Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
171s -
max time network
177s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
14/10/2023, 11:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.d7b6e3d5325d28f1d48fcedc7ef58f9c_JC.exe
Resource
win7-20230831-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.d7b6e3d5325d28f1d48fcedc7ef58f9c_JC.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.d7b6e3d5325d28f1d48fcedc7ef58f9c_JC.exe
-
Size
379KB
-
MD5
d7b6e3d5325d28f1d48fcedc7ef58f9c
-
SHA1
206937f0f9d659ca32725659ee6c69acd60d5467
-
SHA256
0e4626bf8b6a1c2e09292052b147a8de19371212f3693cb9de9c67425c56fceb
-
SHA512
b35413802ae281a86e5db9c79301f0cd8a41ee1a07047528e67cb709546340dd937a3e0e22154639eb009090a4e2b9ceab0ebf3d3f83c77ea45e1471cca7e54d
-
SSDEEP
6144:mL8X5Jnli7O/0xLxli7O//yb1c3ccU0S6GyTgfiEkrE:UGz6vxr6lGHaXyTg6EkrE
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkceokii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejfeij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkmdecbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhbfgflc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pojccmii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oloaamqf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcblpdgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqfbpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmkkgh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpgbna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgnekcei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilnbch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbeaib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcadcgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmhdkknd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioeicajh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmfhkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Popbpqjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpcfmkff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmggfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejoogm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efamkepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cckkmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebgpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcpqafba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffmfchle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lenicahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahippdbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdpjlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plndcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgobel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlcalieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfnbgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dimenegi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lknojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgehfkop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baadiiif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpdnaci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijqmacpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Himqjpme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkmdecbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feoodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gncchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeaidn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iildfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kinefp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdhkchlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igajka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgpmmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklfgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhndpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpphcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnfanjqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eidlhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpffeaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idnfal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmkbfeab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgqfdnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jokpcmmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afddge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjahfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljobiofi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdopkhfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lplpcc32.exe -
Executes dropped EXE 64 IoCs
pid Process 388 Maodigil.exe 5096 Nihipdhl.exe 4336 Nbqmiinl.exe 992 Nafjjf32.exe 1004 Nbefdijg.exe 3108 Nkqkhk32.exe 3536 Nlphbnoe.exe 2764 Oidhlb32.exe 1184 Oldamm32.exe 1300 Oaajed32.exe 4188 Okjnnj32.exe 1132 Oiknlagg.exe 3376 Oeaoab32.exe 1056 Pcepkfld.exe 4836 Plndcl32.exe 1496 Phedhmhi.exe 4108 Pcjiff32.exe 2244 Poajkgnc.exe 4548 Pabblb32.exe 4992 Qhlkilba.exe 3492 Qcaofebg.exe 3584 Qcclld32.exe 3804 Aaiimadl.exe 2660 Achegd32.exe 3076 Aanbhp32.exe 4224 Ahgjejhd.exe 1604 Aleckinj.exe 4104 Acokhc32.exe 3336 Boflmdkk.exe 4924 Bcddcbab.exe 3352 Bcfahbpo.exe 3864 Bmofagfp.exe 4620 Bmabggdm.exe 3412 Bbnkonbd.exe 2044 Ckfphc32.exe 4192 Cfldelik.exe 1560 Ccpdoqgd.exe 540 Cmhigf32.exe 4552 Cfqmpl32.exe 436 Coiaiakf.exe 3788 Cmmbbejp.exe 2988 Dbjkkl32.exe 4996 Dkbocbog.exe 4604 Djcoai32.exe 3196 Dmalne32.exe 1768 Dbndfl32.exe 2648 Dlghoa32.exe 1656 Dbqqkkbo.exe 1228 Dlieda32.exe 4528 Dimenegi.exe 3112 Ecbjkngo.exe 3104 Eciplm32.exe 3288 Efjimhnh.exe 4236 Elgaeolp.exe 1140 Ffmfchle.exe 2840 Fmikeaap.exe 4640 Ffaong32.exe 768 Fmkgkapm.exe 4360 Fjohde32.exe 1096 Fplpll32.exe 4180 Fffhifdk.exe 3520 Gpnmbl32.exe 1384 Gjdaodja.exe 1996 Glengm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kmnkaeeg.dll Jiphebml.exe File created C:\Windows\SysWOW64\Kilhqq32.exe Kkihedld.exe File opened for modification C:\Windows\SysWOW64\Kkelmc32.exe Kdkdqinj.exe File created C:\Windows\SysWOW64\Fdnnlj32.dll Ckjbhmad.exe File created C:\Windows\SysWOW64\Cmgqklcf.dll Bgdjicmn.exe File created C:\Windows\SysWOW64\Ampjmigd.dll Hejono32.exe File created C:\Windows\SysWOW64\Ahnghafl.exe Aadokg32.exe File opened for modification C:\Windows\SysWOW64\Gikkof32.exe Gifadggi.exe File created C:\Windows\SysWOW64\Ilafiihp.exe Ikpjbq32.exe File created C:\Windows\SysWOW64\Nnbnhedj.exe Nlcalieg.exe File created C:\Windows\SysWOW64\Mfbjdgmg.dll Dfnbgc32.exe File opened for modification C:\Windows\SysWOW64\Egjebn32.exe Ejfeij32.exe File created C:\Windows\SysWOW64\Mbfola32.dll Hdfapjbl.exe File opened for modification C:\Windows\SysWOW64\Ioeicajh.exe Ilglgfjd.exe File created C:\Windows\SysWOW64\Pchljlpo.exe Pkqdhnom.exe File opened for modification C:\Windows\SysWOW64\Fpjcpbdn.exe Fipkch32.exe File created C:\Windows\SysWOW64\Fhgcme32.dll Boeebnhp.exe File created C:\Windows\SysWOW64\Hicpnnio.dll Doaneiop.exe File created C:\Windows\SysWOW64\Dgqblp32.exe Dqgjoenq.exe File created C:\Windows\SysWOW64\Lbqdmodg.exe Lmcldhfp.exe File opened for modification C:\Windows\SysWOW64\Jlblcdpf.exe Jdkdbgpd.exe File opened for modification C:\Windows\SysWOW64\Mddbjg32.exe Maefnk32.exe File created C:\Windows\SysWOW64\Anqdigmo.dll Objphn32.exe File created C:\Windows\SysWOW64\Nchfpmcd.dll Qocfjlan.exe File opened for modification C:\Windows\SysWOW64\Idahjg32.exe Ingpmmgm.exe File created C:\Windows\SysWOW64\Plmmif32.exe Pecellgl.exe File created C:\Windows\SysWOW64\Aojefobm.exe Alkijdci.exe File opened for modification C:\Windows\SysWOW64\Jahnkl32.exe Jojboa32.exe File created C:\Windows\SysWOW64\Jhbfgflc.exe Jahnkl32.exe File created C:\Windows\SysWOW64\Ecieja32.dll Kdqecc32.exe File opened for modification C:\Windows\SysWOW64\Qlggcp32.exe Qjijgead.exe File created C:\Windows\SysWOW64\Oeaoab32.exe Oiknlagg.exe File opened for modification C:\Windows\SysWOW64\Oanfen32.exe Ohfami32.exe File created C:\Windows\SysWOW64\Icinkkcp.dll Dnmhpg32.exe File created C:\Windows\SysWOW64\Eljknl32.exe Eepbabjj.exe File opened for modification C:\Windows\SysWOW64\Jiphebml.exe Jdcplkoe.exe File opened for modification C:\Windows\SysWOW64\Oboicmhj.exe Oldagc32.exe File opened for modification C:\Windows\SysWOW64\Icfediio.exe Illmho32.exe File opened for modification C:\Windows\SysWOW64\Ckfphc32.exe Bbnkonbd.exe File opened for modification C:\Windows\SysWOW64\Alpbecod.exe Adikdfna.exe File opened for modification C:\Windows\SysWOW64\Fiodpl32.exe Fpgpgfmh.exe File opened for modification C:\Windows\SysWOW64\Pefhfgoc.exe Pchljlpo.exe File created C:\Windows\SysWOW64\Jebqacjl.dll Nihipdhl.exe File opened for modification C:\Windows\SysWOW64\Meiioonj.exe Mjdebfnd.exe File created C:\Windows\SysWOW64\Dqgjoenq.exe Dkjbgooi.exe File created C:\Windows\SysWOW64\Majoikof.exe Mgdklb32.exe File opened for modification C:\Windows\SysWOW64\Elpknehe.exe Ejoogm32.exe File created C:\Windows\SysWOW64\Gibhihko.exe Fbhplnca.exe File created C:\Windows\SysWOW64\Lemjlcgo.exe Lejngd32.exe File created C:\Windows\SysWOW64\Blfnkb32.dll Qlggcp32.exe File created C:\Windows\SysWOW64\Hanolipa.dll Fifhmi32.exe File created C:\Windows\SysWOW64\Pcmdcg32.dll Fikbhiaf.exe File opened for modification C:\Windows\SysWOW64\Hlefgphj.exe Hkdjph32.exe File created C:\Windows\SysWOW64\Cboeai32.dll Ddnfmqng.exe File created C:\Windows\SysWOW64\Nbaefacb.dll Mjjbjjdd.exe File created C:\Windows\SysWOW64\Cgbfka32.exe Cmmbmiag.exe File created C:\Windows\SysWOW64\Ibcadcgf.exe Iliihipi.exe File opened for modification C:\Windows\SysWOW64\Lknocb32.exe Lmmoekem.exe File created C:\Windows\SysWOW64\Gdlgjg32.dll Hlnjlkjf.exe File created C:\Windows\SysWOW64\Kqmfklog.dll Alkijdci.exe File created C:\Windows\SysWOW64\Cdicje32.exe Cnokmkfh.exe File created C:\Windows\SysWOW64\Egikekfa.dll Fmbnfcam.exe File opened for modification C:\Windows\SysWOW64\Bllbaa32.exe Bddjpd32.exe File created C:\Windows\SysWOW64\Jdiglgbg.exe Jkqccbkf.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgqfdnah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljfhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmmem32.dll" Kpccgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mikcbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcfiof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcpqafba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okjnnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icgjfgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcmeek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnkgakpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beiopegj.dll" Jdnqgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcqdkcfn.dll" Jgigfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node NEAS.d7b6e3d5325d28f1d48fcedc7ef58f9c_JC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjpbc32.dll" Bdgged32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddnfmqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fngcmcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmkmlmnl.dll" Gfhndpol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpkbmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kabpan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhldio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Achegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmlephen.dll" Cndeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnlmhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmdlolmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 NEAS.d7b6e3d5325d28f1d48fcedc7ef58f9c_JC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cckkmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iehialmj.dll" Lmbhqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekmhejao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ennqfenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noobch32.dll" Egelgoah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aebhaede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahjdc32.dll" Aaiimadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbopqlen.dll" Phigif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcfnqccd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deehpjfk.dll" Anjikoip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljobiofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjdaodja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoalgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Faqflb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djcfee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbhplnca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokmqben.dll" Akqfkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eehicoel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaddcnad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jknfcofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meepdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofgogm32.dll" Headon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phbhlcpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poliea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obafim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpmknf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkpqdifa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmggfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikkpgafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iakajagl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekglfk32.dll" Fhhpfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjmdflo.dll" Lgqfdnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbajeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdmnl32.dll" Jfllca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liddligi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klkcmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgpilc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fajbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbdnne32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 756 wrote to memory of 388 756 NEAS.d7b6e3d5325d28f1d48fcedc7ef58f9c_JC.exe 85 PID 756 wrote to memory of 388 756 NEAS.d7b6e3d5325d28f1d48fcedc7ef58f9c_JC.exe 85 PID 756 wrote to memory of 388 756 NEAS.d7b6e3d5325d28f1d48fcedc7ef58f9c_JC.exe 85 PID 388 wrote to memory of 5096 388 Maodigil.exe 87 PID 388 wrote to memory of 5096 388 Maodigil.exe 87 PID 388 wrote to memory of 5096 388 Maodigil.exe 87 PID 5096 wrote to memory of 4336 5096 Nihipdhl.exe 88 PID 5096 wrote to memory of 4336 5096 Nihipdhl.exe 88 PID 5096 wrote to memory of 4336 5096 Nihipdhl.exe 88 PID 4336 wrote to memory of 992 4336 Nbqmiinl.exe 89 PID 4336 wrote to memory of 992 4336 Nbqmiinl.exe 89 PID 4336 wrote to memory of 992 4336 Nbqmiinl.exe 89 PID 992 wrote to memory of 1004 992 Nafjjf32.exe 90 PID 992 wrote to memory of 1004 992 Nafjjf32.exe 90 PID 992 wrote to memory of 1004 992 Nafjjf32.exe 90 PID 1004 wrote to memory of 3108 1004 Nbefdijg.exe 91 PID 1004 wrote to memory of 3108 1004 Nbefdijg.exe 91 PID 1004 wrote to memory of 3108 1004 Nbefdijg.exe 91 PID 3108 wrote to memory of 3536 3108 Nkqkhk32.exe 92 PID 3108 wrote to memory of 3536 3108 Nkqkhk32.exe 92 PID 3108 wrote to memory of 3536 3108 Nkqkhk32.exe 92 PID 3536 wrote to memory of 2764 3536 Nlphbnoe.exe 93 PID 3536 wrote to memory of 2764 3536 Nlphbnoe.exe 93 PID 3536 wrote to memory of 2764 3536 Nlphbnoe.exe 93 PID 2764 wrote to memory of 1184 2764 Oidhlb32.exe 94 PID 2764 wrote to memory of 1184 2764 Oidhlb32.exe 94 PID 2764 wrote to memory of 1184 2764 Oidhlb32.exe 94 PID 1184 wrote to memory of 1300 1184 Oldamm32.exe 95 PID 1184 wrote to memory of 1300 1184 Oldamm32.exe 95 PID 1184 wrote to memory of 1300 1184 Oldamm32.exe 95 PID 1300 wrote to memory of 4188 1300 Oaajed32.exe 96 PID 1300 wrote to memory of 4188 1300 Oaajed32.exe 96 PID 1300 wrote to memory of 4188 1300 Oaajed32.exe 96 PID 4188 wrote to memory of 1132 4188 Okjnnj32.exe 97 PID 4188 wrote to memory of 1132 4188 Okjnnj32.exe 97 PID 4188 wrote to memory of 1132 4188 Okjnnj32.exe 97 PID 1132 wrote to memory of 3376 1132 Oiknlagg.exe 98 PID 1132 wrote to memory of 3376 1132 Oiknlagg.exe 98 PID 1132 wrote to memory of 3376 1132 Oiknlagg.exe 98 PID 3376 wrote to memory of 1056 3376 Oeaoab32.exe 99 PID 3376 wrote to memory of 1056 3376 Oeaoab32.exe 99 PID 3376 wrote to memory of 1056 3376 Oeaoab32.exe 99 PID 1056 wrote to memory of 4836 1056 Pcepkfld.exe 100 PID 1056 wrote to memory of 4836 1056 Pcepkfld.exe 100 PID 1056 wrote to memory of 4836 1056 Pcepkfld.exe 100 PID 4836 wrote to memory of 1496 4836 Plndcl32.exe 101 PID 4836 wrote to memory of 1496 4836 Plndcl32.exe 101 PID 4836 wrote to memory of 1496 4836 Plndcl32.exe 101 PID 1496 wrote to memory of 4108 1496 Phedhmhi.exe 102 PID 1496 wrote to memory of 4108 1496 Phedhmhi.exe 102 PID 1496 wrote to memory of 4108 1496 Phedhmhi.exe 102 PID 4108 wrote to memory of 2244 4108 Pcjiff32.exe 103 PID 4108 wrote to memory of 2244 4108 Pcjiff32.exe 103 PID 4108 wrote to memory of 2244 4108 Pcjiff32.exe 103 PID 2244 wrote to memory of 4548 2244 Poajkgnc.exe 104 PID 2244 wrote to memory of 4548 2244 Poajkgnc.exe 104 PID 2244 wrote to memory of 4548 2244 Poajkgnc.exe 104 PID 4548 wrote to memory of 4992 4548 Pabblb32.exe 105 PID 4548 wrote to memory of 4992 4548 Pabblb32.exe 105 PID 4548 wrote to memory of 4992 4548 Pabblb32.exe 105 PID 4992 wrote to memory of 3492 4992 Qhlkilba.exe 106 PID 4992 wrote to memory of 3492 4992 Qhlkilba.exe 106 PID 4992 wrote to memory of 3492 4992 Qhlkilba.exe 106 PID 3492 wrote to memory of 3584 3492 Qcaofebg.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.d7b6e3d5325d28f1d48fcedc7ef58f9c_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.d7b6e3d5325d28f1d48fcedc7ef58f9c_JC.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe23⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:3804 -
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe26⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe27⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Aleckinj.exeC:\Windows\system32\Aleckinj.exe28⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Acokhc32.exeC:\Windows\system32\Acokhc32.exe29⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe30⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Bcddcbab.exeC:\Windows\system32\Bcddcbab.exe31⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Bmlilh32.exeC:\Windows\system32\Bmlilh32.exe32⤵PID:4348
-
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe33⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe34⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe35⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3412 -
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe37⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Cfldelik.exeC:\Windows\system32\Cfldelik.exe38⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe39⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Cmhigf32.exeC:\Windows\system32\Cmhigf32.exe40⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe41⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Coiaiakf.exeC:\Windows\system32\Coiaiakf.exe42⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe43⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe44⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Dkbocbog.exeC:\Windows\system32\Dkbocbog.exe45⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Djcoai32.exeC:\Windows\system32\Djcoai32.exe46⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Dmalne32.exeC:\Windows\system32\Dmalne32.exe47⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Dbndfl32.exeC:\Windows\system32\Dbndfl32.exe48⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Dlghoa32.exeC:\Windows\system32\Dlghoa32.exe49⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Dbqqkkbo.exeC:\Windows\system32\Dbqqkkbo.exe50⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Dlieda32.exeC:\Windows\system32\Dlieda32.exe51⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Dimenegi.exeC:\Windows\system32\Dimenegi.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Ecbjkngo.exeC:\Windows\system32\Ecbjkngo.exe53⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Eciplm32.exeC:\Windows\system32\Eciplm32.exe54⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Efjimhnh.exeC:\Windows\system32\Efjimhnh.exe55⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Elgaeolp.exeC:\Windows\system32\Elgaeolp.exe56⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Ffmfchle.exeC:\Windows\system32\Ffmfchle.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe58⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Ffaong32.exeC:\Windows\system32\Ffaong32.exe59⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Fmkgkapm.exeC:\Windows\system32\Fmkgkapm.exe60⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Fjohde32.exeC:\Windows\system32\Fjohde32.exe61⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Fplpll32.exeC:\Windows\system32\Fplpll32.exe62⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe63⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Gpnmbl32.exeC:\Windows\system32\Gpnmbl32.exe64⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Gjdaodja.exeC:\Windows\system32\Gjdaodja.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1384 -
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe66⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Giinpa32.exeC:\Windows\system32\Giinpa32.exe67⤵PID:4376
-
C:\Windows\SysWOW64\Gpcfmkff.exeC:\Windows\system32\Gpcfmkff.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4112 -
C:\Windows\SysWOW64\Gfmojenc.exeC:\Windows\system32\Gfmojenc.exe69⤵PID:4444
-
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4748 -
C:\Windows\SysWOW64\Gbdoof32.exeC:\Windows\system32\Gbdoof32.exe71⤵PID:1444
-
C:\Windows\SysWOW64\Gingkqkd.exeC:\Windows\system32\Gingkqkd.exe72⤵PID:3760
-
C:\Windows\SysWOW64\Gphphj32.exeC:\Windows\system32\Gphphj32.exe73⤵PID:2936
-
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2900 -
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe75⤵PID:3348
-
C:\Windows\SysWOW64\Hbhijepa.exeC:\Windows\system32\Hbhijepa.exe76⤵PID:2292
-
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe77⤵PID:2208
-
C:\Windows\SysWOW64\Hienlpel.exeC:\Windows\system32\Hienlpel.exe78⤵PID:3448
-
C:\Windows\SysWOW64\Hcmbee32.exeC:\Windows\system32\Hcmbee32.exe79⤵PID:5148
-
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe80⤵PID:5188
-
C:\Windows\SysWOW64\Hdmoohbo.exeC:\Windows\system32\Hdmoohbo.exe81⤵PID:5232
-
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe82⤵PID:5284
-
C:\Windows\SysWOW64\Hcblpdgg.exeC:\Windows\system32\Hcblpdgg.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5328 -
C:\Windows\SysWOW64\Ingpmmgm.exeC:\Windows\system32\Ingpmmgm.exe84⤵
- Drops file in System32 directory
PID:5384 -
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe85⤵PID:5428
-
C:\Windows\SysWOW64\Ikkpgafg.exeC:\Windows\system32\Ikkpgafg.exe86⤵
- Modifies registry class
PID:5496 -
C:\Windows\SysWOW64\Iphioh32.exeC:\Windows\system32\Iphioh32.exe87⤵PID:5560
-
C:\Windows\SysWOW64\Icfekc32.exeC:\Windows\system32\Icfekc32.exe88⤵PID:5612
-
C:\Windows\SysWOW64\Ijqmhnko.exeC:\Windows\system32\Ijqmhnko.exe89⤵PID:5656
-
C:\Windows\SysWOW64\Ipjedh32.exeC:\Windows\system32\Ipjedh32.exe90⤵PID:5704
-
C:\Windows\SysWOW64\Ikpjbq32.exeC:\Windows\system32\Ikpjbq32.exe91⤵
- Drops file in System32 directory
PID:5752 -
C:\Windows\SysWOW64\Ilafiihp.exeC:\Windows\system32\Ilafiihp.exe92⤵PID:5796
-
C:\Windows\SysWOW64\Icknfcol.exeC:\Windows\system32\Icknfcol.exe93⤵PID:5836
-
C:\Windows\SysWOW64\Ijegcm32.exeC:\Windows\system32\Ijegcm32.exe94⤵PID:5884
-
C:\Windows\SysWOW64\Ipoopgnf.exeC:\Windows\system32\Ipoopgnf.exe95⤵PID:5920
-
C:\Windows\SysWOW64\Icnklbmj.exeC:\Windows\system32\Icnklbmj.exe96⤵PID:5972
-
C:\Windows\SysWOW64\Jncoikmp.exeC:\Windows\system32\Jncoikmp.exe97⤵PID:6016
-
C:\Windows\SysWOW64\Jgkdbacp.exeC:\Windows\system32\Jgkdbacp.exe98⤵PID:6060
-
C:\Windows\SysWOW64\Jgpmmp32.exeC:\Windows\system32\Jgpmmp32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6104 -
C:\Windows\SysWOW64\Jjoiil32.exeC:\Windows\system32\Jjoiil32.exe100⤵PID:5136
-
C:\Windows\SysWOW64\Jqhafffk.exeC:\Windows\system32\Jqhafffk.exe101⤵PID:5228
-
C:\Windows\SysWOW64\Jknfcofa.exeC:\Windows\system32\Jknfcofa.exe102⤵
- Modifies registry class
PID:5272 -
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe103⤵PID:5360
-
C:\Windows\SysWOW64\Jcikgacl.exeC:\Windows\system32\Jcikgacl.exe104⤵PID:5420
-
C:\Windows\SysWOW64\Kjccdkki.exeC:\Windows\system32\Kjccdkki.exe105⤵PID:4884
-
C:\Windows\SysWOW64\Kclgmq32.exeC:\Windows\system32\Kclgmq32.exe106⤵PID:5572
-
C:\Windows\SysWOW64\Kkconn32.exeC:\Windows\system32\Kkconn32.exe107⤵PID:5640
-
C:\Windows\SysWOW64\Kgipcogp.exeC:\Windows\system32\Kgipcogp.exe108⤵PID:5732
-
C:\Windows\SysWOW64\Kmfhkf32.exeC:\Windows\system32\Kmfhkf32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5788 -
C:\Windows\SysWOW64\Kglmio32.exeC:\Windows\system32\Kglmio32.exe110⤵PID:5872
-
C:\Windows\SysWOW64\Knfeeimj.exeC:\Windows\system32\Knfeeimj.exe111⤵PID:5944
-
C:\Windows\SysWOW64\Kdpmbc32.exeC:\Windows\system32\Kdpmbc32.exe112⤵PID:6008
-
C:\Windows\SysWOW64\Kkjeomld.exeC:\Windows\system32\Kkjeomld.exe113⤵PID:3228
-
C:\Windows\SysWOW64\Kmkbfeab.exeC:\Windows\system32\Kmkbfeab.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6088 -
C:\Windows\SysWOW64\Lgqfdnah.exeC:\Windows\system32\Lgqfdnah.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5172 -
C:\Windows\SysWOW64\Ljobpiql.exeC:\Windows\system32\Ljobpiql.exe116⤵PID:5252
-
C:\Windows\SysWOW64\Lqikmc32.exeC:\Windows\system32\Lqikmc32.exe117⤵PID:5408
-
C:\Windows\SysWOW64\Lknojl32.exeC:\Windows\system32\Lknojl32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5480 -
C:\Windows\SysWOW64\Lnmkfh32.exeC:\Windows\system32\Lnmkfh32.exe119⤵PID:5648
-
C:\Windows\SysWOW64\Lqkgbcff.exeC:\Windows\system32\Lqkgbcff.exe120⤵PID:5744
-
C:\Windows\SysWOW64\Lgepom32.exeC:\Windows\system32\Lgepom32.exe121⤵PID:5860
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-