Analysis
max time kernel: 162s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/11/2023, 23:07
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.30a6a7f2ea3c0473151d340528fe2f00.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: NEAS.30a6a7f2ea3c0473151d340528fe2f00.exe
  Resource: win10v2004-20231023-en (the run reported below; it matches the platform and resource in the Analysis header)
General
Target: NEAS.30a6a7f2ea3c0473151d340528fe2f00.exe
Size: 90KB
MD5: 30a6a7f2ea3c0473151d340528fe2f00
SHA1: b1148bc0d3d22d5b80d06a78b6886b795e85d20c
SHA256: 6308b77a691ad7f5dbe8de3c61656fba81a64172d15760c69325bc51cfc2433f
SHA512: 2c9c0672b1c30a7c5e9b22bef4a553753b018a0843e9ec7d14d73448a6cc7a13bea9507839a3a4754aa55b76b97fa68b64fc2c0ac1f909b84d452935df10f4c4
SSDEEP: 1536:gy8lg7ALe0FCyEV9CnDyB58RY3PpR0q8sWDK08M3r1JiNrvVycxT8EibNWT74G5w:X7ibI1BtwDKKmrvz6bUTsG5u/Ub0+NK
Malware Config
Signatures
Each signature below shows at most 64 IoCs, so every list is a truncated view of a much longer chain: the crash record further down references procid_target 513, several hundred spawns beyond the rows shown here.

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
The key is ShellServiceObjectDelayLoad (SSODL), reached under WOW6432Node because the chain runs as 32-bit processes on 64-bit Windows. Explorer.exe instantiates every CLSID listed under SSODL at logon, so the value Web Event Logger = {79FAA099-1BAE-816E-D711-115290CEE717} makes Explorer load whatever DLL that CLSID's InProcServer32 points to; the "Modifies registry class" signature below shows that registration. The persistence is therefore a COM object registration, not a Run key.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdehho32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ofcale32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dafpjf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Clihcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gmbmefob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Odfljp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omkmcpgo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oidopn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fiilmofe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ohdlke32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnfpbcbf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcpledob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ddbppa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifefbbdj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmkbpk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcggbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mqfpma32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnacfp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdgfmk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lnbkeclf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cahdhhep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mmaakpfd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnpjdfpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aakelfhg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hplimpdi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ljmfdp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fmpjfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gijmlh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hbknqeha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fineho32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjicnbba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ibmmbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fiilmofe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fpcdji32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkbddo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mfomda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gmjlmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dnhgcgbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jddggb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Omkmcpgo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbghpc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Emfebjgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ciioaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fmmffhnk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfehoj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipmbcm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnbfgh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjpkjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iocliecb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bkibqnah.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpmdabfb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Clnopg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjjaci32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Goqkne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kgopbj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hibape32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ompmie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hkaedk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plndma32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aakelfhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hdehho32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkdgqbag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ekkkip32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhdqhp32.exe
Executes dropped EXE (64 IoCs)
pid | Process
4856 | Cnbfgh32.exe
3164 | Flboch32.exe
220 | Glnnofhi.exe
4340 | Gckcap32.exe
2204 | Hjpkjh32.exe
2312 | Ihmnldib.exe
3884 | Jqmicpbj.exe
1796 | Kmkpipaf.exe
3344 | Labkempb.exe
1940 | Mfhgcbfo.exe
2236 | Mfomda32.exe
4348 | Pjjaci32.exe
3340 | Akenij32.exe
1756 | Aglnnkid.exe
2400 | Ahpdcn32.exe
5076 | Bhennm32.exe
3712 | Bdnkhn32.exe
4820 | Cbdhgaid.exe
1532 | Deqqek32.exe
1620 | Elaobdmm.exe
1096 | Ejnbdp32.exe
1644 | Flmonbbp.exe
4572 | Flddoa32.exe
2056 | Glbapoqh.exe
4044 | Hifaic32.exe
4288 | Hchihhng.exe
4192 | Iooimi32.exe
1660 | Iabodcnj.exe
4716 | Jbghpc32.exe
3200 | Jbieebha.exe
2360 | Jkhpogij.exe
4396 | Kcfnqccd.exe
4552 | Liabjh32.exe
3444 | Mbamcm32.exe
1392 | Ndliin32.exe
3504 | Pmbjcb32.exe
1376 | Pgmkbg32.exe
4584 | Pphlpl32.exe
4788 | Qpmfklbq.exe
4828 | Bgbmdd32.exe
968 | Bkepeaaa.exe
2812 | Bglpjb32.exe
4528 | Cjofambd.exe
3052 | Cdfgdf32.exe
2684 | Ckclfp32.exe
3804 | Dnfanjqp.exe
1976 | Dccjfaog.exe
2276 | Dnhncjom.exe
4612 | Ekcemmgo.exe
1452 | Flodilma.exe
692 | Falmabki.exe
4332 | Fnpmkg32.exe
4628 | Fhjoilop.exe
1752 | Gdaonmdd.exe
1996 | Gmjcgb32.exe
3428 | Gajibq32.exe
740 | Hoiihcde.exe
2232 | Iamoon32.exe
4980 | Jliimf32.exe
4316 | Jafaem32.exe
2004 | Jefgak32.exe
4520 | Jamhflqq.exe
1100 | Klgend32.exe
3500 | Khbpndnp.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Baeenn32.dll | Jkhpogij.exe
File created | C:\Windows\SysWOW64\Mjhqcmjo.exe | Mdkhkflh.exe
File created | C:\Windows\SysWOW64\Bgilfl32.dll | Jekqgnno.exe
File opened for modification | C:\Windows\SysWOW64\Jiiiml32.exe | Jcoapami.exe
File created | C:\Windows\SysWOW64\Fmiajm32.dll | Oanodnip.exe
File created | C:\Windows\SysWOW64\Nbbbggpb.dll | Bdmmnd32.exe
File opened for modification | C:\Windows\SysWOW64\Kmkpipaf.exe | Jqmicpbj.exe
File created | C:\Windows\SysWOW64\Ggaoeo32.dll | Labkempb.exe
File created | C:\Windows\SysWOW64\Obfcghki.dll | Fphneijl.exe
File opened for modification | C:\Windows\SysWOW64\Ipmbcm32.exe | Ijcjgcni.exe
File created | C:\Windows\SysWOW64\Gckcap32.exe | Glnnofhi.exe
File created | C:\Windows\SysWOW64\Bjgple32.dll | Lonnfg32.exe
File opened for modification | C:\Windows\SysWOW64\Ompmie32.exe | Odhipp32.exe
File created | C:\Windows\SysWOW64\Ekmhnpfl.exe | Efpofi32.exe
File opened for modification | C:\Windows\SysWOW64\Mncjffbl.exe | Mgibil32.exe
File created | C:\Windows\SysWOW64\Bibngh32.dll | Mgibil32.exe
File opened for modification | C:\Windows\SysWOW64\Npbcollj.exe | Nfjofg32.exe
File created | C:\Windows\SysWOW64\Gmmome32.exe | Gmhfbf32.exe
File created | C:\Windows\SysWOW64\Nnpalk32.exe | Ngehoqdn.exe
File opened for modification | C:\Windows\SysWOW64\Fineho32.exe | Fkihgb32.exe
File created | C:\Windows\SysWOW64\Hlldaape.exe | Gbcohl32.exe
File created | C:\Windows\SysWOW64\Lbkmod32.dll | Lcbngeqo.exe
File created | C:\Windows\SysWOW64\Ljcldo32.exe | Ldgclgcl.exe
File created | C:\Windows\SysWOW64\Gicndaep.exe | Gnnjgh32.exe
File opened for modification | C:\Windows\SysWOW64\Gicndaep.exe | Gnnjgh32.exe
File created | C:\Windows\SysWOW64\Jpmdabfb.exe | Joikdk32.exe
File created | C:\Windows\SysWOW64\Jhpckehm.dll | Goqkne32.exe
File created | C:\Windows\SysWOW64\Fflngpbn.dll | Bkibqnah.exe
File created | C:\Windows\SysWOW64\Dafpjf32.exe | Dklhmlac.exe
File created | C:\Windows\SysWOW64\Gepkahmm.dll | Eimegk32.exe
File created | C:\Windows\SysWOW64\Odfljp32.exe | Neiiiecg.exe
File created | C:\Windows\SysWOW64\Gbhhoobc.dll | Clnopg32.exe
File opened for modification | C:\Windows\SysWOW64\Jidpblik.exe | Jcjgeb32.exe
File opened for modification | C:\Windows\SysWOW64\Jliimf32.exe | Iamoon32.exe
File opened for modification | C:\Windows\SysWOW64\Jkaadebl.exe | Jplmglbf.exe
File created | C:\Windows\SysWOW64\Jiiiml32.exe | Jcoapami.exe
File created | C:\Windows\SysWOW64\Hplimpdi.exe | Hibape32.exe
File opened for modification | C:\Windows\SysWOW64\Bllbkg32.exe | Qejkfp32.exe
File created | C:\Windows\SysWOW64\Ejkmkh32.dll | Gcojoj32.exe
File opened for modification | C:\Windows\SysWOW64\Gckcap32.exe | Glnnofhi.exe
File created | C:\Windows\SysWOW64\Fbgjeohk.dll | Dhjknljl.exe
File created | C:\Windows\SysWOW64\Kdogbcnn.dll | Ompmie32.exe
File opened for modification | C:\Windows\SysWOW64\Fimhcbkh.exe | Fblifijc.exe
File opened for modification | C:\Windows\SysWOW64\Kjblcj32.exe | Kchdfpen.exe
File created | C:\Windows\SysWOW64\Dnonap32.dll | Glbapoqh.exe
File opened for modification | C:\Windows\SysWOW64\Bomknp32.exe | Bedgejbo.exe
File opened for modification | C:\Windows\SysWOW64\Kdffiinp.exe | Jpojml32.exe
File created | C:\Windows\SysWOW64\Knoonphp.exe | Kcikagij.exe
File created | C:\Windows\SysWOW64\Iffadlme.dll | Hblkddmn.exe
File opened for modification | C:\Windows\SysWOW64\Nnfpbcbf.exe | Nglhei32.exe
File created | C:\Windows\SysWOW64\Bobalm32.exe | Bdmmnd32.exe
File created | C:\Windows\SysWOW64\Deqqek32.exe | Cbdhgaid.exe
File created | C:\Windows\SysWOW64\Iabodcnj.exe | Iooimi32.exe
File created | C:\Windows\SysWOW64\Gmjlmo32.exe | Gbdgpfni.exe
File opened for modification | C:\Windows\SysWOW64\Fnipliip.exe | Fimhcbkh.exe
File created | C:\Windows\SysWOW64\Hfmqapcl.exe | Hcjkje32.exe
File opened for modification | C:\Windows\SysWOW64\Jmkdeaee.exe | Ibmmbj32.exe
File created | C:\Windows\SysWOW64\Mqpfofao.dll | Clihcm32.exe
File created | C:\Windows\SysWOW64\Hfljfjpq.exe | Hapancai.exe
File created | C:\Windows\SysWOW64\Lnbkeclf.exe | Lhhchi32.exe
File opened for modification | C:\Windows\SysWOW64\Lkfeeo32.exe | Khbpndnp.exe
File created | C:\Windows\SysWOW64\Ppbkjhqi.dll | Bomknp32.exe
File created | C:\Windows\SysWOW64\Eplgod32.exe | Eimegk32.exe
File created | C:\Windows\SysWOW64\Jpojml32.exe | Jkaadebl.exe
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
3444 | 7148 | WerFault.exe | 513
4680 | 7148 | WerFault.exe | 513
PID 3444 also appears as Mbamcm32.exe in the "Executes dropped EXE" list above: PIDs are reused within a run, so correlate by image name and procid, not by PID alone.
Modifies registry class (64 IoCs)
This is the other half of the SSODL persistence: each stage re-points the InProcServer32 of the same CLSID, {79FAA099-1BAE-816E-D711-115290CEE717}, at a DLL it has just written to SysWOW64 (compare Bgilfl32.dll created by Jekqgnno.exe in the drop list above with the row for Jekqgnno.exe below). Whichever DLL was registered last is the one Explorer loads at the next logon.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akpbae32.dll" | Kjblcj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ckclfp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Clihcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fmoclg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pkngco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agebpojb.dll" | Gpimflqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gfjkce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjdeil32.dll" | Jpnhof32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ihmnldib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jpoagb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pflpfcbe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fineho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jggjpgmc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gammgo32.dll" | Odhipp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiepoemj.dll" | Jliimf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fcibchgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjombcn.dll" | Meknhh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fkihgb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ngehoqdn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ckclacmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beglin32.dll" | Ffjdjmpf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mjpbkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pocpqcpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apncei32.dll" | Dobffj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafhghgn.dll" | Ejmild32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kgopbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklkea32.dll" | Lgqfmcge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fphneijl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Epndddnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqbgcd32.dll" | Flboch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdiqnel.dll" | Ahpdcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bedpjdoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gafmkp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aokceaoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fiilmofe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Glbapoqh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hifaic32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ekmhnpfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehhacc32.dll" | Lhdqhp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caidhlcb.dll" | Pkngco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jcjgeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miocnm32.dll" | Cadcfd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gilajmfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bjicnbba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kmkpipaf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aidcjk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fqmlbfbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dajfhepb.dll" | Ljcldo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgilfl32.dll" | Jekqgnno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgnh32.dll" | Mkhkblii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Djnhne32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Npbcollj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgedkcjf.dll" | Gajibq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gmmome32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jkaadebl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qlejnqbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdjha32.dll" | Boflfiai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pmkfjn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damneiak.dll" | Lkfeeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfoflccp.dll" | Fmpjfn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hfmqapcl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gafmkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gilajmfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Emfebjgb.exe
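The "Adds autorun key" and "Modifies registry class" signatures above are two halves of one persistence mechanism, and the artefact an analyst actually needs is their join: SSODL value name -> CLSID -> InProcServer32 DLL path. The Python below is an added example, not code from the Triage report or from the sample it describes. It assumes the flattened "description ioc Process" row format shown on this page (an assumption about the page layout, not a Triage API) and takes a handful of rows excerpted from the two tables above as input. On a live host the same join would be made against HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (both the native and the WOW6432Node view) and HKCR\CLSID\<clsid>\InProcServer32; this offline example does not touch the registry.

```python
"""Join SSODL autorun entries to the COM server DLL they load.

Added example, not code from the Triage report or from the sample it
describes.  Parses registry IoC rows in the flattened
"description ioc Process" form shown on this page (assumed format) and
joins ShellServiceObjectDelayLoad value name -> CLSID with that CLSID's
InProcServer32 -> DLL path, giving the list of DLLs Explorer would load.
"""
import re
from collections import defaultdict

# Rows excerpted from the "Adds autorun key" and "Modifies registry class" lists above.
REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dafpjf32.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdehho32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akpbae32.dll" Kjblcj32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmoclg32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgilfl32.dll" Jekqgnno.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckclfp32.exe',
]

SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "([^"]*)" (\S+)$')
KEY_CREATED_RE = re.compile(r'^Key created (\S+) (\S+)$')
# ...\CLSID\{guid}\InProcServer32 at the end of a key path, in any hive view.
CLSID_SERVER_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32$', re.IGNORECASE)


def parse_line(line):
    """Return (kind, key_path, value_name, value, process) for one IoC row, else None."""
    m = SET_VALUE_RE.match(line)
    if m:
        _vtype, full_path, value, proc = m.groups()
        key, _, name = full_path.rpartition('\\')   # name == '' means the (Default) value
        return "set", key, name, value, proc
    m = KEY_CREATED_RE.match(line)
    if m:
        key, proc = m.groups()
        return "create", key, None, None, proc
    return None


def correlate(lines):
    """Map each SSODL value name to its CLSID and the DLL(s) registered for that CLSID."""
    ssodl = {}
    servers = defaultdict(lambda: {"inprocserver32": set(), "threading_model": None, "touched_by": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, key, name, value, proc = parsed
        if key.upper().endswith('\\SHELLSERVICEOBJECTDELAYLOAD'):
            if kind == "set":   # value name -> CLSID string
                ssodl.setdefault(name, {"clsid": value.upper(), "set_by": set()})["set_by"].add(proc)
            continue
        m = CLSID_SERVER_RE.search(key)
        if not m:
            continue
        srv = servers[m.group(1).upper()]
        srv["touched_by"].add(proc)
        if kind == "set" and name == "":
            # The report prints the REG_SZ with escaped backslashes; restore the real path.
            srv["inprocserver32"].add(value.replace('\\\\', '\\'))
        elif kind == "set" and name.lower() == "threadingmodel":
            srv["threading_model"] = value
    result = {}
    for name, entry in ssodl.items():
        srv = servers.get(entry["clsid"], {"inprocserver32": set(), "threading_model": None, "touched_by": set()})
        result[name] = {
            "clsid": entry["clsid"],
            "set_by": sorted(entry["set_by"]),
            "inprocserver32": sorted(srv["inprocserver32"]),
            "threading_model": srv["threading_model"],
            "server_touched_by": sorted(srv["touched_by"]),
        }
    return result


def hunt_paths(summary):
    """De-duplicated list of DLL paths to collect from disk and check for a valid signature."""
    return sorted({p for entry in summary.values() for p in entry["inprocserver32"]})


if __name__ == "__main__":
    for name, entry in correlate(REPORT_LINES).items():
        print(f"SSODL '{name}' -> {entry['clsid']} -> {entry['inprocserver32']}")
```

Feed correlate() the full IoC lists rather than the excerpt and hunt_paths() becomes the collection list for the host: every SSODL entry whose CLSID resolves to a DLL in SysWOW64 that is not part of the OS image and carries no valid Authenticode signature is the payload to pull. Removing the SSODL value alone is not enough; the CLSID registration and the DLLs it points at go with it.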
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent-child pair is recorded three times in the raw list; the rows are collapsed here and the repeat count kept. procid_target is the child's index in the report's process list, which is why it climbs by one per hop.
description | pid | Process | procid_target | count
PID 1820 wrote to memory of 4856 | 1820 | NEAS.30a6a7f2ea3c0473151d340528fe2f00.exe | 92 | 3
PID 4856 wrote to memory of 3164 | 4856 | Cnbfgh32.exe | 93 | 3
PID 3164 wrote to memory of 220 | 3164 | Flboch32.exe | 94 | 3
PID 220 wrote to memory of 4340 | 220 | Glnnofhi.exe | 95 | 3
PID 4340 wrote to memory of 2204 | 4340 | Gckcap32.exe | 96 | 3
PID 2204 wrote to memory of 2312 | 2204 | Hjpkjh32.exe | 97 | 3
PID 2312 wrote to memory of 3884 | 2312 | Ihmnldib.exe | 98 | 3
PID 3884 wrote to memory of 1796 | 3884 | Jqmicpbj.exe | 99 | 3
PID 1796 wrote to memory of 3344 | 1796 | Kmkpipaf.exe | 100 | 3
PID 3344 wrote to memory of 1940 | 3344 | Labkempb.exe | 101 | 3
PID 1940 wrote to memory of 2236 | 1940 | Mfhgcbfo.exe | 102 | 3
PID 2236 wrote to memory of 4348 | 2236 | Mfomda32.exe | 103 | 3
PID 4348 wrote to memory of 3340 | 4348 | Pjjaci32.exe | 104 | 3
PID 3340 wrote to memory of 1756 | 3340 | Akenij32.exe | 105 | 3
PID 1756 wrote to memory of 2400 | 1756 | Aglnnkid.exe | 106 | 3
PID 2400 wrote to memory of 5076 | 2400 | Ahpdcn32.exe | 107 | 3
PID 5076 wrote to memory of 3712 | 5076 | Bhennm32.exe | 108 | 3
PID 3712 wrote to memory of 4820 | 3712 | Bdnkhn32.exe | 109 | 3
PID 4820 wrote to memory of 1532 | 4820 | Cbdhgaid.exe | 110 | 3
PID 1532 wrote to memory of 1620 | 1532 | Deqqek32.exe | 111 | 3
PID 1620 wrote to memory of 1096 | 1620 | Elaobdmm.exe | 112 | 3
PID 1096 wrote to memory of 1644 | 1096 | Ejnbdp32.exe | 113 | 1
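The WriteProcessMemory rows, the "Executes dropped EXE" list and the "Drops file in System32 directory" list describe the same linear chain from three angles. The Python below is an added example, not code from the Triage report or from the sample: it collapses the triplicated write rows into unique parent -> child edges, walks them from the root to recover the spawn order, and for every hop checks whether the parent is the process recorded as writing the child's executable. It assumes the flattened row formats shown above and uses rows excerpted from those tables; because each list is capped at 64 entries, most hops have no drop record in the excerpt and are reported as None rather than as a failed check.

```python
"""Rebuild the dropper chain from the flattened Triage rows above.

Added example, not code from the report or the sample it describes.
Joins "Suspicious use of WriteProcessMemory" (parent -> child),
"Executes dropped EXE" (pid -> image name) and "Drops file in System32
directory" (file -> dropping process) rows, all in the flattened
formats shown on this page (assumed layout, not a Triage API).
"""
import re

# Rows excerpted from the tables above; the first pair keeps its three repeats.
WPM_ROWS = [
    "PID 1820 wrote to memory of 4856 1820 NEAS.30a6a7f2ea3c0473151d340528fe2f00.exe 92",
    "PID 1820 wrote to memory of 4856 1820 NEAS.30a6a7f2ea3c0473151d340528fe2f00.exe 92",
    "PID 1820 wrote to memory of 4856 1820 NEAS.30a6a7f2ea3c0473151d340528fe2f00.exe 92",
    "PID 4856 wrote to memory of 3164 4856 Cnbfgh32.exe 93",
    "PID 3164 wrote to memory of 220 3164 Flboch32.exe 94",
    "PID 220 wrote to memory of 4340 220 Glnnofhi.exe 95",
    "PID 4340 wrote to memory of 2204 4340 Gckcap32.exe 96",
]
EXECUTED_ROWS = ["4856 Cnbfgh32.exe", "3164 Flboch32.exe", "220 Glnnofhi.exe",
                 "4340 Gckcap32.exe", "2204 Hjpkjh32.exe"]
DROP_ROWS = [
    r"File created C:\Windows\SysWOW64\Gckcap32.exe Glnnofhi.exe",
    r"File opened for modification C:\Windows\SysWOW64\Gckcap32.exe Glnnofhi.exe",
    r"File created C:\Windows\SysWOW64\Deqqek32.exe Cbdhgaid.exe",
    r"File created C:\Windows\SysWOW64\Baeenn32.dll Jkhpogij.exe",
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
DROP_RE = re.compile(r"^File (?:created|opened for modification) (\S+) (\S+)$")


def parse_wpm(rows):
    """Unique (parent_pid, child_pid, parent_name) edges, in first-seen order."""
    edges, seen = [], set()
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        ppid, cpid, pid_col, pname, _procid_target = m.groups()
        if ppid != pid_col:   # the 'pid' column must repeat the writing PID
            raise ValueError(f"inconsistent row: {row}")
        edge = (int(ppid), int(cpid), pname)
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_chain(edges, executed_rows):
    """Ordered [(pid, name), ...] from the root, i.e. the one parent that is nobody's child."""
    names = {int(p): n for p, n in (r.split(None, 1) for r in executed_rows)}
    children = {}
    for ppid, cpid, pname in edges:
        names.setdefault(ppid, pname)          # the root is only named in the WPM rows
        if ppid in children:
            raise ValueError(f"pid {ppid} has more than one child; chain is not linear")
        children[ppid] = cpid
    all_children = set(children.values())
    roots = [p for p in children if p not in all_children]
    if len(roots) != 1:
        raise ValueError(f"expected one root, found {roots}")
    chain, pid = [], roots[0]
    while pid is not None:
        chain.append((pid, names.get(pid, "?")))
        pid = children.get(pid)
    return chain


def drop_lineage(chain, drop_rows):
    """(parent, child, verdict) per hop: True if the parent wrote the child's exe,
    False if some other process did, None if no drop row covers that file."""
    dropped_by = {}
    for row in drop_rows:
        m = DROP_RE.match(row)
        if m:
            path, proc = m.groups()
            dropped_by.setdefault(path.rsplit("\\", 1)[-1].lower(), set()).add(proc.lower())
    report = []
    for (_ppid, pname), (_cpid, cname) in zip(chain, chain[1:]):
        droppers = dropped_by.get(cname.lower())
        verdict = None if droppers is None else pname.lower() in droppers
        report.append((pname, cname, verdict))
    return report


if __name__ == "__main__":
    chain = build_chain(parse_wpm(WPM_ROWS), EXECUTED_ROWS)
    for parent, child, verdict in drop_lineage(chain, DROP_ROWS):
        print(f"{parent} -> {child}: dropped by parent = {verdict}")
```

A False verdict on a full report is the interesting case: it means a stage ran an executable that a different stage wrote, which breaks the one-drops-one pattern this chain otherwise follows. build_chain() deliberately refuses a non-linear tree so that a forked chain is noticed rather than silently flattened.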
Processes
One process per entry; entry N is the parent of entry N+1, and the bullets under an entry are the signatures that fired for it. Image paths are under C:\Windows\SysWOW64 while the command lines say C:\Windows\system32: the chain is 32-bit, so "system32" on its command line is redirected by WOW64 to SysWOW64, and that is where the dropped files actually live.

1. C:\Users\Admin\AppData\Local\Temp\NEAS.30a6a7f2ea3c0473151d340528fe2f00.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.30a6a7f2ea3c0473151d340528fe2f00.exe", PID 1820
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Cnbfgh32.exe
   command line: C:\Windows\system32\Cnbfgh32.exe, PID 4856
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Flboch32.exe
   command line: C:\Windows\system32\Flboch32.exe, PID 3164
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Glnnofhi.exe
   command line: C:\Windows\system32\Glnnofhi.exe, PID 220
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Gckcap32.exe
   command line: C:\Windows\system32\Gckcap32.exe, PID 4340
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Hjpkjh32.exe
   command line: C:\Windows\system32\Hjpkjh32.exe, PID 2204
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Ihmnldib.exe
   command line: C:\Windows\system32\Ihmnldib.exe, PID 2312
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Jqmicpbj.exe
   command line: C:\Windows\system32\Jqmicpbj.exe, PID 3884
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Kmkpipaf.exe
   command line: C:\Windows\system32\Kmkpipaf.exe, PID 1796
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Labkempb.exe
    command line: C:\Windows\system32\Labkempb.exe, PID 3344
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Mfhgcbfo.exe
    command line: C:\Windows\system32\Mfhgcbfo.exe, PID 1940
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Mfomda32.exe
    command line: C:\Windows\system32\Mfomda32.exe, PID 2236
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Pjjaci32.exe
    command line: C:\Windows\system32\Pjjaci32.exe, PID 4348
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Akenij32.exe
    command line: C:\Windows\system32\Akenij32.exe, PID 3340
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Aglnnkid.exe
    command line: C:\Windows\system32\Aglnnkid.exe, PID 1756
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Ahpdcn32.exe
    command line: C:\Windows\system32\Ahpdcn32.exe, PID 2400
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Bhennm32.exe
    command line: C:\Windows\system32\Bhennm32.exe, PID 5076
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Bdnkhn32.exe
    command line: C:\Windows\system32\Bdnkhn32.exe, PID 3712
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Cbdhgaid.exe
    command line: C:\Windows\system32\Cbdhgaid.exe, PID 4820
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Deqqek32.exe
    command line: C:\Windows\system32\Deqqek32.exe, PID 1532
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Elaobdmm.exe
    command line: C:\Windows\system32\Elaobdmm.exe, PID 1620
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Ejnbdp32.exe
    command line: C:\Windows\system32\Ejnbdp32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Flmonbbp.exeC:\Windows\system32\Flmonbbp.exe23⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Flddoa32.exeC:\Windows\system32\Flddoa32.exe24⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Glbapoqh.exeC:\Windows\system32\Glbapoqh.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Hifaic32.exeC:\Windows\system32\Hifaic32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:4044 -
C:\Windows\SysWOW64\Hchihhng.exeC:\Windows\system32\Hchihhng.exe27⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Iooimi32.exeC:\Windows\system32\Iooimi32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4192 -
C:\Windows\SysWOW64\Iabodcnj.exeC:\Windows\system32\Iabodcnj.exe29⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Jbghpc32.exeC:\Windows\system32\Jbghpc32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Jbieebha.exeC:\Windows\system32\Jbieebha.exe31⤵
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Jkhpogij.exeC:\Windows\system32\Jkhpogij.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Kcfnqccd.exeC:\Windows\system32\Kcfnqccd.exe33⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Liabjh32.exeC:\Windows\system32\Liabjh32.exe34⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Mbamcm32.exeC:\Windows\system32\Mbamcm32.exe35⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Ndliin32.exeC:\Windows\system32\Ndliin32.exe36⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Pmbjcb32.exeC:\Windows\system32\Pmbjcb32.exe37⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Pgmkbg32.exeC:\Windows\system32\Pgmkbg32.exe38⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Pphlpl32.exeC:\Windows\system32\Pphlpl32.exe39⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Qpmfklbq.exeC:\Windows\system32\Qpmfklbq.exe40⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Bgbmdd32.exeC:\Windows\system32\Bgbmdd32.exe41⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Bkepeaaa.exeC:\Windows\system32\Bkepeaaa.exe42⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Bglpjb32.exeC:\Windows\system32\Bglpjb32.exe43⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Cjofambd.exeC:\Windows\system32\Cjofambd.exe44⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Cdfgdf32.exeC:\Windows\system32\Cdfgdf32.exe45⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Ckclfp32.exeC:\Windows\system32\Ckclfp32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Dnfanjqp.exeC:\Windows\system32\Dnfanjqp.exe47⤵
- Executes dropped EXE
PID:3804 -
C:\Windows\SysWOW64\Dccjfaog.exeC:\Windows\system32\Dccjfaog.exe48⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Dnhncjom.exeC:\Windows\system32\Dnhncjom.exe49⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Ekcemmgo.exeC:\Windows\system32\Ekcemmgo.exe50⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Flodilma.exeC:\Windows\system32\Flodilma.exe51⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Falmabki.exeC:\Windows\system32\Falmabki.exe52⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Fnpmkg32.exeC:\Windows\system32\Fnpmkg32.exe53⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Fhjoilop.exeC:\Windows\system32\Fhjoilop.exe54⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Gdaonmdd.exeC:\Windows\system32\Gdaonmdd.exe55⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Gmjcgb32.exeC:\Windows\system32\Gmjcgb32.exe56⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Gajibq32.exeC:\Windows\system32\Gajibq32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:3428 -
C:\Windows\SysWOW64\Hoiihcde.exeC:\Windows\system32\Hoiihcde.exe58⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Iamoon32.exeC:\Windows\system32\Iamoon32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Jliimf32.exeC:\Windows\system32\Jliimf32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:4980 -
C:\Windows\SysWOW64\Jafaem32.exeC:\Windows\system32\Jafaem32.exe61⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Jefgak32.exeC:\Windows\system32\Jefgak32.exe62⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Jamhflqq.exeC:\Windows\system32\Jamhflqq.exe63⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Klgend32.exeC:\Windows\system32\Klgend32.exe64⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Khbpndnp.exeC:\Windows\system32\Khbpndnp.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3500 -
C:\Windows\SysWOW64\Lkfeeo32.exeC:\Windows\system32\Lkfeeo32.exe66⤵
- Modifies registry class
PID:4228 -
C:\Windows\SysWOW64\Lfkich32.exeC:\Windows\system32\Lfkich32.exe67⤵PID:1428
-
C:\Windows\SysWOW64\Miqlpbap.exeC:\Windows\system32\Miqlpbap.exe68⤵PID:4684
-
C:\Windows\SysWOW64\Mmaakpfd.exeC:\Windows\system32\Mmaakpfd.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2968 -
C:\Windows\SysWOW64\Mndjhhjp.exeC:\Windows\system32\Mndjhhjp.exe70⤵PID:4636
-
C:\Windows\SysWOW64\Mkhkblii.exeC:\Windows\system32\Mkhkblii.exe71⤵
- Modifies registry class
PID:3716 -
C:\Windows\SysWOW64\Nnpjdfpb.exeC:\Windows\system32\Nnpjdfpb.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3744 -
C:\Windows\SysWOW64\Nppfnige.exeC:\Windows\system32\Nppfnige.exe73⤵PID:412
-
C:\Windows\SysWOW64\Omdghmfo.exeC:\Windows\system32\Omdghmfo.exe74⤵PID:1264
-
C:\Windows\SysWOW64\Pocpqcpm.exeC:\Windows\system32\Pocpqcpm.exe75⤵
- Modifies registry class
PID:3332 -
C:\Windows\SysWOW64\Pllieg32.exeC:\Windows\system32\Pllieg32.exe76⤵PID:2060
-
C:\Windows\SysWOW64\Qmkfoj32.exeC:\Windows\system32\Qmkfoj32.exe77⤵PID:3008
-
C:\Windows\SysWOW64\Qfcjhphd.exeC:\Windows\system32\Qfcjhphd.exe78⤵PID:3508
-
C:\Windows\SysWOW64\Qmnbej32.exeC:\Windows\system32\Qmnbej32.exe79⤵PID:4232
-
C:\Windows\SysWOW64\Aooolbep.exeC:\Windows\system32\Aooolbep.exe80⤵PID:3684
-
C:\Windows\SysWOW64\Aidcjk32.exeC:\Windows\system32\Aidcjk32.exe81⤵
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Abmhbplf.exeC:\Windows\system32\Abmhbplf.exe82⤵PID:5064
-
C:\Windows\SysWOW64\Aifpoj32.exeC:\Windows\system32\Aifpoj32.exe83⤵PID:3204
-
C:\Windows\SysWOW64\Abodhpic.exeC:\Windows\system32\Abodhpic.exe84⤵PID:1768
-
C:\Windows\SysWOW64\Bedgejbo.exeC:\Windows\system32\Bedgejbo.exe85⤵
- Drops file in System32 directory
PID:4436 -
C:\Windows\SysWOW64\Bomknp32.exeC:\Windows\system32\Bomknp32.exe86⤵
- Drops file in System32 directory
PID:4400 -
C:\Windows\SysWOW64\Bgkipl32.exeC:\Windows\system32\Bgkipl32.exe87⤵PID:1824
-
C:\Windows\SysWOW64\Clhbhc32.exeC:\Windows\system32\Clhbhc32.exe88⤵PID:3568
-
C:\Windows\SysWOW64\Cgmfel32.exeC:\Windows\system32\Cgmfel32.exe89⤵PID:4220
-
C:\Windows\SysWOW64\Cpfkna32.exeC:\Windows\system32\Cpfkna32.exe90⤵PID:5192
-
C:\Windows\SysWOW64\Dlcaca32.exeC:\Windows\system32\Dlcaca32.exe91⤵PID:5236
-
C:\Windows\SysWOW64\Dgkbfjeg.exeC:\Windows\system32\Dgkbfjeg.exe92⤵PID:5296
-
C:\Windows\SysWOW64\Djnhne32.exeC:\Windows\system32\Djnhne32.exe93⤵
- Modifies registry class
PID:5340 -
C:\Windows\SysWOW64\Dokqfl32.exeC:\Windows\system32\Dokqfl32.exe94⤵PID:5424
-
C:\Windows\SysWOW64\Eggbbhkj.exeC:\Windows\system32\Eggbbhkj.exe95⤵PID:5464
-
C:\Windows\SysWOW64\Emdjjo32.exeC:\Windows\system32\Emdjjo32.exe96⤵PID:5512
-
C:\Windows\SysWOW64\Egiohh32.exeC:\Windows\system32\Egiohh32.exe97⤵PID:5572
-
C:\Windows\SysWOW64\Epgpajdp.exeC:\Windows\system32\Epgpajdp.exe98⤵PID:5644
-
C:\Windows\SysWOW64\Fmpjfn32.exeC:\Windows\system32\Fmpjfn32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5684 -
C:\Windows\SysWOW64\Fcibchgq.exeC:\Windows\system32\Fcibchgq.exe100⤵
- Modifies registry class
PID:5752 -
C:\Windows\SysWOW64\Fnacfp32.exeC:\Windows\system32\Fnacfp32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5808 -
C:\Windows\SysWOW64\Ggoaje32.exeC:\Windows\system32\Ggoaje32.exe102⤵PID:5856
-
C:\Windows\SysWOW64\Hcjkje32.exeC:\Windows\system32\Hcjkje32.exe103⤵
- Drops file in System32 directory
PID:5900 -
C:\Windows\SysWOW64\Hfmqapcl.exeC:\Windows\system32\Hfmqapcl.exe104⤵
- Modifies registry class
PID:5944 -
C:\Windows\SysWOW64\Jddggb32.exeC:\Windows\system32\Jddggb32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5980 -
C:\Windows\SysWOW64\Joikdk32.exeC:\Windows\system32\Joikdk32.exe106⤵
- Drops file in System32 directory
PID:6032 -
C:\Windows\SysWOW64\Jpmdabfb.exeC:\Windows\system32\Jpmdabfb.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6072 -
C:\Windows\SysWOW64\Jkbhok32.exeC:\Windows\system32\Jkbhok32.exe108⤵PID:6116
-
C:\Windows\SysWOW64\Jpoagb32.exeC:\Windows\system32\Jpoagb32.exe109⤵
- Modifies registry class
PID:5148 -
C:\Windows\SysWOW64\Jopaejlo.exeC:\Windows\system32\Jopaejlo.exe110⤵PID:5224
-
C:\Windows\SysWOW64\Kdmjmqjf.exeC:\Windows\system32\Kdmjmqjf.exe111⤵PID:5324
-
C:\Windows\SysWOW64\Lonnfg32.exeC:\Windows\system32\Lonnfg32.exe112⤵
- Drops file in System32 directory
PID:5436 -
C:\Windows\SysWOW64\Mbfmha32.exeC:\Windows\system32\Mbfmha32.exe113⤵PID:5504
-
C:\Windows\SysWOW64\Mgceqh32.exeC:\Windows\system32\Mgceqh32.exe114⤵PID:5652
-
C:\Windows\SysWOW64\Oeqagi32.exeC:\Windows\system32\Oeqagi32.exe115⤵PID:5704
-
C:\Windows\SysWOW64\Apkhfo32.exeC:\Windows\system32\Apkhfo32.exe116⤵PID:5784
-
C:\Windows\SysWOW64\Aoqegk32.exeC:\Windows\system32\Aoqegk32.exe117⤵PID:2228
-
C:\Windows\SysWOW64\Aogkhjii.exeC:\Windows\system32\Aogkhjii.exe118⤵PID:5880
-
C:\Windows\SysWOW64\Bedpjdoc.exeC:\Windows\system32\Bedpjdoc.exe119⤵
- Modifies registry class
PID:5932 -
C:\Windows\SysWOW64\Bhgeao32.exeC:\Windows\system32\Bhgeao32.exe120⤵PID:5988
-
C:\Windows\SysWOW64\Bbljoh32.exeC:\Windows\system32\Bbljoh32.exe121⤵PID:6084
-
C:\Windows\SysWOW64\Ciioaa32.exeC:\Windows\system32\Ciioaa32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5128