Analysis
max time kernel: 163s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/11/2023, 20:30
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.dc476e77199e23c5dbc30e24a1ff67b0_JC.exe
  Resource: win7-20231025-en
Behavioral task: behavioral2
  Sample: NEAS.dc476e77199e23c5dbc30e24a1ff67b0_JC.exe
  Resource: win10v2004-20231023-en
General
Target: NEAS.dc476e77199e23c5dbc30e24a1ff67b0_JC.exe
Size: 271KB
MD5: dc476e77199e23c5dbc30e24a1ff67b0
SHA1: 7af1afb75152ff3ab3c0961631e1e60d952d6bd5
SHA256: ef12afe77c561367b20c4db60890dff6b7ef8e71976450b55ec934b876f16e00
SHA512: 73a7c534bbef5b7cfd22fbe6e0f5945da0cc23d67ac5e32c0291ed213b323f43d7b638cac200462f005003f6623fb3a428f2f2b98462386f337664341163e508
SSDEEP: 3072:mCuMs3Fxf0J24ho1mtye3lFDrFDHZtOga24ho1mtye3lxXZBnkO/ACVItRX24hoo:mQs3Fxf0GsFj5tT3sFxHnkO/ACmLksF
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 5444, pid_target: 940, Process: WerFault.exe, procid_target: 583
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\NEAS.dc476e77199e23c5dbc30e24a1ff67b0_JC.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.dc476e77199e23c5dbc30e24a1ff67b0_JC.exe")
   - Suspicious use of WriteProcessMemory
   PID: 5116
2. C:\Windows\SysWOW64\Apgqie32.exe (command line: C:\Windows\system32\Apgqie32.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 880
3. C:\Windows\SysWOW64\Dbfoclai.exe (command line: C:\Windows\system32\Dbfoclai.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 4088
4. C:\Windows\SysWOW64\Eebgqe32.exe (command line: C:\Windows\system32\Eebgqe32.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 1532
5. C:\Windows\SysWOW64\Eegqldqg.exe (command line: C:\Windows\system32\Eegqldqg.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 3500
6. C:\Windows\SysWOW64\Gnlenp32.exe (command line: C:\Windows\system32\Gnlenp32.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 2324
7. C:\Windows\SysWOW64\Gjhonp32.exe (command line: C:\Windows\system32\Gjhonp32.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 3816
8. C:\Windows\SysWOW64\Hfcinq32.exe (command line: C:\Windows\system32\Hfcinq32.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 1180
9. C:\Windows\SysWOW64\Imfdaigj.exe (command line: C:\Windows\system32\Imfdaigj.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 472
10. C:\Windows\SysWOW64\Kdhlepkl.exe (command line: C:\Windows\system32\Kdhlepkl.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 3592
11. C:\Windows\SysWOW64\Nkjlqd32.exe (command line: C:\Windows\system32\Nkjlqd32.exe)
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3832
12. C:\Windows\SysWOW64\Oddmoj32.exe (command line: C:\Windows\system32\Oddmoj32.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 5060
13. C:\Windows\SysWOW64\Okcogc32.exe (command line: C:\Windows\system32\Okcogc32.exe)
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3876
14. C:\Windows\SysWOW64\Pdnpeh32.exe (command line: C:\Windows\system32\Pdnpeh32.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4044
15. C:\Windows\SysWOW64\Pojjcp32.exe (command line: C:\Windows\system32\Pojjcp32.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2112
16. C:\Windows\SysWOW64\Qhghge32.exe (command line: C:\Windows\system32\Qhghge32.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2804
17. C:\Windows\SysWOW64\Aeglbeea.exe (command line: C:\Windows\system32\Aeglbeea.exe)
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3608
18. C:\Windows\SysWOW64\Bghddp32.exe (command line: C:\Windows\system32\Bghddp32.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3356
19. C:\Windows\SysWOW64\Bnicai32.exe (command line: C:\Windows\system32\Bnicai32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 2156
20. C:\Windows\SysWOW64\Cejaobel.exe (command line: C:\Windows\system32\Cejaobel.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2176
21. C:\Windows\SysWOW64\Chkjpm32.exe (command line: C:\Windows\system32\Chkjpm32.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4644
22. C:\Windows\SysWOW64\Dlnlak32.exe (command line: C:\Windows\system32\Dlnlak32.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4360
23. C:\Windows\SysWOW64\Eihcln32.exe (command line: C:\Windows\system32\Eihcln32.exe)
    - Executes dropped EXE
    PID: 2572
24. C:\Windows\SysWOW64\Eimlgnij.exe (command line: C:\Windows\system32\Eimlgnij.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID: 2628
25. C:\Windows\SysWOW64\Eipilmgh.exe (command line: C:\Windows\system32\Eipilmgh.exe)
    - Executes dropped EXE
    PID: 4868
26. C:\Windows\SysWOW64\Fefjanml.exe (command line: C:\Windows\system32\Fefjanml.exe)
    - Executes dropped EXE
    - Modifies registry class
    PID: 3748
27. C:\Windows\SysWOW64\Fpcdof32.exe (command line: C:\Windows\system32\Fpcdof32.exe)
    - Executes dropped EXE
    PID: 4844
28. C:\Windows\SysWOW64\Ggoiap32.exe (command line: C:\Windows\system32\Ggoiap32.exe)
    - Executes dropped EXE
    PID: 4824
29. C:\Windows\SysWOW64\Gegchl32.exe (command line: C:\Windows\system32\Gegchl32.exe)
    - Executes dropped EXE
    PID: 3736
30. C:\Windows\SysWOW64\Gckcap32.exe (command line: C:\Windows\system32\Gckcap32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID: 4208
31. C:\Windows\SysWOW64\Hfpenj32.exe (command line: C:\Windows\system32\Hfpenj32.exe)
    - Executes dropped EXE
    PID: 1896
32. C:\Windows\SysWOW64\Hokgmpkl.exe (command line: C:\Windows\system32\Hokgmpkl.exe)
    - Executes dropped EXE
    PID: 976
33. C:\Windows\SysWOW64\Imfmgcdn.exe (command line: C:\Windows\system32\Imfmgcdn.exe)
    - Executes dropped EXE
    PID: 4640
34. C:\Windows\SysWOW64\Icdoolge.exe (command line: C:\Windows\system32\Icdoolge.exe)
    - Executes dropped EXE
    PID: 4660
35. C:\Windows\SysWOW64\Jopiom32.exe (command line: C:\Windows\system32\Jopiom32.exe)
    - Executes dropped EXE
    - Modifies registry class
    PID: 2456
36. C:\Windows\SysWOW64\Kfcdaehf.exe (command line: C:\Windows\system32\Kfcdaehf.exe)
    - Executes dropped EXE
    PID: 2672
37. C:\Windows\SysWOW64\Likcdpop.exe (command line: C:\Windows\system32\Likcdpop.exe)
    - Executes dropped EXE
    PID: 1872
38. C:\Windows\SysWOW64\Lagepl32.exe (command line: C:\Windows\system32\Lagepl32.exe)
    - Executes dropped EXE
    PID: 4740
39. C:\Windows\SysWOW64\Lmneemaq.exe (command line: C:\Windows\system32\Lmneemaq.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 4876
40. C:\Windows\SysWOW64\Malnklgg.exe (command line: C:\Windows\system32\Malnklgg.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 4236
41. C:\Windows\SysWOW64\Mdaqhf32.exe (command line: C:\Windows\system32\Mdaqhf32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID: 404
42. C:\Windows\SysWOW64\Nieoal32.exe (command line: C:\Windows\system32\Nieoal32.exe)
    - Executes dropped EXE
    PID: 100
43. C:\Windows\SysWOW64\Ngipjp32.exe (command line: C:\Windows\system32\Ngipjp32.exe)
    - Executes dropped EXE
    PID: 4620
44. C:\Windows\SysWOW64\Odhppclh.exe (command line: C:\Windows\system32\Odhppclh.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 4976
45. C:\Windows\SysWOW64\Pgpobmca.exe (command line: C:\Windows\system32\Pgpobmca.exe)
    - Executes dropped EXE
    PID: 3504
46. C:\Windows\SysWOW64\Bbmbgb32.exe (command line: C:\Windows\system32\Bbmbgb32.exe)
    - Executes dropped EXE
    PID: 2080
47. C:\Windows\SysWOW64\Cegnol32.exe (command line: C:\Windows\system32\Cegnol32.exe)
    - Executes dropped EXE
    PID: 1832
48. C:\Windows\SysWOW64\Cejjdlap.exe (command line: C:\Windows\system32\Cejjdlap.exe)
    - Executes dropped EXE
    PID: 928
49. C:\Windows\SysWOW64\Dgomaf32.exe (command line: C:\Windows\system32\Dgomaf32.exe)
    - Executes dropped EXE
    PID: 468
50. C:\Windows\SysWOW64\Fkehdnee.exe (command line: C:\Windows\system32\Fkehdnee.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 1932
51. C:\Windows\SysWOW64\Fifhbf32.exe (command line: C:\Windows\system32\Fifhbf32.exe)
    - Executes dropped EXE
    PID: 212
52. C:\Windows\SysWOW64\Ghbkdald.exe (command line: C:\Windows\system32\Ghbkdald.exe)
    - Executes dropped EXE
    PID: 5016
53. C:\Windows\SysWOW64\Gbhpajlj.exe (command line: C:\Windows\system32\Gbhpajlj.exe)
    - Executes dropped EXE
    PID: 4760
54. C:\Windows\SysWOW64\Giahndcf.exe (command line: C:\Windows\system32\Giahndcf.exe)
    - Executes dropped EXE
    PID: 4820
55. C:\Windows\SysWOW64\Gkcdfl32.exe (command line: C:\Windows\system32\Gkcdfl32.exe)
    - Executes dropped EXE
    PID: 1200
56. C:\Windows\SysWOW64\Ghgeoq32.exe (command line: C:\Windows\system32\Ghgeoq32.exe)
    - Executes dropped EXE
    - Modifies registry class
    PID: 420
57. C:\Windows\SysWOW64\Hifaic32.exe (command line: C:\Windows\system32\Hifaic32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID: 1640
58. C:\Windows\SysWOW64\Haafnf32.exe (command line: C:\Windows\system32\Haafnf32.exe)
    - Executes dropped EXE
    PID: 3604
59. C:\Windows\SysWOW64\Hikkdc32.exe (command line: C:\Windows\system32\Hikkdc32.exe)
    - Executes dropped EXE
    PID: 1776
60. C:\Windows\SysWOW64\Hllcfnhm.exe (command line: C:\Windows\system32\Hllcfnhm.exe)
    - Executes dropped EXE
    PID: 3680
61. C:\Windows\SysWOW64\Ikejbjip.exe (command line: C:\Windows\system32\Ikejbjip.exe)
    - Executes dropped EXE
    PID: 2340
62. C:\Windows\SysWOW64\Ileflmpb.exe (command line: C:\Windows\system32\Ileflmpb.exe)
    - Executes dropped EXE
    PID: 4884
63. C:\Windows\SysWOW64\Ifnkeb32.exe (command line: C:\Windows\system32\Ifnkeb32.exe)
    - Executes dropped EXE
    PID: 4728
64. C:\Windows\SysWOW64\Jloibkhh.exe (command line: C:\Windows\system32\Jloibkhh.exe)
    - Executes dropped EXE
    PID: 1420
65. C:\Windows\SysWOW64\Jfgnka32.exe (command line: C:\Windows\system32\Jfgnka32.exe)
    - Executes dropped EXE
    - Modifies registry class
    PID: 4060
66. C:\Windows\SysWOW64\Jlafhkfe.exe (command line: C:\Windows\system32\Jlafhkfe.exe)
    PID: 4256
67. C:\Windows\SysWOW64\Jhjcbljf.exe (command line: C:\Windows\system32\Jhjcbljf.exe)
    PID: 1240
68. C:\Windows\SysWOW64\Kcphpdil.exe (command line: C:\Windows\system32\Kcphpdil.exe)
    PID: 4772
69. C:\Windows\SysWOW64\Kbedaand.exe (command line: C:\Windows\system32\Kbedaand.exe)
    - Modifies registry class
    PID: 1152
70. C:\Windows\SysWOW64\Kmjinjnj.exe (command line: C:\Windows\system32\Kmjinjnj.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 3636
71. C:\Windows\SysWOW64\Kcdakd32.exe (command line: C:\Windows\system32\Kcdakd32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 2180
72. C:\Windows\SysWOW64\Kjcccm32.exe (command line: C:\Windows\system32\Kjcccm32.exe)
    PID: 3268
73. C:\Windows\SysWOW64\Lobhqdec.exe (command line: C:\Windows\system32\Lobhqdec.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 3164
74. C:\Windows\SysWOW64\Lflpmn32.exe (command line: C:\Windows\system32\Lflpmn32.exe)
    PID: 2012
75. C:\Windows\SysWOW64\Liabjh32.exe (command line: C:\Windows\system32\Liabjh32.exe)
    PID: 4568
76. C:\Windows\SysWOW64\Mmahff32.exe (command line: C:\Windows\system32\Mmahff32.exe)
    PID: 1060
77. C:\Windows\SysWOW64\Mcnmhpoj.exe (command line: C:\Windows\system32\Mcnmhpoj.exe)
    - Modifies registry class
    PID: 2912
78. C:\Windows\SysWOW64\Mlialb32.exe (command line: C:\Windows\system32\Mlialb32.exe)
    - Drops file in System32 directory
    PID: 2732
79. C:\Windows\SysWOW64\Npgjbabk.exe (command line: C:\Windows\system32\Npgjbabk.exe)
    - Drops file in System32 directory
    PID: 5128
80. C:\Windows\SysWOW64\Nipokfil.exe (command line: C:\Windows\system32\Nipokfil.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 5168
81. C:\Windows\SysWOW64\Niblafgi.exe (command line: C:\Windows\system32\Niblafgi.exe)
    PID: 5208
82. C:\Windows\SysWOW64\Nbjpjl32.exe (command line: C:\Windows\system32\Nbjpjl32.exe)
    PID: 5248
83. C:\Windows\SysWOW64\Nfhipj32.exe (command line: C:\Windows\system32\Nfhipj32.exe)
    PID: 5292
84. C:\Windows\SysWOW64\Opgciodi.exe (command line: C:\Windows\system32\Opgciodi.exe)
    PID: 5328
85. C:\Windows\SysWOW64\Ofalfi32.exe (command line: C:\Windows\system32\Ofalfi32.exe)
    PID: 5376
86. C:\Windows\SysWOW64\Okaabg32.exe (command line: C:\Windows\system32\Okaabg32.exe)
    PID: 5436
87. C:\Windows\SysWOW64\Bjcfeola.exe (command line: C:\Windows\system32\Bjcfeola.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 5484
88. C:\Windows\SysWOW64\Bldogjib.exe (command line: C:\Windows\system32\Bldogjib.exe)
    PID: 5524
89. C:\Windows\SysWOW64\Bgicdc32.exe (command line: C:\Windows\system32\Bgicdc32.exe)
    PID: 5568
90. C:\Windows\SysWOW64\Cknbkpif.exe (command line: C:\Windows\system32\Cknbkpif.exe)
    - Drops file in System32 directory
    PID: 5616
91. C:\Windows\SysWOW64\Dkehlo32.exe (command line: C:\Windows\system32\Dkehlo32.exe)
    PID: 5656
92. C:\Windows\SysWOW64\Dmfecgim.exe (command line: C:\Windows\system32\Dmfecgim.exe)
    - Drops file in System32 directory
    PID: 5708
93. C:\Windows\SysWOW64\Fhfenmbe.exe (command line: C:\Windows\system32\Fhfenmbe.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - Modifies registry class
    PID: 5800
94. C:\Windows\SysWOW64\Gaglma32.exe (command line: C:\Windows\system32\Gaglma32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 5904
95. C:\Windows\SysWOW64\Hldgkiki.exe (command line: C:\Windows\system32\Hldgkiki.exe)
    PID: 5956
96. C:\Windows\SysWOW64\Hlipfh32.exe (command line: C:\Windows\system32\Hlipfh32.exe)
    PID: 6012
97. C:\Windows\SysWOW64\Hlmiagbo.exe (command line: C:\Windows\system32\Hlmiagbo.exe)
    PID: 6092
98. C:\Windows\SysWOW64\Iamoon32.exe (command line: C:\Windows\system32\Iamoon32.exe)
    PID: 6136
99. C:\Windows\SysWOW64\Ilbclg32.exe (command line: C:\Windows\system32\Ilbclg32.exe)
    PID: 5160
100. C:\Windows\SysWOW64\Iaokdn32.exe (command line: C:\Windows\system32\Iaokdn32.exe)
     PID: 5240
101. C:\Windows\SysWOW64\Ihicah32.exe (command line: C:\Windows\system32\Ihicah32.exe)
     - Drops file in System32 directory
     PID: 5312
102. C:\Windows\SysWOW64\Inflio32.exe (command line: C:\Windows\system32\Inflio32.exe)
     PID: 5408
103. C:\Windows\SysWOW64\Ilglgfjd.exe (command line: C:\Windows\system32\Ilglgfjd.exe)
     - Drops file in System32 directory
     PID: 180
104. C:\Windows\SysWOW64\Jliimf32.exe (command line: C:\Windows\system32\Jliimf32.exe)
     PID: 5404
105. C:\Windows\SysWOW64\Jafaem32.exe (command line: C:\Windows\system32\Jafaem32.exe)
     - Drops file in System32 directory
     PID: 5496
106. C:\Windows\SysWOW64\Jlkfbe32.exe (command line: C:\Windows\system32\Jlkfbe32.exe)
     PID: 5576
107. C:\Windows\SysWOW64\Jahnkl32.exe (command line: C:\Windows\system32\Jahnkl32.exe)
     PID: 1780
108. C:\Windows\SysWOW64\Jdiglgbg.exe (command line: C:\Windows\system32\Jdiglgbg.exe)
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Modifies registry class
     PID: 5756
109. C:\Windows\SysWOW64\Koceep32.exe (command line: C:\Windows\system32\Koceep32.exe)
     - Adds autorun key to be loaded by Explorer.exe on startup
     PID: 5836
110. C:\Windows\SysWOW64\Khlinedh.exe (command line: C:\Windows\system32\Khlinedh.exe)
     PID: 5776
111. C:\Windows\SysWOW64\Kffphhmj.exe (command line: C:\Windows\system32\Kffphhmj.exe)
     - Drops file in System32 directory
     PID: 5900
112. C:\Windows\SysWOW64\Llqhdb32.exe (command line: C:\Windows\system32\Llqhdb32.exe)
     PID: 6008
113. C:\Windows\SysWOW64\Loodqn32.exe (command line: C:\Windows\system32\Loodqn32.exe)
     PID: 3040
114. C:\Windows\SysWOW64\Lfpcngdo.exe (command line: C:\Windows\system32\Lfpcngdo.exe)
     - Adds autorun key to be loaded by Explorer.exe on startup
     PID: 2828
115. C:\Windows\SysWOW64\Lmjkka32.exe (command line: C:\Windows\system32\Lmjkka32.exe)
     PID: 4988
116. C:\Windows\SysWOW64\Mkadam32.exe (command line: C:\Windows\system32\Mkadam32.exe)
     PID: 6052
117. C:\Windows\SysWOW64\Moomgl32.exe (command line: C:\Windows\system32\Moomgl32.exe)
     PID: 220
118. C:\Windows\SysWOW64\Npipnjmm.exe (command line: C:\Windows\system32\Npipnjmm.exe)
     - Modifies registry class
     PID: 5232
119. C:\Windows\SysWOW64\Nehekq32.exe (command line: C:\Windows\system32\Nehekq32.exe)
     - Adds autorun key to be loaded by Explorer.exe on startup
     PID: 5360
120. C:\Windows\SysWOW64\Oemofpel.exe (command line: C:\Windows\system32\Oemofpel.exe)
     - Drops file in System32 directory
     PID: 1500
121. C:\Windows\SysWOW64\Olfgcj32.exe (command line: C:\Windows\system32\Olfgcj32.exe)
     PID: 5456
122. C:\Windows\SysWOW64\Obgeqcnn.exe (command line: C:\Windows\system32\Obgeqcnn.exe)
     PID: 5552