Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
134s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
01/11/2023, 17:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.cbe4d96f7645e12aa98a54f506bd7158_JC.exe
Resource
win7-20231020-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.cbe4d96f7645e12aa98a54f506bd7158_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.cbe4d96f7645e12aa98a54f506bd7158_JC.exe
-
Size
89KB
-
MD5
cbe4d96f7645e12aa98a54f506bd7158
-
SHA1
542e30aa963391edc7429fb68481057708f68e64
-
SHA256
ba665ce55b94d00cf8edbe483d580dc020fd2ad08d6d29985a8faeb72f970cd2
-
SHA512
3db6c669638018552d11de368abec02ca142826204b0f7153f7b6f5219cb863f988096b981bb0462be9d44df3cd1f318253a407e9d5223ef6b563ae69e95d64d
-
SSDEEP
1536:vp7j2QEViEROVtpeaVb48SyMRrPTyjTXxwxjnNEiA33FpE+RQbR+KRFR3RzR1URb:R7j5pEYJea148forwDxwdNqFi+ebjb5C
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iofmpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Inmggo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kimgad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Knfliefc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmimll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbccbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpnlicne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnffjl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlfhhgpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fchdnkpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpkpbpko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejmild32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blhpjnbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpeclq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcmkehcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejglcq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcibchgq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfchcijo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkianp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdleap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Febogbhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hagnihom.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clknnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpckclld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdaajkfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgagjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icbpkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keabkkdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inejlibi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imgbdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbccbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkdnjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhngfcdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eckogc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkfkod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oplkgi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbqonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmffnq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bomknp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfkjef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peaokh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pedlpgqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpnpqakp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oiagcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogkcihgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhbifl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Balfko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhmpkmpm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgboiq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plpqba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liabjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Liabjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmlkpgia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbggmk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fppchile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilpaei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkeonggf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Majjgmco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igcojdhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdddjq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efccfojn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qbngeadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajqgbjoh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdjbcnjo.exe -
Executes dropped EXE 64 IoCs
pid Process 4868 Ldkhlcnb.exe 3456 Nconfh32.exe 232 Pdqcenmg.exe 3996 Pbgqdb32.exe 5032 Piceflpi.exe 4116 Qbngeadf.exe 3968 Alpnde32.exe 4876 Bfhofnpp.exe 1460 Bcnleb32.exe 4356 Cpnpqakp.exe 1228 Cepadh32.exe 3592 Dpoiho32.exe 3212 Egbdjhlp.exe 2716 Gcimfg32.exe 1320 Gdkffi32.exe 2780 Hnehdo32.exe 1464 Hnhdjn32.exe 1912 Hjoeoo32.exe 5116 Hdicggla.exe 4948 Incdem32.exe 2624 Iaifbg32.exe 4648 Jelhcd32.exe 4704 Jabiie32.exe 1604 Kceoppmo.exe 3548 Lfddci32.exe 4944 Mhfmbl32.exe 508 Mmhofbma.exe 3812 Nehjmnei.exe 1780 Nemchn32.exe 4552 Oakjnnap.exe 2268 Poagma32.exe 5012 Pkjegb32.exe 4920 Cgagjo32.exe 480 Cpklql32.exe 4764 Cbqonf32.exe 2764 Dhbqalle.exe 988 Dlbfmjqi.exe 1388 Ehkcgkdj.exe 4064 Fhefmjlp.exe 4308 Ginenk32.exe 4080 Hgmebnpd.exe 1632 Hjbhph32.exe 1720 Iiokacgp.exe 668 Icdoolge.exe 1360 Jmffnq32.exe 5008 Lhammfci.exe 5068 Libido32.exe 4520 Ldgnbg32.exe 1156 Mpchbhjl.exe 280 Ngklppei.exe 2640 Oiqomj32.exe 5004 Opopdd32.exe 3140 Qkcackeb.exe 4584 Agnkck32.exe 4988 Bdlncn32.exe 1392 Bglgdi32.exe 3304 Cjfclcpg.exe 1944 Djipbbne.exe 2804 Dicbfhni.exe 4628 Ejglcq32.exe 4460 Eimelg32.exe 2844 Fhflhcfa.exe 1792 Gikbneio.exe 3440 Gogjflhf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mmlphfed.exe Mllcocna.exe File opened for modification C:\Windows\SysWOW64\Feapdaof.exe Fhmpkmpm.exe File opened for modification C:\Windows\SysWOW64\Efhcld32.exe Ejabgcdp.exe File opened for modification C:\Windows\SysWOW64\Jdbheajp.exe Jnhphg32.exe File opened for modification C:\Windows\SysWOW64\Elojej32.exe Efdbhpbn.exe File created C:\Windows\SysWOW64\Bfabhppm.exe Bfoebq32.exe File created C:\Windows\SysWOW64\Hlmpoh32.dll Bibpkiie.exe File created C:\Windows\SysWOW64\Ldoadabi.exe Lemagjjj.exe File created C:\Windows\SysWOW64\Bcghlnih.exe Bfchcijo.exe File created C:\Windows\SysWOW64\Ejofacfb.exe Epjadk32.exe File created C:\Windows\SysWOW64\Mhfmbl32.exe Lfddci32.exe File opened for modification C:\Windows\SysWOW64\Ogifci32.exe Olcbfp32.exe File created C:\Windows\SysWOW64\Igcojdhp.exe Ifbbbl32.exe File created C:\Windows\SysWOW64\Kolnpglb.dll Cmaikcmf.exe File opened for modification C:\Windows\SysWOW64\Cjgpoq32.exe Cobkbhgk.exe File created C:\Windows\SysWOW64\Gdjilphb.exe Fjmkhkff.exe File created C:\Windows\SysWOW64\Hpgico32.dll Kihdqkaf.exe File created C:\Windows\SysWOW64\Pohnhdog.exe Oofacdaj.exe File created C:\Windows\SysWOW64\Eabjjafe.dll Qlggcp32.exe File opened for modification C:\Windows\SysWOW64\Gfaaebnj.exe Gmimll32.exe File created C:\Windows\SysWOW64\Mknjgajl.exe Mnjjmmkc.exe File created C:\Windows\SysWOW64\Dqfhed32.dll Dfphmp32.exe File created C:\Windows\SysWOW64\Ooinijfk.dll Ceaealoh.exe File opened for modification C:\Windows\SysWOW64\Gdqgfbop.exe Gcojoj32.exe File created C:\Windows\SysWOW64\Cggnhlml.exe Cmaikcmf.exe File opened for modification C:\Windows\SysWOW64\Gmdjjemp.exe Gdleap32.exe File created C:\Windows\SysWOW64\Gjgmjh32.dll Bfhofnpp.exe File created C:\Windows\SysWOW64\Gfljgkdm.dll Fhbifl32.exe File created C:\Windows\SysWOW64\Mgbige32.dll Hgdlnp32.exe File created C:\Windows\SysWOW64\Bganac32.exe Bagfeioc.exe File created C:\Windows\SysWOW64\Pfoamp32.exe Npipnjmm.exe File opened for modification C:\Windows\SysWOW64\Giqlbqcc.exe Gbgdef32.exe File created C:\Windows\SysWOW64\Kjkpio32.dll Olcbfp32.exe File created C:\Windows\SysWOW64\Obddmc32.dll Fhhaclqc.exe File opened for modification C:\Windows\SysWOW64\Bjkhme32.exe Alcofi32.exe File opened for modification C:\Windows\SysWOW64\Cmdfpbkc.exe Cggnhlml.exe File created C:\Windows\SysWOW64\Almifk32.exe Akipic32.exe File created C:\Windows\SysWOW64\Kedoqkbe.exe Kdcbic32.exe File created C:\Windows\SysWOW64\Lajhfkfo.dll Leihlj32.exe File created C:\Windows\SysWOW64\Ooejhn32.exe Oihapg32.exe File created C:\Windows\SysWOW64\Oigdmh32.exe Obnlpnbm.exe File created C:\Windows\SysWOW64\Pbnghq32.dll Ldgclgcl.exe File created C:\Windows\SysWOW64\Qomhogfn.dll Fdiafc32.exe File created C:\Windows\SysWOW64\Eanqpdgi.exe Dcegkamd.exe File created C:\Windows\SysWOW64\Eciilj32.exe Dokqfl32.exe File created C:\Windows\SysWOW64\Lihhnokg.dll Gjhdkajh.exe File created C:\Windows\SysWOW64\Emkhfj32.dll Cjindm32.exe File created C:\Windows\SysWOW64\Cfnqdale.exe Ckhlgilp.exe File opened for modification C:\Windows\SysWOW64\Hjbhph32.exe Hgmebnpd.exe File created C:\Windows\SysWOW64\Gikbneio.exe Fhflhcfa.exe File opened for modification C:\Windows\SysWOW64\Bjqjpp32.exe Almifk32.exe File created C:\Windows\SysWOW64\Fhfion32.dll Mmlphfed.exe File created C:\Windows\SysWOW64\Bfhofnpp.exe Alpnde32.exe File created C:\Windows\SysWOW64\Gjndpg32.exe Fhhaclqc.exe File created C:\Windows\SysWOW64\Fcnlng32.exe Fmdcamko.exe File opened for modification C:\Windows\SysWOW64\Jaddpppa.exe Jbccbi32.exe File created C:\Windows\SysWOW64\Ilpaei32.exe Ieeihomg.exe File opened for modification C:\Windows\SysWOW64\Fhbifl32.exe Feapdaof.exe File opened for modification C:\Windows\SysWOW64\Pedlpgqe.exe Pojccmii.exe File created C:\Windows\SysWOW64\Fhlkkb32.dll Iloimopp.exe File created C:\Windows\SysWOW64\Ocicekcm.dll Pkkdhe32.exe File opened for modification C:\Windows\SysWOW64\Kkabefqp.exe Kmhlijpm.exe File created C:\Windows\SysWOW64\Kagimmol.exe Kilhqq32.exe File opened for modification C:\Windows\SysWOW64\Ccbanfko.exe Cfnqdale.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajhfkfo.dll" Leihlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbkigk32.dll" Mhafoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hdicggla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djjobedk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kieeoj32.dll" Kilhqq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolkip32.dll" Gbgdef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biojkf32.dll" Ooejhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niflidok.dll" Gokmfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Npcokpln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iickdgpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Liabjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiejckcq.dll" Hmioicek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Icbpkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dnhncjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hneijndb.dll" Gmbmefob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hjhaeklb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Emfgpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bocjdiol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfcqjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpheoll.dll" Nbefmopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jefbcdik.dll" Ajpqhdkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dliffkod.dll" Cbqonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eokjke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bbgehd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcmdcg32.dll" Fjhaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omhnja32.dll" Jkhpogij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ccajdmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmdcamko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdicnflc.dll" Oplkgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Meqmmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donloloo.dll" Cjfclcpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mehcnlie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oagbljcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikgahofh.dll" Mikepg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fhljpcfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Miomnaip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpckclld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jmffnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Agnkck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdbiml32.dll" Oigdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Endbmcal.dll" Edkddeag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fapdomgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Okpkaqmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhlkkb32.dll" Iloimopp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phobaibg.dll" Bedgejbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cldgnp32.dll" Bjnece32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dannbogl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Idpbhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djelqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jkaadebl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjnece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjopnl32.dll" Hihbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkadden.dll" Oboicmhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pehghhgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mllcocna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efccfojn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjnafn32.dll" Fjfegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epofikbn.dll" Ghgjlaln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jfdinf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mjbopcip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Danoae32.dll" Qfcjhphd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ihpgda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nepgcgje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqpnmlqd.dll" Pohnhdog.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4500 wrote to memory of 4868 4500 NEAS.cbe4d96f7645e12aa98a54f506bd7158_JC.exe 91 PID 4500 wrote to memory of 4868 4500 NEAS.cbe4d96f7645e12aa98a54f506bd7158_JC.exe 91 PID 4500 wrote to memory of 4868 4500 NEAS.cbe4d96f7645e12aa98a54f506bd7158_JC.exe 91 PID 4868 wrote to memory of 3456 4868 Ldkhlcnb.exe 92 PID 4868 wrote to memory of 3456 4868 Ldkhlcnb.exe 92 PID 4868 wrote to memory of 3456 4868 Ldkhlcnb.exe 92 PID 3456 wrote to memory of 232 3456 Nconfh32.exe 93 PID 3456 wrote to memory of 232 3456 Nconfh32.exe 93 PID 3456 wrote to memory of 232 3456 Nconfh32.exe 93 PID 232 wrote to memory of 3996 232 Pdqcenmg.exe 94 PID 232 wrote to memory of 3996 232 Pdqcenmg.exe 94 PID 232 wrote to memory of 3996 232 Pdqcenmg.exe 94 PID 3996 wrote to memory of 5032 3996 Pbgqdb32.exe 95 PID 3996 wrote to memory of 5032 3996 Pbgqdb32.exe 95 PID 3996 wrote to memory of 5032 3996 Pbgqdb32.exe 95 PID 5032 wrote to memory of 4116 5032 Piceflpi.exe 96 PID 5032 wrote to memory of 4116 5032 Piceflpi.exe 96 PID 5032 wrote to memory of 4116 5032 Piceflpi.exe 96 PID 4116 wrote to memory of 3968 4116 Qbngeadf.exe 97 PID 4116 wrote to memory of 3968 4116 Qbngeadf.exe 97 PID 4116 wrote to memory of 3968 4116 Qbngeadf.exe 97 PID 3968 wrote to memory of 4876 3968 Alpnde32.exe 98 PID 3968 wrote to memory of 4876 3968 Alpnde32.exe 98 PID 3968 wrote to memory of 4876 3968 Alpnde32.exe 98 PID 4876 wrote to memory of 1460 4876 Bfhofnpp.exe 99 PID 4876 wrote to memory of 1460 4876 Bfhofnpp.exe 99 PID 4876 wrote to memory of 1460 4876 Bfhofnpp.exe 99 PID 1460 wrote to memory of 4356 1460 Bcnleb32.exe 100 PID 1460 wrote to memory of 4356 1460 Bcnleb32.exe 100 PID 1460 wrote to memory of 4356 1460 Bcnleb32.exe 100 PID 4356 wrote to memory of 1228 4356 Cpnpqakp.exe 101 PID 4356 wrote to memory of 1228 4356 Cpnpqakp.exe 101 PID 4356 wrote to memory of 1228 4356 Cpnpqakp.exe 101 PID 1228 wrote to memory of 3592 1228 Cepadh32.exe 102 PID 1228 wrote to memory of 3592 1228 Cepadh32.exe 102 PID 1228 wrote to memory of 3592 1228 Cepadh32.exe 102 PID 3592 wrote to memory of 3212 3592 Dpoiho32.exe 103 PID 3592 wrote to memory of 3212 3592 Dpoiho32.exe 103 PID 3592 wrote to memory of 3212 3592 Dpoiho32.exe 103 PID 3212 wrote to memory of 2716 3212 Egbdjhlp.exe 104 PID 3212 wrote to memory of 2716 3212 Egbdjhlp.exe 104 PID 3212 wrote to memory of 2716 3212 Egbdjhlp.exe 104 PID 2716 wrote to memory of 1320 2716 Gcimfg32.exe 105 PID 2716 wrote to memory of 1320 2716 Gcimfg32.exe 105 PID 2716 wrote to memory of 1320 2716 Gcimfg32.exe 105 PID 1320 wrote to memory of 2780 1320 Gdkffi32.exe 106 PID 1320 wrote to memory of 2780 1320 Gdkffi32.exe 106 PID 1320 wrote to memory of 2780 1320 Gdkffi32.exe 106 PID 2780 wrote to memory of 1464 2780 Hnehdo32.exe 107 PID 2780 wrote to memory of 1464 2780 Hnehdo32.exe 107 PID 2780 wrote to memory of 1464 2780 Hnehdo32.exe 107 PID 1464 wrote to memory of 1912 1464 Hnhdjn32.exe 108 PID 1464 wrote to memory of 1912 1464 Hnhdjn32.exe 108 PID 1464 wrote to memory of 1912 1464 Hnhdjn32.exe 108 PID 1912 wrote to memory of 5116 1912 Hjoeoo32.exe 109 PID 1912 wrote to memory of 5116 1912 Hjoeoo32.exe 109 PID 1912 wrote to memory of 5116 1912 Hjoeoo32.exe 109 PID 5116 wrote to memory of 4948 5116 Hdicggla.exe 110 PID 5116 wrote to memory of 4948 5116 Hdicggla.exe 110 PID 5116 wrote to memory of 4948 5116 Hdicggla.exe 110 PID 4948 wrote to memory of 2624 4948 Incdem32.exe 111 PID 4948 wrote to memory of 2624 4948 Incdem32.exe 111 PID 4948 wrote to memory of 2624 4948 Incdem32.exe 111 PID 2624 wrote to memory of 4648 2624 Iaifbg32.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.cbe4d96f7645e12aa98a54f506bd7158_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.cbe4d96f7645e12aa98a54f506bd7158_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Ldkhlcnb.exeC:\Windows\system32\Ldkhlcnb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\Nconfh32.exeC:\Windows\system32\Nconfh32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\Pdqcenmg.exeC:\Windows\system32\Pdqcenmg.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Pbgqdb32.exeC:\Windows\system32\Pbgqdb32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Piceflpi.exeC:\Windows\system32\Piceflpi.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Qbngeadf.exeC:\Windows\system32\Qbngeadf.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\SysWOW64\Alpnde32.exeC:\Windows\system32\Alpnde32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Bfhofnpp.exeC:\Windows\system32\Bfhofnpp.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\SysWOW64\Bcnleb32.exeC:\Windows\system32\Bcnleb32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Cpnpqakp.exeC:\Windows\system32\Cpnpqakp.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Cepadh32.exeC:\Windows\system32\Cepadh32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\Dpoiho32.exeC:\Windows\system32\Dpoiho32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\Egbdjhlp.exeC:\Windows\system32\Egbdjhlp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Gcimfg32.exeC:\Windows\system32\Gcimfg32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Gdkffi32.exeC:\Windows\system32\Gdkffi32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Hnehdo32.exeC:\Windows\system32\Hnehdo32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Hnhdjn32.exeC:\Windows\system32\Hnhdjn32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Hjoeoo32.exeC:\Windows\system32\Hjoeoo32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Hdicggla.exeC:\Windows\system32\Hdicggla.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\Incdem32.exeC:\Windows\system32\Incdem32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Iaifbg32.exeC:\Windows\system32\Iaifbg32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Jelhcd32.exeC:\Windows\system32\Jelhcd32.exe23⤵
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Jabiie32.exeC:\Windows\system32\Jabiie32.exe24⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Kceoppmo.exeC:\Windows\system32\Kceoppmo.exe25⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Lfddci32.exeC:\Windows\system32\Lfddci32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3548 -
C:\Windows\SysWOW64\Mhfmbl32.exeC:\Windows\system32\Mhfmbl32.exe27⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Mmhofbma.exeC:\Windows\system32\Mmhofbma.exe28⤵
- Executes dropped EXE
PID:508 -
C:\Windows\SysWOW64\Nehjmnei.exeC:\Windows\system32\Nehjmnei.exe29⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Nemchn32.exeC:\Windows\system32\Nemchn32.exe30⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Oakjnnap.exeC:\Windows\system32\Oakjnnap.exe31⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Poagma32.exeC:\Windows\system32\Poagma32.exe32⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Pkjegb32.exeC:\Windows\system32\Pkjegb32.exe33⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Cgagjo32.exeC:\Windows\system32\Cgagjo32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Cpklql32.exeC:\Windows\system32\Cpklql32.exe35⤵
- Executes dropped EXE
PID:480 -
C:\Windows\SysWOW64\Cbqonf32.exeC:\Windows\system32\Cbqonf32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4764 -
C:\Windows\SysWOW64\Dhbqalle.exeC:\Windows\system32\Dhbqalle.exe37⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Dlbfmjqi.exeC:\Windows\system32\Dlbfmjqi.exe38⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Ehkcgkdj.exeC:\Windows\system32\Ehkcgkdj.exe39⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Fhefmjlp.exeC:\Windows\system32\Fhefmjlp.exe40⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Ginenk32.exeC:\Windows\system32\Ginenk32.exe41⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Hgmebnpd.exeC:\Windows\system32\Hgmebnpd.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4080 -
C:\Windows\SysWOW64\Hjbhph32.exeC:\Windows\system32\Hjbhph32.exe43⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Iiokacgp.exeC:\Windows\system32\Iiokacgp.exe44⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Icdoolge.exeC:\Windows\system32\Icdoolge.exe45⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Jmffnq32.exeC:\Windows\system32\Jmffnq32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1360 -
C:\Windows\SysWOW64\Lhammfci.exeC:\Windows\system32\Lhammfci.exe47⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Libido32.exeC:\Windows\system32\Libido32.exe48⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Ldgnbg32.exeC:\Windows\system32\Ldgnbg32.exe49⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Mpchbhjl.exeC:\Windows\system32\Mpchbhjl.exe50⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Ngklppei.exeC:\Windows\system32\Ngklppei.exe51⤵
- Executes dropped EXE
PID:280 -
C:\Windows\SysWOW64\Oiqomj32.exeC:\Windows\system32\Oiqomj32.exe52⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Opopdd32.exeC:\Windows\system32\Opopdd32.exe53⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Qkcackeb.exeC:\Windows\system32\Qkcackeb.exe54⤵
- Executes dropped EXE
PID:3140 -
C:\Windows\SysWOW64\Agnkck32.exeC:\Windows\system32\Agnkck32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:4584 -
C:\Windows\SysWOW64\Bdlncn32.exeC:\Windows\system32\Bdlncn32.exe56⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Bglgdi32.exeC:\Windows\system32\Bglgdi32.exe57⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Cjfclcpg.exeC:\Windows\system32\Cjfclcpg.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:3304 -
C:\Windows\SysWOW64\Djipbbne.exeC:\Windows\system32\Djipbbne.exe59⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Dicbfhni.exeC:\Windows\system32\Dicbfhni.exe60⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Ejglcq32.exeC:\Windows\system32\Ejglcq32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Eimelg32.exeC:\Windows\system32\Eimelg32.exe62⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Fhflhcfa.exeC:\Windows\system32\Fhflhcfa.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Gikbneio.exeC:\Windows\system32\Gikbneio.exe64⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Gogjflhf.exeC:\Windows\system32\Gogjflhf.exe65⤵
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Hepoddcc.exeC:\Windows\system32\Hepoddcc.exe66⤵PID:1812
-
C:\Windows\SysWOW64\Ioafchai.exeC:\Windows\system32\Ioafchai.exe67⤵PID:3624
-
C:\Windows\SysWOW64\Ijigfaol.exeC:\Windows\system32\Ijigfaol.exe68⤵PID:1524
-
C:\Windows\SysWOW64\Jloibkhh.exeC:\Windows\system32\Jloibkhh.exe69⤵PID:1200
-
C:\Windows\SysWOW64\Jkhpogij.exeC:\Windows\system32\Jkhpogij.exe70⤵
- Modifies registry class
PID:3248 -
C:\Windows\SysWOW64\Kmhlijpm.exeC:\Windows\system32\Kmhlijpm.exe71⤵
- Drops file in System32 directory
PID:4280 -
C:\Windows\SysWOW64\Kkabefqp.exeC:\Windows\system32\Kkabefqp.exe72⤵PID:1972
-
C:\Windows\SysWOW64\Liabjh32.exeC:\Windows\system32\Liabjh32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Mcggga32.exeC:\Windows\system32\Mcggga32.exe74⤵PID:1048
-
C:\Windows\SysWOW64\Mlbllc32.exeC:\Windows\system32\Mlbllc32.exe75⤵PID:2276
-
C:\Windows\SysWOW64\Mikepg32.exeC:\Windows\system32\Mikepg32.exe76⤵
- Modifies registry class
PID:3436 -
C:\Windows\SysWOW64\Ojhnlh32.exeC:\Windows\system32\Ojhnlh32.exe77⤵PID:5128
-
C:\Windows\SysWOW64\Olndnp32.exeC:\Windows\system32\Olndnp32.exe78⤵PID:5172
-
C:\Windows\SysWOW64\Oplmdnpc.exeC:\Windows\system32\Oplmdnpc.exe79⤵PID:5212
-
C:\Windows\SysWOW64\Pkkdhe32.exeC:\Windows\system32\Pkkdhe32.exe80⤵
- Drops file in System32 directory
PID:5260 -
C:\Windows\SysWOW64\Agikne32.exeC:\Windows\system32\Agikne32.exe81⤵PID:5304
-
C:\Windows\SysWOW64\Akgcdc32.exeC:\Windows\system32\Akgcdc32.exe82⤵PID:5344
-
C:\Windows\SysWOW64\Apcllk32.exeC:\Windows\system32\Apcllk32.exe83⤵PID:5388
-
C:\Windows\SysWOW64\Akipic32.exeC:\Windows\system32\Akipic32.exe84⤵
- Drops file in System32 directory
PID:5432 -
C:\Windows\SysWOW64\Almifk32.exeC:\Windows\system32\Almifk32.exe85⤵
- Drops file in System32 directory
PID:5476 -
C:\Windows\SysWOW64\Bjqjpp32.exeC:\Windows\system32\Bjqjpp32.exe86⤵PID:5520
-
C:\Windows\SysWOW64\Bdkghg32.exeC:\Windows\system32\Bdkghg32.exe87⤵PID:5564
-
C:\Windows\SysWOW64\Bdpqcg32.exeC:\Windows\system32\Bdpqcg32.exe88⤵PID:5608
-
C:\Windows\SysWOW64\Cmkehicj.exeC:\Windows\system32\Cmkehicj.exe89⤵PID:5652
-
C:\Windows\SysWOW64\Ccigpbga.exeC:\Windows\system32\Ccigpbga.exe90⤵PID:5692
-
C:\Windows\SysWOW64\Dnhncjom.exeC:\Windows\system32\Dnhncjom.exe91⤵
- Modifies registry class
PID:5736 -
C:\Windows\SysWOW64\Dcegkamd.exeC:\Windows\system32\Dcegkamd.exe92⤵
- Drops file in System32 directory
PID:5776 -
C:\Windows\SysWOW64\Eanqpdgi.exeC:\Windows\system32\Eanqpdgi.exe93⤵PID:5820
-
C:\Windows\SysWOW64\Febogbhg.exeC:\Windows\system32\Febogbhg.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5864 -
C:\Windows\SysWOW64\Fjphoi32.exeC:\Windows\system32\Fjphoi32.exe95⤵PID:5908
-
C:\Windows\SysWOW64\Fhhaclqc.exeC:\Windows\system32\Fhhaclqc.exe96⤵
- Drops file in System32 directory
PID:5980 -
C:\Windows\SysWOW64\Gjndpg32.exeC:\Windows\system32\Gjndpg32.exe97⤵PID:6024
-
C:\Windows\SysWOW64\Gokmfe32.exeC:\Windows\system32\Gokmfe32.exe98⤵
- Modifies registry class
PID:6068 -
C:\Windows\SysWOW64\Glompi32.exeC:\Windows\system32\Glompi32.exe99⤵PID:6112
-
C:\Windows\SysWOW64\Gehbio32.exeC:\Windows\system32\Gehbio32.exe100⤵PID:5124
-
C:\Windows\SysWOW64\Haaocp32.exeC:\Windows\system32\Haaocp32.exe101⤵PID:5180
-
C:\Windows\SysWOW64\Hhkgpjqn.exeC:\Windows\system32\Hhkgpjqn.exe102⤵PID:4368
-
C:\Windows\SysWOW64\Hklpaeno.exeC:\Windows\system32\Hklpaeno.exe103⤵PID:3420
-
C:\Windows\SysWOW64\Ihdjfhhc.exeC:\Windows\system32\Ihdjfhhc.exe104⤵PID:5296
-
C:\Windows\SysWOW64\Jnjednnp.exeC:\Windows\system32\Jnjednnp.exe105⤵PID:5356
-
C:\Windows\SysWOW64\Jlkfbe32.exeC:\Windows\system32\Jlkfbe32.exe106⤵PID:5420
-
C:\Windows\SysWOW64\Jlnbhe32.exeC:\Windows\system32\Jlnbhe32.exe107⤵PID:5552
-
C:\Windows\SysWOW64\Jekpljgg.exeC:\Windows\system32\Jekpljgg.exe108⤵PID:5628
-
C:\Windows\SysWOW64\Khbpndnp.exeC:\Windows\system32\Khbpndnp.exe109⤵PID:5764
-
C:\Windows\SysWOW64\Npipnjmm.exeC:\Windows\system32\Npipnjmm.exe110⤵
- Drops file in System32 directory
PID:5848 -
C:\Windows\SysWOW64\Pfoamp32.exeC:\Windows\system32\Pfoamp32.exe111⤵PID:3764
-
C:\Windows\SysWOW64\Qfcjhphd.exeC:\Windows\system32\Qfcjhphd.exe112⤵
- Modifies registry class
PID:5956 -
C:\Windows\SysWOW64\Bedgejbo.exeC:\Windows\system32\Bedgejbo.exe113⤵
- Modifies registry class
PID:6000 -
C:\Windows\SysWOW64\Bomknp32.exeC:\Windows\system32\Bomknp32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6080 -
C:\Windows\SysWOW64\Bibpkiie.exeC:\Windows\system32\Bibpkiie.exe115⤵
- Drops file in System32 directory
PID:1084 -
C:\Windows\SysWOW64\Bckddn32.exeC:\Windows\system32\Bckddn32.exe116⤵PID:4960
-
C:\Windows\SysWOW64\Bidlqhgc.exeC:\Windows\system32\Bidlqhgc.exe117⤵PID:4428
-
C:\Windows\SysWOW64\Boaeioej.exeC:\Windows\system32\Boaeioej.exe118⤵PID:3956
-
C:\Windows\SysWOW64\Ccajdmin.exeC:\Windows\system32\Ccajdmin.exe119⤵
- Modifies registry class
PID:3816 -
C:\Windows\SysWOW64\Cfeplh32.exeC:\Windows\system32\Cfeplh32.exe120⤵PID:1912
-
C:\Windows\SysWOW64\Comddn32.exeC:\Windows\system32\Comddn32.exe121⤵PID:5372
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-