Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
153s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
13/10/2023, 20:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.b6619013d6f5eb926bbe737fc8411df0.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.b6619013d6f5eb926bbe737fc8411df0.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.b6619013d6f5eb926bbe737fc8411df0.exe
-
Size
340KB
-
MD5
b6619013d6f5eb926bbe737fc8411df0
-
SHA1
cd92f32de9dc18043733a19b337ba715da833feb
-
SHA256
c8ed11686117cb72f87cf93ca32d75ea067ff8d1b6ae14c65e95680a4521791d
-
SHA512
cafddd2070c07252a302d15147b7e0a41da0254cabc651a9309b62969a9101c260e4b69f8fe53090d49343764c260652431287b1fd85f90f0fcdcf8df693e9c5
-
SSDEEP
6144:l6mrsNZ49Z3/fc/UmKyIxLDXXoq9FJZCUmKyIxLjh:l6mW32XXf9Do3i
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chmlfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcdnpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbdagg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkihpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdnihiad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obecld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olopjddf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgpjcnhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oncndnlq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjqdjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfglfdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nafiej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblpge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhmonoli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bammlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjcppidk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aamhdckg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhhiiloh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgdmeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onkmhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebekej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oomlfpdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cofohkgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afhcgjkq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqlfhjch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pecelm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilhlan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebekej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gefmcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iokahhac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nljcflbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaaeegkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echpaecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jigbebhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onkmfofg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdgfpbaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dabkla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epjdbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbljmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Majfcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipbgci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cqaiph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecobmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgqeea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lobbpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfjiod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfepod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koibpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpgnoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meecaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dooqceid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbcikn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibeeeijg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiegpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Engpfgql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dooqceid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmjjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gilhpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdknfiea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bljeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dobcekld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pohhna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eganqo32.exe -
Executes dropped EXE 64 IoCs
pid Process 2544 Hnpbjnpo.exe 1788 Bgdibkam.exe 2516 Bammlq32.exe 2444 Bejfao32.exe 2472 Cjgoje32.exe 1932 Caaggpdh.exe 1408 Clbnhmjo.exe 1412 Eeaepd32.exe 1740 Ggicgopd.exe 2092 Hjcppidk.exe 1424 Ihdpbq32.exe 1748 Klbdgb32.exe 1480 Lnjcomcf.exe 2736 Njhfcp32.exe 2220 Ojmpooah.exe 2176 Pohhna32.exe 2928 Boljgg32.exe 3064 Dphfbiem.exe 1716 Dbiocd32.exe 1300 Feggob32.exe 2008 Gqlhkofn.exe 2796 Hfepod32.exe 2160 Jigbebhb.exe 2884 Keeeje32.exe 2020 Pbemboof.exe 2932 Ageompfe.exe 1872 Bfoeil32.exe 2652 Bgdkkc32.exe 2424 Cqaiph32.exe 2408 Ciagojda.exe 1944 Cehhdkjf.exe 2848 Feddombd.exe 2372 Fkhbgbkc.exe 2052 Gefmcp32.exe 1184 Hcgmfgfd.exe 756 Icncgf32.exe 1616 Ijaaae32.exe 936 Iegeonpc.exe 2324 Kfaalh32.exe 1208 Mebnic32.exe 2672 Ngjlpmnn.exe 2792 Penihe32.exe 2108 Enpban32.exe 2264 Einlmkhp.exe 2144 Fhhbif32.exe 1880 Fodgkp32.exe 1256 Glfgnh32.exe 696 Hkbkpcpd.exe 2768 Igkhjdde.exe 1296 Jnbpqb32.exe 2492 Kbbakc32.exe 2508 Koibpd32.exe 2776 Llkbcl32.exe 2836 Meecaa32.exe 2696 Mcidkf32.exe 1136 Mhhiiloh.exe 2752 Moenkf32.exe 1428 Ndfpnl32.exe 2332 Nfglfdeb.exe 2104 Nldahn32.exe 1752 Obecld32.exe 1700 Ojeakfnd.exe 2212 Pfqlkfoc.exe 2772 Boobki32.exe -
Loads dropped DLL 64 IoCs
pid Process 2844 NEAS.b6619013d6f5eb926bbe737fc8411df0.exe 2844 NEAS.b6619013d6f5eb926bbe737fc8411df0.exe 2544 Hnpbjnpo.exe 2544 Hnpbjnpo.exe 1788 Bgdibkam.exe 1788 Bgdibkam.exe 2516 Bammlq32.exe 2516 Bammlq32.exe 2444 Bejfao32.exe 2444 Bejfao32.exe 2472 Cjgoje32.exe 2472 Cjgoje32.exe 1932 Caaggpdh.exe 1932 Caaggpdh.exe 1408 Clbnhmjo.exe 1408 Clbnhmjo.exe 1412 Eeaepd32.exe 1412 Eeaepd32.exe 1740 Ggicgopd.exe 1740 Ggicgopd.exe 2092 Hjcppidk.exe 2092 Hjcppidk.exe 1424 Ihdpbq32.exe 1424 Ihdpbq32.exe 1748 Klbdgb32.exe 1748 Klbdgb32.exe 1480 Lnjcomcf.exe 1480 Lnjcomcf.exe 2736 Njhfcp32.exe 2736 Njhfcp32.exe 2220 Ojmpooah.exe 2220 Ojmpooah.exe 2176 Pohhna32.exe 2176 Pohhna32.exe 2928 Boljgg32.exe 2928 Boljgg32.exe 3064 Dphfbiem.exe 3064 Dphfbiem.exe 1716 Dbiocd32.exe 1716 Dbiocd32.exe 1300 Feggob32.exe 1300 Feggob32.exe 2008 Gqlhkofn.exe 2008 Gqlhkofn.exe 2796 Hfepod32.exe 2796 Hfepod32.exe 2160 Jigbebhb.exe 2160 Jigbebhb.exe 2884 Keeeje32.exe 2884 Keeeje32.exe 2020 Pbemboof.exe 2020 Pbemboof.exe 2932 Ageompfe.exe 2932 Ageompfe.exe 1872 Bfoeil32.exe 1872 Bfoeil32.exe 2652 Bgdkkc32.exe 2652 Bgdkkc32.exe 2424 Cqaiph32.exe 2424 Cqaiph32.exe 2408 Ciagojda.exe 2408 Ciagojda.exe 1944 Cehhdkjf.exe 1944 Cehhdkjf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Clbnhmjo.exe Caaggpdh.exe File created C:\Windows\SysWOW64\Qdhjoc32.dll Bfoeil32.exe File created C:\Windows\SysWOW64\Nedamakn.dll Cqaiph32.exe File created C:\Windows\SysWOW64\Qjcmoqlf.exe Pjqdjn32.exe File opened for modification C:\Windows\SysWOW64\Edafjiqe.exe Engnno32.exe File created C:\Windows\SysWOW64\Qeengo32.dll Ajqoqm32.exe File created C:\Windows\SysWOW64\Fbkphjih.dll Ocbnqfln.exe File created C:\Windows\SysWOW64\Jdpkmjnb.dll Pohhna32.exe File created C:\Windows\SysWOW64\Qaacem32.dll Keeeje32.exe File created C:\Windows\SysWOW64\Bbdmljln.exe Bbapgknp.exe File created C:\Windows\SysWOW64\Kqkdjkoi.dll Dhggdcgh.exe File created C:\Windows\SysWOW64\Mdeifinb.dll Fcmdpcle.exe File opened for modification C:\Windows\SysWOW64\Oncndnlq.exe Nfcoel32.exe File created C:\Windows\SysWOW64\Abbknb32.exe Aeokdn32.exe File opened for modification C:\Windows\SysWOW64\Dddmkkpb.exe Dklibf32.exe File opened for modification C:\Windows\SysWOW64\Ghjjoeei.exe Gbmbgngb.exe File created C:\Windows\SysWOW64\Hkbkpcpd.exe Glfgnh32.exe File opened for modification C:\Windows\SysWOW64\Oaaghp32.exe Ojgokflc.exe File created C:\Windows\SysWOW64\Nliqoofa.exe Ncplfj32.exe File created C:\Windows\SysWOW64\Hekhidap.dll Gbmbgngb.exe File created C:\Windows\SysWOW64\Pfqlkfoc.exe Ojeakfnd.exe File opened for modification C:\Windows\SysWOW64\Iiipeb32.exe Iboghh32.exe File created C:\Windows\SysWOW64\Iemlfm32.dll Jlddpkgh.exe File created C:\Windows\SysWOW64\Aeedad32.dll Dodlfmlb.exe File created C:\Windows\SysWOW64\Dabkla32.exe Cccgni32.exe File created C:\Windows\SysWOW64\Jfijmdbh.exe Gdobqgpn.exe File created C:\Windows\SysWOW64\Angohn32.dll Gdobqgpn.exe File opened for modification C:\Windows\SysWOW64\Aieihpgi.exe Abkqle32.exe File created C:\Windows\SysWOW64\Hennhl32.dll Mdoccg32.exe File created C:\Windows\SysWOW64\Gcnemg32.dll Nlbgkgcc.exe File created C:\Windows\SysWOW64\Onbedbmj.dll Liqcei32.exe File opened for modification C:\Windows\SysWOW64\Obdlcjkd.exe Lpqnpacp.exe File created C:\Windows\SysWOW64\Anbckadf.dll Jcmjfiab.exe File opened for modification C:\Windows\SysWOW64\Majfcb32.exe Mkqnghfk.exe File opened for modification C:\Windows\SysWOW64\Feggob32.exe Dbiocd32.exe File opened for modification C:\Windows\SysWOW64\Ecobmg32.exe Dooqceid.exe File opened for modification C:\Windows\SysWOW64\Lkhalo32.exe Kqemeb32.exe File created C:\Windows\SysWOW64\Boolhikf.exe Annpaq32.exe File created C:\Windows\SysWOW64\Apjbpemb.exe Alcclb32.exe File created C:\Windows\SysWOW64\Kbljmd32.exe Kcbcah32.exe File created C:\Windows\SysWOW64\Hpkbmemd.dll Kcbcah32.exe File created C:\Windows\SysWOW64\Oqfeda32.exe Nlmjjo32.exe File opened for modification C:\Windows\SysWOW64\Jigbebhb.exe Hfepod32.exe File created C:\Windows\SysWOW64\Gaeonhdm.dll Pdnihiad.exe File created C:\Windows\SysWOW64\Lcpnpp32.dll Meecaa32.exe File opened for modification C:\Windows\SysWOW64\Olopjddf.exe Odckfb32.exe File created C:\Windows\SysWOW64\Kcbcah32.exe Jcmjfiab.exe File opened for modification C:\Windows\SysWOW64\Gaebfdba.exe Glijnmdj.exe File created C:\Windows\SysWOW64\Noplmlok.exe Nlmffa32.exe File created C:\Windows\SysWOW64\Emlkoknp.exe Efbbba32.exe File created C:\Windows\SysWOW64\Npbpjn32.exe Nihgndip.exe File opened for modification C:\Windows\SysWOW64\Knddcg32.exe Khglkqfj.exe File created C:\Windows\SysWOW64\Nljcflbd.exe Mlbmem32.exe File opened for modification C:\Windows\SysWOW64\Elnonp32.exe Eecgafkj.exe File opened for modification C:\Windows\SysWOW64\Abkqle32.exe Akahokho.exe File created C:\Windows\SysWOW64\Bamoho32.dll Obecld32.exe File created C:\Windows\SysWOW64\Dfpnca32.dll Nafiej32.exe File created C:\Windows\SysWOW64\Hbfdeplh.dll Odckfb32.exe File opened for modification C:\Windows\SysWOW64\Alfdcp32.exe Pdamhocm.exe File created C:\Windows\SysWOW64\Mngnjmjh.dll Clbnhmjo.exe File opened for modification C:\Windows\SysWOW64\Gmlckehe.exe Glkgcmbg.exe File created C:\Windows\SysWOW64\Mdcmbb32.dll Ogjhnp32.exe File created C:\Windows\SysWOW64\Onahokel.dll Bbdmljln.exe File created C:\Windows\SysWOW64\Nkfomk32.dll Bgqeea32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iboghh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfkobj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqkiai32.dll" Kfenjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmffhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gealfddm.dll" Pmeemp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknbpmpk.dll" Caaggpdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmabqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhlcnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfjaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlmjjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqbnil32.dll" Fcqoec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glkgcmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conpielo.dll" Anhdmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gcimop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkdhfdnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dobcekld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pohhna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jinfli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkebgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dodlfmlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eocieq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjgmhaim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfijmdbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndfbia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkbkpcpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhhiiloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqcbihdb.dll" Ghjjoeei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocbnqfln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nogmkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gabohk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkhhpeka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocbnqfln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olopjddf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibfbna32.dll" Ckgogfmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Caenkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddkbl32.dll" Lodoefed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epbamc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnahndjj.dll" Cccgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpfpmonn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chkpakla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pohhna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cehhdkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akahokho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmjibdoi.dll" Pkeppngm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qjacai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlmffa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpchof32.dll" Jcnmme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kefgdj32.dll" Ccolja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qjacai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djhnmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aekabb32.dll" Ijaaae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdlfngcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfjiod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llcppm32.dll" Gpfpmonn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oalhbc32.dll" Mddidnqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qcdgei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhac32.dll" Qfdpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogjhnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecobmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nepach32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pccdqloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbfmc32.dll" Phklcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmfala32.dll" Kdincdcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfpfbig.dll" Ibeeeijg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2844 wrote to memory of 2544 2844 NEAS.b6619013d6f5eb926bbe737fc8411df0.exe 28 PID 2844 wrote to memory of 2544 2844 NEAS.b6619013d6f5eb926bbe737fc8411df0.exe 28 PID 2844 wrote to memory of 2544 2844 NEAS.b6619013d6f5eb926bbe737fc8411df0.exe 28 PID 2844 wrote to memory of 2544 2844 NEAS.b6619013d6f5eb926bbe737fc8411df0.exe 28 PID 2544 wrote to memory of 1788 2544 Hnpbjnpo.exe 29 PID 2544 wrote to memory of 1788 2544 Hnpbjnpo.exe 29 PID 2544 wrote to memory of 1788 2544 Hnpbjnpo.exe 29 PID 2544 wrote to memory of 1788 2544 Hnpbjnpo.exe 29 PID 1788 wrote to memory of 2516 1788 Bgdibkam.exe 33 PID 1788 wrote to memory of 2516 1788 Bgdibkam.exe 33 PID 1788 wrote to memory of 2516 1788 Bgdibkam.exe 33 PID 1788 wrote to memory of 2516 1788 Bgdibkam.exe 33 PID 2516 wrote to memory of 2444 2516 Bammlq32.exe 32 PID 2516 wrote to memory of 2444 2516 Bammlq32.exe 32 PID 2516 wrote to memory of 2444 2516 Bammlq32.exe 32 PID 2516 wrote to memory of 2444 2516 Bammlq32.exe 32 PID 2444 wrote to memory of 2472 2444 Bejfao32.exe 31 PID 2444 wrote to memory of 2472 2444 Bejfao32.exe 31 PID 2444 wrote to memory of 2472 2444 Bejfao32.exe 31 PID 2444 wrote to memory of 2472 2444 Bejfao32.exe 31 PID 2472 wrote to memory of 1932 2472 Cjgoje32.exe 30 PID 2472 wrote to memory of 1932 2472 Cjgoje32.exe 30 PID 2472 wrote to memory of 1932 2472 Cjgoje32.exe 30 PID 2472 wrote to memory of 1932 2472 Cjgoje32.exe 30 PID 1932 wrote to memory of 1408 1932 Caaggpdh.exe 34 PID 1932 wrote to memory of 1408 1932 Caaggpdh.exe 34 PID 1932 wrote to memory of 1408 1932 Caaggpdh.exe 34 PID 1932 wrote to memory of 1408 1932 Caaggpdh.exe 34 PID 1408 wrote to memory of 1412 1408 Clbnhmjo.exe 35 PID 1408 wrote to memory of 1412 1408 Clbnhmjo.exe 35 PID 1408 wrote to memory of 1412 1408 Clbnhmjo.exe 35 PID 1408 wrote to memory of 1412 1408 Clbnhmjo.exe 35 PID 1412 wrote to memory of 1740 1412 Eeaepd32.exe 36 PID 1412 wrote to memory of 1740 1412 Eeaepd32.exe 36 PID 1412 wrote to memory of 1740 1412 Eeaepd32.exe 36 PID 1412 wrote to memory of 1740 1412 Eeaepd32.exe 36 PID 1740 wrote to memory of 2092 1740 Ggicgopd.exe 37 PID 1740 wrote to memory of 2092 1740 Ggicgopd.exe 37 PID 1740 wrote to memory of 2092 1740 Ggicgopd.exe 37 PID 1740 wrote to memory of 2092 1740 Ggicgopd.exe 37 PID 2092 wrote to memory of 1424 2092 Hjcppidk.exe 38 PID 2092 wrote to memory of 1424 2092 Hjcppidk.exe 38 PID 2092 wrote to memory of 1424 2092 Hjcppidk.exe 38 PID 2092 wrote to memory of 1424 2092 Hjcppidk.exe 38 PID 1424 wrote to memory of 1748 1424 Ihdpbq32.exe 39 PID 1424 wrote to memory of 1748 1424 Ihdpbq32.exe 39 PID 1424 wrote to memory of 1748 1424 Ihdpbq32.exe 39 PID 1424 wrote to memory of 1748 1424 Ihdpbq32.exe 39 PID 1748 wrote to memory of 1480 1748 Klbdgb32.exe 40 PID 1748 wrote to memory of 1480 1748 Klbdgb32.exe 40 PID 1748 wrote to memory of 1480 1748 Klbdgb32.exe 40 PID 1748 wrote to memory of 1480 1748 Klbdgb32.exe 40 PID 1480 wrote to memory of 2736 1480 Lnjcomcf.exe 41 PID 1480 wrote to memory of 2736 1480 Lnjcomcf.exe 41 PID 1480 wrote to memory of 2736 1480 Lnjcomcf.exe 41 PID 1480 wrote to memory of 2736 1480 Lnjcomcf.exe 41 PID 2736 wrote to memory of 2220 2736 Njhfcp32.exe 42 PID 2736 wrote to memory of 2220 2736 Njhfcp32.exe 42 PID 2736 wrote to memory of 2220 2736 Njhfcp32.exe 42 PID 2736 wrote to memory of 2220 2736 Njhfcp32.exe 42 PID 2220 wrote to memory of 2176 2220 Ojmpooah.exe 43 PID 2220 wrote to memory of 2176 2220 Ojmpooah.exe 43 PID 2220 wrote to memory of 2176 2220 Ojmpooah.exe 43 PID 2220 wrote to memory of 2176 2220 Ojmpooah.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.b6619013d6f5eb926bbe737fc8411df0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.b6619013d6f5eb926bbe737fc8411df0.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516
-
-
-
-
C:\Windows\SysWOW64\Caaggpdh.exeC:\Windows\system32\Caaggpdh.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Ggicgopd.exeC:\Windows\system32\Ggicgopd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Hjcppidk.exeC:\Windows\system32\Hjcppidk.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Klbdgb32.exeC:\Windows\system32\Klbdgb32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Lnjcomcf.exeC:\Windows\system32\Lnjcomcf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Pohhna32.exeC:\Windows\system32\Pohhna32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Boljgg32.exeC:\Windows\system32\Boljgg32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Dphfbiem.exeC:\Windows\system32\Dphfbiem.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Dbiocd32.exeC:\Windows\system32\Dbiocd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Feggob32.exeC:\Windows\system32\Feggob32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Windows\SysWOW64\Gqlhkofn.exeC:\Windows\system32\Gqlhkofn.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Hfepod32.exeC:\Windows\system32\Hfepod32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Jigbebhb.exeC:\Windows\system32\Jigbebhb.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Keeeje32.exeC:\Windows\system32\Keeeje32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Pbemboof.exeC:\Windows\system32\Pbemboof.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020 -
C:\Windows\SysWOW64\Ageompfe.exeC:\Windows\system32\Ageompfe.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Bfoeil32.exeC:\Windows\system32\Bfoeil32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Bgdkkc32.exeC:\Windows\system32\Bgdkkc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Cqaiph32.exeC:\Windows\system32\Cqaiph32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Ciagojda.exeC:\Windows\system32\Ciagojda.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Cehhdkjf.exeC:\Windows\system32\Cehhdkjf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Feddombd.exeC:\Windows\system32\Feddombd.exe27⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Fkhbgbkc.exeC:\Windows\system32\Fkhbgbkc.exe28⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Gefmcp32.exeC:\Windows\system32\Gefmcp32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Hcgmfgfd.exeC:\Windows\system32\Hcgmfgfd.exe30⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Icncgf32.exeC:\Windows\system32\Icncgf32.exe31⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Ijaaae32.exeC:\Windows\system32\Ijaaae32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Iegeonpc.exeC:\Windows\system32\Iegeonpc.exe33⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Kfaalh32.exeC:\Windows\system32\Kfaalh32.exe34⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Mebnic32.exeC:\Windows\system32\Mebnic32.exe35⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Ngjlpmnn.exeC:\Windows\system32\Ngjlpmnn.exe36⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Penihe32.exeC:\Windows\system32\Penihe32.exe37⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Enpban32.exeC:\Windows\system32\Enpban32.exe38⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Einlmkhp.exeC:\Windows\system32\Einlmkhp.exe39⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Fhhbif32.exeC:\Windows\system32\Fhhbif32.exe40⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Fodgkp32.exeC:\Windows\system32\Fodgkp32.exe41⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Glfgnh32.exeC:\Windows\system32\Glfgnh32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1256 -
C:\Windows\SysWOW64\Hkbkpcpd.exeC:\Windows\system32\Hkbkpcpd.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Igkhjdde.exeC:\Windows\system32\Igkhjdde.exe44⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Jnbpqb32.exeC:\Windows\system32\Jnbpqb32.exe45⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Kbbakc32.exeC:\Windows\system32\Kbbakc32.exe46⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Koibpd32.exeC:\Windows\system32\Koibpd32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Llkbcl32.exeC:\Windows\system32\Llkbcl32.exe48⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Meecaa32.exeC:\Windows\system32\Meecaa32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Mcidkf32.exeC:\Windows\system32\Mcidkf32.exe50⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Mhhiiloh.exeC:\Windows\system32\Mhhiiloh.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Moenkf32.exeC:\Windows\system32\Moenkf32.exe52⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Ndfpnl32.exeC:\Windows\system32\Ndfpnl32.exe53⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Nfglfdeb.exeC:\Windows\system32\Nfglfdeb.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Nldahn32.exeC:\Windows\system32\Nldahn32.exe55⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Obecld32.exeC:\Windows\system32\Obecld32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Ojeakfnd.exeC:\Windows\system32\Ojeakfnd.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1700 -
C:\Windows\SysWOW64\Pfqlkfoc.exeC:\Windows\system32\Pfqlkfoc.exe58⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Boobki32.exeC:\Windows\system32\Boobki32.exe59⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Cojeomee.exeC:\Windows\system32\Cojeomee.exe60⤵PID:2184
-
C:\Windows\SysWOW64\Dkjhjm32.exeC:\Windows\system32\Dkjhjm32.exe61⤵PID:1932
-
C:\Windows\SysWOW64\Dbdagg32.exeC:\Windows\system32\Dbdagg32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1928 -
C:\Windows\SysWOW64\Dklepmal.exeC:\Windows\system32\Dklepmal.exe63⤵PID:1576
-
C:\Windows\SysWOW64\Eddjhb32.exeC:\Windows\system32\Eddjhb32.exe64⤵PID:2024
-
C:\Windows\SysWOW64\Fpgnoo32.exeC:\Windows\system32\Fpgnoo32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:364 -
C:\Windows\SysWOW64\Ffmipmjn.exeC:\Windows\system32\Ffmipmjn.exe66⤵PID:1708
-
C:\Windows\SysWOW64\Gbhcpmkm.exeC:\Windows\system32\Gbhcpmkm.exe67⤵PID:2040
-
C:\Windows\SysWOW64\Gidhbgag.exeC:\Windows\system32\Gidhbgag.exe68⤵PID:1980
-
C:\Windows\SysWOW64\Gbmlkl32.exeC:\Windows\system32\Gbmlkl32.exe69⤵PID:2112
-
C:\Windows\SysWOW64\Hpicbe32.exeC:\Windows\system32\Hpicbe32.exe70⤵PID:3000
-
C:\Windows\SysWOW64\Iklfia32.exeC:\Windows\system32\Iklfia32.exe71⤵PID:2628
-
C:\Windows\SysWOW64\Jinfli32.exeC:\Windows\system32\Jinfli32.exe72⤵
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Kgocid32.exeC:\Windows\system32\Kgocid32.exe73⤵PID:2592
-
C:\Windows\SysWOW64\Lenffl32.exeC:\Windows\system32\Lenffl32.exe74⤵PID:2512
-
C:\Windows\SysWOW64\Manjaldo.exeC:\Windows\system32\Manjaldo.exe75⤵PID:2464
-
C:\Windows\SysWOW64\Mdlfngcc.exeC:\Windows\system32\Mdlfngcc.exe76⤵
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Miiofn32.exeC:\Windows\system32\Miiofn32.exe77⤵PID:580
-
C:\Windows\SysWOW64\Mdoccg32.exeC:\Windows\system32\Mdoccg32.exe78⤵
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\Nphpng32.exeC:\Windows\system32\Nphpng32.exe79⤵PID:1516
-
C:\Windows\SysWOW64\Nedifo32.exeC:\Windows\system32\Nedifo32.exe80⤵PID:2348
-
C:\Windows\SysWOW64\Nloachkf.exeC:\Windows\system32\Nloachkf.exe81⤵PID:2344
-
C:\Windows\SysWOW64\Nakikpin.exeC:\Windows\system32\Nakikpin.exe82⤵PID:2664
-
C:\Windows\SysWOW64\Ojndpqpq.exeC:\Windows\system32\Ojndpqpq.exe83⤵PID:1388
-
C:\Windows\SysWOW64\Onkmfofg.exeC:\Windows\system32\Onkmfofg.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2720 -
C:\Windows\SysWOW64\Oqlfhjch.exeC:\Windows\system32\Oqlfhjch.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668 -
C:\Windows\SysWOW64\Pecelm32.exeC:\Windows\system32\Pecelm32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2516 -
C:\Windows\SysWOW64\Pnnfkb32.exeC:\Windows\system32\Pnnfkb32.exe87⤵PID:2500
-
C:\Windows\SysWOW64\Qmepanje.exeC:\Windows\system32\Qmepanje.exe88⤵PID:2060
-
C:\Windows\SysWOW64\Bmelpa32.exeC:\Windows\system32\Bmelpa32.exe89⤵PID:1560
-
C:\Windows\SysWOW64\Bmjekahk.exeC:\Windows\system32\Bmjekahk.exe90⤵PID:1448
-
C:\Windows\SysWOW64\Bdcnhk32.exeC:\Windows\system32\Bdcnhk32.exe91⤵PID:968
-
C:\Windows\SysWOW64\Clfhml32.exeC:\Windows\system32\Clfhml32.exe92⤵PID:2272
-
C:\Windows\SysWOW64\Ckkenikc.exeC:\Windows\system32\Ckkenikc.exe93⤵PID:2308
-
C:\Windows\SysWOW64\Caenkc32.exeC:\Windows\system32\Caenkc32.exe94⤵
- Modifies registry class
PID:1412 -
C:\Windows\SysWOW64\Dnnkec32.exeC:\Windows\system32\Dnnkec32.exe95⤵PID:1904
-
C:\Windows\SysWOW64\Doijcjde.exeC:\Windows\system32\Doijcjde.exe96⤵PID:2580
-
C:\Windows\SysWOW64\Dbggpfci.exeC:\Windows\system32\Dbggpfci.exe97⤵PID:948
-
C:\Windows\SysWOW64\Egflml32.exeC:\Windows\system32\Egflml32.exe98⤵PID:2128
-
C:\Windows\SysWOW64\Glijnmdj.exeC:\Windows\system32\Glijnmdj.exe99⤵
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Gaebfdba.exeC:\Windows\system32\Gaebfdba.exe100⤵PID:552
-
C:\Windows\SysWOW64\Glkgcmbg.exeC:\Windows\system32\Glkgcmbg.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Gmlckehe.exeC:\Windows\system32\Gmlckehe.exe102⤵PID:1652
-
C:\Windows\SysWOW64\Gdflgo32.exeC:\Windows\system32\Gdflgo32.exe103⤵PID:2992
-
C:\Windows\SysWOW64\Gnlpeh32.exeC:\Windows\system32\Gnlpeh32.exe104⤵PID:1528
-
C:\Windows\SysWOW64\Hilgfe32.exeC:\Windows\system32\Hilgfe32.exe105⤵PID:1796
-
C:\Windows\SysWOW64\Iecdji32.exeC:\Windows\system32\Iecdji32.exe106⤵PID:2100
-
C:\Windows\SysWOW64\Kmabqf32.exeC:\Windows\system32\Kmabqf32.exe107⤵
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Lnqkjl32.exeC:\Windows\system32\Lnqkjl32.exe108⤵PID:1320
-
C:\Windows\SysWOW64\Mfqiingf.exeC:\Windows\system32\Mfqiingf.exe109⤵PID:1916
-
C:\Windows\SysWOW64\Mddibb32.exeC:\Windows\system32\Mddibb32.exe110⤵PID:1788
-
C:\Windows\SysWOW64\Mldgbcoe.exeC:\Windows\system32\Mldgbcoe.exe111⤵PID:2444
-
C:\Windows\SysWOW64\Noepdo32.exeC:\Windows\system32\Noepdo32.exe112⤵PID:3056
-
C:\Windows\SysWOW64\Neohqicc.exeC:\Windows\system32\Neohqicc.exe113⤵PID:320
-
C:\Windows\SysWOW64\Nafiej32.exeC:\Windows\system32\Nafiej32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1852 -
C:\Windows\SysWOW64\Ngcanq32.exeC:\Windows\system32\Ngcanq32.exe115⤵PID:2932
-
C:\Windows\SysWOW64\Ngencpel.exeC:\Windows\system32\Ngencpel.exe116⤵PID:1216
-
C:\Windows\SysWOW64\Nlbgkgcc.exeC:\Windows\system32\Nlbgkgcc.exe117⤵
- Drops file in System32 directory
PID:604 -
C:\Windows\SysWOW64\Nggkipci.exeC:\Windows\system32\Nggkipci.exe118⤵PID:2964
-
C:\Windows\SysWOW64\Ogjhnp32.exeC:\Windows\system32\Ogjhnp32.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Onmfin32.exeC:\Windows\system32\Onmfin32.exe120⤵PID:1504
-
C:\Windows\SysWOW64\Ohbjgg32.exeC:\Windows\system32\Ohbjgg32.exe121⤵PID:2084
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-