Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2024, 10:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3e91a500e10054a957499cbb8948b020_NEAS.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3e91a500e10054a957499cbb8948b020_NEAS.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3e91a500e10054a957499cbb8948b020_NEAS.exe
-
Size
432KB
-
MD5
3e91a500e10054a957499cbb8948b020
-
SHA1
79fe0f485f0fd43f80276bb9803ffe731df28be6
-
SHA256
2d73011b6cca9f401578b57f5154253abf5d1758a0eff27602d31d9ff0942fbd
-
SHA512
8ffce0038274f940a27fa42e2b54cff65b678bd76719517f99026032659d8a161f1fd850ec6d994607dc0bb4cef42f3048aa5106fa6e10f78049922ad19e2793
-
SSDEEP
12288:BdZpfWAxi//OVLCoooooooooooooooooooooooooYKiUNl:BnpeAaWVLw47
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbnjmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcpclbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nphhmj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hippdo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdmcidam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecjhcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecjhcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imdgqfbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocnjidkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clqnjf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbcakg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfonc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckedalaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibqpimpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acnlgp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlojkddn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifmcdblq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpeepnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdmpcdfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chbnia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmknaell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpcfkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgmlkp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgallfcq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aegikj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coagla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hijooifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmgfda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdpalp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafbne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbkjjblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjeddggd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnbbbabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eckonn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Angddopp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemlmgnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfaedkdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehljfnpn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iemppiab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieolehop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dljqpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebnoikqb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbfpobpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elhmablc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbldaffp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmpngk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdainc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldpkoil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caebma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djnaji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efgodj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaljgidl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imihfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qecppkdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiefcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojjolnaq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cipehkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcekkjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpenfjad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfhdlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnbbbabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjpaooda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jplfcpin.exe -
Executes dropped EXE 64 IoCs
pid Process 4504 Clldogdc.exe 4000 Cojqkbdf.exe 4656 Caimgncj.exe 3720 Cedihl32.exe 1848 Cipehkcl.exe 3632 Chbedh32.exe 392 Cpjmee32.exe 1540 Commqb32.exe 3528 Cchiaqjm.exe 4920 Cakjmm32.exe 1564 Cefemliq.exe 4568 Cibank32.exe 4156 Clqnjf32.exe 4196 Cpljkdig.exe 3476 Coojfa32.exe 3200 Ccjfgphj.exe 4960 Ceibclgn.exe 5032 Cidncj32.exe 1732 Chgoogfa.exe 4840 Clckpf32.exe 4476 Coagla32.exe 4100 Capchmmb.exe 3500 Cekohk32.exe 4668 Digkijmd.exe 5020 Dlegeemh.exe 1948 Dpacfd32.exe 952 Doccaall.exe 1696 Dcopbp32.exe 2716 Denlnk32.exe 1124 Diihojkb.exe 544 Dhlhjf32.exe 672 Dlgdkeje.exe 2300 Dpcpkc32.exe 4768 Dofpgqji.exe 4644 Dcalgo32.exe 4128 Dadlclim.exe 5000 Djlddi32.exe 732 Dhnepfpj.exe 4448 Dljqpd32.exe 2988 Dpemacql.exe 3092 Dohmlp32.exe 3816 Dcdimopp.exe 3148 Dagiil32.exe 2248 Debeijoc.exe 4632 Djnaji32.exe 2032 Dhqaefng.exe 5016 Dllmfd32.exe 4204 Dokjbp32.exe 4036 Dcfebonm.exe 4904 Daifnk32.exe 1880 Dfdbojmq.exe 684 Djpnohej.exe 1596 Dhcnke32.exe 3800 Dlojkddn.exe 1020 Dpjflb32.exe 1668 Domfgpca.exe 1620 Dakbckbe.exe 1884 Efgodj32.exe 1588 Ejbkehcg.exe 3884 Ehekqe32.exe 2856 Epmcab32.exe 2320 Eoocmoao.exe 924 Eckonn32.exe 3964 Ebnoikqb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kdhbec32.exe Kajfig32.exe File created C:\Windows\SysWOW64\Kmncnb32.exe Kefkme32.exe File created C:\Windows\SysWOW64\Lmdina32.exe Liimncmf.exe File opened for modification C:\Windows\SysWOW64\Gjocgdkg.exe Gcekkjcj.exe File created C:\Windows\SysWOW64\Fhqcam32.exe Febgea32.exe File created C:\Windows\SysWOW64\Olpppj32.dll Hckjacjg.exe File created C:\Windows\SysWOW64\Oolpjdob.dll Lfkaag32.exe File created C:\Windows\SysWOW64\Hpoddikd.dll Acnlgp32.exe File created C:\Windows\SysWOW64\Dkifae32.exe Ddonekbl.exe File created C:\Windows\SysWOW64\Bpqnnk32.dll Ipegmg32.exe File opened for modification C:\Windows\SysWOW64\Mjcgohig.exe Mkpgck32.exe File opened for modification C:\Windows\SysWOW64\Cdainc32.exe Ceoibflm.exe File created C:\Windows\SysWOW64\Akalojih.dll Cbgbgj32.exe File created C:\Windows\SysWOW64\Docmgjhp.exe Dldpkoil.exe File created C:\Windows\SysWOW64\Onklabip.exe Okloegjl.exe File created C:\Windows\SysWOW64\Kldggoeb.dll Fkopnh32.exe File created C:\Windows\SysWOW64\Ligqhc32.exe Lfhdlh32.exe File created C:\Windows\SysWOW64\Ldleel32.exe Lpqiemge.exe File created C:\Windows\SysWOW64\Nnlhfn32.exe Nphhmj32.exe File created C:\Windows\SysWOW64\Dagiil32.exe Dcdimopp.exe File created C:\Windows\SysWOW64\Bpcbnd32.dll Kgdbkohf.exe File created C:\Windows\SysWOW64\Hkmgakaf.dll Odpjcm32.exe File created C:\Windows\SysWOW64\Lgdalf32.dll Ehnglm32.exe File created C:\Windows\SysWOW64\Baefid32.dll Lijdhiaa.exe File created C:\Windows\SysWOW64\Cbqlfkmi.exe Blfdia32.exe File created C:\Windows\SysWOW64\Ecjhcg32.exe Ekcpbj32.exe File created C:\Windows\SysWOW64\Ndfqbhia.exe Npjebj32.exe File created C:\Windows\SysWOW64\Maickled.dll Caebma32.exe File created C:\Windows\SysWOW64\Nklfoi32.exe Nceonl32.exe File opened for modification C:\Windows\SysWOW64\Iefioj32.exe Hbgmcnhf.exe File created C:\Windows\SysWOW64\Hhmkaf32.dll Mmlpoqpg.exe File created C:\Windows\SysWOW64\Gmaioo32.exe Gjclbc32.exe File created C:\Windows\SysWOW64\Jmkdlkph.exe Jjmhppqd.exe File opened for modification C:\Windows\SysWOW64\Kdopod32.exe Kmegbjgn.exe File created C:\Windows\SysWOW64\Jjpeepnb.exe Jbhmdbnp.exe File opened for modification C:\Windows\SysWOW64\Acocaf32.exe Anbkio32.exe File created C:\Windows\SysWOW64\Ahgndd32.dll Fijmbb32.exe File created C:\Windows\SysWOW64\Hlcqelac.dll Gjapmdid.exe File created C:\Windows\SysWOW64\Imihfl32.exe Ifopiajn.exe File created C:\Windows\SysWOW64\Fcgoilpj.exe Fokbim32.exe File opened for modification C:\Windows\SysWOW64\Gqikdn32.exe Giacca32.exe File created C:\Windows\SysWOW64\Gidjfdep.dll Chghdqbf.exe File opened for modification C:\Windows\SysWOW64\Kbaipkbi.exe Kpbmco32.exe File created C:\Windows\SysWOW64\Onhhamgg.exe Ognpebpj.exe File opened for modification C:\Windows\SysWOW64\Ebbidj32.exe Eodlho32.exe File opened for modification C:\Windows\SysWOW64\Lcbiao32.exe Lpcmec32.exe File opened for modification C:\Windows\SysWOW64\Balfaiil.exe Blpnib32.exe File created C:\Windows\SysWOW64\Agkbbg32.dll Ddmhja32.exe File opened for modification C:\Windows\SysWOW64\Fqmlhpla.exe Fmapha32.exe File created C:\Windows\SysWOW64\Bclgpkgk.dll Ifmcdblq.exe File created C:\Windows\SysWOW64\Cehkhecb.exe Camphf32.exe File created C:\Windows\SysWOW64\Baaplhef.exe Bobcpmfc.exe File created C:\Windows\SysWOW64\Fmficqpc.exe Fijmbb32.exe File created C:\Windows\SysWOW64\Gpklpkio.exe Gqikdn32.exe File opened for modification C:\Windows\SysWOW64\Lddbqa32.exe Lnjjdgee.exe File created C:\Windows\SysWOW64\Mpnaemnl.dll Hoiafcic.exe File created C:\Windows\SysWOW64\Icnpmp32.exe Ilghlc32.exe File created C:\Windows\SysWOW64\Aaiapmca.dll Nggqoj32.exe File opened for modification C:\Windows\SysWOW64\Aaepqjpd.exe Angddopp.exe File created C:\Windows\SysWOW64\Dmllipeg.exe Dhocqigp.exe File opened for modification C:\Windows\SysWOW64\Gcojed32.exe Gkhbdg32.exe File opened for modification C:\Windows\SysWOW64\Pgllfp32.exe Pcppfaka.exe File created C:\Windows\SysWOW64\Pcppfaka.exe Pmfhig32.exe File opened for modification C:\Windows\SysWOW64\Bjmnoi32.exe Agoabn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14996 14792 WerFault.exe 748 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddmhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjfihc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbbmhgf.dll" Behbag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlpkba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnaikd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meknidfo.dll" Qnnanphk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkaejf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll" Aminee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dobfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddomph32.dll" Dhqaefng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll" Lgpagm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Peimil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imdgqfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kepelfam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hihjpn32.dll" Fckhdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aegikj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qddina32.dll" Hkkhqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplmmdoj.dll" Ldoaklml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfjcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdddife.dll" Gpklpkio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hflcbngh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibnccmbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldleel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmclmabe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpgkkioa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icljbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkmgakaf.dll" Odpjcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoecnk32.dll" Kmdqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll" Gqkhjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ognpebpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocpgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll" Ajhddjfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll" Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Haggelfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajiknpjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhindhb.dll" Fcmnpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ippggbck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieolehop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efikji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elhmablc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjclbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll" Npcoakfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnigkegh.dll" Clkndpag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aminee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fflaff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lingibiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekacmjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcojed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npjebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaapo32.dll" Gbcakg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fklfdo32.dll" Ondeac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcnakq32.dll" Okolkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bldgdago.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghlcnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejgdpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjeddggd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbldaffp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbnafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefofm32.dll" Jioaqfcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kipkhdeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcckif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lepncd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll" Nnlhfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amgapeea.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2876 wrote to memory of 4504 2876 3e91a500e10054a957499cbb8948b020_NEAS.exe 83 PID 2876 wrote to memory of 4504 2876 3e91a500e10054a957499cbb8948b020_NEAS.exe 83 PID 2876 wrote to memory of 4504 2876 3e91a500e10054a957499cbb8948b020_NEAS.exe 83 PID 4504 wrote to memory of 4000 4504 Clldogdc.exe 84 PID 4504 wrote to memory of 4000 4504 Clldogdc.exe 84 PID 4504 wrote to memory of 4000 4504 Clldogdc.exe 84 PID 4000 wrote to memory of 4656 4000 Cojqkbdf.exe 85 PID 4000 wrote to memory of 4656 4000 Cojqkbdf.exe 85 PID 4000 wrote to memory of 4656 4000 Cojqkbdf.exe 85 PID 4656 wrote to memory of 3720 4656 Caimgncj.exe 86 PID 4656 wrote to memory of 3720 4656 Caimgncj.exe 86 PID 4656 wrote to memory of 3720 4656 Caimgncj.exe 86 PID 3720 wrote to memory of 1848 3720 Cedihl32.exe 87 PID 3720 wrote to memory of 1848 3720 Cedihl32.exe 87 PID 3720 wrote to memory of 1848 3720 Cedihl32.exe 87 PID 1848 wrote to memory of 3632 1848 Cipehkcl.exe 88 PID 1848 wrote to memory of 3632 1848 Cipehkcl.exe 88 PID 1848 wrote to memory of 3632 1848 Cipehkcl.exe 88 PID 3632 wrote to memory of 392 3632 Chbedh32.exe 89 PID 3632 wrote to memory of 392 3632 Chbedh32.exe 89 PID 3632 wrote to memory of 392 3632 Chbedh32.exe 89 PID 392 wrote to memory of 1540 392 Cpjmee32.exe 90 PID 392 wrote to memory of 1540 392 Cpjmee32.exe 90 PID 392 wrote to memory of 1540 392 Cpjmee32.exe 90 PID 1540 wrote to memory of 3528 1540 Commqb32.exe 91 PID 1540 wrote to memory of 3528 1540 Commqb32.exe 91 PID 1540 wrote to memory of 3528 1540 Commqb32.exe 91 PID 3528 wrote to memory of 4920 3528 Cchiaqjm.exe 92 PID 3528 wrote to memory of 4920 3528 Cchiaqjm.exe 92 PID 3528 wrote to memory of 4920 3528 Cchiaqjm.exe 92 PID 4920 wrote to memory of 1564 4920 Cakjmm32.exe 93 PID 4920 wrote to memory of 1564 4920 Cakjmm32.exe 93 PID 4920 wrote to memory of 1564 4920 Cakjmm32.exe 93 PID 1564 wrote to memory of 4568 1564 Cefemliq.exe 94 PID 1564 wrote to memory of 4568 1564 Cefemliq.exe 94 PID 1564 wrote to memory of 4568 1564 Cefemliq.exe 94 PID 4568 wrote to memory of 4156 4568 Cibank32.exe 95 PID 4568 wrote to memory of 4156 4568 Cibank32.exe 95 PID 4568 wrote to memory of 4156 4568 Cibank32.exe 95 PID 4156 wrote to memory of 4196 4156 Clqnjf32.exe 96 PID 4156 wrote to memory of 4196 4156 Clqnjf32.exe 96 PID 4156 wrote to memory of 4196 4156 Clqnjf32.exe 96 PID 4196 wrote to memory of 3476 4196 Cpljkdig.exe 97 PID 4196 wrote to memory of 3476 4196 Cpljkdig.exe 97 PID 4196 wrote to memory of 3476 4196 Cpljkdig.exe 97 PID 3476 wrote to memory of 3200 3476 Coojfa32.exe 98 PID 3476 wrote to memory of 3200 3476 Coojfa32.exe 98 PID 3476 wrote to memory of 3200 3476 Coojfa32.exe 98 PID 3200 wrote to memory of 4960 3200 Ccjfgphj.exe 99 PID 3200 wrote to memory of 4960 3200 Ccjfgphj.exe 99 PID 3200 wrote to memory of 4960 3200 Ccjfgphj.exe 99 PID 4960 wrote to memory of 5032 4960 Ceibclgn.exe 100 PID 4960 wrote to memory of 5032 4960 Ceibclgn.exe 100 PID 4960 wrote to memory of 5032 4960 Ceibclgn.exe 100 PID 5032 wrote to memory of 1732 5032 Cidncj32.exe 101 PID 5032 wrote to memory of 1732 5032 Cidncj32.exe 101 PID 5032 wrote to memory of 1732 5032 Cidncj32.exe 101 PID 1732 wrote to memory of 4840 1732 Chgoogfa.exe 102 PID 1732 wrote to memory of 4840 1732 Chgoogfa.exe 102 PID 1732 wrote to memory of 4840 1732 Chgoogfa.exe 102 PID 4840 wrote to memory of 4476 4840 Clckpf32.exe 103 PID 4840 wrote to memory of 4476 4840 Clckpf32.exe 103 PID 4840 wrote to memory of 4476 4840 Clckpf32.exe 103 PID 4476 wrote to memory of 4100 4476 Coagla32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e91a500e10054a957499cbb8948b020_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\3e91a500e10054a957499cbb8948b020_NEAS.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Clldogdc.exeC:\Windows\system32\Clldogdc.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Cojqkbdf.exeC:\Windows\system32\Cojqkbdf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\SysWOW64\Caimgncj.exeC:\Windows\system32\Caimgncj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\Cedihl32.exeC:\Windows\system32\Cedihl32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\Cipehkcl.exeC:\Windows\system32\Cipehkcl.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Chbedh32.exeC:\Windows\system32\Chbedh32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Windows\SysWOW64\Cpjmee32.exeC:\Windows\system32\Cpjmee32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Commqb32.exeC:\Windows\system32\Commqb32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Cchiaqjm.exeC:\Windows\system32\Cchiaqjm.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Cakjmm32.exeC:\Windows\system32\Cakjmm32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Cefemliq.exeC:\Windows\system32\Cefemliq.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Cibank32.exeC:\Windows\system32\Cibank32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Clqnjf32.exeC:\Windows\system32\Clqnjf32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Windows\SysWOW64\Cpljkdig.exeC:\Windows\system32\Cpljkdig.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Windows\SysWOW64\Coojfa32.exeC:\Windows\system32\Coojfa32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\Ccjfgphj.exeC:\Windows\system32\Ccjfgphj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\Ceibclgn.exeC:\Windows\system32\Ceibclgn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\Cidncj32.exeC:\Windows\system32\Cidncj32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Chgoogfa.exeC:\Windows\system32\Chgoogfa.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Clckpf32.exeC:\Windows\system32\Clckpf32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Coagla32.exeC:\Windows\system32\Coagla32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Capchmmb.exeC:\Windows\system32\Capchmmb.exe23⤵
- Executes dropped EXE
PID:4100 -
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe24⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Digkijmd.exeC:\Windows\system32\Digkijmd.exe25⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Dlegeemh.exeC:\Windows\system32\Dlegeemh.exe26⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Dpacfd32.exeC:\Windows\system32\Dpacfd32.exe27⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Doccaall.exeC:\Windows\system32\Doccaall.exe28⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Dcopbp32.exeC:\Windows\system32\Dcopbp32.exe29⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Denlnk32.exeC:\Windows\system32\Denlnk32.exe30⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Diihojkb.exeC:\Windows\system32\Diihojkb.exe31⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe32⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Dlgdkeje.exeC:\Windows\system32\Dlgdkeje.exe33⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Dpcpkc32.exeC:\Windows\system32\Dpcpkc32.exe34⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Dofpgqji.exeC:\Windows\system32\Dofpgqji.exe35⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe36⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Dadlclim.exeC:\Windows\system32\Dadlclim.exe37⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe38⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Dhnepfpj.exeC:\Windows\system32\Dhnepfpj.exe39⤵
- Executes dropped EXE
PID:732 -
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe41⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe42⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3816 -
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe44⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Debeijoc.exeC:\Windows\system32\Debeijoc.exe45⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Djnaji32.exeC:\Windows\system32\Djnaji32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Dhqaefng.exeC:\Windows\system32\Dhqaefng.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe48⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Dokjbp32.exeC:\Windows\system32\Dokjbp32.exe49⤵
- Executes dropped EXE
PID:4204 -
C:\Windows\SysWOW64\Dcfebonm.exeC:\Windows\system32\Dcfebonm.exe50⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe51⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Dfdbojmq.exeC:\Windows\system32\Dfdbojmq.exe52⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe53⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe54⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Dlojkddn.exeC:\Windows\system32\Dlojkddn.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe56⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Domfgpca.exeC:\Windows\system32\Domfgpca.exe57⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe58⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe60⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Ehekqe32.exeC:\Windows\system32\Ehekqe32.exe61⤵
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe62⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe63⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Efikji32.exeC:\Windows\system32\Efikji32.exe66⤵
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe67⤵PID:4932
-
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe68⤵PID:1472
-
C:\Windows\SysWOW64\Eoapbo32.exeC:\Windows\system32\Eoapbo32.exe69⤵PID:2476
-
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe70⤵PID:2908
-
C:\Windows\SysWOW64\Eflhoigi.exeC:\Windows\system32\Eflhoigi.exe71⤵PID:3380
-
C:\Windows\SysWOW64\Ejgdpg32.exeC:\Windows\system32\Ejgdpg32.exe72⤵
- Modifies registry class
PID:3324 -
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe73⤵PID:856
-
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe74⤵PID:3704
-
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe75⤵PID:2052
-
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe76⤵
- Drops file in System32 directory
PID:212 -
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe77⤵PID:4760
-
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe78⤵PID:3960
-
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe79⤵PID:4692
-
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe80⤵PID:4528
-
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4596 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe82⤵PID:3064
-
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe83⤵PID:4728
-
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe84⤵PID:5148
-
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe85⤵PID:5184
-
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe86⤵
- Drops file in System32 directory
PID:5220 -
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe87⤵PID:5260
-
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe88⤵PID:5292
-
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe89⤵PID:5332
-
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe90⤵PID:5368
-
C:\Windows\SysWOW64\Fqkocpod.exeC:\Windows\system32\Fqkocpod.exe91⤵PID:5400
-
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe92⤵PID:5440
-
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe93⤵PID:5472
-
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe94⤵PID:5512
-
C:\Windows\SysWOW64\Fjcclf32.exeC:\Windows\system32\Fjcclf32.exe95⤵PID:5548
-
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe96⤵PID:5580
-
C:\Windows\SysWOW64\Fmapha32.exeC:\Windows\system32\Fmapha32.exe97⤵
- Drops file in System32 directory
PID:5620 -
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe98⤵PID:5656
-
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe99⤵
- Modifies registry class
PID:5688 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe100⤵PID:5728
-
C:\Windows\SysWOW64\Fjepaecb.exeC:\Windows\system32\Fjepaecb.exe101⤵PID:5764
-
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe102⤵PID:5796
-
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe103⤵
- Modifies registry class
PID:5836 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe104⤵PID:5868
-
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe105⤵PID:5908
-
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe106⤵PID:5944
-
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe107⤵
- Modifies registry class
PID:5976 -
C:\Windows\SysWOW64\Fjhmgeao.exeC:\Windows\system32\Fjhmgeao.exe108⤵PID:6016
-
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe109⤵
- Drops file in System32 directory
PID:6052 -
C:\Windows\SysWOW64\Fmficqpc.exeC:\Windows\system32\Fmficqpc.exe110⤵PID:6084
-
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe111⤵PID:6124
-
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe112⤵PID:3344
-
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5132 -
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe114⤵PID:5360
-
C:\Windows\SysWOW64\Gimjhafg.exeC:\Windows\system32\Gimjhafg.exe115⤵PID:5424
-
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe116⤵PID:2992
-
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5536 -
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe118⤵PID:5608
-
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe119⤵
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe120⤵
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe121⤵
- Modifies registry class
PID:5804
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-