Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
02/11/2023, 16:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.f9f824ca55ebe1dd34689436c972f290.exe
Resource
win7-20231020-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.f9f824ca55ebe1dd34689436c972f290.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.f9f824ca55ebe1dd34689436c972f290.exe
-
Size
63KB
-
MD5
f9f824ca55ebe1dd34689436c972f290
-
SHA1
b8954984a91ca5eb08caf04d9a42c00144a9a801
-
SHA256
63a1e8a37ef28ee90cd7adef7f3c76d05faf69062a767fb2592443fb3b1b30d3
-
SHA512
99d20aaeafa55013e455ee9b4fc8339dab4a9216be9be1a3154c2f0107752411bd938f9df630e36a3f78a2537a3c3efbd54c69a8b4beeda36888b845ad7fc933
-
SSDEEP
1536:bG9MKrhOQdyLvEySbohmM9j9veW+Qe78zjH1juIZo:bW9hqErFMM78XH1juIZo
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajbne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioilkblq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlifadkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndggib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbeflpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgjjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkefbcmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofafgipc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjembh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blmfea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajehnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajhddk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lljipmdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pngphgbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jajala32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckkcep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blfapfpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebnabb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmnfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enneln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egfjdchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgnpeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giolnomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peeoidik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkgopf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbbomjnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dijfch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmhideol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Becnhgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feddombd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aebobgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anbmbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbdham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hclfag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfjbmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeghng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehpna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giahhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgefefnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dihmpinj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfhfhbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnblhddb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oepjoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfkimhhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aajbne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baadng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ageompfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eakhdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnqlmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phaoppja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnpebj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjeefofk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bacihmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eblelb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnpobefe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdiqpigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bapfhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmmpolof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Booiep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pomfkndo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfeikcfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdhefpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmbqcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjkibehc.exe -
Executes dropped EXE 64 IoCs
pid Process 2784 Ocfigjlp.exe 2816 Pngphgbf.exe 2600 Pfbelipa.exe 3028 Pjpnbg32.exe 2592 Pomfkndo.exe 1456 Pjbjhgde.exe 2208 Pckoam32.exe 2368 Pdlkiepd.exe 2040 Qflhbhgg.exe 2848 Qngmgjeb.exe 3032 Abeemhkh.exe 1420 Aajbne32.exe 2112 Amqccfed.exe 1732 Aigchgkh.exe 2984 Abphal32.exe 1664 Alhmjbhj.exe 2132 Abbeflpf.exe 1516 Bmhideol.exe 1272 Bbdallnd.exe 1804 Becnhgmg.exe 344 Blmfea32.exe 1620 Bajomhbl.exe 700 Blobjaba.exe 2172 Bonoflae.exe 2028 Blaopqpo.exe 1108 Bejdiffp.exe 1968 Bkglameg.exe 1136 Baadng32.exe 2804 Cdoajb32.exe 2716 Cgdcgm32.exe 2852 Ddajoelp.exe 1796 Dnjngk32.exe 2664 Dhobddbf.exe 2572 Dnlkmkpn.exe 2424 Dciceaoe.exe 2012 Ddhpod32.exe 1884 Eobapbbg.exe 2768 Ejgemkbm.exe 548 Elfaifaq.exe 2024 Efnfbl32.exe 1772 Elhnof32.exe 2044 Eogjka32.exe 2820 Ebefgm32.exe 1400 Edccch32.exe 636 Ebgclm32.exe 2340 Edfpih32.exe 2980 Ekpheb32.exe 1960 Fqmpni32.exe 2552 Fidhof32.exe 1072 Fjeefofk.exe 2184 Fdjidgfa.exe 1460 Fncmmmma.exe 1612 Fcpfedki.exe 2384 Ffnbaojm.exe 2812 Fmhjni32.exe 2696 Fcbbjcif.exe 2844 Ffqofohj.exe 2612 Fafcdh32.exe 3040 Fcdopc32.exe 1152 Giahhj32.exe 1904 Gbjlaplk.exe 364 Gmoqnhla.exe 3056 Gejebk32.exe 588 Gnbjlpom.exe -
Loads dropped DLL 64 IoCs
pid Process 1140 NEAS.f9f824ca55ebe1dd34689436c972f290.exe 1140 NEAS.f9f824ca55ebe1dd34689436c972f290.exe 2784 Ocfigjlp.exe 2784 Ocfigjlp.exe 2816 Pngphgbf.exe 2816 Pngphgbf.exe 2600 Pfbelipa.exe 2600 Pfbelipa.exe 3028 Pjpnbg32.exe 3028 Pjpnbg32.exe 2592 Pomfkndo.exe 2592 Pomfkndo.exe 1456 Pjbjhgde.exe 1456 Pjbjhgde.exe 2208 Pckoam32.exe 2208 Pckoam32.exe 2368 Pdlkiepd.exe 2368 Pdlkiepd.exe 2040 Qflhbhgg.exe 2040 Qflhbhgg.exe 2848 Qngmgjeb.exe 2848 Qngmgjeb.exe 3032 Abeemhkh.exe 3032 Abeemhkh.exe 1420 Aajbne32.exe 1420 Aajbne32.exe 2112 Amqccfed.exe 2112 Amqccfed.exe 1732 Aigchgkh.exe 1732 Aigchgkh.exe 2984 Abphal32.exe 2984 Abphal32.exe 1664 Alhmjbhj.exe 1664 Alhmjbhj.exe 2132 Abbeflpf.exe 2132 Abbeflpf.exe 1516 Bmhideol.exe 1516 Bmhideol.exe 1272 Bbdallnd.exe 1272 Bbdallnd.exe 1804 Becnhgmg.exe 1804 Becnhgmg.exe 344 Blmfea32.exe 344 Blmfea32.exe 1620 Bajomhbl.exe 1620 Bajomhbl.exe 700 Blobjaba.exe 700 Blobjaba.exe 2172 Bonoflae.exe 2172 Bonoflae.exe 2028 Blaopqpo.exe 2028 Blaopqpo.exe 1108 Bejdiffp.exe 1108 Bejdiffp.exe 1968 Bkglameg.exe 1968 Bkglameg.exe 1136 Baadng32.exe 1136 Baadng32.exe 2804 Cdoajb32.exe 2804 Cdoajb32.exe 2716 Cgdcgm32.exe 2716 Cgdcgm32.exe 2852 Ddajoelp.exe 2852 Ddajoelp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Enadon32.dll Nqpdcc32.exe File created C:\Windows\SysWOW64\Icmqhn32.dll Qngmgjeb.exe File opened for modification C:\Windows\SysWOW64\Gjlgfaco.exe Gdboig32.exe File created C:\Windows\SysWOW64\Bnapnm32.exe Bkbdabog.exe File created C:\Windows\SysWOW64\Mnpobefe.exe Lohelidp.exe File created C:\Windows\SysWOW64\Ahhaobfe.exe Aeiecfga.exe File created C:\Windows\SysWOW64\Dfbqgldn.exe Dnkhfnck.exe File opened for modification C:\Windows\SysWOW64\Qkeofnfk.exe Jehpna32.exe File created C:\Windows\SysWOW64\Blmfea32.exe Becnhgmg.exe File created C:\Windows\SysWOW64\Cbnach32.dll Ndnmialh.exe File created C:\Windows\SysWOW64\Obmhmmga.dll Qiiahgjh.exe File created C:\Windows\SysWOW64\Dnpebj32.exe Dfinam32.exe File created C:\Windows\SysWOW64\Nncgkioi.dll Gaojnq32.exe File created C:\Windows\SysWOW64\Ghcmae32.dll Hfhfhbce.exe File created C:\Windows\SysWOW64\Nckpfbjj.dll Baneak32.exe File created C:\Windows\SysWOW64\Qfclkmib.dll Elhnof32.exe File created C:\Windows\SysWOW64\Ajhddk32.exe Aobpfb32.exe File created C:\Windows\SysWOW64\Blinefnd.exe Bjjaikoa.exe File opened for modification C:\Windows\SysWOW64\Ebnabb32.exe Eldiehbk.exe File created C:\Windows\SysWOW64\Ddhpod32.exe Dciceaoe.exe File created C:\Windows\SysWOW64\Kqdhhm32.exe Knekla32.exe File created C:\Windows\SysWOW64\Okmqlhnm.dll Kgefefnd.exe File created C:\Windows\SysWOW64\Blnpddeo.exe Bnlphh32.exe File created C:\Windows\SysWOW64\Fgocmc32.exe Fpdkpiik.exe File created C:\Windows\SysWOW64\Dfcllk32.dll Hmdkjmip.exe File created C:\Windows\SysWOW64\Ieponofk.exe Iocgfhhc.exe File created C:\Windows\SysWOW64\Elfaifaq.exe Ejgemkbm.exe File created C:\Windows\SysWOW64\Lopkjhko.exe Lmbonmll.exe File created C:\Windows\SysWOW64\Lkgkoiqc.exe Lmdkcl32.exe File created C:\Windows\SysWOW64\Bjjaikoa.exe Bacihmoo.exe File created C:\Windows\SysWOW64\Opjkpo32.exe Oninhgae.exe File created C:\Windows\SysWOW64\Geqakadc.dll Fjeefofk.exe File created C:\Windows\SysWOW64\Ccnifd32.exe Bnapnm32.exe File created C:\Windows\SysWOW64\Gocbagqd.dll Efedga32.exe File opened for modification C:\Windows\SysWOW64\Hgciff32.exe Hnkdnqhm.exe File opened for modification C:\Windows\SysWOW64\Lfolaang.exe Lnhdqdnd.exe File created C:\Windows\SysWOW64\Aknpmobg.dll Pjmnfk32.exe File opened for modification C:\Windows\SysWOW64\Pnkglj32.exe Phaoppja.exe File created C:\Windows\SysWOW64\Bqfbdfga.dll Ofafgipc.exe File created C:\Windows\SysWOW64\Bgkaom32.dll Fidhof32.exe File created C:\Windows\SysWOW64\Fcpfedki.exe Fncmmmma.exe File created C:\Windows\SysWOW64\Apkgpf32.exe Ojeobm32.exe File created C:\Windows\SysWOW64\Njmokcbh.dll Dihmpinj.exe File opened for modification C:\Windows\SysWOW64\Omiand32.exe Okhefl32.exe File opened for modification C:\Windows\SysWOW64\Bfgdmjlp.exe Bomlppdb.exe File created C:\Windows\SysWOW64\Nfebijjj.dll Lnhdqdnd.exe File created C:\Windows\SysWOW64\Cfmhdpnc.exe Ledibnco.exe File opened for modification C:\Windows\SysWOW64\Ccgklc32.exe Cmmcpi32.exe File created C:\Windows\SysWOW64\Hgqlafap.exe Hqgddm32.exe File created C:\Windows\SysWOW64\Nmmfff32.dll Blaopqpo.exe File opened for modification C:\Windows\SysWOW64\Bhdhefpc.exe Bkpglbaj.exe File created C:\Windows\SysWOW64\Gmcefh32.dll Cqjhcfpc.exe File created C:\Windows\SysWOW64\Glnhjjml.exe Giolnomh.exe File created C:\Windows\SysWOW64\Bhjneadb.exe Bapfhg32.exe File created C:\Windows\SysWOW64\Glhnji32.dll Fncmmmma.exe File created C:\Windows\SysWOW64\Iahhgnkd.exe Ioilkblq.exe File created C:\Windows\SysWOW64\Ginaep32.dll Bjjaikoa.exe File opened for modification C:\Windows\SysWOW64\Ccnifd32.exe Bnapnm32.exe File created C:\Windows\SysWOW64\Bemkcnno.dll Dnjngk32.exe File opened for modification C:\Windows\SysWOW64\Eoebgcol.exe Elgfkhpi.exe File opened for modification C:\Windows\SysWOW64\Amgjnepn.exe Afmbak32.exe File created C:\Windows\SysWOW64\Cenbegcl.dll Ahchdb32.exe File opened for modification C:\Windows\SysWOW64\Gonale32.exe Ghdiokbq.exe File created C:\Windows\SysWOW64\Galfie32.dll Mnblhddb.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieponofk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enneln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkkmocpf.dll" Giahhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knekla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpjoahj.dll" Coicfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbbcale.dll" Gcgqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agmdmp32.dll" Opjkpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbfflo32.dll" Dmgoif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhbkpgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hccadd32.dll" Cmkfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eckfklnl.dll" Dncibp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqmpni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnkglj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qboikm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkjmqqkd.dll" Ioilkblq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgiaefgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqfopomn.dll" Honnki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnpebj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocfigjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll" Bejdiffp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmhjni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfanmogq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnkdnqhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loldpieb.dll" Oplgeoea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkaegg32.dll" Cgdqpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fncmmmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbjlaplk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cncmcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aobpfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eakhdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glnhjjml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baajep32.dll" Gdnfjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akfnkmei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbgfk32.dll" Ocfigjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilicig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jajala32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blinefnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epeoaffo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhpfdaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pebbcdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bemkcnno.dll" Dnjngk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfclkmib.dll" Elhnof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apppkekc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcpfedki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmgmfld.dll" Lkgkoiqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nclgkc32.dll" Penihe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaihlkop.dll" Phobjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apefjqob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjijqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmhjdiap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaojnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfebijjj.dll" Lnhdqdnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chjjde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eegmhhie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebefgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Konndhmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnhdqdnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dncibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnkglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkobdolo.dll" Abhlak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pckoam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifibfn.dll" Fkefbcmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abhlak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnaga32.dll" NEAS.f9f824ca55ebe1dd34689436c972f290.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1140 wrote to memory of 2784 1140 NEAS.f9f824ca55ebe1dd34689436c972f290.exe 28 PID 1140 wrote to memory of 2784 1140 NEAS.f9f824ca55ebe1dd34689436c972f290.exe 28 PID 1140 wrote to memory of 2784 1140 NEAS.f9f824ca55ebe1dd34689436c972f290.exe 28 PID 1140 wrote to memory of 2784 1140 NEAS.f9f824ca55ebe1dd34689436c972f290.exe 28 PID 2784 wrote to memory of 2816 2784 Ocfigjlp.exe 29 PID 2784 wrote to memory of 2816 2784 Ocfigjlp.exe 29 PID 2784 wrote to memory of 2816 2784 Ocfigjlp.exe 29 PID 2784 wrote to memory of 2816 2784 Ocfigjlp.exe 29 PID 2816 wrote to memory of 2600 2816 Pngphgbf.exe 30 PID 2816 wrote to memory of 2600 2816 Pngphgbf.exe 30 PID 2816 wrote to memory of 2600 2816 Pngphgbf.exe 30 PID 2816 wrote to memory of 2600 2816 Pngphgbf.exe 30 PID 2600 wrote to memory of 3028 2600 Pfbelipa.exe 31 PID 2600 wrote to memory of 3028 2600 Pfbelipa.exe 31 PID 2600 wrote to memory of 3028 2600 Pfbelipa.exe 31 PID 2600 wrote to memory of 3028 2600 Pfbelipa.exe 31 PID 3028 wrote to memory of 2592 3028 Pjpnbg32.exe 32 PID 3028 wrote to memory of 2592 3028 Pjpnbg32.exe 32 PID 3028 wrote to memory of 2592 3028 Pjpnbg32.exe 32 PID 3028 wrote to memory of 2592 3028 Pjpnbg32.exe 32 PID 2592 wrote to memory of 1456 2592 Pomfkndo.exe 33 PID 2592 wrote to memory of 1456 2592 Pomfkndo.exe 33 PID 2592 wrote to memory of 1456 2592 Pomfkndo.exe 33 PID 2592 wrote to memory of 1456 2592 Pomfkndo.exe 33 PID 1456 wrote to memory of 2208 1456 Pjbjhgde.exe 34 PID 1456 wrote to memory of 2208 1456 Pjbjhgde.exe 34 PID 1456 wrote to memory of 2208 1456 Pjbjhgde.exe 34 PID 1456 wrote to memory of 2208 1456 Pjbjhgde.exe 34 PID 2208 wrote to memory of 2368 2208 Pckoam32.exe 35 PID 2208 wrote to memory of 2368 2208 Pckoam32.exe 35 PID 2208 wrote to memory of 2368 2208 Pckoam32.exe 35 PID 2208 wrote to memory of 2368 2208 Pckoam32.exe 35 PID 2368 wrote to memory of 2040 2368 Pdlkiepd.exe 36 PID 2368 wrote to memory of 2040 2368 Pdlkiepd.exe 36 PID 2368 wrote to memory of 2040 2368 Pdlkiepd.exe 36 PID 2368 wrote to memory of 2040 2368 Pdlkiepd.exe 36 PID 2040 wrote to memory of 2848 2040 Qflhbhgg.exe 37 PID 2040 wrote to memory of 2848 2040 Qflhbhgg.exe 37 PID 2040 wrote to memory of 2848 2040 Qflhbhgg.exe 37 PID 2040 wrote to memory of 2848 2040 Qflhbhgg.exe 37 PID 2848 wrote to memory of 3032 2848 Qngmgjeb.exe 38 PID 2848 wrote to memory of 3032 2848 Qngmgjeb.exe 38 PID 2848 wrote to memory of 3032 2848 Qngmgjeb.exe 38 PID 2848 wrote to memory of 3032 2848 Qngmgjeb.exe 38 PID 3032 wrote to memory of 1420 3032 Abeemhkh.exe 39 PID 3032 wrote to memory of 1420 3032 Abeemhkh.exe 39 PID 3032 wrote to memory of 1420 3032 Abeemhkh.exe 39 PID 3032 wrote to memory of 1420 3032 Abeemhkh.exe 39 PID 1420 wrote to memory of 2112 1420 Aajbne32.exe 40 PID 1420 wrote to memory of 2112 1420 Aajbne32.exe 40 PID 1420 wrote to memory of 2112 1420 Aajbne32.exe 40 PID 1420 wrote to memory of 2112 1420 Aajbne32.exe 40 PID 2112 wrote to memory of 1732 2112 Amqccfed.exe 41 PID 2112 wrote to memory of 1732 2112 Amqccfed.exe 41 PID 2112 wrote to memory of 1732 2112 Amqccfed.exe 41 PID 2112 wrote to memory of 1732 2112 Amqccfed.exe 41 PID 1732 wrote to memory of 2984 1732 Aigchgkh.exe 42 PID 1732 wrote to memory of 2984 1732 Aigchgkh.exe 42 PID 1732 wrote to memory of 2984 1732 Aigchgkh.exe 42 PID 1732 wrote to memory of 2984 1732 Aigchgkh.exe 42 PID 2984 wrote to memory of 1664 2984 Abphal32.exe 43 PID 2984 wrote to memory of 1664 2984 Abphal32.exe 43 PID 2984 wrote to memory of 1664 2984 Abphal32.exe 43 PID 2984 wrote to memory of 1664 2984 Abphal32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.f9f824ca55ebe1dd34689436c972f290.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.f9f824ca55ebe1dd34689436c972f290.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Ocfigjlp.exeC:\Windows\system32\Ocfigjlp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Pngphgbf.exeC:\Windows\system32\Pngphgbf.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Pfbelipa.exeC:\Windows\system32\Pfbelipa.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Pjpnbg32.exeC:\Windows\system32\Pjpnbg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Pomfkndo.exeC:\Windows\system32\Pomfkndo.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Pjbjhgde.exeC:\Windows\system32\Pjbjhgde.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Pckoam32.exeC:\Windows\system32\Pckoam32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Pdlkiepd.exeC:\Windows\system32\Pdlkiepd.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Qflhbhgg.exeC:\Windows\system32\Qflhbhgg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Qngmgjeb.exeC:\Windows\system32\Qngmgjeb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Abeemhkh.exeC:\Windows\system32\Abeemhkh.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Aajbne32.exeC:\Windows\system32\Aajbne32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Amqccfed.exeC:\Windows\system32\Amqccfed.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Aigchgkh.exeC:\Windows\system32\Aigchgkh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Abphal32.exeC:\Windows\system32\Abphal32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Alhmjbhj.exeC:\Windows\system32\Alhmjbhj.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Abbeflpf.exeC:\Windows\system32\Abbeflpf.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Bmhideol.exeC:\Windows\system32\Bmhideol.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Bbdallnd.exeC:\Windows\system32\Bbdallnd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1272 -
C:\Windows\SysWOW64\Becnhgmg.exeC:\Windows\system32\Becnhgmg.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Blmfea32.exeC:\Windows\system32\Blmfea32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:344 -
C:\Windows\SysWOW64\Bajomhbl.exeC:\Windows\system32\Bajomhbl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Blobjaba.exeC:\Windows\system32\Blobjaba.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:700 -
C:\Windows\SysWOW64\Bonoflae.exeC:\Windows\system32\Bonoflae.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Blaopqpo.exeC:\Windows\system32\Blaopqpo.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Bejdiffp.exeC:\Windows\system32\Bejdiffp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Bkglameg.exeC:\Windows\system32\Bkglameg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Baadng32.exeC:\Windows\system32\Baadng32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1136 -
C:\Windows\SysWOW64\Cdoajb32.exeC:\Windows\system32\Cdoajb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Cgdcgm32.exeC:\Windows\system32\Cgdcgm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Ddajoelp.exeC:\Windows\system32\Ddajoelp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Dnjngk32.exeC:\Windows\system32\Dnjngk32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Dhobddbf.exeC:\Windows\system32\Dhobddbf.exe34⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Dnlkmkpn.exeC:\Windows\system32\Dnlkmkpn.exe35⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Dciceaoe.exeC:\Windows\system32\Dciceaoe.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Ddhpod32.exeC:\Windows\system32\Ddhpod32.exe37⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Eobapbbg.exeC:\Windows\system32\Eobapbbg.exe38⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Ejgemkbm.exeC:\Windows\system32\Ejgemkbm.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Elfaifaq.exeC:\Windows\system32\Elfaifaq.exe40⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Efnfbl32.exeC:\Windows\system32\Efnfbl32.exe41⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Elhnof32.exeC:\Windows\system32\Elhnof32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Eogjka32.exeC:\Windows\system32\Eogjka32.exe43⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Ebefgm32.exeC:\Windows\system32\Ebefgm32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Edccch32.exeC:\Windows\system32\Edccch32.exe45⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Ebgclm32.exeC:\Windows\system32\Ebgclm32.exe46⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Edfpih32.exeC:\Windows\system32\Edfpih32.exe47⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Ekpheb32.exeC:\Windows\system32\Ekpheb32.exe48⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Fqmpni32.exeC:\Windows\system32\Fqmpni32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Fidhof32.exeC:\Windows\system32\Fidhof32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Fjeefofk.exeC:\Windows\system32\Fjeefofk.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1072 -
C:\Windows\SysWOW64\Fdjidgfa.exeC:\Windows\system32\Fdjidgfa.exe52⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Fcpfedki.exeC:\Windows\system32\Fcpfedki.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Ffnbaojm.exeC:\Windows\system32\Ffnbaojm.exe55⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Fmhjni32.exeC:\Windows\system32\Fmhjni32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe57⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Ffqofohj.exeC:\Windows\system32\Ffqofohj.exe58⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Fafcdh32.exeC:\Windows\system32\Fafcdh32.exe59⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Fcdopc32.exeC:\Windows\system32\Fcdopc32.exe60⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Giahhj32.exeC:\Windows\system32\Giahhj32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Gbjlaplk.exeC:\Windows\system32\Gbjlaplk.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Gmoqnhla.exeC:\Windows\system32\Gmoqnhla.exe63⤵
- Executes dropped EXE
PID:364 -
C:\Windows\SysWOW64\Gejebk32.exeC:\Windows\system32\Gejebk32.exe64⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Gnbjlpom.exeC:\Windows\system32\Gnbjlpom.exe65⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Ghkndf32.exeC:\Windows\system32\Ghkndf32.exe66⤵PID:1640
-
C:\Windows\SysWOW64\Gjijqa32.exeC:\Windows\system32\Gjijqa32.exe67⤵
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Gacbmk32.exeC:\Windows\system32\Gacbmk32.exe68⤵PID:1656
-
C:\Windows\SysWOW64\Gdboig32.exeC:\Windows\system32\Gdboig32.exe69⤵
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe70⤵PID:1464
-
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe71⤵PID:2036
-
C:\Windows\SysWOW64\Hddlof32.exeC:\Windows\system32\Hddlof32.exe72⤵PID:1216
-
C:\Windows\SysWOW64\Hnjplo32.exeC:\Windows\system32\Hnjplo32.exe73⤵PID:388
-
C:\Windows\SysWOW64\Hpmiig32.exeC:\Windows\system32\Hpmiig32.exe74⤵PID:2280
-
C:\Windows\SysWOW64\Hfgafadm.exeC:\Windows\system32\Hfgafadm.exe75⤵PID:1488
-
C:\Windows\SysWOW64\Hifmbmda.exeC:\Windows\system32\Hifmbmda.exe76⤵PID:1068
-
C:\Windows\SysWOW64\Hppfog32.exeC:\Windows\system32\Hppfog32.exe77⤵PID:1520
-
C:\Windows\SysWOW64\Hbnbkbja.exeC:\Windows\system32\Hbnbkbja.exe78⤵PID:1668
-
C:\Windows\SysWOW64\Hihjhl32.exeC:\Windows\system32\Hihjhl32.exe79⤵PID:2956
-
C:\Windows\SysWOW64\Hpbbdfik.exeC:\Windows\system32\Hpbbdfik.exe80⤵PID:2792
-
C:\Windows\SysWOW64\Hbqoqbho.exeC:\Windows\system32\Hbqoqbho.exe81⤵PID:2648
-
C:\Windows\SysWOW64\Hijgml32.exeC:\Windows\system32\Hijgml32.exe82⤵PID:2176
-
C:\Windows\SysWOW64\Ilicig32.exeC:\Windows\system32\Ilicig32.exe83⤵
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Ibckfa32.exeC:\Windows\system32\Ibckfa32.exe84⤵PID:2896
-
C:\Windows\SysWOW64\Iimcclni.exeC:\Windows\system32\Iimcclni.exe85⤵PID:1084
-
C:\Windows\SysWOW64\Ioilkblq.exeC:\Windows\system32\Ioilkblq.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Iahhgnkd.exeC:\Windows\system32\Iahhgnkd.exe87⤵PID:2264
-
C:\Windows\SysWOW64\Ihbqdh32.exeC:\Windows\system32\Ihbqdh32.exe88⤵PID:1412
-
C:\Windows\SysWOW64\Ioliqbjn.exeC:\Windows\system32\Ioliqbjn.exe89⤵PID:1764
-
C:\Windows\SysWOW64\Iefamlak.exeC:\Windows\system32\Iefamlak.exe90⤵PID:1064
-
C:\Windows\SysWOW64\Ihdmihpn.exeC:\Windows\system32\Ihdmihpn.exe91⤵PID:1888
-
C:\Windows\SysWOW64\Ionefb32.exeC:\Windows\system32\Ionefb32.exe92⤵PID:1180
-
C:\Windows\SysWOW64\Inafbooe.exeC:\Windows\system32\Inafbooe.exe93⤵PID:1712
-
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe94⤵PID:2376
-
C:\Windows\SysWOW64\Jlklnjoh.exeC:\Windows\system32\Jlklnjoh.exe95⤵PID:1720
-
C:\Windows\SysWOW64\Jcedkd32.exeC:\Windows\system32\Jcedkd32.exe96⤵PID:2684
-
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe97⤵PID:2796
-
C:\Windows\SysWOW64\Jhamckel.exeC:\Windows\system32\Jhamckel.exe98⤵PID:2880
-
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe99⤵PID:2588
-
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Jhdihkcj.exeC:\Windows\system32\Jhdihkcj.exe101⤵PID:2004
-
C:\Windows\SysWOW64\Jcjnfdbp.exeC:\Windows\system32\Jcjnfdbp.exe102⤵PID:1700
-
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe103⤵PID:2828
-
C:\Windows\SysWOW64\Jlbboiip.exeC:\Windows\system32\Jlbboiip.exe104⤵PID:2392
-
C:\Windows\SysWOW64\Kopokehd.exeC:\Windows\system32\Kopokehd.exe105⤵PID:1652
-
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe106⤵PID:2940
-
C:\Windows\SysWOW64\Kdmgclfk.exeC:\Windows\system32\Kdmgclfk.exe107⤵PID:1104
-
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2168 -
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Kqdhhm32.exeC:\Windows\system32\Kqdhhm32.exe110⤵PID:1992
-
C:\Windows\SysWOW64\Kgnpeg32.exeC:\Windows\system32\Kgnpeg32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1608 -
C:\Windows\SysWOW64\Kfeikcfa.exeC:\Windows\system32\Kfeikcfa.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2488 -
C:\Windows\SysWOW64\Knmamp32.exeC:\Windows\system32\Knmamp32.exe113⤵PID:1976
-
C:\Windows\SysWOW64\Konndhmb.exeC:\Windows\system32\Konndhmb.exe114⤵
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Kgefefnd.exeC:\Windows\system32\Kgefefnd.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Lmbonmll.exeC:\Windows\system32\Lmbonmll.exe116⤵
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe117⤵PID:1912
-
-
-
-
-
-
C:\Windows\SysWOW64\Pnfnajed.exeC:\Windows\system32\Pnfnajed.exe113⤵PID:1592
-
C:\Windows\SysWOW64\Pepfnd32.exeC:\Windows\system32\Pepfnd32.exe114⤵PID:3096
-
C:\Windows\SysWOW64\Phobjp32.exeC:\Windows\system32\Phobjp32.exe115⤵
- Modifies registry class
PID:3136 -
C:\Windows\SysWOW64\Pjmnfk32.exeC:\Windows\system32\Pjmnfk32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3176 -
C:\Windows\SysWOW64\Pnhjgj32.exeC:\Windows\system32\Pnhjgj32.exe117⤵PID:3216
-
C:\Windows\SysWOW64\Pebbcdkn.exeC:\Windows\system32\Pebbcdkn.exe118⤵
- Modifies registry class
PID:3256 -
C:\Windows\SysWOW64\Phaoppja.exeC:\Windows\system32\Phaoppja.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3296 -
C:\Windows\SysWOW64\Pnkglj32.exeC:\Windows\system32\Pnkglj32.exe120⤵
- Modifies registry class
PID:3336 -
C:\Windows\SysWOW64\Peeoidik.exeC:\Windows\system32\Peeoidik.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3376
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-