Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2023, 12:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.f00d25fc8ad3dd41c91337b4ca135e90.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.f00d25fc8ad3dd41c91337b4ca135e90.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.f00d25fc8ad3dd41c91337b4ca135e90.exe
-
Size
91KB
-
MD5
f00d25fc8ad3dd41c91337b4ca135e90
-
SHA1
11a0c7140d641a45feb4b887031629f605659d0d
-
SHA256
fd846ed888495b914bd728eff1430e4fa104f290c42f5d1cbea575b79005d137
-
SHA512
29f206fa9d72f6d9b86d102488d577698278d6f688a515ff02fe2a6da9fad3a93f1199e3b3552bc730f2244aa58a2a8e968cf367507529f5907e55229ac32730
-
SSDEEP
1536:VJY7KE2czrmPnsnN38A8tNpAK4bkhiCraluE8xnxWRVkeyyVr3iwcHf:Y7KE2yrILT/GPCrzFY3kremwc/
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plhgdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oagbljcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foifmcoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdkmgali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mohplf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnjjmmkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcgjhega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpmqoqbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdaajd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Femigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oihkgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjagapbn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boldcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghohdk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knhkkfod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgjpfqpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlkmlhea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgkooeen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igmjhnej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojfmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojjfpjjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjpkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjqec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjapfjnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blkkaohc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpnkdfko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcfejfag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mglhgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jepbodhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gooqfkan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhdcmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipldpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cknbkpif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmlhpaji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hndibn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcdpakii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ondleo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhffijdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jklihbol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aghdco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dqomdppm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcgndf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjlmdmqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgqdfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcggga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cknbkpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agmmnnpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjjbjjdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnmbjnlm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdgjgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbcklkee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hofmaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olnmdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgbljkca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pejdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmffnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Addahh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdaajd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apndloif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imklncch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iannpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhkpdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gikbneio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfmmajed.exe -
Executes dropped EXE 64 IoCs
pid Process 948 Hcgjhega.exe 3276 Igqbiacj.exe 3080 Jffokn32.exe 2648 Jfhlpnfp.exe 4724 Jclljaei.exe 4188 Jfmekm32.exe 4364 Jepbodhg.exe 1336 Knmpbi32.exe 4568 Knpmhh32.exe 2352 Lndfchdj.exe 3060 Lhadgmge.exe 4800 Mgkjch32.exe 2564 Moglpedd.exe 4184 Necqbo32.exe 4960 Nefmgogl.exe 3548 Nnabladg.exe 2392 Nhffijdm.exe 5100 Nglcjfie.exe 2064 Nhkpdi32.exe 180 Oojalb32.exe 4128 Pfkpiled.exe 468 Pfmlok32.exe 4564 Pnhacn32.exe 2616 Agjhbbob.exe 3976 Anncek32.exe 1992 Cldjkl32.exe 1448 Dimcppgm.exe 1640 Diamko32.exe 1048 Didjqoae.exe 3272 Ebcdjc32.exe 400 Fgcjea32.exe 4796 Fpnkdfko.exe 1288 Fgjpfqpi.exe 2780 Fofdkcmd.exe 4044 Fhnichde.exe 4996 Gcfjfqah.exe 3472 Hofmaq32.exe 4824 Hljnkdnk.exe 4460 Ijedehgm.exe 3584 Ihjafd32.exe 4212 Imhjlb32.exe 4836 Iiaggc32.exe 500 Jfgefg32.exe 1692 Jcnbekok.exe 3672 Jmffnq32.exe 1276 Jjjggede.exe 4936 Kgqdfi32.exe 2860 Kaihonhl.exe 3332 Kjamhd32.exe 4068 Kifjip32.exe 4112 Lcnkli32.exe 2288 Lfodmdni.exe 3924 Malnklgg.exe 4580 Mhhcne32.exe 2300 Ohkijc32.exe 2440 Oiehhjjp.exe 3100 Ppdjpcng.exe 1904 Pafcofcg.exe 4792 Bqpbboeg.exe 3528 Bkjpkg32.exe 3612 Cnboma32.exe 2976 Dgmpkg32.exe 1456 Dajnol32.exe 408 Enpknplq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ojlnphpd.dll Flddoa32.exe File created C:\Windows\SysWOW64\Nejlok32.dll Cklffq32.exe File created C:\Windows\SysWOW64\Mmlhpaji.exe Lbgcch32.exe File created C:\Windows\SysWOW64\Ollklain.dll Apcead32.exe File created C:\Windows\SysWOW64\Dboljifq.dll Lhnhplpg.exe File created C:\Windows\SysWOW64\Oenfbj32.dll Mmfaafej.exe File opened for modification C:\Windows\SysWOW64\Gngckfdj.exe Ghmkol32.exe File created C:\Windows\SysWOW64\Lonnfg32.exe Kgbljkca.exe File created C:\Windows\SysWOW64\Iapjeq32.exe Ifjfhh32.exe File created C:\Windows\SysWOW64\Djnaco32.exe Dhndil32.exe File created C:\Windows\SysWOW64\Mmdcde32.dll Dajnol32.exe File opened for modification C:\Windows\SysWOW64\Mcggga32.exe Lmmokgne.exe File created C:\Windows\SysWOW64\Fmheplno.dll Opjponbf.exe File created C:\Windows\SysWOW64\Qpjifl32.exe Pgbdmfnc.exe File created C:\Windows\SysWOW64\Qpmfklbq.exe Qkpmcddi.exe File created C:\Windows\SysWOW64\Jkeedk32.exe Jdkmgali.exe File created C:\Windows\SysWOW64\Nicjaino.exe Nbibeo32.exe File created C:\Windows\SysWOW64\Mmmohhoj.dll Gijmlh32.exe File opened for modification C:\Windows\SysWOW64\Jclljaei.exe Jfhlpnfp.exe File opened for modification C:\Windows\SysWOW64\Lndfchdj.exe Knpmhh32.exe File opened for modification C:\Windows\SysWOW64\Mbamcm32.exe Mmdekf32.exe File created C:\Windows\SysWOW64\Hgcccmnm.dll Mkbcbp32.exe File opened for modification C:\Windows\SysWOW64\Mkepgp32.exe Mpoljg32.exe File created C:\Windows\SysWOW64\Ocqncp32.exe Ojhijjll.exe File created C:\Windows\SysWOW64\Pjalpida.exe Onklkhnn.exe File created C:\Windows\SysWOW64\Jcfejfag.exe Jjnqap32.exe File created C:\Windows\SysWOW64\Cqkgbc32.dll Pgphggpe.exe File opened for modification C:\Windows\SysWOW64\Kkhidaeo.exe Jekpljgg.exe File created C:\Windows\SysWOW64\Hgjngclb.dll Eckogc32.exe File created C:\Windows\SysWOW64\Fcqlqnpo.dll Anncek32.exe File created C:\Windows\SysWOW64\Gmlplbib.exe Ghohdk32.exe File opened for modification C:\Windows\SysWOW64\Kkgbjkac.exe Kpanmb32.exe File created C:\Windows\SysWOW64\Ngaabfio.exe Nofmndkd.exe File created C:\Windows\SysWOW64\Cefega32.exe Clnanlhn.exe File opened for modification C:\Windows\SysWOW64\Mpoljg32.exe Mkbcbp32.exe File created C:\Windows\SysWOW64\Pqkdmc32.exe Pjalpida.exe File created C:\Windows\SysWOW64\Kklfkfie.dll Hifmhf32.exe File opened for modification C:\Windows\SysWOW64\Nnabladg.exe Nefmgogl.exe File created C:\Windows\SysWOW64\Pkigbfja.exe Plhgdn32.exe File opened for modification C:\Windows\SysWOW64\Ghohdk32.exe Gngckfdj.exe File created C:\Windows\SysWOW64\Dfcjogeh.dll Gagebknp.exe File opened for modification C:\Windows\SysWOW64\Haeadi32.exe Hjkigojc.exe File opened for modification C:\Windows\SysWOW64\Oilmhhfd.exe Oaeegjeb.exe File created C:\Windows\SysWOW64\Gijmlh32.exe Gcneca32.exe File created C:\Windows\SysWOW64\Pofbggpf.dll Jkajnh32.exe File created C:\Windows\SysWOW64\Mfhpilbc.exe Mpnglbkf.exe File opened for modification C:\Windows\SysWOW64\Gmnmbbgp.exe Gjpaffhl.exe File created C:\Windows\SysWOW64\Jahbefmn.dll Nicjaino.exe File created C:\Windows\SysWOW64\Qegapl32.dll Ecphbckp.exe File created C:\Windows\SysWOW64\Hmeqhlfm.dll Jidbpa32.exe File created C:\Windows\SysWOW64\Nofoflhf.dll Nglala32.exe File opened for modification C:\Windows\SysWOW64\Nhkpdi32.exe Nglcjfie.exe File created C:\Windows\SysWOW64\Pdlbpldg.exe Pidamcgd.exe File created C:\Windows\SysWOW64\Dlmbgm32.dll Moacbe32.exe File created C:\Windows\SysWOW64\Mmdekf32.exe Mldhacpj.exe File created C:\Windows\SysWOW64\Mmnklgqn.dll Eelifc32.exe File created C:\Windows\SysWOW64\Efjbne32.exe Efgehe32.exe File created C:\Windows\SysWOW64\Ffeaichg.exe Efjbne32.exe File opened for modification C:\Windows\SysWOW64\Ejgdim32.exe Eqopqh32.exe File opened for modification C:\Windows\SysWOW64\Icedkn32.exe Imklncch.exe File created C:\Windows\SysWOW64\Dpenjqca.dll Jcnbekok.exe File created C:\Windows\SysWOW64\Cpfhbh32.dll Qpmfklbq.exe File created C:\Windows\SysWOW64\Iomgjk32.dll Loaafnah.exe File created C:\Windows\SysWOW64\Pogcnafk.dll Aiimejap.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3664 10220 WerFault.exe 534 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjdbeodm.dll" Opdpih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djnhne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfcjogeh.dll" Gagebknp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mndonl32.dll" Lqbgcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjapfjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiaofa32.dll" Agjhbbob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opjponbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blchmdff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oagbljcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcopke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbhkjicf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naohpdqd.dll" Njcpok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emmdjc32.dll" Jcfejfag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cknbkpif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghmkol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mldhacpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocqncp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kaihonhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcfejfag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aghdco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbbalgak.dll" Fppchile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiclbdlc.dll" Djgkbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmnakqcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnkldlf.dll" Lfodmdni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhblfpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pliaqdlp.dll" Ldjodh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikechced.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phkmoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkgkqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnbfjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmlkpgia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbcklkee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjalpida.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphkadgc.dll" Jdgjgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njokei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boohcpgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekcho32.dll" Jhocgqjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addcbd32.dll" Kgbljkca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hihimfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgmpkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjamhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlkmlhea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmlhpaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdfcla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chlhnbnb.dll" Clqncl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqnfigal.dll" Iannpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igqbiacj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bleebc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eckogc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjqhl32.dll" Fqmlbfbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgkooeen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opjponbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blchmdff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjkigojc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akicfe32.dll" Godehbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfieepcf.dll" Gcbnopkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgcccmnm.dll" Mkbcbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqlhniij.dll" Lbgcch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjjbjjdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfgkid.dll" Bppjhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jclljaei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbpjb32.dll" Hlkmlhea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iaokdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jklihbol.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3076 wrote to memory of 948 3076 NEAS.f00d25fc8ad3dd41c91337b4ca135e90.exe 91 PID 3076 wrote to memory of 948 3076 NEAS.f00d25fc8ad3dd41c91337b4ca135e90.exe 91 PID 3076 wrote to memory of 948 3076 NEAS.f00d25fc8ad3dd41c91337b4ca135e90.exe 91 PID 948 wrote to memory of 3276 948 Hcgjhega.exe 92 PID 948 wrote to memory of 3276 948 Hcgjhega.exe 92 PID 948 wrote to memory of 3276 948 Hcgjhega.exe 92 PID 3276 wrote to memory of 3080 3276 Igqbiacj.exe 93 PID 3276 wrote to memory of 3080 3276 Igqbiacj.exe 93 PID 3276 wrote to memory of 3080 3276 Igqbiacj.exe 93 PID 3080 wrote to memory of 2648 3080 Jffokn32.exe 94 PID 3080 wrote to memory of 2648 3080 Jffokn32.exe 94 PID 3080 wrote to memory of 2648 3080 Jffokn32.exe 94 PID 2648 wrote to memory of 4724 2648 Jfhlpnfp.exe 95 PID 2648 wrote to memory of 4724 2648 Jfhlpnfp.exe 95 PID 2648 wrote to memory of 4724 2648 Jfhlpnfp.exe 95 PID 4724 wrote to memory of 4188 4724 Jclljaei.exe 96 PID 4724 wrote to memory of 4188 4724 Jclljaei.exe 96 PID 4724 wrote to memory of 4188 4724 Jclljaei.exe 96 PID 4188 wrote to memory of 4364 4188 Jfmekm32.exe 97 PID 4188 wrote to memory of 4364 4188 Jfmekm32.exe 97 PID 4188 wrote to memory of 4364 4188 Jfmekm32.exe 97 PID 4364 wrote to memory of 1336 4364 Jepbodhg.exe 98 PID 4364 wrote to memory of 1336 4364 Jepbodhg.exe 98 PID 4364 wrote to memory of 1336 4364 Jepbodhg.exe 98 PID 1336 wrote to memory of 4568 1336 Knmpbi32.exe 99 PID 1336 wrote to memory of 4568 1336 Knmpbi32.exe 99 PID 1336 wrote to memory of 4568 1336 Knmpbi32.exe 99 PID 4568 wrote to memory of 2352 4568 Knpmhh32.exe 100 PID 4568 wrote to memory of 2352 4568 Knpmhh32.exe 100 PID 4568 wrote to memory of 2352 4568 Knpmhh32.exe 100 PID 2352 wrote to memory of 3060 2352 Lndfchdj.exe 101 PID 2352 wrote to memory of 3060 2352 Lndfchdj.exe 101 PID 2352 wrote to memory of 3060 2352 Lndfchdj.exe 101 PID 3060 wrote to memory of 4800 3060 Lhadgmge.exe 102 PID 3060 wrote to memory of 4800 3060 Lhadgmge.exe 102 PID 3060 wrote to memory of 4800 3060 Lhadgmge.exe 102 PID 4800 wrote to memory of 2564 4800 Mgkjch32.exe 103 PID 4800 wrote to memory of 2564 4800 Mgkjch32.exe 103 PID 4800 wrote to memory of 2564 4800 Mgkjch32.exe 103 PID 2564 wrote to memory of 4184 2564 Moglpedd.exe 104 PID 2564 wrote to memory of 4184 2564 Moglpedd.exe 104 PID 2564 wrote to memory of 4184 2564 Moglpedd.exe 104 PID 4184 wrote to memory of 4960 4184 Necqbo32.exe 105 PID 4184 wrote to memory of 4960 4184 Necqbo32.exe 105 PID 4184 wrote to memory of 4960 4184 Necqbo32.exe 105 PID 4960 wrote to memory of 3548 4960 Nefmgogl.exe 106 PID 4960 wrote to memory of 3548 4960 Nefmgogl.exe 106 PID 4960 wrote to memory of 3548 4960 Nefmgogl.exe 106 PID 3548 wrote to memory of 2392 3548 Nnabladg.exe 107 PID 3548 wrote to memory of 2392 3548 Nnabladg.exe 107 PID 3548 wrote to memory of 2392 3548 Nnabladg.exe 107 PID 2392 wrote to memory of 5100 2392 Nhffijdm.exe 108 PID 2392 wrote to memory of 5100 2392 Nhffijdm.exe 108 PID 2392 wrote to memory of 5100 2392 Nhffijdm.exe 108 PID 5100 wrote to memory of 2064 5100 Nglcjfie.exe 109 PID 5100 wrote to memory of 2064 5100 Nglcjfie.exe 109 PID 5100 wrote to memory of 2064 5100 Nglcjfie.exe 109 PID 2064 wrote to memory of 180 2064 Nhkpdi32.exe 110 PID 2064 wrote to memory of 180 2064 Nhkpdi32.exe 110 PID 2064 wrote to memory of 180 2064 Nhkpdi32.exe 110 PID 180 wrote to memory of 4128 180 Oojalb32.exe 111 PID 180 wrote to memory of 4128 180 Oojalb32.exe 111 PID 180 wrote to memory of 4128 180 Oojalb32.exe 111 PID 4128 wrote to memory of 468 4128 Pfkpiled.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.f00d25fc8ad3dd41c91337b4ca135e90.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.f00d25fc8ad3dd41c91337b4ca135e90.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Hcgjhega.exeC:\Windows\system32\Hcgjhega.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Igqbiacj.exeC:\Windows\system32\Igqbiacj.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Jffokn32.exeC:\Windows\system32\Jffokn32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\Jfhlpnfp.exeC:\Windows\system32\Jfhlpnfp.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Jclljaei.exeC:\Windows\system32\Jclljaei.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\Jfmekm32.exeC:\Windows\system32\Jfmekm32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\SysWOW64\Jepbodhg.exeC:\Windows\system32\Jepbodhg.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\Knmpbi32.exeC:\Windows\system32\Knmpbi32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Knpmhh32.exeC:\Windows\system32\Knpmhh32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Lndfchdj.exeC:\Windows\system32\Lndfchdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Lhadgmge.exeC:\Windows\system32\Lhadgmge.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Mgkjch32.exeC:\Windows\system32\Mgkjch32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Moglpedd.exeC:\Windows\system32\Moglpedd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Necqbo32.exeC:\Windows\system32\Necqbo32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Windows\SysWOW64\Nefmgogl.exeC:\Windows\system32\Nefmgogl.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\Nnabladg.exeC:\Windows\system32\Nnabladg.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Windows\SysWOW64\Nhffijdm.exeC:\Windows\system32\Nhffijdm.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Nglcjfie.exeC:\Windows\system32\Nglcjfie.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\Nhkpdi32.exeC:\Windows\system32\Nhkpdi32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Oojalb32.exeC:\Windows\system32\Oojalb32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:180 -
C:\Windows\SysWOW64\Pfkpiled.exeC:\Windows\system32\Pfkpiled.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Pfmlok32.exeC:\Windows\system32\Pfmlok32.exe23⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Pnhacn32.exeC:\Windows\system32\Pnhacn32.exe24⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Agjhbbob.exeC:\Windows\system32\Agjhbbob.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Anncek32.exeC:\Windows\system32\Anncek32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3976 -
C:\Windows\SysWOW64\Cldjkl32.exeC:\Windows\system32\Cldjkl32.exe27⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Dimcppgm.exeC:\Windows\system32\Dimcppgm.exe28⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Diamko32.exeC:\Windows\system32\Diamko32.exe29⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Didjqoae.exeC:\Windows\system32\Didjqoae.exe30⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Ebcdjc32.exeC:\Windows\system32\Ebcdjc32.exe31⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Fgcjea32.exeC:\Windows\system32\Fgcjea32.exe32⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Fpnkdfko.exeC:\Windows\system32\Fpnkdfko.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Fgjpfqpi.exeC:\Windows\system32\Fgjpfqpi.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Fofdkcmd.exeC:\Windows\system32\Fofdkcmd.exe35⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Fhnichde.exeC:\Windows\system32\Fhnichde.exe36⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Gcfjfqah.exeC:\Windows\system32\Gcfjfqah.exe37⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Hofmaq32.exeC:\Windows\system32\Hofmaq32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Hljnkdnk.exeC:\Windows\system32\Hljnkdnk.exe39⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Ijedehgm.exeC:\Windows\system32\Ijedehgm.exe40⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Ihjafd32.exeC:\Windows\system32\Ihjafd32.exe41⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Imhjlb32.exeC:\Windows\system32\Imhjlb32.exe42⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Iiaggc32.exeC:\Windows\system32\Iiaggc32.exe43⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Jfgefg32.exeC:\Windows\system32\Jfgefg32.exe44⤵
- Executes dropped EXE
PID:500 -
C:\Windows\SysWOW64\Jcnbekok.exeC:\Windows\system32\Jcnbekok.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Jmffnq32.exeC:\Windows\system32\Jmffnq32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Jjjggede.exeC:\Windows\system32\Jjjggede.exe47⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Kgqdfi32.exeC:\Windows\system32\Kgqdfi32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Kaihonhl.exeC:\Windows\system32\Kaihonhl.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Kjamhd32.exeC:\Windows\system32\Kjamhd32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3332 -
C:\Windows\SysWOW64\Kifjip32.exeC:\Windows\system32\Kifjip32.exe51⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Lcnkli32.exeC:\Windows\system32\Lcnkli32.exe52⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Lfodmdni.exeC:\Windows\system32\Lfodmdni.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Malnklgg.exeC:\Windows\system32\Malnklgg.exe54⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Mhhcne32.exeC:\Windows\system32\Mhhcne32.exe55⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Ohkijc32.exeC:\Windows\system32\Ohkijc32.exe56⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Oiehhjjp.exeC:\Windows\system32\Oiehhjjp.exe57⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Ppdjpcng.exeC:\Windows\system32\Ppdjpcng.exe58⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Pafcofcg.exeC:\Windows\system32\Pafcofcg.exe59⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Bqpbboeg.exeC:\Windows\system32\Bqpbboeg.exe60⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Bkjpkg32.exeC:\Windows\system32\Bkjpkg32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Cnboma32.exeC:\Windows\system32\Cnboma32.exe62⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Dgmpkg32.exeC:\Windows\system32\Dgmpkg32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Dajnol32.exeC:\Windows\system32\Dajnol32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1456 -
C:\Windows\SysWOW64\Enpknplq.exeC:\Windows\system32\Enpknplq.exe65⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Ehhpge32.exeC:\Windows\system32\Ehhpge32.exe66⤵PID:1472
-
C:\Windows\SysWOW64\Eelpqi32.exeC:\Windows\system32\Eelpqi32.exe67⤵PID:5092
-
C:\Windows\SysWOW64\Fiaogfai.exeC:\Windows\system32\Fiaogfai.exe68⤵PID:4100
-
C:\Windows\SysWOW64\Fhflhcfa.exeC:\Windows\system32\Fhflhcfa.exe69⤵PID:3144
-
C:\Windows\SysWOW64\Flddoa32.exeC:\Windows\system32\Flddoa32.exe70⤵
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Femigg32.exeC:\Windows\system32\Femigg32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3088 -
C:\Windows\SysWOW64\Flgadake.exeC:\Windows\system32\Flgadake.exe72⤵PID:2280
-
C:\Windows\SysWOW64\Gikbneio.exeC:\Windows\system32\Gikbneio.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1836 -
C:\Windows\SysWOW64\Gooqfkan.exeC:\Windows\system32\Gooqfkan.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:64 -
C:\Windows\SysWOW64\Hlgjko32.exeC:\Windows\system32\Hlgjko32.exe75⤵PID:980
-
C:\Windows\SysWOW64\Jjnqap32.exeC:\Windows\system32\Jjnqap32.exe76⤵
- Drops file in System32 directory
PID:216 -
C:\Windows\SysWOW64\Jcfejfag.exeC:\Windows\system32\Jcfejfag.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Jkajnh32.exeC:\Windows\system32\Jkajnh32.exe78⤵
- Drops file in System32 directory
PID:228 -
C:\Windows\SysWOW64\Jcknee32.exeC:\Windows\system32\Jcknee32.exe79⤵PID:2832
-
C:\Windows\SysWOW64\Jjgcgo32.exeC:\Windows\system32\Jjgcgo32.exe80⤵PID:1484
-
C:\Windows\SysWOW64\Jodlof32.exeC:\Windows\system32\Jodlof32.exe81⤵PID:4388
-
C:\Windows\SysWOW64\Kjipmoai.exeC:\Windows\system32\Kjipmoai.exe82⤵PID:5164
-
C:\Windows\SysWOW64\Kkkldg32.exeC:\Windows\system32\Kkkldg32.exe83⤵PID:5212
-
C:\Windows\SysWOW64\Ljephmgl.exeC:\Windows\system32\Ljephmgl.exe84⤵PID:5264
-
C:\Windows\SysWOW64\Lmfhjhdm.exeC:\Windows\system32\Lmfhjhdm.exe85⤵PID:5304
-
C:\Windows\SysWOW64\Limioiia.exeC:\Windows\system32\Limioiia.exe86⤵PID:5340
-
C:\Windows\SysWOW64\Lcbmlbig.exeC:\Windows\system32\Lcbmlbig.exe87⤵PID:5388
-
C:\Windows\SysWOW64\Llmbqdfb.exeC:\Windows\system32\Llmbqdfb.exe88⤵PID:5440
-
C:\Windows\SysWOW64\Lmmokgne.exeC:\Windows\system32\Lmmokgne.exe89⤵
- Drops file in System32 directory
PID:5480 -
C:\Windows\SysWOW64\Mcggga32.exeC:\Windows\system32\Mcggga32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5528 -
C:\Windows\SysWOW64\Mpnglbkf.exeC:\Windows\system32\Mpnglbkf.exe91⤵
- Drops file in System32 directory
PID:5572 -
C:\Windows\SysWOW64\Mfhpilbc.exeC:\Windows\system32\Mfhpilbc.exe92⤵PID:5616
-
C:\Windows\SysWOW64\Mldhacpj.exeC:\Windows\system32\Mldhacpj.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:5660 -
C:\Windows\SysWOW64\Mmdekf32.exeC:\Windows\system32\Mmdekf32.exe94⤵
- Drops file in System32 directory
PID:5700 -
C:\Windows\SysWOW64\Mbamcm32.exeC:\Windows\system32\Mbamcm32.exe95⤵PID:5744
-
C:\Windows\SysWOW64\Mmfaafej.exeC:\Windows\system32\Mmfaafej.exe96⤵
- Drops file in System32 directory
PID:5784 -
C:\Windows\SysWOW64\Mcpjnp32.exeC:\Windows\system32\Mcpjnp32.exe97⤵PID:5832
-
C:\Windows\SysWOW64\Mjjbjjdd.exeC:\Windows\system32\Mjjbjjdd.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5880 -
C:\Windows\SysWOW64\Nlknbb32.exeC:\Windows\system32\Nlknbb32.exe99⤵PID:5920
-
C:\Windows\SysWOW64\Nfabok32.exeC:\Windows\system32\Nfabok32.exe100⤵PID:5964
-
C:\Windows\SysWOW64\Nmkkle32.exeC:\Windows\system32\Nmkkle32.exe101⤵PID:6012
-
C:\Windows\SysWOW64\Njokei32.exeC:\Windows\system32\Njokei32.exe102⤵
- Modifies registry class
PID:6056 -
C:\Windows\SysWOW64\Ndgpnogo.exeC:\Windows\system32\Ndgpnogo.exe103⤵PID:6104
-
C:\Windows\SysWOW64\Nmpdgdmp.exeC:\Windows\system32\Nmpdgdmp.exe104⤵PID:4972
-
C:\Windows\SysWOW64\Ojhnlh32.exeC:\Windows\system32\Ojhnlh32.exe105⤵PID:5160
-
C:\Windows\SysWOW64\Oljkcpnb.exeC:\Windows\system32\Oljkcpnb.exe106⤵PID:5248
-
C:\Windows\SysWOW64\Ofooqinh.exeC:\Windows\system32\Ofooqinh.exe107⤵PID:5300
-
C:\Windows\SysWOW64\Ollgiplp.exeC:\Windows\system32\Ollgiplp.exe108⤵PID:5376
-
C:\Windows\SysWOW64\Opjponbf.exeC:\Windows\system32\Opjponbf.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:5448 -
C:\Windows\SysWOW64\Oibdhd32.exeC:\Windows\system32\Oibdhd32.exe110⤵PID:5504
-
C:\Windows\SysWOW64\Obkiqi32.exeC:\Windows\system32\Obkiqi32.exe111⤵PID:5520
-
C:\Windows\SysWOW64\Pidamcgd.exeC:\Windows\system32\Pidamcgd.exe112⤵
- Drops file in System32 directory
PID:5584 -
C:\Windows\SysWOW64\Pdlbpldg.exeC:\Windows\system32\Pdlbpldg.exe113⤵PID:5640
-
C:\Windows\SysWOW64\Plhgdn32.exeC:\Windows\system32\Plhgdn32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5728 -
C:\Windows\SysWOW64\Pkigbfja.exeC:\Windows\system32\Pkigbfja.exe115⤵PID:5780
-
C:\Windows\SysWOW64\Pljcjn32.exeC:\Windows\system32\Pljcjn32.exe116⤵PID:5864
-
C:\Windows\SysWOW64\Pgphggpe.exeC:\Windows\system32\Pgphggpe.exe117⤵
- Drops file in System32 directory
PID:5900 -
C:\Windows\SysWOW64\Pmipdq32.exeC:\Windows\system32\Pmipdq32.exe118⤵PID:6000
-
C:\Windows\SysWOW64\Pgbdmfnc.exeC:\Windows\system32\Pgbdmfnc.exe119⤵
- Drops file in System32 directory
PID:6068 -
C:\Windows\SysWOW64\Qpjifl32.exeC:\Windows\system32\Qpjifl32.exe120⤵PID:6128
-
C:\Windows\SysWOW64\Qkpmcddi.exeC:\Windows\system32\Qkpmcddi.exe121⤵
- Drops file in System32 directory
PID:5144
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-