Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
155s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
12/11/2023, 16:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.bc8614894791e691b1d6b6e67ffce313.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.bc8614894791e691b1d6b6e67ffce313.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.bc8614894791e691b1d6b6e67ffce313.exe
-
Size
101KB
-
MD5
bc8614894791e691b1d6b6e67ffce313
-
SHA1
697cf4bc1c5fce541252b80dd09dbe793ff90a10
-
SHA256
4d22c3249dc235b12f68188c08b9a1cebcc5597d86cf3addc6a34d212a6dec8d
-
SHA512
9c72ce046b9469d73db4a9c7864f24eaa592c2aafd7ee566887c111d31cab0a291f20ace924e2102681c3f689544eeb6ff90e8d1bf079691e70889d5d8d14b3e
-
SSDEEP
3072:+sh06LcJb401gwY/yduXqbyu0sY7q5AnrHY4vDX:+sh06LKUSgwYh853Anr44vDX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Licfgmpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mociol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieiajckh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egnhcgeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmnpah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emcbcd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfaqafjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihbdja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdopjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Malnklgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bimkde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alnmdojp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icooig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cecbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqkifb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djomjfde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbndoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioafchai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbjciano.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olehai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gohapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhpaki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npkmcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pldljbmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hijohoki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdllhdco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fldeie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfnmcnjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dabhmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djnfppqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mociol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmgpbjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hohcmjic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckqoapgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agcikk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkianp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haoighmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdihfq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akjgdjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgnkamef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fongpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmpoch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agbkfood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poajdlcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djnfppqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbddobla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnnoip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkfkod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkebekgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddjecalo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djoohk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfanbpjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhmmkcko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khplnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olehai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ammgifpn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfenncdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdpmkhjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoconenj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iodaikfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Polpim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opjponbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omhpcm32.exe -
Executes dropped EXE 64 IoCs
pid Process 2348 Jemfhacc.exe 2172 Kibeoo32.exe 3216 Legben32.exe 5056 Mjlalkmd.exe 1304 Mqhfoebo.exe 3744 Nfqnbjfi.exe 2248 Opbean32.exe 4500 Qamago32.exe 4628 Aadghn32.exe 3784 Biklho32.exe 1196 Ddcebe32.exe 3964 Ddmhhd32.exe 752 Eajlhg32.exe 3548 Fcpakn32.exe 1740 Gkhbbi32.exe 4920 Hjaioe32.exe 4328 Hcljmj32.exe 2016 Jdopjh32.exe 4892 Kbeibo32.exe 1484 Klbgfc32.exe 4596 Lkcccn32.exe 4884 Mociol32.exe 3196 Ndnnianm.exe 4120 Obfhmd32.exe 2052 Ofijnbkb.exe 4732 Pbddobla.exe 3808 Qkfkng32.exe 5072 Aecialmb.exe 3852 Bemlhj32.exe 440 Cpifeb32.exe 4852 Cffkhl32.exe 2140 Ddekmo32.exe 4184 Dmplkd32.exe 1604 Emioab32.exe 2396 Fneoma32.exe 3520 Gjebiq32.exe 4176 Hmbkfjko.exe 3116 Icnphd32.exe 468 Igqbiacj.exe 2752 Jcjodbgl.exe 2848 Jcoioabf.exe 4632 Khonkogj.exe 5080 Kejeebpl.exe 2024 Lkbmih32.exe 3532 Maaoaa32.exe 3020 Nonbqd32.exe 4072 Nkjlqd32.exe 1884 Ohpiphlb.exe 4904 Okqbac32.exe 4880 Pdpmkhjl.exe 2476 Pfbfjk32.exe 3496 Pfdbpjmi.exe 3180 Qomghp32.exe 3380 Afkipi32.exe 3408 Aofjoo32.exe 2008 Akmjdpac.exe 2148 Bndjfjhl.exe 3084 Bpfcelml.exe 4240 Cbihmg32.exe 3156 Dhmgfm32.exe 4900 Dhdmfljb.exe 4988 Eoconenj.exe 736 Epgdch32.exe 2600 Epiaig32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kmbkfp32.exe Kfhbifgq.exe File created C:\Windows\SysWOW64\Flgfqb32.exe Eojcao32.exe File opened for modification C:\Windows\SysWOW64\Lmdihgkl.exe Llbphdfl.exe File created C:\Windows\SysWOW64\Dbcpapne.dll Kieaqe32.exe File created C:\Windows\SysWOW64\Lagekp32.exe Ljmmnf32.exe File opened for modification C:\Windows\SysWOW64\Odqbdnod.exe Oikngeoo.exe File created C:\Windows\SysWOW64\Fhkcfmbp.exe Fobomglo.exe File created C:\Windows\SysWOW64\Bimkde32.exe Bcpblo32.exe File opened for modification C:\Windows\SysWOW64\Cpifeb32.exe Bemlhj32.exe File opened for modification C:\Windows\SysWOW64\Ejdonq32.exe Dnnoip32.exe File opened for modification C:\Windows\SysWOW64\Bjeckojo.exe Bckknd32.exe File created C:\Windows\SysWOW64\Dkkqnnfc.dll Cqmgigfk.exe File opened for modification C:\Windows\SysWOW64\Kelaef32.exe Kppimogj.exe File created C:\Windows\SysWOW64\Qjefmq32.dll Alnmdojp.exe File created C:\Windows\SysWOW64\Kjhpdofp.dll Bopgdcnc.exe File created C:\Windows\SysWOW64\Qkngdp32.dll Ffbgog32.exe File created C:\Windows\SysWOW64\Ngmggj32.exe Nconal32.exe File opened for modification C:\Windows\SysWOW64\Afboll32.exe Pjgellfb.exe File created C:\Windows\SysWOW64\Epagjcpl.dll Aiejda32.exe File created C:\Windows\SysWOW64\Jmnhamog.dll Mqkijnkp.exe File created C:\Windows\SysWOW64\Chhdbb32.exe Bjddinbn.exe File opened for modification C:\Windows\SysWOW64\Cjfclcpg.exe Cnhlgc32.exe File created C:\Windows\SysWOW64\Llebel32.dll Kkhidaeo.exe File opened for modification C:\Windows\SysWOW64\Mckefmai.exe Mgokflpj.exe File created C:\Windows\SysWOW64\Ecgcpc32.exe Emmkci32.exe File created C:\Windows\SysWOW64\Egoomnin.exe Eelifc32.exe File created C:\Windows\SysWOW64\Obeikc32.exe Omhpcm32.exe File opened for modification C:\Windows\SysWOW64\Jeolonem.exe Jcnpgf32.exe File created C:\Windows\SysWOW64\Epikid32.exe Eiobmjkd.exe File created C:\Windows\SysWOW64\Eaqdpjia.exe Eejcki32.exe File opened for modification C:\Windows\SysWOW64\Hhmmkcko.exe Hmginjki.exe File created C:\Windows\SysWOW64\Hjefecei.dll Qajhigcj.exe File created C:\Windows\SysWOW64\Ogcfncjf.exe Nhbfpl32.exe File opened for modification C:\Windows\SysWOW64\Bfenncdp.exe Bmliem32.exe File opened for modification C:\Windows\SysWOW64\Ommjnlnd.exe Onlipd32.exe File opened for modification C:\Windows\SysWOW64\Hhmdeink.exe Hhkgpjqn.exe File created C:\Windows\SysWOW64\Lifmdfkg.dll Ejdonq32.exe File created C:\Windows\SysWOW64\Facjlhil.exe Fiheheka.exe File opened for modification C:\Windows\SysWOW64\Pmiijjcf.exe Ppnbpg32.exe File created C:\Windows\SysWOW64\Ipmjkh32.exe Immaimnj.exe File created C:\Windows\SysWOW64\Plcdbghi.exe Plagmh32.exe File created C:\Windows\SysWOW64\Bndjfjhl.exe Akmjdpac.exe File opened for modification C:\Windows\SysWOW64\Fnmjkahi.exe Fplimi32.exe File created C:\Windows\SysWOW64\Deehck32.dll Ganppk32.exe File created C:\Windows\SysWOW64\Dfpfhg32.dll Kmbkfp32.exe File opened for modification C:\Windows\SysWOW64\Okedmp32.exe Oioojh32.exe File opened for modification C:\Windows\SysWOW64\Aadghn32.exe Qamago32.exe File created C:\Windows\SysWOW64\Hmjmnpmb.exe Hhmdeink.exe File created C:\Windows\SysWOW64\Kijjldkh.exe Knefnkla.exe File created C:\Windows\SysWOW64\Iohlcg32.exe Ijkdkq32.exe File opened for modification C:\Windows\SysWOW64\Cipppc32.exe Cflkihbd.exe File opened for modification C:\Windows\SysWOW64\Jcknee32.exe Jhejgl32.exe File opened for modification C:\Windows\SysWOW64\Incpdodg.exe Hdfapjbl.exe File opened for modification C:\Windows\SysWOW64\Jafaem32.exe Ihnmlg32.exe File opened for modification C:\Windows\SysWOW64\Ahdpea32.exe Qajhigcj.exe File created C:\Windows\SysWOW64\Ndmdbf32.dll Flgfqb32.exe File opened for modification C:\Windows\SysWOW64\Dpnbhl32.exe Dffmogji.exe File created C:\Windows\SysWOW64\Gaklld32.dll Khonkogj.exe File created C:\Windows\SysWOW64\Hhkgpjqn.exe Hhhkjj32.exe File opened for modification C:\Windows\SysWOW64\Hhpaki32.exe Hmjmnpmb.exe File created C:\Windows\SysWOW64\Fgqehgco.exe Fnhppa32.exe File created C:\Windows\SysWOW64\Nonjbeab.dll Ojmcej32.exe File created C:\Windows\SysWOW64\Mpghel32.exe Lbnnphhk.exe File created C:\Windows\SysWOW64\Nekgna32.exe Mlbbel32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kehhjfif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idpbhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egopbhnc.dll" Kibeoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npkmcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmeeglh.dll" Fllplajo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jemfhacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjphoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhalpn32.dll" Lkcccn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjphoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bejoqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmijcp32.dll" Jdopjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpioca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aochga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cflkihbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eejcki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiainm32.dll" Kklbop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onlipd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lajfbmmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbhjqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjqac32.dll" Emmkci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qamago32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aofjoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mecjbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odqbdnod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehpnnpl.dll" Iodaikfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpkpbgq.dll" Khplnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogpoiia.dll" Klbgfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecnnqk32.dll" Qomghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cggnhlml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aojmda32.dll" Dmplkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqbmqdi.dll" Pdpmkhjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdmepl32.dll" Eelifc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaaaak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djcfee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohkbldfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkhbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbcffk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmpgfjmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icncngca.dll" Gjebiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjefao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hohcmjic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oijgmokc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcnqid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdopjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allkjcqn.dll" Lkbmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqkifb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fipbnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmbkfjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhcamok.dll" Nngoddkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pengna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clopal32.dll" Jbjciano.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjgemi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocjgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emphhhoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qajhigcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mklnbgao.dll" Libggiik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emcbcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndnnianm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abokkkac.dll" Ddekmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclnmkna.dll" Iacepmik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmppgb32.dll" Abimhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpeapilo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igpkjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfnmcnjn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4964 wrote to memory of 2348 4964 NEAS.bc8614894791e691b1d6b6e67ffce313.exe 89 PID 4964 wrote to memory of 2348 4964 NEAS.bc8614894791e691b1d6b6e67ffce313.exe 89 PID 4964 wrote to memory of 2348 4964 NEAS.bc8614894791e691b1d6b6e67ffce313.exe 89 PID 2348 wrote to memory of 2172 2348 Jemfhacc.exe 90 PID 2348 wrote to memory of 2172 2348 Jemfhacc.exe 90 PID 2348 wrote to memory of 2172 2348 Jemfhacc.exe 90 PID 2172 wrote to memory of 3216 2172 Kibeoo32.exe 91 PID 2172 wrote to memory of 3216 2172 Kibeoo32.exe 91 PID 2172 wrote to memory of 3216 2172 Kibeoo32.exe 91 PID 3216 wrote to memory of 5056 3216 Legben32.exe 92 PID 3216 wrote to memory of 5056 3216 Legben32.exe 92 PID 3216 wrote to memory of 5056 3216 Legben32.exe 92 PID 5056 wrote to memory of 1304 5056 Mjlalkmd.exe 93 PID 5056 wrote to memory of 1304 5056 Mjlalkmd.exe 93 PID 5056 wrote to memory of 1304 5056 Mjlalkmd.exe 93 PID 1304 wrote to memory of 3744 1304 Mqhfoebo.exe 94 PID 1304 wrote to memory of 3744 1304 Mqhfoebo.exe 94 PID 1304 wrote to memory of 3744 1304 Mqhfoebo.exe 94 PID 3744 wrote to memory of 2248 3744 Nfqnbjfi.exe 95 PID 3744 wrote to memory of 2248 3744 Nfqnbjfi.exe 95 PID 3744 wrote to memory of 2248 3744 Nfqnbjfi.exe 95 PID 2248 wrote to memory of 4500 2248 Opbean32.exe 96 PID 2248 wrote to memory of 4500 2248 Opbean32.exe 96 PID 2248 wrote to memory of 4500 2248 Opbean32.exe 96 PID 4500 wrote to memory of 4628 4500 Qamago32.exe 97 PID 4500 wrote to memory of 4628 4500 Qamago32.exe 97 PID 4500 wrote to memory of 4628 4500 Qamago32.exe 97 PID 4628 wrote to memory of 3784 4628 Aadghn32.exe 98 PID 4628 wrote to memory of 3784 4628 Aadghn32.exe 98 PID 4628 wrote to memory of 3784 4628 Aadghn32.exe 98 PID 3784 wrote to memory of 1196 3784 Biklho32.exe 99 PID 3784 wrote to memory of 1196 3784 Biklho32.exe 99 PID 3784 wrote to memory of 1196 3784 Biklho32.exe 99 PID 1196 wrote to memory of 3964 1196 Ddcebe32.exe 100 PID 1196 wrote to memory of 3964 1196 Ddcebe32.exe 100 PID 1196 wrote to memory of 3964 1196 Ddcebe32.exe 100 PID 3964 wrote to memory of 752 3964 Ddmhhd32.exe 101 PID 3964 wrote to memory of 752 3964 Ddmhhd32.exe 101 PID 3964 wrote to memory of 752 3964 Ddmhhd32.exe 101 PID 752 wrote to memory of 3548 752 Eajlhg32.exe 102 PID 752 wrote to memory of 3548 752 Eajlhg32.exe 102 PID 752 wrote to memory of 3548 752 Eajlhg32.exe 102 PID 3548 wrote to memory of 1740 3548 Fcpakn32.exe 103 PID 3548 wrote to memory of 1740 3548 Fcpakn32.exe 103 PID 3548 wrote to memory of 1740 3548 Fcpakn32.exe 103 PID 1740 wrote to memory of 4920 1740 Gkhbbi32.exe 104 PID 1740 wrote to memory of 4920 1740 Gkhbbi32.exe 104 PID 1740 wrote to memory of 4920 1740 Gkhbbi32.exe 104 PID 4920 wrote to memory of 4328 4920 Hjaioe32.exe 105 PID 4920 wrote to memory of 4328 4920 Hjaioe32.exe 105 PID 4920 wrote to memory of 4328 4920 Hjaioe32.exe 105 PID 4328 wrote to memory of 2016 4328 Hcljmj32.exe 106 PID 4328 wrote to memory of 2016 4328 Hcljmj32.exe 106 PID 4328 wrote to memory of 2016 4328 Hcljmj32.exe 106 PID 2016 wrote to memory of 4892 2016 Jdopjh32.exe 107 PID 2016 wrote to memory of 4892 2016 Jdopjh32.exe 107 PID 2016 wrote to memory of 4892 2016 Jdopjh32.exe 107 PID 4892 wrote to memory of 1484 4892 Kbeibo32.exe 108 PID 4892 wrote to memory of 1484 4892 Kbeibo32.exe 108 PID 4892 wrote to memory of 1484 4892 Kbeibo32.exe 108 PID 1484 wrote to memory of 4596 1484 Klbgfc32.exe 109 PID 1484 wrote to memory of 4596 1484 Klbgfc32.exe 109 PID 1484 wrote to memory of 4596 1484 Klbgfc32.exe 109 PID 4596 wrote to memory of 4884 4596 Lkcccn32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.bc8614894791e691b1d6b6e67ffce313.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.bc8614894791e691b1d6b6e67ffce313.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\Jemfhacc.exeC:\Windows\system32\Jemfhacc.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Kibeoo32.exeC:\Windows\system32\Kibeoo32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Legben32.exeC:\Windows\system32\Legben32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Mjlalkmd.exeC:\Windows\system32\Mjlalkmd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Mqhfoebo.exeC:\Windows\system32\Mqhfoebo.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Nfqnbjfi.exeC:\Windows\system32\Nfqnbjfi.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Windows\SysWOW64\Opbean32.exeC:\Windows\system32\Opbean32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Qamago32.exeC:\Windows\system32\Qamago32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Aadghn32.exeC:\Windows\system32\Aadghn32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\Biklho32.exeC:\Windows\system32\Biklho32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\Ddcebe32.exeC:\Windows\system32\Ddcebe32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Ddmhhd32.exeC:\Windows\system32\Ddmhhd32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Eajlhg32.exeC:\Windows\system32\Eajlhg32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\Fcpakn32.exeC:\Windows\system32\Fcpakn32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Windows\SysWOW64\Gkhbbi32.exeC:\Windows\system32\Gkhbbi32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Hjaioe32.exeC:\Windows\system32\Hjaioe32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Hcljmj32.exeC:\Windows\system32\Hcljmj32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\Jdopjh32.exeC:\Windows\system32\Jdopjh32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Kbeibo32.exeC:\Windows\system32\Kbeibo32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\Klbgfc32.exeC:\Windows\system32\Klbgfc32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Lkcccn32.exeC:\Windows\system32\Lkcccn32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Mociol32.exeC:\Windows\system32\Mociol32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Ndnnianm.exeC:\Windows\system32\Ndnnianm.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:3196 -
C:\Windows\SysWOW64\Obfhmd32.exeC:\Windows\system32\Obfhmd32.exe25⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Ofijnbkb.exeC:\Windows\system32\Ofijnbkb.exe26⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Pbddobla.exeC:\Windows\system32\Pbddobla.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Qkfkng32.exeC:\Windows\system32\Qkfkng32.exe28⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Aecialmb.exeC:\Windows\system32\Aecialmb.exe29⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Bemlhj32.exeC:\Windows\system32\Bemlhj32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3852 -
C:\Windows\SysWOW64\Cpifeb32.exeC:\Windows\system32\Cpifeb32.exe31⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Cffkhl32.exeC:\Windows\system32\Cffkhl32.exe32⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Ddekmo32.exeC:\Windows\system32\Ddekmo32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Dmplkd32.exeC:\Windows\system32\Dmplkd32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:4184 -
C:\Windows\SysWOW64\Emioab32.exeC:\Windows\system32\Emioab32.exe35⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Fneoma32.exeC:\Windows\system32\Fneoma32.exe36⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Gjebiq32.exeC:\Windows\system32\Gjebiq32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:3520 -
C:\Windows\SysWOW64\Hmbkfjko.exeC:\Windows\system32\Hmbkfjko.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:4176 -
C:\Windows\SysWOW64\Icnphd32.exeC:\Windows\system32\Icnphd32.exe39⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Igqbiacj.exeC:\Windows\system32\Igqbiacj.exe40⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Jcjodbgl.exeC:\Windows\system32\Jcjodbgl.exe41⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Jcoioabf.exeC:\Windows\system32\Jcoioabf.exe42⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Khonkogj.exeC:\Windows\system32\Khonkogj.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4632 -
C:\Windows\SysWOW64\Kejeebpl.exeC:\Windows\system32\Kejeebpl.exe44⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Lkbmih32.exeC:\Windows\system32\Lkbmih32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Maaoaa32.exeC:\Windows\system32\Maaoaa32.exe46⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Nonbqd32.exeC:\Windows\system32\Nonbqd32.exe47⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Nkjlqd32.exeC:\Windows\system32\Nkjlqd32.exe48⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Ohpiphlb.exeC:\Windows\system32\Ohpiphlb.exe49⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Okqbac32.exeC:\Windows\system32\Okqbac32.exe50⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Pdpmkhjl.exeC:\Windows\system32\Pdpmkhjl.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4880 -
C:\Windows\SysWOW64\Pfbfjk32.exeC:\Windows\system32\Pfbfjk32.exe52⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Pfdbpjmi.exeC:\Windows\system32\Pfdbpjmi.exe53⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Qomghp32.exeC:\Windows\system32\Qomghp32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:3180 -
C:\Windows\SysWOW64\Afkipi32.exeC:\Windows\system32\Afkipi32.exe55⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Aofjoo32.exeC:\Windows\system32\Aofjoo32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:3408 -
C:\Windows\SysWOW64\Akmjdpac.exeC:\Windows\system32\Akmjdpac.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Bndjfjhl.exeC:\Windows\system32\Bndjfjhl.exe58⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Bpfcelml.exeC:\Windows\system32\Bpfcelml.exe59⤵
- Executes dropped EXE
PID:3084 -
C:\Windows\SysWOW64\Cbihmg32.exeC:\Windows\system32\Cbihmg32.exe60⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Dhmgfm32.exeC:\Windows\system32\Dhmgfm32.exe61⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Dhdmfljb.exeC:\Windows\system32\Dhdmfljb.exe62⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Eoconenj.exeC:\Windows\system32\Eoconenj.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Epgdch32.exeC:\Windows\system32\Epgdch32.exe64⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Epiaig32.exeC:\Windows\system32\Epiaig32.exe65⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Fcmgpbjc.exeC:\Windows\system32\Fcmgpbjc.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1648 -
C:\Windows\SysWOW64\Fifomlap.exeC:\Windows\system32\Fifomlap.exe67⤵PID:4320
-
C:\Windows\SysWOW64\Fikihlmj.exeC:\Windows\system32\Fikihlmj.exe68⤵PID:2292
-
C:\Windows\SysWOW64\Gohapb32.exeC:\Windows\system32\Gohapb32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Gckcap32.exeC:\Windows\system32\Gckcap32.exe70⤵PID:4772
-
C:\Windows\SysWOW64\Gledpe32.exeC:\Windows\system32\Gledpe32.exe71⤵PID:1124
-
C:\Windows\SysWOW64\Icminm32.exeC:\Windows\system32\Icminm32.exe72⤵PID:2648
-
C:\Windows\SysWOW64\Ihjafd32.exeC:\Windows\system32\Ihjafd32.exe73⤵PID:2300
-
C:\Windows\SysWOW64\Igkadlcd.exeC:\Windows\system32\Igkadlcd.exe74⤵PID:8
-
C:\Windows\SysWOW64\Icbbimih.exeC:\Windows\system32\Icbbimih.exe75⤵PID:4140
-
C:\Windows\SysWOW64\Jfgefg32.exeC:\Windows\system32\Jfgefg32.exe76⤵PID:1040
-
C:\Windows\SysWOW64\Kmmmnp32.exeC:\Windows\system32\Kmmmnp32.exe77⤵PID:2592
-
C:\Windows\SysWOW64\Lcealh32.exeC:\Windows\system32\Lcealh32.exe78⤵PID:1904
-
C:\Windows\SysWOW64\Malnklgg.exeC:\Windows\system32\Malnklgg.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3608 -
C:\Windows\SysWOW64\Mjdbda32.exeC:\Windows\system32\Mjdbda32.exe80⤵PID:5036
-
C:\Windows\SysWOW64\Ndejcemn.exeC:\Windows\system32\Ndejcemn.exe81⤵PID:3348
-
C:\Windows\SysWOW64\Nmedmj32.exeC:\Windows\system32\Nmedmj32.exe82⤵PID:4984
-
C:\Windows\SysWOW64\Oinbgk32.exeC:\Windows\system32\Oinbgk32.exe83⤵PID:2056
-
C:\Windows\SysWOW64\Oajccgmd.exeC:\Windows\system32\Oajccgmd.exe84⤵PID:3216
-
C:\Windows\SysWOW64\Oggllnkl.exeC:\Windows\system32\Oggllnkl.exe85⤵PID:1828
-
C:\Windows\SysWOW64\Pjgemi32.exeC:\Windows\system32\Pjgemi32.exe86⤵
- Modifies registry class
PID:4744 -
C:\Windows\SysWOW64\Pgbkgmao.exeC:\Windows\system32\Pgbkgmao.exe87⤵PID:4924
-
C:\Windows\SysWOW64\Pahpee32.exeC:\Windows\system32\Pahpee32.exe88⤵PID:2536
-
C:\Windows\SysWOW64\Qdihfq32.exeC:\Windows\system32\Qdihfq32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1636 -
C:\Windows\SysWOW64\Qjeaog32.exeC:\Windows\system32\Qjeaog32.exe90⤵PID:5136
-
C:\Windows\SysWOW64\Aqbfaa32.exeC:\Windows\system32\Aqbfaa32.exe91⤵PID:5180
-
C:\Windows\SysWOW64\Akjgdjoj.exeC:\Windows\system32\Akjgdjoj.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5232 -
C:\Windows\SysWOW64\Abdoqd32.exeC:\Windows\system32\Abdoqd32.exe93⤵PID:5272
-
C:\Windows\SysWOW64\Ajodef32.exeC:\Windows\system32\Ajodef32.exe94⤵PID:5312
-
C:\Windows\SysWOW64\Addhbo32.exeC:\Windows\system32\Addhbo32.exe95⤵PID:5356
-
C:\Windows\SysWOW64\Bdgehobe.exeC:\Windows\system32\Bdgehobe.exe96⤵PID:5392
-
C:\Windows\SysWOW64\Bjcmpepm.exeC:\Windows\system32\Bjcmpepm.exe97⤵PID:5444
-
C:\Windows\SysWOW64\Bdiamnpc.exeC:\Windows\system32\Bdiamnpc.exe98⤵PID:5488
-
C:\Windows\SysWOW64\Cnhlgc32.exeC:\Windows\system32\Cnhlgc32.exe99⤵
- Drops file in System32 directory
PID:5580 -
C:\Windows\SysWOW64\Cjfclcpg.exeC:\Windows\system32\Cjfclcpg.exe100⤵PID:5636
-
C:\Windows\SysWOW64\Dgmpkg32.exeC:\Windows\system32\Dgmpkg32.exe101⤵PID:5680
-
C:\Windows\SysWOW64\Dnienqbi.exeC:\Windows\system32\Dnienqbi.exe102⤵PID:5732
-
C:\Windows\SysWOW64\Dajnol32.exeC:\Windows\system32\Dajnol32.exe103⤵PID:5776
-
C:\Windows\SysWOW64\Dnnoip32.exeC:\Windows\system32\Dnnoip32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5820 -
C:\Windows\SysWOW64\Ejdonq32.exeC:\Windows\system32\Ejdonq32.exe105⤵
- Drops file in System32 directory
PID:5868 -
C:\Windows\SysWOW64\Eejcki32.exeC:\Windows\system32\Eejcki32.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:5908 -
C:\Windows\SysWOW64\Eaqdpjia.exeC:\Windows\system32\Eaqdpjia.exe107⤵PID:5952
-
C:\Windows\SysWOW64\Elfhmc32.exeC:\Windows\system32\Elfhmc32.exe108⤵PID:5992
-
C:\Windows\SysWOW64\Eacaej32.exeC:\Windows\system32\Eacaej32.exe109⤵PID:6036
-
C:\Windows\SysWOW64\Ejkenpnp.exeC:\Windows\system32\Ejkenpnp.exe110⤵PID:6088
-
C:\Windows\SysWOW64\Ebejem32.exeC:\Windows\system32\Ebejem32.exe111⤵PID:6136
-
C:\Windows\SysWOW64\Fiaogfai.exeC:\Windows\system32\Fiaogfai.exe112⤵PID:2900
-
C:\Windows\SysWOW64\Fongpm32.exeC:\Windows\system32\Fongpm32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5192 -
C:\Windows\SysWOW64\Faopah32.exeC:\Windows\system32\Faopah32.exe114⤵PID:5248
-
C:\Windows\SysWOW64\Fiheheka.exeC:\Windows\system32\Fiheheka.exe115⤵
- Drops file in System32 directory
PID:5344 -
C:\Windows\SysWOW64\Facjlhil.exeC:\Windows\system32\Facjlhil.exe116⤵PID:5380
-
C:\Windows\SysWOW64\Gbcffk32.exeC:\Windows\system32\Gbcffk32.exe117⤵
- Modifies registry class
PID:5480 -
C:\Windows\SysWOW64\Glkkop32.exeC:\Windows\system32\Glkkop32.exe118⤵PID:5524
-
C:\Windows\SysWOW64\Gbecljnl.exeC:\Windows\system32\Gbecljnl.exe119⤵PID:5604
-
C:\Windows\SysWOW64\Geflne32.exeC:\Windows\system32\Geflne32.exe120⤵PID:5676
-
C:\Windows\SysWOW64\Gkcdfl32.exeC:\Windows\system32\Gkcdfl32.exe121⤵PID:4676
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-