Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
138s -
max time network
107s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2024, 11:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
67d39019e8ba962837f7da10e7f3fc90_NEAS.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
67d39019e8ba962837f7da10e7f3fc90_NEAS.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
67d39019e8ba962837f7da10e7f3fc90_NEAS.exe
-
Size
96KB
-
MD5
67d39019e8ba962837f7da10e7f3fc90
-
SHA1
0cf6a46165698717191788b2e95bc6b5d7c56092
-
SHA256
288eee3970b902ff4ab5a70f4d255a1f64ee9e3000f2206bf0430879100f5f7a
-
SHA512
c11bdeaf02f441fc4047f2d7527eba4651e507ef44189fe3ab46ddeb429898ce7f022e9f61e00bda1650a4c87c792ce3743d4f4ba653e4aaba8023283dcd18f4
-
SSDEEP
1536:htEPtZDgVr/uL5bHH2nFLev87m6xxbW/BOmVCMy0QiLiizHNQNdq:zEPL6uBH2FLcYxxC5OmVCMyELiAHONdq
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obfhba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjjhbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifjfnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aelcfilb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ickchq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnihcq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eofbch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hofdacke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldohebqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afoeiklb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fljcmlfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcijeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgbefoji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bajjli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baaplhef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhidjpqc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgkpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckcgkldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dojcgi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfembo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmlcbbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klngdpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdjagjco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icgqggce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdaldd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hecmijim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dknpmdfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmgdgjek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cahfmgoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chbnia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjokdipf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmccchkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjpiha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dddojq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miemjaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jplmmfmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnaikd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfifmnij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klljnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnhahj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojhiqefo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbpem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eolpmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npcoakfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onfbfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbjoljdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdeqhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbgmcnhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kaqcbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qchmagie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aanjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njacpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imgkql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heapdjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjeddggd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njogjfoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddojq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhjmiad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaghf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgdbkohf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbpgbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbjlfi32.exe -
Executes dropped EXE 64 IoCs
pid Process 4432 Hccglh32.exe 2552 Hippdo32.exe 2648 Hpihai32.exe 2672 Hfcpncdk.exe 1268 Hjolnb32.exe 4280 Hmmhjm32.exe 1692 Icgqggce.exe 3180 Iffmccbi.exe 2324 Impepm32.exe 4472 Ibmmhdhm.exe 1536 Iiffen32.exe 1352 Iannfk32.exe 4604 Ibojncfj.exe 2040 Ifjfnb32.exe 3640 Ipckgh32.exe 1216 Ijhodq32.exe 2728 Imgkql32.exe 4900 Ifopiajn.exe 3600 Ijkljp32.exe 2996 Jaedgjjd.exe 4652 Jbfpobpb.exe 3736 Jagqlj32.exe 2440 Jfdida32.exe 4436 Jibeql32.exe 1208 Jmnaakne.exe 1212 Jplmmfmi.exe 4624 Jbkjjblm.exe 1452 Jjbako32.exe 1020 Jdjfcecp.exe 1956 Jmbklj32.exe 3936 Jpaghf32.exe 3316 Jiikak32.exe 692 Kaqcbi32.exe 4260 Kdopod32.exe 4416 Kilhgk32.exe 3328 Kmgdgjek.exe 3088 Kdaldd32.exe 2132 Kkkdan32.exe 3256 Kmjqmi32.exe 3388 Kaemnhla.exe 5096 Kgbefoji.exe 3204 Kknafn32.exe 1044 Kmlnbi32.exe 4696 Kpjjod32.exe 1724 Kgdbkohf.exe 4008 Kajfig32.exe 4892 Kdhbec32.exe 2364 Kkbkamnl.exe 4592 Lalcng32.exe 4408 Lpocjdld.exe 2188 Lkdggmlj.exe 4036 Lmccchkn.exe 1496 Lpappc32.exe 2096 Lgkhlnbn.exe 1228 Lnepih32.exe 3160 Ldohebqh.exe 2532 Lgneampk.exe 4980 Laciofpa.exe 612 Lpfijcfl.exe 3508 Lklnhlfb.exe 1060 Lgbnmm32.exe 3324 Mjqjih32.exe 5000 Mahbje32.exe 876 Mdfofakp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aaqfok32.dll Ifllil32.exe File created C:\Windows\SysWOW64\Inpocg32.dll Kbfbkj32.exe File created C:\Windows\SysWOW64\Ngpccdlj.exe Ndaggimg.exe File created C:\Windows\SysWOW64\Jkageheh.dll 67d39019e8ba962837f7da10e7f3fc90_NEAS.exe File opened for modification C:\Windows\SysWOW64\Nqpego32.exe Nnaikd32.exe File created C:\Windows\SysWOW64\Jbllbm32.dll Pkceffcd.exe File created C:\Windows\SysWOW64\Fafkecel.exe Fohoigfh.exe File created C:\Windows\SysWOW64\Ffddka32.exe Faihkbci.exe File created C:\Windows\SysWOW64\Dpmdoo32.dll Aqncedbp.exe File created C:\Windows\SysWOW64\Dfpgffpm.exe Ddakjkqi.exe File created C:\Windows\SysWOW64\Maohkd32.exe Mncmjfmk.exe File created C:\Windows\SysWOW64\Mdpalp32.exe Maaepd32.exe File opened for modification C:\Windows\SysWOW64\Bejogg32.exe Bblckl32.exe File created C:\Windows\SysWOW64\Kldggoeb.dll Fcfhof32.exe File opened for modification C:\Windows\SysWOW64\Cjpckf32.exe Cagobalc.exe File opened for modification C:\Windows\SysWOW64\Mdkhapfj.exe Mamleegg.exe File created C:\Windows\SysWOW64\Cliaoq32.exe Chmeobkq.exe File opened for modification C:\Windows\SysWOW64\Gcimkc32.exe Gmoeoidl.exe File created C:\Windows\SysWOW64\Pqknig32.exe Ojaelm32.exe File created C:\Windows\SysWOW64\Bchdhnom.dll Mcpnhfhf.exe File opened for modification C:\Windows\SysWOW64\Jaedgjjd.exe Ijkljp32.exe File created C:\Windows\SysWOW64\Ndbnboqb.exe Nacbfdao.exe File created C:\Windows\SysWOW64\Lpkman32.dll Pqpnombl.exe File created C:\Windows\SysWOW64\Iiggphnk.dll Aacckjaf.exe File created C:\Windows\SysWOW64\Dejpjp32.dll Fhgjblfq.exe File created C:\Windows\SysWOW64\Ekhjmiad.exe Eleiam32.exe File opened for modification C:\Windows\SysWOW64\Imakkfdg.exe Iifokh32.exe File opened for modification C:\Windows\SysWOW64\Mdhdajea.exe Mibpda32.exe File created C:\Windows\SysWOW64\Mgghhlhq.exe Mdiklqhm.exe File created C:\Windows\SysWOW64\Nqpego32.exe Nnaikd32.exe File created C:\Windows\SysWOW64\Abbpem32.exe Adapgfqj.exe File opened for modification C:\Windows\SysWOW64\Bblckl32.exe Blbknaib.exe File created C:\Windows\SysWOW64\Hlpijopg.dll Cahfmgoo.exe File created C:\Windows\SysWOW64\Qmmnjfnl.exe Qgqeappe.exe File created C:\Windows\SysWOW64\Ljbncc32.dll Afoeiklb.exe File created C:\Windows\SysWOW64\Mkgmcjld.exe Mglack32.exe File opened for modification C:\Windows\SysWOW64\Qchmagie.exe Qajadlja.exe File opened for modification C:\Windows\SysWOW64\Hfifmnij.exe Hmabdibj.exe File created C:\Windows\SysWOW64\Heapdjlp.exe Hijooifk.exe File created C:\Windows\SysWOW64\Nnjlpo32.exe Ngpccdlj.exe File created C:\Windows\SysWOW64\Njacpf32.exe Ngcgcjnc.exe File opened for modification C:\Windows\SysWOW64\Flqimk32.exe Ffgqqaip.exe File created C:\Windows\SysWOW64\Jhondp32.dll Gdcdbl32.exe File created C:\Windows\SysWOW64\Hkmefd32.exe Hioiji32.exe File opened for modification C:\Windows\SysWOW64\Menjdbgj.exe Mcpnhfhf.exe File created C:\Windows\SysWOW64\Llcpoo32.exe Liddbc32.exe File created C:\Windows\SysWOW64\Kpdobeck.dll Mdfofakp.exe File opened for modification C:\Windows\SysWOW64\Mjcgohig.exe Mgekbljc.exe File opened for modification C:\Windows\SysWOW64\Ogcpjhoq.exe Odednmpm.exe File created C:\Windows\SysWOW64\Jglkll32.dll Ogcpjhoq.exe File created C:\Windows\SysWOW64\Iicbehnq.exe Ifefimom.exe File created C:\Windows\SysWOW64\Hjolnb32.exe Hfcpncdk.exe File created C:\Windows\SysWOW64\Mdmegp32.exe Maohkd32.exe File created C:\Windows\SysWOW64\Fpaeonmc.dll Boepel32.exe File created C:\Windows\SysWOW64\Jlednamo.exe Jifhaenk.exe File opened for modification C:\Windows\SysWOW64\Nnjlpo32.exe Ngpccdlj.exe File opened for modification C:\Windows\SysWOW64\Jlednamo.exe Jifhaenk.exe File created C:\Windows\SysWOW64\Mpjlklok.exe Medgncoe.exe File opened for modification C:\Windows\SysWOW64\Dfpgffpm.exe Ddakjkqi.exe File created C:\Windows\SysWOW64\Eplmgmol.dll Kaqcbi32.exe File created C:\Windows\SysWOW64\Kgdbkohf.exe Kpjjod32.exe File created C:\Windows\SysWOW64\Imdhga32.dll Cafigg32.exe File created C:\Windows\SysWOW64\Chdfonda.dll Gcimkc32.exe File created C:\Windows\SysWOW64\Hjakkfbf.dll Iifokh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10284 11168 WerFault.exe 524 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcogch32.dll" Ocegdjij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndaggimg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Banllbdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amddjegd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfkedibe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehljfnpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogifjcdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll" Ogkcpbam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qddfkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Colffknh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndaggimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll" Jdjfcecp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogjmdigk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjghpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blfdia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll" Jpaghf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aacckjaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Daekdooc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdeqhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Heapdjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ageolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqiogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehjgecbe.dll" Pbbgnpgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbnpqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chmeobkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icgqggce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Maaepd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odednmpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiknll32.dll" Fhqcam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdaldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iefioj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imakkfdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Neeqea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmidh32.dll" Obangb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fljcmlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceacpg32.dll" Ikpaldog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll" Anfmjhmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkbkamnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Becifhfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fafkecel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdqgmmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll" Jjbako32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihoofe32.dll" Ickchq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll" Calhnpgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmbklj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjgia32.dll" Acjjfggb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aogmoeik.dll" Ffddka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nphhmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbgmcnhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll" Kgdbkohf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpflfc32.dll" Alabgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcagkdba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdcdbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddakjkqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbkmemo.dll" Impepm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdpalp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbpnkama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll" Nnjlpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmnaakne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pqpnombl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fomhdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Banllbdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmhale32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jedeph32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4852 wrote to memory of 4432 4852 67d39019e8ba962837f7da10e7f3fc90_NEAS.exe 86 PID 4852 wrote to memory of 4432 4852 67d39019e8ba962837f7da10e7f3fc90_NEAS.exe 86 PID 4852 wrote to memory of 4432 4852 67d39019e8ba962837f7da10e7f3fc90_NEAS.exe 86 PID 4432 wrote to memory of 2552 4432 Hccglh32.exe 87 PID 4432 wrote to memory of 2552 4432 Hccglh32.exe 87 PID 4432 wrote to memory of 2552 4432 Hccglh32.exe 87 PID 2552 wrote to memory of 2648 2552 Hippdo32.exe 88 PID 2552 wrote to memory of 2648 2552 Hippdo32.exe 88 PID 2552 wrote to memory of 2648 2552 Hippdo32.exe 88 PID 2648 wrote to memory of 2672 2648 Hpihai32.exe 89 PID 2648 wrote to memory of 2672 2648 Hpihai32.exe 89 PID 2648 wrote to memory of 2672 2648 Hpihai32.exe 89 PID 2672 wrote to memory of 1268 2672 Hfcpncdk.exe 90 PID 2672 wrote to memory of 1268 2672 Hfcpncdk.exe 90 PID 2672 wrote to memory of 1268 2672 Hfcpncdk.exe 90 PID 1268 wrote to memory of 4280 1268 Hjolnb32.exe 91 PID 1268 wrote to memory of 4280 1268 Hjolnb32.exe 91 PID 1268 wrote to memory of 4280 1268 Hjolnb32.exe 91 PID 4280 wrote to memory of 1692 4280 Hmmhjm32.exe 93 PID 4280 wrote to memory of 1692 4280 Hmmhjm32.exe 93 PID 4280 wrote to memory of 1692 4280 Hmmhjm32.exe 93 PID 1692 wrote to memory of 3180 1692 Icgqggce.exe 94 PID 1692 wrote to memory of 3180 1692 Icgqggce.exe 94 PID 1692 wrote to memory of 3180 1692 Icgqggce.exe 94 PID 3180 wrote to memory of 2324 3180 Iffmccbi.exe 95 PID 3180 wrote to memory of 2324 3180 Iffmccbi.exe 95 PID 3180 wrote to memory of 2324 3180 Iffmccbi.exe 95 PID 2324 wrote to memory of 4472 2324 Impepm32.exe 96 PID 2324 wrote to memory of 4472 2324 Impepm32.exe 96 PID 2324 wrote to memory of 4472 2324 Impepm32.exe 96 PID 4472 wrote to memory of 1536 4472 Ibmmhdhm.exe 97 PID 4472 wrote to memory of 1536 4472 Ibmmhdhm.exe 97 PID 4472 wrote to memory of 1536 4472 Ibmmhdhm.exe 97 PID 1536 wrote to memory of 1352 1536 Iiffen32.exe 98 PID 1536 wrote to memory of 1352 1536 Iiffen32.exe 98 PID 1536 wrote to memory of 1352 1536 Iiffen32.exe 98 PID 1352 wrote to memory of 4604 1352 Iannfk32.exe 100 PID 1352 wrote to memory of 4604 1352 Iannfk32.exe 100 PID 1352 wrote to memory of 4604 1352 Iannfk32.exe 100 PID 4604 wrote to memory of 2040 4604 Ibojncfj.exe 101 PID 4604 wrote to memory of 2040 4604 Ibojncfj.exe 101 PID 4604 wrote to memory of 2040 4604 Ibojncfj.exe 101 PID 2040 wrote to memory of 3640 2040 Ifjfnb32.exe 102 PID 2040 wrote to memory of 3640 2040 Ifjfnb32.exe 102 PID 2040 wrote to memory of 3640 2040 Ifjfnb32.exe 102 PID 3640 wrote to memory of 1216 3640 Ipckgh32.exe 103 PID 3640 wrote to memory of 1216 3640 Ipckgh32.exe 103 PID 3640 wrote to memory of 1216 3640 Ipckgh32.exe 103 PID 1216 wrote to memory of 2728 1216 Ijhodq32.exe 104 PID 1216 wrote to memory of 2728 1216 Ijhodq32.exe 104 PID 1216 wrote to memory of 2728 1216 Ijhodq32.exe 104 PID 2728 wrote to memory of 4900 2728 Imgkql32.exe 106 PID 2728 wrote to memory of 4900 2728 Imgkql32.exe 106 PID 2728 wrote to memory of 4900 2728 Imgkql32.exe 106 PID 4900 wrote to memory of 3600 4900 Ifopiajn.exe 107 PID 4900 wrote to memory of 3600 4900 Ifopiajn.exe 107 PID 4900 wrote to memory of 3600 4900 Ifopiajn.exe 107 PID 3600 wrote to memory of 2996 3600 Ijkljp32.exe 108 PID 3600 wrote to memory of 2996 3600 Ijkljp32.exe 108 PID 3600 wrote to memory of 2996 3600 Ijkljp32.exe 108 PID 2996 wrote to memory of 4652 2996 Jaedgjjd.exe 109 PID 2996 wrote to memory of 4652 2996 Jaedgjjd.exe 109 PID 2996 wrote to memory of 4652 2996 Jaedgjjd.exe 109 PID 4652 wrote to memory of 3736 4652 Jbfpobpb.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\67d39019e8ba962837f7da10e7f3fc90_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\67d39019e8ba962837f7da10e7f3fc90_NEAS.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\Icgqggce.exeC:\Windows\system32\Icgqggce.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\Ijhodq32.exeC:\Windows\system32\Ijhodq32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Ifopiajn.exeC:\Windows\system32\Ifopiajn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\Jagqlj32.exeC:\Windows\system32\Jagqlj32.exe23⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe24⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe25⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:1208 -
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe28⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:1452 -
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3936 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe33⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:692 -
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe35⤵
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe36⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Kdaldd32.exeC:\Windows\system32\Kdaldd32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3088 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe39⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe40⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe41⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe43⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe44⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4696 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe47⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe48⤵
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe50⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe51⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe52⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe54⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe55⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe56⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3160 -
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe58⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe59⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe60⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe61⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe62⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe63⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe64⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:876 -
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe66⤵
- Drops file in System32 directory
PID:1116 -
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe67⤵PID:1472
-
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe68⤵
- Drops file in System32 directory
PID:4732 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe69⤵PID:4596
-
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1468 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe71⤵
- Drops file in System32 directory
PID:5088 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe72⤵PID:3184
-
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe73⤵PID:4668
-
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe74⤵
- Drops file in System32 directory
PID:4404 -
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe75⤵
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe76⤵PID:3276
-
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe77⤵
- Drops file in System32 directory
PID:1220 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe78⤵PID:1932
-
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe79⤵PID:1880
-
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe81⤵
- Modifies registry class
PID:4296 -
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe82⤵PID:1996
-
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe83⤵PID:2160
-
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe84⤵PID:2352
-
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe85⤵
- Drops file in System32 directory
PID:4580 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe86⤵PID:1660
-
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe87⤵PID:2540
-
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe88⤵PID:5128
-
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5172 -
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe90⤵PID:5216
-
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe91⤵
- Modifies registry class
PID:5260 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe92⤵PID:5304
-
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe93⤵
- Drops file in System32 directory
PID:5344 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5388 -
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe95⤵PID:5432
-
C:\Windows\SysWOW64\Nqklmpdd.exeC:\Windows\system32\Nqklmpdd.exe96⤵PID:5476
-
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe97⤵PID:5520
-
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe98⤵PID:5564
-
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe99⤵PID:5608
-
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5652 -
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe101⤵PID:5696
-
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe102⤵PID:5740
-
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe103⤵
- Modifies registry class
PID:5800 -
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5840 -
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe105⤵PID:5892
-
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe106⤵PID:5948
-
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe107⤵PID:6012
-
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe108⤵PID:6064
-
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6116 -
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe110⤵
- Modifies registry class
PID:5144 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe111⤵PID:5256
-
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe112⤵PID:5336
-
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe113⤵PID:5448
-
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe114⤵PID:5540
-
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe115⤵PID:5584
-
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe116⤵
- Modifies registry class
PID:5668 -
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe117⤵PID:5752
-
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe118⤵PID:5824
-
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5932 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:6048 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe121⤵
- Drops file in System32 directory
PID:6124
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-