Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
152s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
28/10/2023, 19:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.95091183886bec1ab01952d238ffd730.exe
Resource
win7-20231023-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.95091183886bec1ab01952d238ffd730.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.95091183886bec1ab01952d238ffd730.exe
-
Size
59KB
-
MD5
95091183886bec1ab01952d238ffd730
-
SHA1
d37771f5ebe9555dd640c1e1b7a25424d828df0c
-
SHA256
242510eb8827b0ff71a68f80d5a767a4479dab5a00a1be3fa43e1c91d1e5e36e
-
SHA512
3a86eca82c3346fbab98b683887ea911b6d325dc1512d0e0bd590fdc7d33a72c2b5e772ad5da0f40ee682201e143bc4cbd8c18e488de31ed17fe445dcdb4aa04
-
SSDEEP
1536:KDKwGKwCKEe3aIj0yyZt7IRfNtQOXn8t2LWO:KDFwjaPAfNtQOXn8+WO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmhijd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbepdfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eniokh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jedblkga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmkfoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okgabpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnadkmhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmadpea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojemig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbjbfclk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koonak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfjlolpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmgcoaie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khbioa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acmomgoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgcoaock.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lilbdcfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dipgik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mljmhflh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illmho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anaofa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdahek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loodqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imiapo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnadkmhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkokma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bglpjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdfhil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aifpoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnbhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ionbcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aifpoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qekbaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkqliaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njdeklca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpkbmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgdjicmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bglpjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmlmdd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cedbbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmndncl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojgjhicl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bafnmnjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfnccg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkhbko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkkggl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qipjokik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onkphi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alfpijll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cffcilob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpiqpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdkghg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjpaffhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhjbjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgcoaock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nppfnige.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojbamj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipdnna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccmcgcmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Falcli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqigee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jafaem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pocpqcpm.exe -
Executes dropped EXE 64 IoCs
pid Process 1412 Mofmobmo.exe 4040 Mljmhflh.exe 4456 Mjnnbk32.exe 2028 Mhckcgpj.exe 1848 Nfgklkoc.exe 4328 Nbnlaldg.exe 224 Nqoloc32.exe 4216 Nfldgk32.exe 1132 Nodiqp32.exe 2792 Nbbeml32.exe 3384 Nmhijd32.exe 3908 Niojoeel.exe 1216 Ooibkpmi.exe 1380 Oiagde32.exe 1188 Ookoaokf.exe 4784 Omopjcjp.exe 3748 Ofgdcipq.exe 1000 Oqmhqapg.exe 4496 Ojemig32.exe 1544 Obqanjdb.exe 1836 Omfekbdh.exe 5116 Bmidnm32.exe 4788 Bdcmkgmm.exe 4596 Bagmdllg.exe 2136 Ckpamabg.exe 3580 Cpljehpo.exe 1108 Cbkfbcpb.exe 4356 Cienon32.exe 1980 Ccmcgcmp.exe 1852 Cigkdmel.exe 4828 Ckggnp32.exe 2092 Cildom32.exe 4336 Cdaile32.exe 4008 Dmjmekgn.exe 2104 Dknnoofg.exe 1556 Ddfbgelh.exe 1484 Dickplko.exe 3884 Gjqinamq.exe 3184 Onakco32.exe 744 Gebimmco.exe 1336 Dgaiffii.exe 2000 Falcli32.exe 3868 Fhflhcfa.exe 1568 Fkehdnee.exe 1924 Fifhbf32.exe 2120 Fhiinbdo.exe 4744 Focakm32.exe 2084 Fiheheka.exe 2064 Fbqiak32.exe 464 Lflpmn32.exe 1344 Ljoboloa.exe 3972 Mmokpglb.exe 680 Mjcljk32.exe 5004 Mfjlolpp.exe 4064 Mcnmhpoj.exe 2924 Mlialb32.exe 2928 Nbefolao.exe 5016 Nbhcdl32.exe 1644 Nmmgae32.exe 4172 Npldnp32.exe 1860 Npnqcpmc.exe 2244 Njceqili.exe 4492 Olgnnqpe.exe 2804 Ofmbkipk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mnbnchlb.exe Mmaakpfd.exe File created C:\Windows\SysWOW64\Hgokikan.exe Gmggpekm.exe File created C:\Windows\SysWOW64\Dfpppj32.dll Jnhinq32.exe File created C:\Windows\SysWOW64\Dehcjghn.dll Cofnba32.exe File opened for modification C:\Windows\SysWOW64\Mjnnbk32.exe Mljmhflh.exe File created C:\Windows\SysWOW64\Gkbnkfei.exe Ghdaokfe.exe File created C:\Windows\SysWOW64\Ipjenn32.exe Idceim32.exe File created C:\Windows\SysWOW64\Lfafobpd.dll Kcikagij.exe File created C:\Windows\SysWOW64\Jdgjgh32.exe Jnmbjnlm.exe File created C:\Windows\SysWOW64\Qfanbpjg.exe Ppgeff32.exe File created C:\Windows\SysWOW64\Hckeikcl.exe Hlqmla32.exe File opened for modification C:\Windows\SysWOW64\Aogije32.exe Alimnj32.exe File created C:\Windows\SysWOW64\Abonhkgf.dll Fpoahbdh.exe File created C:\Windows\SysWOW64\Febogbhg.exe Enigjh32.exe File created C:\Windows\SysWOW64\Qfoadqde.dll Hdehho32.exe File opened for modification C:\Windows\SysWOW64\Mnbnchlb.exe Mmaakpfd.exe File created C:\Windows\SysWOW64\Ahpnbdnc.dll Hgokikan.exe File opened for modification C:\Windows\SysWOW64\Bdpanj32.exe Baadbo32.exe File created C:\Windows\SysWOW64\Clgbfe32.exe Chepehne.exe File created C:\Windows\SysWOW64\Ifcmmg32.dll Omfekbdh.exe File created C:\Windows\SysWOW64\Jlponebi.exe Jdiglgbg.exe File created C:\Windows\SysWOW64\Mlghfp32.dll Cdbmifdl.exe File created C:\Windows\SysWOW64\Pekkhn32.exe Poqckdap.exe File opened for modification C:\Windows\SysWOW64\Ojbamj32.exe Ohceqo32.exe File opened for modification C:\Windows\SysWOW64\Bgdjicmn.exe Bpkbmi32.exe File created C:\Windows\SysWOW64\Lkqliaki.exe Lcjchd32.exe File opened for modification C:\Windows\SysWOW64\Nkkggl32.exe Nilkkq32.exe File opened for modification C:\Windows\SysWOW64\Fgpilc32.exe Mfaqafjl.exe File opened for modification C:\Windows\SysWOW64\Lcjchd32.exe Ljaooodf.exe File created C:\Windows\SysWOW64\Kpiqpo32.exe Khbioa32.exe File created C:\Windows\SysWOW64\Bbmbkj32.dll Cedbbo32.exe File created C:\Windows\SysWOW64\Hgnlgjim.exe Hqddjp32.exe File created C:\Windows\SysWOW64\Plcnfpfp.dll Aphegjhc.exe File opened for modification C:\Windows\SysWOW64\Blflmj32.exe Bdkghg32.exe File created C:\Windows\SysWOW64\Keppcl32.dll Nehekq32.exe File created C:\Windows\SysWOW64\Pbjbfclk.exe Opkfjgmh.exe File opened for modification C:\Windows\SysWOW64\Iiigqdfd.exe Icoodj32.exe File opened for modification C:\Windows\SysWOW64\Onkphi32.exe Odfljp32.exe File opened for modification C:\Windows\SysWOW64\Cbkfbcpb.exe Cpljehpo.exe File opened for modification C:\Windows\SysWOW64\Gaccbaeq.exe Flfjjkgi.exe File opened for modification C:\Windows\SysWOW64\Aikijjon.exe Aifpoj32.exe File opened for modification C:\Windows\SysWOW64\Kcikagij.exe Kjafha32.exe File opened for modification C:\Windows\SysWOW64\Hfnpmgaj.exe Hjgohf32.exe File created C:\Windows\SysWOW64\Bccahbge.dll Jffodc32.exe File created C:\Windows\SysWOW64\Hhbnqi32.exe Hdfapjbl.exe File created C:\Windows\SysWOW64\Anlqcl32.dll Miqlpbap.exe File opened for modification C:\Windows\SysWOW64\Ihpgda32.exe Fgpilc32.exe File created C:\Windows\SysWOW64\Mghaofkn.dll Piknfgmd.exe File created C:\Windows\SysWOW64\Jhcipkpg.dll Nhokeolc.exe File created C:\Windows\SysWOW64\Obhlkjaj.exe Olndnp32.exe File opened for modification C:\Windows\SysWOW64\Pdalkk32.exe Pmgcoaie.exe File created C:\Windows\SysWOW64\Cikqab32.dll Nbhcdl32.exe File opened for modification C:\Windows\SysWOW64\Megldcgd.exe Mnndhi32.exe File created C:\Windows\SysWOW64\Ommjnlnd.exe Oefamoma.exe File created C:\Windows\SysWOW64\Cakoeq32.dll Ddhhldlf.exe File created C:\Windows\SysWOW64\Cienon32.exe Cbkfbcpb.exe File created C:\Windows\SysWOW64\Agecdgmk.dll Dknnoofg.exe File created C:\Windows\SysWOW64\Geleenbj.dll Alpboida.exe File created C:\Windows\SysWOW64\Bkggjg32.dll Cmkehicj.exe File created C:\Windows\SysWOW64\Cddjofbj.exe Cjofambd.exe File created C:\Windows\SysWOW64\Dhimoldn.dll Nmjdaoni.exe File created C:\Windows\SysWOW64\Odooqo32.exe Oaqbdc32.exe File opened for modification C:\Windows\SysWOW64\Adfnhlfa.exe Aecnmo32.exe File opened for modification C:\Windows\SysWOW64\Omopjcjp.exe Ookoaokf.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boeelcmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbfmpp32.dll" Iqkjkokh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqhopp32.dll" Jmknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmidnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmgcoaie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pphlpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mminaikp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoiihcde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhlkkb32.dll" Jdhndlno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnhinq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifcmmg32.dll" Omfekbdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igebgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iefnjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkdjph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnjlh32.dll" Fdhaca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddhhldlf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdipce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaidib32.dll" Obqanjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmqqnelh.dll" Olndnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpcbbed.dll" Kbkdgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfoadqde.dll" Hdehho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doeifpkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajjcoqdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkiclepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkfllami.dll" Koeajo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkdaij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khnhkdjh.dll" Mklkepal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minbgdmm.dll" Lmcejbbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmjdaoni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ampojimo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipdnna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lglekg32.dll" Jacggh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcpjk32.dll" Feimkjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqhob32.dll" Dnkkij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfmmajed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeigilml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnlfqngm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmodfqhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hienee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kggcgeop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Addabl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqdechnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcfmla32.dll" Pocpqcpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmndjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khbioa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddhhldlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmlfjj32.dll" Kdipce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oflkqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bekdmnio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcdlepj.dll" Hlipfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anaofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dehcjghn.dll" Cofnba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdaile32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghmkol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhinmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofgdcipq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgbcilhf.dll" Oanfodmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfnpmgaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhhkjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gideogil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfcihf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Galfhpmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkjoqnei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aojepe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4836 wrote to memory of 1412 4836 NEAS.95091183886bec1ab01952d238ffd730.exe 89 PID 4836 wrote to memory of 1412 4836 NEAS.95091183886bec1ab01952d238ffd730.exe 89 PID 4836 wrote to memory of 1412 4836 NEAS.95091183886bec1ab01952d238ffd730.exe 89 PID 1412 wrote to memory of 4040 1412 Mofmobmo.exe 91 PID 1412 wrote to memory of 4040 1412 Mofmobmo.exe 91 PID 1412 wrote to memory of 4040 1412 Mofmobmo.exe 91 PID 4040 wrote to memory of 4456 4040 Mljmhflh.exe 92 PID 4040 wrote to memory of 4456 4040 Mljmhflh.exe 92 PID 4040 wrote to memory of 4456 4040 Mljmhflh.exe 92 PID 4456 wrote to memory of 2028 4456 Mjnnbk32.exe 93 PID 4456 wrote to memory of 2028 4456 Mjnnbk32.exe 93 PID 4456 wrote to memory of 2028 4456 Mjnnbk32.exe 93 PID 2028 wrote to memory of 1848 2028 Mhckcgpj.exe 94 PID 2028 wrote to memory of 1848 2028 Mhckcgpj.exe 94 PID 2028 wrote to memory of 1848 2028 Mhckcgpj.exe 94 PID 1848 wrote to memory of 4328 1848 Nfgklkoc.exe 95 PID 1848 wrote to memory of 4328 1848 Nfgklkoc.exe 95 PID 1848 wrote to memory of 4328 1848 Nfgklkoc.exe 95 PID 4328 wrote to memory of 224 4328 Nbnlaldg.exe 96 PID 4328 wrote to memory of 224 4328 Nbnlaldg.exe 96 PID 4328 wrote to memory of 224 4328 Nbnlaldg.exe 96 PID 224 wrote to memory of 4216 224 Nqoloc32.exe 97 PID 224 wrote to memory of 4216 224 Nqoloc32.exe 97 PID 224 wrote to memory of 4216 224 Nqoloc32.exe 97 PID 4216 wrote to memory of 1132 4216 Nfldgk32.exe 98 PID 4216 wrote to memory of 1132 4216 Nfldgk32.exe 98 PID 4216 wrote to memory of 1132 4216 Nfldgk32.exe 98 PID 1132 wrote to memory of 2792 1132 Nodiqp32.exe 99 PID 1132 wrote to memory of 2792 1132 Nodiqp32.exe 99 PID 1132 wrote to memory of 2792 1132 Nodiqp32.exe 99 PID 2792 wrote to memory of 3384 2792 Nbbeml32.exe 100 PID 2792 wrote to memory of 3384 2792 Nbbeml32.exe 100 PID 2792 wrote to memory of 3384 2792 Nbbeml32.exe 100 PID 3384 wrote to memory of 3908 3384 Nmhijd32.exe 101 PID 3384 wrote to memory of 3908 3384 Nmhijd32.exe 101 PID 3384 wrote to memory of 3908 3384 Nmhijd32.exe 101 PID 3908 wrote to memory of 1216 3908 Niojoeel.exe 102 PID 3908 wrote to memory of 1216 3908 Niojoeel.exe 102 PID 3908 wrote to memory of 1216 3908 Niojoeel.exe 102 PID 1216 wrote to memory of 1380 1216 Ooibkpmi.exe 103 PID 1216 wrote to memory of 1380 1216 Ooibkpmi.exe 103 PID 1216 wrote to memory of 1380 1216 Ooibkpmi.exe 103 PID 1380 wrote to memory of 1188 1380 Oiagde32.exe 104 PID 1380 wrote to memory of 1188 1380 Oiagde32.exe 104 PID 1380 wrote to memory of 1188 1380 Oiagde32.exe 104 PID 1188 wrote to memory of 4784 1188 Ookoaokf.exe 105 PID 1188 wrote to memory of 4784 1188 Ookoaokf.exe 105 PID 1188 wrote to memory of 4784 1188 Ookoaokf.exe 105 PID 4784 wrote to memory of 3748 4784 Omopjcjp.exe 106 PID 4784 wrote to memory of 3748 4784 Omopjcjp.exe 106 PID 4784 wrote to memory of 3748 4784 Omopjcjp.exe 106 PID 3748 wrote to memory of 1000 3748 Ofgdcipq.exe 107 PID 3748 wrote to memory of 1000 3748 Ofgdcipq.exe 107 PID 3748 wrote to memory of 1000 3748 Ofgdcipq.exe 107 PID 1000 wrote to memory of 4496 1000 Oqmhqapg.exe 108 PID 1000 wrote to memory of 4496 1000 Oqmhqapg.exe 108 PID 1000 wrote to memory of 4496 1000 Oqmhqapg.exe 108 PID 4496 wrote to memory of 1544 4496 Ojemig32.exe 109 PID 4496 wrote to memory of 1544 4496 Ojemig32.exe 109 PID 4496 wrote to memory of 1544 4496 Ojemig32.exe 109 PID 1544 wrote to memory of 1836 1544 Obqanjdb.exe 110 PID 1544 wrote to memory of 1836 1544 Obqanjdb.exe 110 PID 1544 wrote to memory of 1836 1544 Obqanjdb.exe 110 PID 1836 wrote to memory of 5116 1836 Omfekbdh.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.95091183886bec1ab01952d238ffd730.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.95091183886bec1ab01952d238ffd730.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Mofmobmo.exeC:\Windows\system32\Mofmobmo.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Mljmhflh.exeC:\Windows\system32\Mljmhflh.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\Mjnnbk32.exeC:\Windows\system32\Mjnnbk32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\SysWOW64\Mhckcgpj.exeC:\Windows\system32\Mhckcgpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Nfgklkoc.exeC:\Windows\system32\Nfgklkoc.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Nbnlaldg.exeC:\Windows\system32\Nbnlaldg.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\Nqoloc32.exeC:\Windows\system32\Nqoloc32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Nfldgk32.exeC:\Windows\system32\Nfldgk32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\Nodiqp32.exeC:\Windows\system32\Nodiqp32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Nbbeml32.exeC:\Windows\system32\Nbbeml32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Nmhijd32.exeC:\Windows\system32\Nmhijd32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Windows\SysWOW64\Niojoeel.exeC:\Windows\system32\Niojoeel.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\SysWOW64\Ooibkpmi.exeC:\Windows\system32\Ooibkpmi.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Oiagde32.exeC:\Windows\system32\Oiagde32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Ookoaokf.exeC:\Windows\system32\Ookoaokf.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Omopjcjp.exeC:\Windows\system32\Omopjcjp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Ofgdcipq.exeC:\Windows\system32\Ofgdcipq.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\Oqmhqapg.exeC:\Windows\system32\Oqmhqapg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Windows\SysWOW64\Ojemig32.exeC:\Windows\system32\Ojemig32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\Obqanjdb.exeC:\Windows\system32\Obqanjdb.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Omfekbdh.exeC:\Windows\system32\Omfekbdh.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Bmidnm32.exeC:\Windows\system32\Bmidnm32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:5116 -
C:\Windows\SysWOW64\Bdcmkgmm.exeC:\Windows\system32\Bdcmkgmm.exe24⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Bagmdllg.exeC:\Windows\system32\Bagmdllg.exe25⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Ckpamabg.exeC:\Windows\system32\Ckpamabg.exe26⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Cpljehpo.exeC:\Windows\system32\Cpljehpo.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3580 -
C:\Windows\SysWOW64\Cbkfbcpb.exeC:\Windows\system32\Cbkfbcpb.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1108 -
C:\Windows\SysWOW64\Cienon32.exeC:\Windows\system32\Cienon32.exe29⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Ccmcgcmp.exeC:\Windows\system32\Ccmcgcmp.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Cigkdmel.exeC:\Windows\system32\Cigkdmel.exe31⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Ckggnp32.exeC:\Windows\system32\Ckggnp32.exe32⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Cildom32.exeC:\Windows\system32\Cildom32.exe33⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Cdaile32.exeC:\Windows\system32\Cdaile32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:4336 -
C:\Windows\SysWOW64\Dmjmekgn.exeC:\Windows\system32\Dmjmekgn.exe35⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Dknnoofg.exeC:\Windows\system32\Dknnoofg.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Ddfbgelh.exeC:\Windows\system32\Ddfbgelh.exe37⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Dickplko.exeC:\Windows\system32\Dickplko.exe38⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Gjqinamq.exeC:\Windows\system32\Gjqinamq.exe39⤵
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\Onakco32.exeC:\Windows\system32\Onakco32.exe40⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Gebimmco.exeC:\Windows\system32\Gebimmco.exe41⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Dgaiffii.exeC:\Windows\system32\Dgaiffii.exe42⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Falcli32.exeC:\Windows\system32\Falcli32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Fhflhcfa.exeC:\Windows\system32\Fhflhcfa.exe44⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Fkehdnee.exeC:\Windows\system32\Fkehdnee.exe45⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Fifhbf32.exeC:\Windows\system32\Fifhbf32.exe46⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Fhiinbdo.exeC:\Windows\system32\Fhiinbdo.exe47⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Focakm32.exeC:\Windows\system32\Focakm32.exe48⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Fiheheka.exeC:\Windows\system32\Fiheheka.exe49⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Fbqiak32.exeC:\Windows\system32\Fbqiak32.exe50⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Lflpmn32.exeC:\Windows\system32\Lflpmn32.exe51⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Ljoboloa.exeC:\Windows\system32\Ljoboloa.exe52⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Mmokpglb.exeC:\Windows\system32\Mmokpglb.exe53⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Mjcljk32.exeC:\Windows\system32\Mjcljk32.exe54⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Mfjlolpp.exeC:\Windows\system32\Mfjlolpp.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Mcnmhpoj.exeC:\Windows\system32\Mcnmhpoj.exe56⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Mlialb32.exeC:\Windows\system32\Mlialb32.exe57⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Nbefolao.exeC:\Windows\system32\Nbefolao.exe58⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Nbhcdl32.exeC:\Windows\system32\Nbhcdl32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5016 -
C:\Windows\SysWOW64\Nmmgae32.exeC:\Windows\system32\Nmmgae32.exe60⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Npldnp32.exeC:\Windows\system32\Npldnp32.exe61⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Npnqcpmc.exeC:\Windows\system32\Npnqcpmc.exe62⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Njceqili.exeC:\Windows\system32\Njceqili.exe63⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Olgnnqpe.exeC:\Windows\system32\Olgnnqpe.exe64⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Ofmbkipk.exeC:\Windows\system32\Ofmbkipk.exe65⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Odqbdnod.exeC:\Windows\system32\Odqbdnod.exe66⤵PID:3748
-
C:\Windows\SysWOW64\Ofooqinh.exeC:\Windows\system32\Ofooqinh.exe67⤵PID:1108
-
C:\Windows\SysWOW64\Opgciodi.exeC:\Windows\system32\Opgciodi.exe68⤵PID:4456
-
C:\Windows\SysWOW64\Obfpejcl.exeC:\Windows\system32\Obfpejcl.exe69⤵PID:2760
-
C:\Windows\SysWOW64\Olndnp32.exeC:\Windows\system32\Olndnp32.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Obhlkjaj.exeC:\Windows\system32\Obhlkjaj.exe71⤵PID:4868
-
C:\Windows\SysWOW64\Oplmdnpc.exeC:\Windows\system32\Oplmdnpc.exe72⤵PID:2932
-
C:\Windows\SysWOW64\Okaabg32.exeC:\Windows\system32\Okaabg32.exe73⤵PID:2496
-
C:\Windows\SysWOW64\Pghaghfn.exeC:\Windows\system32\Pghaghfn.exe74⤵PID:2104
-
C:\Windows\SysWOW64\Pdlbpldg.exeC:\Windows\system32\Pdlbpldg.exe75⤵PID:1044
-
C:\Windows\SysWOW64\Piikhc32.exeC:\Windows\system32\Piikhc32.exe76⤵PID:1772
-
C:\Windows\SysWOW64\Pcaoahio.exeC:\Windows\system32\Pcaoahio.exe77⤵PID:1692
-
C:\Windows\SysWOW64\Pkigbfja.exeC:\Windows\system32\Pkigbfja.exe78⤵PID:4380
-
C:\Windows\SysWOW64\Pmgcoaie.exeC:\Windows\system32\Pmgcoaie.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Pdalkk32.exeC:\Windows\system32\Pdalkk32.exe80⤵PID:2564
-
C:\Windows\SysWOW64\Pphlpl32.exeC:\Windows\system32\Pphlpl32.exe81⤵
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Qkmqne32.exeC:\Windows\system32\Qkmqne32.exe82⤵PID:3680
-
C:\Windows\SysWOW64\Qmlmjq32.exeC:\Windows\system32\Qmlmjq32.exe83⤵PID:4412
-
C:\Windows\SysWOW64\Qpjifl32.exeC:\Windows\system32\Qpjifl32.exe84⤵PID:3048
-
C:\Windows\SysWOW64\Qibmoa32.exeC:\Windows\system32\Qibmoa32.exe85⤵PID:4796
-
C:\Windows\SysWOW64\Qlajkm32.exeC:\Windows\system32\Qlajkm32.exe86⤵PID:4092
-
C:\Windows\SysWOW64\Akbjidbf.exeC:\Windows\system32\Akbjidbf.exe87⤵PID:2296
-
C:\Windows\SysWOW64\Acmomgoa.exeC:\Windows\system32\Acmomgoa.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4804 -
C:\Windows\SysWOW64\Agikne32.exeC:\Windows\system32\Agikne32.exe89⤵PID:4844
-
C:\Windows\SysWOW64\Ajggjq32.exeC:\Windows\system32\Ajggjq32.exe90⤵PID:1268
-
C:\Windows\SysWOW64\Admkgifd.exeC:\Windows\system32\Admkgifd.exe91⤵PID:4596
-
C:\Windows\SysWOW64\Ajjcoqdl.exeC:\Windows\system32\Ajjcoqdl.exe92⤵
- Modifies registry class
PID:5088 -
C:\Windows\SysWOW64\Alhpkldp.exeC:\Windows\system32\Alhpkldp.exe93⤵PID:1424
-
C:\Windows\SysWOW64\Aljmal32.exeC:\Windows\system32\Aljmal32.exe94⤵PID:4360
-
C:\Windows\SysWOW64\Adadbi32.exeC:\Windows\system32\Adadbi32.exe95⤵PID:4268
-
C:\Windows\SysWOW64\Ajnmjp32.exeC:\Windows\system32\Ajnmjp32.exe96⤵PID:2820
-
C:\Windows\SysWOW64\Aphegjhc.exeC:\Windows\system32\Aphegjhc.exe97⤵
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\Bnlfqngm.exeC:\Windows\system32\Bnlfqngm.exe98⤵
- Modifies registry class
PID:3076 -
C:\Windows\SysWOW64\Bpkbmi32.exeC:\Windows\system32\Bpkbmi32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Bgdjicmn.exeC:\Windows\system32\Bgdjicmn.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2816 -
C:\Windows\SysWOW64\Bjcfeola.exeC:\Windows\system32\Bjcfeola.exe101⤵PID:4532
-
C:\Windows\SysWOW64\Bckknd32.exeC:\Windows\system32\Bckknd32.exe102⤵PID:2568
-
C:\Windows\SysWOW64\Bnaolm32.exeC:\Windows\system32\Bnaolm32.exe103⤵PID:992
-
C:\Windows\SysWOW64\Bdkghg32.exeC:\Windows\system32\Bdkghg32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4852 -
C:\Windows\SysWOW64\Blflmj32.exeC:\Windows\system32\Blflmj32.exe105⤵PID:4328
-
C:\Windows\SysWOW64\Bglpjb32.exeC:\Windows\system32\Bglpjb32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4076 -
C:\Windows\SysWOW64\Bqdechnf.exeC:\Windows\system32\Bqdechnf.exe107⤵
- Modifies registry class
PID:4600 -
C:\Windows\SysWOW64\Ckiipa32.exeC:\Windows\system32\Ckiipa32.exe108⤵PID:4336
-
C:\Windows\SysWOW64\Cmkehicj.exeC:\Windows\system32\Cmkehicj.exe109⤵
- Drops file in System32 directory
PID:4912 -
C:\Windows\SysWOW64\Cdbmifdl.exeC:\Windows\system32\Cdbmifdl.exe110⤵
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Cjofambd.exeC:\Windows\system32\Cjofambd.exe111⤵
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Cddjofbj.exeC:\Windows\system32\Cddjofbj.exe112⤵PID:2204
-
C:\Windows\SysWOW64\Dgliapic.exeC:\Windows\system32\Dgliapic.exe113⤵PID:220
-
C:\Windows\SysWOW64\Djjemlhf.exeC:\Windows\system32\Djjemlhf.exe114⤵PID:1436
-
C:\Windows\SysWOW64\Dmiaig32.exeC:\Windows\system32\Dmiaig32.exe115⤵PID:2272
-
C:\Windows\SysWOW64\Ddpjjd32.exeC:\Windows\system32\Ddpjjd32.exe116⤵PID:4892
-
C:\Windows\SysWOW64\Dkjbgooi.exeC:\Windows\system32\Dkjbgooi.exe117⤵PID:3544
-
C:\Windows\SysWOW64\Dnhncjom.exeC:\Windows\system32\Dnhncjom.exe118⤵PID:3940
-
C:\Windows\SysWOW64\Dcegkamd.exeC:\Windows\system32\Dcegkamd.exe119⤵PID:4200
-
C:\Windows\SysWOW64\Dklomnmf.exeC:\Windows\system32\Dklomnmf.exe120⤵PID:4788
-
C:\Windows\SysWOW64\Dnkkij32.exeC:\Windows\system32\Dnkkij32.exe121⤵
- Modifies registry class
PID:1148
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-