Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
164s -
max time network
197s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
31/10/2023, 08:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.01cf2695cbe14bb373acad48ea5076a0.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.01cf2695cbe14bb373acad48ea5076a0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.01cf2695cbe14bb373acad48ea5076a0.exe
-
Size
74KB
-
MD5
01cf2695cbe14bb373acad48ea5076a0
-
SHA1
2b2a633513596498548069b839bf0a6779a077da
-
SHA256
3fc9c4b95ad116f7a9ba54258c2284a5301ea6f896b45528aafff5a2ca95d08a
-
SHA512
09ea3739b2926faefc3286de377b229857aa49c264d4a39e2afa2a0cdc530a9e07287e3cd50385aa5b494e6eadf80ca561e42c713e7cd6d37cef4f1e13e8af1f
-
SSDEEP
1536:BES5k9FmdT0Fk4uPi6JqBNw0pqMAAQftK:d5k9F4Tcu3J0w0pNAAQFK
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Legjgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnjecp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqmfnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqkogiki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oohkko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfjhocij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfmeebgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knkokl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olidijjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkcibnmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llnglg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbpif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iefgln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjcbkbnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpeobn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lomqmoob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbief32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odfljp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlclnhho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilfomm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfongpab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijhhocnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfgloiqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqnofkkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkdjph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmphkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Moqlcbce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdpea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipaeedpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdppllld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dddlfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igpkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkaijl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aggean32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbfikkq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhpeelnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbljaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjlijp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkgfnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfgjcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnpalk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amibklml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egnacd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oohkko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdffkgpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Giinjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcmkehcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogndki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofqnlplf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkkdjcjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnifbmfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbnbaljc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppepkmhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nombnc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klapgq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlqohhja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilglgfjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nleojlbk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oplkgi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkfhngo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Becipn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iipfgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdalni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egkgljkm.exe -
Executes dropped EXE 64 IoCs
pid Process 2700 Hfgloiqf.exe 5080 Igpkok32.exe 3000 Jgbhdkml.exe 2884 Jjhjae32.exe 3396 Kjamhd32.exe 216 Kclnfi32.exe 5112 Lpelqj32.exe 2400 Mdjjgggk.exe 1788 Ndejcemn.exe 4168 Ndjcne32.exe 4508 Ohmepbki.exe 724 Ogbbqo32.exe 2164 Oggllnkl.exe 2716 Pgihanii.exe 3132 Pjlnhi32.exe 748 Pgbkgmao.exe 1548 Bhbahm32.exe 2356 Bqbohocd.exe 4268 Bqdlmo32.exe 4100 Cejjdlap.exe 3760 Dagajlal.exe 5056 Ehhpge32.exe 4996 Fhflhcfa.exe 4208 Faamghko.exe 3972 Ghmbib32.exe 2852 Goamlkpk.exe 1908 Hhbdko32.exe 3960 Iibaeb32.exe 1108 Ihlgan32.exe 3744 Jcfejfag.exe 976 Jkajnh32.exe 3956 Kcdakd32.exe 2732 Lkflpe32.exe 180 Ljglnmdi.exe 600 Lcdjba32.exe 4872 Mmdekf32.exe 3188 Ncbfcp32.exe 4480 Npighq32.exe 4624 Npldnp32.exe 924 Nmpdgdmp.exe 2312 Nfhipj32.exe 4324 Ojhnlh32.exe 4284 Odqbdnod.exe 4712 Oibdhd32.exe 692 Okaabg32.exe 2740 Pmbjcb32.exe 436 Ppepkmhi.exe 4360 Apobakpn.exe 2240 Bcinie32.exe 4024 Cklffq32.exe 2032 Cjcolm32.exe 2128 Dmfecgim.exe 4244 Dqdnjfpc.exe 4296 Fmndkd32.exe 3312 Fmpaqd32.exe 1996 Gmlplbib.exe 4020 Hdahek32.exe 2220 Hmjmnpmb.exe 2972 Iejgelej.exe 4836 Ilglgfjd.exe 1456 Jafaem32.exe 3008 Jolodqcp.exe 744 Knkokl32.exe 4708 Kkooep32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Epmmjnkp.exe Ebimqi32.exe File opened for modification C:\Windows\SysWOW64\Mbbloc32.exe Mpapgknd.exe File created C:\Windows\SysWOW64\Mmkhci32.dll Mekdplkb.exe File opened for modification C:\Windows\SysWOW64\Cbeokmbn.exe Ciljbh32.exe File created C:\Windows\SysWOW64\Mlejao32.dll Bhbahm32.exe File opened for modification C:\Windows\SysWOW64\Knhkkfod.exe Knenffqf.exe File created C:\Windows\SysWOW64\Eakfnd32.dll Cagmnaad.exe File opened for modification C:\Windows\SysWOW64\Mamcddhg.exe Lhenko32.exe File opened for modification C:\Windows\SysWOW64\Bjaeei32.exe Aiplff32.exe File opened for modification C:\Windows\SysWOW64\Pgcpdn32.exe Nglala32.exe File created C:\Windows\SysWOW64\Qofjjb32.exe Qgkeep32.exe File opened for modification C:\Windows\SysWOW64\Jjmcghjj.exe Jgngkmkf.exe File opened for modification C:\Windows\SysWOW64\Mgclja32.exe Mmnglh32.exe File created C:\Windows\SysWOW64\Qhcpmn32.dll Lkcaeige.exe File created C:\Windows\SysWOW64\Fdbdkn32.exe Fkiobhac.exe File created C:\Windows\SysWOW64\Epjadk32.exe Dpehikja.exe File opened for modification C:\Windows\SysWOW64\Halmaiog.exe Hhdhhchf.exe File created C:\Windows\SysWOW64\Obackhcd.dll Fcpkjn32.exe File opened for modification C:\Windows\SysWOW64\Dagajlal.exe Cejjdlap.exe File created C:\Windows\SysWOW64\Gdgiknio.dll Pgihppgo.exe File opened for modification C:\Windows\SysWOW64\Dlkpealn.exe Dfngmjnf.exe File opened for modification C:\Windows\SysWOW64\Aebjokda.exe Qojeabie.exe File opened for modification C:\Windows\SysWOW64\Bnfmcn32.exe Bglefdke.exe File opened for modification C:\Windows\SysWOW64\Hehkjpod.exe Hoobnf32.exe File opened for modification C:\Windows\SysWOW64\Hjghmp32.exe Hcmpqe32.exe File created C:\Windows\SysWOW64\Omegdebp.exe Odmbkolo.exe File created C:\Windows\SysWOW64\Ancbnhae.dll Ohkkanbe.exe File created C:\Windows\SysWOW64\Llploh32.dll Ibnaonhp.exe File created C:\Windows\SysWOW64\Nojoiakk.exe Nllcmelg.exe File opened for modification C:\Windows\SysWOW64\Ndbefkjk.exe Nofmndkd.exe File created C:\Windows\SysWOW64\Bbpoge32.exe Ajbmmcii.exe File opened for modification C:\Windows\SysWOW64\Mjokpm32.exe Mmkkgh32.exe File created C:\Windows\SysWOW64\Pfcchmlq.exe Ppiklc32.exe File created C:\Windows\SysWOW64\Hldnegjg.dll Mhgfdmle.exe File opened for modification C:\Windows\SysWOW64\Noehlgol.exe Nhlpom32.exe File created C:\Windows\SysWOW64\Ngodlgka.exe Nnfpcada.exe File created C:\Windows\SysWOW64\Lajodnfo.exe Llnglg32.exe File created C:\Windows\SysWOW64\Apobakpn.exe Ppepkmhi.exe File opened for modification C:\Windows\SysWOW64\Ipaeedpp.exe Ifipmo32.exe File opened for modification C:\Windows\SysWOW64\Jijaef32.exe Inmggo32.exe File created C:\Windows\SysWOW64\Nhjbjp32.exe Nmenmgab.exe File created C:\Windows\SysWOW64\Pdpndo32.dll Gnlmai32.exe File created C:\Windows\SysWOW64\Kfhdqa32.exe Kallhjoc.exe File created C:\Windows\SysWOW64\Gimjag32.exe Gqaeme32.exe File created C:\Windows\SysWOW64\Fcleopbe.dll Gehfepio.exe File opened for modification C:\Windows\SysWOW64\Fncbag32.exe Fcmndncl.exe File created C:\Windows\SysWOW64\Macdgn32.exe Mlflog32.exe File opened for modification C:\Windows\SysWOW64\Egnacd32.exe Epdigjaa.exe File created C:\Windows\SysWOW64\Igbhpned.exe Igpkjo32.exe File created C:\Windows\SysWOW64\Bkjpek32.exe Bjicnbba.exe File opened for modification C:\Windows\SysWOW64\Dkmebh32.exe Cjlijp32.exe File created C:\Windows\SysWOW64\Gcggec32.exe Fkgiea32.exe File opened for modification C:\Windows\SysWOW64\Jangaboo.exe Jhfbim32.exe File created C:\Windows\SysWOW64\Kbeild32.exe Kaemba32.exe File created C:\Windows\SysWOW64\Hmejje32.dll Jgonfcnb.exe File created C:\Windows\SysWOW64\Oiglen32.exe Opnglhnd.exe File opened for modification C:\Windows\SysWOW64\Bikdgn32.exe Bpbpoi32.exe File opened for modification C:\Windows\SysWOW64\Hjlhcehq.exe Hfnpmgaj.exe File created C:\Windows\SysWOW64\Lnkedd32.exe Lagekp32.exe File opened for modification C:\Windows\SysWOW64\Qkgcog32.exe Qdmkbmnl.exe File created C:\Windows\SysWOW64\Mbgejcpm.exe Mljmblae.exe File opened for modification C:\Windows\SysWOW64\Obgoaq32.exe Ofqnlplf.exe File opened for modification C:\Windows\SysWOW64\Jjonobhk.exe Jcefbhpo.exe File opened for modification C:\Windows\SysWOW64\Hfemkdbm.exe Gfbpfedp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knabne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajbmmcii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofpfmaai.dll" Lmmoekem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmfalimb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmdkmdoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbhifj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamiaq32.dll" Igpkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npbelfjm.dll" Ammgifpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdaglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmcgke32.dll" Ndddaahi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbcpkjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebiogg32.dll" Abqjci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcghbheo.dll" Nlknqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pamgmcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpikla32.dll" Gfbpfedp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljgngaia.dll" Jeocgfgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adcjhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpncng32.dll" Okolppdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oigebnnl.dll" Gpcdil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jqgldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojfbfmbf.dll" Eimegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcojdnfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbmbidf.dll" Aiplff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imcpcmcg.dll" Ohcmid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qpmnml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjamhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iejgelej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhph32.dll" Onhmhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oofepe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fncbag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Caeiam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpknhfoq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ammgifpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omegdebp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfchehla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jamafidm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecdbhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjbemei.dll" Lnpman32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oihdab32.dll" Faamghko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbpjbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijdlfdfj.dll" Fhgclopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aocokj32.dll" Pdifcoea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpipea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhngfcdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfglomin.dll" Oidopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqhopg32.dll" Lnjgpgkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljnddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cagmnaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpchjkdg.dll" Cpljonfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhnhplpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjfobp32.dll" Majoikof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didpdkmp.dll" Japmmlip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olhlaoea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmdgbamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcneod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hqfqpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcancmc.dll" Bqdlmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlbnhkqo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cacmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjopnl32.dll" Hmoehojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hddbmedc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnpalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kojdflkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obmbbh32.dll" Ldleje32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 920 wrote to memory of 2700 920 NEAS.01cf2695cbe14bb373acad48ea5076a0.exe 93 PID 920 wrote to memory of 2700 920 NEAS.01cf2695cbe14bb373acad48ea5076a0.exe 93 PID 920 wrote to memory of 2700 920 NEAS.01cf2695cbe14bb373acad48ea5076a0.exe 93 PID 2700 wrote to memory of 5080 2700 Hfgloiqf.exe 94 PID 2700 wrote to memory of 5080 2700 Hfgloiqf.exe 94 PID 2700 wrote to memory of 5080 2700 Hfgloiqf.exe 94 PID 5080 wrote to memory of 3000 5080 Igpkok32.exe 95 PID 5080 wrote to memory of 3000 5080 Igpkok32.exe 95 PID 5080 wrote to memory of 3000 5080 Igpkok32.exe 95 PID 3000 wrote to memory of 2884 3000 Jgbhdkml.exe 96 PID 3000 wrote to memory of 2884 3000 Jgbhdkml.exe 96 PID 3000 wrote to memory of 2884 3000 Jgbhdkml.exe 96 PID 2884 wrote to memory of 3396 2884 Jjhjae32.exe 97 PID 2884 wrote to memory of 3396 2884 Jjhjae32.exe 97 PID 2884 wrote to memory of 3396 2884 Jjhjae32.exe 97 PID 3396 wrote to memory of 216 3396 Kjamhd32.exe 98 PID 3396 wrote to memory of 216 3396 Kjamhd32.exe 98 PID 3396 wrote to memory of 216 3396 Kjamhd32.exe 98 PID 216 wrote to memory of 5112 216 Kclnfi32.exe 99 PID 216 wrote to memory of 5112 216 Kclnfi32.exe 99 PID 216 wrote to memory of 5112 216 Kclnfi32.exe 99 PID 5112 wrote to memory of 2400 5112 Lpelqj32.exe 100 PID 5112 wrote to memory of 2400 5112 Lpelqj32.exe 100 PID 5112 wrote to memory of 2400 5112 Lpelqj32.exe 100 PID 2400 wrote to memory of 1788 2400 Mdjjgggk.exe 101 PID 2400 wrote to memory of 1788 2400 Mdjjgggk.exe 101 PID 2400 wrote to memory of 1788 2400 Mdjjgggk.exe 101 PID 1788 wrote to memory of 4168 1788 Ndejcemn.exe 102 PID 1788 wrote to memory of 4168 1788 Ndejcemn.exe 102 PID 1788 wrote to memory of 4168 1788 Ndejcemn.exe 102 PID 4168 wrote to memory of 4508 4168 Ndjcne32.exe 103 PID 4168 wrote to memory of 4508 4168 Ndjcne32.exe 103 PID 4168 wrote to memory of 4508 4168 Ndjcne32.exe 103 PID 4508 wrote to memory of 724 4508 Ohmepbki.exe 104 PID 4508 wrote to memory of 724 4508 Ohmepbki.exe 104 PID 4508 wrote to memory of 724 4508 Ohmepbki.exe 104 PID 724 wrote to memory of 2164 724 Ogbbqo32.exe 105 PID 724 wrote to memory of 2164 724 Ogbbqo32.exe 105 PID 724 wrote to memory of 2164 724 Ogbbqo32.exe 105 PID 2164 wrote to memory of 2716 2164 Oggllnkl.exe 106 PID 2164 wrote to memory of 2716 2164 Oggllnkl.exe 106 PID 2164 wrote to memory of 2716 2164 Oggllnkl.exe 106 PID 2716 wrote to memory of 3132 2716 Pgihanii.exe 107 PID 2716 wrote to memory of 3132 2716 Pgihanii.exe 107 PID 2716 wrote to memory of 3132 2716 Pgihanii.exe 107 PID 3132 wrote to memory of 748 3132 Pjlnhi32.exe 108 PID 3132 wrote to memory of 748 3132 Pjlnhi32.exe 108 PID 3132 wrote to memory of 748 3132 Pjlnhi32.exe 108 PID 748 wrote to memory of 1548 748 Pgbkgmao.exe 109 PID 748 wrote to memory of 1548 748 Pgbkgmao.exe 109 PID 748 wrote to memory of 1548 748 Pgbkgmao.exe 109 PID 1548 wrote to memory of 2356 1548 Bhbahm32.exe 110 PID 1548 wrote to memory of 2356 1548 Bhbahm32.exe 110 PID 1548 wrote to memory of 2356 1548 Bhbahm32.exe 110 PID 2356 wrote to memory of 4268 2356 Bqbohocd.exe 111 PID 2356 wrote to memory of 4268 2356 Bqbohocd.exe 111 PID 2356 wrote to memory of 4268 2356 Bqbohocd.exe 111 PID 4268 wrote to memory of 4100 4268 Bqdlmo32.exe 112 PID 4268 wrote to memory of 4100 4268 Bqdlmo32.exe 112 PID 4268 wrote to memory of 4100 4268 Bqdlmo32.exe 112 PID 4100 wrote to memory of 3760 4100 Cejjdlap.exe 113 PID 4100 wrote to memory of 3760 4100 Cejjdlap.exe 113 PID 4100 wrote to memory of 3760 4100 Cejjdlap.exe 113 PID 3760 wrote to memory of 5056 3760 Dagajlal.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.01cf2695cbe14bb373acad48ea5076a0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.01cf2695cbe14bb373acad48ea5076a0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\Hfgloiqf.exeC:\Windows\system32\Hfgloiqf.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Igpkok32.exeC:\Windows\system32\Igpkok32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Jgbhdkml.exeC:\Windows\system32\Jgbhdkml.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Jjhjae32.exeC:\Windows\system32\Jjhjae32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Kjamhd32.exeC:\Windows\system32\Kjamhd32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\SysWOW64\Kclnfi32.exeC:\Windows\system32\Kclnfi32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Lpelqj32.exeC:\Windows\system32\Lpelqj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\Mdjjgggk.exeC:\Windows\system32\Mdjjgggk.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Ndejcemn.exeC:\Windows\system32\Ndejcemn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Ndjcne32.exeC:\Windows\system32\Ndjcne32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\Ohmepbki.exeC:\Windows\system32\Ohmepbki.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\Ogbbqo32.exeC:\Windows\system32\Ogbbqo32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Windows\SysWOW64\Oggllnkl.exeC:\Windows\system32\Oggllnkl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Pgihanii.exeC:\Windows\system32\Pgihanii.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Pjlnhi32.exeC:\Windows\system32\Pjlnhi32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\SysWOW64\Pgbkgmao.exeC:\Windows\system32\Pgbkgmao.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Bhbahm32.exeC:\Windows\system32\Bhbahm32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Bqbohocd.exeC:\Windows\system32\Bqbohocd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Bqdlmo32.exeC:\Windows\system32\Bqdlmo32.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Cejjdlap.exeC:\Windows\system32\Cejjdlap.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Dagajlal.exeC:\Windows\system32\Dagajlal.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Windows\SysWOW64\Ehhpge32.exeC:\Windows\system32\Ehhpge32.exe23⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Fhflhcfa.exeC:\Windows\system32\Fhflhcfa.exe24⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Faamghko.exeC:\Windows\system32\Faamghko.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:4208 -
C:\Windows\SysWOW64\Ghmbib32.exeC:\Windows\system32\Ghmbib32.exe26⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Goamlkpk.exeC:\Windows\system32\Goamlkpk.exe27⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Hhbdko32.exeC:\Windows\system32\Hhbdko32.exe28⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Iibaeb32.exeC:\Windows\system32\Iibaeb32.exe29⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Ihlgan32.exeC:\Windows\system32\Ihlgan32.exe30⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Jcfejfag.exeC:\Windows\system32\Jcfejfag.exe31⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Jkajnh32.exeC:\Windows\system32\Jkajnh32.exe32⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Kcdakd32.exeC:\Windows\system32\Kcdakd32.exe33⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Lkflpe32.exeC:\Windows\system32\Lkflpe32.exe34⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Ljglnmdi.exeC:\Windows\system32\Ljglnmdi.exe35⤵
- Executes dropped EXE
PID:180 -
C:\Windows\SysWOW64\Lcdjba32.exeC:\Windows\system32\Lcdjba32.exe36⤵
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Mmdekf32.exeC:\Windows\system32\Mmdekf32.exe37⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Ncbfcp32.exeC:\Windows\system32\Ncbfcp32.exe38⤵
- Executes dropped EXE
PID:3188 -
C:\Windows\SysWOW64\Npighq32.exeC:\Windows\system32\Npighq32.exe39⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Npldnp32.exeC:\Windows\system32\Npldnp32.exe40⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Nmpdgdmp.exeC:\Windows\system32\Nmpdgdmp.exe41⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Nfhipj32.exeC:\Windows\system32\Nfhipj32.exe42⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Ojhnlh32.exeC:\Windows\system32\Ojhnlh32.exe43⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Odqbdnod.exeC:\Windows\system32\Odqbdnod.exe44⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Oibdhd32.exeC:\Windows\system32\Oibdhd32.exe45⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Okaabg32.exeC:\Windows\system32\Okaabg32.exe46⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Pmbjcb32.exeC:\Windows\system32\Pmbjcb32.exe47⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Ppepkmhi.exeC:\Windows\system32\Ppepkmhi.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:436 -
C:\Windows\SysWOW64\Apobakpn.exeC:\Windows\system32\Apobakpn.exe49⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Bcinie32.exeC:\Windows\system32\Bcinie32.exe50⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Cklffq32.exeC:\Windows\system32\Cklffq32.exe51⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Cjcolm32.exeC:\Windows\system32\Cjcolm32.exe52⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Dmfecgim.exeC:\Windows\system32\Dmfecgim.exe53⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Dqdnjfpc.exeC:\Windows\system32\Dqdnjfpc.exe54⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Fmndkd32.exeC:\Windows\system32\Fmndkd32.exe55⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Fmpaqd32.exeC:\Windows\system32\Fmpaqd32.exe56⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Gmlplbib.exeC:\Windows\system32\Gmlplbib.exe57⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Hdahek32.exeC:\Windows\system32\Hdahek32.exe58⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Hmjmnpmb.exeC:\Windows\system32\Hmjmnpmb.exe59⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Iejgelej.exeC:\Windows\system32\Iejgelej.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Ilglgfjd.exeC:\Windows\system32\Ilglgfjd.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Jafaem32.exeC:\Windows\system32\Jafaem32.exe62⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Jolodqcp.exeC:\Windows\system32\Jolodqcp.exe63⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Kfpjgi32.exeC:\Windows\system32\Kfpjgi32.exe64⤵PID:2000
-
C:\Windows\SysWOW64\Knkokl32.exeC:\Windows\system32\Knkokl32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Kkooep32.exeC:\Windows\system32\Kkooep32.exe66⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Loaafnah.exeC:\Windows\system32\Loaafnah.exe67⤵PID:1392
-
C:\Windows\SysWOW64\Lnikmjdm.exeC:\Windows\system32\Lnikmjdm.exe68⤵PID:4860
-
C:\Windows\SysWOW64\Mbiphhhq.exeC:\Windows\system32\Mbiphhhq.exe69⤵PID:1368
-
C:\Windows\SysWOW64\Mndjhhjp.exeC:\Windows\system32\Mndjhhjp.exe70⤵PID:2480
-
C:\Windows\SysWOW64\Nkkggl32.exeC:\Windows\system32\Nkkggl32.exe71⤵PID:1516
-
C:\Windows\SysWOW64\Nlbnhkqo.exeC:\Windows\system32\Nlbnhkqo.exe72⤵
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Nblfee32.exeC:\Windows\system32\Nblfee32.exe73⤵PID:3036
-
C:\Windows\SysWOW64\Oemofpel.exeC:\Windows\system32\Oemofpel.exe74⤵PID:4988
-
C:\Windows\SysWOW64\Olidijjf.exeC:\Windows\system32\Olidijjf.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2236 -
C:\Windows\SysWOW64\Oimdbnip.exeC:\Windows\system32\Oimdbnip.exe76⤵PID:4584
-
C:\Windows\SysWOW64\Pehnboko.exeC:\Windows\system32\Pehnboko.exe77⤵PID:772
-
C:\Windows\SysWOW64\Pekkhn32.exeC:\Windows\system32\Pekkhn32.exe78⤵PID:1740
-
C:\Windows\SysWOW64\Pbokab32.exeC:\Windows\system32\Pbokab32.exe79⤵PID:2580
-
C:\Windows\SysWOW64\Ppblkffp.exeC:\Windows\system32\Ppblkffp.exe80⤵PID:4264
-
C:\Windows\SysWOW64\Pmfldkei.exeC:\Windows\system32\Pmfldkei.exe81⤵PID:1148
-
C:\Windows\SysWOW64\Pohilc32.exeC:\Windows\system32\Pohilc32.exe82⤵PID:2036
-
C:\Windows\SysWOW64\Pimmil32.exeC:\Windows\system32\Pimmil32.exe83⤵PID:1844
-
C:\Windows\SysWOW64\Qojeabie.exeC:\Windows\system32\Qojeabie.exe84⤵
- Drops file in System32 directory
PID:368 -
C:\Windows\SysWOW64\Aebjokda.exeC:\Windows\system32\Aebjokda.exe85⤵PID:4000
-
C:\Windows\SysWOW64\Bllble32.exeC:\Windows\system32\Bllble32.exe86⤵PID:4880
-
C:\Windows\SysWOW64\Bchgnoai.exeC:\Windows\system32\Bchgnoai.exe87⤵PID:3136
-
C:\Windows\SysWOW64\Bgkipl32.exeC:\Windows\system32\Bgkipl32.exe88⤵PID:492
-
C:\Windows\SysWOW64\Dodjemee.exeC:\Windows\system32\Dodjemee.exe89⤵PID:1364
-
C:\Windows\SysWOW64\Dnekcd32.exeC:\Windows\system32\Dnekcd32.exe90⤵PID:3680
-
C:\Windows\SysWOW64\Dmmdjp32.exeC:\Windows\system32\Dmmdjp32.exe91⤵PID:3920
-
C:\Windows\SysWOW64\Dfeibf32.exeC:\Windows\system32\Dfeibf32.exe92⤵PID:2660
-
C:\Windows\SysWOW64\Fceihh32.exeC:\Windows\system32\Fceihh32.exe93⤵PID:3904
-
C:\Windows\SysWOW64\Fqiiamjp.exeC:\Windows\system32\Fqiiamjp.exe94⤵PID:740
-
C:\Windows\SysWOW64\Gjkqpa32.exeC:\Windows\system32\Gjkqpa32.exe95⤵PID:5136
-
C:\Windows\SysWOW64\Gadimkpb.exeC:\Windows\system32\Gadimkpb.exe96⤵PID:5192
-
C:\Windows\SysWOW64\Gfcnka32.exeC:\Windows\system32\Gfcnka32.exe97⤵PID:5232
-
C:\Windows\SysWOW64\Gaibhj32.exeC:\Windows\system32\Gaibhj32.exe98⤵PID:5292
-
C:\Windows\SysWOW64\Hjfplo32.exeC:\Windows\system32\Hjfplo32.exe99⤵PID:5340
-
C:\Windows\SysWOW64\Haphiiee.exeC:\Windows\system32\Haphiiee.exe100⤵PID:5380
-
C:\Windows\SysWOW64\Hfmqapcl.exeC:\Windows\system32\Hfmqapcl.exe101⤵PID:5448
-
C:\Windows\SysWOW64\Hfonfp32.exeC:\Windows\system32\Hfonfp32.exe102⤵PID:5492
-
C:\Windows\SysWOW64\Hmlbij32.exeC:\Windows\system32\Hmlbij32.exe103⤵PID:5536
-
C:\Windows\SysWOW64\Imnoni32.exeC:\Windows\system32\Imnoni32.exe104⤵PID:5580
-
C:\Windows\SysWOW64\Ifipmo32.exeC:\Windows\system32\Ifipmo32.exe105⤵
- Drops file in System32 directory
PID:5616 -
C:\Windows\SysWOW64\Ipaeedpp.exeC:\Windows\system32\Ipaeedpp.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5780 -
C:\Windows\SysWOW64\Jolhjj32.exeC:\Windows\system32\Jolhjj32.exe107⤵PID:5828
-
C:\Windows\SysWOW64\Jhdlbp32.exeC:\Windows\system32\Jhdlbp32.exe108⤵PID:5884
-
C:\Windows\SysWOW64\Jopaejlo.exeC:\Windows\system32\Jopaejlo.exe109⤵PID:5932
-
C:\Windows\SysWOW64\Kpanmb32.exeC:\Windows\system32\Kpanmb32.exe110⤵PID:5980
-
C:\Windows\SysWOW64\Knenffqf.exeC:\Windows\system32\Knenffqf.exe111⤵
- Drops file in System32 directory
PID:6024 -
C:\Windows\SysWOW64\Knhkkfod.exeC:\Windows\system32\Knhkkfod.exe112⤵PID:6076
-
C:\Windows\SysWOW64\Knjhae32.exeC:\Windows\system32\Knjhae32.exe113⤵PID:5164
-
C:\Windows\SysWOW64\Kpkqbq32.exeC:\Windows\system32\Kpkqbq32.exe114⤵PID:5224
-
C:\Windows\SysWOW64\Kolaqh32.exeC:\Windows\system32\Kolaqh32.exe115⤵PID:5304
-
C:\Windows\SysWOW64\Lkcaeige.exeC:\Windows\system32\Lkcaeige.exe116⤵
- Drops file in System32 directory
PID:5420 -
C:\Windows\SysWOW64\Lhnhplpg.exeC:\Windows\system32\Lhnhplpg.exe117⤵
- Modifies registry class
PID:5476 -
C:\Windows\SysWOW64\Mnjqhcno.exeC:\Windows\system32\Mnjqhcno.exe118⤵PID:780
-
C:\Windows\SysWOW64\Mhpeelnd.exeC:\Windows\system32\Mhpeelnd.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5676 -
C:\Windows\SysWOW64\Mgebfhcl.exeC:\Windows\system32\Mgebfhcl.exe120⤵PID:4976
-
C:\Windows\SysWOW64\Mdibplaf.exeC:\Windows\system32\Mdibplaf.exe121⤵PID:5860
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-