Analysis
- max time kernel: 162s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2023, 05:49
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.1b106e321fe1bf8d6c56cdf2ebfb5fb0.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: NEAS.1b106e321fe1bf8d6c56cdf2ebfb5fb0.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.1b106e321fe1bf8d6c56cdf2ebfb5fb0.exe
- Size: 90KB
- MD5: 1b106e321fe1bf8d6c56cdf2ebfb5fb0
- SHA1: f6f00d01613be1d8b125c151023251626c1969dc
- SHA256: bf18fc2a8a88202e412ad4f6a16c9d2cc85fd21769299594aaea4293453e42fb
- SHA512: 097bf1c7521c5a59270fd5a09102ad97bd99a28626427cde69b2868d7343dbcda1608dc5fd8efccdb72f76307bf795738120479e536041b8eaf09c202ae40c4e
- SSDEEP: 1536:uDmQ8WZXvss/rBzAOcBMacf33JZfh6JcySTyRigXDfOOQ/4BrGTI5Yxj:3tWu6hwcfJeJcySTyRigbU/4kT0Yxj
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each entry gives the tree depth (N⤵), the image path, the command line, the PID and the signatures the report matched on that process. Image paths resolve to C:\Windows\SysWOW64 while the command lines name C:\Windows\system32 because these are 32-bit processes subject to WOW64 file-system redirection.
- 1⤵ C:\Users\Admin\AppData\Local\Temp\NEAS.1b106e321fe1bf8d6c56cdf2ebfb5fb0.exe (command line "C:\Users\Admin\AppData\Local\Temp\NEAS.1b106e321fe1bf8d6c56cdf2ebfb5fb0.exe", PID 4736)
  - Suspicious use of WriteProcessMemory
- 2⤵ C:\Windows\SysWOW64\Bnoknihb.exe (command line C:\Windows\system32\Bnoknihb.exe, PID 1192)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 3⤵ C:\Windows\SysWOW64\Hemdlj32.exe (command line C:\Windows\system32\Hemdlj32.exe, PID 4976)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 4⤵ C:\Windows\SysWOW64\Jcfggkac.exe (command line C:\Windows\system32\Jcfggkac.exe, PID 2300)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 5⤵ C:\Windows\SysWOW64\Kgflcifg.exe (command line C:\Windows\system32\Kgflcifg.exe, PID 2504)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 6⤵ C:\Windows\SysWOW64\Kjjbjd32.exe (command line C:\Windows\system32\Kjjbjd32.exe, PID 916)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 7⤵ C:\Windows\SysWOW64\Lfgipd32.exe (command line C:\Windows\system32\Lfgipd32.exe, PID 3352)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 8⤵ C:\Windows\SysWOW64\Mjlhgaqp.exe (command line C:\Windows\system32\Mjlhgaqp.exe, PID 2148)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 9⤵ C:\Windows\SysWOW64\Npiiffqe.exe (command line C:\Windows\system32\Npiiffqe.exe, PID 2852)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 10⤵ C:\Windows\SysWOW64\Pfiddm32.exe (command line C:\Windows\system32\Pfiddm32.exe, PID 2740)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 11⤵ C:\Windows\SysWOW64\Bdagpnbk.exe (command line C:\Windows\system32\Bdagpnbk.exe, PID 4236)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- 12⤵ C:\Windows\SysWOW64\Ckjknfnh.exe (command line C:\Windows\system32\Ckjknfnh.exe, PID 2824)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 13⤵ C:\Windows\SysWOW64\Ehndnh32.exe (command line C:\Windows\system32\Ehndnh32.exe, PID 1484)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 14⤵ C:\Windows\SysWOW64\Egened32.exe (command line C:\Windows\system32\Egened32.exe, PID 1556)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 15⤵ C:\Windows\SysWOW64\Fganqbgg.exe (command line C:\Windows\system32\Fganqbgg.exe, PID 372)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 16⤵ C:\Windows\SysWOW64\Gbiockdj.exe (command line C:\Windows\system32\Gbiockdj.exe, PID 3912)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- 17⤵ C:\Windows\SysWOW64\Hpfbcn32.exe (command line C:\Windows\system32\Hpfbcn32.exe, PID 3552)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- 18⤵ C:\Windows\SysWOW64\Hlblcn32.exe (command line C:\Windows\system32\Hlblcn32.exe, PID 4680)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 19⤵ C:\Windows\SysWOW64\Ibgdlg32.exe (command line C:\Windows\system32\Ibgdlg32.exe, PID 2476)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 20⤵ C:\Windows\SysWOW64\Jppnpjel.exe (command line C:\Windows\system32\Jppnpjel.exe, PID 2036)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- 21⤵ C:\Windows\SysWOW64\Kemooo32.exe (command line C:\Windows\system32\Kemooo32.exe, PID 4400)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 22⤵ C:\Windows\SysWOW64\Lpgmhg32.exe (command line C:\Windows\system32\Lpgmhg32.exe, PID 1376)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- 23⤵ C:\Windows\SysWOW64\Loacdc32.exe (command line C:\Windows\system32\Loacdc32.exe, PID 2152)
  - Executes dropped EXE
- 24⤵ C:\Windows\SysWOW64\Mcdeeq32.exe (command line C:\Windows\system32\Mcdeeq32.exe, PID 4820)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- 25⤵ C:\Windows\SysWOW64\Mlofcf32.exe (command line C:\Windows\system32\Mlofcf32.exe, PID 1380)
  - Executes dropped EXE
- 26⤵ C:\Windows\SysWOW64\Nijqcf32.exe (command line C:\Windows\system32\Nijqcf32.exe, PID 4924)
  - Executes dropped EXE
  - Modifies registry class
- 27⤵ C:\Windows\SysWOW64\Ommceclc.exe (command line C:\Windows\system32\Ommceclc.exe, PID 3032)
  - Executes dropped EXE
- 28⤵ C:\Windows\SysWOW64\Piapkbeg.exe (command line C:\Windows\system32\Piapkbeg.exe, PID 4304)
  - Executes dropped EXE
- 29⤵ C:\Windows\SysWOW64\Pakdbp32.exe (command line C:\Windows\system32\Pakdbp32.exe, PID 4336)
  - Executes dropped EXE
- 30⤵ C:\Windows\SysWOW64\Ajjokd32.exe (command line C:\Windows\system32\Ajjokd32.exe, PID 3252)
  - Executes dropped EXE
  - Modifies registry class
- 31⤵ C:\Windows\SysWOW64\Abhqefpg.exe (command line C:\Windows\system32\Abhqefpg.exe, PID 1604)
  - Executes dropped EXE
- 32⤵ C:\Windows\SysWOW64\Bbaclegm.exe (command line C:\Windows\system32\Bbaclegm.exe, PID 2164)
  - Executes dropped EXE
- 33⤵ C:\Windows\SysWOW64\Ccblbb32.exe (command line C:\Windows\system32\Ccblbb32.exe, PID 2700)
  - Executes dropped EXE
- 34⤵ C:\Windows\SysWOW64\Dnqcfjae.exe (command line C:\Windows\system32\Dnqcfjae.exe, PID 4216)
  - Executes dropped EXE
- 35⤵ C:\Windows\SysWOW64\Fboecfii.exe (command line C:\Windows\system32\Fboecfii.exe, PID 3292)
  - Executes dropped EXE
- 36⤵ C:\Windows\SysWOW64\Fcbnpnme.exe (command line C:\Windows\system32\Fcbnpnme.exe, PID 5064)
  - Executes dropped EXE
- 37⤵ C:\Windows\SysWOW64\Gjhfif32.exe (command line C:\Windows\system32\Gjhfif32.exe, PID 4560)
  - Executes dropped EXE
- 38⤵ C:\Windows\SysWOW64\Hjmodffo.exe (command line C:\Windows\system32\Hjmodffo.exe, PID 3348)
  - Executes dropped EXE
- 39⤵ C:\Windows\SysWOW64\Hkohchko.exe (command line C:\Windows\system32\Hkohchko.exe, PID 2332)
  - Executes dropped EXE
- 40⤵ C:\Windows\SysWOW64\Infhebbh.exe (command line C:\Windows\system32\Infhebbh.exe, PID 1552)
  - Executes dropped EXE
- 41⤵ C:\Windows\SysWOW64\Jhkljfok.exe (command line C:\Windows\system32\Jhkljfok.exe, PID 1560)
  - Executes dropped EXE
- 42⤵ C:\Windows\SysWOW64\Jacpcl32.exe (command line C:\Windows\system32\Jacpcl32.exe, PID 416)
  - Executes dropped EXE
- 43⤵ C:\Windows\SysWOW64\Jogqlpde.exe (command line C:\Windows\system32\Jogqlpde.exe, PID 560)
  - Executes dropped EXE
  - Drops file in System32 directory
- 44⤵ C:\Windows\SysWOW64\Kkbkmqed.exe (command line C:\Windows\system32\Kkbkmqed.exe, PID 1952)
  - Executes dropped EXE
- 45⤵ C:\Windows\SysWOW64\Kdkoef32.exe (command line C:\Windows\system32\Kdkoef32.exe, PID 4316)
  - Executes dropped EXE
- 46⤵ C:\Windows\SysWOW64\Lacijjgi.exe (command line C:\Windows\system32\Lacijjgi.exe, PID 3064)
  - Executes dropped EXE
- 47⤵ C:\Windows\SysWOW64\Lhgdmb32.exe (command line C:\Windows\system32\Lhgdmb32.exe, PID 1336)
  - Executes dropped EXE
- 48⤵ C:\Windows\SysWOW64\Nbdkhe32.exe (command line C:\Windows\system32\Nbdkhe32.exe, PID 2744)
  - Executes dropped EXE
- 49⤵ C:\Windows\SysWOW64\Podkmgop.exe (command line C:\Windows\system32\Podkmgop.exe, PID 3996)
  - Executes dropped EXE
- 50⤵ C:\Windows\SysWOW64\Pkklbh32.exe (command line C:\Windows\system32\Pkklbh32.exe, PID 2784)
  - Executes dropped EXE
- 51⤵ C:\Windows\SysWOW64\Pbddobla.exe (command line C:\Windows\system32\Pbddobla.exe, PID 540)
  - Executes dropped EXE
- 52⤵ C:\Windows\SysWOW64\Piaiqlak.exe (command line C:\Windows\system32\Piaiqlak.exe, PID 2468)
  - Executes dropped EXE
- 53⤵ C:\Windows\SysWOW64\Qfjcep32.exe (command line C:\Windows\system32\Qfjcep32.exe, PID 4428)
  - Executes dropped EXE
- 54⤵ C:\Windows\SysWOW64\Qpbgnecp.exe (command line C:\Windows\system32\Qpbgnecp.exe, PID 976)
  - Executes dropped EXE
- 55⤵ C:\Windows\SysWOW64\Abemep32.exe (command line C:\Windows\system32\Abemep32.exe, PID 2952)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- 56⤵ C:\Windows\SysWOW64\Alpnde32.exe (command line C:\Windows\system32\Alpnde32.exe, PID 2588)
  - Executes dropped EXE
- 57⤵ C:\Windows\SysWOW64\Bmagch32.exe (command line C:\Windows\system32\Bmagch32.exe, PID 4396)
  - Executes dropped EXE
- 58⤵ C:\Windows\SysWOW64\Bfjllnnm.exe (command line C:\Windows\system32\Bfjllnnm.exe, PID 5092)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
- 59⤵ C:\Windows\SysWOW64\Bpemkcck.exe (command line C:\Windows\system32\Bpemkcck.exe, PID 1356)
  - Executes dropped EXE
- 60⤵ C:\Windows\SysWOW64\Cfmahknh.exe (command line C:\Windows\system32\Cfmahknh.exe, PID 2812)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- 61⤵ C:\Windows\SysWOW64\Dllffa32.exe (command line C:\Windows\system32\Dllffa32.exe, PID 884)
  - Executes dropped EXE
- 62⤵ C:\Windows\SysWOW64\Ddjehneg.exe (command line C:\Windows\system32\Ddjehneg.exe, PID 4588)
  - Executes dropped EXE
- 63⤵ C:\Windows\SysWOW64\Dmbiackg.exe (command line C:\Windows\system32\Dmbiackg.exe, PID 1664)
  - Executes dropped EXE
- 64⤵ C:\Windows\SysWOW64\Enllgbcl.exe (command line C:\Windows\system32\Enllgbcl.exe, PID 3844)
  - Executes dropped EXE
- 65⤵ C:\Windows\SysWOW64\Jfhlpnfp.exe (command line C:\Windows\system32\Jfhlpnfp.exe, PID 3876)
  - Executes dropped EXE
- 66⤵ C:\Windows\SysWOW64\Jfkhfmdm.exe (command line C:\Windows\system32\Jfkhfmdm.exe, PID 3696)
- 67⤵ C:\Windows\SysWOW64\Jndmlj32.exe (command line C:\Windows\system32\Jndmlj32.exe, PID 4436)
- 68⤵ C:\Windows\SysWOW64\Kmncif32.exe (command line C:\Windows\system32\Kmncif32.exe, PID 2800)
  - Modifies registry class
- 69⤵ C:\Windows\SysWOW64\Kffhakjp.exe (command line C:\Windows\system32\Kffhakjp.exe, PID 4020)
- 70⤵ C:\Windows\SysWOW64\Khfdlnab.exe (command line C:\Windows\system32\Khfdlnab.exe, PID 780)
- 71⤵ C:\Windows\SysWOW64\Knpmhh32.exe (command line C:\Windows\system32\Knpmhh32.exe, PID 3472)
- 72⤵ C:\Windows\SysWOW64\Mhfmbl32.exe (command line C:\Windows\system32\Mhfmbl32.exe, PID 2732)
- 73⤵ C:\Windows\SysWOW64\Mhhjhlqm.exe (command line C:\Windows\system32\Mhhjhlqm.exe, PID 4204)
- 74⤵ C:\Windows\SysWOW64\Mhkgnkoj.exe (command line C:\Windows\system32\Mhkgnkoj.exe, PID 2840)
- 75⤵ C:\Windows\SysWOW64\Nnoefagj.exe (command line C:\Windows\system32\Nnoefagj.exe, PID 2116)
- 76⤵ C:\Windows\SysWOW64\Ndinck32.exe (command line C:\Windows\system32\Ndinck32.exe, PID 2844)
- 77⤵ C:\Windows\SysWOW64\Ndpcdjho.exe (command line C:\Windows\system32\Ndpcdjho.exe, PID 5056)
  - Adds autorun key to be loaded by Explorer.exe on startup
- 78⤵ C:\Windows\SysWOW64\Noehac32.exe (command line C:\Windows\system32\Noehac32.exe, PID 4752)
- 79⤵ C:\Windows\SysWOW64\Oahnhncc.exe (command line C:\Windows\system32\Oahnhncc.exe, PID 3620)
- 80⤵ C:\Windows\SysWOW64\Ohgopgfj.exe (command line C:\Windows\system32\Ohgopgfj.exe, PID 3612)
  - Adds autorun key to be loaded by Explorer.exe on startup
- 81⤵ C:\Windows\SysWOW64\Pnknim32.exe (command line C:\Windows\system32\Pnknim32.exe, PID 3492)
  - Modifies registry class
- 82⤵ C:\Windows\SysWOW64\Belemd32.exe (command line C:\Windows\system32\Belemd32.exe, PID 4956)
- 83⤵ C:\Windows\SysWOW64\Bpaikm32.exe (command line C:\Windows\system32\Bpaikm32.exe, PID 2148)
- 84⤵ C:\Windows\SysWOW64\Bflagg32.exe (command line C:\Windows\system32\Bflagg32.exe, PID 4528)
  - Modifies registry class
- 85⤵ C:\Windows\SysWOW64\Bgmnooom.exe (command line C:\Windows\system32\Bgmnooom.exe, PID 4468)
  - Drops file in System32 directory
- 86⤵ C:\Windows\SysWOW64\Bbeobhlp.exe (command line C:\Windows\system32\Bbeobhlp.exe, PID 5164)
- 87⤵ C:\Windows\SysWOW64\Cnlpgibd.exe (command line C:\Windows\system32\Cnlpgibd.exe, PID 5204)
- 88⤵ C:\Windows\SysWOW64\Cldjkl32.exe (command line C:\Windows\system32\Cldjkl32.exe, PID 5248)
  - Adds autorun key to be loaded by Explorer.exe on startup
- 89⤵ C:\Windows\SysWOW64\Dlicflic.exe (command line C:\Windows\system32\Dlicflic.exe, PID 5292)
- 90⤵ C:\Windows\SysWOW64\Donecfao.exe (command line C:\Windows\system32\Donecfao.exe, PID 5336)
  - Modifies registry class
- 91⤵ C:\Windows\SysWOW64\Epiaig32.exe (command line C:\Windows\system32\Epiaig32.exe, PID 5460)
- 92⤵ C:\Windows\SysWOW64\Fljedg32.exe (command line C:\Windows\system32\Fljedg32.exe, PID 5500)
  - Drops file in System32 directory
- 93⤵ C:\Windows\SysWOW64\Gccmaack.exe (command line C:\Windows\system32\Gccmaack.exe, PID 5584)
  - Adds autorun key to be loaded by Explorer.exe on startup
- 94⤵ C:\Windows\SysWOW64\Gckcap32.exe (command line C:\Windows\system32\Gckcap32.exe, PID 5640)
  - Modifies registry class
- 95⤵ C:\Windows\SysWOW64\Hpaqqdjj.exe (command line C:\Windows\system32\Hpaqqdjj.exe, PID 5680)
- 96⤵ C:\Windows\SysWOW64\Hfniikha.exe (command line C:\Windows\system32\Hfniikha.exe, PID 5728)
- 97⤵ C:\Windows\SysWOW64\Hqjcgbbo.exe (command line C:\Windows\system32\Hqjcgbbo.exe, PID 5768)
  - Adds autorun key to be loaded by Explorer.exe on startup
- 98⤵ C:\Windows\SysWOW64\Hjbhph32.exe (command line C:\Windows\system32\Hjbhph32.exe, PID 5808)
- 99⤵ C:\Windows\SysWOW64\Iqmplbpl.exe (command line C:\Windows\system32\Iqmplbpl.exe, PID 5852)
  - Modifies registry class
- 100⤵ C:\Windows\SysWOW64\Igghilhi.exe (command line C:\Windows\system32\Igghilhi.exe, PID 5904)
- 101⤵ C:\Windows\SysWOW64\Ifnbph32.exe (command line C:\Windows\system32\Ifnbph32.exe, PID 5948)
  - Drops file in System32 directory
- 102⤵ C:\Windows\SysWOW64\Ignnjk32.exe (command line C:\Windows\system32\Ignnjk32.exe, PID 6024)
- 103⤵ C:\Windows\SysWOW64\Npadcfnl.exe (command line C:\Windows\system32\Npadcfnl.exe, PID 6072)
- 104⤵ C:\Windows\SysWOW64\Aamipe32.exe (command line C:\Windows\system32\Aamipe32.exe, PID 6108)
- 105⤵ C:\Windows\SysWOW64\Ahgamo32.exe (command line C:\Windows\system32\Ahgamo32.exe, PID 4692)
- 106⤵ C:\Windows\SysWOW64\Ancjef32.exe (command line C:\Windows\system32\Ancjef32.exe, PID 2852)
- 107⤵ C:\Windows\SysWOW64\Aglnnkid.exe (command line C:\Windows\system32\Aglnnkid.exe, PID 5240)
  - Modifies registry class
- 108⤵ C:\Windows\SysWOW64\Ckafkfkp.exe (command line C:\Windows\system32\Ckafkfkp.exe, PID 5280)
- 109⤵ C:\Windows\SysWOW64\Canocm32.exe (command line C:\Windows\system32\Canocm32.exe, PID 5316)
- 110⤵ C:\Windows\SysWOW64\Ckcbaf32.exe (command line C:\Windows\system32\Ckcbaf32.exe, PID 5376)
- 111⤵ C:\Windows\SysWOW64\Capkim32.exe (command line C:\Windows\system32\Capkim32.exe, PID 5452)
- 112⤵ C:\Windows\SysWOW64\Cgjcfgoa.exe (command line C:\Windows\system32\Cgjcfgoa.exe, PID 5484)
- 113⤵ C:\Windows\SysWOW64\Dgmpkg32.exe (command line C:\Windows\system32\Dgmpkg32.exe, PID 2988)
- 114⤵ C:\Windows\SysWOW64\Dioiki32.exe (command line C:\Windows\system32\Dioiki32.exe, PID 5576)
- 115⤵ C:\Windows\SysWOW64\Gimoce32.exe (command line C:\Windows\system32\Gimoce32.exe, PID 5600)
- 116⤵ C:\Windows\SysWOW64\Giahndcf.exe (command line C:\Windows\system32\Giahndcf.exe, PID 5636)
- 117⤵ C:\Windows\SysWOW64\Gooqfkan.exe (command line C:\Windows\system32\Gooqfkan.exe, PID 5692)
- 118⤵ C:\Windows\SysWOW64\Gehice32.exe (command line C:\Windows\system32\Gehice32.exe, PID 5392)
- 119⤵ C:\Windows\SysWOW64\Hocjaj32.exe (command line C:\Windows\system32\Hocjaj32.exe, PID 1608)
- 120⤵ C:\Windows\SysWOW64\Hhlnjpdi.exe (command line C:\Windows\system32\Hhlnjpdi.exe, PID 5844)
  - Modifies registry class
- 121⤵ C:\Windows\SysWOW64\Hikkdc32.exe (command line C:\Windows\system32\Hikkdc32.exe, PID 852)
  - Adds autorun key to be loaded by Explorer.exe on startup
- 122⤵ C:\Windows\SysWOW64\Iheaqolo.exe (command line C:\Windows\system32\Iheaqolo.exe, PID 5940)
  - Drops file in System32 directory