Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
07/05/2024, 09:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
197c41317868e056e59214e3766de350_NEAS.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
197c41317868e056e59214e3766de350_NEAS.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
197c41317868e056e59214e3766de350_NEAS.exe
-
Size
398KB
-
MD5
197c41317868e056e59214e3766de350
-
SHA1
adfad41dc640687e72505a6beae793b8daf95467
-
SHA256
545a567e442561c7537ff11f0cd48f7b945a251df8eae944781398774b7fdc7c
-
SHA512
83ea2d7910655e81422637b8fa72020a1b7ec4ca6f230c30051591b1080ab73180a2448644fb4a047a22684f0d913d342bccc9d444e8395a183fd4e44aad49db
-
SSDEEP
12288:kh6t3XGCByvNv54B9f01ZmHByvNv5imipWf0Aq:06t3XGpvr4B9f01ZmQvrimipWf0Aq
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffkcbgek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmjfdejp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgimmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqijej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnennj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnomcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clilkfnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njgldmdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fmcoja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhaqogk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leajdfnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Okfencna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdbdjhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dfoqmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekelld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhhadmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Inljnfkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdgneh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dggcffhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebinic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gegfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lbeknj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppbfpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpmfdcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phjelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpjiajeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eilpeooq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpbefoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkaocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qpgpkcpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfcampgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eqdajkkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Obojhlbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qabcjgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alpmfdcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckdanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lihmjejl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhahlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eajaoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kngfih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oqqapjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiakjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmaled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Npdjje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aekodi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacgdhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhgclfje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppamme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idmhkpml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldidkbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhjhkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmjfdejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bafidiio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbfdjdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjnfniii.exe -
Executes dropped EXE 64 IoCs
pid Process 1144 Kbalnnam.exe 2552 Kcahhq32.exe 2680 Kmimafop.exe 2112 Kphimanc.exe 2828 Klnjbbdh.exe 2464 Komfnnck.exe 2964 Llccmb32.exe 2976 Lmdpejfq.exe 2060 Lkhpnnej.exe 1980 Lmgmjjdn.exe 2852 Limmokib.exe 2340 Lbfahp32.exe 1200 Lkmjin32.exe 2328 Libgjj32.exe 2440 Llqcfe32.exe 2324 Mgfgdn32.exe 404 Mhgclfje.exe 1104 Mkhmma32.exe 2084 Mochnppo.exe 1124 Mabejlob.exe 852 Mdqafgnf.exe 1328 Mofecpnl.exe 2412 Mhnjle32.exe 1176 Mnkbdlbd.exe 2100 Mpjoqhah.exe 3012 Mkobnqan.exe 2860 Nnnojlpa.exe 2612 Ndgggf32.exe 2604 Nkaocp32.exe 2720 Nlblkhei.exe 2596 Nghphaeo.exe 2972 Njgldmdc.exe 1820 Nleiqhcg.exe 1796 Nocemcbj.exe 2800 Ngkmnacm.exe 2408 Nhlifi32.exe 348 Nqcagfim.exe 2856 Nhnfkigh.exe 2308 Nkmbgdfl.exe 2404 Nbfjdn32.exe 1544 Odegpj32.exe 2080 Okoomd32.exe 1508 Onmkio32.exe 2352 Ogfpbeim.exe 1008 Okalbc32.exe 1636 Onphoo32.exe 1572 Obkdonic.exe 1692 Odjpkihg.exe 2304 Oghlgdgk.exe 2868 Ojficpfn.exe 2224 Oqqapjnk.exe 2488 Ocomlemo.exe 2724 Okfencna.exe 2580 Omgaek32.exe 2064 Oenifh32.exe 2768 Ogmfbd32.exe 2528 Ojkboo32.exe 2804 Paejki32.exe 2232 Pgobhcac.exe 1872 Pfbccp32.exe 604 Pipopl32.exe 2056 Paggai32.exe 1516 Ppjglfon.exe 1832 Pfdpip32.exe -
Loads dropped DLL 64 IoCs
pid Process 2292 197c41317868e056e59214e3766de350_NEAS.exe 2292 197c41317868e056e59214e3766de350_NEAS.exe 1144 Kbalnnam.exe 1144 Kbalnnam.exe 2552 Kcahhq32.exe 2552 Kcahhq32.exe 2680 Kmimafop.exe 2680 Kmimafop.exe 2112 Kphimanc.exe 2112 Kphimanc.exe 2828 Klnjbbdh.exe 2828 Klnjbbdh.exe 2464 Komfnnck.exe 2464 Komfnnck.exe 2964 Llccmb32.exe 2964 Llccmb32.exe 2976 Lmdpejfq.exe 2976 Lmdpejfq.exe 2060 Lkhpnnej.exe 2060 Lkhpnnej.exe 1980 Lmgmjjdn.exe 1980 Lmgmjjdn.exe 2852 Limmokib.exe 2852 Limmokib.exe 2340 Lbfahp32.exe 2340 Lbfahp32.exe 1200 Lkmjin32.exe 1200 Lkmjin32.exe 2328 Libgjj32.exe 2328 Libgjj32.exe 2440 Llqcfe32.exe 2440 Llqcfe32.exe 2324 Mgfgdn32.exe 2324 Mgfgdn32.exe 404 Mhgclfje.exe 404 Mhgclfje.exe 1104 Mkhmma32.exe 1104 Mkhmma32.exe 2084 Mochnppo.exe 2084 Mochnppo.exe 1124 Mabejlob.exe 1124 Mabejlob.exe 852 Mdqafgnf.exe 852 Mdqafgnf.exe 1328 Mofecpnl.exe 1328 Mofecpnl.exe 2412 Mhnjle32.exe 2412 Mhnjle32.exe 1176 Mnkbdlbd.exe 1176 Mnkbdlbd.exe 2100 Mpjoqhah.exe 2100 Mpjoqhah.exe 3012 Mkobnqan.exe 3012 Mkobnqan.exe 2860 Nnnojlpa.exe 2860 Nnnojlpa.exe 2612 Ndgggf32.exe 2612 Ndgggf32.exe 2604 Nkaocp32.exe 2604 Nkaocp32.exe 2720 Nlblkhei.exe 2720 Nlblkhei.exe 2596 Nghphaeo.exe 2596 Nghphaeo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Obkdonic.exe Onphoo32.exe File created C:\Windows\SysWOW64\Eecqjpee.exe Epfhbign.exe File created C:\Windows\SysWOW64\Fdoclk32.exe Faagpp32.exe File opened for modification C:\Windows\SysWOW64\Bpnbkeld.exe Bmpfojmp.exe File created C:\Windows\SysWOW64\Mghohc32.dll Chbjffad.exe File created C:\Windows\SysWOW64\Kcahhq32.exe Kbalnnam.exe File opened for modification C:\Windows\SysWOW64\Pelipl32.exe Ppoqge32.exe File opened for modification C:\Windows\SysWOW64\Dfijnd32.exe Doobajme.exe File created C:\Windows\SysWOW64\Hgpdcgoc.dll Hicodd32.exe File opened for modification C:\Windows\SysWOW64\Hhjhkq32.exe Hellne32.exe File created C:\Windows\SysWOW64\Bqdgkecq.dll Lollckbk.exe File created C:\Windows\SysWOW64\Gbaoqk32.dll Idklfpon.exe File opened for modification C:\Windows\SysWOW64\Leonofpp.exe Loeebl32.exe File created C:\Windows\SysWOW64\Lmgmjjdn.exe Lkhpnnej.exe File created C:\Windows\SysWOW64\Eemeeh32.dll Llqcfe32.exe File created C:\Windows\SysWOW64\Oghlgdgk.exe Odjpkihg.exe File opened for modification C:\Windows\SysWOW64\Ogmfbd32.exe Oenifh32.exe File opened for modification C:\Windows\SysWOW64\Pmnhfjmg.exe Pjpkjond.exe File opened for modification C:\Windows\SysWOW64\Eajaoq32.exe Enkece32.exe File opened for modification C:\Windows\SysWOW64\Mhdplq32.exe Ldidkbpb.exe File opened for modification C:\Windows\SysWOW64\Alpmfdcb.exe Aibajhdn.exe File created C:\Windows\SysWOW64\Pfioffab.dll Ahgnke32.exe File opened for modification C:\Windows\SysWOW64\Oqqapjnk.exe Ojficpfn.exe File created C:\Windows\SysWOW64\Dgmglh32.exe Dflkdp32.exe File created C:\Windows\SysWOW64\Enlbgc32.dll Hggomh32.exe File created C:\Windows\SysWOW64\Nkbhgojk.exe Nialog32.exe File created C:\Windows\SysWOW64\Lfnbefhd.dll Nkiogn32.exe File opened for modification C:\Windows\SysWOW64\Aibajhdn.exe Afcenm32.exe File created C:\Windows\SysWOW64\Gojbjm32.dll Ccahbp32.exe File created C:\Windows\SysWOW64\Ejkima32.exe Ekhhadmk.exe File created C:\Windows\SysWOW64\Fidoim32.exe Effcma32.exe File created C:\Windows\SysWOW64\Immfnjan.dll Kblhgk32.exe File opened for modification C:\Windows\SysWOW64\Baakhm32.exe Bbokmqie.exe File opened for modification C:\Windows\SysWOW64\Nocemcbj.exe Nleiqhcg.exe File opened for modification C:\Windows\SysWOW64\Fdapak32.exe Fpfdalii.exe File created C:\Windows\SysWOW64\Lfnjef32.dll Ebodiofk.exe File opened for modification C:\Windows\SysWOW64\Pdaoog32.exe Onhgbmfb.exe File created C:\Windows\SysWOW64\Fqiaclmk.dll Pdaoog32.exe File opened for modification C:\Windows\SysWOW64\Bmpfojmp.exe Bfenbpec.exe File opened for modification C:\Windows\SysWOW64\Ekelld32.exe Ehgppi32.exe File opened for modification C:\Windows\SysWOW64\Fidoim32.exe Effcma32.exe File opened for modification C:\Windows\SysWOW64\Ocomlemo.exe Oqqapjnk.exe File created C:\Windows\SysWOW64\Pdfdcg32.dll Bkodhe32.exe File created C:\Windows\SysWOW64\Ccdcec32.dll Cobbhfhg.exe File opened for modification C:\Windows\SysWOW64\Ikpjgkjq.exe Ihankokm.exe File opened for modification C:\Windows\SysWOW64\Afcenm32.exe Anlmmp32.exe File created C:\Windows\SysWOW64\Njmggi32.dll Ejhlgaeh.exe File created C:\Windows\SysWOW64\Lmdpejfq.exe Llccmb32.exe File opened for modification C:\Windows\SysWOW64\Dbbkja32.exe Dodonf32.exe File created C:\Windows\SysWOW64\Fckjalhj.exe Ebinic32.exe File created C:\Windows\SysWOW64\Pqiqnfej.dll Iaeiieeb.exe File opened for modification C:\Windows\SysWOW64\Inljnfkg.exe Ioijbj32.exe File created C:\Windows\SysWOW64\Dggcffhg.exe Ddigjkid.exe File created C:\Windows\SysWOW64\Ampqjm32.exe Ajbdna32.exe File created C:\Windows\SysWOW64\Omabcb32.dll Hknach32.exe File created C:\Windows\SysWOW64\Ipnnggjm.dll Joplbl32.exe File created C:\Windows\SysWOW64\Mmahdggc.exe Monhhk32.exe File created C:\Windows\SysWOW64\Bmpfojmp.exe Bfenbpec.exe File created C:\Windows\SysWOW64\Eeoffcnl.dll Pmdjdh32.exe File created C:\Windows\SysWOW64\Ckblig32.dll Ccfhhffh.exe File created C:\Windows\SysWOW64\Jpajnpao.dll Gddifnbk.exe File created C:\Windows\SysWOW64\Hpkjko32.exe Hahjpbad.exe File created C:\Windows\SysWOW64\Lkncmmle.exe Lhpfqama.exe File opened for modification C:\Windows\SysWOW64\Mmahdggc.exe Monhhk32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5292 5268 WerFault.exe 473 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckffgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cillgpen.dll" Dchali32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Inqcif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ppbfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bekkcljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eqdajkkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eccmffjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Paggai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Leajdfnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ghmiam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qcpofbjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oegjkb32.dll" Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckjpacfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkqbaecc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nbfjdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ppoqge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poaljn32.dll" Onmkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffihah32.dll" Ckffgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fdoclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llqcfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Okalbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqpnhgek.dll" Oqqapjnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onphoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Joifam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnaocmmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Okfencna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcgeaj32.dll" Pmnhfjmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bldcpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obkdonic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dejpca32.dll" Icmlam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nneloe32.dll" Nceclqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfioffab.dll" Ahgnke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmmiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eojnkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iqmcpahh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjlnif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kkgmgmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll" Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfojbj32.dll" Icpigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbjochdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbnhng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneqdoee.dll" Ckjpacfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mpjoqhah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Omgaek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqiaclmk.dll" Pdaoog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmmiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dfamcogo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ddigjkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhbjkfod.dll" Ojkboo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knlafm32.dll" Omdneebf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijqnib32.dll" Lajhofao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Monhhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfeho32.dll" Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnakg32.dll" Limmokib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmaibnf.dll" Clomqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dqjepm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eqpgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckqfeoma.dll" Lbnemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gopkmhjk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2292 wrote to memory of 1144 2292 197c41317868e056e59214e3766de350_NEAS.exe 28 PID 2292 wrote to memory of 1144 2292 197c41317868e056e59214e3766de350_NEAS.exe 28 PID 2292 wrote to memory of 1144 2292 197c41317868e056e59214e3766de350_NEAS.exe 28 PID 2292 wrote to memory of 1144 2292 197c41317868e056e59214e3766de350_NEAS.exe 28 PID 1144 wrote to memory of 2552 1144 Kbalnnam.exe 29 PID 1144 wrote to memory of 2552 1144 Kbalnnam.exe 29 PID 1144 wrote to memory of 2552 1144 Kbalnnam.exe 29 PID 1144 wrote to memory of 2552 1144 Kbalnnam.exe 29 PID 2552 wrote to memory of 2680 2552 Kcahhq32.exe 30 PID 2552 wrote to memory of 2680 2552 Kcahhq32.exe 30 PID 2552 wrote to memory of 2680 2552 Kcahhq32.exe 30 PID 2552 wrote to memory of 2680 2552 Kcahhq32.exe 30 PID 2680 wrote to memory of 2112 2680 Kmimafop.exe 31 PID 2680 wrote to memory of 2112 2680 Kmimafop.exe 31 PID 2680 wrote to memory of 2112 2680 Kmimafop.exe 31 PID 2680 wrote to memory of 2112 2680 Kmimafop.exe 31 PID 2112 wrote to memory of 2828 2112 Kphimanc.exe 32 PID 2112 wrote to memory of 2828 2112 Kphimanc.exe 32 PID 2112 wrote to memory of 2828 2112 Kphimanc.exe 32 PID 2112 wrote to memory of 2828 2112 Kphimanc.exe 32 PID 2828 wrote to memory of 2464 2828 Klnjbbdh.exe 33 PID 2828 wrote to memory of 2464 2828 Klnjbbdh.exe 33 PID 2828 wrote to memory of 2464 2828 Klnjbbdh.exe 33 PID 2828 wrote to memory of 2464 2828 Klnjbbdh.exe 33 PID 2464 wrote to memory of 2964 2464 Komfnnck.exe 34 PID 2464 wrote to memory of 2964 2464 Komfnnck.exe 34 PID 2464 wrote to memory of 2964 2464 Komfnnck.exe 34 PID 2464 wrote to memory of 2964 2464 Komfnnck.exe 34 PID 2964 wrote to memory of 2976 2964 Llccmb32.exe 35 PID 2964 wrote to memory of 2976 2964 Llccmb32.exe 35 PID 2964 wrote to memory of 2976 2964 Llccmb32.exe 35 PID 2964 wrote to memory of 2976 2964 Llccmb32.exe 35 PID 2976 wrote to memory of 2060 2976 Lmdpejfq.exe 36 PID 2976 wrote to memory of 2060 2976 Lmdpejfq.exe 36 PID 2976 wrote to memory of 2060 2976 Lmdpejfq.exe 36 PID 2976 wrote to memory of 2060 2976 Lmdpejfq.exe 36 PID 2060 wrote to memory of 1980 2060 Lkhpnnej.exe 37 PID 2060 wrote to memory of 1980 2060 Lkhpnnej.exe 37 PID 2060 wrote to memory of 1980 2060 Lkhpnnej.exe 37 PID 2060 wrote to memory of 1980 2060 Lkhpnnej.exe 37 PID 1980 wrote to memory of 2852 1980 Lmgmjjdn.exe 38 PID 1980 wrote to memory of 2852 1980 Lmgmjjdn.exe 38 PID 1980 wrote to memory of 2852 1980 Lmgmjjdn.exe 38 PID 1980 wrote to memory of 2852 1980 Lmgmjjdn.exe 38 PID 2852 wrote to memory of 2340 2852 Limmokib.exe 39 PID 2852 wrote to memory of 2340 2852 Limmokib.exe 39 PID 2852 wrote to memory of 2340 2852 Limmokib.exe 39 PID 2852 wrote to memory of 2340 2852 Limmokib.exe 39 PID 2340 wrote to memory of 1200 2340 Lbfahp32.exe 40 PID 2340 wrote to memory of 1200 2340 Lbfahp32.exe 40 PID 2340 wrote to memory of 1200 2340 Lbfahp32.exe 40 PID 2340 wrote to memory of 1200 2340 Lbfahp32.exe 40 PID 1200 wrote to memory of 2328 1200 Lkmjin32.exe 41 PID 1200 wrote to memory of 2328 1200 Lkmjin32.exe 41 PID 1200 wrote to memory of 2328 1200 Lkmjin32.exe 41 PID 1200 wrote to memory of 2328 1200 Lkmjin32.exe 41 PID 2328 wrote to memory of 2440 2328 Libgjj32.exe 42 PID 2328 wrote to memory of 2440 2328 Libgjj32.exe 42 PID 2328 wrote to memory of 2440 2328 Libgjj32.exe 42 PID 2328 wrote to memory of 2440 2328 Libgjj32.exe 42 PID 2440 wrote to memory of 2324 2440 Llqcfe32.exe 43 PID 2440 wrote to memory of 2324 2440 Llqcfe32.exe 43 PID 2440 wrote to memory of 2324 2440 Llqcfe32.exe 43 PID 2440 wrote to memory of 2324 2440 Llqcfe32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\197c41317868e056e59214e3766de350_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\197c41317868e056e59214e3766de350_NEAS.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:404 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1104 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1124 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1328 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1176 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe35⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe36⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe37⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe38⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe39⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe40⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe42⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe43⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe45⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1008 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe50⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe53⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe57⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe59⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe60⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe61⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe62⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe65⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe66⤵
- Drops file in System32 directory
PID:1844 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe67⤵
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe68⤵PID:2432
-
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe69⤵PID:1528
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe70⤵PID:2540
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe71⤵PID:2664
-
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe73⤵PID:2516
-
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1744 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2572 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe76⤵PID:2436
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe77⤵PID:2348
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe78⤵PID:2904
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe79⤵PID:2816
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe80⤵PID:1504
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe81⤵PID:328
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe82⤵PID:1028
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe83⤵PID:412
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe84⤵PID:1724
-
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe85⤵PID:2608
-
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe86⤵PID:1152
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe87⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe88⤵PID:1172
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe89⤵PID:2756
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe90⤵PID:1716
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe91⤵PID:2848
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe92⤵PID:880
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe93⤵PID:1768
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe94⤵PID:2268
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe95⤵PID:1360
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe96⤵PID:2184
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe97⤵PID:2356
-
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe98⤵PID:1940
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2164 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe100⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe101⤵PID:2960
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe102⤵PID:1644
-
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe103⤵PID:308
-
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe104⤵PID:1948
-
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe105⤵PID:2444
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe106⤵
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe107⤵
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2840 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2892 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe110⤵PID:1752
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe111⤵PID:1320
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe112⤵PID:1728
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe113⤵
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe114⤵
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe115⤵
- Drops file in System32 directory
PID:1312 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe116⤵PID:2312
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe117⤵
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe118⤵PID:2052
-
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe119⤵PID:3040
-
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe120⤵PID:1356
-
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe121⤵PID:2776
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-