Analysis
max time kernel: 166s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
submitted: 02/11/2023, 19:57
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: NEAS.91f0a765df52041943f140f9994de2e0.exe
  Resource: win7-20231020-en
  6 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: NEAS.91f0a765df52041943f140f9994de2e0.exe
  Resource: win10v2004-20231023-en
  6 signatures, 150 seconds
General
Target: NEAS.91f0a765df52041943f140f9994de2e0.exe
Size: 220KB
MD5: 91f0a765df52041943f140f9994de2e0
SHA1: f55b99677fd7584b457f2a7e11e140af388750bd
SHA256: 3b74726e3656abe026a71de9c3108989adfdc79f5a99a8d4ae193699bb549dfa
SHA512: c05527bdbc51f60e478946ce03cefcd9a02bdbaaf99e48fbd942561a9432d06e7455fe89a3c042d9869b8331f2faa37d5671de03efb046d78c0e0b1b97195734
SSDEEP: 3072:gYMfzXsff2O6+bWQALHLQGApetVEkjkdwTNKIW96+bWQALHLQGA:64uO6CbArLActV9jkdwZY6CbArLA
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aimhfqmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iekpfmpl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alcfpm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ldhbnhlm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Babmjj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncekjp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gkeakl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cccppgcp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkbjchio.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkkdci32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpfkiepp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Liekgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcijoh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Liecmlno.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkbfafel.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hboaql32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qekbaf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Micheb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qlejnqbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qdmkbmnl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkahba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qifiph32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fbqiak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ofaeffpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbcpkjkg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnjmoqmk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eeiddl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjolck32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Clbdjh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Deoabj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lekeajmm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ehlpjikd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gklcpqab.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qjijgead.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fldnoo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ppgofcff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kdhbilde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jkhpogij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Igfkpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Npgalidl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhegblcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dnjmoqmk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blpnmk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aacjofkp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekpmljin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dkahba32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iaaakj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dopiqj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhnjgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Blpnmk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nffdkkqe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfgopcfm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnggnh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Caebfg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghgbakhb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olphlcdb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oqakln32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cleeafbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Obfhgj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifhbcejp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hhhkjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jakkplbc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egiohh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qpfokpoo.exe
Executes dropped EXE (64 IoCs)
pid | Process
1424 | Bglgdi32.exe
1360 | Eacaej32.exe
768 | Engaon32.exe
1484 | Eoindndf.exe
4300 | Fhbbmc32.exe
1992 | Fbqiak32.exe
1448 | Gkcdfl32.exe
1764 | Gkeakl32.exe
4568 | Hohcmjic.exe
4984 | Hkaqgjme.exe
5040 | Iooimi32.exe
876 | Jhqqlmba.exe
4884 | Jhejgl32.exe
892 | Jkfcigkm.exe
3268 | Jkhpogij.exe
2992 | Kkkldg32.exe
2844 | Kfbmgo32.exe
3804 | Lbnggpfj.exe
2696 | Opefdo32.exe
4092 | Pmbjcb32.exe
4136 | Alcfpm32.exe
2764 | Agndidce.exe
3736 | Bcngddao.exe
3608 | Cdfgdf32.exe
1472 | Ddpjjd32.exe
1824 | Eelifc32.exe
2364 | Gngckfdj.exe
3976 | Glompi32.exe
4624 | Gkdjaf32.exe
1488 | Hhhkjj32.exe
1640 | Ilpfgg32.exe
2152 | Iehkpmgl.exe
3236 | Iaokdn32.exe
3568 | Jknfnbmi.exe
2908 | Jakkplbc.exe
4112 | Jehcfj32.exe
3612 | Jndhkmfe.exe
1600 | Knfepldb.exe
380 | Koeajo32.exe
780 | Khnfce32.exe
4460 | Lhgiic32.exe
4088 | Lbpmbipk.exe
4244 | Lmhnea32.exe
5104 | Micheb32.exe
4432 | Mieeka32.exe
4200 | Mnggnh32.exe
4756 | Nlbnhkqo.exe
2440 | Olnmdi32.exe
4436 | Olpjii32.exe
4160 | Pfenga32.exe
1724 | Poelfc32.exe
1880 | Qfanbpjg.exe
1144 | Qefkcl32.exe
4896 | Aekdolkj.exe
4320 | Bplhhc32.exe
3924 | Boaeioej.exe
1924 | Bpaacblm.exe
1428 | Cngnbfid.exe
4820 | Dqomdppm.exe
4932 | Dokqfl32.exe
884 | Eonmkkmj.exe
3000 | Egiohh32.exe
1520 | Ffcedd32.exe
1836 | Fqiiamjp.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Qfanbpjg.exe | Poelfc32.exe
File created | C:\Windows\SysWOW64\Mnkhlpmj.dll | Ocihqc32.exe
File opened for modification | C:\Windows\SysWOW64\Apfqbj32.exe | Aimhfqmk.exe
File created | C:\Windows\SysWOW64\Fjccel32.exe | Fofigd32.exe
File created | C:\Windows\SysWOW64\Coepob32.exe | Baocpnmf.exe
File opened for modification | C:\Windows\SysWOW64\Jndhkmfe.exe | Jehcfj32.exe
File opened for modification | C:\Windows\SysWOW64\Gcgndf32.exe | Gagebknp.exe
File opened for modification | C:\Windows\SysWOW64\Ijqmacpl.exe | Idceim32.exe
File opened for modification | C:\Windows\SysWOW64\Ohfafn32.exe | Nelfnd32.exe
File opened for modification | C:\Windows\SysWOW64\Hbflnl32.exe | Hlldaape.exe
File created | C:\Windows\SysWOW64\Eekanh32.exe | Eoaianan.exe
File created | C:\Windows\SysWOW64\Cfhkolhc.dll | Pfanmcao.exe
File opened for modification | C:\Windows\SysWOW64\Hbdgnilo.exe | Hccgqa32.exe
File created | C:\Windows\SysWOW64\Dlcljnif.dll | Blpnmk32.exe
File opened for modification | C:\Windows\SysWOW64\Ebkbmqhb.exe | Djkdnool.exe
File created | C:\Windows\SysWOW64\Pgfljqia.exe | Pphjbgfj.exe
File opened for modification | C:\Windows\SysWOW64\Pkkdci32.exe | Ohkkanbe.exe
File created | C:\Windows\SysWOW64\Lemkmhpd.dll | Nhegblcd.exe
File opened for modification | C:\Windows\SysWOW64\Fbihdhhf.exe | Fafkoiji.exe
File created | C:\Windows\SysWOW64\Ddqbkebo.exe | Clbdjh32.exe
File created | C:\Windows\SysWOW64\Njhcba32.dll | Dmnpojej.exe
File opened for modification | C:\Windows\SysWOW64\Gngckfdj.exe | Eelifc32.exe
File created | C:\Windows\SysWOW64\Naohpdqd.dll | Ncbaabom.exe
File created | C:\Windows\SysWOW64\Neofcpmo.dll | Clbdjh32.exe
File created | C:\Windows\SysWOW64\Olnmdi32.exe | Nlbnhkqo.exe
File created | C:\Windows\SysWOW64\Pkpeal32.dll | Eeqclfaa.exe
File created | C:\Windows\SysWOW64\Adapqk32.exe | Abkjnd32.exe
File created | C:\Windows\SysWOW64\Pnondecb.dll | Onekeb32.exe
File created | C:\Windows\SysWOW64\Hggqniih.dll | Ehecpgbi.exe
File opened for modification | C:\Windows\SysWOW64\Femndhgh.exe | Eekanh32.exe
File created | C:\Windows\SysWOW64\Aoghcj32.dll | Ejmild32.exe
File created | C:\Windows\SysWOW64\Kjkpio32.dll | Olcbfp32.exe
File created | C:\Windows\SysWOW64\Pmfhbm32.exe | Pcncjh32.exe
File opened for modification | C:\Windows\SysWOW64\Dmpfla32.exe | Cimckcoe.exe
File opened for modification | C:\Windows\SysWOW64\Adapqk32.exe | Abkjnd32.exe
File created | C:\Windows\SysWOW64\Dafbhkhl.exe | Deoabj32.exe
File created | C:\Windows\SysWOW64\Enacadhc.dll | Jmhaek32.exe
File opened for modification | C:\Windows\SysWOW64\Ifglmlol.exe | Igfkpd32.exe
File created | C:\Windows\SysWOW64\Gedaobdo.dll | Ohnelj32.exe
File created | C:\Windows\SysWOW64\Oobfhh32.exe | Oejbpb32.exe
File created | C:\Windows\SysWOW64\Ohlqij32.dll | Jangaboo.exe
File opened for modification | C:\Windows\SysWOW64\Kddinm32.exe | Kogqff32.exe
File created | C:\Windows\SysWOW64\Lfbqdb32.dll | Khifno32.exe
File opened for modification | C:\Windows\SysWOW64\Hdjbcnjo.exe | Hbflnl32.exe
File opened for modification | C:\Windows\SysWOW64\Bbcpkjkg.exe | Biklbe32.exe
File created | C:\Windows\SysWOW64\Aiojijfj.dll | Lekeajmm.exe
File opened for modification | C:\Windows\SysWOW64\Dbicjlji.exe | Dhnbkfek.exe
File opened for modification | C:\Windows\SysWOW64\Bplhhc32.exe | Aekdolkj.exe
File opened for modification | C:\Windows\SysWOW64\Gclapb32.exe | Gkqlkp32.exe
File opened for modification | C:\Windows\SysWOW64\Ncifdlii.exe | Nfeekgjo.exe
File created | C:\Windows\SysWOW64\Iaahaiad.dll | Ggfombmd.exe
File opened for modification | C:\Windows\SysWOW64\Mhoiih32.exe | Lnbkeclf.exe
File created | C:\Windows\SysWOW64\Lfmdljaf.dll | Ekhncp32.exe
File created | C:\Windows\SysWOW64\Igjbmnbk.exe | Iapjpd32.exe
File opened for modification | C:\Windows\SysWOW64\Oggqho32.exe | Ncbaabom.exe
File created | C:\Windows\SysWOW64\Eklmdakb.dll | Kjhlipla.exe
File created | C:\Windows\SysWOW64\Alfdoj32.dll | Lcfimheb.exe
File created | C:\Windows\SysWOW64\Alanch32.dll | Pfenga32.exe
File created | C:\Windows\SysWOW64\Qdmkbmnl.exe | Qkegiggl.exe
File created | C:\Windows\SysWOW64\Bpibglde.dll | Ecanhpmi.exe
File created | C:\Windows\SysWOW64\Engjol32.exe | Ekhncp32.exe
File opened for modification | C:\Windows\SysWOW64\Obfhgj32.exe | Okmpjpfa.exe
File opened for modification | C:\Windows\SysWOW64\Djkdnool.exe | Dpqcoj32.exe
File created | C:\Windows\SysWOW64\Ejldginl.dll | Ojhijjll.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
1620 | 5160 | WerFault.exe | 764
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gkcdfl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Okmpjpfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lojeld32.dll" | Clgbfe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bbcpkjkg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ilhkcmib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qldjej32.dll" | Inmggo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ejmild32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hlldaape.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nccdpf32.dll" | Kopcld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoibfj32.dll" | Pkbjchio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckcao32.dll" | Dkahba32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qkegiggl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nemjgo32.dll" | Hjolck32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bfkbpjgf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iifodmak.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gekckpgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dkahba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gqhdnaln.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jiphebml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ddqbkebo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leecmgpa.dll" | Nombnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhpfffan.dll" | Hboaql32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pliidmmf.dll" | Ldleoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmpdhk32.dll" | Pmhkpacg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cpifoh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ibffbnjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdjbpgom.dll" | Jlpklg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pfeiedhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhmjae.dll" | Joamlacj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bapgmb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aohpek32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ejoogm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dabhmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hbdgnilo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgopog32.dll" | Hbegakcb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ekcplp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Keabkkdg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlocei32.dll" | Imjddmpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdpbope.dll" | Bglgdi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lnnakg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kbbodj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deaced32.dll" | Pehnaqid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhlkj32.dll" | Abkjnd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnpdlep.dll" | Lmhnea32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Poimigfm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fldnoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhlkbe32.dll" | Bbjfjepf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Liekgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeqckmec.dll" | Qjijgead.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdogbcnn.dll" | Nelfnd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nhegblcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Poelfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ejofacfb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jnhinq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ncmajo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plppnk32.dll" | Hohcmjic.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Obdbqm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lhdqhp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cbbnim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaohihfd.dll" | Fckaoneo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odqjnmoo.dll" | Jkeedk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cimckcoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lkiage32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjkeo32.dll" | Igjlbhop.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1896 wrote to memory of 1424 | 1896 | NEAS.91f0a765df52041943f140f9994de2e0.exe | 91
PID 1896 wrote to memory of 1424 | 1896 | NEAS.91f0a765df52041943f140f9994de2e0.exe | 91
PID 1896 wrote to memory of 1424 | 1896 | NEAS.91f0a765df52041943f140f9994de2e0.exe | 91
PID 1424 wrote to memory of 1360 | 1424 | Bglgdi32.exe | 92
PID 1424 wrote to memory of 1360 | 1424 | Bglgdi32.exe | 92
PID 1424 wrote to memory of 1360 | 1424 | Bglgdi32.exe | 92
PID 1360 wrote to memory of 768 | 1360 | Eacaej32.exe | 93
PID 1360 wrote to memory of 768 | 1360 | Eacaej32.exe | 93
PID 1360 wrote to memory of 768 | 1360 | Eacaej32.exe | 93
PID 768 wrote to memory of 1484 | 768 | Engaon32.exe | 94
PID 768 wrote to memory of 1484 | 768 | Engaon32.exe | 94
PID 768 wrote to memory of 1484 | 768 | Engaon32.exe | 94
PID 1484 wrote to memory of 4300 | 1484 | Eoindndf.exe | 95
PID 1484 wrote to memory of 4300 | 1484 | Eoindndf.exe | 95
PID 1484 wrote to memory of 4300 | 1484 | Eoindndf.exe | 95
PID 4300 wrote to memory of 1992 | 4300 | Fhbbmc32.exe | 96
PID 4300 wrote to memory of 1992 | 4300 | Fhbbmc32.exe | 96
PID 4300 wrote to memory of 1992 | 4300 | Fhbbmc32.exe | 96
PID 1992 wrote to memory of 1448 | 1992 | Fbqiak32.exe | 97
PID 1992 wrote to memory of 1448 | 1992 | Fbqiak32.exe | 97
PID 1992 wrote to memory of 1448 | 1992 | Fbqiak32.exe | 97
PID 1448 wrote to memory of 1764 | 1448 | Gkcdfl32.exe | 98
PID 1448 wrote to memory of 1764 | 1448 | Gkcdfl32.exe | 98
PID 1448 wrote to memory of 1764 | 1448 | Gkcdfl32.exe | 98
PID 1764 wrote to memory of 4568 | 1764 | Gkeakl32.exe | 99
PID 1764 wrote to memory of 4568 | 1764 | Gkeakl32.exe | 99
PID 1764 wrote to memory of 4568 | 1764 | Gkeakl32.exe | 99
PID 4568 wrote to memory of 4984 | 4568 | Hohcmjic.exe | 100
PID 4568 wrote to memory of 4984 | 4568 | Hohcmjic.exe | 100
PID 4568 wrote to memory of 4984 | 4568 | Hohcmjic.exe | 100
PID 4984 wrote to memory of 5040 | 4984 | Hkaqgjme.exe | 101
PID 4984 wrote to memory of 5040 | 4984 | Hkaqgjme.exe | 101
PID 4984 wrote to memory of 5040 | 4984 | Hkaqgjme.exe | 101
PID 5040 wrote to memory of 876 | 5040 | Iooimi32.exe | 102
PID 5040 wrote to memory of 876 | 5040 | Iooimi32.exe | 102
PID 5040 wrote to memory of 876 | 5040 | Iooimi32.exe | 102
PID 876 wrote to memory of 4884 | 876 | Jhqqlmba.exe | 103
PID 876 wrote to memory of 4884 | 876 | Jhqqlmba.exe | 103
PID 876 wrote to memory of 4884 | 876 | Jhqqlmba.exe | 103
PID 4884 wrote to memory of 892 | 4884 | Jhejgl32.exe | 104
PID 4884 wrote to memory of 892 | 4884 | Jhejgl32.exe | 104
PID 4884 wrote to memory of 892 | 4884 | Jhejgl32.exe | 104
PID 892 wrote to memory of 3268 | 892 | Jkfcigkm.exe | 105
PID 892 wrote to memory of 3268 | 892 | Jkfcigkm.exe | 105
PID 892 wrote to memory of 3268 | 892 | Jkfcigkm.exe | 105
PID 3268 wrote to memory of 2992 | 3268 | Jkhpogij.exe | 106
PID 3268 wrote to memory of 2992 | 3268 | Jkhpogij.exe | 106
PID 3268 wrote to memory of 2992 | 3268 | Jkhpogij.exe | 106
PID 2992 wrote to memory of 2844 | 2992 | Kkkldg32.exe | 107
PID 2992 wrote to memory of 2844 | 2992 | Kkkldg32.exe | 107
PID 2992 wrote to memory of 2844 | 2992 | Kkkldg32.exe | 107
PID 2844 wrote to memory of 3804 | 2844 | Kfbmgo32.exe | 109
PID 2844 wrote to memory of 3804 | 2844 | Kfbmgo32.exe | 109
PID 2844 wrote to memory of 3804 | 2844 | Kfbmgo32.exe | 109
PID 3804 wrote to memory of 2696 | 3804 | Lbnggpfj.exe | 111
PID 3804 wrote to memory of 2696 | 3804 | Lbnggpfj.exe | 111
PID 3804 wrote to memory of 2696 | 3804 | Lbnggpfj.exe | 111
PID 2696 wrote to memory of 4092 | 2696 | Opefdo32.exe | 112
PID 2696 wrote to memory of 4092 | 2696 | Opefdo32.exe | 112
PID 2696 wrote to memory of 4092 | 2696 | Opefdo32.exe | 112
PID 2280 wrote to memory of 4136 | 2280 | Qpmfklbq.exe | 114
PID 2280 wrote to memory of 4136 | 2280 | Qpmfklbq.exe | 114
PID 2280 wrote to memory of 4136 | 2280 | Qpmfklbq.exe | 114
PID 4136 wrote to memory of 2764 | 4136 | Alcfpm32.exe | 115
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\NEAS.91f0a765df52041943f140f9994de2e0.exe (command line "C:\Users\Admin\AppData\Local\Temp\NEAS.91f0a765df52041943f140f9994de2e0.exe")
  - Suspicious use of WriteProcessMemory
  PID: 1896
- Depth 2: C:\Windows\SysWOW64\Bglgdi32.exe (command line C:\Windows\system32\Bglgdi32.exe)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1424
- Depth 3: C:\Windows\SysWOW64\Eacaej32.exe (command line C:\Windows\system32\Eacaej32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1360
- Depth 4: C:\Windows\SysWOW64\Engaon32.exe (command line C:\Windows\system32\Engaon32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 768
- Depth 5: C:\Windows\SysWOW64\Eoindndf.exe (command line C:\Windows\system32\Eoindndf.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1484
- Depth 6: C:\Windows\SysWOW64\Fhbbmc32.exe (command line C:\Windows\system32\Fhbbmc32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4300
- Depth 7: C:\Windows\SysWOW64\Fbqiak32.exe (command line C:\Windows\system32\Fbqiak32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1992
- Depth 8: C:\Windows\SysWOW64\Gkcdfl32.exe (command line C:\Windows\system32\Gkcdfl32.exe)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1448
- Depth 9: C:\Windows\SysWOW64\Gkeakl32.exe (command line C:\Windows\system32\Gkeakl32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1764
- Depth 10: C:\Windows\SysWOW64\Hohcmjic.exe (command line C:\Windows\system32\Hohcmjic.exe)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4568
- Depth 11: C:\Windows\SysWOW64\Hkaqgjme.exe (command line C:\Windows\system32\Hkaqgjme.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4984
- Depth 12: C:\Windows\SysWOW64\Iooimi32.exe (command line C:\Windows\system32\Iooimi32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 5040
- Depth 13: C:\Windows\SysWOW64\Jhqqlmba.exe (command line C:\Windows\system32\Jhqqlmba.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 876
- Depth 14: C:\Windows\SysWOW64\Jhejgl32.exe (command line C:\Windows\system32\Jhejgl32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4884
- Depth 15: C:\Windows\SysWOW64\Jkfcigkm.exe (command line C:\Windows\system32\Jkfcigkm.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 892
- Depth 16: C:\Windows\SysWOW64\Jkhpogij.exe (command line C:\Windows\system32\Jkhpogij.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3268
- Depth 17: C:\Windows\SysWOW64\Kkkldg32.exe (command line C:\Windows\system32\Kkkldg32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2992
- Depth 18: C:\Windows\SysWOW64\Kfbmgo32.exe (command line C:\Windows\system32\Kfbmgo32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2844
- Depth 19: C:\Windows\SysWOW64\Lbnggpfj.exe (command line C:\Windows\system32\Lbnggpfj.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3804
- Depth 20: C:\Windows\SysWOW64\Opefdo32.exe (command line C:\Windows\system32\Opefdo32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2696
- Depth 21: C:\Windows\SysWOW64\Pmbjcb32.exe (command line C:\Windows\system32\Pmbjcb32.exe)
  - Executes dropped EXE
  PID: 4092
- Depth 22: C:\Windows\SysWOW64\Qpmfklbq.exe (command line C:\Windows\system32\Qpmfklbq.exe)
  - Suspicious use of WriteProcessMemory
  PID: 2280
- Depth 23: C:\Windows\SysWOW64\Alcfpm32.exe (command line C:\Windows\system32\Alcfpm32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4136
- Depth 24: C:\Windows\SysWOW64\Agndidce.exe (command line C:\Windows\system32\Agndidce.exe)
  - Executes dropped EXE
  PID: 2764
- Depth 25: C:\Windows\SysWOW64\Bcngddao.exe (command line C:\Windows\system32\Bcngddao.exe)
  - Executes dropped EXE
  PID: 3736
- Depth 26: C:\Windows\SysWOW64\Cdfgdf32.exe (command line C:\Windows\system32\Cdfgdf32.exe)
  - Executes dropped EXE
  PID: 3608
- Depth 27: C:\Windows\SysWOW64\Ddpjjd32.exe (command line C:\Windows\system32\Ddpjjd32.exe)
  - Executes dropped EXE
  PID: 1472
- Depth 28: C:\Windows\SysWOW64\Eelifc32.exe (command line C:\Windows\system32\Eelifc32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 1824
- Depth 29: C:\Windows\SysWOW64\Gngckfdj.exe (command line C:\Windows\system32\Gngckfdj.exe)
  - Executes dropped EXE
  PID: 2364
- Depth 30: C:\Windows\SysWOW64\Glompi32.exe (command line C:\Windows\system32\Glompi32.exe)
  - Executes dropped EXE
  PID: 3976
- Depth 31: C:\Windows\SysWOW64\Gkdjaf32.exe (command line C:\Windows\system32\Gkdjaf32.exe)
  - Executes dropped EXE
  PID: 4624
- Depth 32: C:\Windows\SysWOW64\Hhhkjj32.exe (command line C:\Windows\system32\Hhhkjj32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 1488
- Depth 33: C:\Windows\SysWOW64\Ilpfgg32.exe (command line C:\Windows\system32\Ilpfgg32.exe)
  - Executes dropped EXE
  PID: 1640
- Depth 34: C:\Windows\SysWOW64\Iehkpmgl.exe (command line C:\Windows\system32\Iehkpmgl.exe)
  - Executes dropped EXE
  PID: 2152
- Depth 35: C:\Windows\SysWOW64\Iaokdn32.exe (command line C:\Windows\system32\Iaokdn32.exe)
  - Executes dropped EXE
  PID: 3236
- Depth 36: C:\Windows\SysWOW64\Jknfnbmi.exe (command line C:\Windows\system32\Jknfnbmi.exe)
  - Executes dropped EXE
  PID: 3568
- Depth 37: C:\Windows\SysWOW64\Jakkplbc.exe (command line C:\Windows\system32\Jakkplbc.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 2908
- Depth 38: C:\Windows\SysWOW64\Jehcfj32.exe (command line C:\Windows\system32\Jehcfj32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 4112
- Depth 39: C:\Windows\SysWOW64\Jndhkmfe.exe (command line C:\Windows\system32\Jndhkmfe.exe)
  - Executes dropped EXE
  PID: 3612
- Depth 40: C:\Windows\SysWOW64\Knfepldb.exe (command line C:\Windows\system32\Knfepldb.exe)
  - Executes dropped EXE
  PID: 1600
- Depth 41: C:\Windows\SysWOW64\Koeajo32.exe (command line C:\Windows\system32\Koeajo32.exe)
  - Executes dropped EXE
  PID: 380
- Depth 42: C:\Windows\SysWOW64\Khnfce32.exe (command line C:\Windows\system32\Khnfce32.exe)
  - Executes dropped EXE
  PID: 780
- Depth 43: C:\Windows\SysWOW64\Lhgiic32.exe (command line C:\Windows\system32\Lhgiic32.exe)
  - Executes dropped EXE
  PID: 4460
- Depth 44: C:\Windows\SysWOW64\Lbpmbipk.exe (command line C:\Windows\system32\Lbpmbipk.exe)
  - Executes dropped EXE
  PID: 4088
- Depth 45: C:\Windows\SysWOW64\Lmhnea32.exe (command line C:\Windows\system32\Lmhnea32.exe)
  - Executes dropped EXE
  - Modifies registry class
  PID: 4244
- Depth 46: C:\Windows\SysWOW64\Micheb32.exe (command line C:\Windows\system32\Micheb32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 5104
- Depth 47: C:\Windows\SysWOW64\Mieeka32.exe (command line C:\Windows\system32\Mieeka32.exe)
  - Executes dropped EXE
  PID: 4432
- Depth 48: C:\Windows\SysWOW64\Mnggnh32.exe (command line C:\Windows\system32\Mnggnh32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 4200
- Depth 49: C:\Windows\SysWOW64\Nlbnhkqo.exe (command line C:\Windows\system32\Nlbnhkqo.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 4756
- Depth 50: C:\Windows\SysWOW64\Olnmdi32.exe (command line C:\Windows\system32\Olnmdi32.exe)
  - Executes dropped EXE
  PID: 2440
- Depth 51: C:\Windows\SysWOW64\Olpjii32.exe (command line C:\Windows\system32\Olpjii32.exe)
  - Executes dropped EXE
  PID: 4436
- Depth 52: C:\Windows\SysWOW64\Pfenga32.exe (command line C:\Windows\system32\Pfenga32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 4160
- Depth 53: C:\Windows\SysWOW64\Poelfc32.exe (command line C:\Windows\system32\Poelfc32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID: 1724
- Depth 54: C:\Windows\SysWOW64\Qfanbpjg.exe (command line C:\Windows\system32\Qfanbpjg.exe)
  - Executes dropped EXE
  PID: 1880
- Depth 55: C:\Windows\SysWOW64\Qefkcl32.exe (command line C:\Windows\system32\Qefkcl32.exe)
  - Executes dropped EXE
  PID: 1144
- Depth 56: C:\Windows\SysWOW64\Aekdolkj.exe (command line C:\Windows\system32\Aekdolkj.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 4896
- Depth 57: C:\Windows\SysWOW64\Bplhhc32.exe (command line C:\Windows\system32\Bplhhc32.exe)
  - Executes dropped EXE
  PID: 4320
- Depth 58: C:\Windows\SysWOW64\Boaeioej.exe (command line C:\Windows\system32\Boaeioej.exe)
  - Executes dropped EXE
  PID: 3924
- Depth 59: C:\Windows\SysWOW64\Bpaacblm.exe (command line C:\Windows\system32\Bpaacblm.exe)
  - Executes dropped EXE
  PID: 1924
- Depth 60: C:\Windows\SysWOW64\Cngnbfid.exe (command line C:\Windows\system32\Cngnbfid.exe)
  - Executes dropped EXE
  PID: 1428
- Depth 61: C:\Windows\SysWOW64\Dqomdppm.exe (command line C:\Windows\system32\Dqomdppm.exe)
  - Executes dropped EXE
  PID: 4820
- Depth 62: C:\Windows\SysWOW64\Dokqfl32.exe (command line C:\Windows\system32\Dokqfl32.exe)
  - Executes dropped EXE
  PID: 4932
- Depth 63: C:\Windows\SysWOW64\Eonmkkmj.exe (command line C:\Windows\system32\Eonmkkmj.exe)
  - Executes dropped EXE
  PID: 884
- Depth 64: C:\Windows\SysWOW64\Egiohh32.exe (command line C:\Windows\system32\Egiohh32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 3000
- Depth 65: C:\Windows\SysWOW64\Ffcedd32.exe (command line C:\Windows\system32\Ffcedd32.exe)
  - Executes dropped EXE
  PID: 1520
- Depth 66: C:\Windows\SysWOW64\Fqiiamjp.exe (command line C:\Windows\system32\Fqiiamjp.exe)
  - Executes dropped EXE
  PID: 1836
- Depth 67: C:\Windows\SysWOW64\Fjfgealk.exe (command line C:\Windows\system32\Fjfgealk.exe)
  PID: 3144
- Depth 68: C:\Windows\SysWOW64\Gagebknp.exe (command line C:\Windows\system32\Gagebknp.exe)
  - Drops file in System32 directory
  PID: 400
- Depth 69: C:\Windows\SysWOW64\Gcgndf32.exe (command line C:\Windows\system32\Gcgndf32.exe)
  PID: 3816
- Depth 70: C:\Windows\SysWOW64\Hnpognhd.exe (command line C:\Windows\system32\Hnpognhd.exe)
  PID: 3576
- Depth 71: C:\Windows\SysWOW64\Hjfplo32.exe (command line C:\Windows\system32\Hjfplo32.exe)
  PID: 1656
- Depth 72: C:\Windows\SysWOW64\Hndibn32.exe (command line C:\Windows\system32\Hndibn32.exe)
  PID: 1884
- Depth 73: C:\Windows\SysWOW64\Ikbphn32.exe (command line C:\Windows\system32\Ikbphn32.exe)
  PID: 4108
- Depth 74: C:\Windows\SysWOW64\Jaekkfcm.exe (command line C:\Windows\system32\Jaekkfcm.exe)
  PID: 3844
- Depth 75: C:\Windows\SysWOW64\Jkeedk32.exe (command line C:\Windows\system32\Jkeedk32.exe)
  - Modifies registry class
  PID: 3904
- Depth 76: C:\Windows\SysWOW64\Khifno32.exe (command line C:\Windows\system32\Khifno32.exe)
  - Drops file in System32 directory
  PID: 4848
- Depth 77: C:\Windows\SysWOW64\Lkenkhec.exe (command line C:\Windows\system32\Lkenkhec.exe)
  PID: 2508
- Depth 78: C:\Windows\SysWOW64\Mbpoop32.exe (command line C:\Windows\system32\Mbpoop32.exe)
  PID: 3884
- Depth 79: C:\Windows\SysWOW64\Nqdlpmce.exe (command line C:\Windows\system32\Nqdlpmce.exe)
  PID: 1176
- Depth 80: C:\Windows\SysWOW64\Ninafj32.exe (command line C:\Windows\system32\Ninafj32.exe)
  PID: 4368
- Depth 81: C:\Windows\SysWOW64\Nqifkl32.exe (command line C:\Windows\system32\Nqifkl32.exe)
  PID: 456
- Depth 82: C:\Windows\SysWOW64\Nombnc32.exe (command line C:\Windows\system32\Nombnc32.exe)
  - Modifies registry class
  PID: 4908
- Depth 83: C:\Windows\SysWOW64\Okcccdkp.exe (command line C:\Windows\system32\Okcccdkp.exe)
  PID: 2736
- Depth 84: C:\Windows\SysWOW64\Ogoncd32.exe (command line C:\Windows\system32\Ogoncd32.exe)
  PID: 4464
- Depth 85: C:\Windows\SysWOW64\Obdbqm32.exe (command line C:\Windows\system32\Obdbqm32.exe)
  - Modifies registry class
  PID: 2084
- Depth 86: C:\Windows\SysWOW64\Onkbenbi.exe (command line C:\Windows\system32\Onkbenbi.exe)
  PID: 3372
- Depth 87: C:\Windows\SysWOW64\Plapdb32.exe (command line C:\Windows\system32\Plapdb32.exe)
  PID: 5188
- Depth 88: C:\Windows\SysWOW64\Ppdbfpaa.exe (command line C:\Windows\system32\Ppdbfpaa.exe)
  PID: 5240
- Depth 89: C:\Windows\SysWOW64\Qpfokpoo.exe (command line C:\Windows\system32\Qpfokpoo.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 5312
- Depth 90: C:\Windows\SysWOW64\Ahkffqdo.exe (command line C:\Windows\system32\Ahkffqdo.exe)
  PID: 5360
- Depth 91: C:\Windows\SysWOW64\Aacjofkp.exe (command line C:\Windows\system32\Aacjofkp.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 5428
- Depth 92: C:\Windows\SysWOW64\Blbabnbk.exe (command line C:\Windows\system32\Blbabnbk.exe)
  PID: 5472
- Depth 93: C:\Windows\SysWOW64\Bifblbad.exe (command line C:\Windows\system32\Bifblbad.exe)
  PID: 5512
- Depth 94: C:\Windows\SysWOW64\Clgkmm32.exe (command line C:\Windows\system32\Clgkmm32.exe)
  PID: 5552
- Depth 95: C:\Windows\SysWOW64\Cccppgcp.exe (command line C:\Windows\system32\Cccppgcp.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 5600
- Depth 96: C:\Windows\SysWOW64\Ccfmef32.exe (command line C:\Windows\system32\Ccfmef32.exe)
  PID: 5640
- Depth 97: C:\Windows\SysWOW64\Dpqcoj32.exe (command line C:\Windows\system32\Dpqcoj32.exe)
  - Drops file in System32 directory
  PID: 5684
- Depth 98: C:\Windows\SysWOW64\Djkdnool.exe (command line C:\Windows\system32\Djkdnool.exe)
  - Drops file in System32 directory
  PID: 5732
- Depth 99: C:\Windows\SysWOW64\Ebkbmqhb.exe (command line C:\Windows\system32\Ebkbmqhb.exe)
  PID: 5772
- Depth 100: C:\Windows\SysWOW64\Elagjihh.exe (command line C:\Windows\system32\Elagjihh.exe)
  PID: 5820
- Depth 101: C:\Windows\SysWOW64\Ejgdim32.exe (command line C:\Windows\system32\Ejgdim32.exe)
  PID: 5868
- Depth 102: C:\Windows\SysWOW64\Ecphbckp.exe (command line C:\Windows\system32\Ecphbckp.exe)
  PID: 5912
- Depth 103: C:\Windows\SysWOW64\Fofigd32.exe (command line C:\Windows\system32\Fofigd32.exe)
  - Drops file in System32 directory
  PID: 5952
- Depth 104: C:\Windows\SysWOW64\Fjccel32.exe (command line C:\Windows\system32\Fjccel32.exe)
  PID: 6000
- Depth 105: C:\Windows\SysWOW64\Hboaql32.exe (command line C:\Windows\system32\Hboaql32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID: 6044
- Depth 106: C:\Windows\SysWOW64\Hbegakcb.exe (command line C:\Windows\system32\Hbegakcb.exe)
  - Modifies registry class
  PID: 6124
- Depth 107: C:\Windows\SysWOW64\Iiffoc32.exe (command line C:\Windows\system32\Iiffoc32.exe)
  PID: 5340
- Depth 108: C:\Windows\SysWOW64\Jbfphh32.exe (command line C:\Windows\system32\Jbfphh32.exe)
  PID: 5440
- Depth 109: C:\Windows\SysWOW64\Jiphebml.exe (command line C:\Windows\system32\Jiphebml.exe)
  - Modifies registry class
  PID: 5500
- Depth 110: C:\Windows\SysWOW64\Jdembk32.exe (command line C:\Windows\system32\Jdembk32.exe)
  PID: 5608
- Depth 111: C:\Windows\SysWOW64\Jpojml32.exe (command line C:\Windows\system32\Jpojml32.exe)
  PID: 5716
- Depth 112: C:\Windows\SysWOW64\Kinefp32.exe (command line C:\Windows\system32\Kinefp32.exe)
  PID: 5852
- Depth 113: C:\Windows\SysWOW64\Ldhbnhlm.exe (command line C:\Windows\system32\Ldhbnhlm.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 4808
- Depth 114: C:\Windows\SysWOW64\Liekgo32.exe (command line C:\Windows\system32\Liekgo32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID: 5988
- Depth 115: C:\Windows\SysWOW64\Lkdgqbag.exe (command line C:\Windows\system32\Lkdgqbag.exe)
  PID: 6060
- Depth 116: C:\Windows\SysWOW64\Njjmil32.exe (command line C:\Windows\system32\Njjmil32.exe)
  PID: 6108
- Depth 117: C:\Windows\SysWOW64\Ncbaabom.exe (command line C:\Windows\system32\Ncbaabom.exe)
  - Drops file in System32 directory
  PID: 6100
- Depth 118: C:\Windows\SysWOW64\Oggqho32.exe (command line C:\Windows\system32\Oggqho32.exe)
  PID: 4540
- Depth 119: C:\Windows\SysWOW64\Odkaac32.exe (command line C:\Windows\system32\Odkaac32.exe)
  PID: 6132
- Depth 120: C:\Windows\SysWOW64\Ojhijjll.exe (command line C:\Windows\system32\Ojhijjll.exe)
  - Drops file in System32 directory
  PID: 5232
- Depth 121: C:\Windows\SysWOW64\Pqihgcma.exe (command line C:\Windows\system32\Pqihgcma.exe)
  PID: 5356
- Depth 122: C:\Windows\SysWOW64\Pbmnlf32.exe (command line C:\Windows\system32\Pbmnlf32.exe)
  PID: 5480