Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
137s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
13/11/2023, 02:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.4b44b960973a8f4a0e58837fe1549760.exe
Resource
win7-20231020-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.4b44b960973a8f4a0e58837fe1549760.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.4b44b960973a8f4a0e58837fe1549760.exe
-
Size
383KB
-
MD5
4b44b960973a8f4a0e58837fe1549760
-
SHA1
cec8b6a0984fd2a81300d2baa682a35b32d20774
-
SHA256
18baadaba098b4ce8ab2b390599235f4cbbb0d681bbc20e34cdd51bbcc0d420e
-
SHA512
767b827d4b6d5d72bc2e80f67c3c6f193f978df1310addc154937b26294f2602820bc72fb0f6912a8152bea6fda93d7b16f452347a4261e2e9ea14e7823a0a5f
-
SSDEEP
6144:34cuitl8zyP15rrDyDF8/C5w0Os3BMm+LN3K3UYA5ADwr2n1SJS0oTEUF7q3QC:3F0zyPbrrDyD+uOrm+LN3K3VA5ADwr26
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhell32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbkdgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpanmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecikjoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlcidopb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlobmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maoakaip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pndhhnda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lglopjkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmneemaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iapbodql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npmjij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmphjfab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flodilma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkjoqnei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffcedd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gffkpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokpcmmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjnihnmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djjemlhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhgdmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgnblm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apobakpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngklppei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjcccm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdgdeppb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgllad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngklppei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djjobedk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acbhhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eenflbll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cohkinob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmjojh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laofhbmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmijnfgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmqiec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cokgonmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fggkifmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdiglgbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bedgejbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqhpjohb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mndcnafd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfniikha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijngkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nboiekjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbkcek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llqhdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcidopb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pndhhnda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npmjij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohdbkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enigjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blqlgdhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmblhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djipbbne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deidjf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mobbdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kidmcqeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogbbqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejdonq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geflne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfkich32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olnmdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aifpoj32.exe -
Executes dropped EXE 64 IoCs
pid Process 1456 Cpljehpo.exe 4616 Ccmcgcmp.exe 8 Caqpkjcl.exe 4304 Dknnoofg.exe 3752 Enhifi32.exe 1988 Ephbhd32.exe 1708 Ecikjoep.exe 2888 Fclhpo32.exe 932 Fdbkja32.exe 1740 Gdgdeppb.exe 2816 Gndbie32.exe 892 Hnhkdd32.exe 2568 Hgcmbj32.exe 2252 Ibnjkbog.exe 2688 Ibpgqa32.exe 4408 Ilmedf32.exe 3476 Jdmcdhhe.exe 4712 Jbppgona.exe 3444 Kalcik32.exe 4328 Klddlckd.exe 2740 Lddble32.exe 4396 Lolcnman.exe 3460 Lkcccn32.exe 4920 Lhgdmb32.exe 2836 Mclhjkfa.exe 4976 Mklfjm32.exe 4860 Mahklf32.exe 1888 Nlcidopb.exe 4084 Nfknmd32.exe 3996 Nfnjbdep.exe 1500 Oloipmfd.exe 3812 Oooaah32.exe 1744 Pkholi32.exe 2316 Pokanf32.exe 3252 Pkabbgol.exe 4264 Qihoak32.exe 4556 Amfhgj32.exe 2084 Aimhmkgn.exe 4292 Aioebj32.exe 3636 Alpnde32.exe 964 Amoknh32.exe 4108 Bcbeqaia.exe 868 Cbhbbn32.exe 5088 Cbjogmlf.exe 752 Cbmlmmjd.exe 1648 Clijablo.exe 3108 Dipgpf32.exe 2656 Dibdeegc.exe 2972 Deidjf32.exe 4376 Eennefib.exe 1440 Edoncm32.exe 4348 Egpgehnb.exe 2060 Eippgckc.exe 4756 Eibmlc32.exe 408 Fpandm32.exe 1788 Fjjcmbci.exe 3560 Fgncff32.exe 1952 Fpfholhc.exe 4036 Gnjhhpgl.exe 1096 Gnlenp32.exe 2560 Gfgjbb32.exe 3220 Gmdoel32.exe 4720 Gnckooob.exe 1976 Hqddqj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jgekdq32.exe Hmbkfjko.exe File created C:\Windows\SysWOW64\Bedgejbo.exe Ainfpi32.exe File created C:\Windows\SysWOW64\Noedejje.dll Gffkpa32.exe File created C:\Windows\SysWOW64\Lqdcio32.exe Lglopjkg.exe File opened for modification C:\Windows\SysWOW64\Nkjlqd32.exe Naaghoik.exe File created C:\Windows\SysWOW64\Ijblcb32.dll Lagepl32.exe File created C:\Windows\SysWOW64\Eagnpn32.dll Jookjpam.exe File created C:\Windows\SysWOW64\Felbmqpl.exe Fcjimnjl.exe File created C:\Windows\SysWOW64\Qgamdnme.dll Jdiglgbg.exe File opened for modification C:\Windows\SysWOW64\Lonnfg32.exe Ldiiio32.exe File created C:\Windows\SysWOW64\Lmqiec32.exe Lajhpbme.exe File created C:\Windows\SysWOW64\Jcimnfna.dll Ghfnej32.exe File created C:\Windows\SysWOW64\Jdiglgbg.exe Jahnkl32.exe File created C:\Windows\SysWOW64\Lkjoqnei.exe Lbbjhini.exe File opened for modification C:\Windows\SysWOW64\Jmnheggo.exe Jpjhlche.exe File opened for modification C:\Windows\SysWOW64\Niqnli32.exe Nkmmbe32.exe File opened for modification C:\Windows\SysWOW64\Ihagfb32.exe Hmlbij32.exe File created C:\Windows\SysWOW64\Pgllad32.exe Pndhhnda.exe File opened for modification C:\Windows\SysWOW64\Efjgpc32.exe Eldbbjof.exe File created C:\Windows\SysWOW64\Nghhhc32.dll Efampahd.exe File created C:\Windows\SysWOW64\Ljccfoqj.dll Gedohfmp.exe File opened for modification C:\Windows\SysWOW64\Ccbaoc32.exe Bnehgmob.exe File created C:\Windows\SysWOW64\Djjemlhf.exe Dncehk32.exe File opened for modification C:\Windows\SysWOW64\Bpkbmi32.exe Bgbmdd32.exe File opened for modification C:\Windows\SysWOW64\Lqdcio32.exe Lglopjkg.exe File opened for modification C:\Windows\SysWOW64\Hgcmbj32.exe Hnhkdd32.exe File created C:\Windows\SysWOW64\Jbppgona.exe Jdmcdhhe.exe File opened for modification C:\Windows\SysWOW64\Mklfjm32.exe Mclhjkfa.exe File opened for modification C:\Windows\SysWOW64\Agaoca32.exe Agobna32.exe File opened for modification C:\Windows\SysWOW64\Ijngkf32.exe Iiokacgp.exe File created C:\Windows\SysWOW64\Mpnngh32.exe Lmneemaq.exe File created C:\Windows\SysWOW64\Jgedpmpf.dll Nlcidopb.exe File opened for modification C:\Windows\SysWOW64\Eennefib.exe Deidjf32.exe File opened for modification C:\Windows\SysWOW64\Ihlgan32.exe Iapbodql.exe File created C:\Windows\SysWOW64\Iejgelej.exe Ikechced.exe File opened for modification C:\Windows\SysWOW64\Nofmndkd.exe Nqdlpmce.exe File created C:\Windows\SysWOW64\Edkakncg.dll Mahklf32.exe File created C:\Windows\SysWOW64\Doagdn32.dll Dmphjfab.exe File created C:\Windows\SysWOW64\Lfimmhkg.exe Llqhdb32.exe File created C:\Windows\SysWOW64\Lfkich32.exe Loaafnah.exe File opened for modification C:\Windows\SysWOW64\Aidcjk32.exe Qbhnga32.exe File opened for modification C:\Windows\SysWOW64\Cjbhbf32.exe Comddn32.exe File created C:\Windows\SysWOW64\Caqpkjcl.exe Ccmcgcmp.exe File created C:\Windows\SysWOW64\Aoonpe32.dll Akkmocjl.exe File created C:\Windows\SysWOW64\Inflio32.exe Iejgelej.exe File created C:\Windows\SysWOW64\Pnimia32.dll Bodano32.exe File created C:\Windows\SysWOW64\Ephbhd32.exe Enhifi32.exe File created C:\Windows\SysWOW64\Delcme32.dll Iqmplbpl.exe File created C:\Windows\SysWOW64\Hicobn32.dll Jhcmbm32.exe File opened for modification C:\Windows\SysWOW64\Cgbfka32.exe Cnjbbl32.exe File created C:\Windows\SysWOW64\Pkjdhm32.dll Aimhmkgn.exe File created C:\Windows\SysWOW64\Kjmjgk32.exe Jmijnfgd.exe File opened for modification C:\Windows\SysWOW64\Jokpcmmj.exe Ijngkf32.exe File created C:\Windows\SysWOW64\Bfnknk32.dll Dgnffp32.exe File created C:\Windows\SysWOW64\Oecopk32.dll Qbhnga32.exe File opened for modification C:\Windows\SysWOW64\Fjldocde.exe Efolidno.exe File opened for modification C:\Windows\SysWOW64\Ibpgqa32.exe Ibnjkbog.exe File created C:\Windows\SysWOW64\Kalcik32.exe Jbppgona.exe File opened for modification C:\Windows\SysWOW64\Egpgehnb.exe Edoncm32.exe File created C:\Windows\SysWOW64\Ffdcne32.dll Fhnichde.exe File created C:\Windows\SysWOW64\Oaejhh32.exe Ogpfko32.exe File created C:\Windows\SysWOW64\Ieajfd32.dll Jfgnka32.exe File created C:\Windows\SysWOW64\Pkabbgol.exe Pokanf32.exe File created C:\Windows\SysWOW64\Jfkhfmdm.exe Jgekdq32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7108 5592 WerFault.exe 534 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pokanf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpmmfbfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibdlc32.dll" Ghgeoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojhnlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodfed32.dll" Ephbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pklkbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ficlmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaandh32.dll" Cjlbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aimhmkgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndinck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qibmoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apobakpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knjhae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ephbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjjcmbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncieicai.dll" Pgcbbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donloloo.dll" Cghgpgqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akfhnjnb.dll" Cnjbbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dodjemee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lolcnman.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijngkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgbfka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agmmnnpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dibdeegc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgeadjai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oibdhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gechnpid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dodjemee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnofpqff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maoakaip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deidjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobeniph.dll" Kmkpipaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akkmocjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dklomnmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkpdnm32.dll" Pkholi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efampahd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjjlchnk.dll" Bckknd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmblhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgamdnme.dll" Jdiglgbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paohbmke.dll" Llqhdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaajfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaofbqgi.dll" Nkjlqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eldbbjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaocfebe.dll" Eenflbll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbkdgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbppgona.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aapkgh32.dll" Jjhalkjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Labkempb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmmokgne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdgep32.dll" Nfnjbdep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfigmch.dll" Npmjij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgcbbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbdmdlie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgnka32.dll" Iapbodql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecopk32.dll" Qbhnga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjhalkjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndinck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phbolflm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdcne32.dll" Fhnichde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkhbnh32.dll" Djipbbne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odelpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgnolj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lglopjkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amoknh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3356 wrote to memory of 1456 3356 NEAS.4b44b960973a8f4a0e58837fe1549760.exe 90 PID 3356 wrote to memory of 1456 3356 NEAS.4b44b960973a8f4a0e58837fe1549760.exe 90 PID 3356 wrote to memory of 1456 3356 NEAS.4b44b960973a8f4a0e58837fe1549760.exe 90 PID 1456 wrote to memory of 4616 1456 Cpljehpo.exe 91 PID 1456 wrote to memory of 4616 1456 Cpljehpo.exe 91 PID 1456 wrote to memory of 4616 1456 Cpljehpo.exe 91 PID 4616 wrote to memory of 8 4616 Ccmcgcmp.exe 92 PID 4616 wrote to memory of 8 4616 Ccmcgcmp.exe 92 PID 4616 wrote to memory of 8 4616 Ccmcgcmp.exe 92 PID 8 wrote to memory of 4304 8 Caqpkjcl.exe 93 PID 8 wrote to memory of 4304 8 Caqpkjcl.exe 93 PID 8 wrote to memory of 4304 8 Caqpkjcl.exe 93 PID 4304 wrote to memory of 3752 4304 Dknnoofg.exe 94 PID 4304 wrote to memory of 3752 4304 Dknnoofg.exe 94 PID 4304 wrote to memory of 3752 4304 Dknnoofg.exe 94 PID 3752 wrote to memory of 1988 3752 Enhifi32.exe 95 PID 3752 wrote to memory of 1988 3752 Enhifi32.exe 95 PID 3752 wrote to memory of 1988 3752 Enhifi32.exe 95 PID 1988 wrote to memory of 1708 1988 Ephbhd32.exe 96 PID 1988 wrote to memory of 1708 1988 Ephbhd32.exe 96 PID 1988 wrote to memory of 1708 1988 Ephbhd32.exe 96 PID 1708 wrote to memory of 2888 1708 Ecikjoep.exe 97 PID 1708 wrote to memory of 2888 1708 Ecikjoep.exe 97 PID 1708 wrote to memory of 2888 1708 Ecikjoep.exe 97 PID 2888 wrote to memory of 932 2888 Fclhpo32.exe 98 PID 2888 wrote to memory of 932 2888 Fclhpo32.exe 98 PID 2888 wrote to memory of 932 2888 Fclhpo32.exe 98 PID 932 wrote to memory of 1740 932 Fdbkja32.exe 99 PID 932 wrote to memory of 1740 932 Fdbkja32.exe 99 PID 932 wrote to memory of 1740 932 Fdbkja32.exe 99 PID 1740 wrote to memory of 2816 1740 Gdgdeppb.exe 100 PID 1740 wrote to memory of 2816 1740 Gdgdeppb.exe 100 PID 1740 wrote to memory of 2816 1740 Gdgdeppb.exe 100 PID 2816 wrote to memory of 892 2816 Gndbie32.exe 101 PID 2816 wrote to memory of 892 2816 Gndbie32.exe 101 PID 2816 wrote to memory of 892 2816 Gndbie32.exe 101 PID 892 wrote to memory of 2568 892 Hnhkdd32.exe 102 PID 892 wrote to memory of 2568 892 Hnhkdd32.exe 102 PID 892 wrote to memory of 2568 892 Hnhkdd32.exe 102 PID 2568 wrote to memory of 2252 2568 Hgcmbj32.exe 103 PID 2568 wrote to memory of 2252 2568 Hgcmbj32.exe 103 PID 2568 wrote to memory of 2252 2568 Hgcmbj32.exe 103 PID 2252 wrote to memory of 2688 2252 Ibnjkbog.exe 104 PID 2252 wrote to memory of 2688 2252 Ibnjkbog.exe 104 PID 2252 wrote to memory of 2688 2252 Ibnjkbog.exe 104 PID 2688 wrote to memory of 4408 2688 Ibpgqa32.exe 105 PID 2688 wrote to memory of 4408 2688 Ibpgqa32.exe 105 PID 2688 wrote to memory of 4408 2688 Ibpgqa32.exe 105 PID 4408 wrote to memory of 3476 4408 Ilmedf32.exe 106 PID 4408 wrote to memory of 3476 4408 Ilmedf32.exe 106 PID 4408 wrote to memory of 3476 4408 Ilmedf32.exe 106 PID 3476 wrote to memory of 4712 3476 Jdmcdhhe.exe 107 PID 3476 wrote to memory of 4712 3476 Jdmcdhhe.exe 107 PID 3476 wrote to memory of 4712 3476 Jdmcdhhe.exe 107 PID 4712 wrote to memory of 3444 4712 Jbppgona.exe 108 PID 4712 wrote to memory of 3444 4712 Jbppgona.exe 108 PID 4712 wrote to memory of 3444 4712 Jbppgona.exe 108 PID 3444 wrote to memory of 4328 3444 Kalcik32.exe 109 PID 3444 wrote to memory of 4328 3444 Kalcik32.exe 109 PID 3444 wrote to memory of 4328 3444 Kalcik32.exe 109 PID 4328 wrote to memory of 2740 4328 Klddlckd.exe 110 PID 4328 wrote to memory of 2740 4328 Klddlckd.exe 110 PID 4328 wrote to memory of 2740 4328 Klddlckd.exe 110 PID 2740 wrote to memory of 4396 2740 Lddble32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.4b44b960973a8f4a0e58837fe1549760.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.4b44b960973a8f4a0e58837fe1549760.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Cpljehpo.exeC:\Windows\system32\Cpljehpo.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Ccmcgcmp.exeC:\Windows\system32\Ccmcgcmp.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Caqpkjcl.exeC:\Windows\system32\Caqpkjcl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\SysWOW64\Dknnoofg.exeC:\Windows\system32\Dknnoofg.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\SysWOW64\Enhifi32.exeC:\Windows\system32\Enhifi32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Ephbhd32.exeC:\Windows\system32\Ephbhd32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Ecikjoep.exeC:\Windows\system32\Ecikjoep.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Fclhpo32.exeC:\Windows\system32\Fclhpo32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Fdbkja32.exeC:\Windows\system32\Fdbkja32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Gdgdeppb.exeC:\Windows\system32\Gdgdeppb.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Gndbie32.exeC:\Windows\system32\Gndbie32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Hnhkdd32.exeC:\Windows\system32\Hnhkdd32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Hgcmbj32.exeC:\Windows\system32\Hgcmbj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Ibnjkbog.exeC:\Windows\system32\Ibnjkbog.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Ibpgqa32.exeC:\Windows\system32\Ibpgqa32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Ilmedf32.exeC:\Windows\system32\Ilmedf32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\Jdmcdhhe.exeC:\Windows\system32\Jdmcdhhe.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\Jbppgona.exeC:\Windows\system32\Jbppgona.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Kalcik32.exeC:\Windows\system32\Kalcik32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\Klddlckd.exeC:\Windows\system32\Klddlckd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\Lddble32.exeC:\Windows\system32\Lddble32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Lolcnman.exeC:\Windows\system32\Lolcnman.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4396 -
C:\Windows\SysWOW64\Lkcccn32.exeC:\Windows\system32\Lkcccn32.exe24⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Lhgdmb32.exeC:\Windows\system32\Lhgdmb32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Mclhjkfa.exeC:\Windows\system32\Mclhjkfa.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Mklfjm32.exeC:\Windows\system32\Mklfjm32.exe27⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Mahklf32.exeC:\Windows\system32\Mahklf32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4860 -
C:\Windows\SysWOW64\Nlcidopb.exeC:\Windows\system32\Nlcidopb.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Nfknmd32.exeC:\Windows\system32\Nfknmd32.exe30⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Nfnjbdep.exeC:\Windows\system32\Nfnjbdep.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:3996 -
C:\Windows\SysWOW64\Oloipmfd.exeC:\Windows\system32\Oloipmfd.exe32⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Oooaah32.exeC:\Windows\system32\Oooaah32.exe33⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Pkholi32.exeC:\Windows\system32\Pkholi32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Pokanf32.exeC:\Windows\system32\Pokanf32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Pkabbgol.exeC:\Windows\system32\Pkabbgol.exe36⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Qihoak32.exeC:\Windows\system32\Qihoak32.exe37⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Amfhgj32.exeC:\Windows\system32\Amfhgj32.exe38⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Aimhmkgn.exeC:\Windows\system32\Aimhmkgn.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Aioebj32.exeC:\Windows\system32\Aioebj32.exe40⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Alpnde32.exeC:\Windows\system32\Alpnde32.exe41⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Amoknh32.exeC:\Windows\system32\Amoknh32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Bcbeqaia.exeC:\Windows\system32\Bcbeqaia.exe43⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Cbhbbn32.exeC:\Windows\system32\Cbhbbn32.exe44⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Cbjogmlf.exeC:\Windows\system32\Cbjogmlf.exe45⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Cbmlmmjd.exeC:\Windows\system32\Cbmlmmjd.exe46⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Clijablo.exeC:\Windows\system32\Clijablo.exe47⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Dipgpf32.exeC:\Windows\system32\Dipgpf32.exe48⤵
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Dibdeegc.exeC:\Windows\system32\Dibdeegc.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Deidjf32.exeC:\Windows\system32\Deidjf32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Eennefib.exeC:\Windows\system32\Eennefib.exe51⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Edoncm32.exeC:\Windows\system32\Edoncm32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1440 -
C:\Windows\SysWOW64\Egpgehnb.exeC:\Windows\system32\Egpgehnb.exe53⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Eippgckc.exeC:\Windows\system32\Eippgckc.exe54⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Eibmlc32.exeC:\Windows\system32\Eibmlc32.exe55⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Fpandm32.exeC:\Windows\system32\Fpandm32.exe56⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Fjjcmbci.exeC:\Windows\system32\Fjjcmbci.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1788 -
C:\Windows\SysWOW64\Fgncff32.exeC:\Windows\system32\Fgncff32.exe58⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Fpfholhc.exeC:\Windows\system32\Fpfholhc.exe59⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Gnjhhpgl.exeC:\Windows\system32\Gnjhhpgl.exe60⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Gnlenp32.exeC:\Windows\system32\Gnlenp32.exe61⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Gfgjbb32.exeC:\Windows\system32\Gfgjbb32.exe62⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Gmdoel32.exeC:\Windows\system32\Gmdoel32.exe63⤵
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Gnckooob.exeC:\Windows\system32\Gnckooob.exe64⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Hqddqj32.exeC:\Windows\system32\Hqddqj32.exe65⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Hjlhipbc.exeC:\Windows\system32\Hjlhipbc.exe66⤵PID:5140
-
C:\Windows\SysWOW64\Hdffah32.exeC:\Windows\system32\Hdffah32.exe67⤵PID:5180
-
C:\Windows\SysWOW64\Hmbkfjko.exeC:\Windows\system32\Hmbkfjko.exe68⤵
- Drops file in System32 directory
PID:5320 -
C:\Windows\SysWOW64\Jgekdq32.exeC:\Windows\system32\Jgekdq32.exe69⤵
- Drops file in System32 directory
PID:5368 -
C:\Windows\SysWOW64\Jfkhfmdm.exeC:\Windows\system32\Jfkhfmdm.exe70⤵PID:5416
-
C:\Windows\SysWOW64\Jjhalkjc.exeC:\Windows\system32\Jjhalkjc.exe71⤵
- Modifies registry class
PID:5460 -
C:\Windows\SysWOW64\Jmijnfgd.exeC:\Windows\system32\Jmijnfgd.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5500 -
C:\Windows\SysWOW64\Kjmjgk32.exeC:\Windows\system32\Kjmjgk32.exe73⤵PID:5548
-
C:\Windows\SysWOW64\Keghocao.exeC:\Windows\system32\Keghocao.exe74⤵PID:5608
-
C:\Windows\SysWOW64\Kfkamk32.exeC:\Windows\system32\Kfkamk32.exe75⤵PID:5648
-
C:\Windows\SysWOW64\Ldoafodd.exeC:\Windows\system32\Ldoafodd.exe76⤵PID:5688
-
C:\Windows\SysWOW64\Ljkghi32.exeC:\Windows\system32\Ljkghi32.exe77⤵PID:5732
-
C:\Windows\SysWOW64\Lfbgmj32.exeC:\Windows\system32\Lfbgmj32.exe78⤵PID:5776
-
C:\Windows\SysWOW64\Lajhpbme.exeC:\Windows\system32\Lajhpbme.exe79⤵
- Drops file in System32 directory
PID:5820 -
C:\Windows\SysWOW64\Lmqiec32.exeC:\Windows\system32\Lmqiec32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5880 -
C:\Windows\SysWOW64\Maoakaip.exeC:\Windows\system32\Maoakaip.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5928 -
C:\Windows\SysWOW64\Mobbdf32.exeC:\Windows\system32\Mobbdf32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5980 -
C:\Windows\SysWOW64\Mhkgnkoj.exeC:\Windows\system32\Mhkgnkoj.exe83⤵PID:6016
-
C:\Windows\SysWOW64\Mackfa32.exeC:\Windows\system32\Mackfa32.exe84⤵PID:6072
-
C:\Windows\SysWOW64\Maehlqch.exeC:\Windows\system32\Maehlqch.exe85⤵PID:6116
-
C:\Windows\SysWOW64\Moiheebb.exeC:\Windows\system32\Moiheebb.exe86⤵PID:1220
-
C:\Windows\SysWOW64\Ndinck32.exeC:\Windows\system32\Ndinck32.exe87⤵
- Modifies registry class
PID:5200 -
C:\Windows\SysWOW64\Nnabladg.exeC:\Windows\system32\Nnabladg.exe88⤵PID:5364
-
C:\Windows\SysWOW64\Naaghoik.exeC:\Windows\system32\Naaghoik.exe89⤵
- Drops file in System32 directory
PID:5424 -
C:\Windows\SysWOW64\Nkjlqd32.exeC:\Windows\system32\Nkjlqd32.exe90⤵
- Modifies registry class
PID:5492 -
C:\Windows\SysWOW64\Odbpij32.exeC:\Windows\system32\Odbpij32.exe91⤵PID:5564
-
C:\Windows\SysWOW64\Onjebpml.exeC:\Windows\system32\Onjebpml.exe92⤵PID:5632
-
C:\Windows\SysWOW64\Ohpiphlb.exeC:\Windows\system32\Ohpiphlb.exe93⤵PID:5696
-
C:\Windows\SysWOW64\Ohbfeh32.exeC:\Windows\system32\Ohbfeh32.exe94⤵PID:5760
-
C:\Windows\SysWOW64\Ohdbkh32.exeC:\Windows\system32\Ohdbkh32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5836 -
C:\Windows\SysWOW64\Ohgopgfj.exeC:\Windows\system32\Ohgopgfj.exe96⤵PID:5916
-
C:\Windows\SysWOW64\Pndhhnda.exeC:\Windows\system32\Pndhhnda.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5996 -
C:\Windows\SysWOW64\Pgllad32.exeC:\Windows\system32\Pgllad32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6056 -
C:\Windows\SysWOW64\Pbdmdlie.exeC:\Windows\system32\Pbdmdlie.exe99⤵
- Modifies registry class
PID:6112 -
C:\Windows\SysWOW64\Pgcbbc32.exeC:\Windows\system32\Pgcbbc32.exe100⤵
- Modifies registry class
PID:5168 -
C:\Windows\SysWOW64\Phbolflm.exeC:\Windows\system32\Phbolflm.exe101⤵
- Modifies registry class
PID:5328 -
C:\Windows\SysWOW64\Qbkcek32.exeC:\Windows\system32\Qbkcek32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5388 -
C:\Windows\SysWOW64\Aijeme32.exeC:\Windows\system32\Aijeme32.exe103⤵PID:5536
-
C:\Windows\SysWOW64\Agobna32.exeC:\Windows\system32\Agobna32.exe104⤵
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\Agaoca32.exeC:\Windows\system32\Agaoca32.exe105⤵PID:5800
-
C:\Windows\SysWOW64\Agckiqgg.exeC:\Windows\system32\Agckiqgg.exe106⤵PID:5972
-
C:\Windows\SysWOW64\Bichcc32.exeC:\Windows\system32\Bichcc32.exe107⤵PID:4156
-
C:\Windows\SysWOW64\Biedhclh.exeC:\Windows\system32\Biedhclh.exe108⤵PID:684
-
C:\Windows\SysWOW64\Bkfmjnii.exeC:\Windows\system32\Bkfmjnii.exe109⤵PID:2628
-
C:\Windows\SysWOW64\Bijncb32.exeC:\Windows\system32\Bijncb32.exe110⤵PID:5136
-
C:\Windows\SysWOW64\Biljib32.exeC:\Windows\system32\Biljib32.exe111⤵PID:5484
-
C:\Windows\SysWOW64\Bfpkbfdi.exeC:\Windows\system32\Bfpkbfdi.exe112⤵PID:5740
-
C:\Windows\SysWOW64\Cfbhhfbg.exeC:\Windows\system32\Cfbhhfbg.exe113⤵PID:1340
-
C:\Windows\SysWOW64\Cnnllhpa.exeC:\Windows\system32\Cnnllhpa.exe114⤵PID:2160
-
C:\Windows\SysWOW64\Cbnbhfde.exeC:\Windows\system32\Cbnbhfde.exe115⤵PID:5476
-
C:\Windows\SysWOW64\Cbqonf32.exeC:\Windows\system32\Cbqonf32.exe116⤵PID:6004
-
C:\Windows\SysWOW64\Dngobghg.exeC:\Windows\system32\Dngobghg.exe117⤵PID:6124
-
C:\Windows\SysWOW64\Dhpdkm32.exeC:\Windows\system32\Dhpdkm32.exe118⤵PID:536
-
C:\Windows\SysWOW64\Dfqdid32.exeC:\Windows\system32\Dfqdid32.exe119⤵PID:4624
-
C:\Windows\SysWOW64\Dpihbjmg.exeC:\Windows\system32\Dpihbjmg.exe120⤵PID:5352
-
C:\Windows\SysWOW64\Dfemdcba.exeC:\Windows\system32\Dfemdcba.exe121⤵PID:2168
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-