Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
72s -
max time network
169s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
13/11/2023, 06:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.d0493c927d44676868740ddcb50160a0.exe
Resource
win7-20231020-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.d0493c927d44676868740ddcb50160a0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.d0493c927d44676868740ddcb50160a0.exe
-
Size
402KB
-
MD5
d0493c927d44676868740ddcb50160a0
-
SHA1
7ba86a0bb2b5dddbc69b01c7c8234292ed430eea
-
SHA256
ba3fbe7668abe5f2c98de3b3c0dbffa9a0fa1b5c7c7a40620e40e246e755cd63
-
SHA512
2915f053464cdb7fc65357ce1e9695e062db7593f4f63c670cdf7b933e577a35886af97167a91480bf592d818c8873e96b4e38a783aced23306f3dba0fe13408
-
SSDEEP
6144:EenZ+NPvTpN0xHuwdkAj51VezfHZ3neNZpGkXo+TCCYOs5PHdC:RIU
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkgbjkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Caagpdop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdffiinp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkjjfkcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcflch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mclpbqal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihfpabbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmbbaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anffje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qibfdkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dabpgbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmpcmkaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnenchoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcndab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjoadbbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moomgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hboaql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knphfklg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcpjnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfodpbpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkjqme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmopmalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghgeoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jchaoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofcaab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpaacblm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eohhie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imeeohoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgffci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Googaaej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Miipencp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaodkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihfpabbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhelddln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccipelcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgdklb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" NEAS.d0493c927d44676868740ddcb50160a0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omgabj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pacfjfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aglnnkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iefedcmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klgend32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blkgen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfpcngdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpdjbapj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obnbjdfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodjemee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fapobl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnblmnfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgoboake.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enoddi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqkmpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjoadbbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igmjhnej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ehlakjig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdlhoefk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Deliaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hojibgkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fekclnif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnenchoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enoddi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhhaclqc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccfcpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Picchg32.exe -
Executes dropped EXE 64 IoCs
pid Process 3080 Fneoma32.exe 2648 Hqfqfj32.exe 4724 Iggocbke.exe 1276 Imfdaigj.exe 4364 Ifcben32.exe 1136 Jgjeppkp.exe 1560 Kceoppmo.exe 2036 Knmpbi32.exe 4732 Ldhdlnli.exe 2896 Malefbkc.exe 4848 Nnabladg.exe 4268 Ohnljine.exe 1288 Oddmoj32.exe 4320 Oediim32.exe 4716 Pdbiphhi.exe 208 Pdgckg32.exe 3492 Qdllffpo.exe 4712 Ailabddb.exe 2216 Agaoca32.exe 4140 Bgkaip32.exe 2616 Blkgen32.exe 3276 Cbglgg32.exe 1904 Cihjeq32.exe 4224 Dngobghg.exe 552 Dolinf32.exe 3976 Dhgjll32.exe 1152 Elgohj32.exe 1488 Eohhie32.exe 1644 Fefjanml.exe 5028 Fekclnif.exe 2352 Flghognq.exe 4576 Gipbck32.exe 852 Googaaej.exe 4220 Ggilgn32.exe 5052 Hpcmfchg.exe 4064 Hjnndime.exe 2288 Hladlc32.exe 3124 Imcqacfq.exe 4232 Ijgakgej.exe 2072 Ifqoehhl.exe 4784 Iiaggc32.exe 4564 Jmopmalc.exe 4416 Jmamba32.exe 4952 Jjemle32.exe 4760 Jikjmbmb.exe 4736 Kgngqico.exe 2224 Lglcag32.exe 2040 Lpghfi32.exe 2748 Ljoiibbm.exe 2252 Miipencp.exe 2360 Mdaqhf32.exe 4184 Nfdfoala.exe 964 Nieoal32.exe 2772 Nmbhgjoi.exe 4876 Niihlkdm.exe 2280 Omgabj32.exe 1140 Okkalnjm.exe 4228 Oknnanhj.exe 1464 Oggllnkl.exe 4792 Opopdd32.exe 5068 Ppamjcpj.exe 3836 Pnenchoc.exe 2908 Pacfjfej.exe 1376 Pddokabk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kgngqico.exe Jikjmbmb.exe File created C:\Windows\SysWOW64\Iefedcmk.exe Hhbdko32.exe File opened for modification C:\Windows\SysWOW64\Hlmiagbo.exe Hoiihcde.exe File created C:\Windows\SysWOW64\Idmhqi32.exe Ioqohb32.exe File created C:\Windows\SysWOW64\Ponfed32.exe Ofcaab32.exe File created C:\Windows\SysWOW64\Bedmha32.dll Hoadecal.exe File created C:\Windows\SysWOW64\Jfalhgni.exe Jinloboo.exe File created C:\Windows\SysWOW64\Lahjag32.dll Jmopmalc.exe File created C:\Windows\SysWOW64\Bflaeggi.dll Dolinf32.exe File created C:\Windows\SysWOW64\Jkomhhae.exe Ijkdkq32.exe File opened for modification C:\Windows\SysWOW64\Anccjp32.exe Alcfpm32.exe File created C:\Windows\SysWOW64\Cglahcbj.dll Hldgkiki.exe File opened for modification C:\Windows\SysWOW64\Iefnjm32.exe Hlmiagbo.exe File opened for modification C:\Windows\SysWOW64\Mkhkblii.exe Mflbjejb.exe File created C:\Windows\SysWOW64\Ccipelcf.exe Eagahnob.exe File opened for modification C:\Windows\SysWOW64\Qdllffpo.exe Pdgckg32.exe File opened for modification C:\Windows\SysWOW64\Lkbkkbdj.exe Lpmfnj32.exe File created C:\Windows\SysWOW64\Nkjqme32.exe Nbbldp32.exe File created C:\Windows\SysWOW64\Cnjambdq.dll Pldcdhpi.exe File opened for modification C:\Windows\SysWOW64\Fcibchgq.exe Ffeaichg.exe File opened for modification C:\Windows\SysWOW64\Nfabok32.exe Mcpjnp32.exe File created C:\Windows\SysWOW64\Knphfklg.exe Khbpndnp.exe File created C:\Windows\SysWOW64\Claenb32.exe Cjbhbf32.exe File created C:\Windows\SysWOW64\Enonclfe.dll Kpdjbapj.exe File created C:\Windows\SysWOW64\Lpmfnj32.exe Libnapmg.exe File created C:\Windows\SysWOW64\Cdicje32.exe Cnmoglij.exe File opened for modification C:\Windows\SysWOW64\Qgdabflp.exe Pcfhlh32.exe File created C:\Windows\SysWOW64\Gpjmbhch.dll Lhelddln.exe File opened for modification C:\Windows\SysWOW64\Moomgl32.exe Momqblgj.exe File created C:\Windows\SysWOW64\Gfodpbpl.exe Bcddlhgo.exe File created C:\Windows\SysWOW64\Gflapl32.exe Foplnb32.exe File created C:\Windows\SysWOW64\Dafhdj32.dll Ppamjcpj.exe File opened for modification C:\Windows\SysWOW64\Bajqpe32.exe Mgoboake.exe File opened for modification C:\Windows\SysWOW64\Cefega32.exe Clnanlhn.exe File created C:\Windows\SysWOW64\Bckddn32.exe Blnoad32.exe File created C:\Windows\SysWOW64\Dmjnljjm.dll Pcaoahio.exe File opened for modification C:\Windows\SysWOW64\Blflmj32.exe Bnaolm32.exe File created C:\Windows\SysWOW64\Iekqnpnc.dll Lndaaj32.exe File created C:\Windows\SysWOW64\Mmlhpaji.exe Lfpcngdo.exe File created C:\Windows\SysWOW64\Pabbjl32.dll Alelkf32.exe File created C:\Windows\SysWOW64\Boimppli.dll Paennh32.exe File created C:\Windows\SysWOW64\Pimcpf32.dll Gcggjp32.exe File created C:\Windows\SysWOW64\Bcdhkd32.dll Fekclnif.exe File opened for modification C:\Windows\SysWOW64\Kdffiinp.exe Kgphje32.exe File opened for modification C:\Windows\SysWOW64\Khbpndnp.exe Kkooep32.exe File opened for modification C:\Windows\SysWOW64\Ldqfddml.exe Lhjeoc32.exe File created C:\Windows\SysWOW64\Obnbjdfi.exe Nmajbnha.exe File created C:\Windows\SysWOW64\Bnmpgabd.dll Hdcnpd32.exe File created C:\Windows\SysWOW64\Igmjhnej.exe Imeeohoi.exe File opened for modification C:\Windows\SysWOW64\Mnjqhcno.exe Lgqhki32.exe File created C:\Windows\SysWOW64\Ihfglhfp.exe Iamoon32.exe File created C:\Windows\SysWOW64\Fdhpoegg.dll Djgbmffn.exe File opened for modification C:\Windows\SysWOW64\Eqkmpo32.exe Qlejnqbj.exe File created C:\Windows\SysWOW64\Bdendn32.dll Fqiiamjp.exe File opened for modification C:\Windows\SysWOW64\Ligglo32.exe Lcmopeae.exe File created C:\Windows\SysWOW64\Edgccoai.dll Jbieebha.exe File created C:\Windows\SysWOW64\Ijgakgej.exe Imcqacfq.exe File created C:\Windows\SysWOW64\Hdlhoefk.exe Hmbpbk32.exe File created C:\Windows\SysWOW64\Laplba32.dll Mkegbfgp.exe File created C:\Windows\SysWOW64\Ebnocpfp.exe Ebkbmqhb.exe File created C:\Windows\SysWOW64\Jaimko32.exe Leipbg32.exe File created C:\Windows\SysWOW64\Bedgejbo.exe Ainfpi32.exe File created C:\Windows\SysWOW64\Qnopjfgi.exe Pnlcdg32.exe File created C:\Windows\SysWOW64\Gjmgjm32.dll Ajaqjfbp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1880 8672 Process not Found 1133 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ldhdlnli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnboma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodioegj.dll" Bkglkapo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecmlknh.dll" Cjflblll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ofcaab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ainfpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fqiiamjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lojgbmpm.dll" Laqlclga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hembndee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Danoae32.dll" Ainfpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbifecb.dll" Fapobl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmlpkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eihijk32.dll" Fmjjqhpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oknnanhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lfpcngdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mnndhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Niqnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcacmeaa.dll" Aogkhjii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnammclg.dll" Iggocbke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bkcjjhgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlnkgbhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ioclnblj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgnmff32.dll" Knphfklg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmghl32.dll" Caagpdop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hladlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlhhjg32.dll" Hlmbadfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkqde32.dll" Flghognq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfpahcln.dll" Eclmlpfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mnjqhcno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Igpkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bfbahcfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdhmhona.dll" Hboaql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pdbiphhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niahdf32.dll" Cbglgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lglcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abmcod32.dll" Cbiabq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffielof.dll" Bckknd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnmpgabd.dll" Hdcnpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ihfpabbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lqkgli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elngne32.dll" Malefbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Akipic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnhdom32.dll" Gpjfng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Panhmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Panhmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpmfnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinndkag.dll" Dngobghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibojmejf.dll" Dgcoaock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chphhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iefedcmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pboblika.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lpghfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nmbhgjoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pmbjcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cdicje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gnhifonl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oeqagi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lqkgli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Caimachg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cbfema32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qgdabflp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kafcadej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflhco32.dll" Ahdpea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmhgp32.dll" NEAS.d0493c927d44676868740ddcb50160a0.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3736 wrote to memory of 3080 3736 NEAS.d0493c927d44676868740ddcb50160a0.exe 91 PID 3736 wrote to memory of 3080 3736 NEAS.d0493c927d44676868740ddcb50160a0.exe 91 PID 3736 wrote to memory of 3080 3736 NEAS.d0493c927d44676868740ddcb50160a0.exe 91 PID 3080 wrote to memory of 2648 3080 Fneoma32.exe 92 PID 3080 wrote to memory of 2648 3080 Fneoma32.exe 92 PID 3080 wrote to memory of 2648 3080 Fneoma32.exe 92 PID 2648 wrote to memory of 4724 2648 Hqfqfj32.exe 93 PID 2648 wrote to memory of 4724 2648 Hqfqfj32.exe 93 PID 2648 wrote to memory of 4724 2648 Hqfqfj32.exe 93 PID 4724 wrote to memory of 1276 4724 Iggocbke.exe 94 PID 4724 wrote to memory of 1276 4724 Iggocbke.exe 94 PID 4724 wrote to memory of 1276 4724 Iggocbke.exe 94 PID 1276 wrote to memory of 4364 1276 Imfdaigj.exe 95 PID 1276 wrote to memory of 4364 1276 Imfdaigj.exe 95 PID 1276 wrote to memory of 4364 1276 Imfdaigj.exe 95 PID 4364 wrote to memory of 1136 4364 Ifcben32.exe 96 PID 4364 wrote to memory of 1136 4364 Ifcben32.exe 96 PID 4364 wrote to memory of 1136 4364 Ifcben32.exe 96 PID 1136 wrote to memory of 1560 1136 Jgjeppkp.exe 97 PID 1136 wrote to memory of 1560 1136 Jgjeppkp.exe 97 PID 1136 wrote to memory of 1560 1136 Jgjeppkp.exe 97 PID 1560 wrote to memory of 2036 1560 Kceoppmo.exe 98 PID 1560 wrote to memory of 2036 1560 Kceoppmo.exe 98 PID 1560 wrote to memory of 2036 1560 Kceoppmo.exe 98 PID 2036 wrote to memory of 4732 2036 Knmpbi32.exe 99 PID 2036 wrote to memory of 4732 2036 Knmpbi32.exe 99 PID 2036 wrote to memory of 4732 2036 Knmpbi32.exe 99 PID 4732 wrote to memory of 2896 4732 Ldhdlnli.exe 100 PID 4732 wrote to memory of 2896 4732 Ldhdlnli.exe 100 PID 4732 wrote to memory of 2896 4732 Ldhdlnli.exe 100 PID 2896 wrote to memory of 4848 2896 Malefbkc.exe 101 PID 2896 wrote to memory of 4848 2896 Malefbkc.exe 101 PID 2896 wrote to memory of 4848 2896 Malefbkc.exe 101 PID 4848 wrote to memory of 4268 4848 Nnabladg.exe 102 PID 4848 wrote to memory of 4268 4848 Nnabladg.exe 102 PID 4848 wrote to memory of 4268 4848 Nnabladg.exe 102 PID 4268 wrote to memory of 1288 4268 Ohnljine.exe 103 PID 4268 wrote to memory of 1288 4268 Ohnljine.exe 103 PID 4268 wrote to memory of 1288 4268 Ohnljine.exe 103 PID 1288 wrote to memory of 4320 1288 Oddmoj32.exe 104 PID 1288 wrote to memory of 4320 1288 Oddmoj32.exe 104 PID 1288 wrote to memory of 4320 1288 Oddmoj32.exe 104 PID 4320 wrote to memory of 4716 4320 Oediim32.exe 105 PID 4320 wrote to memory of 4716 4320 Oediim32.exe 105 PID 4320 wrote to memory of 4716 4320 Oediim32.exe 105 PID 4716 wrote to memory of 208 4716 Pdbiphhi.exe 106 PID 4716 wrote to memory of 208 4716 Pdbiphhi.exe 106 PID 4716 wrote to memory of 208 4716 Pdbiphhi.exe 106 PID 208 wrote to memory of 3492 208 Pdgckg32.exe 107 PID 208 wrote to memory of 3492 208 Pdgckg32.exe 107 PID 208 wrote to memory of 3492 208 Pdgckg32.exe 107 PID 3492 wrote to memory of 4712 3492 Qdllffpo.exe 108 PID 3492 wrote to memory of 4712 3492 Qdllffpo.exe 108 PID 3492 wrote to memory of 4712 3492 Qdllffpo.exe 108 PID 4712 wrote to memory of 2216 4712 Ailabddb.exe 109 PID 4712 wrote to memory of 2216 4712 Ailabddb.exe 109 PID 4712 wrote to memory of 2216 4712 Ailabddb.exe 109 PID 2216 wrote to memory of 4140 2216 Agaoca32.exe 110 PID 2216 wrote to memory of 4140 2216 Agaoca32.exe 110 PID 2216 wrote to memory of 4140 2216 Agaoca32.exe 110 PID 4140 wrote to memory of 2616 4140 Bgkaip32.exe 111 PID 4140 wrote to memory of 2616 4140 Bgkaip32.exe 111 PID 4140 wrote to memory of 2616 4140 Bgkaip32.exe 111 PID 2616 wrote to memory of 3276 2616 Blkgen32.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.d0493c927d44676868740ddcb50160a0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.d0493c927d44676868740ddcb50160a0.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3736 -
C:\Windows\SysWOW64\Fneoma32.exeC:\Windows\system32\Fneoma32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\Hqfqfj32.exeC:\Windows\system32\Hqfqfj32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Iggocbke.exeC:\Windows\system32\Iggocbke.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\Imfdaigj.exeC:\Windows\system32\Imfdaigj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\Ifcben32.exeC:\Windows\system32\Ifcben32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\Jgjeppkp.exeC:\Windows\system32\Jgjeppkp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Kceoppmo.exeC:\Windows\system32\Kceoppmo.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Knmpbi32.exeC:\Windows\system32\Knmpbi32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Ldhdlnli.exeC:\Windows\system32\Ldhdlnli.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Malefbkc.exeC:\Windows\system32\Malefbkc.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Nnabladg.exeC:\Windows\system32\Nnabladg.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Ohnljine.exeC:\Windows\system32\Ohnljine.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Oddmoj32.exeC:\Windows\system32\Oddmoj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Oediim32.exeC:\Windows\system32\Oediim32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\SysWOW64\Pdbiphhi.exeC:\Windows\system32\Pdbiphhi.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Pdgckg32.exeC:\Windows\system32\Pdgckg32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\Qdllffpo.exeC:\Windows\system32\Qdllffpo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\SysWOW64\Ailabddb.exeC:\Windows\system32\Ailabddb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Agaoca32.exeC:\Windows\system32\Agaoca32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Bgkaip32.exeC:\Windows\system32\Bgkaip32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\Blkgen32.exeC:\Windows\system32\Blkgen32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Cbglgg32.exeC:\Windows\system32\Cbglgg32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:3276 -
C:\Windows\SysWOW64\Cihjeq32.exeC:\Windows\system32\Cihjeq32.exe24⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Dngobghg.exeC:\Windows\system32\Dngobghg.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:4224 -
C:\Windows\SysWOW64\Dolinf32.exeC:\Windows\system32\Dolinf32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:552 -
C:\Windows\SysWOW64\Dhgjll32.exeC:\Windows\system32\Dhgjll32.exe27⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Elgohj32.exeC:\Windows\system32\Elgohj32.exe28⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Eohhie32.exeC:\Windows\system32\Eohhie32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Fefjanml.exeC:\Windows\system32\Fefjanml.exe30⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Fekclnif.exeC:\Windows\system32\Fekclnif.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5028 -
C:\Windows\SysWOW64\Flghognq.exeC:\Windows\system32\Flghognq.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Gipbck32.exeC:\Windows\system32\Gipbck32.exe33⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Googaaej.exeC:\Windows\system32\Googaaej.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Ggilgn32.exeC:\Windows\system32\Ggilgn32.exe35⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Hpcmfchg.exeC:\Windows\system32\Hpcmfchg.exe36⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Hjnndime.exeC:\Windows\system32\Hjnndime.exe37⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Hladlc32.exeC:\Windows\system32\Hladlc32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Imcqacfq.exeC:\Windows\system32\Imcqacfq.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3124 -
C:\Windows\SysWOW64\Ijgakgej.exeC:\Windows\system32\Ijgakgej.exe40⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Ifqoehhl.exeC:\Windows\system32\Ifqoehhl.exe41⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Iiaggc32.exeC:\Windows\system32\Iiaggc32.exe42⤵
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Jmopmalc.exeC:\Windows\system32\Jmopmalc.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4564 -
C:\Windows\SysWOW64\Jmamba32.exeC:\Windows\system32\Jmamba32.exe44⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Jjemle32.exeC:\Windows\system32\Jjemle32.exe45⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Jikjmbmb.exeC:\Windows\system32\Jikjmbmb.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4760 -
C:\Windows\SysWOW64\Kgngqico.exeC:\Windows\system32\Kgngqico.exe47⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Lglcag32.exeC:\Windows\system32\Lglcag32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Lpghfi32.exeC:\Windows\system32\Lpghfi32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Ljoiibbm.exeC:\Windows\system32\Ljoiibbm.exe50⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Miipencp.exeC:\Windows\system32\Miipencp.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Mdaqhf32.exeC:\Windows\system32\Mdaqhf32.exe52⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Nfdfoala.exeC:\Windows\system32\Nfdfoala.exe53⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Nieoal32.exeC:\Windows\system32\Nieoal32.exe54⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Nmbhgjoi.exeC:\Windows\system32\Nmbhgjoi.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Niihlkdm.exeC:\Windows\system32\Niihlkdm.exe56⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Omgabj32.exeC:\Windows\system32\Omgabj32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Okkalnjm.exeC:\Windows\system32\Okkalnjm.exe58⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Oknnanhj.exeC:\Windows\system32\Oknnanhj.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:4228 -
C:\Windows\SysWOW64\Oggllnkl.exeC:\Windows\system32\Oggllnkl.exe60⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Opopdd32.exeC:\Windows\system32\Opopdd32.exe61⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Ppamjcpj.exeC:\Windows\system32\Ppamjcpj.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5068 -
C:\Windows\SysWOW64\Pnenchoc.exeC:\Windows\system32\Pnenchoc.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3836 -
C:\Windows\SysWOW64\Pacfjfej.exeC:\Windows\system32\Pacfjfej.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Pddokabk.exeC:\Windows\system32\Pddokabk.exe65⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Pnlcdg32.exeC:\Windows\system32\Pnlcdg32.exe66⤵
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Qnopjfgi.exeC:\Windows\system32\Qnopjfgi.exe67⤵PID:2872
-
C:\Windows\SysWOW64\Akenij32.exeC:\Windows\system32\Akenij32.exe68⤵PID:4648
-
C:\Windows\SysWOW64\Aaofedkl.exeC:\Windows\system32\Aaofedkl.exe69⤵PID:4856
-
C:\Windows\SysWOW64\Aglnnkid.exeC:\Windows\system32\Aglnnkid.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1264 -
C:\Windows\SysWOW64\Anffje32.exeC:\Windows\system32\Anffje32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4592 -
C:\Windows\SysWOW64\Aklciimh.exeC:\Windows\system32\Aklciimh.exe72⤵PID:3316
-
C:\Windows\SysWOW64\Ahpdcn32.exeC:\Windows\system32\Ahpdcn32.exe73⤵PID:1452
-
C:\Windows\SysWOW64\Ajaqjfbp.exeC:\Windows\system32\Ajaqjfbp.exe74⤵
- Drops file in System32 directory
PID:452 -
C:\Windows\SysWOW64\Bhbahm32.exeC:\Windows\system32\Bhbahm32.exe75⤵PID:3932
-
C:\Windows\SysWOW64\Bqnemp32.exeC:\Windows\system32\Bqnemp32.exe76⤵PID:996
-
C:\Windows\SysWOW64\Bkcjjhgp.exeC:\Windows\system32\Bkcjjhgp.exe77⤵
- Modifies registry class
PID:3384 -
C:\Windows\SysWOW64\Bdlncn32.exeC:\Windows\system32\Bdlncn32.exe78⤵PID:5132
-
C:\Windows\SysWOW64\Bbpolb32.exeC:\Windows\system32\Bbpolb32.exe79⤵PID:5176
-
C:\Windows\SysWOW64\Bjkcqdje.exeC:\Windows\system32\Bjkcqdje.exe80⤵PID:5240
-
C:\Windows\SysWOW64\Cbdhgaid.exeC:\Windows\system32\Cbdhgaid.exe81⤵PID:5284
-
C:\Windows\SysWOW64\Cinpdl32.exeC:\Windows\system32\Cinpdl32.exe82⤵PID:5344
-
C:\Windows\SysWOW64\Cbfema32.exeC:\Windows\system32\Cbfema32.exe83⤵
- Modifies registry class
PID:5400 -
C:\Windows\SysWOW64\Cbiabq32.exeC:\Windows\system32\Cbiabq32.exe84⤵
- Modifies registry class
PID:5464 -
C:\Windows\SysWOW64\Cnboma32.exeC:\Windows\system32\Cnboma32.exe85⤵
- Modifies registry class
PID:5500 -
C:\Windows\SysWOW64\Djipbbne.exeC:\Windows\system32\Djipbbne.exe86⤵PID:5552
-
C:\Windows\SysWOW64\Dgomaf32.exeC:\Windows\system32\Dgomaf32.exe87⤵PID:5616
-
C:\Windows\SysWOW64\Dnkbcp32.exeC:\Windows\system32\Dnkbcp32.exe88⤵PID:5660
-
C:\Windows\SysWOW64\Deejpjgc.exeC:\Windows\system32\Deejpjgc.exe89⤵PID:5708
-
C:\Windows\SysWOW64\Dnnoip32.exeC:\Windows\system32\Dnnoip32.exe90⤵PID:5784
-
C:\Windows\SysWOW64\Enedio32.exeC:\Windows\system32\Enedio32.exe91⤵PID:5824
-
C:\Windows\SysWOW64\Eijigg32.exeC:\Windows\system32\Eijigg32.exe92⤵PID:5876
-
C:\Windows\SysWOW64\Eoindndf.exeC:\Windows\system32\Eoindndf.exe93⤵PID:5916
-
C:\Windows\SysWOW64\Folkjnbc.exeC:\Windows\system32\Folkjnbc.exe94⤵PID:5964
-
C:\Windows\SysWOW64\Flpkcbqm.exeC:\Windows\system32\Flpkcbqm.exe95⤵PID:6016
-
C:\Windows\SysWOW64\Flddoa32.exeC:\Windows\system32\Flddoa32.exe96⤵PID:6064
-
C:\Windows\SysWOW64\Fhkecb32.exeC:\Windows\system32\Fhkecb32.exe97⤵PID:6108
-
C:\Windows\SysWOW64\Feofmf32.exeC:\Windows\system32\Feofmf32.exe98⤵PID:1064
-
C:\Windows\SysWOW64\Gklnem32.exeC:\Windows\system32\Gklnem32.exe99⤵PID:5200
-
C:\Windows\SysWOW64\Gojgkl32.exeC:\Windows\system32\Gojgkl32.exe100⤵PID:5352
-
C:\Windows\SysWOW64\Golcak32.exeC:\Windows\system32\Golcak32.exe101⤵PID:5452
-
C:\Windows\SysWOW64\Geflne32.exeC:\Windows\system32\Geflne32.exe102⤵PID:5516
-
C:\Windows\SysWOW64\Gbjlgj32.exeC:\Windows\system32\Gbjlgj32.exe103⤵PID:5588
-
C:\Windows\SysWOW64\Ghgeoq32.exeC:\Windows\system32\Ghgeoq32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5696 -
C:\Windows\SysWOW64\Gaoihfoo.exeC:\Windows\system32\Gaoihfoo.exe105⤵PID:2832
-
C:\Windows\SysWOW64\Hkgnalep.exeC:\Windows\system32\Hkgnalep.exe106⤵PID:5820
-
C:\Windows\SysWOW64\Hembndee.exeC:\Windows\system32\Hembndee.exe107⤵
- Modifies registry class
PID:5856 -
C:\Windows\SysWOW64\Hkjjfkcm.exeC:\Windows\system32\Hkjjfkcm.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5956 -
C:\Windows\SysWOW64\Hhnkppbf.exeC:\Windows\system32\Hhnkppbf.exe109⤵PID:5996
-
C:\Windows\SysWOW64\Hafpiehg.exeC:\Windows\system32\Hafpiehg.exe110⤵PID:6088
-
C:\Windows\SysWOW64\Hllcfnhm.exeC:\Windows\system32\Hllcfnhm.exe111⤵PID:6140
-
C:\Windows\SysWOW64\Hcflch32.exeC:\Windows\system32\Hcflch32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5196 -
C:\Windows\SysWOW64\Hhbdko32.exeC:\Windows\system32\Hhbdko32.exe113⤵
- Drops file in System32 directory
PID:5424 -
C:\Windows\SysWOW64\Iefedcmk.exeC:\Windows\system32\Iefedcmk.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5540 -
C:\Windows\SysWOW64\Ilqmam32.exeC:\Windows\system32\Ilqmam32.exe115⤵PID:5692
-
C:\Windows\SysWOW64\Iapbodql.exeC:\Windows\system32\Iapbodql.exe116⤵PID:5808
-
C:\Windows\SysWOW64\Ifnkeb32.exeC:\Windows\system32\Ifnkeb32.exe117⤵PID:5900
-
C:\Windows\SysWOW64\Ilgcblnp.exeC:\Windows\system32\Ilgcblnp.exe118⤵PID:5988
-
C:\Windows\SysWOW64\Ijkdkq32.exeC:\Windows\system32\Ijkdkq32.exe119⤵
- Drops file in System32 directory
PID:6132 -
C:\Windows\SysWOW64\Jkomhhae.exeC:\Windows\system32\Jkomhhae.exe120⤵PID:5376
-
C:\Windows\SysWOW64\Jbieebha.exeC:\Windows\system32\Jbieebha.exe121⤵
- Drops file in System32 directory
PID:5520
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-