Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
155s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
16/11/2023, 17:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.0f33f4d2843d87be015cb286f6ea53de.exe
Resource
win7-20231020-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.0f33f4d2843d87be015cb286f6ea53de.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.0f33f4d2843d87be015cb286f6ea53de.exe
-
Size
172KB
-
MD5
0f33f4d2843d87be015cb286f6ea53de
-
SHA1
34c0d6ab80d23e2ae2db8a650f4beceac42b0d43
-
SHA256
bd1153aad1f743b6e538ce8fb1ad494f3daf381432540d031a4dafa5bb0e0726
-
SHA512
df95200523afadeaf199939ddbd88b69607bd947dadbe68c63265daec18487331009f01c561c3e1463b595f5b3f1d3299d82f39cfe7b3c84b7248d22b6bb72a1
-
SSDEEP
3072:OKL/zkvPRaQPS1LjnT6AZm0aHEV4sxgu+tAcrbFAJc+RsUi1aVDkOvhJjvJ:O+ovPR7S1Lv4s8rtMsQB
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efmmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmkgkapm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncmhko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jokiig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajpqnneo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcddcbab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqpamb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okkdic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gikdkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpkkgbmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dabhomea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlhlleeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phedhmhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgfapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoaojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efopjbjg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eangjkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fajgfiag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koiejemn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmechmip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emjgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcpcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbnopbdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obcceg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgpoihnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcpcgfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbqalle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flpbnh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljilqnlm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnmkfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cemndbci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Folkjnbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foqdem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icdhdfcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnfjbdmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikndgg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmoohe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmpcdfll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqgjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Decdeama.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijkdkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbpkkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famhmfkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiggbhda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnnjmbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibcaknbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnjjfegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljdceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aanbhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggdbmoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paoollik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebimgcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkjjlhle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfaajnfb.exe -
Executes dropped EXE 64 IoCs
pid Process 184 Ackigjmh.exe 3928 Aobilkcl.exe 4044 Aijnep32.exe 1892 Aodfajaj.exe 3608 Afnnnd32.exe 5044 Bgnkhg32.exe 1056 Bqilgmdg.exe 5004 Bidqko32.exe 4968 Bciehh32.exe 1552 Bifmqo32.exe 2236 Bggnof32.exe 2080 Bihjfnmm.exe 2448 Cflkpblf.exe 4532 Cabomkll.exe 4516 Cjjcfabm.exe 4844 Cgndoeag.exe 3612 Cpihcgoa.exe 4212 Cjomap32.exe 1348 Cpleig32.exe 2164 Dmpfbk32.exe 3796 Dmbbhkjf.exe 1084 Dannij32.exe 4520 Dmdonkgc.exe 3292 Dikpbl32.exe 1792 Ddadpdmn.exe 3832 Djklmo32.exe 3028 Dhomfc32.exe 1076 Eipinkib.exe 4276 Eaindh32.exe 4660 Ehfcfb32.exe 5088 Eigonjcj.exe 3168 Eiildjag.exe 3328 Epcdqd32.exe 2288 Efmmmn32.exe 1668 Facqkg32.exe 3464 Fineoi32.exe 4932 Fhofmq32.exe 3244 Fipbdikp.exe 4564 Fpjjac32.exe 3324 Fgdbnmji.exe 1500 Fmnkkg32.exe 3096 Fhdohp32.exe 3204 Fielph32.exe 3116 Fpodlbng.exe 4436 Gmcdffmq.exe 4232 Ghhhcomg.exe 3240 Gijekg32.exe 380 Gpfjma32.exe 3604 Ggpbjkpl.exe 4196 Gnjjfegi.exe 4400 Giqkkf32.exe 1360 Gpkchqdj.exe 1172 Hgelek32.exe 5060 Hnodaecc.exe 3736 Hpmpnp32.exe 1028 Hhdhon32.exe 1260 Hjedffig.exe 3228 Hdkidohn.exe 732 Hjhalefe.exe 2088 Hpbiip32.exe 2336 Hglaej32.exe 1768 Hnfjbdmk.exe 2700 Hdpbon32.exe 4716 Hkjjlhle.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Iqpfjnba.exe Ijfnmc32.exe File created C:\Windows\SysWOW64\Oljoen32.exe Odbgdp32.exe File created C:\Windows\SysWOW64\Lhgdahgp.dll Pnhjig32.exe File opened for modification C:\Windows\SysWOW64\Gimoce32.exe Gaffbg32.exe File opened for modification C:\Windows\SysWOW64\Hbbdad32.exe Process not Found File created C:\Windows\SysWOW64\Ankdbf32.exe Process not Found File created C:\Windows\SysWOW64\Aakebqbj.exe Akamff32.exe File created C:\Windows\SysWOW64\Hdjbiheb.exe Hmpjmn32.exe File opened for modification C:\Windows\SysWOW64\Bafndi32.exe Blielbfi.exe File opened for modification C:\Windows\SysWOW64\Mhmcck32.exe Mgkjch32.exe File opened for modification C:\Windows\SysWOW64\Bcfkiock.exe Process not Found File opened for modification C:\Windows\SysWOW64\Miofjepg.exe Mniallpq.exe File created C:\Windows\SysWOW64\Kpdjljdk.dll Lopmii32.exe File created C:\Windows\SysWOW64\Eqpfknbj.exe Process not Found File created C:\Windows\SysWOW64\Pbobep32.dll Process not Found File created C:\Windows\SysWOW64\Mfplpfib.dll Dpphjp32.exe File opened for modification C:\Windows\SysWOW64\Hifaic32.exe Gaoihfoo.exe File created C:\Windows\SysWOW64\Oioldk32.dll Process not Found File created C:\Windows\SysWOW64\Jmknkk32.exe Process not Found File created C:\Windows\SysWOW64\Gflcnanp.exe Gjebiq32.exe File created C:\Windows\SysWOW64\Ioppho32.exe Hfgloiqf.exe File opened for modification C:\Windows\SysWOW64\Ikhghi32.exe Ihjjln32.exe File created C:\Windows\SysWOW64\Mkellk32.dll Akhcfe32.exe File created C:\Windows\SysWOW64\Aolece32.dll Fmmmfj32.exe File created C:\Windows\SysWOW64\Jponoqjl.dll Pfandnla.exe File opened for modification C:\Windows\SysWOW64\Pdjgha32.exe Pffgom32.exe File opened for modification C:\Windows\SysWOW64\Dllffa32.exe Cmgjee32.exe File created C:\Windows\SysWOW64\Olieecnn.dll Johnamkm.exe File opened for modification C:\Windows\SysWOW64\Bcomonkq.exe Process not Found File created C:\Windows\SysWOW64\Abhaaf32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cmcolgbj.exe Cihclh32.exe File created C:\Windows\SysWOW64\Fcniglmb.exe Elgaeolp.exe File created C:\Windows\SysWOW64\Colbef32.dll Ffpcbchm.exe File opened for modification C:\Windows\SysWOW64\Hkgnalep.exe Hhiaepfl.exe File opened for modification C:\Windows\SysWOW64\Cfeplh32.exe Process not Found File created C:\Windows\SysWOW64\Ljkifn32.exe Lijlof32.exe File created C:\Windows\SysWOW64\Lpefcn32.dll Jcmdaljn.exe File created C:\Windows\SysWOW64\Qjiipk32.exe Qaqegecm.exe File created C:\Windows\SysWOW64\Dpkhci32.dll Fcbgfhii.exe File opened for modification C:\Windows\SysWOW64\Gqaeme32.exe Process not Found File created C:\Windows\SysWOW64\Dqboip32.dll Bbiado32.exe File created C:\Windows\SysWOW64\Ojenek32.dll Oanokhdb.exe File created C:\Windows\SysWOW64\Cpbbak32.exe Chkjpm32.exe File created C:\Windows\SysWOW64\Glqkefff.exe Gegchl32.exe File created C:\Windows\SysWOW64\Ohmkjd32.dll Cpleig32.exe File opened for modification C:\Windows\SysWOW64\Dmbbhkjf.exe Dmpfbk32.exe File created C:\Windows\SysWOW64\Mopabjci.dll Ijkdkq32.exe File created C:\Windows\SysWOW64\Qiobpljq.dll Jfdafa32.exe File opened for modification C:\Windows\SysWOW64\Aadghn32.exe Qmdblp32.exe File opened for modification C:\Windows\SysWOW64\Djeegf32.exe Process not Found File created C:\Windows\SysWOW64\Npjfngdm.dll Ldipha32.exe File created C:\Windows\SysWOW64\Paoollik.exe Plbfdekd.exe File created C:\Windows\SysWOW64\Hiinoc32.exe Hcofbifb.exe File created C:\Windows\SysWOW64\Ijkdkq32.exe Ikjcmi32.exe File opened for modification C:\Windows\SysWOW64\Ncmhko32.exe Nfihbk32.exe File created C:\Windows\SysWOW64\Bjdlfi32.dll Fpimlfke.exe File created C:\Windows\SysWOW64\Aplaoj32.exe Ajohfcpj.exe File opened for modification C:\Windows\SysWOW64\Nhlfoodc.exe Lamlphoo.exe File created C:\Windows\SysWOW64\Bllble32.exe Process not Found File created C:\Windows\SysWOW64\Iahlcaol.exe Ikndgg32.exe File created C:\Windows\SysWOW64\Cpjmok32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Blmamh32.exe Process not Found File created C:\Windows\SysWOW64\Fjdiliki.dll Afkknogn.exe File created C:\Windows\SysWOW64\Nmnpml32.dll Eplgeokq.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oanokhdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpdhhmkg.dll" Gjebiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbmffi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjgeedch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfniikha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opopdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eklgldgf.dll" Kfejmobh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kicomdnf.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkhkjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmnbfhal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlkplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gafnik32.dll" Aaofedkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkjpklj.dll" Mjcljk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfkfcja.dll" Piphgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pidabppl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epndknin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnhdjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bidqko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppffec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njahki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfggld32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijcjmmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll" Fnffhgon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqboal32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmdohhp.dll" Jojdlfeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikejbjip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcckk32.dll" Jocefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fielph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhhlki32.dll" Qaqegecm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ildolk32.dll" Nmfmde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eedmlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oebdml32.dll" Ggdbmoho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbidk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdnmfclj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lblldc32.dll" Iebngial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjbofkpn.dll" Ellicihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhijqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjmhfb32.dll" Obafpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kicfijal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icjengld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Polppg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofpnmakg.dll" Enpmld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpiaimfg.dll" Hnlodjpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnenchoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hipdpbgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdmqp32.dll" Lbkkgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efepbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcpcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnm32.dll" Pmnbfhal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jendmajn.dll" Qaflgago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfplpfib.dll" Dpphjp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1984 wrote to memory of 184 1984 NEAS.0f33f4d2843d87be015cb286f6ea53de.exe 86 PID 1984 wrote to memory of 184 1984 NEAS.0f33f4d2843d87be015cb286f6ea53de.exe 86 PID 1984 wrote to memory of 184 1984 NEAS.0f33f4d2843d87be015cb286f6ea53de.exe 86 PID 184 wrote to memory of 3928 184 Ackigjmh.exe 87 PID 184 wrote to memory of 3928 184 Ackigjmh.exe 87 PID 184 wrote to memory of 3928 184 Ackigjmh.exe 87 PID 3928 wrote to memory of 4044 3928 Aobilkcl.exe 88 PID 3928 wrote to memory of 4044 3928 Aobilkcl.exe 88 PID 3928 wrote to memory of 4044 3928 Aobilkcl.exe 88 PID 4044 wrote to memory of 1892 4044 Aijnep32.exe 89 PID 4044 wrote to memory of 1892 4044 Aijnep32.exe 89 PID 4044 wrote to memory of 1892 4044 Aijnep32.exe 89 PID 1892 wrote to memory of 3608 1892 Aodfajaj.exe 90 PID 1892 wrote to memory of 3608 1892 Aodfajaj.exe 90 PID 1892 wrote to memory of 3608 1892 Aodfajaj.exe 90 PID 3608 wrote to memory of 5044 3608 Afnnnd32.exe 91 PID 3608 wrote to memory of 5044 3608 Afnnnd32.exe 91 PID 3608 wrote to memory of 5044 3608 Afnnnd32.exe 91 PID 5044 wrote to memory of 1056 5044 Bgnkhg32.exe 92 PID 5044 wrote to memory of 1056 5044 Bgnkhg32.exe 92 PID 5044 wrote to memory of 1056 5044 Bgnkhg32.exe 92 PID 1056 wrote to memory of 5004 1056 Bqilgmdg.exe 93 PID 1056 wrote to memory of 5004 1056 Bqilgmdg.exe 93 PID 1056 wrote to memory of 5004 1056 Bqilgmdg.exe 93 PID 5004 wrote to memory of 4968 5004 Bidqko32.exe 94 PID 5004 wrote to memory of 4968 5004 Bidqko32.exe 94 PID 5004 wrote to memory of 4968 5004 Bidqko32.exe 94 PID 4968 wrote to memory of 1552 4968 Bciehh32.exe 96 PID 4968 wrote to memory of 1552 4968 Bciehh32.exe 96 PID 4968 wrote to memory of 1552 4968 Bciehh32.exe 96 PID 1552 wrote to memory of 2236 1552 Bifmqo32.exe 97 PID 1552 wrote to memory of 2236 1552 Bifmqo32.exe 97 PID 1552 wrote to memory of 2236 1552 Bifmqo32.exe 97 PID 2236 wrote to memory of 2080 2236 Bggnof32.exe 98 PID 2236 wrote to memory of 2080 2236 Bggnof32.exe 98 PID 2236 wrote to memory of 2080 2236 Bggnof32.exe 98 PID 2080 wrote to memory of 2448 2080 Bihjfnmm.exe 99 PID 2080 wrote to memory of 2448 2080 Bihjfnmm.exe 99 PID 2080 wrote to memory of 2448 2080 Bihjfnmm.exe 99 PID 2448 wrote to memory of 4532 2448 Cflkpblf.exe 100 PID 2448 wrote to memory of 4532 2448 Cflkpblf.exe 100 PID 2448 wrote to memory of 4532 2448 Cflkpblf.exe 100 PID 4532 wrote to memory of 4516 4532 Cabomkll.exe 101 PID 4532 wrote to memory of 4516 4532 Cabomkll.exe 101 PID 4532 wrote to memory of 4516 4532 Cabomkll.exe 101 PID 4516 wrote to memory of 4844 4516 Cjjcfabm.exe 102 PID 4516 wrote to memory of 4844 4516 Cjjcfabm.exe 102 PID 4516 wrote to memory of 4844 4516 Cjjcfabm.exe 102 PID 4844 wrote to memory of 3612 4844 Cgndoeag.exe 103 PID 4844 wrote to memory of 3612 4844 Cgndoeag.exe 103 PID 4844 wrote to memory of 3612 4844 Cgndoeag.exe 103 PID 3612 wrote to memory of 4212 3612 Cpihcgoa.exe 104 PID 3612 wrote to memory of 4212 3612 Cpihcgoa.exe 104 PID 3612 wrote to memory of 4212 3612 Cpihcgoa.exe 104 PID 4212 wrote to memory of 1348 4212 Cjomap32.exe 106 PID 4212 wrote to memory of 1348 4212 Cjomap32.exe 106 PID 4212 wrote to memory of 1348 4212 Cjomap32.exe 106 PID 1348 wrote to memory of 2164 1348 Cpleig32.exe 107 PID 1348 wrote to memory of 2164 1348 Cpleig32.exe 107 PID 1348 wrote to memory of 2164 1348 Cpleig32.exe 107 PID 2164 wrote to memory of 3796 2164 Dmpfbk32.exe 108 PID 2164 wrote to memory of 3796 2164 Dmpfbk32.exe 108 PID 2164 wrote to memory of 3796 2164 Dmpfbk32.exe 108 PID 3796 wrote to memory of 1084 3796 Dmbbhkjf.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.0f33f4d2843d87be015cb286f6ea53de.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.0f33f4d2843d87be015cb286f6ea53de.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Bifmqo32.exeC:\Windows\system32\Bifmqo32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Cpihcgoa.exeC:\Windows\system32\Cpihcgoa.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe23⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe24⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe25⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe26⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe27⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe28⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Eipinkib.exeC:\Windows\system32\Eipinkib.exe29⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe30⤵
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe31⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe32⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Eiildjag.exeC:\Windows\system32\Eiildjag.exe33⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Epcdqd32.exeC:\Windows\system32\Epcdqd32.exe34⤵
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Efmmmn32.exeC:\Windows\system32\Efmmmn32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe36⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe37⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe38⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe39⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe40⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe41⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe42⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe43⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:3204 -
C:\Windows\SysWOW64\Fpodlbng.exeC:\Windows\system32\Fpodlbng.exe45⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe46⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe47⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe48⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Gpfjma32.exeC:\Windows\system32\Gpfjma32.exe49⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe50⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Gnjjfegi.exeC:\Windows\system32\Gnjjfegi.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe52⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Gpkchqdj.exeC:\Windows\system32\Gpkchqdj.exe53⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe54⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe55⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe56⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Hhdhon32.exeC:\Windows\system32\Hhdhon32.exe57⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe58⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe59⤵
- Executes dropped EXE
PID:3228 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe60⤵
- Executes dropped EXE
PID:732 -
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe61⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe62⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Hnfjbdmk.exeC:\Windows\system32\Hnfjbdmk.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe64⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Hkjjlhle.exeC:\Windows\system32\Hkjjlhle.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Hacbhb32.exeC:\Windows\system32\Hacbhb32.exe66⤵PID:3560
-
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe67⤵PID:4160
-
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe68⤵PID:3936
-
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe69⤵PID:860
-
C:\Windows\SysWOW64\Ihphkl32.exeC:\Windows\system32\Ihphkl32.exe70⤵PID:1484
-
C:\Windows\SysWOW64\Ikndgg32.exeC:\Windows\system32\Ikndgg32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Iahlcaol.exeC:\Windows\system32\Iahlcaol.exe72⤵PID:4144
-
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe73⤵PID:4052
-
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe74⤵PID:1824
-
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe75⤵PID:1516
-
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe76⤵PID:5132
-
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe77⤵
- Drops file in System32 directory
PID:5188 -
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe78⤵PID:5264
-
C:\Windows\SysWOW64\Ihgnkkbd.exeC:\Windows\system32\Ihgnkkbd.exe79⤵PID:5300
-
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe80⤵PID:5348
-
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe81⤵PID:5384
-
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe82⤵
- Modifies registry class
PID:5440 -
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe83⤵PID:5484
-
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe84⤵PID:5532
-
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe85⤵PID:5572
-
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe86⤵PID:5624
-
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe87⤵PID:5672
-
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe88⤵PID:5712
-
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe89⤵PID:5760
-
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe90⤵PID:5824
-
C:\Windows\SysWOW64\Jkomneim.exeC:\Windows\system32\Jkomneim.exe91⤵PID:5868
-
C:\Windows\SysWOW64\Jqlefl32.exeC:\Windows\system32\Jqlefl32.exe92⤵PID:5908
-
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe93⤵PID:5956
-
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe94⤵PID:6000
-
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe95⤵PID:6044
-
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe96⤵PID:6084
-
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe97⤵PID:6132
-
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe98⤵PID:5176
-
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5308 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe100⤵PID:5372
-
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5424 -
C:\Windows\SysWOW64\Kijchhbo.exeC:\Windows\system32\Kijchhbo.exe102⤵PID:5508
-
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe103⤵PID:5564
-
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe104⤵PID:5668
-
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe105⤵PID:5748
-
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe106⤵PID:5796
-
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe107⤵PID:5896
-
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe108⤵PID:5968
-
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6032 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe110⤵
- Modifies registry class
PID:6124 -
C:\Windows\SysWOW64\Lghcocol.exeC:\Windows\system32\Lghcocol.exe111⤵PID:5164
-
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe112⤵PID:5328
-
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5452 -
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe114⤵PID:5560
-
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe115⤵
- Drops file in System32 directory
PID:5688 -
C:\Windows\SysWOW64\Ljkifn32.exeC:\Windows\system32\Ljkifn32.exe116⤵PID:5808
-
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe117⤵PID:5932
-
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe118⤵PID:6024
-
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe119⤵
- Drops file in System32 directory
PID:5124 -
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe120⤵PID:5324
-
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe121⤵PID:5548
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-