Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
175s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
07/11/2023, 15:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.ddf463539b29e45d03e2cac7d5939ef0.exe
Resource
win7-20231023-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.ddf463539b29e45d03e2cac7d5939ef0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.ddf463539b29e45d03e2cac7d5939ef0.exe
-
Size
429KB
-
MD5
ddf463539b29e45d03e2cac7d5939ef0
-
SHA1
7cffa06a8397617c71eb8b274b0053f070c43a3b
-
SHA256
23374d4a416cbc6d25b19849e7664eaadb271b8d9f7b5200aea20a8d4dce561b
-
SHA512
bcca25d88f10fb225a46ceba6e5a38824b70a24fd2172f460c8cc03eb2cc2358b8fa8fe32bdbfdcdedf8bcfc659b8f90d021fe1b4aea0979902bfe9de8d59ac2
-
SSDEEP
3072:JwhKeuFGwjfKtNQbCnDuR36QI1Z36NQorhaR5sS+vfv:J5DGwjf+2CnDuR36QS3orharSv
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpchbhjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edihof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnanpfdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akblpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Figgnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfngcdhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibncmchl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glpdecjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phdngljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdphgmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fflobgng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pignccea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnoalehl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkfanqmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmkkgh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhheepbk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modgnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkhbnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhjegh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmabpmjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciioaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkljka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amnlfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Filailgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkkhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igpkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idpbhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgimepmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heqnokaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nigjifgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmehnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lomjbikf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nndjgjhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knnhdied.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fejegaao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpjcnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clqncl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnjhccnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcejmeol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngehoqdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fomfpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epbkhhel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dendok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpmlhoil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnlgekkc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcikagij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eomfae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlhbja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlihek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqphpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knioij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chfepa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Likhoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpchbhjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbpihlbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkohln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbnflihq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dakieedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jppnjpji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlbfmjqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dehgejep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keapmf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knbiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akamol32.exe -
Executes dropped EXE 64 IoCs
pid Process 3020 Dgfdojfm.exe 4692 Gqagkjne.exe 2396 Hcembe32.exe 3976 Hfhbipdb.exe 5116 Ijfkpnji.exe 2748 Iqbpahpc.exe 3188 Inkjfk32.exe 3728 Jclljaei.exe 3300 Kccbjq32.exe 3504 Kaqejcep.exe 2092 Mgkjch32.exe 4920 Noqofdlj.exe 4996 Pkjegb32.exe 2224 Bichcc32.exe 3800 Blkgen32.exe 3784 Cblebgfh.exe 4348 Dfngcdhi.exe 4860 Dlnlak32.exe 1828 Dlbfmjqi.exe 2104 Epbkhhel.exe 3876 Flpbnh32.exe 3748 Fpeaeedg.exe 4248 Hodqlq32.exe 2592 Hhobjf32.exe 2796 Imfmgcdn.exe 5064 Jgbhdkml.exe 4220 Kcehejic.exe 4928 Liifnp32.exe 2176 Labkempb.exe 2452 Mhefhf32.exe 2080 Mpchbhjl.exe 2364 Nkboeobh.exe 4176 Npognfpo.exe 808 Niglfl32.exe 4888 Ngklppei.exe 560 Onngci32.exe 4116 Pkgaglpp.exe 1832 Pknghk32.exe 4264 Agiahlkf.exe 5088 Aqilaplo.exe 2504 Bgjjoi32.exe 2272 Bbbkbbkg.exe 1740 Dendok32.exe 3844 Daeddlco.exe 1924 Dehgejep.exe 4312 Eaqdpjia.exe 4872 Ebpqjmpd.exe 2704 Ebbmpmnb.exe 3316 Fkgejncb.exe 2664 Faamghko.exe 3440 Fbqiak32.exe 2192 Gbcffk32.exe 4400 Hligqnjp.exe 5004 Ihgnfnjl.exe 2844 Ijgjpaao.exe 2968 Jkajnh32.exe 2728 Jkhpogij.exe 3924 Kbgafqla.exe 1824 Ljleil32.exe 3044 Lmmokgne.exe 4360 Mmokpglb.exe 1788 Ncecioib.exe 4296 Niblafgi.exe 2760 Ndgpnogo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ipqigjkp.dll Dlnlak32.exe File opened for modification C:\Windows\SysWOW64\Lmmokgne.exe Ljleil32.exe File created C:\Windows\SysWOW64\Kmamhf32.dll Kgiibnib.exe File created C:\Windows\SysWOW64\Pabebdka.dll Lcbfmomc.exe File created C:\Windows\SysWOW64\Opdomjnf.dll Chibfa32.exe File opened for modification C:\Windows\SysWOW64\Offeahhp.exe Omnqhbap.exe File opened for modification C:\Windows\SysWOW64\Mmnlnfcb.exe Mdehep32.exe File opened for modification C:\Windows\SysWOW64\Oijqbh32.exe Obphenpj.exe File created C:\Windows\SysWOW64\Ibeqgdpf.exe Hkkhjj32.exe File created C:\Windows\SysWOW64\Iifodmak.exe Ibgmldnd.exe File created C:\Windows\SysWOW64\Cmabpmjj.exe Cbkncd32.exe File opened for modification C:\Windows\SysWOW64\Mhefhf32.exe Labkempb.exe File created C:\Windows\SysWOW64\Bbbkbbkg.exe Bgjjoi32.exe File opened for modification C:\Windows\SysWOW64\Obgeqcnn.exe Omkmhlpf.exe File opened for modification C:\Windows\SysWOW64\Pcmloa32.exe Phhhbi32.exe File opened for modification C:\Windows\SysWOW64\Kgiibnib.exe Knpeii32.exe File created C:\Windows\SysWOW64\Aachaa32.exe Akipdg32.exe File created C:\Windows\SysWOW64\Oehpnnpl.dll Jdhpba32.exe File opened for modification C:\Windows\SysWOW64\Ciioaa32.exe Behiec32.exe File created C:\Windows\SysWOW64\Cpmajdig.exe Coldbl32.exe File opened for modification C:\Windows\SysWOW64\Hoonjjgk.exe Gfngke32.exe File opened for modification C:\Windows\SysWOW64\Fbcfan32.exe Fjfegl32.exe File opened for modification C:\Windows\SysWOW64\Nqpccp32.exe Nfjofg32.exe File created C:\Windows\SysWOW64\Iqhdoh32.dll Pcpnab32.exe File created C:\Windows\SysWOW64\Pfjgpp32.dll Hlkfle32.exe File created C:\Windows\SysWOW64\Ejjakmcg.dll Jkhpogij.exe File created C:\Windows\SysWOW64\Ibncmchl.exe Iifodmak.exe File created C:\Windows\SysWOW64\Badofb32.dll Adiknkco.exe File created C:\Windows\SysWOW64\Mhekfhho.dll Gegkilik.exe File opened for modification C:\Windows\SysWOW64\Jclljaei.exe Inkjfk32.exe File opened for modification C:\Windows\SysWOW64\Ofadlbhj.exe Obcled32.exe File created C:\Windows\SysWOW64\Eofgioah.exe Eilomd32.exe File opened for modification C:\Windows\SysWOW64\Gqaeme32.exe Gjgmpkfl.exe File opened for modification C:\Windows\SysWOW64\Jimeelkc.exe Ibncmchl.exe File created C:\Windows\SysWOW64\Fqkhidmg.dll Gjgmpkfl.exe File created C:\Windows\SysWOW64\Bagmpoco.exe Anpnmele.exe File created C:\Windows\SysWOW64\Lihpbl32.exe Jjopmh32.exe File opened for modification C:\Windows\SysWOW64\Ahonbhig.exe Qgmbkp32.exe File opened for modification C:\Windows\SysWOW64\Pmafpchb.exe Phdngljk.exe File created C:\Windows\SysWOW64\Hmokkonl.dll Ebbfpjbn.exe File created C:\Windows\SysWOW64\Ligdkl32.dll Hcembe32.exe File created C:\Windows\SysWOW64\Dhjknljl.exe Dapcab32.exe File created C:\Windows\SysWOW64\Ebifha32.exe Dphipidf.exe File created C:\Windows\SysWOW64\Ofbjei32.dll Hdhlhd32.exe File opened for modification C:\Windows\SysWOW64\Glpdecjb.exe Fbcfan32.exe File opened for modification C:\Windows\SysWOW64\Apobakpn.exe Qkmqne32.exe File created C:\Windows\SysWOW64\Enfjph32.dll Lihpbl32.exe File opened for modification C:\Windows\SysWOW64\Epbkhhel.exe Dlbfmjqi.exe File created C:\Windows\SysWOW64\Mebkbi32.exe Lifqbi32.exe File opened for modification C:\Windows\SysWOW64\Agkgceeh.exe Apobakpn.exe File created C:\Windows\SysWOW64\Dlphnk32.dll Dakieedj.exe File created C:\Windows\SysWOW64\Inbfjlbj.dll Fpeaeedg.exe File created C:\Windows\SysWOW64\Jodiaqag.exe Jbpihlbn.exe File created C:\Windows\SysWOW64\Mnknkbdk.exe Mjiljdaj.exe File opened for modification C:\Windows\SysWOW64\Kolakkii.exe Kiphcdkb.exe File opened for modification C:\Windows\SysWOW64\Baegchgb.exe Bkkofn32.exe File created C:\Windows\SysWOW64\Fmpaqd32.exe Flodilma.exe File opened for modification C:\Windows\SysWOW64\Jdhpba32.exe Ihhmgaqb.exe File created C:\Windows\SysWOW64\Mmnadddj.dll Fijknbmk.exe File created C:\Windows\SysWOW64\Fechhcal.exe Fnipliip.exe File created C:\Windows\SysWOW64\Mmfmbpco.dll Napjnfik.exe File created C:\Windows\SysWOW64\Dfbcek32.exe Dmjole32.exe File opened for modification C:\Windows\SysWOW64\Qmphkg32.exe Qfepnmjn.exe File opened for modification C:\Windows\SysWOW64\Dehgejep.exe Daeddlco.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6084 5816 WerFault.exe 659 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgfdojfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmafpchb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epbkhhel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpchbhjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fngmjikh.dll" Odbgbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpmlhoil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnpmej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efdenq32.dll" Hmpclnof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiofeigg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njkiaa32.dll" Lqkgli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipqigjkp.dll" Dlnlak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpdgjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkahmp32.dll" Ildpbfmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahmqnkbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkboeobh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibncmchl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdlpjicj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdagidhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlkfle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgfdojfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeipj32.dll" Ebifha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdfobe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anijoaml.dll" Fjfegl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhheepbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haafcf32.dll" Edplapnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckghid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaifin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hligqnjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dapcab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebpqjmpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhfenmbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aihfjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdfobe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkmfmiei.dll" Ebpqjmpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mebkbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqjqab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bloflk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apncei32.dll" Gehfepio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jiglgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbfio32.dll" Hlhife32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmndkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdiijemd.dll" Fpdckm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjhpqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eljknl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgeibicb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcejmeol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolmnige.dll" Fbnflihq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cggifn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afeicela.dll" Cmdmki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhjlkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmkkgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkhaph32.dll" Mgaoda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppiklc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noahcb32.dll" Fgeibicb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boplmekj.dll" Gmojep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aogbpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhjfj32.dll" Fniiabfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabebdka.dll" Lcbfmomc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahpmckpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbnflihq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbhea32.dll" Fomfpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plagmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpimflqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phhhbi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1332 wrote to memory of 3020 1332 NEAS.ddf463539b29e45d03e2cac7d5939ef0.exe 94 PID 1332 wrote to memory of 3020 1332 NEAS.ddf463539b29e45d03e2cac7d5939ef0.exe 94 PID 1332 wrote to memory of 3020 1332 NEAS.ddf463539b29e45d03e2cac7d5939ef0.exe 94 PID 3020 wrote to memory of 4692 3020 Dgfdojfm.exe 95 PID 3020 wrote to memory of 4692 3020 Dgfdojfm.exe 95 PID 3020 wrote to memory of 4692 3020 Dgfdojfm.exe 95 PID 4692 wrote to memory of 2396 4692 Gqagkjne.exe 96 PID 4692 wrote to memory of 2396 4692 Gqagkjne.exe 96 PID 4692 wrote to memory of 2396 4692 Gqagkjne.exe 96 PID 2396 wrote to memory of 3976 2396 Hcembe32.exe 97 PID 2396 wrote to memory of 3976 2396 Hcembe32.exe 97 PID 2396 wrote to memory of 3976 2396 Hcembe32.exe 97 PID 3976 wrote to memory of 5116 3976 Hfhbipdb.exe 98 PID 3976 wrote to memory of 5116 3976 Hfhbipdb.exe 98 PID 3976 wrote to memory of 5116 3976 Hfhbipdb.exe 98 PID 5116 wrote to memory of 2748 5116 Ijfkpnji.exe 99 PID 5116 wrote to memory of 2748 5116 Ijfkpnji.exe 99 PID 5116 wrote to memory of 2748 5116 Ijfkpnji.exe 99 PID 2748 wrote to memory of 3188 2748 Iqbpahpc.exe 100 PID 2748 wrote to memory of 3188 2748 Iqbpahpc.exe 100 PID 2748 wrote to memory of 3188 2748 Iqbpahpc.exe 100 PID 3188 wrote to memory of 3728 3188 Inkjfk32.exe 101 PID 3188 wrote to memory of 3728 3188 Inkjfk32.exe 101 PID 3188 wrote to memory of 3728 3188 Inkjfk32.exe 101 PID 3728 wrote to memory of 3300 3728 Jclljaei.exe 102 PID 3728 wrote to memory of 3300 3728 Jclljaei.exe 102 PID 3728 wrote to memory of 3300 3728 Jclljaei.exe 102 PID 3300 wrote to memory of 3504 3300 Kccbjq32.exe 103 PID 3300 wrote to memory of 3504 3300 Kccbjq32.exe 103 PID 3300 wrote to memory of 3504 3300 Kccbjq32.exe 103 PID 3504 wrote to memory of 2092 3504 Kaqejcep.exe 104 PID 3504 wrote to memory of 2092 3504 Kaqejcep.exe 104 PID 3504 wrote to memory of 2092 3504 Kaqejcep.exe 104 PID 2092 wrote to memory of 4920 2092 Mgkjch32.exe 105 PID 2092 wrote to memory of 4920 2092 Mgkjch32.exe 105 PID 2092 wrote to memory of 4920 2092 Mgkjch32.exe 105 PID 4920 wrote to memory of 4996 4920 Noqofdlj.exe 106 PID 4920 wrote to memory of 4996 4920 Noqofdlj.exe 106 PID 4920 wrote to memory of 4996 4920 Noqofdlj.exe 106 PID 4996 wrote to memory of 2224 4996 Pkjegb32.exe 107 PID 4996 wrote to memory of 2224 4996 Pkjegb32.exe 107 PID 4996 wrote to memory of 2224 4996 Pkjegb32.exe 107 PID 2224 wrote to memory of 3800 2224 Bichcc32.exe 108 PID 2224 wrote to memory of 3800 2224 Bichcc32.exe 108 PID 2224 wrote to memory of 3800 2224 Bichcc32.exe 108 PID 3800 wrote to memory of 3784 3800 Blkgen32.exe 109 PID 3800 wrote to memory of 3784 3800 Blkgen32.exe 109 PID 3800 wrote to memory of 3784 3800 Blkgen32.exe 109 PID 3784 wrote to memory of 4348 3784 Cblebgfh.exe 110 PID 3784 wrote to memory of 4348 3784 Cblebgfh.exe 110 PID 3784 wrote to memory of 4348 3784 Cblebgfh.exe 110 PID 4348 wrote to memory of 4860 4348 Dfngcdhi.exe 111 PID 4348 wrote to memory of 4860 4348 Dfngcdhi.exe 111 PID 4348 wrote to memory of 4860 4348 Dfngcdhi.exe 111 PID 4860 wrote to memory of 1828 4860 Dlnlak32.exe 112 PID 4860 wrote to memory of 1828 4860 Dlnlak32.exe 112 PID 4860 wrote to memory of 1828 4860 Dlnlak32.exe 112 PID 1828 wrote to memory of 2104 1828 Dlbfmjqi.exe 113 PID 1828 wrote to memory of 2104 1828 Dlbfmjqi.exe 113 PID 1828 wrote to memory of 2104 1828 Dlbfmjqi.exe 113 PID 2104 wrote to memory of 3876 2104 Epbkhhel.exe 114 PID 2104 wrote to memory of 3876 2104 Epbkhhel.exe 114 PID 2104 wrote to memory of 3876 2104 Epbkhhel.exe 114 PID 3876 wrote to memory of 3748 3876 Flpbnh32.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.ddf463539b29e45d03e2cac7d5939ef0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.ddf463539b29e45d03e2cac7d5939ef0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Dgfdojfm.exeC:\Windows\system32\Dgfdojfm.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Gqagkjne.exeC:\Windows\system32\Gqagkjne.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Hcembe32.exeC:\Windows\system32\Hcembe32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Hfhbipdb.exeC:\Windows\system32\Hfhbipdb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Windows\SysWOW64\Ijfkpnji.exeC:\Windows\system32\Ijfkpnji.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\Iqbpahpc.exeC:\Windows\system32\Iqbpahpc.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Inkjfk32.exeC:\Windows\system32\Inkjfk32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Jclljaei.exeC:\Windows\system32\Jclljaei.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\SysWOW64\Kccbjq32.exeC:\Windows\system32\Kccbjq32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\Kaqejcep.exeC:\Windows\system32\Kaqejcep.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Mgkjch32.exeC:\Windows\system32\Mgkjch32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Noqofdlj.exeC:\Windows\system32\Noqofdlj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Pkjegb32.exeC:\Windows\system32\Pkjegb32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Bichcc32.exeC:\Windows\system32\Bichcc32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Blkgen32.exeC:\Windows\system32\Blkgen32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Cblebgfh.exeC:\Windows\system32\Cblebgfh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\Dfngcdhi.exeC:\Windows\system32\Dfngcdhi.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\Dlnlak32.exeC:\Windows\system32\Dlnlak32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\Dlbfmjqi.exeC:\Windows\system32\Dlbfmjqi.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Epbkhhel.exeC:\Windows\system32\Epbkhhel.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Flpbnh32.exeC:\Windows\system32\Flpbnh32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\SysWOW64\Fpeaeedg.exeC:\Windows\system32\Fpeaeedg.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3748 -
C:\Windows\SysWOW64\Hodqlq32.exeC:\Windows\system32\Hodqlq32.exe24⤵
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Hhobjf32.exeC:\Windows\system32\Hhobjf32.exe25⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Imfmgcdn.exeC:\Windows\system32\Imfmgcdn.exe26⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Jgbhdkml.exeC:\Windows\system32\Jgbhdkml.exe27⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Kcehejic.exeC:\Windows\system32\Kcehejic.exe28⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Liifnp32.exeC:\Windows\system32\Liifnp32.exe29⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Labkempb.exeC:\Windows\system32\Labkempb.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Mhefhf32.exeC:\Windows\system32\Mhefhf32.exe31⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Mpchbhjl.exeC:\Windows\system32\Mpchbhjl.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Nkboeobh.exeC:\Windows\system32\Nkboeobh.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Npognfpo.exeC:\Windows\system32\Npognfpo.exe34⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Niglfl32.exeC:\Windows\system32\Niglfl32.exe35⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Ngklppei.exeC:\Windows\system32\Ngklppei.exe36⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Onngci32.exeC:\Windows\system32\Onngci32.exe37⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Pkgaglpp.exeC:\Windows\system32\Pkgaglpp.exe38⤵
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Pknghk32.exeC:\Windows\system32\Pknghk32.exe39⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Agiahlkf.exeC:\Windows\system32\Agiahlkf.exe40⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Aqilaplo.exeC:\Windows\system32\Aqilaplo.exe41⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Bgjjoi32.exeC:\Windows\system32\Bgjjoi32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Bbbkbbkg.exeC:\Windows\system32\Bbbkbbkg.exe43⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Dendok32.exeC:\Windows\system32\Dendok32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Daeddlco.exeC:\Windows\system32\Daeddlco.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3844 -
C:\Windows\SysWOW64\Dehgejep.exeC:\Windows\system32\Dehgejep.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Eaqdpjia.exeC:\Windows\system32\Eaqdpjia.exe47⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Ebpqjmpd.exeC:\Windows\system32\Ebpqjmpd.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:4872 -
C:\Windows\SysWOW64\Ebbmpmnb.exeC:\Windows\system32\Ebbmpmnb.exe49⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Fkgejncb.exeC:\Windows\system32\Fkgejncb.exe50⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Faamghko.exeC:\Windows\system32\Faamghko.exe51⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Fbqiak32.exeC:\Windows\system32\Fbqiak32.exe52⤵
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Gbcffk32.exeC:\Windows\system32\Gbcffk32.exe53⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Hligqnjp.exeC:\Windows\system32\Hligqnjp.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:4400 -
C:\Windows\SysWOW64\Ihgnfnjl.exeC:\Windows\system32\Ihgnfnjl.exe55⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Ijgjpaao.exeC:\Windows\system32\Ijgjpaao.exe56⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Jkajnh32.exeC:\Windows\system32\Jkajnh32.exe57⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Jkhpogij.exeC:\Windows\system32\Jkhpogij.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Kbgafqla.exeC:\Windows\system32\Kbgafqla.exe59⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Ljleil32.exeC:\Windows\system32\Ljleil32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\Lmmokgne.exeC:\Windows\system32\Lmmokgne.exe61⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Mmokpglb.exeC:\Windows\system32\Mmokpglb.exe62⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Ncecioib.exeC:\Windows\system32\Ncecioib.exe63⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Niblafgi.exeC:\Windows\system32\Niblafgi.exe64⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Ndgpnogo.exeC:\Windows\system32\Ndgpnogo.exe65⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Ofmbkipk.exeC:\Windows\system32\Ofmbkipk.exe66⤵PID:4536
-
C:\Windows\SysWOW64\Omnqhbap.exeC:\Windows\system32\Omnqhbap.exe67⤵
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Offeahhp.exeC:\Windows\system32\Offeahhp.exe68⤵PID:5024
-
C:\Windows\SysWOW64\Pignccea.exeC:\Windows\system32\Pignccea.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4152 -
C:\Windows\SysWOW64\Pgknlg32.exeC:\Windows\system32\Pgknlg32.exe70⤵PID:5044
-
C:\Windows\SysWOW64\Pmefiakh.exeC:\Windows\system32\Pmefiakh.exe71⤵PID:1288
-
C:\Windows\SysWOW64\Qkmqne32.exeC:\Windows\system32\Qkmqne32.exe72⤵
- Drops file in System32 directory
PID:5000 -
C:\Windows\SysWOW64\Apobakpn.exeC:\Windows\system32\Apobakpn.exe73⤵
- Drops file in System32 directory
PID:388 -
C:\Windows\SysWOW64\Agkgceeh.exeC:\Windows\system32\Agkgceeh.exe74⤵PID:4488
-
C:\Windows\SysWOW64\Aljmal32.exeC:\Windows\system32\Aljmal32.exe75⤵PID:2392
-
C:\Windows\SysWOW64\Akkmocjl.exeC:\Windows\system32\Akkmocjl.exe76⤵PID:232
-
C:\Windows\SysWOW64\Bloflk32.exeC:\Windows\system32\Bloflk32.exe77⤵
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Bcngddao.exeC:\Windows\system32\Bcngddao.exe78⤵PID:208
-
C:\Windows\SysWOW64\Bjhpqn32.exeC:\Windows\system32\Bjhpqn32.exe79⤵
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Bqdechnf.exeC:\Windows\system32\Bqdechnf.exe80⤵PID:3648
-
C:\Windows\SysWOW64\Ckqoapgd.exeC:\Windows\system32\Ckqoapgd.exe81⤵PID:4836
-
C:\Windows\SysWOW64\Ddkpoelb.exeC:\Windows\system32\Ddkpoelb.exe82⤵PID:4284
-
C:\Windows\SysWOW64\Dkgeao32.exeC:\Windows\system32\Dkgeao32.exe83⤵PID:4876
-
C:\Windows\SysWOW64\Ddpjjd32.exeC:\Windows\system32\Ddpjjd32.exe84⤵PID:4828
-
C:\Windows\SysWOW64\Dgqblp32.exeC:\Windows\system32\Dgqblp32.exe85⤵PID:3228
-
C:\Windows\SysWOW64\Dkokbn32.exeC:\Windows\system32\Dkokbn32.exe86⤵PID:4448
-
C:\Windows\SysWOW64\Eljknl32.exeC:\Windows\system32\Eljknl32.exe87⤵
- Modifies registry class
PID:4604 -
C:\Windows\SysWOW64\Emlgedge.exeC:\Windows\system32\Emlgedge.exe88⤵PID:4916
-
C:\Windows\SysWOW64\Fhalcm32.exeC:\Windows\system32\Fhalcm32.exe89⤵PID:4620
-
C:\Windows\SysWOW64\Fmndkd32.exeC:\Windows\system32\Fmndkd32.exe90⤵
- Modifies registry class
PID:4120 -
C:\Windows\SysWOW64\Flodilma.exeC:\Windows\system32\Flodilma.exe91⤵
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Fmpaqd32.exeC:\Windows\system32\Fmpaqd32.exe92⤵PID:5176
-
C:\Windows\SysWOW64\Fhfenmbe.exeC:\Windows\system32\Fhfenmbe.exe93⤵
- Modifies registry class
PID:5216 -
C:\Windows\SysWOW64\Fnpmkg32.exeC:\Windows\system32\Fnpmkg32.exe94⤵PID:5268
-
C:\Windows\SysWOW64\Fejegaao.exeC:\Windows\system32\Fejegaao.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5308 -
C:\Windows\SysWOW64\Fjfnphpf.exeC:\Windows\system32\Fjfnphpf.exe96⤵PID:5352
-
C:\Windows\SysWOW64\Hhhkjj32.exeC:\Windows\system32\Hhhkjj32.exe97⤵PID:5532
-
C:\Windows\SysWOW64\Ildpbfmf.exeC:\Windows\system32\Ildpbfmf.exe98⤵
- Modifies registry class
PID:5656 -
C:\Windows\SysWOW64\Idbalhho.exeC:\Windows\system32\Idbalhho.exe99⤵PID:5704
-
C:\Windows\SysWOW64\Khlinedh.exeC:\Windows\system32\Khlinedh.exe100⤵PID:5860
-
C:\Windows\SysWOW64\Llqhdb32.exeC:\Windows\system32\Llqhdb32.exe101⤵PID:4764
-
C:\Windows\SysWOW64\Mkohln32.exeC:\Windows\system32\Mkohln32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5340 -
C:\Windows\SysWOW64\Niohap32.exeC:\Windows\system32\Niohap32.exe103⤵PID:5548
-
C:\Windows\SysWOW64\Nbiioe32.exeC:\Windows\system32\Nbiioe32.exe104⤵PID:5848
-
C:\Windows\SysWOW64\Nnbfjf32.exeC:\Windows\system32\Nnbfjf32.exe105⤵PID:5824
-
C:\Windows\SysWOW64\Omdghmfo.exeC:\Windows\system32\Omdghmfo.exe106⤵PID:5912
-
C:\Windows\SysWOW64\Onecof32.exeC:\Windows\system32\Onecof32.exe107⤵PID:6004
-
C:\Windows\SysWOW64\Omfcmm32.exeC:\Windows\system32\Omfcmm32.exe108⤵PID:5100
-
C:\Windows\SysWOW64\Obcled32.exeC:\Windows\system32\Obcled32.exe109⤵
- Drops file in System32 directory
PID:5980 -
C:\Windows\SysWOW64\Ofadlbhj.exeC:\Windows\system32\Ofadlbhj.exe110⤵PID:3188
-
C:\Windows\SysWOW64\Omkmhlpf.exeC:\Windows\system32\Omkmhlpf.exe111⤵
- Drops file in System32 directory
PID:6080 -
C:\Windows\SysWOW64\Obgeqcnn.exeC:\Windows\system32\Obgeqcnn.exe112⤵PID:6124
-
C:\Windows\SysWOW64\Pbjbfclk.exeC:\Windows\system32\Pbjbfclk.exe113⤵PID:5112
-
C:\Windows\SysWOW64\Pidjcm32.exeC:\Windows\system32\Pidjcm32.exe114⤵PID:5140
-
C:\Windows\SysWOW64\Poqckdap.exeC:\Windows\system32\Poqckdap.exe115⤵PID:3504
-
C:\Windows\SysWOW64\Hpchdf32.exeC:\Windows\system32\Hpchdf32.exe116⤵PID:5972
-
C:\Windows\SysWOW64\Hfonfp32.exeC:\Windows\system32\Hfonfp32.exe117⤵PID:3300
-
C:\Windows\SysWOW64\Ihhmgaqb.exeC:\Windows\system32\Ihhmgaqb.exe118⤵
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Jdhpba32.exeC:\Windows\system32\Jdhpba32.exe119⤵
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Jondojna.exeC:\Windows\system32\Jondojna.exe120⤵PID:5804
-
C:\Windows\SysWOW64\Kgpodk32.exeC:\Windows\system32\Kgpodk32.exe121⤵PID:3784
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-