Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
163s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
03/11/2023, 04:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe
-
Size
337KB
-
MD5
35f054dcd20f3fdf518084a101d7b9a0
-
SHA1
5abeabf409122f2f7edd9d389b41a2288d2e436d
-
SHA256
cdf03fb27614811c8839f07db3d20c8a706c05a509de97edaab1c69d177780cc
-
SHA512
d75a31a9c11710d3dec4c710d8ca2a180643a8679197d977e9f4290b5d26bb1256bb1f3bf380079c02792bb6c0a1f38794efa7295b51707334e2cbae801c62e7
-
SSDEEP
6144:RAX7OAwlrob1f2WZgYxYQoEl1YxXJ+jbC0+xYKo:eX7xpk8gYia6wPN+U
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cocamaam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iapjpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bammeebe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfklamii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apekha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdjjnoje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofaeffpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qobhepjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boflfiai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmjmnpmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgpgplej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilhkcmib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llemnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llbinnbq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkajoiok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpiqpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpjfng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ablahjhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhbbmjne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlflog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdhibn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pblolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iffcgoka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkfil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojgbpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgkfil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfnpacjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohboeenl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpbmpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iikmlnae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efafqolp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igomeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npnjcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amloakki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cglbanmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnfkgfdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifdohl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agpoqoaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcjaq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfekoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kanffogf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmgecn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kelkkpae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aikbpckb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmblkmcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcqjkafb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljloii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pagbklae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clmjcfdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbgibgpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchhamcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipihiaqa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnlcknle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jddggb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baocpnmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baocpnmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhndepbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhheepbk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Holfhfij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oakbonkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnokeqll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iphihnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldgclgcl.exe -
Executes dropped EXE 64 IoCs
pid Process 3276 Kbinlp32.exe 396 Lmkbeg32.exe 3016 Mminfech.exe 1696 Ndjldo32.exe 4644 Olgnnqpe.exe 2664 Ofooqinh.exe 3392 Omkdcccb.exe 1708 Pmefiakh.exe 4412 Ppepkmhi.exe 1880 Qciebg32.exe 876 Aneppo32.exe 4268 Bnobfn32.exe 2992 Bdmdng32.exe 2392 Dmiaig32.exe 1536 Eakdje32.exe 4232 Flaaok32.exe 3496 Gkbnkfei.exe 1084 Hmjmnpmb.exe 4476 Iamoon32.exe 2828 Ioclnblj.exe 2776 Jogeia32.exe 2296 Jhdcmf32.exe 2600 Jekpljgg.exe 4904 Kfmmajed.exe 1836 Kbkdgj32.exe 416 Mieeka32.exe 2128 Mbpfig32.exe 1152 Neeifa32.exe 2756 Nfgbec32.exe 4364 Oefamoma.exe 4636 Pblolb32.exe 2540 Pldcdhpi.exe 4424 Pfjgbapo.exe 976 Plimpg32.exe 116 Qpibke32.exe 2844 Qibfdkgh.exe 3464 Abodhpic.exe 2104 Aebjokda.exe 4876 Bcfkiock.exe 2204 Cjnoggoh.exe 2280 Copajm32.exe 4228 Dfnbbg32.exe 4932 Fmmmqnaf.exe 2404 Fakfglhm.exe 3832 Fcnlng32.exe 64 Gpjfng32.exe 1180 Hdlhoefk.exe 4456 Hfmqapcl.exe 4964 Hmginjki.exe 1276 Ipjoee32.exe 2040 Iffcgoka.exe 4984 Ipohpdbb.exe 4276 Jognokdi.exe 4132 Jddggb32.exe 1732 Kgkfil32.exe 4136 Opfedb32.exe 1132 Olmficce.exe 3512 Pijiif32.exe 3236 Pbbnbkpe.exe 1324 Qlkbka32.exe 1560 Qahkch32.exe 2484 Aehpof32.exe 3480 Ablahjhj.exe 932 Aikbpckb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bnobfn32.exe Aneppo32.exe File opened for modification C:\Windows\SysWOW64\Ncenga32.exe Mahbck32.exe File created C:\Windows\SysWOW64\Phjjdd32.dll Dhkjooqb.exe File opened for modification C:\Windows\SysWOW64\Cdkipb32.exe Cggifn32.exe File created C:\Windows\SysWOW64\Kcndda32.dll Fbkblb32.exe File created C:\Windows\SysWOW64\Ifdohl32.exe Hfklamii.exe File opened for modification C:\Windows\SysWOW64\Qocfjlan.exe Qifnaecf.exe File created C:\Windows\SysWOW64\Pfhgklao.dll Cnokhonp.exe File opened for modification C:\Windows\SysWOW64\Fbmoabde.exe Fkcgdh32.exe File created C:\Windows\SysWOW64\Kagpdenb.dll Odmgmmhf.exe File created C:\Windows\SysWOW64\Kbjkbj32.dll Jnhphg32.exe File created C:\Windows\SysWOW64\Pndhqb32.dll Ddjmkg32.exe File created C:\Windows\SysWOW64\Pfjgbapo.exe Pldcdhpi.exe File opened for modification C:\Windows\SysWOW64\Hmginjki.exe Hfmqapcl.exe File created C:\Windows\SysWOW64\Lpapiipo.exe Ligglo32.exe File opened for modification C:\Windows\SysWOW64\Odkjgm32.exe Ngkjbkem.exe File created C:\Windows\SysWOW64\Cjecjahd.exe Cooolhin.exe File opened for modification C:\Windows\SysWOW64\Dkbomgde.exe Dbgnobpg.exe File opened for modification C:\Windows\SysWOW64\Gmafjp32.exe Glpmkm32.exe File created C:\Windows\SysWOW64\Holfhfij.exe Hfaaddlo.exe File created C:\Windows\SysWOW64\Ofgbflng.dll Lmkbeg32.exe File opened for modification C:\Windows\SysWOW64\Iamoon32.exe Hmjmnpmb.exe File created C:\Windows\SysWOW64\Pblolb32.exe Oefamoma.exe File opened for modification C:\Windows\SysWOW64\Lpapiipo.exe Ligglo32.exe File created C:\Windows\SysWOW64\Eopbgf32.dll Ccbhhl32.exe File opened for modification C:\Windows\SysWOW64\Hjhfbl32.exe Gbmanj32.exe File created C:\Windows\SysWOW64\Ojnnkf32.dll Jbgmkfli.exe File created C:\Windows\SysWOW64\Mkgileqg.dll Kpnjknni.exe File created C:\Windows\SysWOW64\Mfpdcc32.dll Bideafko.exe File created C:\Windows\SysWOW64\Aegghi32.dll Fkgiea32.exe File created C:\Windows\SysWOW64\Eiijfg32.dll Lkbkkbdj.exe File opened for modification C:\Windows\SysWOW64\Dobffj32.exe Dejamdca.exe File created C:\Windows\SysWOW64\Hdhemn32.exe Hibape32.exe File created C:\Windows\SysWOW64\Pqjbkclg.dll Npnjcm32.exe File created C:\Windows\SysWOW64\Lbnibp32.dll Akiijq32.exe File created C:\Windows\SysWOW64\Egnqbobf.dll Dbqqeahl.exe File opened for modification C:\Windows\SysWOW64\Glpdecjb.exe Fipkch32.exe File created C:\Windows\SysWOW64\Ljjjqd32.dll Gmafjp32.exe File opened for modification C:\Windows\SysWOW64\Flaaok32.exe Eakdje32.exe File created C:\Windows\SysWOW64\Neeifa32.exe Mbpfig32.exe File created C:\Windows\SysWOW64\Kflono32.dll Mgpaqbcf.exe File created C:\Windows\SysWOW64\Mplapkoj.exe Miaica32.exe File created C:\Windows\SysWOW64\Fmhdcm32.dll Edqdij32.exe File opened for modification C:\Windows\SysWOW64\Phajgf32.exe Pagbklae.exe File created C:\Windows\SysWOW64\Keifneoc.exe Khdedapj.exe File created C:\Windows\SysWOW64\Khmhilbf.exe Jlfhdk32.exe File opened for modification C:\Windows\SysWOW64\Aikbpckb.exe Ablahjhj.exe File opened for modification C:\Windows\SysWOW64\Lbhojo32.exe Lmkfah32.exe File opened for modification C:\Windows\SysWOW64\Kldmmp32.exe Jfkehk32.exe File created C:\Windows\SysWOW64\Pidpnknl.dll Bllbkg32.exe File opened for modification C:\Windows\SysWOW64\Cglbanmo.exe Caojigoh.exe File created C:\Windows\SysWOW64\Oldijd32.dll Iiehjgnp.exe File created C:\Windows\SysWOW64\Dfagnn32.dll Fbnflihq.exe File opened for modification C:\Windows\SysWOW64\Nelmik32.exe Nifldj32.exe File created C:\Windows\SysWOW64\Codipmej.dll Klahof32.exe File created C:\Windows\SysWOW64\Ciaaqgdb.dll Ofhkgeij.exe File created C:\Windows\SysWOW64\Iempingp.exe Ifcimb32.exe File created C:\Windows\SysWOW64\Mchhamcl.exe Mipchg32.exe File created C:\Windows\SysWOW64\Odmgmmhf.exe Ojgbpd32.exe File created C:\Windows\SysWOW64\Nockfgao.exe Nifcnpch.exe File opened for modification C:\Windows\SysWOW64\Kjffngap.exe Kibmqond.exe File created C:\Windows\SysWOW64\Fcqidkmb.dll Iapjpd32.exe File created C:\Windows\SysWOW64\Popbqhhf.dll Aqkgikip.exe File created C:\Windows\SysWOW64\Oagpne32.exe Nhheepbk.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkmbbajb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgkfil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oapaicmk.dll" Fojenfeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndfgdmpi.dll" Hbhjqp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dobffj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edqdij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfnpacjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knagdd32.dll" Ndjldo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mceccbpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaqhdmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilhkcmib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfmmajed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkbkna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njkiaa32.dll" Mmfalimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkqjp32.dll" Epfflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhngp32.dll" Iikmlnae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mocloa32.dll" Fmgecn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bddcocff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ighfkpji.dll" Eqiilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flaaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlfkdnlg.dll" Hdlhoefk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djgkbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phjjdd32.dll" Dhkjooqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gepmno32.dll" Fcnlng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocjgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpjgjefj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jejbba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeofojm.dll" Gejhol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jogeia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkbkkbdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilepmjdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egnhnkmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hibape32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hchqlqpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkbbn32.dll" Kbkdgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmohhoj.dll" Efnennjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mchhamcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojgbpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdhibn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhndepbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Higjkehf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnfiapfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Locgljca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aokceaoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejklfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efafqolp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndbjd32.dll" Eohcon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjhfbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmefiakh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgkmid32.dll" Lqfnqjpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchebfmg.dll" Acnjbpdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejlmppha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baekjn32.dll" Hodgei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kojdflkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnhknj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbhafgpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epfflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dehchiqm.dll" Flaaok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dehkbkip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dafbhkhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llemnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omjhgoco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjflabfj.dll" Hnokeqll.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1680 wrote to memory of 3276 1680 NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe 91 PID 1680 wrote to memory of 3276 1680 NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe 91 PID 1680 wrote to memory of 3276 1680 NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe 91 PID 3276 wrote to memory of 396 3276 Kbinlp32.exe 92 PID 3276 wrote to memory of 396 3276 Kbinlp32.exe 92 PID 3276 wrote to memory of 396 3276 Kbinlp32.exe 92 PID 396 wrote to memory of 3016 396 Lmkbeg32.exe 93 PID 396 wrote to memory of 3016 396 Lmkbeg32.exe 93 PID 396 wrote to memory of 3016 396 Lmkbeg32.exe 93 PID 3016 wrote to memory of 1696 3016 Mminfech.exe 94 PID 3016 wrote to memory of 1696 3016 Mminfech.exe 94 PID 3016 wrote to memory of 1696 3016 Mminfech.exe 94 PID 1696 wrote to memory of 4644 1696 Ndjldo32.exe 95 PID 1696 wrote to memory of 4644 1696 Ndjldo32.exe 95 PID 1696 wrote to memory of 4644 1696 Ndjldo32.exe 95 PID 4644 wrote to memory of 2664 4644 Olgnnqpe.exe 96 PID 4644 wrote to memory of 2664 4644 Olgnnqpe.exe 96 PID 4644 wrote to memory of 2664 4644 Olgnnqpe.exe 96 PID 2664 wrote to memory of 3392 2664 Ofooqinh.exe 97 PID 2664 wrote to memory of 3392 2664 Ofooqinh.exe 97 PID 2664 wrote to memory of 3392 2664 Ofooqinh.exe 97 PID 3392 wrote to memory of 1708 3392 Omkdcccb.exe 98 PID 3392 wrote to memory of 1708 3392 Omkdcccb.exe 98 PID 3392 wrote to memory of 1708 3392 Omkdcccb.exe 98 PID 1708 wrote to memory of 4412 1708 Pmefiakh.exe 99 PID 1708 wrote to memory of 4412 1708 Pmefiakh.exe 99 PID 1708 wrote to memory of 4412 1708 Pmefiakh.exe 99 PID 4412 wrote to memory of 1880 4412 Ppepkmhi.exe 101 PID 4412 wrote to memory of 1880 4412 Ppepkmhi.exe 101 PID 4412 wrote to memory of 1880 4412 Ppepkmhi.exe 101 PID 1880 wrote to memory of 876 1880 Qciebg32.exe 102 PID 1880 wrote to memory of 876 1880 Qciebg32.exe 102 PID 1880 wrote to memory of 876 1880 Qciebg32.exe 102 PID 876 wrote to memory of 4268 876 Aneppo32.exe 104 PID 876 wrote to memory of 4268 876 Aneppo32.exe 104 PID 876 wrote to memory of 4268 876 Aneppo32.exe 104 PID 4268 wrote to memory of 2992 4268 Bnobfn32.exe 105 PID 4268 wrote to memory of 2992 4268 Bnobfn32.exe 105 PID 4268 wrote to memory of 2992 4268 Bnobfn32.exe 105 PID 2992 wrote to memory of 2392 2992 Bdmdng32.exe 106 PID 2992 wrote to memory of 2392 2992 Bdmdng32.exe 106 PID 2992 wrote to memory of 2392 2992 Bdmdng32.exe 106 PID 2392 wrote to memory of 1536 2392 Dmiaig32.exe 107 PID 2392 wrote to memory of 1536 2392 Dmiaig32.exe 107 PID 2392 wrote to memory of 1536 2392 Dmiaig32.exe 107 PID 1536 wrote to memory of 4232 1536 Eakdje32.exe 108 PID 1536 wrote to memory of 4232 1536 Eakdje32.exe 108 PID 1536 wrote to memory of 4232 1536 Eakdje32.exe 108 PID 4232 wrote to memory of 3496 4232 Flaaok32.exe 109 PID 4232 wrote to memory of 3496 4232 Flaaok32.exe 109 PID 4232 wrote to memory of 3496 4232 Flaaok32.exe 109 PID 3496 wrote to memory of 1084 3496 Gkbnkfei.exe 110 PID 3496 wrote to memory of 1084 3496 Gkbnkfei.exe 110 PID 3496 wrote to memory of 1084 3496 Gkbnkfei.exe 110 PID 1084 wrote to memory of 4476 1084 Hmjmnpmb.exe 111 PID 1084 wrote to memory of 4476 1084 Hmjmnpmb.exe 111 PID 1084 wrote to memory of 4476 1084 Hmjmnpmb.exe 111 PID 4476 wrote to memory of 2828 4476 Iamoon32.exe 112 PID 4476 wrote to memory of 2828 4476 Iamoon32.exe 112 PID 4476 wrote to memory of 2828 4476 Iamoon32.exe 112 PID 2828 wrote to memory of 2776 2828 Ioclnblj.exe 113 PID 2828 wrote to memory of 2776 2828 Ioclnblj.exe 113 PID 2828 wrote to memory of 2776 2828 Ioclnblj.exe 113 PID 2776 wrote to memory of 2296 2776 Jogeia32.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.35f054dcd20f3fdf518084a101d7b9a0_JC.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Kbinlp32.exeC:\Windows\system32\Kbinlp32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Lmkbeg32.exeC:\Windows\system32\Lmkbeg32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Mminfech.exeC:\Windows\system32\Mminfech.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Ndjldo32.exeC:\Windows\system32\Ndjldo32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Olgnnqpe.exeC:\Windows\system32\Olgnnqpe.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\SysWOW64\Ofooqinh.exeC:\Windows\system32\Ofooqinh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Omkdcccb.exeC:\Windows\system32\Omkdcccb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Windows\SysWOW64\Pmefiakh.exeC:\Windows\system32\Pmefiakh.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Ppepkmhi.exeC:\Windows\system32\Ppepkmhi.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Qciebg32.exeC:\Windows\system32\Qciebg32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Aneppo32.exeC:\Windows\system32\Aneppo32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Bnobfn32.exeC:\Windows\system32\Bnobfn32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Bdmdng32.exeC:\Windows\system32\Bdmdng32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Dmiaig32.exeC:\Windows\system32\Dmiaig32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Eakdje32.exeC:\Windows\system32\Eakdje32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Flaaok32.exeC:\Windows\system32\Flaaok32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Windows\SysWOW64\Gkbnkfei.exeC:\Windows\system32\Gkbnkfei.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Hmjmnpmb.exeC:\Windows\system32\Hmjmnpmb.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Iamoon32.exeC:\Windows\system32\Iamoon32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Ioclnblj.exeC:\Windows\system32\Ioclnblj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Jogeia32.exeC:\Windows\system32\Jogeia32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Jhdcmf32.exeC:\Windows\system32\Jhdcmf32.exe23⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Jekpljgg.exeC:\Windows\system32\Jekpljgg.exe24⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Kfmmajed.exeC:\Windows\system32\Kfmmajed.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:4904 -
C:\Windows\SysWOW64\Kbkdgj32.exeC:\Windows\system32\Kbkdgj32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Mieeka32.exeC:\Windows\system32\Mieeka32.exe27⤵
- Executes dropped EXE
PID:416 -
C:\Windows\SysWOW64\Mbpfig32.exeC:\Windows\system32\Mbpfig32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Neeifa32.exeC:\Windows\system32\Neeifa32.exe29⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Nfgbec32.exeC:\Windows\system32\Nfgbec32.exe30⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Oefamoma.exeC:\Windows\system32\Oefamoma.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4364 -
C:\Windows\SysWOW64\Pblolb32.exeC:\Windows\system32\Pblolb32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Pldcdhpi.exeC:\Windows\system32\Pldcdhpi.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Pfjgbapo.exeC:\Windows\system32\Pfjgbapo.exe34⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Plimpg32.exeC:\Windows\system32\Plimpg32.exe35⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Qpibke32.exeC:\Windows\system32\Qpibke32.exe36⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Qibfdkgh.exeC:\Windows\system32\Qibfdkgh.exe37⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Abodhpic.exeC:\Windows\system32\Abodhpic.exe38⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Aebjokda.exeC:\Windows\system32\Aebjokda.exe39⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Bcfkiock.exeC:\Windows\system32\Bcfkiock.exe40⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Cjnoggoh.exeC:\Windows\system32\Cjnoggoh.exe41⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Copajm32.exeC:\Windows\system32\Copajm32.exe42⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Dfnbbg32.exeC:\Windows\system32\Dfnbbg32.exe43⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Fmmmqnaf.exeC:\Windows\system32\Fmmmqnaf.exe44⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Fakfglhm.exeC:\Windows\system32\Fakfglhm.exe45⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Fcnlng32.exeC:\Windows\system32\Fcnlng32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:3832 -
C:\Windows\SysWOW64\Gpjfng32.exeC:\Windows\system32\Gpjfng32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Hdlhoefk.exeC:\Windows\system32\Hdlhoefk.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1180 -
C:\Windows\SysWOW64\Hfmqapcl.exeC:\Windows\system32\Hfmqapcl.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4456 -
C:\Windows\SysWOW64\Hmginjki.exeC:\Windows\system32\Hmginjki.exe50⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Ipjoee32.exeC:\Windows\system32\Ipjoee32.exe51⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Iffcgoka.exeC:\Windows\system32\Iffcgoka.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Ipohpdbb.exeC:\Windows\system32\Ipohpdbb.exe53⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Jognokdi.exeC:\Windows\system32\Jognokdi.exe54⤵
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\Jddggb32.exeC:\Windows\system32\Jddggb32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Kgkfil32.exeC:\Windows\system32\Kgkfil32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Opfedb32.exeC:\Windows\system32\Opfedb32.exe57⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Olmficce.exeC:\Windows\system32\Olmficce.exe58⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Pijiif32.exeC:\Windows\system32\Pijiif32.exe59⤵
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\Pbbnbkpe.exeC:\Windows\system32\Pbbnbkpe.exe60⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Qlkbka32.exeC:\Windows\system32\Qlkbka32.exe61⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Qahkch32.exeC:\Windows\system32\Qahkch32.exe62⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Aehpof32.exeC:\Windows\system32\Aehpof32.exe63⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Ablahjhj.exeC:\Windows\system32\Ablahjhj.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3480 -
C:\Windows\SysWOW64\Aikbpckb.exeC:\Windows\system32\Aikbpckb.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Aogkhjii.exeC:\Windows\system32\Aogkhjii.exe66⤵PID:2012
-
C:\Windows\SysWOW64\Bammeebe.exeC:\Windows\system32\Bammeebe.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2896 -
C:\Windows\SysWOW64\Chphhn32.exeC:\Windows\system32\Chphhn32.exe68⤵PID:4592
-
C:\Windows\SysWOW64\Cediab32.exeC:\Windows\system32\Cediab32.exe69⤵PID:3272
-
C:\Windows\SysWOW64\Djgkbp32.exeC:\Windows\system32\Djgkbp32.exe70⤵
- Modifies registry class
PID:4420 -
C:\Windows\SysWOW64\Dpemjifi.exeC:\Windows\system32\Dpemjifi.exe71⤵PID:3384
-
C:\Windows\SysWOW64\Dllmoj32.exeC:\Windows\system32\Dllmoj32.exe72⤵PID:488
-
C:\Windows\SysWOW64\Ejbknnid.exeC:\Windows\system32\Ejbknnid.exe73⤵PID:1640
-
C:\Windows\SysWOW64\Efnennjc.exeC:\Windows\system32\Efnennjc.exe74⤵
- Modifies registry class
PID:3884 -
C:\Windows\SysWOW64\Godehbed.exeC:\Windows\system32\Godehbed.exe75⤵PID:408
-
C:\Windows\SysWOW64\Gfnnel32.exeC:\Windows\system32\Gfnnel32.exe76⤵PID:4484
-
C:\Windows\SysWOW64\Hpbajp32.exeC:\Windows\system32\Hpbajp32.exe77⤵PID:1472
-
C:\Windows\SysWOW64\Ibmmbj32.exeC:\Windows\system32\Ibmmbj32.exe78⤵PID:4724
-
C:\Windows\SysWOW64\Jidbpa32.exeC:\Windows\system32\Jidbpa32.exe79⤵PID:5136
-
C:\Windows\SysWOW64\Kfhbifgq.exeC:\Windows\system32\Kfhbifgq.exe80⤵PID:5176
-
C:\Windows\SysWOW64\Kanffogf.exeC:\Windows\system32\Kanffogf.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5224 -
C:\Windows\SysWOW64\Lkbkkbdj.exeC:\Windows\system32\Lkbkkbdj.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:5268 -
C:\Windows\SysWOW64\Ligglo32.exeC:\Windows\system32\Ligglo32.exe83⤵
- Drops file in System32 directory
PID:5308 -
C:\Windows\SysWOW64\Lpapiipo.exeC:\Windows\system32\Lpapiipo.exe84⤵PID:5352
-
C:\Windows\SysWOW64\Mgpaqbcf.exeC:\Windows\system32\Mgpaqbcf.exe85⤵
- Drops file in System32 directory
PID:5396 -
C:\Windows\SysWOW64\Mahbck32.exeC:\Windows\system32\Mahbck32.exe86⤵
- Drops file in System32 directory
PID:5436 -
C:\Windows\SysWOW64\Ncenga32.exeC:\Windows\system32\Ncenga32.exe87⤵PID:5488
-
C:\Windows\SysWOW64\Onhoehpp.exeC:\Windows\system32\Onhoehpp.exe88⤵PID:5584
-
C:\Windows\SysWOW64\Pcagjndj.exeC:\Windows\system32\Pcagjndj.exe89⤵PID:5636
-
C:\Windows\SysWOW64\Qnfkgfdp.exeC:\Windows\system32\Qnfkgfdp.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5760 -
C:\Windows\SysWOW64\Aalndaml.exeC:\Windows\system32\Aalndaml.exe91⤵PID:5980
-
C:\Windows\SysWOW64\Baocpnmf.exeC:\Windows\system32\Baocpnmf.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6020 -
C:\Windows\SysWOW64\Caapfnkd.exeC:\Windows\system32\Caapfnkd.exe93⤵PID:6096
-
C:\Windows\SysWOW64\Ckladcoa.exeC:\Windows\system32\Ckladcoa.exe94⤵PID:6132
-
C:\Windows\SysWOW64\Cddemi32.exeC:\Windows\system32\Cddemi32.exe95⤵PID:5144
-
C:\Windows\SysWOW64\Cahffmel.exeC:\Windows\system32\Cahffmel.exe96⤵PID:948
-
C:\Windows\SysWOW64\Clmjcfdb.exeC:\Windows\system32\Clmjcfdb.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5296 -
C:\Windows\SysWOW64\Dehkbkip.exeC:\Windows\system32\Dehkbkip.exe98⤵
- Modifies registry class
PID:5364 -
C:\Windows\SysWOW64\Dkedjbgg.exeC:\Windows\system32\Dkedjbgg.exe99⤵PID:5444
-
C:\Windows\SysWOW64\Dldpde32.exeC:\Windows\system32\Dldpde32.exe100⤵PID:5484
-
C:\Windows\SysWOW64\Dboiaoff.exeC:\Windows\system32\Dboiaoff.exe101⤵PID:5512
-
C:\Windows\SysWOW64\Dafbhkhl.exeC:\Windows\system32\Dafbhkhl.exe102⤵
- Modifies registry class
PID:5544 -
C:\Windows\SysWOW64\Elkfed32.exeC:\Windows\system32\Elkfed32.exe103⤵PID:4644
-
C:\Windows\SysWOW64\Eaklcj32.exeC:\Windows\system32\Eaklcj32.exe104⤵PID:4300
-
C:\Windows\SysWOW64\Ehgqed32.exeC:\Windows\system32\Ehgqed32.exe105⤵PID:3240
-
C:\Windows\SysWOW64\Fdbked32.exeC:\Windows\system32\Fdbked32.exe106⤵PID:5696
-
C:\Windows\SysWOW64\Fohobmke.exeC:\Windows\system32\Fohobmke.exe107⤵PID:5740
-
C:\Windows\SysWOW64\Ffdddg32.exeC:\Windows\system32\Ffdddg32.exe108⤵PID:5028
-
C:\Windows\SysWOW64\Fkalmn32.exeC:\Windows\system32\Fkalmn32.exe109⤵PID:5820
-
C:\Windows\SysWOW64\Ghlcga32.exeC:\Windows\system32\Ghlcga32.exe110⤵PID:5928
-
C:\Windows\SysWOW64\Gfbpfedp.exeC:\Windows\system32\Gfbpfedp.exe111⤵PID:5792
-
C:\Windows\SysWOW64\Gokdoj32.exeC:\Windows\system32\Gokdoj32.exe112⤵PID:6040
-
C:\Windows\SysWOW64\Hkdbik32.exeC:\Windows\system32\Hkdbik32.exe113⤵PID:6088
-
C:\Windows\SysWOW64\Hbnjfefo.exeC:\Windows\system32\Hbnjfefo.exe114⤵PID:5128
-
C:\Windows\SysWOW64\Hodgei32.exeC:\Windows\system32\Hodgei32.exe115⤵
- Modifies registry class
PID:5860 -
C:\Windows\SysWOW64\Hfnpacjb.exeC:\Windows\system32\Hfnpacjb.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5292 -
C:\Windows\SysWOW64\Ipiaphop.exeC:\Windows\system32\Ipiaphop.exe117⤵PID:5404
-
C:\Windows\SysWOW64\Ifcimb32.exeC:\Windows\system32\Ifcimb32.exe118⤵
- Drops file in System32 directory
PID:936 -
C:\Windows\SysWOW64\Iempingp.exeC:\Windows\system32\Iempingp.exe119⤵PID:5564
-
C:\Windows\SysWOW64\Jecejm32.exeC:\Windows\system32\Jecejm32.exe120⤵PID:4648
-
C:\Windows\SysWOW64\Kfoapo32.exeC:\Windows\system32\Kfoapo32.exe121⤵PID:2664
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-