Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
58s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
02/11/2023, 11:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.e2edc60e7558135441e5dc573897ee10_JC.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.e2edc60e7558135441e5dc573897ee10_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.e2edc60e7558135441e5dc573897ee10_JC.exe
-
Size
325KB
-
MD5
e2edc60e7558135441e5dc573897ee10
-
SHA1
b032dd5e988755fde83ccfadeef7bb7d0c1bc1bb
-
SHA256
8181de6c7c9c42ba8979e0af4138547597ec6df7dd9a93b14d86ca389012d220
-
SHA512
9a8842937d0d1ba6e8e37889e942e264fe9f61ab360a846664f7af97d34d0dc52fc2e44110ee043f0f2bd38d9011f9c48ff93f3cafecc764c1b8f23b52c5866c
-
SSDEEP
6144:XseoTXhzFMRs+Hsohxd2Quohdbd0zscwIGUKfvUJ43ewmxteZekR+1b/KVC0CLzg:XQ1yHxdzZdxGwsYIL0
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpmomo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbbmmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lamlphoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lelajb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phfhfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebaplnie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihceigec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkfmjnii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqmicpbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moefdljc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eldbbjof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Canocm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgjcfgoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilqmam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmghdpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abjmkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knmpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljpaqmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkgmoncl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icgbob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jabiie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qniogl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjakkmpk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aimogakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgmnooom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdodbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmpkakak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcofbifb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbpedjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdllffpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elgohj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqjcgbbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jobfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiehhjjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbbdip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kajfdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bemlhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cehlcikj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eejcki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iagqgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhndgjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gledpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmbnnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkaeih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkmhgh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cibkohef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cehlcikj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcembe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moeoje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enedio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lajhpbme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmcfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oahnhncc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fefjanml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpnepk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceeaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biklho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkghqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iccpniqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdnelpod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bflagg32.exe -
Executes dropped EXE 64 IoCs
pid Process 1928 Kcbfcigf.exe 4228 Lnjgfb32.exe 1140 Lcimdh32.exe 5000 Lggejg32.exe 4900 Lcnfohmi.exe 4452 Mgnlkfal.exe 372 Mcelpggq.exe 3844 Mqkiok32.exe 4528 Npbceggm.exe 3212 Ncqlkemc.exe 4604 Nmkmjjaa.exe 2744 Onkidm32.exe 1372 Oabhfg32.exe 2816 Pnkbkk32.exe 1504 Adhdjpjf.exe 2448 Amcehdod.exe 3276 Bpkdjofm.exe 2736 Cggimh32.exe 3016 Cgifbhid.exe 3448 Cdpcal32.exe 4620 Cacckp32.exe 2444 Cnjdpaki.exe 1824 Dahmfpap.exe 4784 Dnajppda.exe 1652 Dndgfpbo.exe 3740 Ebaplnie.exe 2940 Ebfign32.exe 2832 Ekonpckp.exe 3260 Eomffaag.exe 2600 Eghkjdoa.exe 1740 Fkfcqb32.exe 5016 Fqgedh32.exe 2852 Galoohke.exe 4892 Gpmomo32.exe 1532 Gaqhjggp.exe 4496 Gbpedjnb.exe 4008 Gngeik32.exe 1080 Hpkknmgd.exe 2844 Hpmhdmea.exe 1776 Hejqldci.exe 3116 Hbnaeh32.exe 1732 Ihkjno32.exe 2392 Iogopi32.exe 580 Ilkoim32.exe 3904 Ipkdek32.exe 4316 Jhgiim32.exe 576 Jblmgf32.exe 3028 Kheekkjl.exe 2140 Kpqggh32.exe 3832 Klggli32.exe 3136 Lohqnd32.exe 2740 Lojmcdgl.exe 328 Ljpaqmgb.exe 5100 Llcghg32.exe 4040 Lcmodajm.exe 2028 Mfenglqf.exe 3112 Nmcpoedn.exe 3152 Ncpeaoih.exe 4848 Nqcejcha.exe 4564 Ooibkpmi.exe 648 Oonlfo32.exe 2336 Ockdmmoj.exe 1472 Pjjfdfbb.exe 3712 Pjaleemj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cdghfg32.dll Mkgmoncl.exe File created C:\Windows\SysWOW64\Lcoeiajc.dll Oomelheh.exe File created C:\Windows\SysWOW64\Ifoglp32.dll Qpbgnecp.exe File created C:\Windows\SysWOW64\Bnicai32.exe Bgmnooom.exe File created C:\Windows\SysWOW64\Eaenkj32.exe Eeomfioh.exe File created C:\Windows\SysWOW64\Iagqgn32.exe Ilkhog32.exe File opened for modification C:\Windows\SysWOW64\Ohdbkh32.exe Ogefqeaj.exe File opened for modification C:\Windows\SysWOW64\Aofjoo32.exe Adqeaf32.exe File created C:\Windows\SysWOW64\Foonjd32.exe Fefjanml.exe File created C:\Windows\SysWOW64\Meajdj32.dll Fhgccijm.exe File created C:\Windows\SysWOW64\Ajhndgjj.exe Kilhqq32.exe File created C:\Windows\SysWOW64\Ijngkf32.exe Icdoolge.exe File created C:\Windows\SysWOW64\Fbbnhl32.dll Ilhkigcd.exe File created C:\Windows\SysWOW64\Dmplkd32.exe Dgfdojfm.exe File created C:\Windows\SysWOW64\Feljgd32.exe Fdjnolfd.exe File opened for modification C:\Windows\SysWOW64\Icgbob32.exe Ijonfmbn.exe File created C:\Windows\SysWOW64\Bnppkj32.exe Bichcc32.exe File opened for modification C:\Windows\SysWOW64\Bgmnooom.exe Bflagg32.exe File opened for modification C:\Windows\SysWOW64\Jblmgf32.exe Jhgiim32.exe File created C:\Windows\SysWOW64\Dbgdnelk.exe Diopep32.exe File created C:\Windows\SysWOW64\Cfenfhnj.dll Lfmghdpl.exe File created C:\Windows\SysWOW64\Njiccd32.dll Paomog32.exe File created C:\Windows\SysWOW64\Khjeei32.dll Ceoillaj.exe File created C:\Windows\SysWOW64\Coffgmig.dll Gaqhjggp.exe File opened for modification C:\Windows\SysWOW64\Knpmhh32.exe Khfdlnab.exe File opened for modification C:\Windows\SysWOW64\Kmbfiokn.exe Kfhnme32.exe File created C:\Windows\SysWOW64\Qoflodqh.dll Dlhlleeh.exe File opened for modification C:\Windows\SysWOW64\Dnnoip32.exe Hdkimdnk.exe File opened for modification C:\Windows\SysWOW64\Ncpeaoih.exe Nmcpoedn.exe File created C:\Windows\SysWOW64\Ppbeie32.dll Bemlhj32.exe File created C:\Windows\SysWOW64\Fnammclg.dll Idkpmgjo.exe File created C:\Windows\SysWOW64\Gmhklj32.dll Kagbdenk.exe File created C:\Windows\SysWOW64\Llbndn32.dll Cghgpgqd.exe File created C:\Windows\SysWOW64\Egnelfnm.dll Fkemfl32.exe File opened for modification C:\Windows\SysWOW64\Defheg32.exe Dpjompqc.exe File created C:\Windows\SysWOW64\Abokkkac.dll Dgfdojfm.exe File created C:\Windows\SysWOW64\Apqddgbj.dll Naokbokn.exe File created C:\Windows\SysWOW64\Olpigmpg.dll Aeeomegd.exe File opened for modification C:\Windows\SysWOW64\Cejaobel.exe Cpmifkgd.exe File created C:\Windows\SysWOW64\Dngnaa32.dll Fefjanml.exe File opened for modification C:\Windows\SysWOW64\Ggoiap32.exe Fhnichde.exe File opened for modification C:\Windows\SysWOW64\Pjaleemj.exe Pjjfdfbb.exe File opened for modification C:\Windows\SysWOW64\Nfnjbdep.exe Nkhfek32.exe File created C:\Windows\SysWOW64\Lchfjc32.dll Nbdkhe32.exe File opened for modification C:\Windows\SysWOW64\Pmoagk32.exe Pokanf32.exe File opened for modification C:\Windows\SysWOW64\Hqkjaifk.exe Hgbfhc32.exe File created C:\Windows\SysWOW64\Hfhbipdb.exe Hqkjaifk.exe File opened for modification C:\Windows\SysWOW64\Phfhfa32.exe Oiehhjjp.exe File created C:\Windows\SysWOW64\Miagbi32.dll Canocm32.exe File opened for modification C:\Windows\SysWOW64\Gogjflhf.exe Ghmbib32.exe File created C:\Windows\SysWOW64\Jepidp32.dll Nhfoocaa.exe File created C:\Windows\SysWOW64\Hnbkjebd.dll Bdiamnpc.exe File opened for modification C:\Windows\SysWOW64\Eaceghcg.exe Daollh32.exe File opened for modification C:\Windows\SysWOW64\Fgnjqm32.exe Fbaahf32.exe File opened for modification C:\Windows\SysWOW64\Gkalbj32.exe Gbhhieao.exe File opened for modification C:\Windows\SysWOW64\Hcembe32.exe Gglpgd32.exe File created C:\Windows\SysWOW64\Hcalmk32.dll Cemndbci.exe File created C:\Windows\SysWOW64\Fkmpjb32.dll Ehnpmkbg.exe File opened for modification C:\Windows\SysWOW64\Jhgiim32.exe Ipkdek32.exe File created C:\Windows\SysWOW64\Ikfbpdlg.dll Dahfkimd.exe File created C:\Windows\SysWOW64\Qoocnpag.exe Qdipag32.exe File created C:\Windows\SysWOW64\Modkhnci.dll Elccpife.exe File opened for modification C:\Windows\SysWOW64\Ehofhdli.exe Eaenkj32.exe File created C:\Windows\SysWOW64\Eiobbgcl.exe Mlnijmhc.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhlbgmif.dll" Pjjfdfbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmmcco32.dll" Icqmncof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jepidp32.dll" Nhfoocaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehnpmkbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emamkgpg.dll" Eomffaag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmheahf.dll" Hbfdjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkaeih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oacmli32.dll" Kdffjgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cifdjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qomghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nijmbbnl.dll" Gkalbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnefjjd.dll" Jhhodg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggiipk32.dll" Cpqlfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjakkmpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jabiie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpqggh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbaahf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddehb32.dll" Doqbifpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpjelibg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qolmplcl.dll" Oiqomj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pokanf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddcogo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgmnooom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dehgejep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll" Fgnjqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeolckne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpmeimpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idkpmgjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefpidln.dll" Nhbmnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abhqefpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpgqik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bliplndi.dll" Ldgnbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlnqln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emldnf32.dll" Dijppjfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilqmam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmoagk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gflcnanp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcijglg.dll" Jcjodbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbjkkjkc.dll" Lfddci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jobfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnnoip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnjgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klggli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biklho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gegchl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldgnbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcnfohmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiinbn32.dll" Ddcogo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifleji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oileakbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkkgqn32.dll" Ophjdehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enedio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcimdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eghkjdoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pecpknke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofhcdlgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkfmjnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmkgdlkh.dll" Phfhfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdclbd32.dll" Ajhndgjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkaeih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cifdjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ankgpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhgccijm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4060 wrote to memory of 1928 4060 NEAS.e2edc60e7558135441e5dc573897ee10_JC.exe 91 PID 4060 wrote to memory of 1928 4060 NEAS.e2edc60e7558135441e5dc573897ee10_JC.exe 91 PID 4060 wrote to memory of 1928 4060 NEAS.e2edc60e7558135441e5dc573897ee10_JC.exe 91 PID 1928 wrote to memory of 4228 1928 Kcbfcigf.exe 92 PID 1928 wrote to memory of 4228 1928 Kcbfcigf.exe 92 PID 1928 wrote to memory of 4228 1928 Kcbfcigf.exe 92 PID 4228 wrote to memory of 1140 4228 Lnjgfb32.exe 93 PID 4228 wrote to memory of 1140 4228 Lnjgfb32.exe 93 PID 4228 wrote to memory of 1140 4228 Lnjgfb32.exe 93 PID 1140 wrote to memory of 5000 1140 Lcimdh32.exe 94 PID 1140 wrote to memory of 5000 1140 Lcimdh32.exe 94 PID 1140 wrote to memory of 5000 1140 Lcimdh32.exe 94 PID 5000 wrote to memory of 4900 5000 Lggejg32.exe 95 PID 5000 wrote to memory of 4900 5000 Lggejg32.exe 95 PID 5000 wrote to memory of 4900 5000 Lggejg32.exe 95 PID 4900 wrote to memory of 4452 4900 Lcnfohmi.exe 96 PID 4900 wrote to memory of 4452 4900 Lcnfohmi.exe 96 PID 4900 wrote to memory of 4452 4900 Lcnfohmi.exe 96 PID 4452 wrote to memory of 372 4452 Mgnlkfal.exe 97 PID 4452 wrote to memory of 372 4452 Mgnlkfal.exe 97 PID 4452 wrote to memory of 372 4452 Mgnlkfal.exe 97 PID 372 wrote to memory of 3844 372 Mcelpggq.exe 98 PID 372 wrote to memory of 3844 372 Mcelpggq.exe 98 PID 372 wrote to memory of 3844 372 Mcelpggq.exe 98 PID 3844 wrote to memory of 4528 3844 Mqkiok32.exe 99 PID 3844 wrote to memory of 4528 3844 Mqkiok32.exe 99 PID 3844 wrote to memory of 4528 3844 Mqkiok32.exe 99 PID 4528 wrote to memory of 3212 4528 Npbceggm.exe 100 PID 4528 wrote to memory of 3212 4528 Npbceggm.exe 100 PID 4528 wrote to memory of 3212 4528 Npbceggm.exe 100 PID 3212 wrote to memory of 4604 3212 Ncqlkemc.exe 101 PID 3212 wrote to memory of 4604 3212 Ncqlkemc.exe 101 PID 3212 wrote to memory of 4604 3212 Ncqlkemc.exe 101 PID 4604 wrote to memory of 2744 4604 Nmkmjjaa.exe 102 PID 4604 wrote to memory of 2744 4604 Nmkmjjaa.exe 102 PID 4604 wrote to memory of 2744 4604 Nmkmjjaa.exe 102 PID 2744 wrote to memory of 1372 2744 Onkidm32.exe 103 PID 2744 wrote to memory of 1372 2744 Onkidm32.exe 103 PID 2744 wrote to memory of 1372 2744 Onkidm32.exe 103 PID 1372 wrote to memory of 2816 1372 Oabhfg32.exe 104 PID 1372 wrote to memory of 2816 1372 Oabhfg32.exe 104 PID 1372 wrote to memory of 2816 1372 Oabhfg32.exe 104 PID 2816 wrote to memory of 1504 2816 Pnkbkk32.exe 105 PID 2816 wrote to memory of 1504 2816 Pnkbkk32.exe 105 PID 2816 wrote to memory of 1504 2816 Pnkbkk32.exe 105 PID 1504 wrote to memory of 2448 1504 Adhdjpjf.exe 106 PID 1504 wrote to memory of 2448 1504 Adhdjpjf.exe 106 PID 1504 wrote to memory of 2448 1504 Adhdjpjf.exe 106 PID 2448 wrote to memory of 3276 2448 Amcehdod.exe 107 PID 2448 wrote to memory of 3276 2448 Amcehdod.exe 107 PID 2448 wrote to memory of 3276 2448 Amcehdod.exe 107 PID 3276 wrote to memory of 2736 3276 Bpkdjofm.exe 108 PID 3276 wrote to memory of 2736 3276 Bpkdjofm.exe 108 PID 3276 wrote to memory of 2736 3276 Bpkdjofm.exe 108 PID 2736 wrote to memory of 3016 2736 Cggimh32.exe 109 PID 2736 wrote to memory of 3016 2736 Cggimh32.exe 109 PID 2736 wrote to memory of 3016 2736 Cggimh32.exe 109 PID 3016 wrote to memory of 3448 3016 Cgifbhid.exe 110 PID 3016 wrote to memory of 3448 3016 Cgifbhid.exe 110 PID 3016 wrote to memory of 3448 3016 Cgifbhid.exe 110 PID 3448 wrote to memory of 4620 3448 Cdpcal32.exe 111 PID 3448 wrote to memory of 4620 3448 Cdpcal32.exe 111 PID 3448 wrote to memory of 4620 3448 Cdpcal32.exe 111 PID 4620 wrote to memory of 2444 4620 Cacckp32.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.e2edc60e7558135441e5dc573897ee10_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.e2edc60e7558135441e5dc573897ee10_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\Kcbfcigf.exeC:\Windows\system32\Kcbfcigf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Lnjgfb32.exeC:\Windows\system32\Lnjgfb32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Lcimdh32.exeC:\Windows\system32\Lcimdh32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Lggejg32.exeC:\Windows\system32\Lggejg32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Lcnfohmi.exeC:\Windows\system32\Lcnfohmi.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Mgnlkfal.exeC:\Windows\system32\Mgnlkfal.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\Mcelpggq.exeC:\Windows\system32\Mcelpggq.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\Mqkiok32.exeC:\Windows\system32\Mqkiok32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\Npbceggm.exeC:\Windows\system32\Npbceggm.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\Ncqlkemc.exeC:\Windows\system32\Ncqlkemc.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Nmkmjjaa.exeC:\Windows\system32\Nmkmjjaa.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\Onkidm32.exeC:\Windows\system32\Onkidm32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Oabhfg32.exeC:\Windows\system32\Oabhfg32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Pnkbkk32.exeC:\Windows\system32\Pnkbkk32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Adhdjpjf.exeC:\Windows\system32\Adhdjpjf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Amcehdod.exeC:\Windows\system32\Amcehdod.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Bpkdjofm.exeC:\Windows\system32\Bpkdjofm.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Cggimh32.exeC:\Windows\system32\Cggimh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Cgifbhid.exeC:\Windows\system32\Cgifbhid.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Cdpcal32.exeC:\Windows\system32\Cdpcal32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\Cacckp32.exeC:\Windows\system32\Cacckp32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Cnjdpaki.exeC:\Windows\system32\Cnjdpaki.exe23⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Dahmfpap.exeC:\Windows\system32\Dahmfpap.exe24⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Dnajppda.exeC:\Windows\system32\Dnajppda.exe25⤵
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Dndgfpbo.exeC:\Windows\system32\Dndgfpbo.exe26⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Ebaplnie.exeC:\Windows\system32\Ebaplnie.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Ebfign32.exeC:\Windows\system32\Ebfign32.exe28⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Ekonpckp.exeC:\Windows\system32\Ekonpckp.exe29⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Eomffaag.exeC:\Windows\system32\Eomffaag.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:3260 -
C:\Windows\SysWOW64\Eghkjdoa.exeC:\Windows\system32\Eghkjdoa.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Fkfcqb32.exeC:\Windows\system32\Fkfcqb32.exe32⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Fqgedh32.exeC:\Windows\system32\Fqgedh32.exe33⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Galoohke.exeC:\Windows\system32\Galoohke.exe34⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Gpmomo32.exeC:\Windows\system32\Gpmomo32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Gaqhjggp.exeC:\Windows\system32\Gaqhjggp.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Gbpedjnb.exeC:\Windows\system32\Gbpedjnb.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Gngeik32.exeC:\Windows\system32\Gngeik32.exe38⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Hpkknmgd.exeC:\Windows\system32\Hpkknmgd.exe39⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Hpmhdmea.exeC:\Windows\system32\Hpmhdmea.exe40⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Hejqldci.exeC:\Windows\system32\Hejqldci.exe41⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Hbnaeh32.exeC:\Windows\system32\Hbnaeh32.exe42⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Ihkjno32.exeC:\Windows\system32\Ihkjno32.exe43⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Iogopi32.exeC:\Windows\system32\Iogopi32.exe44⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Ilkoim32.exeC:\Windows\system32\Ilkoim32.exe45⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Ipkdek32.exeC:\Windows\system32\Ipkdek32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3904 -
C:\Windows\SysWOW64\Jhgiim32.exeC:\Windows\system32\Jhgiim32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4316 -
C:\Windows\SysWOW64\Jblmgf32.exeC:\Windows\system32\Jblmgf32.exe48⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Kheekkjl.exeC:\Windows\system32\Kheekkjl.exe49⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Kpqggh32.exeC:\Windows\system32\Kpqggh32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Klggli32.exeC:\Windows\system32\Klggli32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3832 -
C:\Windows\SysWOW64\Lohqnd32.exeC:\Windows\system32\Lohqnd32.exe52⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Lojmcdgl.exeC:\Windows\system32\Lojmcdgl.exe53⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Ljpaqmgb.exeC:\Windows\system32\Ljpaqmgb.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Llcghg32.exeC:\Windows\system32\Llcghg32.exe55⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Lcmodajm.exeC:\Windows\system32\Lcmodajm.exe56⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Mfenglqf.exeC:\Windows\system32\Mfenglqf.exe57⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Nmcpoedn.exeC:\Windows\system32\Nmcpoedn.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3112 -
C:\Windows\SysWOW64\Ncpeaoih.exeC:\Windows\system32\Ncpeaoih.exe59⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Nqcejcha.exeC:\Windows\system32\Nqcejcha.exe60⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Ooibkpmi.exeC:\Windows\system32\Ooibkpmi.exe61⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Oonlfo32.exeC:\Windows\system32\Oonlfo32.exe62⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Ockdmmoj.exeC:\Windows\system32\Ockdmmoj.exe63⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Pjjfdfbb.exeC:\Windows\system32\Pjjfdfbb.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1472 -
C:\Windows\SysWOW64\Pjaleemj.exeC:\Windows\system32\Pjaleemj.exe65⤵
- Executes dropped EXE
PID:3712 -
C:\Windows\SysWOW64\Pblajhje.exeC:\Windows\system32\Pblajhje.exe66⤵PID:4952
-
C:\Windows\SysWOW64\Qfmfefni.exeC:\Windows\system32\Qfmfefni.exe67⤵PID:4012
-
C:\Windows\SysWOW64\Acqgojmb.exeC:\Windows\system32\Acqgojmb.exe68⤵PID:1492
-
C:\Windows\SysWOW64\Aimogakj.exeC:\Windows\system32\Aimogakj.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3812 -
C:\Windows\SysWOW64\Amkhmoap.exeC:\Windows\system32\Amkhmoap.exe70⤵PID:4656
-
C:\Windows\SysWOW64\Abhqefpg.exeC:\Windows\system32\Abhqefpg.exe71⤵
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Abjmkf32.exeC:\Windows\system32\Abjmkf32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:616 -
C:\Windows\SysWOW64\Aidehpea.exeC:\Windows\system32\Aidehpea.exe73⤵PID:3940
-
C:\Windows\SysWOW64\Aalmimfd.exeC:\Windows\system32\Aalmimfd.exe74⤵PID:4304
-
C:\Windows\SysWOW64\Bmbnnn32.exeC:\Windows\system32\Bmbnnn32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3760 -
C:\Windows\SysWOW64\Bboffejp.exeC:\Windows\system32\Bboffejp.exe76⤵PID:4700
-
C:\Windows\SysWOW64\Biiobo32.exeC:\Windows\system32\Biiobo32.exe77⤵PID:3420
-
C:\Windows\SysWOW64\Bfmolc32.exeC:\Windows\system32\Bfmolc32.exe78⤵PID:3580
-
C:\Windows\SysWOW64\Biklho32.exeC:\Windows\system32\Biklho32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\Bkmeha32.exeC:\Windows\system32\Bkmeha32.exe80⤵PID:3884
-
C:\Windows\SysWOW64\Bagmdllg.exeC:\Windows\system32\Bagmdllg.exe81⤵PID:2340
-
C:\Windows\SysWOW64\Bgdemb32.exeC:\Windows\system32\Bgdemb32.exe82⤵PID:788
-
C:\Windows\SysWOW64\Calfpk32.exeC:\Windows\system32\Calfpk32.exe83⤵PID:2884
-
C:\Windows\SysWOW64\Caqpkjcl.exeC:\Windows\system32\Caqpkjcl.exe84⤵PID:1528
-
C:\Windows\SysWOW64\Cmgqpkip.exeC:\Windows\system32\Cmgqpkip.exe85⤵PID:2748
-
C:\Windows\SysWOW64\Dgpeha32.exeC:\Windows\system32\Dgpeha32.exe86⤵PID:3012
-
C:\Windows\SysWOW64\Dahfkimd.exeC:\Windows\system32\Dahfkimd.exe87⤵
- Drops file in System32 directory
PID:3200 -
C:\Windows\SysWOW64\Dgdncplk.exeC:\Windows\system32\Dgdncplk.exe88⤵PID:1480
-
C:\Windows\SysWOW64\Dckoia32.exeC:\Windows\system32\Dckoia32.exe89⤵PID:1696
-
C:\Windows\SysWOW64\Daollh32.exeC:\Windows\system32\Daollh32.exe90⤵
- Drops file in System32 directory
PID:676 -
C:\Windows\SysWOW64\Eaceghcg.exeC:\Windows\system32\Eaceghcg.exe91⤵PID:4372
-
C:\Windows\SysWOW64\Egpnooan.exeC:\Windows\system32\Egpnooan.exe92⤵PID:5008
-
C:\Windows\SysWOW64\Egbken32.exeC:\Windows\system32\Egbken32.exe93⤵PID:5132
-
C:\Windows\SysWOW64\Enlcahgh.exeC:\Windows\system32\Enlcahgh.exe94⤵PID:5180
-
C:\Windows\SysWOW64\Enopghee.exeC:\Windows\system32\Enopghee.exe95⤵PID:5224
-
C:\Windows\SysWOW64\Fqphic32.exeC:\Windows\system32\Fqphic32.exe96⤵PID:5268
-
C:\Windows\SysWOW64\Fkemfl32.exeC:\Windows\system32\Fkemfl32.exe97⤵
- Drops file in System32 directory
PID:5308 -
C:\Windows\SysWOW64\Fbaahf32.exeC:\Windows\system32\Fbaahf32.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:5356 -
C:\Windows\SysWOW64\Fgnjqm32.exeC:\Windows\system32\Fgnjqm32.exe99⤵
- Modifies registry class
PID:5396 -
C:\Windows\SysWOW64\Fdbkja32.exeC:\Windows\system32\Fdbkja32.exe100⤵PID:5436
-
C:\Windows\SysWOW64\Fbfkceca.exeC:\Windows\system32\Fbfkceca.exe101⤵PID:5476
-
C:\Windows\SysWOW64\Gkoplk32.exeC:\Windows\system32\Gkoplk32.exe102⤵PID:5532
-
C:\Windows\SysWOW64\Gbhhieao.exeC:\Windows\system32\Gbhhieao.exe103⤵
- Drops file in System32 directory
PID:5580 -
C:\Windows\SysWOW64\Gkalbj32.exeC:\Windows\system32\Gkalbj32.exe104⤵
- Modifies registry class
PID:5640 -
C:\Windows\SysWOW64\Hgapmj32.exeC:\Windows\system32\Hgapmj32.exe105⤵PID:5676
-
C:\Windows\SysWOW64\Hbfdjc32.exeC:\Windows\system32\Hbfdjc32.exe106⤵
- Modifies registry class
PID:5720 -
C:\Windows\SysWOW64\Hegmlnbp.exeC:\Windows\system32\Hegmlnbp.exe107⤵PID:5760
-
C:\Windows\SysWOW64\Hkaeih32.exeC:\Windows\system32\Hkaeih32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5816 -
C:\Windows\SysWOW64\Iencmm32.exeC:\Windows\system32\Iencmm32.exe109⤵PID:5856
-
C:\Windows\SysWOW64\Ilhkigcd.exeC:\Windows\system32\Ilhkigcd.exe110⤵
- Drops file in System32 directory
PID:5896 -
C:\Windows\SysWOW64\Ibbcfa32.exeC:\Windows\system32\Ibbcfa32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5936 -
C:\Windows\SysWOW64\Iccpniqp.exeC:\Windows\system32\Iccpniqp.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5976 -
C:\Windows\SysWOW64\Ilkhog32.exeC:\Windows\system32\Ilkhog32.exe113⤵
- Drops file in System32 directory
PID:6012 -
C:\Windows\SysWOW64\Iagqgn32.exeC:\Windows\system32\Iagqgn32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6060 -
C:\Windows\SysWOW64\Ilmedf32.exeC:\Windows\system32\Ilmedf32.exe115⤵PID:6112
-
C:\Windows\SysWOW64\Ibgmaqfl.exeC:\Windows\system32\Ibgmaqfl.exe116⤵PID:5172
-
C:\Windows\SysWOW64\Ihceigec.exeC:\Windows\system32\Ihceigec.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5212 -
C:\Windows\SysWOW64\Jhhodg32.exeC:\Windows\system32\Jhhodg32.exe118⤵
- Modifies registry class
PID:5280 -
C:\Windows\SysWOW64\Jdopjh32.exeC:\Windows\system32\Jdopjh32.exe119⤵PID:5404
-
C:\Windows\SysWOW64\Jeolckne.exeC:\Windows\system32\Jeolckne.exe120⤵
- Modifies registry class
PID:5520 -
C:\Windows\SysWOW64\Jbbmmo32.exeC:\Windows\system32\Jbbmmo32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5628
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-