Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
155s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
13/10/2023, 20:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.33b18b11edd39ba8b335ed5dff38fc50.exe
Resource
win7-20230831-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.33b18b11edd39ba8b335ed5dff38fc50.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.33b18b11edd39ba8b335ed5dff38fc50.exe
-
Size
378KB
-
MD5
33b18b11edd39ba8b335ed5dff38fc50
-
SHA1
5c11b1026b33a6e0d62fa3ab0b499f9398b1ed4a
-
SHA256
5f39b39fb4141b5273c2c704b6e867286c6f3373b93179227b8e0c2402ce0e5d
-
SHA512
26d5f76f9b7b9b844822947b064663a078e3137c4f04f2dc33954f1c6b085d59a053d17743d9458c0067206c5091404c666f25101f57fa6ea09370a8e48f0f97
-
SSDEEP
6144:/W/MnjEheYr75lHzpaF2e6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+42GTQMJSi:/W7heYr75lTefkY660fIaDZkY660f2lO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqikob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgmnooom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjieii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjficg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhdlbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kinefp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giqkkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qbngeadf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feifgnki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhbfgflc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcgndf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjpaheio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdpbon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oelolmnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdkmgali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfopcgpk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eedkniob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dinmhkke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giboijgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Doageg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efikco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjcjpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljlagndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjkigojc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjjnae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmkbgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbegakcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djelqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibojgikg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieagmcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ienlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cacmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chpangnk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkcibnmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkaadebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fggocmhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Giboijgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phmnfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anpnmele.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ailabddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abipfifn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdjfmjhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkjlpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okqbac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Foakpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbldkllm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acmfel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdpbon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eangpgcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maohdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ceaealoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Docmqp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdnjabab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eijiak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjocaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbndoa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fphnlcdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ginnfgop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijadbdoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iepihf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfemdcba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhihkjfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Magnbnea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nflkbanj.exe -
Executes dropped EXE 64 IoCs
pid Process 4980 Qljjjqlc.exe 3808 Qlmgopjq.exe 1464 Ajqgidij.exe 3508 Aompak32.exe 4284 Aggegh32.exe 3008 Ajhniccb.exe 4260 Acpbbi32.exe 1912 Bqdblmhl.exe 3560 Bfqkddfd.exe 1836 Bqfoamfj.exe 4804 Bfedoc32.exe 2104 Bpnihiio.exe 3596 Bclang32.exe 568 Ccnncgmc.exe 1628 Cceddf32.exe 4428 Cmniml32.exe 1548 Dcjnoece.exe 2872 Dcogje32.exe 412 Dinmhkke.exe 1896 Eaindh32.exe 1760 Empoiimf.exe 2552 Eangpgcl.exe 1040 Eaqdegaj.exe 1964 Facqkg32.exe 4800 Fphnlcdo.exe 4956 Fknbil32.exe 3680 Fkpool32.exe 1292 Fggocmhf.exe 1140 Falcae32.exe 4564 Gkdhjknm.exe 3456 Ghhhcomg.exe 1156 Gpcmga32.exe 4484 Gdafnpqh.exe 2816 Ginnfgop.exe 2732 Gddbcp32.exe 2596 Giqkkf32.exe 4356 Gdfoio32.exe 392 Hajpbckl.exe 2012 Hncmmd32.exe 4740 Hjjnae32.exe 3412 Hdpbon32.exe 2252 Hjlkge32.exe 5020 Hpfcdojl.exe 3552 Igqkqiai.exe 4092 Injcmc32.exe 4036 Ijadbdoj.exe 1044 Iahlcaol.exe 3180 Ihbdplfi.exe 4400 Iqmidndd.exe 4964 Ikcmbfcj.exe 264 Ibmeoq32.exe 768 Jdpkflfe.exe 8 Jkjcbe32.exe 2640 Jbdlop32.exe 3196 Jdbhkk32.exe 4344 Ccgjopal.exe 2280 Jqhafffk.exe 220 Oelolmnd.exe 4124 Nflkbanj.exe 3572 Nncccnol.exe 1444 Njjdho32.exe 3464 Nmipdk32.exe 4436 Nfaemp32.exe 3956 Nmkmjjaa.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fdegkdim.exe Fcckcl32.exe File created C:\Windows\SysWOW64\Fqgocidj.dll Dinmhkke.exe File opened for modification C:\Windows\SysWOW64\Nmkmjjaa.exe Nfaemp32.exe File created C:\Windows\SysWOW64\Hokomfqg.dll Ipdndloi.exe File opened for modification C:\Windows\SysWOW64\Ieagmcmq.exe Ibcjqgnm.exe File created C:\Windows\SysWOW64\Pfbfjk32.exe Phneqf32.exe File created C:\Windows\SysWOW64\Nceonmdp.dll Lalchm32.exe File created C:\Windows\SysWOW64\Qkhlkj32.dll Aaccdp32.exe File created C:\Windows\SysWOW64\Bgmnooom.exe Bbpeghpe.exe File created C:\Windows\SysWOW64\Qebpipij.exe Qkjlpk32.exe File created C:\Windows\SysWOW64\Ehgqed32.exe Ehddpdlc.exe File created C:\Windows\SysWOW64\Gmflgn32.dll Fggocmhf.exe File created C:\Windows\SysWOW64\Ohdbkh32.exe Oolnabal.exe File created C:\Windows\SysWOW64\Gcgndf32.exe Gceaofmc.exe File created C:\Windows\SysWOW64\Dbpmfe32.dll Bammeebe.exe File created C:\Windows\SysWOW64\Nncccnol.exe Nflkbanj.exe File created C:\Windows\SysWOW64\Qglobbdg.dll Ihdldn32.exe File created C:\Windows\SysWOW64\Gbmhkn32.dll Bifblbad.exe File created C:\Windows\SysWOW64\Ohfddi32.dll Bjnece32.exe File opened for modification C:\Windows\SysWOW64\Daolgl32.exe Doqpkq32.exe File created C:\Windows\SysWOW64\Pbdgkich.dll Cbcieqpd.exe File opened for modification C:\Windows\SysWOW64\Eangpgcl.exe Empoiimf.exe File created C:\Windows\SysWOW64\Hajpbckl.exe Gdfoio32.exe File created C:\Windows\SysWOW64\Gjcmngnj.exe Ggepalof.exe File opened for modification C:\Windows\SysWOW64\Jncapf32.exe Jdkmgali.exe File opened for modification C:\Windows\SysWOW64\Qcccom32.exe Qaegcb32.exe File opened for modification C:\Windows\SysWOW64\Gddbcp32.exe Ginnfgop.exe File created C:\Windows\SysWOW64\Ieagmcmq.exe Ibcjqgnm.exe File created C:\Windows\SysWOW64\Hcdfho32.exe Hofmaq32.exe File created C:\Windows\SysWOW64\Lnqdkljp.dll Pfoamp32.exe File opened for modification C:\Windows\SysWOW64\Impeib32.exe Ibjqlj32.exe File created C:\Windows\SysWOW64\Gbpnegbo.exe Goabhl32.exe File created C:\Windows\SysWOW64\Aboncdme.dll Hdpbon32.exe File created C:\Windows\SysWOW64\Mefhfm32.dll Fdjnolfd.exe File created C:\Windows\SysWOW64\Cinndkag.dll Dlkplk32.exe File created C:\Windows\SysWOW64\Npaphh32.dll Ecpomiok.exe File created C:\Windows\SysWOW64\Eomfae32.exe Ebifha32.exe File opened for modification C:\Windows\SysWOW64\Abipfifn.exe Abgcqjhp.exe File created C:\Windows\SysWOW64\Ldibcl32.dll Lgibjj32.exe File opened for modification C:\Windows\SysWOW64\Ccacjgfb.exe Clgkmm32.exe File opened for modification C:\Windows\SysWOW64\Mgbnfb32.exe Mnjjmmkc.exe File created C:\Windows\SysWOW64\Fkopgn32.exe Fdegkdim.exe File opened for modification C:\Windows\SysWOW64\Goabhl32.exe Glcelq32.exe File opened for modification C:\Windows\SysWOW64\Ibmeoq32.exe Ikcmbfcj.exe File created C:\Windows\SysWOW64\Jchdqkfl.dll Nmkmjjaa.exe File created C:\Windows\SysWOW64\Hhdcmp32.exe Hnlodjpa.exe File created C:\Windows\SysWOW64\Iafgob32.exe Hbegakcb.exe File created C:\Windows\SysWOW64\Ngnnbq32.exe Ndpafe32.exe File created C:\Windows\SysWOW64\Laiadfap.dll Fbihdhhf.exe File created C:\Windows\SysWOW64\Ghldkkkk.dll Iobmmoed.exe File created C:\Windows\SysWOW64\Olgjef32.dll Gcgndf32.exe File created C:\Windows\SysWOW64\Daolgl32.exe Doqpkq32.exe File created C:\Windows\SysWOW64\Dememj32.exe Docmqp32.exe File created C:\Windows\SysWOW64\Ekngqqol.exe Eddodfhp.exe File created C:\Windows\SysWOW64\Fceihh32.exe Fjldocde.exe File opened for modification C:\Windows\SysWOW64\Mknjgajl.exe Mgbnfb32.exe File created C:\Windows\SysWOW64\Ciqdoj32.dll Cacmkn32.exe File opened for modification C:\Windows\SysWOW64\Dinmhkke.exe Dcogje32.exe File created C:\Windows\SysWOW64\Kfkklk32.dll Gqkhda32.exe File created C:\Windows\SysWOW64\Lgokfblh.dll Cifmoa32.exe File created C:\Windows\SysWOW64\Fcdfimja.dll Ijgakgej.exe File opened for modification C:\Windows\SysWOW64\Phmnfp32.exe Kfaglf32.exe File created C:\Windows\SysWOW64\Qpjjkc32.dll Icpecm32.exe File created C:\Windows\SysWOW64\Ppeipfdm.exe Pmfldkei.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bqfoamfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnhifonl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbqeonfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbgkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pliaqdlp.dll" Ldjodh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqioqf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dldlbgbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qbngeadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngpjgpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdlcde32.dll" Ngedbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djelqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hncmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gigmlgok.dll" Ijadbdoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqhckhgq.dll" Ijjnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbienmff.dll" Phmnfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfjmg32.dll" Fmmmqnaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fklcbocl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdnjabab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfaglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madbpi32.dll" Lkdgqbag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hckjjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhemfbnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcjnoece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nocckb32.dll" Empoiimf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aogbkmdk.dll" Dbckcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqnnomfq.dll" Ehbihj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdjkn32.dll" Cpedckdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebifha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmkhcq32.dll" Anpnmele.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhkpdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijolhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jibejb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggepalof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkjfda32.dll" Igieoleg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Impeib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odpjmcjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajphagha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Foebmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipdndloi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afpbkicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pagebpan.dll" Hhaope32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hapancai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mallojmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Beaohcmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifihdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpeejfjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eedkniob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fkcibnmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elienf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfkklk32.dll" Gqkhda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oamlkk32.dll" Gbcaemdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnflceji.dll" Acmfel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdfilkbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkbgeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bqdblmhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iepihf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emfgpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfnki32.dll" Kgkooeen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nneilmna.dll" Gjcmngnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Giboijgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijgakgej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpflmkci.dll" Jibejb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chpangnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbqqeahl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1176 wrote to memory of 4980 1176 NEAS.33b18b11edd39ba8b335ed5dff38fc50.exe 86 PID 1176 wrote to memory of 4980 1176 NEAS.33b18b11edd39ba8b335ed5dff38fc50.exe 86 PID 1176 wrote to memory of 4980 1176 NEAS.33b18b11edd39ba8b335ed5dff38fc50.exe 86 PID 4980 wrote to memory of 3808 4980 Qljjjqlc.exe 87 PID 4980 wrote to memory of 3808 4980 Qljjjqlc.exe 87 PID 4980 wrote to memory of 3808 4980 Qljjjqlc.exe 87 PID 3808 wrote to memory of 1464 3808 Qlmgopjq.exe 88 PID 3808 wrote to memory of 1464 3808 Qlmgopjq.exe 88 PID 3808 wrote to memory of 1464 3808 Qlmgopjq.exe 88 PID 1464 wrote to memory of 3508 1464 Ajqgidij.exe 89 PID 1464 wrote to memory of 3508 1464 Ajqgidij.exe 89 PID 1464 wrote to memory of 3508 1464 Ajqgidij.exe 89 PID 3508 wrote to memory of 4284 3508 Aompak32.exe 90 PID 3508 wrote to memory of 4284 3508 Aompak32.exe 90 PID 3508 wrote to memory of 4284 3508 Aompak32.exe 90 PID 4284 wrote to memory of 3008 4284 Aggegh32.exe 91 PID 4284 wrote to memory of 3008 4284 Aggegh32.exe 91 PID 4284 wrote to memory of 3008 4284 Aggegh32.exe 91 PID 3008 wrote to memory of 4260 3008 Ajhniccb.exe 93 PID 3008 wrote to memory of 4260 3008 Ajhniccb.exe 93 PID 3008 wrote to memory of 4260 3008 Ajhniccb.exe 93 PID 4260 wrote to memory of 1912 4260 Acpbbi32.exe 94 PID 4260 wrote to memory of 1912 4260 Acpbbi32.exe 94 PID 4260 wrote to memory of 1912 4260 Acpbbi32.exe 94 PID 1912 wrote to memory of 3560 1912 Bqdblmhl.exe 95 PID 1912 wrote to memory of 3560 1912 Bqdblmhl.exe 95 PID 1912 wrote to memory of 3560 1912 Bqdblmhl.exe 95 PID 3560 wrote to memory of 1836 3560 Bfqkddfd.exe 96 PID 3560 wrote to memory of 1836 3560 Bfqkddfd.exe 96 PID 3560 wrote to memory of 1836 3560 Bfqkddfd.exe 96 PID 1836 wrote to memory of 4804 1836 Bqfoamfj.exe 97 PID 1836 wrote to memory of 4804 1836 Bqfoamfj.exe 97 PID 1836 wrote to memory of 4804 1836 Bqfoamfj.exe 97 PID 4804 wrote to memory of 2104 4804 Bfedoc32.exe 98 PID 4804 wrote to memory of 2104 4804 Bfedoc32.exe 98 PID 4804 wrote to memory of 2104 4804 Bfedoc32.exe 98 PID 2104 wrote to memory of 3596 2104 Bpnihiio.exe 99 PID 2104 wrote to memory of 3596 2104 Bpnihiio.exe 99 PID 2104 wrote to memory of 3596 2104 Bpnihiio.exe 99 PID 3596 wrote to memory of 568 3596 Bclang32.exe 100 PID 3596 wrote to memory of 568 3596 Bclang32.exe 100 PID 3596 wrote to memory of 568 3596 Bclang32.exe 100 PID 568 wrote to memory of 1628 568 Ccnncgmc.exe 101 PID 568 wrote to memory of 1628 568 Ccnncgmc.exe 101 PID 568 wrote to memory of 1628 568 Ccnncgmc.exe 101 PID 1628 wrote to memory of 4428 1628 Cceddf32.exe 102 PID 1628 wrote to memory of 4428 1628 Cceddf32.exe 102 PID 1628 wrote to memory of 4428 1628 Cceddf32.exe 102 PID 4428 wrote to memory of 1548 4428 Cmniml32.exe 103 PID 4428 wrote to memory of 1548 4428 Cmniml32.exe 103 PID 4428 wrote to memory of 1548 4428 Cmniml32.exe 103 PID 1548 wrote to memory of 2872 1548 Dcjnoece.exe 104 PID 1548 wrote to memory of 2872 1548 Dcjnoece.exe 104 PID 1548 wrote to memory of 2872 1548 Dcjnoece.exe 104 PID 2872 wrote to memory of 412 2872 Dcogje32.exe 105 PID 2872 wrote to memory of 412 2872 Dcogje32.exe 105 PID 2872 wrote to memory of 412 2872 Dcogje32.exe 105 PID 412 wrote to memory of 1896 412 Dinmhkke.exe 106 PID 412 wrote to memory of 1896 412 Dinmhkke.exe 106 PID 412 wrote to memory of 1896 412 Dinmhkke.exe 106 PID 1896 wrote to memory of 1760 1896 Eaindh32.exe 107 PID 1896 wrote to memory of 1760 1896 Eaindh32.exe 107 PID 1896 wrote to memory of 1760 1896 Eaindh32.exe 107 PID 1760 wrote to memory of 2552 1760 Empoiimf.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.33b18b11edd39ba8b335ed5dff38fc50.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.33b18b11edd39ba8b335ed5dff38fc50.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Eangpgcl.exeC:\Windows\system32\Eangpgcl.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe24⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe25⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Fknbil32.exeC:\Windows\system32\Fknbil32.exe27⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe28⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe30⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe31⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe32⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe33⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe34⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe36⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4356 -
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe39⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Hncmmd32.exeC:\Windows\system32\Hncmmd32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3412 -
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe43⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Hpfcdojl.exeC:\Windows\system32\Hpfcdojl.exe44⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Igqkqiai.exeC:\Windows\system32\Igqkqiai.exe45⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Injcmc32.exeC:\Windows\system32\Injcmc32.exe46⤵
- Executes dropped EXE
PID:4092 -
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4036 -
C:\Windows\SysWOW64\Iahlcaol.exeC:\Windows\system32\Iahlcaol.exe48⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Ihbdplfi.exeC:\Windows\system32\Ihbdplfi.exe49⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe50⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4964 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe52⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe53⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe54⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Jbdlop32.exeC:\Windows\system32\Jbdlop32.exe55⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe56⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe57⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Jqhafffk.exeC:\Windows\system32\Jqhafffk.exe58⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Oelolmnd.exeC:\Windows\system32\Oelolmnd.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Nflkbanj.exeC:\Windows\system32\Nflkbanj.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4124 -
C:\Windows\SysWOW64\Nncccnol.exeC:\Windows\system32\Nncccnol.exe61⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Njjdho32.exeC:\Windows\system32\Njjdho32.exe62⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Nmipdk32.exeC:\Windows\system32\Nmipdk32.exe63⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Nfaemp32.exeC:\Windows\system32\Nfaemp32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4436 -
C:\Windows\SysWOW64\Nmkmjjaa.exeC:\Windows\system32\Nmkmjjaa.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3956 -
C:\Windows\SysWOW64\Npiiffqe.exeC:\Windows\system32\Npiiffqe.exe66⤵PID:1808
-
C:\Windows\SysWOW64\Egened32.exeC:\Windows\system32\Egened32.exe67⤵PID:1908
-
C:\Windows\SysWOW64\Gaebef32.exeC:\Windows\system32\Gaebef32.exe68⤵PID:3652
-
C:\Windows\SysWOW64\Hpfbcn32.exeC:\Windows\system32\Hpfbcn32.exe69⤵PID:2756
-
C:\Windows\SysWOW64\Hahokfag.exeC:\Windows\system32\Hahokfag.exe70⤵PID:1016
-
C:\Windows\SysWOW64\Hhaggp32.exeC:\Windows\system32\Hhaggp32.exe71⤵PID:5008
-
C:\Windows\SysWOW64\Hnlodjpa.exeC:\Windows\system32\Hnlodjpa.exe72⤵
- Drops file in System32 directory
PID:4004 -
C:\Windows\SysWOW64\Hhdcmp32.exeC:\Windows\system32\Hhdcmp32.exe73⤵PID:3580
-
C:\Windows\SysWOW64\Hpkknmgd.exeC:\Windows\system32\Hpkknmgd.exe74⤵PID:4428
-
C:\Windows\SysWOW64\Halhfe32.exeC:\Windows\system32\Halhfe32.exe75⤵PID:4168
-
C:\Windows\SysWOW64\Hpmhdmea.exeC:\Windows\system32\Hpmhdmea.exe76⤵PID:2752
-
C:\Windows\SysWOW64\Hhimhobl.exeC:\Windows\system32\Hhimhobl.exe77⤵PID:4352
-
C:\Windows\SysWOW64\Hnbeeiji.exeC:\Windows\system32\Hnbeeiji.exe78⤵PID:4440
-
C:\Windows\SysWOW64\Iijfhbhl.exeC:\Windows\system32\Iijfhbhl.exe79⤵PID:2488
-
C:\Windows\SysWOW64\Ipdndloi.exeC:\Windows\system32\Ipdndloi.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:3680 -
C:\Windows\SysWOW64\Ibcjqgnm.exeC:\Windows\system32\Ibcjqgnm.exe81⤵
- Drops file in System32 directory
PID:4336 -
C:\Windows\SysWOW64\Ieagmcmq.exeC:\Windows\system32\Ieagmcmq.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4332 -
C:\Windows\SysWOW64\Ihpcinld.exeC:\Windows\system32\Ihpcinld.exe83⤵PID:1040
-
C:\Windows\SysWOW64\Ieccbbkn.exeC:\Windows\system32\Ieccbbkn.exe84⤵PID:1764
-
C:\Windows\SysWOW64\Ilnlom32.exeC:\Windows\system32\Ilnlom32.exe85⤵PID:4852
-
C:\Windows\SysWOW64\Ihdldn32.exeC:\Windows\system32\Ihdldn32.exe86⤵
- Drops file in System32 directory
PID:3636 -
C:\Windows\SysWOW64\Iehmmb32.exeC:\Windows\system32\Iehmmb32.exe87⤵PID:656
-
C:\Windows\SysWOW64\Bkmeha32.exeC:\Windows\system32\Bkmeha32.exe88⤵PID:3808
-
C:\Windows\SysWOW64\Fqikob32.exeC:\Windows\system32\Fqikob32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2940 -
C:\Windows\SysWOW64\Gcghkm32.exeC:\Windows\system32\Gcghkm32.exe90⤵PID:2888
-
C:\Windows\SysWOW64\Gnmlhf32.exeC:\Windows\system32\Gnmlhf32.exe91⤵PID:1920
-
C:\Windows\SysWOW64\Gqkhda32.exeC:\Windows\system32\Gqkhda32.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:4952 -
C:\Windows\SysWOW64\Ggepalof.exeC:\Windows\system32\Ggepalof.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Gjcmngnj.exeC:\Windows\system32\Gjcmngnj.exe94⤵
- Modifies registry class
PID:3644 -
C:\Windows\SysWOW64\Gbkdod32.exeC:\Windows\system32\Gbkdod32.exe95⤵PID:1592
-
C:\Windows\SysWOW64\Gclafmej.exeC:\Windows\system32\Gclafmej.exe96⤵PID:4564
-
C:\Windows\SysWOW64\Gjficg32.exeC:\Windows\system32\Gjficg32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1312 -
C:\Windows\SysWOW64\Okfbgiij.exeC:\Windows\system32\Okfbgiij.exe98⤵PID:1236
-
C:\Windows\SysWOW64\Qbngeadf.exeC:\Windows\system32\Qbngeadf.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3704 -
C:\Windows\SysWOW64\Qihoak32.exeC:\Windows\system32\Qihoak32.exe100⤵PID:4616
-
C:\Windows\SysWOW64\Fdjnolfd.exeC:\Windows\system32\Fdjnolfd.exe101⤵
- Drops file in System32 directory
PID:4400 -
C:\Windows\SysWOW64\Ijhhenhf.exeC:\Windows\system32\Ijhhenhf.exe102⤵PID:4408
-
C:\Windows\SysWOW64\Imfdaigj.exeC:\Windows\system32\Imfdaigj.exe103⤵PID:1760
-
C:\Windows\SysWOW64\Ienlbf32.exeC:\Windows\system32\Ienlbf32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2524 -
C:\Windows\SysWOW64\Iglhob32.exeC:\Windows\system32\Iglhob32.exe105⤵PID:1556
-
C:\Windows\SysWOW64\Ijjekn32.exeC:\Windows\system32\Ijjekn32.exe106⤵PID:1696
-
C:\Windows\SysWOW64\Iqdmghnp.exeC:\Windows\system32\Iqdmghnp.exe107⤵PID:4480
-
C:\Windows\SysWOW64\Iepihf32.exeC:\Windows\system32\Iepihf32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3212 -
C:\Windows\SysWOW64\Iedbcebd.exeC:\Windows\system32\Iedbcebd.exe109⤵PID:768
-
C:\Windows\SysWOW64\Mehafq32.exeC:\Windows\system32\Mehafq32.exe110⤵PID:2280
-
C:\Windows\SysWOW64\Mdokmm32.exeC:\Windows\system32\Mdokmm32.exe111⤵PID:2264
-
C:\Windows\SysWOW64\Moeoje32.exeC:\Windows\system32\Moeoje32.exe112⤵PID:948
-
C:\Windows\SysWOW64\Mgpcohcb.exeC:\Windows\system32\Mgpcohcb.exe113⤵PID:2716
-
C:\Windows\SysWOW64\Mhppik32.exeC:\Windows\system32\Mhppik32.exe114⤵PID:4620
-
C:\Windows\SysWOW64\Nhkpdi32.exeC:\Windows\system32\Nhkpdi32.exe115⤵
- Modifies registry class
PID:4568 -
C:\Windows\SysWOW64\Onjebpml.exeC:\Windows\system32\Onjebpml.exe116⤵PID:4876
-
C:\Windows\SysWOW64\Oeamcmmo.exeC:\Windows\system32\Oeamcmmo.exe117⤵PID:4468
-
C:\Windows\SysWOW64\Onmahojj.exeC:\Windows\system32\Onmahojj.exe118⤵PID:4924
-
C:\Windows\SysWOW64\Oediim32.exeC:\Windows\system32\Oediim32.exe119⤵PID:2252
-
C:\Windows\SysWOW64\Okqbac32.exeC:\Windows\system32\Okqbac32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3412 -
C:\Windows\SysWOW64\Oolnabal.exeC:\Windows\system32\Oolnabal.exe121⤵
- Drops file in System32 directory
PID:2700
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-