Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
55s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
17/11/2023, 23:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.31bfb3f27ff2ec97a31302548825abc0.exe
Resource
win7-20231025-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.31bfb3f27ff2ec97a31302548825abc0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.31bfb3f27ff2ec97a31302548825abc0.exe
-
Size
462KB
-
MD5
31bfb3f27ff2ec97a31302548825abc0
-
SHA1
40a3c4985a86a38c0d17b33344d2036ff44be4fe
-
SHA256
491489bb3c99b8cbd9f3f016632bb9397fe8aede7f6e5f5ded7db205d28709fc
-
SHA512
21847c947ada377b765f306455cf11837374d9aae540598407ed0da1c63b48b526494cb2a28afc937900d977f81506abc6da07595821e802af3d3f265c8471a9
-
SSDEEP
6144:UhOz0Bw6/eKxSlKKZ74u67nryz6/eKxff0qjwszeX9z6/ojwszeXmOEgHixuqjw2:mIlr54u8nrTjgj+HiPj
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcdqhecd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agjhbbob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbkfcabb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnfpinmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbjddh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbdpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geklckkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjepkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfnnmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gledpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjieii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbdpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjeplijj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbnnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcabej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgjhpcmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iajdgcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnlcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meadlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kifjip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chmnnamb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmbmdeoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghojbq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inidkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohncdobq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acdioc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgekdq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geoapenf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhckeeam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khknaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obpkcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aflpkpjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lechkaga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcfidb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imklncch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkgeainn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfkbfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Majoikof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Majoikof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbfoclai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iepihf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fekclnif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbdiknlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piocecgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaflio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhfbog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loniiflo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlqpaafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hphglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giahndcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bagmdllg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdolgfbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgoigcip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Namnmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjjggede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iojkeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhgkgijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aalmimfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnnimbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmnjan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cehdib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpqgjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imklncch.exe -
Executes dropped EXE 64 IoCs
pid Process 3876 Lmaamn32.exe 1248 Mnjqmpgg.exe 1500 Nclbpf32.exe 3716 Nnfpinmi.exe 4036 Omnjojpo.exe 3200 Ogekbb32.exe 3452 Ondljl32.exe 2020 Paiogf32.exe 2556 Pjbcplpe.exe 1012 Qjfmkk32.exe 948 Qpeahb32.exe 3892 Aoioli32.exe 3412 Amnlme32.exe 1772 Bkgeainn.exe 3340 Bacjdbch.exe 3972 Bhpofl32.exe 3868 Ckbemgcp.exe 3808 Chiblk32.exe 816 Cogddd32.exe 1724 Dkndie32.exe 380 Dqnjgl32.exe 2652 Dgjoif32.exe 4324 Ebaplnie.exe 760 Enhpao32.exe 5092 Edgbii32.exe 3500 Eghkjdoa.exe 2356 Fgjhpcmo.exe 4228 Fkmjaa32.exe 4500 Fgcjfbed.exe 3484 Gpolbo32.exe 3964 Geoapenf.exe 4164 Ghojbq32.exe 1628 Halhfe32.exe 1860 Ipbaol32.exe 4180 Ihmfco32.exe 4708 Iafkld32.exe 2240 Iojkeh32.exe 3516 Ilnlom32.exe 2492 Iajdgcab.exe 3928 Iehmmb32.exe 2688 Jhifomdj.exe 4308 Jocnlg32.exe 3408 Jhkbdmbg.exe 2348 Jlikkkhn.exe 2380 Jllhpkfk.exe 792 Jahqiaeb.exe 3548 Kcjjhdjb.exe 412 Kcapicdj.exe 1288 Lebijnak.exe 692 Lcfidb32.exe 2516 Lhcali32.exe 3420 Legben32.exe 1956 Lckboblp.exe 2184 Lhgkgijg.exe 2840 Mjggal32.exe 4376 Mjidgkog.exe 2528 Mbdiknlb.exe 3080 Mcfbkpab.exe 1708 Njbgmjgl.exe 3260 Nckkfp32.exe 3780 Nmcpoedn.exe 4296 Njgqhicg.exe 4372 Nfnamjhk.exe 4628 Nofefp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Obhmcdfq.dll Dkbgjo32.exe File created C:\Windows\SysWOW64\Pqgpcnpb.dll Fcekfnkb.exe File created C:\Windows\SysWOW64\Qpbgnecp.exe Qihoak32.exe File opened for modification C:\Windows\SysWOW64\Geklckkd.exe Giboijgb.exe File created C:\Windows\SysWOW64\Giahndcf.exe Gkqhpmkg.exe File created C:\Windows\SysWOW64\Jhfbog32.exe Jnnnfalp.exe File created C:\Windows\SysWOW64\Iqgjmg32.exe Ifaepolg.exe File opened for modification C:\Windows\SysWOW64\Lmgfod32.exe Lfmnbjcg.exe File created C:\Windows\SysWOW64\Lfbgmj32.exe Laeoec32.exe File opened for modification C:\Windows\SysWOW64\Onjebpml.exe Oeopnmoa.exe File created C:\Windows\SysWOW64\Bihancje.exe Bfghlhmd.exe File created C:\Windows\SysWOW64\Ganjgf32.dll Ihheqd32.exe File opened for modification C:\Windows\SysWOW64\Akenij32.exe Dpknhfoq.exe File opened for modification C:\Windows\SysWOW64\Nnfpinmi.exe Nclbpf32.exe File opened for modification C:\Windows\SysWOW64\Njbgmjgl.exe Mcfbkpab.exe File created C:\Windows\SysWOW64\Hlkjom32.dll Pbljoafi.exe File created C:\Windows\SysWOW64\Mknlef32.exe Meadlo32.exe File created C:\Windows\SysWOW64\Pjmlhkgb.dll Dpknhfoq.exe File created C:\Windows\SysWOW64\Mnpofk32.dll Cogddd32.exe File created C:\Windows\SysWOW64\Ipecicga.dll Bbdpad32.exe File opened for modification C:\Windows\SysWOW64\Jogqlpde.exe Jeolckne.exe File created C:\Windows\SysWOW64\Agjhbbob.exe Bidefbcg.exe File opened for modification C:\Windows\SysWOW64\Cpifeb32.exe Bedbhi32.exe File opened for modification C:\Windows\SysWOW64\Egmjpi32.exe Elhfbp32.exe File opened for modification C:\Windows\SysWOW64\Hfamia32.exe Hqddqj32.exe File created C:\Windows\SysWOW64\Necqbo32.exe Mknlef32.exe File opened for modification C:\Windows\SysWOW64\Pgihanii.exe Acmfel32.exe File created C:\Windows\SysWOW64\Mbdiknlb.exe Mjidgkog.exe File created C:\Windows\SysWOW64\Ecbeip32.exe Enemaimp.exe File created C:\Windows\SysWOW64\Kakednfj.exe Kmmmnp32.exe File created C:\Windows\SysWOW64\Oakojnlp.dll Ndejcemn.exe File opened for modification C:\Windows\SysWOW64\Dbcbnlcl.exe Clijablo.exe File created C:\Windows\SysWOW64\Qffoejkg.exe Pgeogb32.exe File opened for modification C:\Windows\SysWOW64\Clffalkf.exe Chinkndp.exe File created C:\Windows\SysWOW64\Nlpnapfn.dll Ghcbohpp.exe File created C:\Windows\SysWOW64\Kmmmnp32.exe Kaflio32.exe File opened for modification C:\Windows\SysWOW64\Nandhi32.exe Nmpkakak.exe File opened for modification C:\Windows\SysWOW64\Mdghhb32.exe Mhpgca32.exe File created C:\Windows\SysWOW64\Abbbel32.dll Dbcbnlcl.exe File created C:\Windows\SysWOW64\Dabhomea.exe Ckcbaf32.exe File opened for modification C:\Windows\SysWOW64\Eghkjdoa.exe Edgbii32.exe File created C:\Windows\SysWOW64\Maaoaa32.exe Mgkjch32.exe File opened for modification C:\Windows\SysWOW64\Eekjep32.exe Dpnbmi32.exe File opened for modification C:\Windows\SysWOW64\Imfmgcdn.exe Icminm32.exe File created C:\Windows\SysWOW64\Qglobbdg.dll Iajdgcab.exe File opened for modification C:\Windows\SysWOW64\Gnohnffc.exe Gbhhieao.exe File opened for modification C:\Windows\SysWOW64\Ocknbglo.exe Ofgmib32.exe File created C:\Windows\SysWOW64\Honhbgej.dll Mopeofjl.exe File created C:\Windows\SysWOW64\Dlnlak32.exe Dlkplk32.exe File created C:\Windows\SysWOW64\Fglnkm32.exe Fjhmbihg.exe File created C:\Windows\SysWOW64\Hgnlgdfg.dll Hjieii32.exe File opened for modification C:\Windows\SysWOW64\Paiogf32.exe Ondljl32.exe File created C:\Windows\SysWOW64\Ckbemgcp.exe Bhpofl32.exe File created C:\Windows\SysWOW64\Nodeaima.dll Binhnomg.exe File opened for modification C:\Windows\SysWOW64\Loopdmpk.exe Lahbei32.exe File opened for modification C:\Windows\SysWOW64\Ohcmpn32.exe Ohqpjo32.exe File created C:\Windows\SysWOW64\Flcfnn32.exe Fnnimbaj.exe File opened for modification C:\Windows\SysWOW64\Fjgfgbek.exe Flcfnn32.exe File created C:\Windows\SysWOW64\Pjegen32.dll Jgekdq32.exe File created C:\Windows\SysWOW64\Jnfjbj32.exe Jglaepim.exe File created C:\Windows\SysWOW64\Ldpbaelj.dll Jglaepim.exe File created C:\Windows\SysWOW64\Lmaedcfh.dll Dhnnoe32.exe File opened for modification C:\Windows\SysWOW64\Bfkbfd32.exe Bmbnnn32.exe File created C:\Windows\SysWOW64\Ebjjgd32.dll Dkndie32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2308 4276 Process not Found 1314 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kapclned.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghpooanf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcapicdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nocbfjmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgefogop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lokldg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmangnmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkpjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpbgnecp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lokldg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lagqnoge.dll" Kmmmnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfeijqqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chmehhpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igghilhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdaajd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfnnmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iejecf32.dll" Ankdbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpoggcb.dll" Qcnjijoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denlcd32.dll" Iccpniqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijflc32.dll" Obpkcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laeoec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lechkaga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjegpf32.dll" Mbfmha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfcqod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eemgkpef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmbnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjekja32.dll" Gbbkocid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfamia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eohhie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njbgmjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhpgca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohncdobq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opepqban.dll" Qpbgnecp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmekbhdn.dll" Naokbokn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghojbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjfof32.dll" Halhfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njbgmjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oejcki32.dll" Onjebpml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdaedgdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omnjojpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egmjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lipmoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loniiflo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhfbog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhpgca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lampbohh.dll" Kmbmdeoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cienon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdnkhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aalmimfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnnnfalp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnofpqff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckbemgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifaepolg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flcfnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honhbgej.dll" Mopeofjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjieii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocfgq32.dll" Igghilhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhkbdmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpjna32.dll" Ccppmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmkfp32.dll" Ddklbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmpkakak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jocnlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cildom32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3252 wrote to memory of 3876 3252 NEAS.31bfb3f27ff2ec97a31302548825abc0.exe 88 PID 3252 wrote to memory of 3876 3252 NEAS.31bfb3f27ff2ec97a31302548825abc0.exe 88 PID 3252 wrote to memory of 3876 3252 NEAS.31bfb3f27ff2ec97a31302548825abc0.exe 88 PID 3876 wrote to memory of 1248 3876 Lmaamn32.exe 89 PID 3876 wrote to memory of 1248 3876 Lmaamn32.exe 89 PID 3876 wrote to memory of 1248 3876 Lmaamn32.exe 89 PID 1248 wrote to memory of 1500 1248 Mnjqmpgg.exe 90 PID 1248 wrote to memory of 1500 1248 Mnjqmpgg.exe 90 PID 1248 wrote to memory of 1500 1248 Mnjqmpgg.exe 90 PID 1500 wrote to memory of 3716 1500 Nclbpf32.exe 92 PID 1500 wrote to memory of 3716 1500 Nclbpf32.exe 92 PID 1500 wrote to memory of 3716 1500 Nclbpf32.exe 92 PID 3716 wrote to memory of 4036 3716 Nnfpinmi.exe 93 PID 3716 wrote to memory of 4036 3716 Nnfpinmi.exe 93 PID 3716 wrote to memory of 4036 3716 Nnfpinmi.exe 93 PID 4036 wrote to memory of 3200 4036 Omnjojpo.exe 95 PID 4036 wrote to memory of 3200 4036 Omnjojpo.exe 95 PID 4036 wrote to memory of 3200 4036 Omnjojpo.exe 95 PID 3200 wrote to memory of 3452 3200 Ogekbb32.exe 96 PID 3200 wrote to memory of 3452 3200 Ogekbb32.exe 96 PID 3200 wrote to memory of 3452 3200 Ogekbb32.exe 96 PID 3452 wrote to memory of 2020 3452 Ondljl32.exe 97 PID 3452 wrote to memory of 2020 3452 Ondljl32.exe 97 PID 3452 wrote to memory of 2020 3452 Ondljl32.exe 97 PID 2020 wrote to memory of 2556 2020 Paiogf32.exe 98 PID 2020 wrote to memory of 2556 2020 Paiogf32.exe 98 PID 2020 wrote to memory of 2556 2020 Paiogf32.exe 98 PID 2556 wrote to memory of 1012 2556 Pjbcplpe.exe 99 PID 2556 wrote to memory of 1012 2556 Pjbcplpe.exe 99 PID 2556 wrote to memory of 1012 2556 Pjbcplpe.exe 99 PID 1012 wrote to memory of 948 1012 Qjfmkk32.exe 100 PID 1012 wrote to memory of 948 1012 Qjfmkk32.exe 100 PID 1012 wrote to memory of 948 1012 Qjfmkk32.exe 100 PID 948 wrote to memory of 3892 948 Qpeahb32.exe 101 PID 948 wrote to memory of 3892 948 Qpeahb32.exe 101 PID 948 wrote to memory of 3892 948 Qpeahb32.exe 101 PID 3892 wrote to memory of 3412 3892 Aoioli32.exe 102 PID 3892 wrote to memory of 3412 3892 Aoioli32.exe 102 PID 3892 wrote to memory of 3412 3892 Aoioli32.exe 102 PID 3412 wrote to memory of 1772 3412 Amnlme32.exe 104 PID 3412 wrote to memory of 1772 3412 Amnlme32.exe 104 PID 3412 wrote to memory of 1772 3412 Amnlme32.exe 104 PID 1772 wrote to memory of 3340 1772 Bkgeainn.exe 105 PID 1772 wrote to memory of 3340 1772 Bkgeainn.exe 105 PID 1772 wrote to memory of 3340 1772 Bkgeainn.exe 105 PID 3340 wrote to memory of 3972 3340 Bacjdbch.exe 106 PID 3340 wrote to memory of 3972 3340 Bacjdbch.exe 106 PID 3340 wrote to memory of 3972 3340 Bacjdbch.exe 106 PID 3972 wrote to memory of 3868 3972 Bhpofl32.exe 107 PID 3972 wrote to memory of 3868 3972 Bhpofl32.exe 107 PID 3972 wrote to memory of 3868 3972 Bhpofl32.exe 107 PID 3868 wrote to memory of 3808 3868 Ckbemgcp.exe 108 PID 3868 wrote to memory of 3808 3868 Ckbemgcp.exe 108 PID 3868 wrote to memory of 3808 3868 Ckbemgcp.exe 108 PID 3808 wrote to memory of 816 3808 Chiblk32.exe 109 PID 3808 wrote to memory of 816 3808 Chiblk32.exe 109 PID 3808 wrote to memory of 816 3808 Chiblk32.exe 109 PID 816 wrote to memory of 1724 816 Cogddd32.exe 110 PID 816 wrote to memory of 1724 816 Cogddd32.exe 110 PID 816 wrote to memory of 1724 816 Cogddd32.exe 110 PID 1724 wrote to memory of 380 1724 Dkndie32.exe 111 PID 1724 wrote to memory of 380 1724 Dkndie32.exe 111 PID 1724 wrote to memory of 380 1724 Dkndie32.exe 111 PID 380 wrote to memory of 2652 380 Dqnjgl32.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.31bfb3f27ff2ec97a31302548825abc0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.31bfb3f27ff2ec97a31302548825abc0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3252 -
C:\Windows\SysWOW64\Lmaamn32.exeC:\Windows\system32\Lmaamn32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\SysWOW64\Mnjqmpgg.exeC:\Windows\system32\Mnjqmpgg.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Nclbpf32.exeC:\Windows\system32\Nclbpf32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Nnfpinmi.exeC:\Windows\system32\Nnfpinmi.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Windows\SysWOW64\Omnjojpo.exeC:\Windows\system32\Omnjojpo.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Ogekbb32.exeC:\Windows\system32\Ogekbb32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\Ondljl32.exeC:\Windows\system32\Ondljl32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Paiogf32.exeC:\Windows\system32\Paiogf32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Pjbcplpe.exeC:\Windows\system32\Pjbcplpe.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Qjfmkk32.exeC:\Windows\system32\Qjfmkk32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Qpeahb32.exeC:\Windows\system32\Qpeahb32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Aoioli32.exeC:\Windows\system32\Aoioli32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
C:\Windows\SysWOW64\Amnlme32.exeC:\Windows\system32\Amnlme32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Windows\SysWOW64\Bkgeainn.exeC:\Windows\system32\Bkgeainn.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Bacjdbch.exeC:\Windows\system32\Bacjdbch.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Windows\SysWOW64\Bhpofl32.exeC:\Windows\system32\Bhpofl32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Ckbemgcp.exeC:\Windows\system32\Ckbemgcp.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\SysWOW64\Chiblk32.exeC:\Windows\system32\Chiblk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\SysWOW64\Cogddd32.exeC:\Windows\system32\Cogddd32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\Dkndie32.exeC:\Windows\system32\Dkndie32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Dqnjgl32.exeC:\Windows\system32\Dqnjgl32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Dgjoif32.exeC:\Windows\system32\Dgjoif32.exe23⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Ebaplnie.exeC:\Windows\system32\Ebaplnie.exe24⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Enhpao32.exeC:\Windows\system32\Enhpao32.exe25⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Edgbii32.exeC:\Windows\system32\Edgbii32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5092 -
C:\Windows\SysWOW64\Eghkjdoa.exeC:\Windows\system32\Eghkjdoa.exe27⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Fgjhpcmo.exeC:\Windows\system32\Fgjhpcmo.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Fkmjaa32.exeC:\Windows\system32\Fkmjaa32.exe29⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Fgcjfbed.exeC:\Windows\system32\Fgcjfbed.exe30⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Gpolbo32.exeC:\Windows\system32\Gpolbo32.exe31⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Geoapenf.exeC:\Windows\system32\Geoapenf.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Ghojbq32.exeC:\Windows\system32\Ghojbq32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4164 -
C:\Windows\SysWOW64\Halhfe32.exeC:\Windows\system32\Halhfe32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Ipbaol32.exeC:\Windows\system32\Ipbaol32.exe35⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Ihmfco32.exeC:\Windows\system32\Ihmfco32.exe36⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Iafkld32.exeC:\Windows\system32\Iafkld32.exe37⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Iojkeh32.exeC:\Windows\system32\Iojkeh32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Ilnlom32.exeC:\Windows\system32\Ilnlom32.exe39⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Iajdgcab.exeC:\Windows\system32\Iajdgcab.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Iehmmb32.exeC:\Windows\system32\Iehmmb32.exe41⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Jhifomdj.exeC:\Windows\system32\Jhifomdj.exe42⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Jocnlg32.exeC:\Windows\system32\Jocnlg32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:4308 -
C:\Windows\SysWOW64\Jhkbdmbg.exeC:\Windows\system32\Jhkbdmbg.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:3408 -
C:\Windows\SysWOW64\Jlikkkhn.exeC:\Windows\system32\Jlikkkhn.exe45⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Jllhpkfk.exeC:\Windows\system32\Jllhpkfk.exe46⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Jahqiaeb.exeC:\Windows\system32\Jahqiaeb.exe47⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Kcjjhdjb.exeC:\Windows\system32\Kcjjhdjb.exe48⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Kcapicdj.exeC:\Windows\system32\Kcapicdj.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:412 -
C:\Windows\SysWOW64\Lebijnak.exeC:\Windows\system32\Lebijnak.exe50⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Lcfidb32.exeC:\Windows\system32\Lcfidb32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Lhcali32.exeC:\Windows\system32\Lhcali32.exe52⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Legben32.exeC:\Windows\system32\Legben32.exe53⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Lckboblp.exeC:\Windows\system32\Lckboblp.exe54⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Lhgkgijg.exeC:\Windows\system32\Lhgkgijg.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Mjggal32.exeC:\Windows\system32\Mjggal32.exe56⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Mjidgkog.exeC:\Windows\system32\Mjidgkog.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4376 -
C:\Windows\SysWOW64\Mbdiknlb.exeC:\Windows\system32\Mbdiknlb.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Mcfbkpab.exeC:\Windows\system32\Mcfbkpab.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3080 -
C:\Windows\SysWOW64\Njbgmjgl.exeC:\Windows\system32\Njbgmjgl.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Nckkfp32.exeC:\Windows\system32\Nckkfp32.exe61⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Nmcpoedn.exeC:\Windows\system32\Nmcpoedn.exe62⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Njgqhicg.exeC:\Windows\system32\Njgqhicg.exe63⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Nfnamjhk.exeC:\Windows\system32\Nfnamjhk.exe64⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Nofefp32.exeC:\Windows\system32\Nofefp32.exe65⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Ojnfihmo.exeC:\Windows\system32\Ojnfihmo.exe66⤵PID:3008
-
C:\Windows\SysWOW64\Oblhcj32.exeC:\Windows\system32\Oblhcj32.exe67⤵PID:4668
-
C:\Windows\SysWOW64\Oophlo32.exeC:\Windows\system32\Oophlo32.exe68⤵PID:3648
-
C:\Windows\SysWOW64\Obqanjdb.exeC:\Windows\system32\Obqanjdb.exe69⤵PID:1432
-
C:\Windows\SysWOW64\Ppdbgncl.exeC:\Windows\system32\Ppdbgncl.exe70⤵PID:1620
-
C:\Windows\SysWOW64\Pfojdh32.exeC:\Windows\system32\Pfojdh32.exe71⤵PID:2260
-
C:\Windows\SysWOW64\Pcbkml32.exeC:\Windows\system32\Pcbkml32.exe72⤵PID:2460
-
C:\Windows\SysWOW64\Piocecgj.exeC:\Windows\system32\Piocecgj.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2724 -
C:\Windows\SysWOW64\Pbhgoh32.exeC:\Windows\system32\Pbhgoh32.exe74⤵PID:2012
-
C:\Windows\SysWOW64\Pbjddh32.exeC:\Windows\system32\Pbjddh32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5148 -
C:\Windows\SysWOW64\Ppnenlka.exeC:\Windows\system32\Ppnenlka.exe76⤵PID:5184
-
C:\Windows\SysWOW64\Pmbegqjk.exeC:\Windows\system32\Pmbegqjk.exe77⤵PID:5232
-
C:\Windows\SysWOW64\Qbonoghb.exeC:\Windows\system32\Qbonoghb.exe78⤵PID:5272
-
C:\Windows\SysWOW64\Qmdblp32.exeC:\Windows\system32\Qmdblp32.exe79⤵PID:5308
-
C:\Windows\SysWOW64\Qcnjijoe.exeC:\Windows\system32\Qcnjijoe.exe80⤵
- Modifies registry class
PID:5356 -
C:\Windows\SysWOW64\Amfobp32.exeC:\Windows\system32\Amfobp32.exe81⤵PID:5396
-
C:\Windows\SysWOW64\Ajjokd32.exeC:\Windows\system32\Ajjokd32.exe82⤵PID:5436
-
C:\Windows\SysWOW64\Adgmoigj.exeC:\Windows\system32\Adgmoigj.exe83⤵PID:5488
-
C:\Windows\SysWOW64\Aalmimfd.exeC:\Windows\system32\Aalmimfd.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5544 -
C:\Windows\SysWOW64\Abmjqe32.exeC:\Windows\system32\Abmjqe32.exe85⤵PID:5580
-
C:\Windows\SysWOW64\Bmbnnn32.exeC:\Windows\system32\Bmbnnn32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5644 -
C:\Windows\SysWOW64\Bfkbfd32.exeC:\Windows\system32\Bfkbfd32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5692 -
C:\Windows\SysWOW64\Bapgdm32.exeC:\Windows\system32\Bapgdm32.exe88⤵PID:5740
-
C:\Windows\SysWOW64\Biklho32.exeC:\Windows\system32\Biklho32.exe89⤵PID:5780
-
C:\Windows\SysWOW64\Bbdpad32.exeC:\Windows\system32\Bbdpad32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5824 -
C:\Windows\SysWOW64\Binhnomg.exeC:\Windows\system32\Binhnomg.exe91⤵
- Drops file in System32 directory
PID:5868 -
C:\Windows\SysWOW64\Bfaigclq.exeC:\Windows\system32\Bfaigclq.exe92⤵PID:5912
-
C:\Windows\SysWOW64\Bagmdllg.exeC:\Windows\system32\Bagmdllg.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5948 -
C:\Windows\SysWOW64\Cmnnimak.exeC:\Windows\system32\Cmnnimak.exe94⤵PID:5988
-
C:\Windows\SysWOW64\Cienon32.exeC:\Windows\system32\Cienon32.exe95⤵
- Modifies registry class
PID:6036 -
C:\Windows\SysWOW64\Cgiohbfi.exeC:\Windows\system32\Cgiohbfi.exe96⤵PID:6092
-
C:\Windows\SysWOW64\Ccppmc32.exeC:\Windows\system32\Ccppmc32.exe97⤵
- Modifies registry class
PID:6136 -
C:\Windows\SysWOW64\Cdolgfbp.exeC:\Windows\system32\Cdolgfbp.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5172 -
C:\Windows\SysWOW64\Cildom32.exeC:\Windows\system32\Cildom32.exe99⤵
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Cdaile32.exeC:\Windows\system32\Cdaile32.exe100⤵PID:5344
-
C:\Windows\SysWOW64\Dmjmekgn.exeC:\Windows\system32\Dmjmekgn.exe101⤵PID:5432
-
C:\Windows\SysWOW64\Dahfkimd.exeC:\Windows\system32\Dahfkimd.exe102⤵PID:5552
-
C:\Windows\SysWOW64\Dkpjdo32.exeC:\Windows\system32\Dkpjdo32.exe103⤵
- Modifies registry class
PID:5484 -
C:\Windows\SysWOW64\Dpmcmf32.exeC:\Windows\system32\Dpmcmf32.exe104⤵PID:5724
-
C:\Windows\SysWOW64\Dkbgjo32.exeC:\Windows\system32\Dkbgjo32.exe105⤵
- Drops file in System32 directory
PID:5812 -
C:\Windows\SysWOW64\Ddklbd32.exeC:\Windows\system32\Ddklbd32.exe106⤵
- Modifies registry class
PID:5876 -
C:\Windows\SysWOW64\Dpalgenf.exeC:\Windows\system32\Dpalgenf.exe107⤵PID:5932
-
C:\Windows\SysWOW64\Enemaimp.exeC:\Windows\system32\Enemaimp.exe108⤵
- Drops file in System32 directory
PID:6044 -
C:\Windows\SysWOW64\Ecbeip32.exeC:\Windows\system32\Ecbeip32.exe109⤵PID:5264
-
C:\Windows\SysWOW64\Ejccgi32.exeC:\Windows\system32\Ejccgi32.exe110⤵PID:5336
-
C:\Windows\SysWOW64\Edihdb32.exeC:\Windows\system32\Edihdb32.exe111⤵PID:5508
-
C:\Windows\SysWOW64\Fjeplijj.exeC:\Windows\system32\Fjeplijj.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5688 -
C:\Windows\SysWOW64\Fjhmbihg.exeC:\Windows\system32\Fjhmbihg.exe113⤵
- Drops file in System32 directory
PID:5768 -
C:\Windows\SysWOW64\Fglnkm32.exeC:\Windows\system32\Fglnkm32.exe114⤵PID:5960
-
C:\Windows\SysWOW64\Fjmfmh32.exeC:\Windows\system32\Fjmfmh32.exe115⤵PID:6028
-
C:\Windows\SysWOW64\Fcekfnkb.exeC:\Windows\system32\Fcekfnkb.exe116⤵
- Drops file in System32 directory
PID:4120 -
C:\Windows\SysWOW64\Gcghkm32.exeC:\Windows\system32\Gcghkm32.exe117⤵PID:4176
-
C:\Windows\SysWOW64\Gbhhieao.exeC:\Windows\system32\Gbhhieao.exe118⤵
- Drops file in System32 directory
PID:6104 -
C:\Windows\SysWOW64\Gnohnffc.exeC:\Windows\system32\Gnohnffc.exe119⤵PID:5444
-
C:\Windows\SysWOW64\Gdiakp32.exeC:\Windows\system32\Gdiakp32.exe120⤵PID:5748
-
C:\Windows\SysWOW64\Gnaecedp.exeC:\Windows\system32\Gnaecedp.exe121⤵PID:5860
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-