Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
166s -
max time network
174s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2023, 05:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.dcde6c1e9d1369a0ddcea902cd4aa6f0.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.dcde6c1e9d1369a0ddcea902cd4aa6f0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.dcde6c1e9d1369a0ddcea902cd4aa6f0.exe
-
Size
790KB
-
MD5
dcde6c1e9d1369a0ddcea902cd4aa6f0
-
SHA1
909991a93a37a6b7f91d655a047a4e701d79f7ba
-
SHA256
31395c3427650d8cf387e72afb4f6c5e64540e6417473c7ada9ba76e2d2fb95f
-
SHA512
2e881b524547f154f9b9fb4c880445410285ee731a445701167f23d827bed868b149a50768601bc054a33d3011f640db38d0d260b10a902546da7ff3aee61af0
-
SSDEEP
12288:HAKJFB24lwR45FB24lJ87g7/VycgE81lgxaa79y:gOPLPEoIlg17o
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kalccp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad NEAS.dcde6c1e9d1369a0ddcea902cd4aa6f0.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oookgbpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laofhbmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojgjhicl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llhnpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahjmne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehklmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qopbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbmoabde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnlpdoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amanfpkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppccemjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aepmjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfgjcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdfjej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnhhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlbecadc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Higjkehf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kalccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgbkgmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppkopail.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmpdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Llhnpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Offnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmeoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfamia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nneboemj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgopbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdehho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmenmgab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adbdml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgnkamef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjemcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okaiep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Homcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efnennjc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gilajmfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oookgbpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Innfgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcfphn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aajggjap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cncnhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omalii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gipbck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fobomglo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajnkmjqj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdmohnhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojdnbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Llddei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpegfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjnjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mclhca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dimcppgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igkmbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmighf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fniiabfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnphio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njjmgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oahgnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kklkej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ampkil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aobieq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kknfmdko.exe -
Executes dropped EXE 64 IoCs
pid Process 756 Qpbgnecp.exe 5040 Fdhail32.exe 2432 Glmhdm32.exe 1552 Hfamia32.exe 4684 Iepihf32.exe 4536 Kagbdenk.exe 1184 Lndfchdj.exe 2884 Ndkjik32.exe 4424 Oookgbpj.exe 5084 Agaoca32.exe 3744 Bbpeghpe.exe 4844 Cpklql32.exe 3628 Dimcppgm.exe 1492 Elgohj32.exe 3964 Fofdkcmd.exe 4208 Gipbck32.exe 3776 Hpaqqdjj.exe 4108 Hpejlc32.exe 3408 Homcbo32.exe 4900 Ijedehgm.exe 4944 Ioffhn32.exe 3920 Jopiom32.exe 3360 Kqdodo32.exe 1804 Kciaqi32.exe 1892 Ladhkmno.exe 3464 Mankaked.exe 1172 Nmlafk32.exe 1828 Ndomiddc.exe 4960 Oahgnh32.exe 896 Odhppclh.exe 728 Pgbkgmao.exe 4312 Agnkck32.exe 3356 Bjhgke32.exe 564 Cqiehnml.exe 4492 Dabhomea.exe 4088 Elaobdmm.exe 2956 Ehklmd32.exe 4564 Eeailhme.exe 5096 Gklnem32.exe 4252 Hojpbigq.exe 4812 Ilcjgm32.exe 336 Ihjjln32.exe 4552 Ifnkeb32.exe 4028 Iofpnhmc.exe 3416 Jbnopbdl.exe 5072 Jodlof32.exe 4540 Ljglnmdi.exe 2820 Lmkbeg32.exe 3024 Mcnmhpoj.exe 1104 Nipokfil.exe 2556 Obafjk32.exe 3564 Opjponbf.exe 4668 Ppoijn32.exe 3364 Pignccea.exe 432 Pboblika.exe 1564 Ppccemjk.exe 3856 Adjnaj32.exe 2188 Dklomnmf.exe 4412 Enaaiifb.exe 2116 Fanigb32.exe 3376 Ioclnblj.exe 712 Jhbfgflc.exe 4600 Khimhefk.exe 3912 Lhgiic32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Iimcgg32.exe Ilibmcln.exe File opened for modification C:\Windows\SysWOW64\Mkhkblii.exe Mmodfqhf.exe File opened for modification C:\Windows\SysWOW64\Gmfilfep.exe Gmclgghc.exe File created C:\Windows\SysWOW64\Plfdocib.dll Kggcgeop.exe File opened for modification C:\Windows\SysWOW64\Pddhlnfg.exe Phmhgmpc.exe File created C:\Windows\SysWOW64\Koglmqej.dll Gbnhhp32.exe File opened for modification C:\Windows\SysWOW64\Apnkfelb.exe Pfoamp32.exe File created C:\Windows\SysWOW64\Khhalafg.exe Kblidkhp.exe File created C:\Windows\SysWOW64\Iciaji32.exe Inlibb32.exe File created C:\Windows\SysWOW64\Olpjfn32.dll Fldnoo32.exe File created C:\Windows\SysWOW64\Elnipj32.dll Jhbfgflc.exe File opened for modification C:\Windows\SysWOW64\Higjkehf.exe Hdjbcnjo.exe File created C:\Windows\SysWOW64\Egcaij32.exe Ekladi32.exe File created C:\Windows\SysWOW64\Oahgnh32.exe Ndomiddc.exe File opened for modification C:\Windows\SysWOW64\Knoonphp.exe Kdfjej32.exe File created C:\Windows\SysWOW64\Glpblg32.dll Hbihdn32.exe File opened for modification C:\Windows\SysWOW64\Iolhdn32.exe Iioplg32.exe File created C:\Windows\SysWOW64\Kdfjej32.exe Kknfmdko.exe File opened for modification C:\Windows\SysWOW64\Gbnhhp32.exe Giecojpb.exe File created C:\Windows\SysWOW64\Abonimmp.exe Pmkopgep.exe File created C:\Windows\SysWOW64\Ocdddddp.dll Ioclnblj.exe File created C:\Windows\SysWOW64\Jenhmaeh.dll Mggolhaj.exe File created C:\Windows\SysWOW64\Aggean32.exe Amaqde32.exe File created C:\Windows\SysWOW64\Lgeehc32.dll Hkbmjhdo.exe File created C:\Windows\SysWOW64\Lolchc32.exe Lojfbc32.exe File created C:\Windows\SysWOW64\Lpklcffg.dll Iepihf32.exe File opened for modification C:\Windows\SysWOW64\Dabhomea.exe Cqiehnml.exe File created C:\Windows\SysWOW64\Ennaaohb.dll Fanigb32.exe File created C:\Windows\SysWOW64\Hkbmjhdo.exe Hplimpdi.exe File created C:\Windows\SysWOW64\Ppqdpilb.dll Phmhgmpc.exe File opened for modification C:\Windows\SysWOW64\Phajgf32.exe Pjhpccnn.exe File created C:\Windows\SysWOW64\Aabkldcl.exe Acnjbpdb.exe File opened for modification C:\Windows\SysWOW64\Ljcldo32.exe Lnmkpm32.exe File created C:\Windows\SysWOW64\Cmjgba32.dll Njjdae32.exe File created C:\Windows\SysWOW64\Nmlafk32.exe Mankaked.exe File created C:\Windows\SysWOW64\Agnkck32.exe Pgbkgmao.exe File opened for modification C:\Windows\SysWOW64\Lgnleiid.exe Lhiodm32.exe File opened for modification C:\Windows\SysWOW64\Ckaffjbg.exe Aakelfhg.exe File created C:\Windows\SysWOW64\Iocheg32.dll Omnqcfig.exe File opened for modification C:\Windows\SysWOW64\Ekladi32.exe Dddlfa32.exe File opened for modification C:\Windows\SysWOW64\Kcmfgimm.exe Klbnjo32.exe File created C:\Windows\SysWOW64\Olejbnna.dll Efnennjc.exe File created C:\Windows\SysWOW64\Nlfnkoia.exe Nmenmgab.exe File created C:\Windows\SysWOW64\Haebol32.exe Hlhife32.exe File created C:\Windows\SysWOW64\Nmcphkik.exe Nbnlkbje.exe File created C:\Windows\SysWOW64\Dabhomea.exe Cqiehnml.exe File opened for modification C:\Windows\SysWOW64\Aepmjk32.exe Apnkfelb.exe File created C:\Windows\SysWOW64\Pdgkicol.dll Ppkopail.exe File created C:\Windows\SysWOW64\Chnlbndj.exe Bammeebe.exe File opened for modification C:\Windows\SysWOW64\Aabkldcl.exe Acnjbpdb.exe File opened for modification C:\Windows\SysWOW64\Ajjoej32.exe Aabkldcl.exe File created C:\Windows\SysWOW64\Ahfmka32.exe Phkmoc32.exe File created C:\Windows\SysWOW64\Ebldne32.dll Iifmfh32.exe File created C:\Windows\SysWOW64\Onaokmmm.dll Jpbjophf.exe File created C:\Windows\SysWOW64\Jlphnbfe.exe Iolhdn32.exe File created C:\Windows\SysWOW64\Hpejlc32.exe Hpaqqdjj.exe File created C:\Windows\SysWOW64\Bgnkamef.exe Aobieq32.exe File created C:\Windows\SysWOW64\Lnnakg32.exe Lomqmoob.exe File opened for modification C:\Windows\SysWOW64\Opiipkfb.exe Ogndki32.exe File created C:\Windows\SysWOW64\Bbpeghpe.exe Agaoca32.exe File created C:\Windows\SysWOW64\Kfehoj32.exe Goediekj.exe File created C:\Windows\SysWOW64\Poajdlcq.exe Mnknkbdk.exe File created C:\Windows\SysWOW64\Nnccmddi.exe Njekfenc.exe File created C:\Windows\SysWOW64\Pmlmdd32.exe Pddhlnfg.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hjedpkne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdecijld.dll" Mchpibng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Klpaep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aanjiqki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Goediekj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lfnfhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajnkmjqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojacqnom.dll" Jnelha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hecjej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lemkmhpd.dll" Nmacbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dokocp32.dll" Njjmgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kplcjb32.dll" Ppoijn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ppccemjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmpaad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qgmbkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Omnqcfig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojdnbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgogdc32.dll" Plmmbkdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ighfkpji.dll" Ebiffc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bkkhlhlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jodlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hidgpjoi.dll" Ahfmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcalohbe.dll" Lnhadnpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jemfbgiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlhqll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkakdg32.dll" Qpbgnecp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hpaqqdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflkln32.dll" Qaalkamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lgpocm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pooaknic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jodlof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amfqikko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cncnhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ilibmcln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gkdhcqcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbclgiio.dll" Qhfcbfdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgigfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlfnkoia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gnkfgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oookgbpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Higjkehf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iofpnhmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ahfmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nconal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ohceqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cocjbkna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mcdeof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndkjik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpejlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Elpknehe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Innfgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbgmpqi.dll" Ffnkggld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ffmmgceo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cobkbhgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpaekgph.dll" Innfgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpfcpcam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nojbielj.dll" Jemfbgiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Apnkfelb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmchc32.dll" Higjkehf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmeapa32.dll" Acnjbpdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khikgb32.dll" Bigbgehl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kggcgeop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cncnhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lfnfhg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4572 wrote to memory of 756 4572 NEAS.dcde6c1e9d1369a0ddcea902cd4aa6f0.exe 89 PID 4572 wrote to memory of 756 4572 NEAS.dcde6c1e9d1369a0ddcea902cd4aa6f0.exe 89 PID 4572 wrote to memory of 756 4572 NEAS.dcde6c1e9d1369a0ddcea902cd4aa6f0.exe 89 PID 756 wrote to memory of 5040 756 Qpbgnecp.exe 90 PID 756 wrote to memory of 5040 756 Qpbgnecp.exe 90 PID 756 wrote to memory of 5040 756 Qpbgnecp.exe 90 PID 5040 wrote to memory of 2432 5040 Fdhail32.exe 92 PID 5040 wrote to memory of 2432 5040 Fdhail32.exe 92 PID 5040 wrote to memory of 2432 5040 Fdhail32.exe 92 PID 2432 wrote to memory of 1552 2432 Glmhdm32.exe 93 PID 2432 wrote to memory of 1552 2432 Glmhdm32.exe 93 PID 2432 wrote to memory of 1552 2432 Glmhdm32.exe 93 PID 1552 wrote to memory of 4684 1552 Hfamia32.exe 94 PID 1552 wrote to memory of 4684 1552 Hfamia32.exe 94 PID 1552 wrote to memory of 4684 1552 Hfamia32.exe 94 PID 4684 wrote to memory of 4536 4684 Iepihf32.exe 95 PID 4684 wrote to memory of 4536 4684 Iepihf32.exe 95 PID 4684 wrote to memory of 4536 4684 Iepihf32.exe 95 PID 4536 wrote to memory of 1184 4536 Kagbdenk.exe 96 PID 4536 wrote to memory of 1184 4536 Kagbdenk.exe 96 PID 4536 wrote to memory of 1184 4536 Kagbdenk.exe 96 PID 1184 wrote to memory of 2884 1184 Lndfchdj.exe 97 PID 1184 wrote to memory of 2884 1184 Lndfchdj.exe 97 PID 1184 wrote to memory of 2884 1184 Lndfchdj.exe 97 PID 2884 wrote to memory of 4424 2884 Ndkjik32.exe 98 PID 2884 wrote to memory of 4424 2884 Ndkjik32.exe 98 PID 2884 wrote to memory of 4424 2884 Ndkjik32.exe 98 PID 4424 wrote to memory of 5084 4424 Oookgbpj.exe 99 PID 4424 wrote to memory of 5084 4424 Oookgbpj.exe 99 PID 4424 wrote to memory of 5084 4424 Oookgbpj.exe 99 PID 5084 wrote to memory of 3744 5084 Agaoca32.exe 100 PID 5084 wrote to memory of 3744 5084 Agaoca32.exe 100 PID 5084 wrote to memory of 3744 5084 Agaoca32.exe 100 PID 3744 wrote to memory of 4844 3744 Bbpeghpe.exe 101 PID 3744 wrote to memory of 4844 3744 Bbpeghpe.exe 101 PID 3744 wrote to memory of 4844 3744 Bbpeghpe.exe 101 PID 4844 wrote to memory of 3628 4844 Cpklql32.exe 102 PID 4844 wrote to memory of 3628 4844 Cpklql32.exe 102 PID 4844 wrote to memory of 3628 4844 Cpklql32.exe 102 PID 3628 wrote to memory of 1492 3628 Dimcppgm.exe 104 PID 3628 wrote to memory of 1492 3628 Dimcppgm.exe 104 PID 3628 wrote to memory of 1492 3628 Dimcppgm.exe 104 PID 1492 wrote to memory of 3964 1492 Elgohj32.exe 105 PID 1492 wrote to memory of 3964 1492 Elgohj32.exe 105 PID 1492 wrote to memory of 3964 1492 Elgohj32.exe 105 PID 3964 wrote to memory of 4208 3964 Fofdkcmd.exe 106 PID 3964 wrote to memory of 4208 3964 Fofdkcmd.exe 106 PID 3964 wrote to memory of 4208 3964 Fofdkcmd.exe 106 PID 4208 wrote to memory of 3776 4208 Gipbck32.exe 107 PID 4208 wrote to memory of 3776 4208 Gipbck32.exe 107 PID 4208 wrote to memory of 3776 4208 Gipbck32.exe 107 PID 3776 wrote to memory of 4108 3776 Hpaqqdjj.exe 108 PID 3776 wrote to memory of 4108 3776 Hpaqqdjj.exe 108 PID 3776 wrote to memory of 4108 3776 Hpaqqdjj.exe 108 PID 4108 wrote to memory of 3408 4108 Hpejlc32.exe 109 PID 4108 wrote to memory of 3408 4108 Hpejlc32.exe 109 PID 4108 wrote to memory of 3408 4108 Hpejlc32.exe 109 PID 3408 wrote to memory of 4900 3408 Homcbo32.exe 110 PID 3408 wrote to memory of 4900 3408 Homcbo32.exe 110 PID 3408 wrote to memory of 4900 3408 Homcbo32.exe 110 PID 4900 wrote to memory of 4944 4900 Ijedehgm.exe 111 PID 4900 wrote to memory of 4944 4900 Ijedehgm.exe 111 PID 4900 wrote to memory of 4944 4900 Ijedehgm.exe 111 PID 4944 wrote to memory of 3920 4944 Ioffhn32.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.dcde6c1e9d1369a0ddcea902cd4aa6f0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.dcde6c1e9d1369a0ddcea902cd4aa6f0.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Qpbgnecp.exeC:\Windows\system32\Qpbgnecp.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Fdhail32.exeC:\Windows\system32\Fdhail32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Glmhdm32.exeC:\Windows\system32\Glmhdm32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Hfamia32.exeC:\Windows\system32\Hfamia32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Iepihf32.exeC:\Windows\system32\Iepihf32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\Kagbdenk.exeC:\Windows\system32\Kagbdenk.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Lndfchdj.exeC:\Windows\system32\Lndfchdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Ndkjik32.exeC:\Windows\system32\Ndkjik32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Oookgbpj.exeC:\Windows\system32\Oookgbpj.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Agaoca32.exeC:\Windows\system32\Agaoca32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Bbpeghpe.exeC:\Windows\system32\Bbpeghpe.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Windows\SysWOW64\Cpklql32.exeC:\Windows\system32\Cpklql32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Dimcppgm.exeC:\Windows\system32\Dimcppgm.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Windows\SysWOW64\Elgohj32.exeC:\Windows\system32\Elgohj32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Fofdkcmd.exeC:\Windows\system32\Fofdkcmd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Gipbck32.exeC:\Windows\system32\Gipbck32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\SysWOW64\Hpaqqdjj.exeC:\Windows\system32\Hpaqqdjj.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Windows\SysWOW64\Hpejlc32.exeC:\Windows\system32\Hpejlc32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\Homcbo32.exeC:\Windows\system32\Homcbo32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Windows\SysWOW64\Ijedehgm.exeC:\Windows\system32\Ijedehgm.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Ioffhn32.exeC:\Windows\system32\Ioffhn32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Jopiom32.exeC:\Windows\system32\Jopiom32.exe23⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Kqdodo32.exeC:\Windows\system32\Kqdodo32.exe24⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Kciaqi32.exeC:\Windows\system32\Kciaqi32.exe25⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Ladhkmno.exeC:\Windows\system32\Ladhkmno.exe26⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Mankaked.exeC:\Windows\system32\Mankaked.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3464 -
C:\Windows\SysWOW64\Nmlafk32.exeC:\Windows\system32\Nmlafk32.exe28⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Ndomiddc.exeC:\Windows\system32\Ndomiddc.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Oahgnh32.exeC:\Windows\system32\Oahgnh32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Odhppclh.exeC:\Windows\system32\Odhppclh.exe31⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Pgbkgmao.exeC:\Windows\system32\Pgbkgmao.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:728 -
C:\Windows\SysWOW64\Agnkck32.exeC:\Windows\system32\Agnkck32.exe33⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Bjhgke32.exeC:\Windows\system32\Bjhgke32.exe34⤵
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Cqiehnml.exeC:\Windows\system32\Cqiehnml.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:564 -
C:\Windows\SysWOW64\Dabhomea.exeC:\Windows\system32\Dabhomea.exe36⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Elaobdmm.exeC:\Windows\system32\Elaobdmm.exe37⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Ehklmd32.exeC:\Windows\system32\Ehklmd32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Eeailhme.exeC:\Windows\system32\Eeailhme.exe39⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Gklnem32.exeC:\Windows\system32\Gklnem32.exe40⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Hojpbigq.exeC:\Windows\system32\Hojpbigq.exe41⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Ilcjgm32.exeC:\Windows\system32\Ilcjgm32.exe42⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Ihjjln32.exeC:\Windows\system32\Ihjjln32.exe43⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Ifnkeb32.exeC:\Windows\system32\Ifnkeb32.exe44⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Iofpnhmc.exeC:\Windows\system32\Iofpnhmc.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4028 -
C:\Windows\SysWOW64\Jbnopbdl.exeC:\Windows\system32\Jbnopbdl.exe46⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Jodlof32.exeC:\Windows\system32\Jodlof32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:5072 -
C:\Windows\SysWOW64\Ljglnmdi.exeC:\Windows\system32\Ljglnmdi.exe48⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Lmkbeg32.exeC:\Windows\system32\Lmkbeg32.exe49⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Mcnmhpoj.exeC:\Windows\system32\Mcnmhpoj.exe50⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Nipokfil.exeC:\Windows\system32\Nipokfil.exe51⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Obafjk32.exeC:\Windows\system32\Obafjk32.exe52⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Opjponbf.exeC:\Windows\system32\Opjponbf.exe53⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Ppoijn32.exeC:\Windows\system32\Ppoijn32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:4668 -
C:\Windows\SysWOW64\Pignccea.exeC:\Windows\system32\Pignccea.exe55⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Pboblika.exeC:\Windows\system32\Pboblika.exe56⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Ppccemjk.exeC:\Windows\system32\Ppccemjk.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Adjnaj32.exeC:\Windows\system32\Adjnaj32.exe58⤵
- Executes dropped EXE
PID:3856 -
C:\Windows\SysWOW64\Dklomnmf.exeC:\Windows\system32\Dklomnmf.exe59⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Enaaiifb.exeC:\Windows\system32\Enaaiifb.exe60⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Fanigb32.exeC:\Windows\system32\Fanigb32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Ioclnblj.exeC:\Windows\system32\Ioclnblj.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3376 -
C:\Windows\SysWOW64\Jhbfgflc.exeC:\Windows\system32\Jhbfgflc.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:712 -
C:\Windows\SysWOW64\Khimhefk.exeC:\Windows\system32\Khimhefk.exe64⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Lhgiic32.exeC:\Windows\system32\Lhgiic32.exe65⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Lkhbko32.exeC:\Windows\system32\Lkhbko32.exe66⤵PID:1464
-
C:\Windows\SysWOW64\Lfnfhg32.exeC:\Windows\system32\Lfnfhg32.exe67⤵
- Modifies registry class
PID:4288 -
C:\Windows\SysWOW64\Mmodfqhf.exeC:\Windows\system32\Mmodfqhf.exe68⤵
- Drops file in System32 directory
PID:4616 -
C:\Windows\SysWOW64\Mkhkblii.exeC:\Windows\system32\Mkhkblii.exe69⤵PID:2528
-
C:\Windows\SysWOW64\Nifnao32.exeC:\Windows\system32\Nifnao32.exe70⤵PID:2300
-
C:\Windows\SysWOW64\Opdpih32.exeC:\Windows\system32\Opdpih32.exe71⤵PID:1976
-
C:\Windows\SysWOW64\Pldcdhpi.exeC:\Windows\system32\Pldcdhpi.exe72⤵PID:2452
-
C:\Windows\SysWOW64\Pfoamp32.exeC:\Windows\system32\Pfoamp32.exe73⤵
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Apnkfelb.exeC:\Windows\system32\Apnkfelb.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:4508 -
C:\Windows\SysWOW64\Aepmjk32.exeC:\Windows\system32\Aepmjk32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2432 -
C:\Windows\SysWOW64\Bgafin32.exeC:\Windows\system32\Bgafin32.exe76⤵PID:892
-
C:\Windows\SysWOW64\Dqhpjohb.exeC:\Windows\system32\Dqhpjohb.exe77⤵PID:208
-
C:\Windows\SysWOW64\Eggbbhkj.exeC:\Windows\system32\Eggbbhkj.exe78⤵PID:4608
-
C:\Windows\SysWOW64\Ecnbgian.exeC:\Windows\system32\Ecnbgian.exe79⤵PID:2424
-
C:\Windows\SysWOW64\Hjkigojc.exeC:\Windows\system32\Hjkigojc.exe80⤵PID:3744
-
C:\Windows\SysWOW64\Igkmbn32.exeC:\Windows\system32\Igkmbn32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1588 -
C:\Windows\SysWOW64\Kacgld32.exeC:\Windows\system32\Kacgld32.exe82⤵PID:816
-
C:\Windows\SysWOW64\Kklkej32.exeC:\Windows\system32\Kklkej32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4780 -
C:\Windows\SysWOW64\Kddpnpdn.exeC:\Windows\system32\Kddpnpdn.exe84⤵PID:5084
-
C:\Windows\SysWOW64\Kgeiokao.exeC:\Windows\system32\Kgeiokao.exe85⤵PID:4208
-
C:\Windows\SysWOW64\Laofhbmp.exeC:\Windows\system32\Laofhbmp.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2200 -
C:\Windows\SysWOW64\Lhiodm32.exeC:\Windows\system32\Lhiodm32.exe87⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Lgnleiid.exeC:\Windows\system32\Lgnleiid.exe88⤵PID:4664
-
C:\Windows\SysWOW64\Mnojcb32.exeC:\Windows\system32\Mnojcb32.exe89⤵PID:2240
-
C:\Windows\SysWOW64\Mggolhaj.exeC:\Windows\system32\Mggolhaj.exe90⤵
- Drops file in System32 directory
PID:5100 -
C:\Windows\SysWOW64\Nqdlpmce.exeC:\Windows\system32\Nqdlpmce.exe91⤵PID:4628
-
C:\Windows\SysWOW64\Nkojheoe.exeC:\Windows\system32\Nkojheoe.exe92⤵PID:3884
-
C:\Windows\SysWOW64\Obdbqm32.exeC:\Windows\system32\Obdbqm32.exe93⤵PID:348
-
C:\Windows\SysWOW64\Ppkopail.exeC:\Windows\system32\Ppkopail.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4480 -
C:\Windows\SysWOW64\Phkmoc32.exeC:\Windows\system32\Phkmoc32.exe95⤵
- Drops file in System32 directory
PID:4040 -
C:\Windows\SysWOW64\Ahfmka32.exeC:\Windows\system32\Ahfmka32.exe96⤵
- Modifies registry class
PID:784 -
C:\Windows\SysWOW64\Bafgdfim.exeC:\Windows\system32\Bafgdfim.exe97⤵PID:1492
-
C:\Windows\SysWOW64\Bammeebe.exeC:\Windows\system32\Bammeebe.exe98⤵
- Drops file in System32 directory
PID:3620 -
C:\Windows\SysWOW64\Chnlbndj.exeC:\Windows\system32\Chnlbndj.exe99⤵PID:400
-
C:\Windows\SysWOW64\Efdbhpbn.exeC:\Windows\system32\Efdbhpbn.exe100⤵PID:548
-
C:\Windows\SysWOW64\Epjfehbd.exeC:\Windows\system32\Epjfehbd.exe101⤵PID:2936
-
C:\Windows\SysWOW64\Ejbknnid.exeC:\Windows\system32\Ejbknnid.exe102⤵PID:2380
-
C:\Windows\SysWOW64\Efnennjc.exeC:\Windows\system32\Efnennjc.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:64 -
C:\Windows\SysWOW64\Fbgbione.exeC:\Windows\system32\Fbgbione.exe104⤵PID:3924
-
C:\Windows\SysWOW64\Gmclgghc.exeC:\Windows\system32\Gmclgghc.exe105⤵
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Gmfilfep.exeC:\Windows\system32\Gmfilfep.exe106⤵PID:4928
-
C:\Windows\SysWOW64\Gbgkpm32.exeC:\Windows\system32\Gbgkpm32.exe107⤵PID:3356
-
C:\Windows\SysWOW64\Hidpbf32.exeC:\Windows\system32\Hidpbf32.exe108⤵PID:3820
-
C:\Windows\SysWOW64\Habndbpf.exeC:\Windows\system32\Habndbpf.exe109⤵PID:4024
-
C:\Windows\SysWOW64\Jpegfm32.exeC:\Windows\system32\Jpegfm32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4512 -
C:\Windows\SysWOW64\Mgpaqbcf.exeC:\Windows\system32\Mgpaqbcf.exe111⤵PID:3000
-
C:\Windows\SysWOW64\Aanjiqki.exeC:\Windows\system32\Aanjiqki.exe112⤵
- Modifies registry class
PID:4900 -
C:\Windows\SysWOW64\Kbceoped.exeC:\Windows\system32\Kbceoped.exe113⤵PID:4692
-
C:\Windows\SysWOW64\Kedoqkbe.exeC:\Windows\system32\Kedoqkbe.exe114⤵PID:3556
-
C:\Windows\SysWOW64\Llngmeja.exeC:\Windows\system32\Llngmeja.exe115⤵PID:1028
-
C:\Windows\SysWOW64\Lfhdem32.exeC:\Windows\system32\Lfhdem32.exe116⤵PID:4756
-
C:\Windows\SysWOW64\Mdjapphl.exeC:\Windows\system32\Mdjapphl.exe117⤵PID:1968
-
C:\Windows\SysWOW64\Nnbeie32.exeC:\Windows\system32\Nnbeie32.exe118⤵PID:1032
-
C:\Windows\SysWOW64\Nconal32.exeC:\Windows\system32\Nconal32.exe119⤵
- Modifies registry class
PID:448 -
C:\Windows\SysWOW64\Nneboemj.exeC:\Windows\system32\Nneboemj.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1780 -
C:\Windows\SysWOW64\Ngmggj32.exeC:\Windows\system32\Ngmggj32.exe121⤵PID:1388
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-