Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
17/11/2023, 05:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.e000b942fb70c94eefd8afeed5cee350.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.e000b942fb70c94eefd8afeed5cee350.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.e000b942fb70c94eefd8afeed5cee350.exe
-
Size
93KB
-
MD5
e000b942fb70c94eefd8afeed5cee350
-
SHA1
3dabbe4d8172856ee8952b4f2a2f9e5f90d31c87
-
SHA256
af699170f9d23bf82a34b2fb909654475a7ea390d347d2349c8430ab537f09cb
-
SHA512
f7dda585c1d71a94a40519c8a23aa819e1439ca873e51bada13c92e58e013945d7342b1c2a68530290a14feffdc4a70f3acd72b19969a5654c626492e14fc73a
-
SSDEEP
1536:yTKBlyYeLHTq0fxb9zH4SXGsRQfRkRLJzeLD9N0iQGRNQR8RyV+32rR:ymBlkq0fjztefSJdEN0s4WE+3K
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kbkameaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qbbhgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dlgldibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jofbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfcampgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Blgpef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngibaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ipllekdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bajomhbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiihdlpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgocb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npagjpcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oclilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adpkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anlfbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfeppop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Boplllob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhehek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hoopae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Leljop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgfqaiod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbidgeci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mapjmehi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocdmaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dolnad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pqjfoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejhlgaeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcmafj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okfgfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Npagjpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Achojp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agfgqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leimip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mabgcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dccagcgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qkhpkoen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfbcbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbplbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alnqqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejkima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glgaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilncom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djmicm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpqpjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amqccfed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bejdiffp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkglameg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amqccfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghelfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkhofjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajbggjfq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecqqpgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghqnjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfffnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgagfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lghjel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlfojn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqjfoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajbne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfkke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dccagcgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjbpgd32.exe -
Executes dropped EXE 64 IoCs
pid Process 1752 Onmdoioa.exe 2656 Ogeigofa.exe 2672 Oclilp32.exe 2328 Ohibdf32.exe 2680 Omfkke32.exe 2556 Onhgbmfb.exe 2516 Pogclp32.exe 2892 Pgbhabjp.exe 2400 Pciifc32.exe 2188 Pjcabmga.exe 1880 Peiepfgg.exe 584 Pjenhm32.exe 2084 Qpecfc32.exe 1980 Alnqqd32.exe 2980 Abhimnma.exe 1516 Aplifb32.exe 1900 Aehboi32.exe 2312 Aekodi32.exe 1116 Adpkee32.exe 1564 Aoepcn32.exe 1832 Bfadgq32.exe 308 Bafidiio.exe 1560 Bfcampgf.exe 1032 Blpjegfm.exe 1484 Bfenbpec.exe 1912 Blbfjg32.exe 1716 Bekkcljk.exe 2604 Bldcpf32.exe 2336 Bbokmqie.exe 2968 Blgpef32.exe 2536 Cdbdjhmp.exe 2652 Cnmehnan.exe 2524 Cdgneh32.exe 2136 Cjdfmo32.exe 2844 Cdikkg32.exe 2616 Cjfccn32.exe 1828 Cppkph32.exe 1628 Ccngld32.exe 636 Djhphncm.exe 700 Dlgldibq.exe 2096 Dcadac32.exe 2128 Dliijipn.exe 1696 Dccagcgk.exe 2344 Djmicm32.exe 768 Dlkepi32.exe 644 Dojald32.exe 2412 Dfdjhndl.exe 1924 Dolnad32.exe 280 Dfffnn32.exe 952 Dggcffhg.exe 2484 Dookgcij.exe 996 Ebmgcohn.exe 2592 Egjpkffe.exe 1992 Ejhlgaeh.exe 1668 Eqbddk32.exe 2624 Ecqqpgli.exe 2648 Ejkima32.exe 2540 Eqdajkkb.exe 2512 Egoife32.exe 3036 Enhacojl.exe 2900 Ecejkf32.exe 2384 Efcfga32.exe 896 Eibbcm32.exe 592 Eplkpgnh.exe -
Loads dropped DLL 64 IoCs
pid Process 2472 NEAS.e000b942fb70c94eefd8afeed5cee350.exe 2472 NEAS.e000b942fb70c94eefd8afeed5cee350.exe 1752 Onmdoioa.exe 1752 Onmdoioa.exe 2656 Ogeigofa.exe 2656 Ogeigofa.exe 2672 Oclilp32.exe 2672 Oclilp32.exe 2328 Ohibdf32.exe 2328 Ohibdf32.exe 2680 Omfkke32.exe 2680 Omfkke32.exe 2556 Onhgbmfb.exe 2556 Onhgbmfb.exe 2516 Pogclp32.exe 2516 Pogclp32.exe 2892 Pgbhabjp.exe 2892 Pgbhabjp.exe 2400 Pciifc32.exe 2400 Pciifc32.exe 2188 Pjcabmga.exe 2188 Pjcabmga.exe 1880 Peiepfgg.exe 1880 Peiepfgg.exe 584 Pjenhm32.exe 584 Pjenhm32.exe 2084 Qpecfc32.exe 2084 Qpecfc32.exe 1980 Alnqqd32.exe 1980 Alnqqd32.exe 2980 Abhimnma.exe 2980 Abhimnma.exe 1516 Aplifb32.exe 1516 Aplifb32.exe 1900 Aehboi32.exe 1900 Aehboi32.exe 2312 Aekodi32.exe 2312 Aekodi32.exe 1116 Adpkee32.exe 1116 Adpkee32.exe 1564 Aoepcn32.exe 1564 Aoepcn32.exe 1832 Bfadgq32.exe 1832 Bfadgq32.exe 308 Bafidiio.exe 308 Bafidiio.exe 1560 Bfcampgf.exe 1560 Bfcampgf.exe 1032 Blpjegfm.exe 1032 Blpjegfm.exe 1484 Bfenbpec.exe 1484 Bfenbpec.exe 1912 Blbfjg32.exe 1912 Blbfjg32.exe 1716 Bekkcljk.exe 1716 Bekkcljk.exe 2604 Bldcpf32.exe 2604 Bldcpf32.exe 2336 Bbokmqie.exe 2336 Bbokmqie.exe 2968 Blgpef32.exe 2968 Blgpef32.exe 2536 Cdbdjhmp.exe 2536 Cdbdjhmp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qhiphb32.dll Qbplbi32.exe File created C:\Windows\SysWOW64\Hbcicn32.dll Abeemhkh.exe File opened for modification C:\Windows\SysWOW64\Ebjglbml.exe Eplkpgnh.exe File opened for modification C:\Windows\SysWOW64\Gikaio32.exe Gbaileio.exe File opened for modification C:\Windows\SysWOW64\Jgojpjem.exe Jnffgd32.exe File created C:\Windows\SysWOW64\Leljop32.exe Lnbbbffj.exe File opened for modification C:\Windows\SysWOW64\Pjldghjm.exe Okfgfl32.exe File created C:\Windows\SysWOW64\Pfgngh32.exe Pcibkm32.exe File created C:\Windows\SysWOW64\Iifjjk32.dll Dliijipn.exe File opened for modification C:\Windows\SysWOW64\Gfobbc32.exe Gohjaf32.exe File created C:\Windows\SysWOW64\Gccdbl32.dll Ilncom32.exe File opened for modification C:\Windows\SysWOW64\Lcfqkl32.exe Llohjo32.exe File created C:\Windows\SysWOW64\Fahgfoih.dll Cdikkg32.exe File created C:\Windows\SysWOW64\Iamimc32.exe Ipllekdl.exe File created C:\Windows\SysWOW64\Jnmlhchd.exe Jjbpgd32.exe File created C:\Windows\SysWOW64\Hcpbee32.dll Migbnb32.exe File created C:\Windows\SysWOW64\Ogeigofa.exe Onmdoioa.exe File created C:\Windows\SysWOW64\Aekodi32.exe Aehboi32.exe File opened for modification C:\Windows\SysWOW64\Blbfjg32.exe Bfenbpec.exe File created C:\Windows\SysWOW64\Pbkafj32.dll Blgpef32.exe File created C:\Windows\SysWOW64\Pckoam32.exe Pkdgpo32.exe File created C:\Windows\SysWOW64\Onmjak32.dll NEAS.e000b942fb70c94eefd8afeed5cee350.exe File opened for modification C:\Windows\SysWOW64\Ngkogj32.exe Nodgel32.exe File opened for modification C:\Windows\SysWOW64\Apalea32.exe Aigchgkh.exe File opened for modification C:\Windows\SysWOW64\Baohhgnf.exe Boplllob.exe File opened for modification C:\Windows\SysWOW64\Bafidiio.exe Bfadgq32.exe File opened for modification C:\Windows\SysWOW64\Blgpef32.exe Bbokmqie.exe File created C:\Windows\SysWOW64\Lghjel32.exe Leimip32.exe File created C:\Windows\SysWOW64\Pihgic32.exe Pbnoliap.exe File created C:\Windows\SysWOW64\Hqlhpf32.dll Bhdgjb32.exe File created C:\Windows\SysWOW64\Pmmokmik.dll Onmdoioa.exe File created C:\Windows\SysWOW64\Hfjiem32.dll Lghjel32.exe File opened for modification C:\Windows\SysWOW64\Apoooa32.exe Amqccfed.exe File created C:\Windows\SysWOW64\Lmmlmd32.dll Apalea32.exe File created C:\Windows\SysWOW64\Ljmlbfhi.exe Lphhenhc.exe File created C:\Windows\SysWOW64\Nmmfff32.dll Baohhgnf.exe File created C:\Windows\SysWOW64\Jcmafj32.exe Jnpinc32.exe File created C:\Windows\SysWOW64\Nhohda32.exe Nadpgggp.exe File opened for modification C:\Windows\SysWOW64\Oebimf32.exe Ocdmaj32.exe File opened for modification C:\Windows\SysWOW64\Bpfeppop.exe Bmhideol.exe File opened for modification C:\Windows\SysWOW64\Mhloponc.exe Mabgcd32.exe File opened for modification C:\Windows\SysWOW64\Qjnmlk32.exe Qgoapp32.exe File created C:\Windows\SysWOW64\Mbkbki32.dll Apoooa32.exe File created C:\Windows\SysWOW64\Okphjd32.dll Bekkcljk.exe File created C:\Windows\SysWOW64\Ccngld32.exe Cppkph32.exe File created C:\Windows\SysWOW64\Ecjlgm32.dll Iedkbc32.exe File created C:\Windows\SysWOW64\Gdfjcc32.dll Ieidmbcc.exe File created C:\Windows\SysWOW64\Mapjmehi.exe Moanaiie.exe File created C:\Windows\SysWOW64\Jbodgd32.dll Bajomhbl.exe File opened for modification C:\Windows\SysWOW64\Cdoajb32.exe Bmeimhdj.exe File opened for modification C:\Windows\SysWOW64\Dggcffhg.exe Dfffnn32.exe File created C:\Windows\SysWOW64\Efcfga32.exe Ecejkf32.exe File created C:\Windows\SysWOW64\Jofbag32.exe Jgojpjem.exe File created C:\Windows\SysWOW64\Ancjqghh.dll Kfbcbd32.exe File opened for modification C:\Windows\SysWOW64\Abeemhkh.exe Qjnmlk32.exe File created C:\Windows\SysWOW64\Behgcf32.exe Bbikgk32.exe File created C:\Windows\SysWOW64\Ghqnjk32.exe Gfobbc32.exe File created C:\Windows\SysWOW64\Hqalfl32.dll Kofopj32.exe File created C:\Windows\SysWOW64\Leimip32.exe Kbkameaf.exe File created C:\Windows\SysWOW64\Nlpdbghp.dll Pokieo32.exe File created C:\Windows\SysWOW64\Jgagfi32.exe Jofbag32.exe File created C:\Windows\SysWOW64\Mkoleq32.dll Kilfcpqm.exe File created C:\Windows\SysWOW64\Lnbbbffj.exe Lghjel32.exe File created C:\Windows\SysWOW64\Pcibkm32.exe Pqjfoa32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3400 3372 WerFault.exe 252 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpjhkjde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aajbne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhfglad.dll" Bhajdblk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Omfkke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mclgfa32.dll" Blpjegfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aehboi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Illgimph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lphhenhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll" Qbplbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hoopae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdkghm32.dll" Iapebchh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Enhacojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lmgocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlmhpjh.dll" Mlfojn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlfdghbq.dll" Lfmffhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mbkmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incbogkn.dll" Nkpegi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ilncom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmhideol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ieidmbcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlhejlj.dll" Jgojpjem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgalgjnb.dll" Jofbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pjldghjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqmqeba.dll" Pihgic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fiihdlpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gpqpjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghqnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll" Bbikgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll" Aajbne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmhbhf32.dll" Hapicp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qjnmlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbaileio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhjapjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lfmffhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llcohjcg.dll" Mkhofjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndemjoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eofjhkoj.dll" Dlgldibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efcfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhiii32.dll" Ngkogj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenaioaq.dll" Achojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpggbq32.dll" Agfgqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abhimnma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfacfkje.dll" Djhphncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkfagfop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjojco32.dll" Qeaedd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pogclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Badffggh.dll" Jnmlhchd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nadpgggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pfgngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll" Bphbeplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okphjd32.dll" Bekkcljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnddig32.dll" Lmikibio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oebimf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkepk32.dll" Nkmdpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qeaedd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qeaedd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Biojif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Blaopqpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ohibdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnjef32.dll" Ejhlgaeh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2472 wrote to memory of 1752 2472 NEAS.e000b942fb70c94eefd8afeed5cee350.exe 28 PID 2472 wrote to memory of 1752 2472 NEAS.e000b942fb70c94eefd8afeed5cee350.exe 28 PID 2472 wrote to memory of 1752 2472 NEAS.e000b942fb70c94eefd8afeed5cee350.exe 28 PID 2472 wrote to memory of 1752 2472 NEAS.e000b942fb70c94eefd8afeed5cee350.exe 28 PID 1752 wrote to memory of 2656 1752 Onmdoioa.exe 29 PID 1752 wrote to memory of 2656 1752 Onmdoioa.exe 29 PID 1752 wrote to memory of 2656 1752 Onmdoioa.exe 29 PID 1752 wrote to memory of 2656 1752 Onmdoioa.exe 29 PID 2656 wrote to memory of 2672 2656 Ogeigofa.exe 30 PID 2656 wrote to memory of 2672 2656 Ogeigofa.exe 30 PID 2656 wrote to memory of 2672 2656 Ogeigofa.exe 30 PID 2656 wrote to memory of 2672 2656 Ogeigofa.exe 30 PID 2672 wrote to memory of 2328 2672 Oclilp32.exe 31 PID 2672 wrote to memory of 2328 2672 Oclilp32.exe 31 PID 2672 wrote to memory of 2328 2672 Oclilp32.exe 31 PID 2672 wrote to memory of 2328 2672 Oclilp32.exe 31 PID 2328 wrote to memory of 2680 2328 Ohibdf32.exe 32 PID 2328 wrote to memory of 2680 2328 Ohibdf32.exe 32 PID 2328 wrote to memory of 2680 2328 Ohibdf32.exe 32 PID 2328 wrote to memory of 2680 2328 Ohibdf32.exe 32 PID 2680 wrote to memory of 2556 2680 Omfkke32.exe 33 PID 2680 wrote to memory of 2556 2680 Omfkke32.exe 33 PID 2680 wrote to memory of 2556 2680 Omfkke32.exe 33 PID 2680 wrote to memory of 2556 2680 Omfkke32.exe 33 PID 2556 wrote to memory of 2516 2556 Onhgbmfb.exe 34 PID 2556 wrote to memory of 2516 2556 Onhgbmfb.exe 34 PID 2556 wrote to memory of 2516 2556 Onhgbmfb.exe 34 PID 2556 wrote to memory of 2516 2556 Onhgbmfb.exe 34 PID 2516 wrote to memory of 2892 2516 Pogclp32.exe 35 PID 2516 wrote to memory of 2892 2516 Pogclp32.exe 35 PID 2516 wrote to memory of 2892 2516 Pogclp32.exe 35 PID 2516 wrote to memory of 2892 2516 Pogclp32.exe 35 PID 2892 wrote to memory of 2400 2892 Pgbhabjp.exe 36 PID 2892 wrote to memory of 2400 2892 Pgbhabjp.exe 36 PID 2892 wrote to memory of 2400 2892 Pgbhabjp.exe 36 PID 2892 wrote to memory of 2400 2892 Pgbhabjp.exe 36 PID 2400 wrote to memory of 2188 2400 Pciifc32.exe 37 PID 2400 wrote to memory of 2188 2400 Pciifc32.exe 37 PID 2400 wrote to memory of 2188 2400 Pciifc32.exe 37 PID 2400 wrote to memory of 2188 2400 Pciifc32.exe 37 PID 2188 wrote to memory of 1880 2188 Pjcabmga.exe 38 PID 2188 wrote to memory of 1880 2188 Pjcabmga.exe 38 PID 2188 wrote to memory of 1880 2188 Pjcabmga.exe 38 PID 2188 wrote to memory of 1880 2188 Pjcabmga.exe 38 PID 1880 wrote to memory of 584 1880 Peiepfgg.exe 39 PID 1880 wrote to memory of 584 1880 Peiepfgg.exe 39 PID 1880 wrote to memory of 584 1880 Peiepfgg.exe 39 PID 1880 wrote to memory of 584 1880 Peiepfgg.exe 39 PID 584 wrote to memory of 2084 584 Pjenhm32.exe 40 PID 584 wrote to memory of 2084 584 Pjenhm32.exe 40 PID 584 wrote to memory of 2084 584 Pjenhm32.exe 40 PID 584 wrote to memory of 2084 584 Pjenhm32.exe 40 PID 2084 wrote to memory of 1980 2084 Qpecfc32.exe 41 PID 2084 wrote to memory of 1980 2084 Qpecfc32.exe 41 PID 2084 wrote to memory of 1980 2084 Qpecfc32.exe 41 PID 2084 wrote to memory of 1980 2084 Qpecfc32.exe 41 PID 1980 wrote to memory of 2980 1980 Alnqqd32.exe 42 PID 1980 wrote to memory of 2980 1980 Alnqqd32.exe 42 PID 1980 wrote to memory of 2980 1980 Alnqqd32.exe 42 PID 1980 wrote to memory of 2980 1980 Alnqqd32.exe 42 PID 2980 wrote to memory of 1516 2980 Abhimnma.exe 43 PID 2980 wrote to memory of 1516 2980 Abhimnma.exe 43 PID 2980 wrote to memory of 1516 2980 Abhimnma.exe 43 PID 2980 wrote to memory of 1516 2980 Abhimnma.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.e000b942fb70c94eefd8afeed5cee350.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.e000b942fb70c94eefd8afeed5cee350.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Oclilp32.exeC:\Windows\system32\Oclilp32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Pciifc32.exeC:\Windows\system32\Pciifc32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Peiepfgg.exeC:\Windows\system32\Peiepfgg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Qpecfc32.exeC:\Windows\system32\Qpecfc32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Abhimnma.exeC:\Windows\system32\Abhimnma.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Aplifb32.exeC:\Windows\system32\Aplifb32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Aehboi32.exeC:\Windows\system32\Aehboi32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Aekodi32.exeC:\Windows\system32\Aekodi32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Adpkee32.exeC:\Windows\system32\Adpkee32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1116 -
C:\Windows\SysWOW64\Aoepcn32.exeC:\Windows\system32\Aoepcn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Bfadgq32.exeC:\Windows\system32\Bfadgq32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:308 -
C:\Windows\SysWOW64\Bfcampgf.exeC:\Windows\system32\Bfcampgf.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Blpjegfm.exeC:\Windows\system32\Blpjegfm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Bfenbpec.exeC:\Windows\system32\Bfenbpec.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Bekkcljk.exeC:\Windows\system32\Bekkcljk.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Bldcpf32.exeC:\Windows\system32\Bldcpf32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Bbokmqie.exeC:\Windows\system32\Bbokmqie.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Blgpef32.exeC:\Windows\system32\Blgpef32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Cdbdjhmp.exeC:\Windows\system32\Cdbdjhmp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Cnmehnan.exeC:\Windows\system32\Cnmehnan.exe33⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Cdgneh32.exeC:\Windows\system32\Cdgneh32.exe34⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Cjdfmo32.exeC:\Windows\system32\Cjdfmo32.exe35⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Cdikkg32.exeC:\Windows\system32\Cdikkg32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Cjfccn32.exeC:\Windows\system32\Cjfccn32.exe37⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Cppkph32.exeC:\Windows\system32\Cppkph32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Ccngld32.exeC:\Windows\system32\Ccngld32.exe39⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Djhphncm.exeC:\Windows\system32\Djhphncm.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:636 -
C:\Windows\SysWOW64\Dlgldibq.exeC:\Windows\system32\Dlgldibq.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:700 -
C:\Windows\SysWOW64\Dcadac32.exeC:\Windows\system32\Dcadac32.exe42⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Dliijipn.exeC:\Windows\system32\Dliijipn.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Dccagcgk.exeC:\Windows\system32\Dccagcgk.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Djmicm32.exeC:\Windows\system32\Djmicm32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Dlkepi32.exeC:\Windows\system32\Dlkepi32.exe46⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Dojald32.exeC:\Windows\system32\Dojald32.exe47⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Dfdjhndl.exeC:\Windows\system32\Dfdjhndl.exe48⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Dolnad32.exeC:\Windows\system32\Dolnad32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Dfffnn32.exeC:\Windows\system32\Dfffnn32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:280 -
C:\Windows\SysWOW64\Dggcffhg.exeC:\Windows\system32\Dggcffhg.exe51⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Dookgcij.exeC:\Windows\system32\Dookgcij.exe52⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Ebmgcohn.exeC:\Windows\system32\Ebmgcohn.exe53⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Egjpkffe.exeC:\Windows\system32\Egjpkffe.exe54⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Ejhlgaeh.exeC:\Windows\system32\Ejhlgaeh.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Eqbddk32.exeC:\Windows\system32\Eqbddk32.exe56⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Ecqqpgli.exeC:\Windows\system32\Ecqqpgli.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Ejkima32.exeC:\Windows\system32\Ejkima32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Eqdajkkb.exeC:\Windows\system32\Eqdajkkb.exe59⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Egoife32.exeC:\Windows\system32\Egoife32.exe60⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Enhacojl.exeC:\Windows\system32\Enhacojl.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Ecejkf32.exeC:\Windows\system32\Ecejkf32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Efcfga32.exeC:\Windows\system32\Efcfga32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Eibbcm32.exeC:\Windows\system32\Eibbcm32.exe64⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Eplkpgnh.exeC:\Windows\system32\Eplkpgnh.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:592 -
C:\Windows\SysWOW64\Ebjglbml.exeC:\Windows\system32\Ebjglbml.exe66⤵PID:840
-
C:\Windows\SysWOW64\Fiihdlpc.exeC:\Windows\system32\Fiihdlpc.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Fikejl32.exeC:\Windows\system32\Fikejl32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1480 -
C:\Windows\SysWOW64\Fagjnn32.exeC:\Windows\system32\Fagjnn32.exe69⤵PID:1068
-
C:\Windows\SysWOW64\Gjakmc32.exeC:\Windows\system32\Gjakmc32.exe70⤵PID:804
-
C:\Windows\SysWOW64\Ghelfg32.exeC:\Windows\system32\Ghelfg32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1552 -
C:\Windows\SysWOW64\Gifhnpea.exeC:\Windows\system32\Gifhnpea.exe72⤵PID:1092
-
C:\Windows\SysWOW64\Gpqpjj32.exeC:\Windows\system32\Gpqpjj32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1000 -
C:\Windows\SysWOW64\Gjfdhbld.exeC:\Windows\system32\Gjfdhbld.exe74⤵PID:1760
-
C:\Windows\SysWOW64\Glgaok32.exeC:\Windows\system32\Glgaok32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1632 -
C:\Windows\SysWOW64\Gbaileio.exeC:\Windows\system32\Gbaileio.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Gikaio32.exeC:\Windows\system32\Gikaio32.exe77⤵PID:2788
-
C:\Windows\SysWOW64\Gohjaf32.exeC:\Windows\system32\Gohjaf32.exe78⤵
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Gfobbc32.exeC:\Windows\system32\Gfobbc32.exe79⤵
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Ghqnjk32.exeC:\Windows\system32\Ghqnjk32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:108 -
C:\Windows\SysWOW64\Hlngpjlj.exeC:\Windows\system32\Hlngpjlj.exe81⤵PID:3044
-
C:\Windows\SysWOW64\Hbhomd32.exeC:\Windows\system32\Hbhomd32.exe82⤵PID:1648
-
C:\Windows\SysWOW64\Hhehek32.exeC:\Windows\system32\Hhehek32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1940 -
C:\Windows\SysWOW64\Hoopae32.exeC:\Windows\system32\Hoopae32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Hanlnp32.exeC:\Windows\system32\Hanlnp32.exe85⤵PID:1572
-
C:\Windows\SysWOW64\Hhgdkjol.exeC:\Windows\system32\Hhgdkjol.exe86⤵PID:684
-
C:\Windows\SysWOW64\Hkfagfop.exeC:\Windows\system32\Hkfagfop.exe87⤵
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Hapicp32.exeC:\Windows\system32\Hapicp32.exe88⤵
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Hhjapjmi.exeC:\Windows\system32\Hhjapjmi.exe89⤵
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Hkhnle32.exeC:\Windows\system32\Hkhnle32.exe90⤵PID:1204
-
C:\Windows\SysWOW64\Hmfjha32.exeC:\Windows\system32\Hmfjha32.exe91⤵PID:440
-
C:\Windows\SysWOW64\Iccbqh32.exeC:\Windows\system32\Iccbqh32.exe92⤵PID:1252
-
C:\Windows\SysWOW64\Illgimph.exeC:\Windows\system32\Illgimph.exe93⤵
- Modifies registry class
PID:1012 -
C:\Windows\SysWOW64\Icfofg32.exeC:\Windows\system32\Icfofg32.exe94⤵PID:3008
-
C:\Windows\SysWOW64\Iedkbc32.exeC:\Windows\system32\Iedkbc32.exe95⤵
- Drops file in System32 directory
PID:1896 -
C:\Windows\SysWOW64\Ilncom32.exeC:\Windows\system32\Ilncom32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe97⤵PID:2752
-
C:\Windows\SysWOW64\Ipllekdl.exeC:\Windows\system32\Ipllekdl.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Iamimc32.exeC:\Windows\system32\Iamimc32.exe99⤵PID:2708
-
C:\Windows\SysWOW64\Ieidmbcc.exeC:\Windows\system32\Ieidmbcc.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Ilcmjl32.exeC:\Windows\system32\Ilcmjl32.exe101⤵PID:2908
-
C:\Windows\SysWOW64\Ioaifhid.exeC:\Windows\system32\Ioaifhid.exe102⤵PID:1556
-
C:\Windows\SysWOW64\Iapebchh.exeC:\Windows\system32\Iapebchh.exe103⤵
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Ihjnom32.exeC:\Windows\system32\Ihjnom32.exe104⤵PID:936
-
C:\Windows\SysWOW64\Jnffgd32.exeC:\Windows\system32\Jnffgd32.exe105⤵
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Jgojpjem.exeC:\Windows\system32\Jgojpjem.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Jofbag32.exeC:\Windows\system32\Jofbag32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Jgagfi32.exeC:\Windows\system32\Jgagfi32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1800 -
C:\Windows\SysWOW64\Jnkpbcjg.exeC:\Windows\system32\Jnkpbcjg.exe109⤵PID:1284
-
C:\Windows\SysWOW64\Jqilooij.exeC:\Windows\system32\Jqilooij.exe110⤵PID:1160
-
C:\Windows\SysWOW64\Jjbpgd32.exeC:\Windows\system32\Jjbpgd32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Jnmlhchd.exeC:\Windows\system32\Jnmlhchd.exe112⤵
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Jgfqaiod.exeC:\Windows\system32\Jgfqaiod.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1732 -
C:\Windows\SysWOW64\Jnpinc32.exeC:\Windows\system32\Jnpinc32.exe114⤵
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Jcmafj32.exeC:\Windows\system32\Jcmafj32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2544 -
C:\Windows\SysWOW64\Kiijnq32.exeC:\Windows\system32\Kiijnq32.exe116⤵PID:2812
-
C:\Windows\SysWOW64\Kconkibf.exeC:\Windows\system32\Kconkibf.exe117⤵PID:2936
-
C:\Windows\SysWOW64\Kilfcpqm.exeC:\Windows\system32\Kilfcpqm.exe118⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Kofopj32.exeC:\Windows\system32\Kofopj32.exe119⤵
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Kmjojo32.exeC:\Windows\system32\Kmjojo32.exe120⤵PID:2608
-
C:\Windows\SysWOW64\Kbfhbeek.exeC:\Windows\system32\Kbfhbeek.exe121⤵PID:1936
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-