Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
03/11/2023, 08:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.1cf9567443224eb6478ea16c6b7d5940.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.1cf9567443224eb6478ea16c6b7d5940.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.1cf9567443224eb6478ea16c6b7d5940.exe
-
Size
314KB
-
MD5
1cf9567443224eb6478ea16c6b7d5940
-
SHA1
5b6c264f3c1e2c578f090f9899bf993f7a7f14ef
-
SHA256
5eabd342a661e1b87fe4e4ace1c5a3aa83d5621267df766e3e11e2c2f4de48c3
-
SHA512
1ead5c842d42ec845647aab8a5d781521e6f9febcc38f9ab131ae211679131ea097f1b9cadfe47ff9e9ac2b8d7426a7fe72d1035cebcf4a79b89b6fa9e19ba89
-
SSDEEP
6144:Eo9Nz2yHC0Oj6MB8MhjwszeXmr8SeNpgdyuH1lFDjC:fc6Najb87gP3C
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lalchm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nockfgao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiglen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhnichde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kepdfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omldnfkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eelifc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeemop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdfjcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgdodq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njceqili.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emniheha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpfjfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbkncd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiefmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfchcijo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nahdapae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdpgen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcoepkdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndomiddc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lejngd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fljlom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idbfhiko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Capbaacl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpofbobf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eimelg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkncd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmhejk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqigee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkjhif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkkjfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leenanik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hginoiic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pihdnloc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abkjnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oblmnmjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifcimb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgnqafgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jafaem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgdklb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdmpljlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnpcjplf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meadgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjgncihp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jklihbol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mikjmhaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leenanik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcbngeqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jglkkiea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjhonp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hchihhng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmecba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpopbepi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djaipe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkiiee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djhifnho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edmjpoli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdllhdco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okiefn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfpcngdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnokeqll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpnbmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gneaelqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkiiee32.exe -
Executes dropped EXE 64 IoCs
pid Process 4524 Jeapcq32.exe 5088 Mcoljagj.exe 4480 Mjpjgj32.exe 3676 Nmfmde32.exe 1648 Nbebbk32.exe 1352 Ojnfihmo.exe 4648 Ocgkan32.exe 4404 Oifppdpd.exe 2940 Oqoefand.exe 5100 Pakdbp32.exe 4220 Qcnjijoe.exe 4752 Cgfbbb32.exe 1548 Dpopbepi.exe 4592 Ephbhd32.exe 1136 Egegjn32.exe 3656 Gqpapacd.exe 220 Gndbie32.exe 1044 Hchqbkkm.exe 804 Iholohii.exe 808 Kkpnga32.exe 2240 Lhmafcnf.exe 4424 Mcoepkdo.exe 1824 Mlifnphl.exe 4492 Nkeipk32.exe 884 Ofdqcc32.exe 4200 Pkklbh32.exe 4496 Pkmhgh32.exe 660 Apddce32.exe 3044 Aimhmkgn.exe 4520 Bbalaoda.exe 4544 Cmmgof32.exe 4396 Cbaehl32.exe 3896 Dbcbnlcl.exe 924 Ecanojgl.exe 3100 Egpgehnb.exe 2700 Feimadoe.exe 940 Fncbha32.exe 3248 Fljlom32.exe 1812 Gfemmb32.exe 4588 Gjhonp32.exe 4976 Gdmcki32.exe 4060 Hnmnengg.exe 4032 Ijonfmbn.exe 208 Jglaepim.exe 4540 Kccbjq32.exe 1172 Keekjc32.exe 4100 Knpmhh32.exe 3240 Laglkb32.exe 1456 Lkppchfi.exe 1780 Lajhpbme.exe 1828 Malefbkc.exe 3752 Mopeofjl.exe 2760 Mkicjgnn.exe 404 Nahdapae.exe 2880 Nolekd32.exe 1924 Namnmp32.exe 3024 Oafacn32.exe 4388 Ogcike32.exe 4172 Pfkpiled.exe 2796 Pnknim32.exe 3968 Bichcc32.exe 3596 Beobcdoi.exe 3332 Bpdfpmoo.exe 5024 Cbglgg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pedlpgqe.exe Pkngco32.exe File created C:\Windows\SysWOW64\Gfdcpb32.dll Gqpapacd.exe File created C:\Windows\SysWOW64\Nfeepdbg.exe Nlpabkba.exe File created C:\Windows\SysWOW64\Ampojimo.exe Abjkmqni.exe File created C:\Windows\SysWOW64\Fdepaa32.exe Fipkch32.exe File created C:\Windows\SysWOW64\Nddkaddm.exe Nnjbdj32.exe File created C:\Windows\SysWOW64\Bfcompnj.exe Bebbeh32.exe File opened for modification C:\Windows\SysWOW64\Poliog32.exe Poimigfm.exe File created C:\Windows\SysWOW64\Kbbodn32.dll Aaflag32.exe File created C:\Windows\SysWOW64\Dfnmfoil.dll Pkbjchio.exe File opened for modification C:\Windows\SysWOW64\Oifppdpd.exe Ocgkan32.exe File created C:\Windows\SysWOW64\Nkeipk32.exe Mlifnphl.exe File opened for modification C:\Windows\SysWOW64\Lnfngj32.exe Lhgiic32.exe File created C:\Windows\SysWOW64\Blakhgoo.exe Adapqk32.exe File created C:\Windows\SysWOW64\Khaahimc.dll Ogifci32.exe File created C:\Windows\SysWOW64\Pjkagnii.dll Nhpbpepo.exe File opened for modification C:\Windows\SysWOW64\Lalchm32.exe Lmnjan32.exe File created C:\Windows\SysWOW64\Gejkgg32.dll Dodbkiho.exe File created C:\Windows\SysWOW64\Kdeejq32.dll Fmnkdm32.exe File created C:\Windows\SysWOW64\Ccoolcnf.dll Ikpjkf32.exe File opened for modification C:\Windows\SysWOW64\Bidefbcg.exe Bplammmf.exe File created C:\Windows\SysWOW64\Ddakdqff.exe Dodbkiho.exe File created C:\Windows\SysWOW64\Epokojbg.exe Eidbbp32.exe File created C:\Windows\SysWOW64\Pkngco32.exe Pimkkfka.exe File created C:\Windows\SysWOW64\Jqhaolli.exe Jkligd32.exe File opened for modification C:\Windows\SysWOW64\Lnadkmhj.exe Lclpmdhd.exe File opened for modification C:\Windows\SysWOW64\Ehkcgkdj.exe Eoconenj.exe File opened for modification C:\Windows\SysWOW64\Kpnepk32.exe Kcgekjgp.exe File created C:\Windows\SysWOW64\Bicbje32.dll Ladhkmno.exe File opened for modification C:\Windows\SysWOW64\Edmjpoli.exe Eopbghnb.exe File opened for modification C:\Windows\SysWOW64\Nockfgao.exe Nekgna32.exe File created C:\Windows\SysWOW64\Fihfgc32.dll Oblmnmjl.exe File created C:\Windows\SysWOW64\Kjdjhgdb.exe Kkomgkoj.exe File created C:\Windows\SysWOW64\Liecmlno.exe Lnpopcni.exe File opened for modification C:\Windows\SysWOW64\Bplammmf.exe Bajqpe32.exe File opened for modification C:\Windows\SysWOW64\Pdfjcl32.exe Pnlafaio.exe File created C:\Windows\SysWOW64\Jgmnjncm.dll Gempqo32.exe File created C:\Windows\SysWOW64\Pgdodq32.exe Ppjghgdg.exe File created C:\Windows\SysWOW64\Hdkqcp32.dll Bfqkmj32.exe File opened for modification C:\Windows\SysWOW64\Jjhjli32.exe Jqpfccgo.exe File created C:\Windows\SysWOW64\Kfdqfbai.dll Ejglcq32.exe File created C:\Windows\SysWOW64\Bnppim32.exe Bmpcpjcd.exe File created C:\Windows\SysWOW64\Bqfokblg.exe Bfqkmj32.exe File created C:\Windows\SysWOW64\Jehejalg.dll Dcnqid32.exe File created C:\Windows\SysWOW64\Bichcc32.exe Pnknim32.exe File created C:\Windows\SysWOW64\Modgbakp.dll Kjlcmdbb.exe File opened for modification C:\Windows\SysWOW64\Lmcldhfp.exe Lbnggpfj.exe File created C:\Windows\SysWOW64\Nkieab32.exe Nihiiimi.exe File created C:\Windows\SysWOW64\Ikqqfm32.exe Ibhlmgdj.exe File created C:\Windows\SysWOW64\Combgh32.exe Bjpjoa32.exe File opened for modification C:\Windows\SysWOW64\Nmfmde32.exe Mjpjgj32.exe File created C:\Windows\SysWOW64\Nlpabkba.exe Nilkkq32.exe File created C:\Windows\SysWOW64\Peddhb32.exe Obdkfg32.exe File created C:\Windows\SysWOW64\Bgckgcem.exe Baickimp.exe File opened for modification C:\Windows\SysWOW64\Lfjjqg32.exe Lejngd32.exe File created C:\Windows\SysWOW64\Eidbbp32.exe Eainnn32.exe File created C:\Windows\SysWOW64\Fbqiak32.exe Fkiapn32.exe File created C:\Windows\SysWOW64\Pfmdgq32.exe Pihdnloc.exe File created C:\Windows\SysWOW64\Fmnkdm32.exe Fmlnomif.exe File created C:\Windows\SysWOW64\Klmane32.dll Jnhphg32.exe File opened for modification C:\Windows\SysWOW64\Nldhpeop.exe Nejpckgc.exe File created C:\Windows\SysWOW64\Nmmjai32.dll Aeaagoaj.exe File created C:\Windows\SysWOW64\Gajbofac.dll Cenaaf32.exe File created C:\Windows\SysWOW64\Ekdolcbm.exe Epokojbg.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbcbnlcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfmdgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjkpio32.dll" Opongobp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkligd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljhbbae.dll" Oifppdpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbalaoda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nocdpece.dll" Ngbpbjoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfdkm32.dll" Pdfjcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepfhl32.dll" Fncbha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkpeom32.dll" Mkicjgnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnjkoaj.dll" Dncnnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafkbh32.dll" Kpgfhddn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnffjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biojkf32.dll" Obafim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppemkhaa.dll" Bjpjoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbkncd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfodmdni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmecba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhiapi32.dll" Bomknp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfnnel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgccccec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daiodkff.dll" Njceqili.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkghqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckmmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjnoggoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hckgenae.dll" Kkelmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmenne32.dll" Npedfjfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epdaneff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmkbk32.dll" Hgdlcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpnepk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjfedcil.dll" Ifcimb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noehlgol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmaikcmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljmmnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID NEAS.1cf9567443224eb6478ea16c6b7d5940.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lboeknkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qohghlnd.dll" Mphoob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qqfmnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmbfiokn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phobaibg.dll" Agmmnnpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgfbbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gicogo32.dll" Gkmlilej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aepklffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hienee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ladhkmno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhhpfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkoiqjdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbcohl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maggggaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldjbbc32.dll" Nejpckgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijjie32.dll" Poggnnkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phddbbnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fimonh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egegjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pabknbef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpdkol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popjdqhl.dll" Bjgncihp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pakdbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agkgceeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnoalehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edngdafi.dll" Goconkah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbmbgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihlechfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfkecd32.dll" Ppjghgdg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3492 wrote to memory of 4524 3492 NEAS.1cf9567443224eb6478ea16c6b7d5940.exe 93 PID 3492 wrote to memory of 4524 3492 NEAS.1cf9567443224eb6478ea16c6b7d5940.exe 93 PID 3492 wrote to memory of 4524 3492 NEAS.1cf9567443224eb6478ea16c6b7d5940.exe 93 PID 4524 wrote to memory of 5088 4524 Jeapcq32.exe 94 PID 4524 wrote to memory of 5088 4524 Jeapcq32.exe 94 PID 4524 wrote to memory of 5088 4524 Jeapcq32.exe 94 PID 5088 wrote to memory of 4480 5088 Mcoljagj.exe 95 PID 5088 wrote to memory of 4480 5088 Mcoljagj.exe 95 PID 5088 wrote to memory of 4480 5088 Mcoljagj.exe 95 PID 4480 wrote to memory of 3676 4480 Mjpjgj32.exe 96 PID 4480 wrote to memory of 3676 4480 Mjpjgj32.exe 96 PID 4480 wrote to memory of 3676 4480 Mjpjgj32.exe 96 PID 3676 wrote to memory of 1648 3676 Nmfmde32.exe 97 PID 3676 wrote to memory of 1648 3676 Nmfmde32.exe 97 PID 3676 wrote to memory of 1648 3676 Nmfmde32.exe 97 PID 1648 wrote to memory of 1352 1648 Nbebbk32.exe 98 PID 1648 wrote to memory of 1352 1648 Nbebbk32.exe 98 PID 1648 wrote to memory of 1352 1648 Nbebbk32.exe 98 PID 1352 wrote to memory of 4648 1352 Ojnfihmo.exe 99 PID 1352 wrote to memory of 4648 1352 Ojnfihmo.exe 99 PID 1352 wrote to memory of 4648 1352 Ojnfihmo.exe 99 PID 4648 wrote to memory of 4404 4648 Ocgkan32.exe 100 PID 4648 wrote to memory of 4404 4648 Ocgkan32.exe 100 PID 4648 wrote to memory of 4404 4648 Ocgkan32.exe 100 PID 4404 wrote to memory of 2940 4404 Oifppdpd.exe 101 PID 4404 wrote to memory of 2940 4404 Oifppdpd.exe 101 PID 4404 wrote to memory of 2940 4404 Oifppdpd.exe 101 PID 2940 wrote to memory of 5100 2940 Oqoefand.exe 102 PID 2940 wrote to memory of 5100 2940 Oqoefand.exe 102 PID 2940 wrote to memory of 5100 2940 Oqoefand.exe 102 PID 5100 wrote to memory of 4220 5100 Pakdbp32.exe 103 PID 5100 wrote to memory of 4220 5100 Pakdbp32.exe 103 PID 5100 wrote to memory of 4220 5100 Pakdbp32.exe 103 PID 4220 wrote to memory of 4752 4220 Qcnjijoe.exe 104 PID 4220 wrote to memory of 4752 4220 Qcnjijoe.exe 104 PID 4220 wrote to memory of 4752 4220 Qcnjijoe.exe 104 PID 4752 wrote to memory of 1548 4752 Cgfbbb32.exe 105 PID 4752 wrote to memory of 1548 4752 Cgfbbb32.exe 105 PID 4752 wrote to memory of 1548 4752 Cgfbbb32.exe 105 PID 1548 wrote to memory of 4592 1548 Dpopbepi.exe 106 PID 1548 wrote to memory of 4592 1548 Dpopbepi.exe 106 PID 1548 wrote to memory of 4592 1548 Dpopbepi.exe 106 PID 4592 wrote to memory of 1136 4592 Ephbhd32.exe 107 PID 4592 wrote to memory of 1136 4592 Ephbhd32.exe 107 PID 4592 wrote to memory of 1136 4592 Ephbhd32.exe 107 PID 1136 wrote to memory of 3656 1136 Egegjn32.exe 108 PID 1136 wrote to memory of 3656 1136 Egegjn32.exe 108 PID 1136 wrote to memory of 3656 1136 Egegjn32.exe 108 PID 3656 wrote to memory of 220 3656 Gqpapacd.exe 109 PID 3656 wrote to memory of 220 3656 Gqpapacd.exe 109 PID 3656 wrote to memory of 220 3656 Gqpapacd.exe 109 PID 220 wrote to memory of 1044 220 Gndbie32.exe 110 PID 220 wrote to memory of 1044 220 Gndbie32.exe 110 PID 220 wrote to memory of 1044 220 Gndbie32.exe 110 PID 1044 wrote to memory of 804 1044 Hchqbkkm.exe 111 PID 1044 wrote to memory of 804 1044 Hchqbkkm.exe 111 PID 1044 wrote to memory of 804 1044 Hchqbkkm.exe 111 PID 804 wrote to memory of 808 804 Iholohii.exe 112 PID 804 wrote to memory of 808 804 Iholohii.exe 112 PID 804 wrote to memory of 808 804 Iholohii.exe 112 PID 808 wrote to memory of 2240 808 Kkpnga32.exe 113 PID 808 wrote to memory of 2240 808 Kkpnga32.exe 113 PID 808 wrote to memory of 2240 808 Kkpnga32.exe 113 PID 2240 wrote to memory of 4424 2240 Lhmafcnf.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.1cf9567443224eb6478ea16c6b7d5940.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.1cf9567443224eb6478ea16c6b7d5940.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\SysWOW64\Jeapcq32.exeC:\Windows\system32\Jeapcq32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Mcoljagj.exeC:\Windows\system32\Mcoljagj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\Mjpjgj32.exeC:\Windows\system32\Mjpjgj32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Nmfmde32.exeC:\Windows\system32\Nmfmde32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Nbebbk32.exeC:\Windows\system32\Nbebbk32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Ojnfihmo.exeC:\Windows\system32\Ojnfihmo.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\Ocgkan32.exeC:\Windows\system32\Ocgkan32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\Oifppdpd.exeC:\Windows\system32\Oifppdpd.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\Oqoefand.exeC:\Windows\system32\Oqoefand.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Pakdbp32.exeC:\Windows\system32\Pakdbp32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\Qcnjijoe.exeC:\Windows\system32\Qcnjijoe.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\Cgfbbb32.exeC:\Windows\system32\Cgfbbb32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Dpopbepi.exeC:\Windows\system32\Dpopbepi.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Ephbhd32.exeC:\Windows\system32\Ephbhd32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Egegjn32.exeC:\Windows\system32\Egegjn32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Gqpapacd.exeC:\Windows\system32\Gqpapacd.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Gndbie32.exeC:\Windows\system32\Gndbie32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Hchqbkkm.exeC:\Windows\system32\Hchqbkkm.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Iholohii.exeC:\Windows\system32\Iholohii.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Kkpnga32.exeC:\Windows\system32\Kkpnga32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Lhmafcnf.exeC:\Windows\system32\Lhmafcnf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Mcoepkdo.exeC:\Windows\system32\Mcoepkdo.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Mlifnphl.exeC:\Windows\system32\Mlifnphl.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\Nkeipk32.exeC:\Windows\system32\Nkeipk32.exe25⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Ofdqcc32.exeC:\Windows\system32\Ofdqcc32.exe26⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Pkklbh32.exeC:\Windows\system32\Pkklbh32.exe27⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Pkmhgh32.exeC:\Windows\system32\Pkmhgh32.exe28⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Apddce32.exeC:\Windows\system32\Apddce32.exe29⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Aimhmkgn.exeC:\Windows\system32\Aimhmkgn.exe30⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Bbalaoda.exeC:\Windows\system32\Bbalaoda.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:4520 -
C:\Windows\SysWOW64\Cmmgof32.exeC:\Windows\system32\Cmmgof32.exe32⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Cbaehl32.exeC:\Windows\system32\Cbaehl32.exe33⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Dbcbnlcl.exeC:\Windows\system32\Dbcbnlcl.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:3896 -
C:\Windows\SysWOW64\Ecanojgl.exeC:\Windows\system32\Ecanojgl.exe35⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Egpgehnb.exeC:\Windows\system32\Egpgehnb.exe36⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Feimadoe.exeC:\Windows\system32\Feimadoe.exe37⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Fncbha32.exeC:\Windows\system32\Fncbha32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Fljlom32.exeC:\Windows\system32\Fljlom32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Gfemmb32.exeC:\Windows\system32\Gfemmb32.exe40⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Gjhonp32.exeC:\Windows\system32\Gjhonp32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Gdmcki32.exeC:\Windows\system32\Gdmcki32.exe42⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Hnmnengg.exeC:\Windows\system32\Hnmnengg.exe43⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Ijonfmbn.exeC:\Windows\system32\Ijonfmbn.exe44⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Jglaepim.exeC:\Windows\system32\Jglaepim.exe45⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Kccbjq32.exeC:\Windows\system32\Kccbjq32.exe46⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Keekjc32.exeC:\Windows\system32\Keekjc32.exe47⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Knpmhh32.exeC:\Windows\system32\Knpmhh32.exe48⤵
- Executes dropped EXE
PID:4100 -
C:\Windows\SysWOW64\Laglkb32.exeC:\Windows\system32\Laglkb32.exe49⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Lkppchfi.exeC:\Windows\system32\Lkppchfi.exe50⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Lajhpbme.exeC:\Windows\system32\Lajhpbme.exe51⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Malefbkc.exeC:\Windows\system32\Malefbkc.exe52⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Mopeofjl.exeC:\Windows\system32\Mopeofjl.exe53⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Mkicjgnn.exeC:\Windows\system32\Mkicjgnn.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Nahdapae.exeC:\Windows\system32\Nahdapae.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Nolekd32.exeC:\Windows\system32\Nolekd32.exe56⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Namnmp32.exeC:\Windows\system32\Namnmp32.exe57⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Oafacn32.exeC:\Windows\system32\Oafacn32.exe58⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Ogcike32.exeC:\Windows\system32\Ogcike32.exe59⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Pfkpiled.exeC:\Windows\system32\Pfkpiled.exe60⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Pnknim32.exeC:\Windows\system32\Pnknim32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Bichcc32.exeC:\Windows\system32\Bichcc32.exe62⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Beobcdoi.exeC:\Windows\system32\Beobcdoi.exe63⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Bpdfpmoo.exeC:\Windows\system32\Bpdfpmoo.exe64⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Cbglgg32.exeC:\Windows\system32\Cbglgg32.exe65⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Cpklql32.exeC:\Windows\system32\Cpklql32.exe66⤵PID:1712
-
C:\Windows\SysWOW64\Dhmgfm32.exeC:\Windows\system32\Dhmgfm32.exe67⤵PID:4044
-
C:\Windows\SysWOW64\Didjqoae.exeC:\Windows\system32\Didjqoae.exe68⤵PID:3208
-
C:\Windows\SysWOW64\Dpnbmi32.exeC:\Windows\system32\Dpnbmi32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1140 -
C:\Windows\SysWOW64\Eoconenj.exeC:\Windows\system32\Eoconenj.exe70⤵
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Ehkcgkdj.exeC:\Windows\system32\Ehkcgkdj.exe71⤵PID:2224
-
C:\Windows\SysWOW64\Ebagdddp.exeC:\Windows\system32\Ebagdddp.exe72⤵PID:1484
-
C:\Windows\SysWOW64\Ebcdjc32.exeC:\Windows\system32\Ebcdjc32.exe73⤵PID:1160
-
C:\Windows\SysWOW64\Ellicihn.exeC:\Windows\system32\Ellicihn.exe74⤵PID:3592
-
C:\Windows\SysWOW64\Fplnogmb.exeC:\Windows\system32\Fplnogmb.exe75⤵PID:1220
-
C:\Windows\SysWOW64\Fhnichde.exeC:\Windows\system32\Fhnichde.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3052 -
C:\Windows\SysWOW64\Hhleefhe.exeC:\Windows\system32\Hhleefhe.exe77⤵PID:4892
-
C:\Windows\SysWOW64\Hcaibo32.exeC:\Windows\system32\Hcaibo32.exe78⤵PID:2536
-
C:\Windows\SysWOW64\Hgpbhmna.exeC:\Windows\system32\Hgpbhmna.exe79⤵PID:1324
-
C:\Windows\SysWOW64\Hgdlcm32.exeC:\Windows\system32\Hgdlcm32.exe80⤵
- Modifies registry class
PID:4328 -
C:\Windows\SysWOW64\Hhehkepj.exeC:\Windows\system32\Hhehkepj.exe81⤵PID:224
-
C:\Windows\SysWOW64\Ifleji32.exeC:\Windows\system32\Ifleji32.exe82⤵PID:2592
-
C:\Windows\SysWOW64\Iqfcbahb.exeC:\Windows\system32\Iqfcbahb.exe83⤵PID:2416
-
C:\Windows\SysWOW64\Iiaggc32.exeC:\Windows\system32\Iiaggc32.exe84⤵PID:3648
-
C:\Windows\SysWOW64\Jcgldl32.exeC:\Windows\system32\Jcgldl32.exe85⤵PID:3048
-
C:\Windows\SysWOW64\Jihngboe.exeC:\Windows\system32\Jihngboe.exe86⤵PID:1132
-
C:\Windows\SysWOW64\Jglkkiea.exeC:\Windows\system32\Jglkkiea.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4008 -
C:\Windows\SysWOW64\Kjlcmdbb.exeC:\Windows\system32\Kjlcmdbb.exe88⤵
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Kcgekjgp.exeC:\Windows\system32\Kcgekjgp.exe89⤵
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Kpnepk32.exeC:\Windows\system32\Kpnepk32.exe90⤵
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Kmbfiokn.exeC:\Windows\system32\Kmbfiokn.exe91⤵
- Modifies registry class
PID:5040 -
C:\Windows\SysWOW64\Lfodmdni.exeC:\Windows\system32\Lfodmdni.exe92⤵
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Ladhkmno.exeC:\Windows\system32\Ladhkmno.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Lplaaiqd.exeC:\Windows\system32\Lplaaiqd.exe94⤵PID:2512
-
C:\Windows\SysWOW64\Mmpbkm32.exeC:\Windows\system32\Mmpbkm32.exe95⤵PID:2076
-
C:\Windows\SysWOW64\Maeaajpl.exeC:\Windows\system32\Maeaajpl.exe96⤵PID:560
-
C:\Windows\SysWOW64\Ndjcne32.exeC:\Windows\system32\Ndjcne32.exe97⤵PID:5136
-
C:\Windows\SysWOW64\Nkghqo32.exeC:\Windows\system32\Nkghqo32.exe98⤵
- Modifies registry class
PID:5176 -
C:\Windows\SysWOW64\Ndomiddc.exeC:\Windows\system32\Ndomiddc.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5220 -
C:\Windows\SysWOW64\Okiefn32.exeC:\Windows\system32\Okiefn32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5264 -
C:\Windows\SysWOW64\Ohaokbfd.exeC:\Windows\system32\Ohaokbfd.exe101⤵PID:5308
-
C:\Windows\SysWOW64\Ppamjcpj.exeC:\Windows\system32\Ppamjcpj.exe102⤵PID:5348
-
C:\Windows\SysWOW64\Pjjaci32.exeC:\Windows\system32\Pjjaci32.exe103⤵PID:5396
-
C:\Windows\SysWOW64\Pjahchpb.exeC:\Windows\system32\Pjahchpb.exe104⤵PID:5432
-
C:\Windows\SysWOW64\Qdflaa32.exeC:\Windows\system32\Qdflaa32.exe105⤵PID:5484
-
C:\Windows\SysWOW64\Akenij32.exeC:\Windows\system32\Akenij32.exe106⤵PID:5528
-
C:\Windows\SysWOW64\Ahkkhnpg.exeC:\Windows\system32\Ahkkhnpg.exe107⤵PID:5576
-
C:\Windows\SysWOW64\Ajmgof32.exeC:\Windows\system32\Ajmgof32.exe108⤵PID:5612
-
C:\Windows\SysWOW64\Ahngmnnd.exeC:\Windows\system32\Ahngmnnd.exe109⤵PID:5660
-
C:\Windows\SysWOW64\Anjpeelk.exeC:\Windows\system32\Anjpeelk.exe110⤵PID:5732
-
C:\Windows\SysWOW64\Bkcjjhgp.exeC:\Windows\system32\Bkcjjhgp.exe111⤵PID:5776
-
C:\Windows\SysWOW64\Bbmbgb32.exeC:\Windows\system32\Bbmbgb32.exe112⤵
- Modifies registry class
PID:5840 -
C:\Windows\SysWOW64\Cebdcmhh.exeC:\Windows\system32\Cebdcmhh.exe113⤵PID:5880
-
C:\Windows\SysWOW64\Ckmmpg32.exeC:\Windows\system32\Ckmmpg32.exe114⤵
- Modifies registry class
PID:5928 -
C:\Windows\SysWOW64\Cqiehnml.exeC:\Windows\system32\Cqiehnml.exe115⤵PID:5976
-
C:\Windows\SysWOW64\Ckoifgmb.exeC:\Windows\system32\Ckoifgmb.exe116⤵PID:6072
-
C:\Windows\SysWOW64\Djipbbne.exeC:\Windows\system32\Djipbbne.exe117⤵PID:6116
-
C:\Windows\SysWOW64\Dlkiaece.exeC:\Windows\system32\Dlkiaece.exe118⤵PID:4512
-
C:\Windows\SysWOW64\Ejglcq32.exeC:\Windows\system32\Ejglcq32.exe119⤵
- Drops file in System32 directory
PID:3624 -
C:\Windows\SysWOW64\Enedio32.exeC:\Windows\system32\Enedio32.exe120⤵PID:5216
-
C:\Windows\SysWOW64\Eeomfioh.exeC:\Windows\system32\Eeomfioh.exe121⤵PID:5248
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-