Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
124s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
04/11/2023, 10:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.b221dbf22ee4e1676a99cef3796720b0_JC.exe
Resource
win7-20231025-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.b221dbf22ee4e1676a99cef3796720b0_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.b221dbf22ee4e1676a99cef3796720b0_JC.exe
-
Size
448KB
-
MD5
b221dbf22ee4e1676a99cef3796720b0
-
SHA1
4030cdac3a17b8b678aa698715e411b6f132014a
-
SHA256
147a6919653d2e0d96b4fac1cac143b3e2079e8c2f6ea48159ff240f3f440acd
-
SHA512
601ae35b0db36b413d8811cb27a22aa57c26db983c70c347060cc570425a50f72cf755b0d7ac94e1718fc6bfa09dc03cea91bb1263bd3e8aff6419f5d3296810
-
SSDEEP
6144:rCrxgyO/IzbsZR3eGLGs3fGEOmbsZR3eGLG/ggBc7hfbsZR3eGLGs3fGEOmbsZRk:rGgssZ5ZvX/sZ5P1sZ5ZvX/sZ5
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peempn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmdqbg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okneldkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdpiqehp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkeipk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feimadoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhcali32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cacmpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Decmjjie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llngbabj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmpgghoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjknakhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckoifgmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kheekkjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdmcdhhe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jglkkiea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dibdeegc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ienlbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abdfkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmiealgc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhcali32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckbncapd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afnefieo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egegjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnpjlajn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpalgenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eibmlc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Homcbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kidmcqeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ampaho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfpghccm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imiagi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oacdmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amkhmoap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haidfpki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohcmpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijmapm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glnnofhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miklkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opfnne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbhildae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmbgdl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbhhieao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfiagd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmfkjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pojjcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkchna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gedfblql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnamofdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgodjiio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmebblf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijmapm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jffokn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehkcgkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfiagd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eohhie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmpkakak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebagdddp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekimjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgocgjgk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loemnnhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekgqennl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbkeacqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffnglc32.exe -
Executes dropped EXE 64 IoCs
pid Process 4536 Hlmchoan.exe 5032 Hajkqfoe.exe 3608 Hpkknmgd.exe 2080 Hicpgc32.exe 1668 Hbldphde.exe 3732 Hhimhobl.exe 1404 Hemmac32.exe 3768 Iacngdgj.exe 1736 Ihpcinld.exe 3992 Ipihpkkd.exe 2404 Ilphdlqh.exe 1676 Joqafgni.exe 4832 Jihbip32.exe 3464 Jikoopij.exe 3764 Jbepme32.exe 3748 Kheekkjl.exe 3068 Kifojnol.exe 4916 Kabcopmg.exe 3972 Kpccmhdg.exe 1672 Lpgmhg32.exe 2172 Lhcali32.exe 4508 Lplfcf32.exe 5096 Pfagighf.exe 1272 Pmkofa32.exe 3364 Pmmlla32.exe 1408 Pciqnk32.exe 3832 Pmbegqjk.exe 2420 Qfjjpf32.exe 3452 Qikbaaml.exe 180 Apggckbf.exe 3852 Amkhmoap.exe 4348 Ampaho32.exe 4628 Afhfaddk.exe 3944 Bpcgpihi.exe 4752 Bjhkmbho.exe 2152 Binhnomg.exe 60 Bdcmkgmm.exe 400 Bipecnkd.exe 2636 Bbhildae.exe 3576 Cpljehpo.exe 1436 Ckbncapd.exe 940 Ccmcgcmp.exe 2316 Cmbgdl32.exe 3612 Cgklmacf.exe 3840 Cacmpj32.exe 3936 Dkkaiphj.exe 4884 Ddcebe32.exe 2388 Dahfkimd.exe 3560 Dkpjdo32.exe 3564 Dggkipii.exe 3404 Dalofi32.exe 2468 Dkedonpo.exe 3252 Dpalgenf.exe 3344 Ekgqennl.exe 4408 Epdime32.exe 1596 Ekimjn32.exe 4484 Edaaccbj.exe 4792 Ejojljqa.exe 2964 Ecgodpgb.exe 2320 Enlcahgh.exe 3536 Egegjn32.exe 2592 Eqmlccdi.exe 4468 Fnalmh32.exe 1992 Fdkdibjp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Dghadidj.exe Dpoiho32.exe File opened for modification C:\Windows\SysWOW64\Epjhcnbp.exe Eeddfe32.exe File created C:\Windows\SysWOW64\Oiljbjbl.dll Hjnndime.exe File created C:\Windows\SysWOW64\Cakpih32.dll Bhgjcmfi.exe File created C:\Windows\SysWOW64\Bijncb32.exe Bbpeghpe.exe File created C:\Windows\SysWOW64\Emjfif32.dll Clbmfm32.exe File created C:\Windows\SysWOW64\Eonjpqid.dll Pdbbfadn.exe File created C:\Windows\SysWOW64\Bbhildae.exe Bipecnkd.exe File opened for modification C:\Windows\SysWOW64\Icachjbb.exe Indkpcdk.exe File created C:\Windows\SysWOW64\Kongmo32.exe Kdhbpf32.exe File created C:\Windows\SysWOW64\Fdogjk32.exe Ffnglc32.exe File opened for modification C:\Windows\SysWOW64\Imiagi32.exe Ienlbf32.exe File opened for modification C:\Windows\SysWOW64\Dilmeida.exe Dendok32.exe File created C:\Windows\SysWOW64\Ggajho32.dll Pgeogb32.exe File opened for modification C:\Windows\SysWOW64\Opjgidfa.exe Oiqomj32.exe File created C:\Windows\SysWOW64\Nacmahgc.dll Oogdfc32.exe File opened for modification C:\Windows\SysWOW64\Pocdba32.exe Philfgdh.exe File created C:\Windows\SysWOW64\Bnbmqjjo.exe Biedhclh.exe File created C:\Windows\SysWOW64\Icachjbb.exe Indkpcdk.exe File created C:\Windows\SysWOW64\Kmjaeema.dll Obidcdfo.exe File created C:\Windows\SysWOW64\Cdlhgpag.exe Cmbpjfij.exe File created C:\Windows\SysWOW64\Cbccbiml.dll Dfakcj32.exe File created C:\Windows\SysWOW64\Llqmbp32.dll Feljgd32.exe File created C:\Windows\SysWOW64\Hqfqfj32.exe Hgnlmdcp.exe File created C:\Windows\SysWOW64\Qdqaqhbj.dll Bdcmkgmm.exe File created C:\Windows\SysWOW64\Qekjhmdj.dll Kopcbo32.exe File created C:\Windows\SysWOW64\Gnggfhnm.dll Nfiagd32.exe File opened for modification C:\Windows\SysWOW64\Pcbdcf32.exe Pilpfm32.exe File created C:\Windows\SysWOW64\Gdfmgqph.dll Bpemkcck.exe File opened for modification C:\Windows\SysWOW64\Mffjnc32.exe Laiafl32.exe File opened for modification C:\Windows\SysWOW64\Gjhfif32.exe Gqpapacd.exe File opened for modification C:\Windows\SysWOW64\Jffokn32.exe Iedbcebd.exe File opened for modification C:\Windows\SysWOW64\Nggjog32.exe Najagp32.exe File created C:\Windows\SysWOW64\Didjqoae.exe Donecfao.exe File created C:\Windows\SysWOW64\Jdeoad32.dll Elnehifk.exe File opened for modification C:\Windows\SysWOW64\Qpmmfbfl.exe Qgehml32.exe File created C:\Windows\SysWOW64\Bhgjcmfi.exe Bqpbboeg.exe File opened for modification C:\Windows\SysWOW64\Bgodjiio.exe Bqdlmo32.exe File opened for modification C:\Windows\SysWOW64\Fcekfnkb.exe Fkjfakng.exe File created C:\Windows\SysWOW64\Hkmlnimb.exe Hebcao32.exe File opened for modification C:\Windows\SysWOW64\Kdpiqehp.exe Klddlckd.exe File created C:\Windows\SysWOW64\Dfngcdhi.exe Dlicflic.exe File created C:\Windows\SysWOW64\Pklkbl32.exe Pdbbfadn.exe File opened for modification C:\Windows\SysWOW64\Cbfema32.exe Cnhlgc32.exe File created C:\Windows\SysWOW64\Nffopp32.dll Ddekmo32.exe File opened for modification C:\Windows\SysWOW64\Phneqf32.exe Pbdmdlie.exe File opened for modification C:\Windows\SysWOW64\Pkedbmab.exe Pdklebje.exe File created C:\Windows\SysWOW64\Idjcam32.dll Leabphmp.exe File created C:\Windows\SysWOW64\Ocmjhfjl.exe Ocknbglo.exe File opened for modification C:\Windows\SysWOW64\Gphddlfp.exe Ffcpgcfj.exe File opened for modification C:\Windows\SysWOW64\Ijhhenhf.exe Idkpmgjo.exe File created C:\Windows\SysWOW64\Cpbbak32.exe Cemndbci.exe File created C:\Windows\SysWOW64\Cefoni32.exe Cpifeb32.exe File created C:\Windows\SysWOW64\Gkcjcf32.dll Jcoioabf.exe File created C:\Windows\SysWOW64\Dnqeip32.dll Ngemjg32.exe File created C:\Windows\SysWOW64\Fjohgj32.dll Kheekkjl.exe File opened for modification C:\Windows\SysWOW64\Cgklmacf.exe Cmbgdl32.exe File created C:\Windows\SysWOW64\Bblnengb.dll Hcljmj32.exe File created C:\Windows\SysWOW64\Mhfdfbqe.dll Kdhbpf32.exe File created C:\Windows\SysWOW64\Nnmmnbnl.dll Oomelheh.exe File opened for modification C:\Windows\SysWOW64\Qgehml32.exe Qpkppbho.exe File opened for modification C:\Windows\SysWOW64\Dndlba32.exe Celgjlpn.exe File created C:\Windows\SysWOW64\Kolqioah.dll Djpfbahm.exe File created C:\Windows\SysWOW64\Hjcakafa.dll Lhcali32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10512 2244 WerFault.exe 561 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhdqml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acmkkk32.dll" Bngfli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efampahd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpqklh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goahpc32.dll" Bjhgke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakcc32.dll" Cpljehpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iacngdgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihpcinld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dibdeegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgefmhck.dll" Oamgcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pojjcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbklli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmkheljf.dll" Hhobjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 NEAS.b221dbf22ee4e1676a99cef3796720b0_JC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgehml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbfema32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnboma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cempebgi.dll" Labkempb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecgodpgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgekdq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 BackgroundTransferHost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joqafgni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdkapdh.dll" Mekdffee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edcgnmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgadmdk.dll" Ohnljine.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npadcfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjohgj32.dll" Kheekkjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jghhjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbngnddf.dll" Lmqiec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngfkf32.dll" Afnefieo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiodha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdbfa32.dll" Bbkeacqo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdkoef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnpjlajn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmgmhgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knbinhfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakofc32.dll" Pklkbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adkelplc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hebcao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bechccgd.dll" Ddhhbngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpmeimpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdmdjkpo.dll" Ffcpgcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggdbmoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll" Cacmpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhbch32.dll" Jdmcdhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eijbed32.dll" Nbbnbemf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkjegb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbdmdlie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfagighf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icnbdlfc.dll" Nehjmnei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeamcmmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agaoca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfljnejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnibpanm.dll" Pjjaci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbldphde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejceb32.dll" Fglnkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akhaipei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhnfh32.dll" Enlcahgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhkkfnao.dll" Jnnnfalp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kongmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lahbei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mllccpfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cefoni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okcogc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1300 wrote to memory of 4536 1300 NEAS.b221dbf22ee4e1676a99cef3796720b0_JC.exe 84 PID 1300 wrote to memory of 4536 1300 NEAS.b221dbf22ee4e1676a99cef3796720b0_JC.exe 84 PID 1300 wrote to memory of 4536 1300 NEAS.b221dbf22ee4e1676a99cef3796720b0_JC.exe 84 PID 4536 wrote to memory of 5032 4536 Hlmchoan.exe 85 PID 4536 wrote to memory of 5032 4536 Hlmchoan.exe 85 PID 4536 wrote to memory of 5032 4536 Hlmchoan.exe 85 PID 5032 wrote to memory of 3608 5032 Hajkqfoe.exe 86 PID 5032 wrote to memory of 3608 5032 Hajkqfoe.exe 86 PID 5032 wrote to memory of 3608 5032 Hajkqfoe.exe 86 PID 3608 wrote to memory of 2080 3608 Hpkknmgd.exe 87 PID 3608 wrote to memory of 2080 3608 Hpkknmgd.exe 87 PID 3608 wrote to memory of 2080 3608 Hpkknmgd.exe 87 PID 2080 wrote to memory of 1668 2080 Hicpgc32.exe 88 PID 2080 wrote to memory of 1668 2080 Hicpgc32.exe 88 PID 2080 wrote to memory of 1668 2080 Hicpgc32.exe 88 PID 1668 wrote to memory of 3732 1668 Hbldphde.exe 89 PID 1668 wrote to memory of 3732 1668 Hbldphde.exe 89 PID 1668 wrote to memory of 3732 1668 Hbldphde.exe 89 PID 3732 wrote to memory of 1404 3732 Hhimhobl.exe 90 PID 3732 wrote to memory of 1404 3732 Hhimhobl.exe 90 PID 3732 wrote to memory of 1404 3732 Hhimhobl.exe 90 PID 1404 wrote to memory of 3768 1404 Hemmac32.exe 91 PID 1404 wrote to memory of 3768 1404 Hemmac32.exe 91 PID 1404 wrote to memory of 3768 1404 Hemmac32.exe 91 PID 3768 wrote to memory of 1736 3768 Iacngdgj.exe 92 PID 3768 wrote to memory of 1736 3768 Iacngdgj.exe 92 PID 3768 wrote to memory of 1736 3768 Iacngdgj.exe 92 PID 1736 wrote to memory of 3992 1736 Ihpcinld.exe 93 PID 1736 wrote to memory of 3992 1736 Ihpcinld.exe 93 PID 1736 wrote to memory of 3992 1736 Ihpcinld.exe 93 PID 3992 wrote to memory of 2404 3992 Ipihpkkd.exe 94 PID 3992 wrote to memory of 2404 3992 Ipihpkkd.exe 94 PID 3992 wrote to memory of 2404 3992 Ipihpkkd.exe 94 PID 2404 wrote to memory of 1676 2404 Ilphdlqh.exe 95 PID 2404 wrote to memory of 1676 2404 Ilphdlqh.exe 95 PID 2404 wrote to memory of 1676 2404 Ilphdlqh.exe 95 PID 1676 wrote to memory of 4832 1676 Joqafgni.exe 96 PID 1676 wrote to memory of 4832 1676 Joqafgni.exe 96 PID 1676 wrote to memory of 4832 1676 Joqafgni.exe 96 PID 4832 wrote to memory of 3464 4832 Jihbip32.exe 97 PID 4832 wrote to memory of 3464 4832 Jihbip32.exe 97 PID 4832 wrote to memory of 3464 4832 Jihbip32.exe 97 PID 3464 wrote to memory of 3764 3464 Jikoopij.exe 98 PID 3464 wrote to memory of 3764 3464 Jikoopij.exe 98 PID 3464 wrote to memory of 3764 3464 Jikoopij.exe 98 PID 3764 wrote to memory of 3748 3764 Jbepme32.exe 99 PID 3764 wrote to memory of 3748 3764 Jbepme32.exe 99 PID 3764 wrote to memory of 3748 3764 Jbepme32.exe 99 PID 3748 wrote to memory of 3068 3748 Kheekkjl.exe 100 PID 3748 wrote to memory of 3068 3748 Kheekkjl.exe 100 PID 3748 wrote to memory of 3068 3748 Kheekkjl.exe 100 PID 3068 wrote to memory of 4916 3068 Kifojnol.exe 101 PID 3068 wrote to memory of 4916 3068 Kifojnol.exe 101 PID 3068 wrote to memory of 4916 3068 Kifojnol.exe 101 PID 4916 wrote to memory of 3972 4916 Kabcopmg.exe 102 PID 4916 wrote to memory of 3972 4916 Kabcopmg.exe 102 PID 4916 wrote to memory of 3972 4916 Kabcopmg.exe 102 PID 3972 wrote to memory of 1672 3972 Kpccmhdg.exe 103 PID 3972 wrote to memory of 1672 3972 Kpccmhdg.exe 103 PID 3972 wrote to memory of 1672 3972 Kpccmhdg.exe 103 PID 1672 wrote to memory of 2172 1672 Lpgmhg32.exe 104 PID 1672 wrote to memory of 2172 1672 Lpgmhg32.exe 104 PID 1672 wrote to memory of 2172 1672 Lpgmhg32.exe 104 PID 2172 wrote to memory of 4508 2172 Lhcali32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.b221dbf22ee4e1676a99cef3796720b0_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.b221dbf22ee4e1676a99cef3796720b0_JC.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Hlmchoan.exeC:\Windows\system32\Hlmchoan.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Hajkqfoe.exeC:\Windows\system32\Hajkqfoe.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Hpkknmgd.exeC:\Windows\system32\Hpkknmgd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\Hicpgc32.exeC:\Windows\system32\Hicpgc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Hbldphde.exeC:\Windows\system32\Hbldphde.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Hhimhobl.exeC:\Windows\system32\Hhimhobl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\SysWOW64\Hemmac32.exeC:\Windows\system32\Hemmac32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Iacngdgj.exeC:\Windows\system32\Iacngdgj.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Windows\SysWOW64\Ihpcinld.exeC:\Windows\system32\Ihpcinld.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Ipihpkkd.exeC:\Windows\system32\Ipihpkkd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\SysWOW64\Ilphdlqh.exeC:\Windows\system32\Ilphdlqh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Joqafgni.exeC:\Windows\system32\Joqafgni.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Jihbip32.exeC:\Windows\system32\Jihbip32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Jikoopij.exeC:\Windows\system32\Jikoopij.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\SysWOW64\Jbepme32.exeC:\Windows\system32\Jbepme32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\SysWOW64\Kheekkjl.exeC:\Windows\system32\Kheekkjl.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\Kifojnol.exeC:\Windows\system32\Kifojnol.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Kabcopmg.exeC:\Windows\system32\Kabcopmg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Kpccmhdg.exeC:\Windows\system32\Kpccmhdg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Lpgmhg32.exeC:\Windows\system32\Lpgmhg32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Lhcali32.exeC:\Windows\system32\Lhcali32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Lplfcf32.exeC:\Windows\system32\Lplfcf32.exe23⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Pfagighf.exeC:\Windows\system32\Pfagighf.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:5096 -
C:\Windows\SysWOW64\Pmkofa32.exeC:\Windows\system32\Pmkofa32.exe25⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Pmmlla32.exeC:\Windows\system32\Pmmlla32.exe26⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Pciqnk32.exeC:\Windows\system32\Pciqnk32.exe27⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Pmbegqjk.exeC:\Windows\system32\Pmbegqjk.exe28⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Qfjjpf32.exeC:\Windows\system32\Qfjjpf32.exe29⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Qikbaaml.exeC:\Windows\system32\Qikbaaml.exe30⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Apggckbf.exeC:\Windows\system32\Apggckbf.exe31⤵
- Executes dropped EXE
PID:180 -
C:\Windows\SysWOW64\Amkhmoap.exeC:\Windows\system32\Amkhmoap.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Ampaho32.exeC:\Windows\system32\Ampaho32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Afhfaddk.exeC:\Windows\system32\Afhfaddk.exe34⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Bpcgpihi.exeC:\Windows\system32\Bpcgpihi.exe35⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Bjhkmbho.exeC:\Windows\system32\Bjhkmbho.exe36⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Binhnomg.exeC:\Windows\system32\Binhnomg.exe37⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Bdcmkgmm.exeC:\Windows\system32\Bdcmkgmm.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:60 -
C:\Windows\SysWOW64\Bipecnkd.exeC:\Windows\system32\Bipecnkd.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:400 -
C:\Windows\SysWOW64\Bbhildae.exeC:\Windows\system32\Bbhildae.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Cpljehpo.exeC:\Windows\system32\Cpljehpo.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:3576 -
C:\Windows\SysWOW64\Ckbncapd.exeC:\Windows\system32\Ckbncapd.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Ccmcgcmp.exeC:\Windows\system32\Ccmcgcmp.exe43⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Cmbgdl32.exeC:\Windows\system32\Cmbgdl32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Cgklmacf.exeC:\Windows\system32\Cgklmacf.exe45⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Cacmpj32.exeC:\Windows\system32\Cacmpj32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3840 -
C:\Windows\SysWOW64\Dkkaiphj.exeC:\Windows\system32\Dkkaiphj.exe47⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Ddcebe32.exeC:\Windows\system32\Ddcebe32.exe48⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Dahfkimd.exeC:\Windows\system32\Dahfkimd.exe49⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Dkpjdo32.exeC:\Windows\system32\Dkpjdo32.exe50⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Dggkipii.exeC:\Windows\system32\Dggkipii.exe51⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Dalofi32.exeC:\Windows\system32\Dalofi32.exe52⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Dkedonpo.exeC:\Windows\system32\Dkedonpo.exe53⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Dpalgenf.exeC:\Windows\system32\Dpalgenf.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Ekgqennl.exeC:\Windows\system32\Ekgqennl.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3344 -
C:\Windows\SysWOW64\Epdime32.exeC:\Windows\system32\Epdime32.exe56⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Ekimjn32.exeC:\Windows\system32\Ekimjn32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Edaaccbj.exeC:\Windows\system32\Edaaccbj.exe58⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Ejojljqa.exeC:\Windows\system32\Ejojljqa.exe59⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Ecgodpgb.exeC:\Windows\system32\Ecgodpgb.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Enlcahgh.exeC:\Windows\system32\Enlcahgh.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Egegjn32.exeC:\Windows\system32\Egegjn32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Eqmlccdi.exeC:\Windows\system32\Eqmlccdi.exe63⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Fnalmh32.exeC:\Windows\system32\Fnalmh32.exe64⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Fdkdibjp.exeC:\Windows\system32\Fdkdibjp.exe65⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Fjhmbihg.exeC:\Windows\system32\Fjhmbihg.exe66⤵PID:1864
-
C:\Windows\SysWOW64\Fglnkm32.exeC:\Windows\system32\Fglnkm32.exe67⤵
- Modifies registry class
PID:1080 -
C:\Windows\SysWOW64\Fdpnda32.exeC:\Windows\system32\Fdpnda32.exe68⤵PID:3580
-
C:\Windows\SysWOW64\Fkjfakng.exeC:\Windows\system32\Fkjfakng.exe69⤵
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Fcekfnkb.exeC:\Windows\system32\Fcekfnkb.exe70⤵PID:5008
-
C:\Windows\SysWOW64\Fjocbhbo.exeC:\Windows\system32\Fjocbhbo.exe71⤵PID:1180
-
C:\Windows\SysWOW64\Gkoplk32.exeC:\Windows\system32\Gkoplk32.exe72⤵PID:2868
-
C:\Windows\SysWOW64\Gbhhieao.exeC:\Windows\system32\Gbhhieao.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4016 -
C:\Windows\SysWOW64\Gcjdam32.exeC:\Windows\system32\Gcjdam32.exe74⤵PID:4036
-
C:\Windows\SysWOW64\Gnohnffc.exeC:\Windows\system32\Gnohnffc.exe75⤵PID:2480
-
C:\Windows\SysWOW64\Gkcigjel.exeC:\Windows\system32\Gkcigjel.exe76⤵PID:1060
-
C:\Windows\SysWOW64\Gqpapacd.exeC:\Windows\system32\Gqpapacd.exe77⤵
- Drops file in System32 directory
PID:4924 -
C:\Windows\SysWOW64\Gjhfif32.exeC:\Windows\system32\Gjhfif32.exe78⤵PID:3928
-
C:\Windows\SysWOW64\Gglfbkin.exeC:\Windows\system32\Gglfbkin.exe79⤵PID:1680
-
C:\Windows\SysWOW64\Hgocgjgk.exeC:\Windows\system32\Hgocgjgk.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:768 -
C:\Windows\SysWOW64\Hebcao32.exeC:\Windows\system32\Hebcao32.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:4604 -
C:\Windows\SysWOW64\Hkmlnimb.exeC:\Windows\system32\Hkmlnimb.exe82⤵PID:1444
-
C:\Windows\SysWOW64\Haidfpki.exeC:\Windows\system32\Haidfpki.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2012 -
C:\Windows\SysWOW64\Hkohchko.exeC:\Windows\system32\Hkohchko.exe84⤵PID:3328
-
C:\Windows\SysWOW64\Hgeihiac.exeC:\Windows\system32\Hgeihiac.exe85⤵PID:5164
-
C:\Windows\SysWOW64\Hnpaec32.exeC:\Windows\system32\Hnpaec32.exe86⤵PID:5204
-
C:\Windows\SysWOW64\Hcljmj32.exeC:\Windows\system32\Hcljmj32.exe87⤵
- Drops file in System32 directory
PID:5248 -
C:\Windows\SysWOW64\Hnbnjc32.exeC:\Windows\system32\Hnbnjc32.exe88⤵PID:5296
-
C:\Windows\SysWOW64\Ielfgmnj.exeC:\Windows\system32\Ielfgmnj.exe89⤵PID:5344
-
C:\Windows\SysWOW64\Indkpcdk.exeC:\Windows\system32\Indkpcdk.exe90⤵
- Drops file in System32 directory
PID:5384 -
C:\Windows\SysWOW64\Icachjbb.exeC:\Windows\system32\Icachjbb.exe91⤵PID:5428
-
C:\Windows\SysWOW64\Ibbcfa32.exeC:\Windows\system32\Ibbcfa32.exe92⤵PID:5472
-
C:\Windows\SysWOW64\Iccpniqp.exeC:\Windows\system32\Iccpniqp.exe93⤵PID:5520
-
C:\Windows\SysWOW64\Ibdplaho.exeC:\Windows\system32\Ibdplaho.exe94⤵PID:5564
-
C:\Windows\SysWOW64\Ihaidhgf.exeC:\Windows\system32\Ihaidhgf.exe95⤵PID:5632
-
C:\Windows\SysWOW64\Ibgmaqfl.exeC:\Windows\system32\Ibgmaqfl.exe96⤵PID:5692
-
C:\Windows\SysWOW64\Ihceigec.exeC:\Windows\system32\Ihceigec.exe97⤵PID:5740
-
C:\Windows\SysWOW64\Jnnnfalp.exeC:\Windows\system32\Jnnnfalp.exe98⤵
- Modifies registry class
PID:5788 -
C:\Windows\SysWOW64\Jdjfohjg.exeC:\Windows\system32\Jdjfohjg.exe99⤵PID:5836
-
C:\Windows\SysWOW64\Jnpjlajn.exeC:\Windows\system32\Jnpjlajn.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5884 -
C:\Windows\SysWOW64\Jdmcdhhe.exeC:\Windows\system32\Jdmcdhhe.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5924 -
C:\Windows\SysWOW64\Jjgkab32.exeC:\Windows\system32\Jjgkab32.exe102⤵PID:5968
-
C:\Windows\SysWOW64\Jhkljfok.exeC:\Windows\system32\Jhkljfok.exe103⤵PID:6016
-
C:\Windows\SysWOW64\Jnedgq32.exeC:\Windows\system32\Jnedgq32.exe104⤵PID:6056
-
C:\Windows\SysWOW64\Jhmhpfmi.exeC:\Windows\system32\Jhmhpfmi.exe105⤵PID:6096
-
C:\Windows\SysWOW64\Jogqlpde.exeC:\Windows\system32\Jogqlpde.exe106⤵PID:6140
-
C:\Windows\SysWOW64\Jddiegbm.exeC:\Windows\system32\Jddiegbm.exe107⤵PID:5176
-
C:\Windows\SysWOW64\Koimbpbc.exeC:\Windows\system32\Koimbpbc.exe108⤵PID:5244
-
C:\Windows\SysWOW64\Kdffjgpj.exeC:\Windows\system32\Kdffjgpj.exe109⤵PID:5320
-
C:\Windows\SysWOW64\Koljgppp.exeC:\Windows\system32\Koljgppp.exe110⤵PID:5364
-
C:\Windows\SysWOW64\Kdhbpf32.exeC:\Windows\system32\Kdhbpf32.exe111⤵
- Drops file in System32 directory
PID:5440 -
C:\Windows\SysWOW64\Kongmo32.exeC:\Windows\system32\Kongmo32.exe112⤵
- Modifies registry class
PID:5528 -
C:\Windows\SysWOW64\Kdkoef32.exeC:\Windows\system32\Kdkoef32.exe113⤵
- Modifies registry class
PID:5624 -
C:\Windows\SysWOW64\Kopcbo32.exeC:\Windows\system32\Kopcbo32.exe114⤵
- Drops file in System32 directory
PID:5680 -
C:\Windows\SysWOW64\Kejloi32.exeC:\Windows\system32\Kejloi32.exe115⤵PID:5768
-
C:\Windows\SysWOW64\Klddlckd.exeC:\Windows\system32\Klddlckd.exe116⤵
- Drops file in System32 directory
PID:5812 -
C:\Windows\SysWOW64\Kdpiqehp.exeC:\Windows\system32\Kdpiqehp.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5920 -
C:\Windows\SysWOW64\Loemnnhe.exeC:\Windows\system32\Loemnnhe.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5964 -
C:\Windows\SysWOW64\Leoejh32.exeC:\Windows\system32\Leoejh32.exe119⤵PID:6048
-
C:\Windows\SysWOW64\Lklnconj.exeC:\Windows\system32\Lklnconj.exe120⤵PID:6128
-
C:\Windows\SysWOW64\Leabphmp.exeC:\Windows\system32\Leabphmp.exe121⤵
- Drops file in System32 directory
PID:5152
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-