Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
02/11/2023, 16:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.1026b2238d97f9dce033cc57f18b5114_JC.exe
Resource
win7-20231020-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.1026b2238d97f9dce033cc57f18b5114_JC.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.1026b2238d97f9dce033cc57f18b5114_JC.exe
-
Size
90KB
-
MD5
1026b2238d97f9dce033cc57f18b5114
-
SHA1
2c0e096f573aeef2b5eace24679e3239cd89f546
-
SHA256
78d79d8dc65f13360eeb86ee1fe6fc1c4360f9dfae549396f4d06f7bb10b6909
-
SHA512
f0f49afe3f50cd00261068c32fa2560818245bae744e69310f59e3c0145d9db4a0e1aa3635753bfbb045d63ed9f695c88d2aa4a7808f79f0668c21c4d633f9ef
-
SSDEEP
1536:flIsWy8f9csv6MTJu2roG8+7Li1AitH+rKJWGUoTsG7du/Ub0VkVNK:OsWbfmsv6m2I7Li1rcr3yIG5u/Ub0+NK
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dememj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhnhplpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lomqcjie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfamia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oediim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkofofbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paennh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlnjbedi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifmqfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amlogfel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkncno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icciccmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jeneidji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikcmmjkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmbdmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oediim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjdfgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddpjjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Febogbhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlnjbedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijkled32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqdmghnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kipalpoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doeifpkk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgekdq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncoaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgmpkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkqhpmkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcicma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefgbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dggbcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fniihmpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blpemn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njljnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnlfclip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dehkbkip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmfhbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Damfao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onakco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hligqnjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjhlfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gblbca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glipgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioafchai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihlgan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgjmkqke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnlafaio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahiiqafa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldpde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onapdl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omigmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbpall32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjabgm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmoehojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipeeobbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iebngial.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbamcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mknlef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dndlba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aneppo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnjqmpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhhiemoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enfckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbnaeh32.exe -
Executes dropped EXE 64 IoCs
pid Process 2240 Cfpffeaj.exe 2540 Cohkokgj.exe 1836 Dmlkhofd.exe 4292 Dfdpad32.exe 3032 Dkahilkl.exe 3980 Dheibpje.exe 4840 Dbnmke32.exe 384 Dmcain32.exe 4112 Dflfac32.exe 3872 Dodjjimm.exe 3428 Eecphp32.exe 4732 Ebgpad32.exe 3608 Efeihb32.exe 3232 Ekaapi32.exe 5044 Eejeiocj.exe 3612 Enbjad32.exe 1108 Fihnomjp.exe 3120 Fijkdmhn.exe 1648 Fealin32.exe 1544 Ffqhcq32.exe 4400 Fbgihaji.exe 3592 Fbjena32.exe 1320 Gblbca32.exe 3332 Gldglf32.exe 4632 Gpbpbecj.exe 3128 Glipgf32.exe 5112 Gojiiafp.exe 3640 Hlnjbedi.exe 4708 Hefnkkkj.exe 1236 Hbjoeojc.exe 3280 Hmpcbhji.exe 2676 Hpqldc32.exe 4412 Hiipmhmk.exe 408 Ifmqfm32.exe 216 Ipeeobbe.exe 2736 Iebngial.exe 3600 Iojbpo32.exe 3912 Ilnbicff.exe 3336 Iefgbh32.exe 4896 Ickglm32.exe 1052 Jcanll32.exe 2080 Jljbeali.exe 5076 Jebfng32.exe 3512 Jokkgl32.exe 2400 Jlolpq32.exe 4992 Kjblje32.exe 4696 Koodbl32.exe 2544 Klcekpdo.exe 2920 Kpanan32.exe 4800 Kfnfjehl.exe 4388 Kcbfcigf.exe 4984 Kjlopc32.exe 4172 Lnjgfb32.exe 2764 Lfeljd32.exe 3976 Lomqcjie.exe 1380 Lnoaaaad.exe 4944 Lckiihok.exe 5092 Lnangaoa.exe 1992 Lcnfohmi.exe 2888 Mqafhl32.exe 4104 Mfnoqc32.exe 648 Mogcihaj.exe 1564 Mjlhgaqp.exe 4456 Mcelpggq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Iijfhbhl.exe Inebjihf.exe File opened for modification C:\Windows\SysWOW64\Lpepbgbd.exe Likhem32.exe File created C:\Windows\SysWOW64\Kopghhaj.dll Hedhoc32.exe File opened for modification C:\Windows\SysWOW64\Ecjpfp32.exe Djalnkbo.exe File created C:\Windows\SysWOW64\Lkdgqbag.exe Lpocciba.exe File opened for modification C:\Windows\SysWOW64\Pjdpelnc.exe Pdjgha32.exe File opened for modification C:\Windows\SysWOW64\Ehbnigjj.exe Enmjlojd.exe File created C:\Windows\SysWOW64\Jfbdpabn.exe Ikmpcicg.exe File opened for modification C:\Windows\SysWOW64\Mjednmla.exe Mnlfclip.exe File opened for modification C:\Windows\SysWOW64\Gblbca32.exe Fbjena32.exe File created C:\Windows\SysWOW64\Qgaeof32.dll Adcjop32.exe File opened for modification C:\Windows\SysWOW64\Dmlkhofd.exe Cohkokgj.exe File opened for modification C:\Windows\SysWOW64\Eecphp32.exe Dodjjimm.exe File opened for modification C:\Windows\SysWOW64\Dhdkig32.exe Cefolk32.exe File created C:\Windows\SysWOW64\Apqddgbj.dll Nncoaq32.exe File created C:\Windows\SysWOW64\Eeokad32.dll Febogbhg.exe File created C:\Windows\SysWOW64\Eobffk32.exe Omkmhlpf.exe File created C:\Windows\SysWOW64\Qlmopqdc.exe Qecgcfmf.exe File created C:\Windows\SysWOW64\Hbobhb32.dll Amqhbe32.exe File created C:\Windows\SysWOW64\Ocaocfbb.dll Ikcmmjkb.exe File created C:\Windows\SysWOW64\Pdchakoo.exe Pindcboi.exe File created C:\Windows\SysWOW64\Mdlajf32.dll Gjhdkajh.exe File created C:\Windows\SysWOW64\Lckbje32.exe Lajfbmmi.exe File created C:\Windows\SysWOW64\Opmaaodc.exe Onneeceo.exe File created C:\Windows\SysWOW64\Pjhlfb32.exe Pdkcnklf.exe File created C:\Windows\SysWOW64\Mhelik32.dll Koodbl32.exe File created C:\Windows\SysWOW64\Jhkbdmbg.exe Jaajhb32.exe File opened for modification C:\Windows\SysWOW64\Cqiehnml.exe Cinpdl32.exe File created C:\Windows\SysWOW64\Eeihnf32.dll Hhlnjpdi.exe File created C:\Windows\SysWOW64\Bckknd32.exe Bnobfn32.exe File created C:\Windows\SysWOW64\Dhfhnfhc.exe Dehkbkip.exe File created C:\Windows\SysWOW64\Lebgfqmp.dll Ehbgjenf.exe File opened for modification C:\Windows\SysWOW64\Chkobkod.exe Cnfkdb32.exe File opened for modification C:\Windows\SysWOW64\Cdbpgl32.exe Coegoe32.exe File created C:\Windows\SysWOW64\Gglpgd32.exe Gcngafol.exe File created C:\Windows\SysWOW64\Ibaikgdp.dll Hcifmdeo.exe File opened for modification C:\Windows\SysWOW64\Bammeebe.exe Blpemn32.exe File created C:\Windows\SysWOW64\Okjpkd32.dll Finnef32.exe File created C:\Windows\SysWOW64\Pneclb32.dll Glhimp32.exe File created C:\Windows\SysWOW64\Dbfjfc32.dll Ohpiphlb.exe File opened for modification C:\Windows\SysWOW64\Jfdafa32.exe Jkomhhae.exe File created C:\Windows\SysWOW64\Lmjhab32.dll Jokkgl32.exe File opened for modification C:\Windows\SysWOW64\Gnblnlhl.exe Gghdaa32.exe File opened for modification C:\Windows\SysWOW64\Gcngafol.exe Gnanioad.exe File created C:\Windows\SysWOW64\Aemjjeek.exe Aocamk32.exe File created C:\Windows\SysWOW64\Fdegkdim.exe Ffpjihee.exe File created C:\Windows\SysWOW64\Pmiikh32.exe Ohlqcagj.exe File opened for modification C:\Windows\SysWOW64\Cepadh32.exe Jjkdlall.exe File created C:\Windows\SysWOW64\Ahafcp32.dll Pkedbmab.exe File opened for modification C:\Windows\SysWOW64\Iqdmghnp.exe Ijjekn32.exe File created C:\Windows\SysWOW64\Ngfnnqih.dll Lcbikd32.exe File created C:\Windows\SysWOW64\Aaeomcoo.dll Mphfjhjf.exe File created C:\Windows\SysWOW64\Ejkmkh32.dll Gfngke32.exe File created C:\Windows\SysWOW64\Lbandhne.dll Qmgelf32.exe File opened for modification C:\Windows\SysWOW64\Gclimi32.exe Glpdjpbj.exe File opened for modification C:\Windows\SysWOW64\Nclbpf32.exe Mfhbga32.exe File opened for modification C:\Windows\SysWOW64\Oajccgmd.exe Mjiloqjb.exe File opened for modification C:\Windows\SysWOW64\Goconkah.exe Fckacknf.exe File created C:\Windows\SysWOW64\Njfkmphe.exe Nclbpf32.exe File created C:\Windows\SysWOW64\Oegjjp32.dll Ohnljine.exe File created C:\Windows\SysWOW64\Oflcnqal.dll Gkqhpmkg.exe File opened for modification C:\Windows\SysWOW64\Omgjhc32.exe Obafjk32.exe File created C:\Windows\SysWOW64\Loecgfjf.exe Lhkkjl32.exe File opened for modification C:\Windows\SysWOW64\Pmfhbm32.exe Pjhlfb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2408 7488 WerFault.exe 711 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghollnfk.dll" Ehklmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcicma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfnikd32.dll" Lnjgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqnbqh32.dll" Bphgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmehgibj.dll" Icfmci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkhlin32.dll" Gnanioad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaaneok.dll" Ifcben32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qhofjbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naamaled.dll" Okeinn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocoaob32.dll" Fbjena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipeeobbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akeodedd.dll" Eiekog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijmhkchl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdpnpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkcibnmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hccdbf32.dll" Ogekbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hioflcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhejb32.dll" Gpbpbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiapehp.dll" Ilcjgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Paennh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egohdegl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iijfhbhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefgjq32.dll" Hpmhdmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kagimmol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oclkgccf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijjekn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdopj32.dll" Iefgbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjbcplpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bknlbhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ienlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdnbiac.dll" Oediim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqnajlid.dll" Kkkldg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kapceeje.dll" Ffqhcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbgihaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eolpfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dncehk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocnampdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Febogbhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldpbaelj.dll" Jeneidji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igghilhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnifekmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onjebpml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elpppcdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfhbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npbceggm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkomhhae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmiikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iqdmghnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ononmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnobfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hejjmage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjhln32.dll" Pcijoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fijkdmhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgcjfbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akdfndpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfamia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmipfknd.dll" Nhicoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohlqcagj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjabdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Colfpace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmmco32.dll" Iijfhbhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djmbbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcifmdeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfjfc32.dll" Ohpiphlb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1772 wrote to memory of 2240 1772 NEAS.1026b2238d97f9dce033cc57f18b5114_JC.exe 86 PID 1772 wrote to memory of 2240 1772 NEAS.1026b2238d97f9dce033cc57f18b5114_JC.exe 86 PID 1772 wrote to memory of 2240 1772 NEAS.1026b2238d97f9dce033cc57f18b5114_JC.exe 86 PID 2240 wrote to memory of 2540 2240 Cfpffeaj.exe 87 PID 2240 wrote to memory of 2540 2240 Cfpffeaj.exe 87 PID 2240 wrote to memory of 2540 2240 Cfpffeaj.exe 87 PID 2540 wrote to memory of 1836 2540 Cohkokgj.exe 88 PID 2540 wrote to memory of 1836 2540 Cohkokgj.exe 88 PID 2540 wrote to memory of 1836 2540 Cohkokgj.exe 88 PID 1836 wrote to memory of 4292 1836 Dmlkhofd.exe 89 PID 1836 wrote to memory of 4292 1836 Dmlkhofd.exe 89 PID 1836 wrote to memory of 4292 1836 Dmlkhofd.exe 89 PID 4292 wrote to memory of 3032 4292 Dfdpad32.exe 90 PID 4292 wrote to memory of 3032 4292 Dfdpad32.exe 90 PID 4292 wrote to memory of 3032 4292 Dfdpad32.exe 90 PID 3032 wrote to memory of 3980 3032 Dkahilkl.exe 91 PID 3032 wrote to memory of 3980 3032 Dkahilkl.exe 91 PID 3032 wrote to memory of 3980 3032 Dkahilkl.exe 91 PID 3980 wrote to memory of 4840 3980 Dheibpje.exe 92 PID 3980 wrote to memory of 4840 3980 Dheibpje.exe 92 PID 3980 wrote to memory of 4840 3980 Dheibpje.exe 92 PID 4840 wrote to memory of 384 4840 Dbnmke32.exe 93 PID 4840 wrote to memory of 384 4840 Dbnmke32.exe 93 PID 4840 wrote to memory of 384 4840 Dbnmke32.exe 93 PID 384 wrote to memory of 4112 384 Dmcain32.exe 94 PID 384 wrote to memory of 4112 384 Dmcain32.exe 94 PID 384 wrote to memory of 4112 384 Dmcain32.exe 94 PID 4112 wrote to memory of 3872 4112 Dflfac32.exe 95 PID 4112 wrote to memory of 3872 4112 Dflfac32.exe 95 PID 4112 wrote to memory of 3872 4112 Dflfac32.exe 95 PID 3872 wrote to memory of 3428 3872 Dodjjimm.exe 96 PID 3872 wrote to memory of 3428 3872 Dodjjimm.exe 96 PID 3872 wrote to memory of 3428 3872 Dodjjimm.exe 96 PID 3428 wrote to memory of 4732 3428 Eecphp32.exe 97 PID 3428 wrote to memory of 4732 3428 Eecphp32.exe 97 PID 3428 wrote to memory of 4732 3428 Eecphp32.exe 97 PID 4732 wrote to memory of 3608 4732 Ebgpad32.exe 98 PID 4732 wrote to memory of 3608 4732 Ebgpad32.exe 98 PID 4732 wrote to memory of 3608 4732 Ebgpad32.exe 98 PID 3608 wrote to memory of 3232 3608 Efeihb32.exe 99 PID 3608 wrote to memory of 3232 3608 Efeihb32.exe 99 PID 3608 wrote to memory of 3232 3608 Efeihb32.exe 99 PID 3232 wrote to memory of 5044 3232 Ekaapi32.exe 100 PID 3232 wrote to memory of 5044 3232 Ekaapi32.exe 100 PID 3232 wrote to memory of 5044 3232 Ekaapi32.exe 100 PID 5044 wrote to memory of 3612 5044 Eejeiocj.exe 102 PID 5044 wrote to memory of 3612 5044 Eejeiocj.exe 102 PID 5044 wrote to memory of 3612 5044 Eejeiocj.exe 102 PID 3612 wrote to memory of 1108 3612 Enbjad32.exe 103 PID 3612 wrote to memory of 1108 3612 Enbjad32.exe 103 PID 3612 wrote to memory of 1108 3612 Enbjad32.exe 103 PID 1108 wrote to memory of 3120 1108 Fihnomjp.exe 104 PID 1108 wrote to memory of 3120 1108 Fihnomjp.exe 104 PID 1108 wrote to memory of 3120 1108 Fihnomjp.exe 104 PID 3120 wrote to memory of 1648 3120 Fijkdmhn.exe 105 PID 3120 wrote to memory of 1648 3120 Fijkdmhn.exe 105 PID 3120 wrote to memory of 1648 3120 Fijkdmhn.exe 105 PID 1648 wrote to memory of 1544 1648 Fealin32.exe 106 PID 1648 wrote to memory of 1544 1648 Fealin32.exe 106 PID 1648 wrote to memory of 1544 1648 Fealin32.exe 106 PID 1544 wrote to memory of 4400 1544 Ffqhcq32.exe 107 PID 1544 wrote to memory of 4400 1544 Ffqhcq32.exe 107 PID 1544 wrote to memory of 4400 1544 Ffqhcq32.exe 107 PID 4400 wrote to memory of 3592 4400 Fbgihaji.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.1026b2238d97f9dce033cc57f18b5114_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.1026b2238d97f9dce033cc57f18b5114_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Cfpffeaj.exeC:\Windows\system32\Cfpffeaj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Cohkokgj.exeC:\Windows\system32\Cohkokgj.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Dmlkhofd.exeC:\Windows\system32\Dmlkhofd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Dfdpad32.exeC:\Windows\system32\Dfdpad32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\Dkahilkl.exeC:\Windows\system32\Dkahilkl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Dheibpje.exeC:\Windows\system32\Dheibpje.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\Dbnmke32.exeC:\Windows\system32\Dbnmke32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Dmcain32.exeC:\Windows\system32\Dmcain32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Dflfac32.exeC:\Windows\system32\Dflfac32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Dodjjimm.exeC:\Windows\system32\Dodjjimm.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\SysWOW64\Eecphp32.exeC:\Windows\system32\Eecphp32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Windows\SysWOW64\Ebgpad32.exeC:\Windows\system32\Ebgpad32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Efeihb32.exeC:\Windows\system32\Efeihb32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\Ekaapi32.exeC:\Windows\system32\Ekaapi32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\Eejeiocj.exeC:\Windows\system32\Eejeiocj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Enbjad32.exeC:\Windows\system32\Enbjad32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\Fihnomjp.exeC:\Windows\system32\Fihnomjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Fijkdmhn.exeC:\Windows\system32\Fijkdmhn.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\SysWOW64\Fealin32.exeC:\Windows\system32\Fealin32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Ffqhcq32.exeC:\Windows\system32\Ffqhcq32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Fbgihaji.exeC:\Windows\system32\Fbgihaji.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Fbjena32.exeC:\Windows\system32\Fbjena32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3592 -
C:\Windows\SysWOW64\Gblbca32.exeC:\Windows\system32\Gblbca32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Gldglf32.exeC:\Windows\system32\Gldglf32.exe25⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Gpbpbecj.exeC:\Windows\system32\Gpbpbecj.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:4632 -
C:\Windows\SysWOW64\Glipgf32.exeC:\Windows\system32\Glipgf32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Gojiiafp.exeC:\Windows\system32\Gojiiafp.exe28⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Hlnjbedi.exeC:\Windows\system32\Hlnjbedi.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Hefnkkkj.exeC:\Windows\system32\Hefnkkkj.exe30⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Hbjoeojc.exeC:\Windows\system32\Hbjoeojc.exe31⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Hmpcbhji.exeC:\Windows\system32\Hmpcbhji.exe32⤵
- Executes dropped EXE
PID:3280 -
C:\Windows\SysWOW64\Hpqldc32.exeC:\Windows\system32\Hpqldc32.exe33⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Hiipmhmk.exeC:\Windows\system32\Hiipmhmk.exe34⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Ifmqfm32.exeC:\Windows\system32\Ifmqfm32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Ipeeobbe.exeC:\Windows\system32\Ipeeobbe.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:216 -
C:\Windows\SysWOW64\Iebngial.exeC:\Windows\system32\Iebngial.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Iojbpo32.exeC:\Windows\system32\Iojbpo32.exe38⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Ilnbicff.exeC:\Windows\system32\Ilnbicff.exe39⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Iefgbh32.exeC:\Windows\system32\Iefgbh32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3336 -
C:\Windows\SysWOW64\Ickglm32.exeC:\Windows\system32\Ickglm32.exe41⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Jcanll32.exeC:\Windows\system32\Jcanll32.exe42⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Jljbeali.exeC:\Windows\system32\Jljbeali.exe43⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Jebfng32.exeC:\Windows\system32\Jebfng32.exe44⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Jokkgl32.exeC:\Windows\system32\Jokkgl32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3512 -
C:\Windows\SysWOW64\Jlolpq32.exeC:\Windows\system32\Jlolpq32.exe46⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Kjblje32.exeC:\Windows\system32\Kjblje32.exe47⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Koodbl32.exeC:\Windows\system32\Koodbl32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4696 -
C:\Windows\SysWOW64\Klcekpdo.exeC:\Windows\system32\Klcekpdo.exe49⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Kpanan32.exeC:\Windows\system32\Kpanan32.exe50⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Kfnfjehl.exeC:\Windows\system32\Kfnfjehl.exe51⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Kcbfcigf.exeC:\Windows\system32\Kcbfcigf.exe52⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Kjlopc32.exeC:\Windows\system32\Kjlopc32.exe53⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Lnjgfb32.exeC:\Windows\system32\Lnjgfb32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:4172 -
C:\Windows\SysWOW64\Lfeljd32.exeC:\Windows\system32\Lfeljd32.exe55⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Lomqcjie.exeC:\Windows\system32\Lomqcjie.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Lnoaaaad.exeC:\Windows\system32\Lnoaaaad.exe57⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Lckiihok.exeC:\Windows\system32\Lckiihok.exe58⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Lnangaoa.exeC:\Windows\system32\Lnangaoa.exe59⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Lcnfohmi.exeC:\Windows\system32\Lcnfohmi.exe60⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Mqafhl32.exeC:\Windows\system32\Mqafhl32.exe61⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Mfnoqc32.exeC:\Windows\system32\Mfnoqc32.exe62⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Mogcihaj.exeC:\Windows\system32\Mogcihaj.exe63⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Mjlhgaqp.exeC:\Windows\system32\Mjlhgaqp.exe64⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Mcelpggq.exeC:\Windows\system32\Mcelpggq.exe65⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Mnjqmpgg.exeC:\Windows\system32\Mnjqmpgg.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1684 -
C:\Windows\SysWOW64\Mcgiefen.exeC:\Windows\system32\Mcgiefen.exe67⤵PID:2128
-
C:\Windows\SysWOW64\Mfhbga32.exeC:\Windows\system32\Mfhbga32.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:3296 -
C:\Windows\SysWOW64\Nclbpf32.exeC:\Windows\system32\Nclbpf32.exe69⤵
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Njfkmphe.exeC:\Windows\system32\Njfkmphe.exe70⤵PID:3448
-
C:\Windows\SysWOW64\Npbceggm.exeC:\Windows\system32\Npbceggm.exe71⤵
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Njhgbp32.exeC:\Windows\system32\Njhgbp32.exe72⤵PID:1220
-
C:\Windows\SysWOW64\Npepkf32.exeC:\Windows\system32\Npepkf32.exe73⤵PID:1604
-
C:\Windows\SysWOW64\Njjdho32.exeC:\Windows\system32\Njjdho32.exe74⤵PID:3176
-
C:\Windows\SysWOW64\Ngndaccj.exeC:\Windows\system32\Ngndaccj.exe75⤵PID:2396
-
C:\Windows\SysWOW64\Nagiji32.exeC:\Windows\system32\Nagiji32.exe76⤵PID:3264
-
C:\Windows\SysWOW64\Nfcabp32.exeC:\Windows\system32\Nfcabp32.exe77⤵PID:3104
-
C:\Windows\SysWOW64\Oaifpi32.exeC:\Windows\system32\Oaifpi32.exe78⤵PID:3792
-
C:\Windows\SysWOW64\Ompfej32.exeC:\Windows\system32\Ompfej32.exe79⤵PID:336
-
C:\Windows\SysWOW64\Ogekbb32.exeC:\Windows\system32\Ogekbb32.exe80⤵
- Modifies registry class
PID:3868 -
C:\Windows\SysWOW64\Ombcji32.exeC:\Windows\system32\Ombcji32.exe81⤵PID:716
-
C:\Windows\SysWOW64\Oclkgccf.exeC:\Windows\system32\Oclkgccf.exe82⤵
- Modifies registry class
PID:3896 -
C:\Windows\SysWOW64\Onapdl32.exeC:\Windows\system32\Onapdl32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5160 -
C:\Windows\SysWOW64\Opclldhj.exeC:\Windows\system32\Opclldhj.exe84⤵PID:5204
-
C:\Windows\SysWOW64\Ofmdio32.exeC:\Windows\system32\Ofmdio32.exe85⤵PID:5252
-
C:\Windows\SysWOW64\Omgmeigd.exeC:\Windows\system32\Omgmeigd.exe86⤵PID:5296
-
C:\Windows\SysWOW64\Ohlqcagj.exeC:\Windows\system32\Ohlqcagj.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:5340 -
C:\Windows\SysWOW64\Pmiikh32.exeC:\Windows\system32\Pmiikh32.exe88⤵
- Modifies registry class
PID:5384 -
C:\Windows\SysWOW64\Phonha32.exeC:\Windows\system32\Phonha32.exe89⤵PID:5428
-
C:\Windows\SysWOW64\Pnifekmd.exeC:\Windows\system32\Pnifekmd.exe90⤵
- Modifies registry class
PID:5472 -
C:\Windows\SysWOW64\Ppjbmc32.exeC:\Windows\system32\Ppjbmc32.exe91⤵PID:5512
-
C:\Windows\SysWOW64\Pnkbkk32.exeC:\Windows\system32\Pnkbkk32.exe92⤵PID:5564
-
C:\Windows\SysWOW64\Pjbcplpe.exeC:\Windows\system32\Pjbcplpe.exe93⤵
- Modifies registry class
PID:5600 -
C:\Windows\SysWOW64\Pdjgha32.exeC:\Windows\system32\Pdjgha32.exe94⤵
- Drops file in System32 directory
PID:5644 -
C:\Windows\SysWOW64\Pjdpelnc.exeC:\Windows\system32\Pjdpelnc.exe95⤵PID:5684
-
C:\Windows\SysWOW64\Qhhpop32.exeC:\Windows\system32\Qhhpop32.exe96⤵PID:5740
-
C:\Windows\SysWOW64\Qpcecb32.exeC:\Windows\system32\Qpcecb32.exe97⤵PID:5784
-
C:\Windows\SysWOW64\Qmgelf32.exeC:\Windows\system32\Qmgelf32.exe98⤵
- Drops file in System32 directory
PID:5820 -
C:\Windows\SysWOW64\Qdaniq32.exeC:\Windows\system32\Qdaniq32.exe99⤵PID:5868
-
C:\Windows\SysWOW64\Aogbfi32.exeC:\Windows\system32\Aogbfi32.exe100⤵PID:5916
-
C:\Windows\SysWOW64\Adcjop32.exeC:\Windows\system32\Adcjop32.exe101⤵
- Drops file in System32 directory
PID:5960 -
C:\Windows\SysWOW64\Amlogfel.exeC:\Windows\system32\Amlogfel.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6004 -
C:\Windows\SysWOW64\Ahaceo32.exeC:\Windows\system32\Ahaceo32.exe103⤵PID:6056
-
C:\Windows\SysWOW64\Aokkahlo.exeC:\Windows\system32\Aokkahlo.exe104⤵PID:6100
-
C:\Windows\SysWOW64\Ahdpjn32.exeC:\Windows\system32\Ahdpjn32.exe105⤵PID:6136
-
C:\Windows\SysWOW64\Amqhbe32.exeC:\Windows\system32\Amqhbe32.exe106⤵
- Drops file in System32 directory
PID:5152 -
C:\Windows\SysWOW64\Ahfmpnql.exeC:\Windows\system32\Ahfmpnql.exe107⤵PID:5244
-
C:\Windows\SysWOW64\Aopemh32.exeC:\Windows\system32\Aopemh32.exe108⤵PID:5308
-
C:\Windows\SysWOW64\Bhhiemoj.exeC:\Windows\system32\Bhhiemoj.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5368 -
C:\Windows\SysWOW64\Bmeandma.exeC:\Windows\system32\Bmeandma.exe110⤵PID:5436
-
C:\Windows\SysWOW64\Bgnffj32.exeC:\Windows\system32\Bgnffj32.exe111⤵PID:5504
-
C:\Windows\SysWOW64\Bmhocd32.exeC:\Windows\system32\Bmhocd32.exe112⤵PID:5572
-
C:\Windows\SysWOW64\Bdagpnbk.exeC:\Windows\system32\Bdagpnbk.exe113⤵PID:5632
-
C:\Windows\SysWOW64\Bklomh32.exeC:\Windows\system32\Bklomh32.exe114⤵PID:5712
-
C:\Windows\SysWOW64\Bphgeo32.exeC:\Windows\system32\Bphgeo32.exe115⤵
- Modifies registry class
PID:5776 -
C:\Windows\SysWOW64\Bknlbhhe.exeC:\Windows\system32\Bknlbhhe.exe116⤵
- Modifies registry class
PID:5864 -
C:\Windows\SysWOW64\Cncnob32.exeC:\Windows\system32\Cncnob32.exe117⤵PID:5940
-
C:\Windows\SysWOW64\Cnfkdb32.exeC:\Windows\system32\Cnfkdb32.exe118⤵
- Drops file in System32 directory
PID:6016 -
C:\Windows\SysWOW64\Chkobkod.exeC:\Windows\system32\Chkobkod.exe119⤵PID:6092
-
C:\Windows\SysWOW64\Coegoe32.exeC:\Windows\system32\Coegoe32.exe120⤵
- Drops file in System32 directory
PID:5148 -
C:\Windows\SysWOW64\Cdbpgl32.exeC:\Windows\system32\Cdbpgl32.exe121⤵PID:5264
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-