Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
33s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
05/11/2023, 17:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.c175fdb0828444027a43998e5fa33f10_JC.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.c175fdb0828444027a43998e5fa33f10_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.c175fdb0828444027a43998e5fa33f10_JC.exe
-
Size
52KB
-
MD5
c175fdb0828444027a43998e5fa33f10
-
SHA1
eafe901d3bac1dcd407a2b422272adbed5f67b66
-
SHA256
dc55e78aad3684e97854bae4ef3a71bb69efa73b1593e7c5ed5e416fc211cc35
-
SHA512
0c78d603993c78f9f683ef70aa68d8c37e2c1f6654c2eab871e5b511d0a7b250486dc28c214dbbb02c67fade92b5da6fdfedfb2cda56bec58b3471a153229ab3
-
SSDEEP
768:QqCl+f7ZcjV46yIjN3XSdic+y4JtpCpqeqJrpMN/1H5F/snoMABvKWe:QqCUZcjxJAI5tpCpQruHAoMAdKZ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epbpbnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpcqnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcghof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdojgmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odmabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Incbgnmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffkoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joiappkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eclbcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eknmhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knjegqif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdbiji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cehfkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgefefnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjcoqdoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meoell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imiigiab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibcnojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nplfdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdldnomh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmlgfnal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmkeke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnjbeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mikjpiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgbipf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iegjqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bflbigdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnfomn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplfdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odbeilbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmgalkcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kobkpdfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkcpei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgalkcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjpqpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbdhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpmjhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkhgip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khoebi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbbgod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiecgjba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbofjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oonldcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Palepb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcbankf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caaggpdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gicdnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhffnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dojddmec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjllab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjlheehe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpnmgdli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnflo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhffnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elqaca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iipiljgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbnljqic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjmpcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjglkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dejbqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmkncofl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbmapj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chnbcpmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmjqpdje.exe -
Executes dropped EXE 64 IoCs
pid Process 1288 Dacnbjml.exe 2732 Daejhjkj.exe 2748 Dhobddbf.exe 2960 Dahgni32.exe 2228 Dgdpfp32.exe 2556 Eckpkamb.exe 2364 Enqdhj32.exe 1692 Epoqde32.exe 2692 Ecpjfq32.exe 732 Ecbfkpfk.exe 1944 Eoigpa32.exe 760 Ehakigbo.exe 1632 Fdhlnhhc.exe 2172 Fblmglgm.exe 2324 Fgiepced.exe 2976 Fmfnhj32.exe 2300 Fqcfnhjb.exe 820 Fiokbjgn.exe 312 Gmmdiind.exe 1756 Gbjlaplk.exe 1832 Gicdnj32.exe 1848 Gnpmfqap.exe 1548 Gifaciae.exe 2880 Gbnflo32.exe 816 Gembhj32.exe 1540 Gbqbaofc.exe 1448 Gdboig32.exe 1604 Hafock32.exe 1964 Hhpgpebh.exe 2964 Hnjplo32.exe 1924 Hicqmmfc.exe 2904 Hdiejfej.exe 2584 Hifmbmda.exe 2568 Hppfog32.exe 3056 Helngnie.exe 864 Hflkaq32.exe 2936 Ihmgiiff.exe 2004 Iaelanmg.exe 1044 Ihpdoh32.exe 1020 Iknpkd32.exe 1728 Iecdhm32.exe 1476 Ikpmpc32.exe 2496 Idiaii32.exe 1652 Iggned32.exe 2468 Idknoi32.exe 1876 Incbgnmc.exe 896 Jglgpdcc.exe 684 Jnfomn32.exe 2376 Jdpgjhbm.exe 1216 Jeadap32.exe 1640 Jpfhoi32.exe 1608 Joihjfnl.exe 2096 Jgqpkc32.exe 1536 Jhamckel.exe 1672 Jcgapdeb.exe 2232 Jjaimn32.exe 2400 Jlpeij32.exe 2784 Jonbee32.exe 2856 Jblnaq32.exe 2644 Jhffnk32.exe 2704 Kopokehd.exe 2652 Kfjggo32.exe 2828 Khiccj32.exe 2524 Kobkpdfa.exe -
Loads dropped DLL 64 IoCs
pid Process 2040 NEAS.c175fdb0828444027a43998e5fa33f10_JC.exe 2040 NEAS.c175fdb0828444027a43998e5fa33f10_JC.exe 1288 Dacnbjml.exe 1288 Dacnbjml.exe 2732 Daejhjkj.exe 2732 Daejhjkj.exe 2748 Dhobddbf.exe 2748 Dhobddbf.exe 2960 Dahgni32.exe 2960 Dahgni32.exe 2228 Dgdpfp32.exe 2228 Dgdpfp32.exe 2556 Eckpkamb.exe 2556 Eckpkamb.exe 2364 Enqdhj32.exe 2364 Enqdhj32.exe 1692 Epoqde32.exe 1692 Epoqde32.exe 2692 Ecpjfq32.exe 2692 Ecpjfq32.exe 732 Ecbfkpfk.exe 732 Ecbfkpfk.exe 1944 Eoigpa32.exe 1944 Eoigpa32.exe 760 Ehakigbo.exe 760 Ehakigbo.exe 1632 Fdhlnhhc.exe 1632 Fdhlnhhc.exe 2172 Fblmglgm.exe 2172 Fblmglgm.exe 2324 Fgiepced.exe 2324 Fgiepced.exe 2976 Fmfnhj32.exe 2976 Fmfnhj32.exe 2300 Fqcfnhjb.exe 2300 Fqcfnhjb.exe 820 Fiokbjgn.exe 820 Fiokbjgn.exe 312 Gmmdiind.exe 312 Gmmdiind.exe 1756 Gbjlaplk.exe 1756 Gbjlaplk.exe 1832 Gicdnj32.exe 1832 Gicdnj32.exe 1848 Gnpmfqap.exe 1848 Gnpmfqap.exe 1548 Gifaciae.exe 1548 Gifaciae.exe 2880 Gbnflo32.exe 2880 Gbnflo32.exe 816 Gembhj32.exe 816 Gembhj32.exe 1540 Gbqbaofc.exe 1540 Gbqbaofc.exe 1448 Gdboig32.exe 1448 Gdboig32.exe 1604 Hafock32.exe 1604 Hafock32.exe 1964 Hhpgpebh.exe 1964 Hhpgpebh.exe 2964 Hnjplo32.exe 2964 Hnjplo32.exe 1924 Hicqmmfc.exe 1924 Hicqmmfc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ecbfkpfk.exe Ecpjfq32.exe File created C:\Windows\SysWOW64\Jkkija32.exe Jlhhndno.exe File created C:\Windows\SysWOW64\Adfqgl32.exe Adcdbl32.exe File created C:\Windows\SysWOW64\Iidgma32.dll Hnjbeh32.exe File created C:\Windows\SysWOW64\Aoecna32.dll Hdlkcdog.exe File created C:\Windows\SysWOW64\Npmphinm.exe Nmnclmoj.exe File created C:\Windows\SysWOW64\Mhookbna.dll Jglgpdcc.exe File opened for modification C:\Windows\SysWOW64\Khkpijma.exe Kobkpdfa.exe File created C:\Windows\SysWOW64\Bkijnbae.dll Mjcoqdoc.exe File created C:\Windows\SysWOW64\Ifmnalja.dll Ommfga32.exe File created C:\Windows\SysWOW64\Pkacpihj.exe Pdgkco32.exe File created C:\Windows\SysWOW64\Ffhnoj32.dll Fbbofjnh.exe File created C:\Windows\SysWOW64\Ecgdipbc.dll Bjmbqhif.exe File created C:\Windows\SysWOW64\Eklqcl32.exe Ecploipa.exe File created C:\Windows\SysWOW64\Nfocik32.dll Fmfnhj32.exe File opened for modification C:\Windows\SysWOW64\Ogekpg32.exe Opkccm32.exe File created C:\Windows\SysWOW64\Ldllgiek.exe Lomgjb32.exe File opened for modification C:\Windows\SysWOW64\Bflbigdb.exe Bcmfmlen.exe File created C:\Windows\SysWOW64\Aeeeakip.dll Cgkocj32.exe File opened for modification C:\Windows\SysWOW64\Cmhglq32.exe Cjjkpe32.exe File created C:\Windows\SysWOW64\Nbdmji32.dll Jaoqqflp.exe File opened for modification C:\Windows\SysWOW64\Gnpmfqap.exe Gicdnj32.exe File created C:\Windows\SysWOW64\Idknoi32.exe Iggned32.exe File created C:\Windows\SysWOW64\Jojndakj.dll Jgqpkc32.exe File opened for modification C:\Windows\SysWOW64\Pdldnomh.exe Pkcpei32.exe File opened for modification C:\Windows\SysWOW64\Bmkomchi.exe Bjmbqhif.exe File created C:\Windows\SysWOW64\Mhhigm32.dll Bbjmpcab.exe File opened for modification C:\Windows\SysWOW64\Hifmbmda.exe Hdiejfej.exe File opened for modification C:\Windows\SysWOW64\Acnjnh32.exe Amcbankf.exe File created C:\Windows\SysWOW64\Mdeobp32.dll Fncpef32.exe File opened for modification C:\Windows\SysWOW64\Idkpganf.exe Iamdkfnc.exe File created C:\Windows\SysWOW64\Mpebmc32.exe Mikjpiim.exe File opened for modification C:\Windows\SysWOW64\Nlnpgd32.exe Nbflno32.exe File created C:\Windows\SysWOW64\Kllnhg32.exe Khabghdl.exe File created C:\Windows\SysWOW64\Nagbgl32.exe Nmlgfnal.exe File created C:\Windows\SysWOW64\Qackpado.exe Qododfek.exe File created C:\Windows\SysWOW64\Iaelanmg.exe Ihmgiiff.exe File opened for modification C:\Windows\SysWOW64\Bjmbqhif.exe Bgnfdm32.exe File created C:\Windows\SysWOW64\Oniefifl.dll Bgqcjlhp.exe File created C:\Windows\SysWOW64\Hembkl32.dll Ifffkncm.exe File created C:\Windows\SysWOW64\Lomgjb32.exe Khcomhbi.exe File created C:\Windows\SysWOW64\Dnoldn32.dll Lomgjb32.exe File created C:\Windows\SysWOW64\Bbbgod32.exe Aodkci32.exe File created C:\Windows\SysWOW64\Bbnlpnob.dll Hboddk32.exe File created C:\Windows\SysWOW64\Bikppe32.dll Jpfhoi32.exe File created C:\Windows\SysWOW64\Iggmbm32.dll Mdbiji32.exe File opened for modification C:\Windows\SysWOW64\Ipokcdjn.exe Iiecgjba.exe File created C:\Windows\SysWOW64\Kongke32.dll Nlnpgd32.exe File opened for modification C:\Windows\SysWOW64\Fnacpffh.exe Fhdjgoha.exe File created C:\Windows\SysWOW64\Mjaddn32.exe Lnjcomcf.exe File created C:\Windows\SysWOW64\Gicdnj32.exe Gbjlaplk.exe File opened for modification C:\Windows\SysWOW64\Kdbpnk32.exe Kbcdbp32.exe File created C:\Windows\SysWOW64\Opakbgif.dll Ciifbchf.exe File opened for modification C:\Windows\SysWOW64\Dchmkkkj.exe Dkadjn32.exe File created C:\Windows\SysWOW64\Dlfgcl32.exe Ddpobo32.exe File created C:\Windows\SysWOW64\Fdcfhj32.dll Eklqcl32.exe File created C:\Windows\SysWOW64\Iknpkd32.exe Ihpdoh32.exe File created C:\Windows\SysWOW64\Lidqce32.dll Khcomhbi.exe File opened for modification C:\Windows\SysWOW64\Mbnljqic.exe Mkddnf32.exe File opened for modification C:\Windows\SysWOW64\Fcnkhmdp.exe Fnacpffh.exe File created C:\Windows\SysWOW64\Lhfefgkg.exe Ljddjj32.exe File created C:\Windows\SysWOW64\Pdldnomh.exe Pkcpei32.exe File created C:\Windows\SysWOW64\Mlionk32.dll Ihpfgalh.exe File opened for modification C:\Windows\SysWOW64\Nefbga32.exe Nbhfke32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 972 1128 WerFault.exe 101 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqkfag32.dll" Oidglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hllmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhoice32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpogbgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idkhmgco.dll" Pphkbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfapejnp.dll" Ppkhhjei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dklddhka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgbipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcekola.dll" Kddmdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogekpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njifbl32.dll" Cdjmcpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcnhf32.dll" Gegabegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpcqnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidgma32.dll" Hnjbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjehmbkc.dll" Hpphhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecbfkpfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jojkco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oidglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogcjhb.dll" Qqdbiopj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aojojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpkadj32.dll" Mejlalji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opfbngfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapecq32.dll" Okdmjdol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bajqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogekpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joiappkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbkmo32.dll" Kfnmpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfpecqda.dll" Maefamlh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajeeeblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majdmi32.dll" Jhbold32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhfefgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfeikcfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbogfcjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpphhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdiefffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gembhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfjcfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjkjle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhejnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibmgpoia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jepmgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjggnbo.dll" Joiappkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iggned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkibpkho.dll" Pcghof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bflbigdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnfomn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kobkpdfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdgkco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chnbcpmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edlfhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdfkqifa.dll" Mkddnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlhnifmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdakniag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdboig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmjqpdje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcnkhmdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dljdnm32.dll" Klbdgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjlheehe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmjnak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phhjblpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcdjoaee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfeikcfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aibcba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akeijlfq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2040 wrote to memory of 1288 2040 NEAS.c175fdb0828444027a43998e5fa33f10_JC.exe 28 PID 2040 wrote to memory of 1288 2040 NEAS.c175fdb0828444027a43998e5fa33f10_JC.exe 28 PID 2040 wrote to memory of 1288 2040 NEAS.c175fdb0828444027a43998e5fa33f10_JC.exe 28 PID 2040 wrote to memory of 1288 2040 NEAS.c175fdb0828444027a43998e5fa33f10_JC.exe 28 PID 1288 wrote to memory of 2732 1288 Dacnbjml.exe 29 PID 1288 wrote to memory of 2732 1288 Dacnbjml.exe 29 PID 1288 wrote to memory of 2732 1288 Dacnbjml.exe 29 PID 1288 wrote to memory of 2732 1288 Dacnbjml.exe 29 PID 2732 wrote to memory of 2748 2732 Daejhjkj.exe 30 PID 2732 wrote to memory of 2748 2732 Daejhjkj.exe 30 PID 2732 wrote to memory of 2748 2732 Daejhjkj.exe 30 PID 2732 wrote to memory of 2748 2732 Daejhjkj.exe 30 PID 2748 wrote to memory of 2960 2748 Dhobddbf.exe 31 PID 2748 wrote to memory of 2960 2748 Dhobddbf.exe 31 PID 2748 wrote to memory of 2960 2748 Dhobddbf.exe 31 PID 2748 wrote to memory of 2960 2748 Dhobddbf.exe 31 PID 2960 wrote to memory of 2228 2960 Dahgni32.exe 32 PID 2960 wrote to memory of 2228 2960 Dahgni32.exe 32 PID 2960 wrote to memory of 2228 2960 Dahgni32.exe 32 PID 2960 wrote to memory of 2228 2960 Dahgni32.exe 32 PID 2228 wrote to memory of 2556 2228 Dgdpfp32.exe 33 PID 2228 wrote to memory of 2556 2228 Dgdpfp32.exe 33 PID 2228 wrote to memory of 2556 2228 Dgdpfp32.exe 33 PID 2228 wrote to memory of 2556 2228 Dgdpfp32.exe 33 PID 2556 wrote to memory of 2364 2556 Eckpkamb.exe 34 PID 2556 wrote to memory of 2364 2556 Eckpkamb.exe 34 PID 2556 wrote to memory of 2364 2556 Eckpkamb.exe 34 PID 2556 wrote to memory of 2364 2556 Eckpkamb.exe 34 PID 2364 wrote to memory of 1692 2364 Enqdhj32.exe 35 PID 2364 wrote to memory of 1692 2364 Enqdhj32.exe 35 PID 2364 wrote to memory of 1692 2364 Enqdhj32.exe 35 PID 2364 wrote to memory of 1692 2364 Enqdhj32.exe 35 PID 1692 wrote to memory of 2692 1692 Epoqde32.exe 36 PID 1692 wrote to memory of 2692 1692 Epoqde32.exe 36 PID 1692 wrote to memory of 2692 1692 Epoqde32.exe 36 PID 1692 wrote to memory of 2692 1692 Epoqde32.exe 36 PID 2692 wrote to memory of 732 2692 Ecpjfq32.exe 37 PID 2692 wrote to memory of 732 2692 Ecpjfq32.exe 37 PID 2692 wrote to memory of 732 2692 Ecpjfq32.exe 37 PID 2692 wrote to memory of 732 2692 Ecpjfq32.exe 37 PID 732 wrote to memory of 1944 732 Ecbfkpfk.exe 38 PID 732 wrote to memory of 1944 732 Ecbfkpfk.exe 38 PID 732 wrote to memory of 1944 732 Ecbfkpfk.exe 38 PID 732 wrote to memory of 1944 732 Ecbfkpfk.exe 38 PID 1944 wrote to memory of 760 1944 Eoigpa32.exe 39 PID 1944 wrote to memory of 760 1944 Eoigpa32.exe 39 PID 1944 wrote to memory of 760 1944 Eoigpa32.exe 39 PID 1944 wrote to memory of 760 1944 Eoigpa32.exe 39 PID 760 wrote to memory of 1632 760 Ehakigbo.exe 40 PID 760 wrote to memory of 1632 760 Ehakigbo.exe 40 PID 760 wrote to memory of 1632 760 Ehakigbo.exe 40 PID 760 wrote to memory of 1632 760 Ehakigbo.exe 40 PID 1632 wrote to memory of 2172 1632 Fdhlnhhc.exe 41 PID 1632 wrote to memory of 2172 1632 Fdhlnhhc.exe 41 PID 1632 wrote to memory of 2172 1632 Fdhlnhhc.exe 41 PID 1632 wrote to memory of 2172 1632 Fdhlnhhc.exe 41 PID 2172 wrote to memory of 2324 2172 Fblmglgm.exe 42 PID 2172 wrote to memory of 2324 2172 Fblmglgm.exe 42 PID 2172 wrote to memory of 2324 2172 Fblmglgm.exe 42 PID 2172 wrote to memory of 2324 2172 Fblmglgm.exe 42 PID 2324 wrote to memory of 2976 2324 Fgiepced.exe 43 PID 2324 wrote to memory of 2976 2324 Fgiepced.exe 43 PID 2324 wrote to memory of 2976 2324 Fgiepced.exe 43 PID 2324 wrote to memory of 2976 2324 Fgiepced.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c175fdb0828444027a43998e5fa33f10_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.c175fdb0828444027a43998e5fa33f10_JC.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Dacnbjml.exeC:\Windows\system32\Dacnbjml.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Dhobddbf.exeC:\Windows\system32\Dhobddbf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Dahgni32.exeC:\Windows\system32\Dahgni32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Dgdpfp32.exeC:\Windows\system32\Dgdpfp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Eckpkamb.exeC:\Windows\system32\Eckpkamb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Enqdhj32.exeC:\Windows\system32\Enqdhj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Epoqde32.exeC:\Windows\system32\Epoqde32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Ecpjfq32.exeC:\Windows\system32\Ecpjfq32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Ecbfkpfk.exeC:\Windows\system32\Ecbfkpfk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SysWOW64\Eoigpa32.exeC:\Windows\system32\Eoigpa32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Ehakigbo.exeC:\Windows\system32\Ehakigbo.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Fdhlnhhc.exeC:\Windows\system32\Fdhlnhhc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Fblmglgm.exeC:\Windows\system32\Fblmglgm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Fgiepced.exeC:\Windows\system32\Fgiepced.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Fmfnhj32.exeC:\Windows\system32\Fmfnhj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Fqcfnhjb.exeC:\Windows\system32\Fqcfnhjb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Fiokbjgn.exeC:\Windows\system32\Fiokbjgn.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:820 -
C:\Windows\SysWOW64\Gmmdiind.exeC:\Windows\system32\Gmmdiind.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:312 -
C:\Windows\SysWOW64\Gbjlaplk.exeC:\Windows\system32\Gbjlaplk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Gicdnj32.exeC:\Windows\system32\Gicdnj32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Gnpmfqap.exeC:\Windows\system32\Gnpmfqap.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\Gifaciae.exeC:\Windows\system32\Gifaciae.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Gbnflo32.exeC:\Windows\system32\Gbnflo32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Gembhj32.exeC:\Windows\system32\Gembhj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:816 -
C:\Windows\SysWOW64\Gbqbaofc.exeC:\Windows\system32\Gbqbaofc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Gdboig32.exeC:\Windows\system32\Gdboig32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1448 -
C:\Windows\SysWOW64\Hafock32.exeC:\Windows\system32\Hafock32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Hhpgpebh.exeC:\Windows\system32\Hhpgpebh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Hnjplo32.exeC:\Windows\system32\Hnjplo32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Hicqmmfc.exeC:\Windows\system32\Hicqmmfc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Hdiejfej.exeC:\Windows\system32\Hdiejfej.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Hifmbmda.exeC:\Windows\system32\Hifmbmda.exe34⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Hppfog32.exeC:\Windows\system32\Hppfog32.exe35⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Helngnie.exeC:\Windows\system32\Helngnie.exe36⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Hflkaq32.exeC:\Windows\system32\Hflkaq32.exe37⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Ihmgiiff.exeC:\Windows\system32\Ihmgiiff.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Iaelanmg.exeC:\Windows\system32\Iaelanmg.exe39⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Ihpdoh32.exeC:\Windows\system32\Ihpdoh32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Iknpkd32.exeC:\Windows\system32\Iknpkd32.exe41⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Iecdhm32.exeC:\Windows\system32\Iecdhm32.exe42⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe43⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Idiaii32.exeC:\Windows\system32\Idiaii32.exe44⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Iggned32.exeC:\Windows\system32\Iggned32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Idknoi32.exeC:\Windows\system32\Idknoi32.exe46⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Incbgnmc.exeC:\Windows\system32\Incbgnmc.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Jglgpdcc.exeC:\Windows\system32\Jglgpdcc.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Jnfomn32.exeC:\Windows\system32\Jnfomn32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Jdpgjhbm.exeC:\Windows\system32\Jdpgjhbm.exe50⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe51⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Jpfhoi32.exeC:\Windows\system32\Jpfhoi32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Joihjfnl.exeC:\Windows\system32\Joihjfnl.exe53⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Jgqpkc32.exeC:\Windows\system32\Jgqpkc32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Jhamckel.exeC:\Windows\system32\Jhamckel.exe55⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Jcgapdeb.exeC:\Windows\system32\Jcgapdeb.exe56⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Jjaimn32.exeC:\Windows\system32\Jjaimn32.exe57⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Jlpeij32.exeC:\Windows\system32\Jlpeij32.exe58⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe59⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe60⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Kopokehd.exeC:\Windows\system32\Kopokehd.exe62⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe63⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Khiccj32.exeC:\Windows\system32\Khiccj32.exe64⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Kobkpdfa.exeC:\Windows\system32\Kobkpdfa.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Khkpijma.exeC:\Windows\system32\Khkpijma.exe66⤵PID:1804
-
C:\Windows\SysWOW64\Kjllab32.exeC:\Windows\system32\Kjllab32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:524 -
C:\Windows\SysWOW64\Kbcdbp32.exeC:\Windows\system32\Kbcdbp32.exe68⤵
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Kdbpnk32.exeC:\Windows\system32\Kdbpnk32.exe69⤵PID:1096
-
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe70⤵PID:2308
-
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe71⤵PID:2628
-
C:\Windows\SysWOW64\Knjegqif.exeC:\Windows\system32\Knjegqif.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2864 -
C:\Windows\SysWOW64\Kddmdk32.exeC:\Windows\system32\Kddmdk32.exe73⤵
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Kgbipf32.exeC:\Windows\system32\Kgbipf32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:396 -
C:\Windows\SysWOW64\Kfeikcfa.exeC:\Windows\system32\Kfeikcfa.exe75⤵
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Knmamp32.exeC:\Windows\system32\Knmamp32.exe76⤵PID:1852
-
C:\Windows\SysWOW64\Kqknil32.exeC:\Windows\system32\Kqknil32.exe77⤵PID:1340
-
C:\Windows\SysWOW64\Kgefefnd.exeC:\Windows\system32\Kgefefnd.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1244 -
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe79⤵PID:1460
-
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe80⤵PID:2248
-
C:\Windows\SysWOW64\Lbogfcjc.exeC:\Windows\system32\Lbogfcjc.exe81⤵
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe82⤵
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Mjcoqdoc.exeC:\Windows\system32\Mjcoqdoc.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2752 -
C:\Windows\SysWOW64\Mmdgbp32.exeC:\Windows\system32\Mmdgbp32.exe84⤵PID:2516
-
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe85⤵PID:1780
-
C:\Windows\SysWOW64\Mfoiqe32.exeC:\Windows\system32\Mfoiqe32.exe86⤵PID:1992
-
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe87⤵PID:1972
-
C:\Windows\SysWOW64\Mmhamoho.exeC:\Windows\system32\Mmhamoho.exe88⤵PID:1984
-
C:\Windows\SysWOW64\Mdbiji32.exeC:\Windows\system32\Mdbiji32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Nmkncofl.exeC:\Windows\system32\Nmkncofl.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3016 -
C:\Windows\SysWOW64\Nbhfke32.exeC:\Windows\system32\Nbhfke32.exe91⤵
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Nefbga32.exeC:\Windows\system32\Nefbga32.exe92⤵PID:792
-
C:\Windows\SysWOW64\Nplfdj32.exeC:\Windows\system32\Nplfdj32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2332 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe94⤵PID:1664
-
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe95⤵PID:1856
-
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe96⤵PID:2032
-
C:\Windows\SysWOW64\Nocpkf32.exeC:\Windows\system32\Nocpkf32.exe97⤵PID:2672
-
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe98⤵PID:3000
-
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe99⤵PID:2076
-
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2908 -
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe101⤵PID:2612
-
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe102⤵PID:2616
-
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe103⤵PID:2664
-
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe104⤵
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe105⤵
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe106⤵
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe107⤵
- Modifies registry class
PID:608 -
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe108⤵PID:1636
-
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe109⤵PID:2356
-
C:\Windows\SysWOW64\Oekhacbn.exeC:\Windows\system32\Oekhacbn.exe110⤵PID:2336
-
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe111⤵PID:2484
-
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe112⤵PID:1656
-
C:\Windows\SysWOW64\Ocohkh32.exeC:\Windows\system32\Ocohkh32.exe113⤵PID:1808
-
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe114⤵PID:2340
-
C:\Windows\SysWOW64\Pkjmoj32.exeC:\Windows\system32\Pkjmoj32.exe115⤵PID:2204
-
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe116⤵PID:2780
-
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe117⤵PID:2436
-
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe118⤵PID:2776
-
C:\Windows\SysWOW64\Pddnnp32.exeC:\Windows\system32\Pddnnp32.exe119⤵PID:2808
-
C:\Windows\SysWOW64\Pkofjijm.exeC:\Windows\system32\Pkofjijm.exe120⤵PID:2016
-
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe121⤵PID:1956
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-