioabf.exe
2212 | Khakqo32.exe
244 | Khcgfo32.exe
796 | Laeoec32.exe
3316 | Loniiflo.exe
1104 | Mhfmbl32.exe
4488 | Meadlo32.exe
4528 | Ndkjik32.exe
5068 | Pkhhbbck.exe
4432 | Pnmjomlg.exe
5004 | Agobna32.exe
2184 | Abdfkj32.exe
5044 | Clmckmcq.exe
3764 | Clpppmqn.exe
4832 | Cihjeq32.exe
4424 | Cpbbak32.exe
1664 | Diopep32.exe
468 | Dlpigk32.exe
1460 | Eeodqocd.exe
2664 | Eedmlo32.exe
1724 | Fgcjea32.exe
4788 | Fcaqka32.exe
5100 | Ifqoehhl.exe
2944 | Jopiom32.exe
2988 | Kjlcmdbb.exe
4076 | Kiaqnagj.exe
3044 | Kplijk32.exe
2584 | Kjcjmclj.exe
508 | Kanbjn32.exe
1184 | Liifnp32.exe
3800 | Lpelqj32.exe
3920 | Mjdbda32.exe
1472 | Mdodbf32.exe
1048 | Mhmmieil.exe
2656 | Mmiealgc.exe
3140 | Ohkijc32.exe
3516 | Oinbgk32.exe
2376 | Ppamjcpj.exe
4884 | Pknghk32.exe
3428 | Bglgdi32.exe
1720 | Djklgb32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Llkjmb32.exe | Khkdad32.exe
File created | C:\Windows\SysWOW64\Hholim32.dll | Jmepcj32.exe
File created | C:\Windows\SysWOW64\Cjindm32.exe | Canlfh32.exe
File created | C:\Windows\SysWOW64\Hkobdeok.exe | Gnkajapa.exe
File created | C:\Windows\SysWOW64\Eadgok32.dll | Dkbomgde.exe
File created | C:\Windows\SysWOW64\Jlclnhho.exe | Ichkpb32.exe
File opened for modification | C:\Windows\SysWOW64\Majjgmco.exe | Menpgmap.exe
File created | C:\Windows\SysWOW64\Onempd32.dll | Khcgfo32.exe
File created | C:\Windows\SysWOW64\Cjkpjo32.dll | Oinbgk32.exe
File created | C:\Windows\SysWOW64\Bglgdi32.exe | Pknghk32.exe
File opened for modification | C:\Windows\SysWOW64\Kbkdgj32.exe | Kkaljpmd.exe
File created | C:\Windows\SysWOW64\Npglho32.dll | Ocmjcjad.exe
File created | C:\Windows\SysWOW64\Djbpjl32.exe | Dhcdnq32.exe
File opened for modification | C:\Windows\SysWOW64\Jnkchmdl.exe | Iejlih32.exe
File created | C:\Windows\SysWOW64\Pamikh32.exe | Phddbbnf.exe
File created | C:\Windows\SysWOW64\Fdqkap32.dll | Headjael.exe
File created | C:\Windows\SysWOW64\Bkhcpkkb.exe | Aoofej32.exe
File opened for modification | C:\Windows\SysWOW64\Mdodbf32.exe | Mjdbda32.exe
File created | C:\Windows\SysWOW64\Ahqcjc32.dll | Ghnpmqef.exe
File opened for modification | C:\Windows\SysWOW64\Ngpcmj32.exe | Iempingp.exe
File created | C:\Windows\SysWOW64\Facdom32.dll | Pfcmpdjp.exe
File created | C:\Windows\SysWOW64\Fnmeic32.exe | Foghhg32.exe
File opened for modification | C:\Windows\SysWOW64\Oofacdaj.exe | Oiihkncb.exe
File created | C:\Windows\SysWOW64\Igedenca.exe | Ibhlmgdj.exe
File created | C:\Windows\SysWOW64\Dqkmkb32.exe | Dkndbkop.exe
File created | C:\Windows\SysWOW64\Nomlek32.exe | Mdpagc32.exe
File created | C:\Windows\SysWOW64\Fefcgh32.exe | Djklgb32.exe
File opened for modification | C:\Windows\SysWOW64\Jbnopbdl.exe | Jhejgl32.exe
File created | C:\Windows\SysWOW64\Hfklamii.exe | Hbkgfode.exe
File created | C:\Windows\SysWOW64\Nknolaob.exe | Nbcjhobg.exe
File created | C:\Windows\SysWOW64\Jlfpnn32.exe | Jcmkehcg.exe
File opened for modification | C:\Windows\SysWOW64\Qgdabflp.exe | Pkdngf32.exe
File created | C:\Windows\SysWOW64\Hlmibiga.dll | Fchdnkpi.exe
File created | C:\Windows\SysWOW64\Ojgbpd32.exe | Ocmjcjad.exe
File created | C:\Windows\SysWOW64\Hndini32.dll | Dhfacp32.exe
File created | C:\Windows\SysWOW64\Ccbqnakn.dll | Gnaodbhl.exe
File opened for modification | C:\Windows\SysWOW64\Oplkgi32.exe | Oibbjoij.exe
File created | C:\Windows\SysWOW64\Kmoihc32.dll | Pacfdila.exe
File created | C:\Windows\SysWOW64\Jhmchd32.dll | Jbkbkbfo.exe
File opened for modification | C:\Windows\SysWOW64\Kjffngap.exe | Kjdjhgdb.exe
File created | C:\Windows\SysWOW64\Kckgff32.exe | Kkpbbdil.exe
File created | C:\Windows\SysWOW64\Pcfcjdfi.dll | Knioij32.exe
File created | C:\Windows\SysWOW64\Elenoi32.dll | Ompfnoci.exe
File created | C:\Windows\SysWOW64\Ifoopi32.dll | Pnmjomlg.exe
File opened for modification | C:\Windows\SysWOW64\Jklihbol.exe | Ilpfgg32.exe
File opened for modification | C:\Windows\SysWOW64\Momqblgj.exe | Lfimmhkg.exe
File created | C:\Windows\SysWOW64\Cdabmcdi.exe | Cmgjpi32.exe
File created | C:\Windows\SysWOW64\Phddbbnf.exe | Pchljlpo.exe
File created | C:\Windows\SysWOW64\Bicjjncd.exe | Bbiamd32.exe
File created | C:\Windows\SysWOW64\Epplai32.dll | Iofpnhmc.exe
File opened for modification | C:\Windows\SysWOW64\Bdmpljlj.exe | Bblcda32.exe
File opened for modification | C:\Windows\SysWOW64\Hbnjfefo.exe | Hkdbik32.exe
File opened for modification | C:\Windows\SysWOW64\Ofncde32.exe | Odmgmmhf.exe
File created | C:\Windows\SysWOW64\Qmefmgbi.dll | Gnhdea32.exe
File opened for modification | C:\Windows\SysWOW64\Goepgg32.exe | Gblbmg32.exe
File opened for modification | C:\Windows\SysWOW64\Icooig32.exe | Icmbcg32.exe
File opened for modification | C:\Windows\SysWOW64\Lfimmhkg.exe | Llqhdb32.exe
File opened for modification | C:\Windows\SysWOW64\Gaibhj32.exe | Gjojkpdp.exe
File opened for modification | C:\Windows\SysWOW64\Fchdnkpi.exe | Flnlaahl.exe
File created | C:\Windows\SysWOW64\Appaki32.dll | Gngnjk32.exe
File created | C:\Windows\SysWOW64\Oceidi32.dll | Jbobnf32.exe
File created | C:\Windows\SysWOW64\Hmicee32.exe | Gkfnnjnl.exe
File created | C:\Windows\SysWOW64\Glgolo32.dll | Kgbjlf32.exe
File created | C:\Windows\SysWOW64\Eeodqocd.exe | Dlpigk32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
5452 | 5096 | WerFault.exe | 605
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jeekeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oceoqioq.dll" | Oocdme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ibhlmgdj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Pafcjijo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Aoofej32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Djhifnho.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kiaqnagj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ngpcmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghcnkop.dll" | Mminaikp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kkaljpmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nieglnkc.dll" | Fdbdkn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Lcejmeol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ogeklh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgkbak32.dll" | Abdfkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hholim32.dll" | Jmepcj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bddcep32.dll" | Ojgbpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hcgjhega.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Eeodqocd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahkdqbd.dll" | Mnapnl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmoqnea.dll" | Ndfqlnno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmhaq32.dll" | Okgabpgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcgmnddm.dll" | Mhfmbl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ilpfgg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mekmgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hajpli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odljbmgj.dll" | Kmobdm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoneo32.dll" | Jjfngi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdgji32.dll" | Iiigqdfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkpeal32.dll" | Doanno32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kokkqbog.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fefcgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgodho32.dll" | Hdmecdlh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ollpdaom.dll" | Fmndkd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dampal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfjllhah.dll" | Nboggf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Plokgh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Plijbblh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dfefeq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjogi32.dll" | Meadlo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lpelqj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jlfpnn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Qkegiggl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Abdfkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kilphk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Njokei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aecqpp32.dll" | Hjdcfp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ndfqlnno.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jlocaabf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Loniiflo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pkhhbbck.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Aoifoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kjffngap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ondhipkn.dll" | Jjeflc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Qojeabie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blmihnln.dll" | Hkobdeok.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Plcdbghi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldkldmdj.dll" | Ijogfj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckclgbne.dll" | Nadlnoaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khjeei32.dll" | Fkehdnee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlfgpeg.dll" | Ejdhcjpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efegoj32.dll" | Hagnihom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Canlfh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Nbljaf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Lmpkkjcj.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2588 wrote to memory of 2320 | 2588 | NEAS.f207796590fd175de3b238beae176216.exe | 92
PID 2588 wrote to memory of 2320 | 2588 | NEAS.f207796590fd175de3b238beae176216.exe | 92
PID 2588 wrote to memory of 2320 | 2588 | NEAS.f207796590fd175de3b238beae176216.exe | 92
PID 2320 wrote to memory of 2672 | 2320 | Gqpapacd.exe | 93
PID 2320 wrote to memory of 2672 | 2320 | Gqpapacd.exe | 93
PID 2320 wrote to memory of 2672 | 2320 | Gqpapacd.exe | 93
PID 2672 wrote to memory of 3828 | 2672 | Jhmhpfmi.exe | 94
PID 2672 wrote to memory of 3828 | 2672 | Jhmhpfmi.exe | 94
PID 2672 wrote to memory of 3828 | 2672 | Jhmhpfmi.exe | 94
PID 3828 wrote to memory of 4872 | 3828 | Khkdad32.exe | 95
PID 3828 wrote to memory of 4872 | 3828 | Khkdad32.exe | 95
PID 3828 wrote to memory of 4872 | 3828 | Khkdad32.exe | 95
PID 4872 wrote to memory of 3152 | 4872 | Llkjmb32.exe | 96
PID 4872 wrote to memory of 3152 | 4872 | Llkjmb32.exe | 96
PID 4872 wrote to memory of 3152 | 4872 | Llkjmb32.exe | 96
PID 3152 wrote to memory of 4192 | 3152 | Lhgdmb32.exe | 97
PID 3152 wrote to memory of 4192 | 3152 | Lhgdmb32.exe | 97
PID 3152 wrote to memory of 4192 | 3152 | Lhgdmb32.exe | 97
PID 4192 wrote to memory of 180 | 4192 | Mdpagc32.exe | 98
PID 4192 wrote to memory of 180 | 4192 | Mdpagc32.exe | 98
PID 4192 wrote to memory of 180 | 4192 | Mdpagc32.exe | 98
PID 180 wrote to memory of 3048 | 180 | Nomlek32.exe | 99
PID 180 wrote to memory of 3048 | 180 | Nomlek32.exe | 99
PID 180 wrote to memory of 3048 | 180 | Nomlek32.exe | 99
PID 3048 wrote to memory of 1380 | 3048 | Ncaklhdi.exe | 100
PID 3048 wrote to memory of 1380 | 3048 | Ncaklhdi.exe | 100
PID 3048 wrote to memory of 1380 | 3048 | Ncaklhdi.exe | 100
PID 1380 wrote to memory of 2736 | 1380 | Okailj32.exe | 101
PID 1380 wrote to memory of 2736 | 1380 | Okailj32.exe | 101
PID 1380 wrote to memory of 2736 | 1380 | Okailj32.exe | 101
PID 2736 wrote to memory of 1040 | 2736 | Pmhkflnj.exe | 103
PID 2736 wrote to memory of 1040 | 2736 | Pmhkflnj.exe | 103
PID 2736 wrote to memory of 1040 | 2736 | Pmhkflnj.exe | 103
PID 1040 wrote to memory of 4928 | 1040 | Piceflpi.exe | 104
PID 1040 wrote to memory of 4928 | 1040 | Piceflpi.exe | 104
PID 1040 wrote to memory of 4928 | 1040 | Piceflpi.exe | 104
PID 4928 wrote to memory of 1700 | 4928 | Aioebj32.exe | 106
PID 4928 wrote to memory of 1700 | 4928 | Aioebj32.exe | 106
PID 4928 wrote to memory of 1700 | 4928 | Aioebj32.exe | 106
PID 1700 wrote to memory of 3420 | 1700 | Bppcpc32.exe | 107
PID 1700 wrote to memory of 3420 | 1700 | Bppcpc32.exe | 107
PID 1700 wrote to memory of 3420 | 1700 | Bppcpc32.exe | 107
PID 3420 wrote to memory of 3596 | 3420 | Bfabmmhe.exe | 108
PID 3420 wrote to memory of 3596 | 3420 | Bfabmmhe.exe | 108
PID 3420 wrote to memory of 3596 | 3420 | Bfabmmhe.exe | 108
PID 3596 wrote to memory of 424 | 3596 | Cefoni32.exe | 109
PID 3596 wrote to memory of 424 | 3596 | Cefoni32.exe | 109
PID 3596 wrote to memory of 424 | 3596 | Cefoni32.exe | 109
PID 424 wrote to memory of 1808 | 424 | Dfonnk32.exe | 110
PID 424 wrote to memory of 1808 | 424 | Dfonnk32.exe | 110
PID 424 wrote to memory of 1808 | 424 | Dfonnk32.exe | 110
PID 1808 wrote to memory of 4716 | 1808 | Edfddl32.exe | 111
PID 1808 wrote to memory of 4716 | 1808 | Edfddl32.exe | 111
PID 1808 wrote to memory of 4716 | 1808 | Edfddl32.exe | 111
PID 4716 wrote to memory of 4808 | 4716 | Gdfmkjlg.exe | 112
PID 4716 wrote to memory of 4808 | 4716 | Gdfmkjlg.exe | 112
PID 4716 wrote to memory of 4808 | 4716 | Gdfmkjlg.exe | 112
PID 4808 wrote to memory of 1996 | 4808 | Hmkeekag.exe | 113
PID 4808 wrote to memory of 1996 | 4808 | Hmkeekag.exe | 113
PID 4808 wrote to memory of 1996 | 4808 | Hmkeekag.exe | 113
PID 1996 wrote to memory of 4896 | 1996 | Hcgjhega.exe | 114
PID 1996 wrote to memory of 4896 | 1996 | Hcgjhega.exe | 114
PID 1996 wrote to memory of 4896 | 1996 | Hcgjhega.exe | 114
PID 4896 wrote to memory of 4032 | 4896 | Ijjekn32.exe | 115
Processes
Each entry lists the image path, the command line, the depth in the process tree, the PID, and the signatures triggered by that process.
- C:\Users\Admin\AppData\Local\Temp\NEAS.f207796590fd175de3b238beae176216.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.f207796590fd175de3b238beae176216.exe", depth 1, PID 2588): Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Gqpapacd.exe (command line: C:\Windows\system32\Gqpapacd.exe, depth 2, PID 2320): Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Jhmhpfmi.exe (command line: C:\Windows\system32\Jhmhpfmi.exe, depth 3, PID 2672): Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Khkdad32.exe (command line: C:\Windows\system32\Khkdad32.exe, depth 4, PID 3828): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Llkjmb32.exe (command line: C:\Windows\system32\Llkjmb32.exe, depth 5, PID 4872): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Lhgdmb32.exe (command line: C:\Windows\system32\Lhgdmb32.exe, depth 6, PID 3152): Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Mdpagc32.exe (command line: C:\Windows\system32\Mdpagc32.exe, depth 7, PID 4192): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Nomlek32.exe (command line: C:\Windows\system32\Nomlek32.exe, depth 8, PID 180): Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ncaklhdi.exe (command line: C:\Windows\system32\Ncaklhdi.exe, depth 9, PID 3048): Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Okailj32.exe (command line: C:\Windows\system32\Okailj32.exe, depth 10, PID 1380): Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Pmhkflnj.exe (command line: C:\Windows\system32\Pmhkflnj.exe, depth 11, PID 2736): Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Piceflpi.exe (command line: C:\Windows\system32\Piceflpi.exe, depth 12, PID 1040): Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Aioebj32.exe (command line: C:\Windows\system32\Aioebj32.exe, depth 13, PID 4928): Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Bppcpc32.exe (command line: C:\Windows\system32\Bppcpc32.exe, depth 14, PID 1700): Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Bfabmmhe.exe (command line: C:\Windows\system32\Bfabmmhe.exe, depth 15, PID 3420): Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Cefoni32.exe (command line: C:\Windows\system32\Cefoni32.exe, depth 16, PID 3596): Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Dfonnk32.exe (command line: C:\Windows\system32\Dfonnk32.exe, depth 17, PID 424): Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Edfddl32.exe (command line: C:\Windows\system32\Edfddl32.exe, depth 18, PID 1808): Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Gdfmkjlg.exe (command line: C:\Windows\system32\Gdfmkjlg.exe, depth 19, PID 4716): Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Hmkeekag.exe (command line: C:\Windows\system32\Hmkeekag.exe, depth 20, PID 4808): Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Hcgjhega.exe (command line: C:\Windows\system32\Hcgjhega.exe, depth 21, PID 1996): Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ijjekn32.exe (command line: C:\Windows\system32\Ijjekn32.exe, depth 22, PID 4896): Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Iqgjmg32.exe (command line: C:\Windows\system32\Iqgjmg32.exe, depth 23, PID 4032): Executes dropped EXE
- C:\Windows\SysWOW64\Jeilne32.exe (command line: C:\Windows\system32\Jeilne32.exe, depth 24, PID 4624): Executes dropped EXE
- C:\Windows\SysWOW64\Jcoioabf.exe (command line: C:\Windows\system32\Jcoioabf.exe, depth 25, PID 1840): Executes dropped EXE
- C:\Windows\SysWOW64\Khakqo32.exe (command line: C:\Windows\system32\Khakqo32.exe, depth 26, PID 2212): Executes dropped EXE
- C:\Windows\SysWOW64\Khcgfo32.exe (command line: C:\Windows\system32\Khcgfo32.exe, depth 27, PID 244): Executes dropped EXE; Drops file in System32 directory
- C:\Windows\SysWOW64\Laeoec32.exe (command line: C:\Windows\system32\Laeoec32.exe, depth 28, PID 796): Executes dropped EXE
- C:\Windows\SysWOW64\Loniiflo.exe (command line: C:\Windows\system32\Loniiflo.exe, depth 29, PID 3316): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
- C:\Windows\SysWOW64\Mhfmbl32.exe (command line: C:\Windows\system32\Mhfmbl32.exe, depth 30, PID 1104): Executes dropped EXE; Modifies registry class
- C:\Windows\SysWOW64\Meadlo32.exe (command line: C:\Windows\system32\Meadlo32.exe, depth 31, PID 4488): Executes dropped EXE; Modifies registry class
- C:\Windows\SysWOW64\Ndkjik32.exe (command line: C:\Windows\system32\Ndkjik32.exe, depth 32, PID 4528): Executes dropped EXE
- C:\Windows\SysWOW64\Pkhhbbck.exe (command line: C:\Windows\system32\Pkhhbbck.exe, depth 33, PID 5068): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
- C:\Windows\SysWOW64\Pnmjomlg.exe (command line: C:\Windows\system32\Pnmjomlg.exe, depth 34, PID 4432): Executes dropped EXE; Drops file in System32 directory
- C:\Windows\SysWOW64\Agobna32.exe (command line: C:\Windows\system32\Agobna32.exe, depth 35, PID 5004): Executes dropped EXE
- C:\Windows\SysWOW64\Abdfkj32.exe (command line: C:\Windows\system32\Abdfkj32.exe, depth 36, PID 2184): Executes dropped EXE; Modifies registry class
- C:\Windows\SysWOW64\Clmckmcq.exe (command line: C:\Windows\system32\Clmckmcq.exe, depth 37, PID 5044): Executes dropped EXE
- C:\Windows\SysWOW64\Clpppmqn.exe (command line: C:\Windows\system32\Clpppmqn.exe, depth 38, PID 3764): Executes dropped EXE
- C:\Windows\SysWOW64\Cihjeq32.exe (command line: C:\Windows\system32\Cihjeq32.exe, depth 39, PID 4832): Executes dropped EXE
- C:\Windows\SysWOW64\Cpbbak32.exe (command line: C:\Windows\system32\Cpbbak32.exe, depth 40, PID 4424): Executes dropped EXE
- C:\Windows\SysWOW64\Diopep32.exe (command line: C:\Windows\system32\Diopep32.exe, depth 41, PID 1664): Executes dropped EXE
- C:\Windows\SysWOW64\Dlpigk32.exe (command line: C:\Windows\system32\Dlpigk32.exe, depth 42, PID 468): Executes dropped EXE; Drops file in System32 directory
- C:\Windows\SysWOW64\Eeodqocd.exe (command line: C:\Windows\system32\Eeodqocd.exe, depth 43, PID 1460): Executes dropped EXE; Modifies registry class
- C:\Windows\SysWOW64\Eedmlo32.exe (command line: C:\Windows\system32\Eedmlo32.exe, depth 44, PID 2664): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- C:\Windows\SysWOW64\Fgcjea32.exe (command line: C:\Windows\system32\Fgcjea32.exe, depth 45, PID 1724): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- C:\Windows\SysWOW64\Fcaqka32.exe (command line: C:\Windows\system32\Fcaqka32.exe, depth 46, PID 4788): Executes dropped EXE
- C:\Windows\SysWOW64\Ifqoehhl.exe (command line: C:\Windows\system32\Ifqoehhl.exe, depth 47, PID 5100): Executes dropped EXE
- C:\Windows\SysWOW64\Jopiom32.exe (command line: C:\Windows\system32\Jopiom32.exe, depth 48, PID 2944): Executes dropped EXE
- C:\Windows\SysWOW64\Kjlcmdbb.exe (command line: C:\Windows\system32\Kjlcmdbb.exe, depth 49, PID 2988): Executes dropped EXE
- C:\Windows\SysWOW64\Kiaqnagj.exe (command line: C:\Windows\system32\Kiaqnagj.exe, depth 50, PID 4076): Executes dropped EXE; Modifies registry class
- C:\Windows\SysWOW64\Kplijk32.exe (command line: C:\Windows\system32\Kplijk32.exe, depth 51, PID 3044): Executes dropped EXE
- C:\Windows\SysWOW64\Kjcjmclj.exe (command line: C:\Windows\system32\Kjcjmclj.exe, depth 52, PID 2584): Executes dropped EXE
- C:\Windows\SysWOW64\Kanbjn32.exe (command line: C:\Windows\system32\Kanbjn32.exe, depth 53, PID 508): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- C:\Windows\SysWOW64\Liifnp32.exe (command line: C:\Windows\system32\Liifnp32.exe, depth 54, PID 1184): Executes dropped EXE
- C:\Windows\SysWOW64\Lpelqj32.exe (command line: C:\Windows\system32\Lpelqj32.exe, depth 55, PID 3800): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
- C:\Windows\SysWOW64\Mjdbda32.exe (command line: C:\Windows\system32\Mjdbda32.exe, depth 56, PID 3920): Executes dropped EXE; Drops file in System32 directory
- C:\Windows\SysWOW64\Mdodbf32.exe (command line: C:\Windows\system32\Mdodbf32.exe, depth 57, PID 1472): Executes dropped EXE
- C:\Windows\SysWOW64\Mhmmieil.exe (command line: C:\Windows\system32\Mhmmieil.exe, depth 58, PID 1048): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- C:\Windows\SysWOW64\Mmiealgc.exe (command line: C:\Windows\system32\Mmiealgc.exe, depth 59, PID 2656): Executes dropped EXE
- C:\Windows\SysWOW64\Ohkijc32.exe (command line: C:\Windows\system32\Ohkijc32.exe, depth 60, PID 3140): Executes dropped EXE
- C:\Windows\SysWOW64\Oinbgk32.exe (command line: C:\Windows\system32\Oinbgk32.exe, depth 61, PID 3516): Executes dropped EXE; Drops file in System32 directory
- C:\Windows\SysWOW64\Ppamjcpj.exe (command line: C:\Windows\system32\Ppamjcpj.exe, depth 62, PID 2376): Executes dropped EXE
- C:\Windows\SysWOW64\Pknghk32.exe (command line: C:\Windows\system32\Pknghk32.exe, depth 63, PID 4884): Executes dropped EXE; Drops file in System32 directory
- C:\Windows\SysWOW64\Bglgdi32.exe (command line: C:\Windows\system32\Bglgdi32.exe, depth 64, PID 3428): Executes dropped EXE
- C:\Windows\SysWOW64\Djklgb32.exe (command line: C:\Windows\system32\Djklgb32.exe, depth 65, PID 1720): Executes dropped EXE; Drops file in System32 directory
- C:\Windows\SysWOW64\Fefcgh32.exe (command line: C:\Windows\system32\Fefcgh32.exe, depth 66, PID 4704): Modifies registry class
- C:\Windows\SysWOW64\Fbjcplhj.exe (command line: C:\Windows\system32\Fbjcplhj.exe, depth 67, PID 3360)
- C:\Windows\SysWOW64\Fkehdnee.exe (command line: C:\Windows\system32\Fkehdnee.exe, depth 68, PID 4304): Modifies registry class
- C:\Windows\SysWOW64\Gajpmg32.exe (command line: C:\Windows\system32\Gajpmg32.exe, depth 69, PID 5124): Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Glpdjpbj.exe (command line: C:\Windows\system32\Glpdjpbj.exe, depth 70, PID 5168): Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Gammbfqa.exe (command line: C:\Windows\system32\Gammbfqa.exe, depth 71, PID 5204)
- C:\Windows\SysWOW64\Glbapoqh.exe (command line: C:\Windows\system32\Glbapoqh.exe, depth 72, PID 5248)
- C:\Windows\SysWOW64\Hiinoc32.exe (command line: C:\Windows\system32\Hiinoc32.exe, depth 73, PID 5296)
- C:\Windows\SysWOW64\Icmbcg32.exe (command line: C:\Windows\system32\Icmbcg32.exe, depth 74, PID 5340): Drops file in System32 directory
- C:\Windows\SysWOW64\Icooig32.exe (command line: C:\Windows\system32\Icooig32.exe, depth 75, PID 5384)
- C:\Windows\SysWOW64\Iofpnhmc.exe (command line: C:\Windows\system32\Iofpnhmc.exe, depth 76, PID 5424): Drops file in System32 directory
- C:\Windows\SysWOW64\Ihndgmdd.exe (command line: C:\Windows\system32\Ihndgmdd.exe, depth 77, PID 5464)
- C:\Windows\SysWOW64\Jbkbkbfo.exe (command line: C:\Windows\system32\Jbkbkbfo.exe, depth 78, PID 5508): Drops file in System32 directory
- C:\Windows\SysWOW64\Jhejgl32.exe (command line: C:\Windows\system32\Jhejgl32.exe, depth 79, PID 5544): Drops file in System32 directory
- C:\Windows\SysWOW64\Jbnopbdl.exe (command line: C:\Windows\system32\Jbnopbdl.exe, depth 80, PID 5592)
- C:\Windows\SysWOW64\Jmepcj32.exe (command line: C:\Windows\system32\Jmepcj32.exe, depth 81, PID 5636): Drops file in System32 directory; Modifies registry class
- C:\Windows\SysWOW64\Jodlof32.exe (command line: C:\Windows\system32\Jodlof32.exe, depth 82, PID 5676)
- C:\Windows\SysWOW64\Kilphk32.exe (command line: C:\Windows\system32\Kilphk32.exe, depth 83, PID 5720): Modifies registry class
- C:\Windows\SysWOW64\Kfpqap32.exe (command line: C:\Windows\system32\Kfpqap32.exe, depth 84, PID 5764)
- C:\Windows\SysWOW64\Miflehaf.exe (command line: C:\Windows\system32\Miflehaf.exe, depth 85, PID 5840): Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Njokei32.exe (command line: C:\Windows\system32\Njokei32.exe, depth 86, PID 5928): Modifies registry class
- C:\Windows\SysWOW64\Obccpj32.exe (command line: C:\Windows\system32\Obccpj32.exe, depth 87, PID 6080)
- C:\Windows\SysWOW64\Pkdngf32.exe (command line: C:\Windows\system32\Pkdngf32.exe, depth 88, PID 5196): Drops file in System32 directory
- C:\Windows\SysWOW64\Qgdabflp.exe (command line: C:\Windows\system32\Qgdabflp.exe, depth 89, PID 1084)
- C:\Windows\SysWOW64\Bkpfjb32.exe (command line: C:\Windows\system32\Bkpfjb32.exe, depth 90, PID 5432)
- C:\Windows\SysWOW64\Dkjbgooi.exe (command line: C:\Windows\system32\Dkjbgooi.exe, depth 91, PID 5476)
- C:\Windows\SysWOW64\Dcegkamd.exe (command line: C:\Windows\system32\Dcegkamd.exe, depth 92, PID 5580)
- C:\Windows\SysWOW64\Ejdhcjpl.exe (command line: C:\Windows\system32\Ejdhcjpl.exe, depth 93, PID 5620): Modifies registry class
- C:\Windows\SysWOW64\Ekcemmgo.exe (command line: C:\Windows\system32\Ekcemmgo.exe, depth 94, PID 5708)
- C:\Windows\SysWOW64\Ekeacmel.exe (command line: C:\Windows\system32\Ekeacmel.exe, depth 95, PID 5784)
- C:\Windows\SysWOW64\Ecafgo32.exe (command line: C:\Windows\system32\Ecafgo32.exe, depth 96, PID 4196)
- C:\Windows\SysWOW64\Emikpeig.exe (command line: C:\Windows\system32\Emikpeig.exe, depth 97, PID 2760)
- C:\Windows\SysWOW64\Eepbabjj.exe (command line: C:\Windows\system32\Eepbabjj.exe, depth 98, PID 1692)
- C:\Windows\SysWOW64\Fmndkd32.exe (command line: C:\Windows\system32\Fmndkd32.exe, depth 99, PID 3968): Modifies registry class
- C:\Windows\SysWOW64\Fchlhnlo.exe (command line: C:\Windows\system32\Fchlhnlo.exe, depth 100, PID 5912)
- C:\Windows\SysWOW64\Gdaonmdd.exe (command line: C:\Windows\system32\Gdaonmdd.exe, depth 101, PID 5960)
- C:\Windows\SysWOW64\Hmecba32.exe (command line: C:\Windows\system32\Hmecba32.exe, depth 102, PID 6020)
- C:\Windows\SysWOW64\Hhkgpjqn.exe (command line: C:\Windows\system32\Hhkgpjqn.exe, depth 103, PID 6060)
- C:\Windows\SysWOW64\Haeino32.exe (command line: C:\Windows\system32\Haeino32.exe, depth 104, PID 6136)
- C:\Windows\SysWOW64\Ilpfgg32.exe (command line: C:\Windows\system32\Ilpfgg32.exe, depth 105, PID 6012): Drops file in System32 directory; Modifies registry class
- C:\Windows\SysWOW64\Jklihbol.exe (command line: C:\Windows\system32\Jklihbol.exe, depth 106, PID 5212)
- C:\Windows\SysWOW64\Jlkfbe32.exe (command line: C:\Windows\system32\Jlkfbe32.exe, depth 107, PID 3272)
- C:\Windows\SysWOW64\Jdiglgbg.exe (command line: C:\Windows\system32\Jdiglgbg.exe, depth 108, PID 5336): Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Khpcid32.exe (command line: C:\Windows\system32\Khpcid32.exe, depth 109, PID 5352): Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Knmkak32.exe (command line: C:\Windows\system32\Knmkak32.exe, depth 110, PID 5392)
- C:\Windows\SysWOW64\Kkaljpmd.exe (command line: C:\Windows\system32\Kkaljpmd.exe, depth 111, PID 5496): Drops file in System32 directory; Modifies registry class
- C:\Windows\SysWOW64\Kbkdgj32.exe (command line: C:\Windows\system32\Kbkdgj32.exe, depth 112, PID 5536)
- C:\Windows\SysWOW64\Llqhdb32.exe (command line: C:\Windows\system32\Llqhdb32.exe, depth 113, PID 5656): Drops file in System32 directory
- C:\Windows\SysWOW64\Lfimmhkg.exe (command line: C:\Windows\system32\Lfimmhkg.exe, depth 114, PID 5804): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
- C:\Windows\SysWOW64\Momqblgj.exe (command line: C:\Windows\system32\Momqblgj.exe, depth 115, PID 2588)
- C:\Windows\SysWOW64\Mejijcea.exe (command line: C:\Windows\system32\Mejijcea.exe, depth 116, PID 2624)
- C:\Windows\SysWOW64\Mnbnchlb.exe (command line: C:\Windows\system32\Mnbnchlb.exe, depth 117, PID 5956)
- C:\Windows\SysWOW64\Mmcnap32.exe (command line: C:\Windows\system32\Mmcnap32.exe, depth 118, PID 5980)
- C:\Windows\SysWOW64\Mijofaje.exe (command line: C:\Windows\system32\Mijofaje.exe, depth 119, PID 6068)
- C:\Windows\SysWOW64\Mpdgbkab.exe (command line: C:\Windows\system32\Mpdgbkab.exe, depth 120, PID 6004)
- C:\Windows\SysWOW64\Nifnao32.exe (command line: C:\Windows\system32\Nifnao32.exe, depth 121, PID 6108)
- C:\Windows\SysWOW64\Ofjokc32.exe (command line: C:\Windows\system32\Ofjokc32.exe, depth 122, PID 3228)