Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
162s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
13/10/2023, 20:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.cd4dfe1255f80f8fa251d395d00b48f0.exe
Resource
win7-20230831-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.cd4dfe1255f80f8fa251d395d00b48f0.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.cd4dfe1255f80f8fa251d395d00b48f0.exe
-
Size
75KB
-
MD5
cd4dfe1255f80f8fa251d395d00b48f0
-
SHA1
6e721ddf72f9697d6f19b2d0fafd6d3e11427267
-
SHA256
45ddf3eb68e7708a7f0198fac7d7c29e6c52f4dd995141ec8a490155cb04a53d
-
SHA512
f7484fe414d16c1ac5507054ab8a4308ca1331ea56e088b8af86f63d14d02f5f47bb3bfef5c1210b599ce9094be9cd51e1b4e30ddb7336c201b83d4cc560ae39
-
SSDEEP
1536:ntahSWTB/UQWmcufCfugJKoyqchJxKJgHrYyWuJ0OO53q52IrFH:cIWZWmcuafH4JxKiLYydJ0Og3qv
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnifoaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gngnjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbkkpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeccijoh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmdjjemp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lofklp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccdgjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fndpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bekfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbahgbfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fafddb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdccka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnlhhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bekmei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgggaamn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcepem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lldfcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnhinq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odocbmfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjmgomjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efbllhfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fndgfffm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hapancai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgdklb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaccdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heochp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnafgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpaanfce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odjeepna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eodjdocj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfeahffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljncnhhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmgof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcepem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acgfpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmjlpnpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdcbokq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfeekgjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdhklgnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkechjib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjpjoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkechjib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmcabd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlkmfkli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljncnhhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfeoijbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpghfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hapancai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fadoii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioeineap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgliie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioopfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hienee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plimpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfeqnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqgldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgjicb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjaefc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmkanmel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohdlke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpnncl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bekfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhfhnfhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmfkin32.exe -
Executes dropped EXE 64 IoCs
pid Process 1556 Fnnimbaj.exe 568 Gloejmld.exe 4936 Gflcnanp.exe 3904 Hjoeoo32.exe 976 Ijmapm32.exe 1716 Jjakkmpk.exe 3268 Jjhalkjc.exe 236 Jnfjbj32.exe 3896 Ljncnhhk.exe 3436 Mginniij.exe 3160 Mkicjgnn.exe 1532 Oamgcm32.exe 1860 Pbdmdlie.exe 1664 Qffoejkg.exe 2084 Aoapcood.exe 1032 Akhaipei.exe 2236 Bnbmqjjo.exe 4120 Dpnbmi32.exe 2008 Eoekde32.exe 3720 Fekclnif.exe 1672 Gchflq32.exe 5052 Ghgljg32.exe 4988 Hfeoijbi.exe 2588 Iqaiga32.exe 4256 Jokpcmmj.exe 3024 Lpghfi32.exe 1016 Lpjelibg.exe 3848 Omgabj32.exe 2980 Odfcjc32.exe 2800 Oalpigkb.exe 2264 Pdmikb32.exe 5076 Pjjaci32.exe 740 Pkinmlnm.exe 4464 Pjoknhbe.exe 4244 Pddokabk.exe 4220 Pahpee32.exe 3588 Qjcdih32.exe 2244 Anffje32.exe 5108 Ajmgof32.exe 4644 Aklciimh.exe 2208 Bbkeacqo.exe 4732 Bbmbgb32.exe 1660 Cqghcn32.exe 4360 Cjaiac32.exe 4224 Ckfofe32.exe 2896 Dijppjfd.exe 4196 Deejpjgc.exe 4148 Ejkenpnp.exe 1436 Fjpoio32.exe 2368 Fefcgh32.exe 1652 Fehplggn.exe 3288 Gogjflhf.exe 2404 Giahndcf.exe 2020 Hhbdko32.exe 3980 Icakofel.exe 3152 Kkofofbb.exe 1760 Lpdefc32.exe 4312 Ndgpnogo.exe 844 Nfhipj32.exe 3000 Ndliin32.exe 4212 Pdchakoo.exe 3744 Bdfnmhnj.exe 4648 Bkglkapo.exe 3488 Dmnkdfce.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bidefbcg.exe Aikbpckb.exe File opened for modification C:\Windows\SysWOW64\Lbghpinc.exe Liocgc32.exe File opened for modification C:\Windows\SysWOW64\Pmgcidqm.exe Odmbkolo.exe File created C:\Windows\SysWOW64\Fljcfa32.exe Fadoii32.exe File opened for modification C:\Windows\SysWOW64\Dajlafon.exe Cjpcel32.exe File created C:\Windows\SysWOW64\Bgeabloo.exe Bmomecoi.exe File opened for modification C:\Windows\SysWOW64\Bmliem32.exe Bbgehd32.exe File created C:\Windows\SysWOW64\Enopgj32.dll Elnoifjg.exe File created C:\Windows\SysWOW64\Gaddifhc.dll Kgeiokao.exe File created C:\Windows\SysWOW64\Giahndcf.exe Gogjflhf.exe File created C:\Windows\SysWOW64\Pneakj32.dll Eijiak32.exe File created C:\Windows\SysWOW64\Mopoei32.dll Hkdjph32.exe File opened for modification C:\Windows\SysWOW64\Jmplbk32.exe Jcjgeb32.exe File opened for modification C:\Windows\SysWOW64\Clknnf32.exe Boknic32.exe File created C:\Windows\SysWOW64\Lefllfkj.dll Bmjlpnpb.exe File created C:\Windows\SysWOW64\Jkgpleaf.exe Jpalomaq.exe File opened for modification C:\Windows\SysWOW64\Ckfofe32.exe Cjaiac32.exe File opened for modification C:\Windows\SysWOW64\Imkbglei.exe Iojbid32.exe File created C:\Windows\SysWOW64\Mgmjad32.dll Pjjaci32.exe File created C:\Windows\SysWOW64\Fjbopnqa.dll Doageg32.exe File created C:\Windows\SysWOW64\Lfafobpd.dll Kqknekjf.exe File created C:\Windows\SysWOW64\Peiqme32.dll Njkklk32.exe File opened for modification C:\Windows\SysWOW64\Bmqhlk32.exe Aajggjap.exe File opened for modification C:\Windows\SysWOW64\Lfpcijlg.exe Lofklp32.exe File opened for modification C:\Windows\SysWOW64\Ahmjce32.exe Amgefl32.exe File created C:\Windows\SysWOW64\Iaahjmkn.exe Iaokdn32.exe File created C:\Windows\SysWOW64\Cqghcn32.exe Bbmbgb32.exe File created C:\Windows\SysWOW64\Gipgea32.dll Occkhp32.exe File opened for modification C:\Windows\SysWOW64\Lmdihgkl.exe Jimeelkc.exe File opened for modification C:\Windows\SysWOW64\Kaehepeg.exe Kijcanhl.exe File opened for modification C:\Windows\SysWOW64\Madjbg32.exe Mjkbemll.exe File opened for modification C:\Windows\SysWOW64\Johnkbaj.exe Jikfbkbc.exe File opened for modification C:\Windows\SysWOW64\Amgefl32.exe Afmmibga.exe File opened for modification C:\Windows\SysWOW64\Lggeej32.exe Lajmmc32.exe File opened for modification C:\Windows\SysWOW64\Jklpakam.exe Jqgldb32.exe File created C:\Windows\SysWOW64\Alelkf32.exe Aifpoj32.exe File created C:\Windows\SysWOW64\Okgjno32.dll Phmjdbpo.exe File created C:\Windows\SysWOW64\Pajlieni.dll Dbqqeahl.exe File created C:\Windows\SysWOW64\Eiacljhl.dll Pogpcghp.exe File created C:\Windows\SysWOW64\Iiipfnch.exe Ilepmjdo.exe File created C:\Windows\SysWOW64\Nbepdfnc.exe Neaokboj.exe File created C:\Windows\SysWOW64\Ohiajebm.dll Cpbgnlfo.exe File opened for modification C:\Windows\SysWOW64\Neiiiecg.exe Nmbaggce.exe File created C:\Windows\SysWOW64\Pcjoki32.dll Plkpmlfi.exe File created C:\Windows\SysWOW64\Hlalhlfd.dll Efkfkilj.exe File created C:\Windows\SysWOW64\Bofojign.dll Fhpmql32.exe File created C:\Windows\SysWOW64\Nfbcpgeg.dll Nabfcegi.exe File opened for modification C:\Windows\SysWOW64\Khnfce32.exe Jekpljgg.exe File created C:\Windows\SysWOW64\Bhcpbp32.dll Jcjgeb32.exe File created C:\Windows\SysWOW64\Mkicjgnn.exe Mginniij.exe File created C:\Windows\SysWOW64\Qoqbbhcm.dll Chebcmna.exe File created C:\Windows\SysWOW64\Qpdhhmkg.dll Gloejmld.exe File created C:\Windows\SysWOW64\Dmmblkpm.exe Dkmebh32.exe File created C:\Windows\SysWOW64\Jacnegep.exe Hdcnpd32.exe File opened for modification C:\Windows\SysWOW64\Oamgcm32.exe Mkicjgnn.exe File created C:\Windows\SysWOW64\Dpnbmi32.exe Bnbmqjjo.exe File opened for modification C:\Windows\SysWOW64\Hdcnpd32.exe Gcgndf32.exe File created C:\Windows\SysWOW64\Njkklk32.exe Nabfcegi.exe File opened for modification C:\Windows\SysWOW64\Ebpjjk32.exe Dmcabd32.exe File opened for modification C:\Windows\SysWOW64\Iojbid32.exe Iimjan32.exe File created C:\Windows\SysWOW64\Kchdfpen.exe Kloljf32.exe File opened for modification C:\Windows\SysWOW64\Nfhipj32.exe Ndgpnogo.exe File created C:\Windows\SysWOW64\Mnoqeq32.dll Doqpkq32.exe File created C:\Windows\SysWOW64\Lkjehbaa.exe Lqdakjak.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3812 772 WerFault.exe 613 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqnbgpmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Johnkbaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fenhcnaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Foclpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldoadabi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlipal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjmgomjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjiipd32.dll" Ccinggcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgqcnjba.dll" Dcigneeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnojad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdcaahbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oennph32.dll" Qffoejkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doqpkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajikhfpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pciidjdb.dll" Ojjfpjjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilpaei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghgljg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjndbb32.dll" Nfeekgjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opnbjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lejngd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhmllhmp.dll" Geohdago.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plimpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjfmda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpmajdig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mllabgnk.dll" Emhkmcbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efkfkilj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnafgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhph32.dll" Onhmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcehpf32.dll" Cjpcel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kccgocfc.dll" Mdibplaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfela32.dll" Dhfhnfhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcdafg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opjjgdim.dll" Kllodfpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcbnopkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgggaamn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omgabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceeehf32.dll" Dgcoaock.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afmmibga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imkbglei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoheefad.dll" Jmbhhkoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjhndf32.dll" Neaokboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbhina32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkjehbaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onccdj32.dll" Decmjjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjaendej.dll" Jmfdpkeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmenmgab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kancjm32.dll" Anmjmojl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebbfpjbn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kckqlpck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mginniij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmplbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmmbbodp.dll" Qjcdih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbepdfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enmcgg32.dll" NEAS.cd4dfe1255f80f8fa251d395d00b48f0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknodnil.dll" Dmcabd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbghpinc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kohhopdk.dll" Oblmnmjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmkbpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncifdlii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkinmlnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibdiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljjjqd32.dll" Hlkmfkli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doeghk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fahajbek.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2056 wrote to memory of 1556 2056 NEAS.cd4dfe1255f80f8fa251d395d00b48f0.exe 88 PID 2056 wrote to memory of 1556 2056 NEAS.cd4dfe1255f80f8fa251d395d00b48f0.exe 88 PID 2056 wrote to memory of 1556 2056 NEAS.cd4dfe1255f80f8fa251d395d00b48f0.exe 88 PID 1556 wrote to memory of 568 1556 Fnnimbaj.exe 89 PID 1556 wrote to memory of 568 1556 Fnnimbaj.exe 89 PID 1556 wrote to memory of 568 1556 Fnnimbaj.exe 89 PID 568 wrote to memory of 4936 568 Gloejmld.exe 90 PID 568 wrote to memory of 4936 568 Gloejmld.exe 90 PID 568 wrote to memory of 4936 568 Gloejmld.exe 90 PID 4936 wrote to memory of 3904 4936 Gflcnanp.exe 91 PID 4936 wrote to memory of 3904 4936 Gflcnanp.exe 91 PID 4936 wrote to memory of 3904 4936 Gflcnanp.exe 91 PID 3904 wrote to memory of 976 3904 Hjoeoo32.exe 92 PID 3904 wrote to memory of 976 3904 Hjoeoo32.exe 92 PID 3904 wrote to memory of 976 3904 Hjoeoo32.exe 92 PID 976 wrote to memory of 1716 976 Ijmapm32.exe 93 PID 976 wrote to memory of 1716 976 Ijmapm32.exe 93 PID 976 wrote to memory of 1716 976 Ijmapm32.exe 93 PID 1716 wrote to memory of 3268 1716 Jjakkmpk.exe 94 PID 1716 wrote to memory of 3268 1716 Jjakkmpk.exe 94 PID 1716 wrote to memory of 3268 1716 Jjakkmpk.exe 94 PID 3268 wrote to memory of 236 3268 Jjhalkjc.exe 95 PID 3268 wrote to memory of 236 3268 Jjhalkjc.exe 95 PID 3268 wrote to memory of 236 3268 Jjhalkjc.exe 95 PID 236 wrote to memory of 3896 236 Jnfjbj32.exe 96 PID 236 wrote to memory of 3896 236 Jnfjbj32.exe 96 PID 236 wrote to memory of 3896 236 Jnfjbj32.exe 96 PID 3896 wrote to memory of 3436 3896 Ljncnhhk.exe 97 PID 3896 wrote to memory of 3436 3896 Ljncnhhk.exe 97 PID 3896 wrote to memory of 3436 3896 Ljncnhhk.exe 97 PID 3436 wrote to memory of 3160 3436 Mginniij.exe 98 PID 3436 wrote to memory of 3160 3436 Mginniij.exe 98 PID 3436 wrote to memory of 3160 3436 Mginniij.exe 98 PID 3160 wrote to memory of 1532 3160 Mkicjgnn.exe 99 PID 3160 wrote to memory of 1532 3160 Mkicjgnn.exe 99 PID 3160 wrote to memory of 1532 3160 Mkicjgnn.exe 99 PID 1532 wrote to memory of 1860 1532 Oamgcm32.exe 100 PID 1532 wrote to memory of 1860 1532 Oamgcm32.exe 100 PID 1532 wrote to memory of 1860 1532 Oamgcm32.exe 100 PID 1860 wrote to memory of 1664 1860 Pbdmdlie.exe 101 PID 1860 wrote to memory of 1664 1860 Pbdmdlie.exe 101 PID 1860 wrote to memory of 1664 1860 Pbdmdlie.exe 101 PID 1664 wrote to memory of 2084 1664 Qffoejkg.exe 102 PID 1664 wrote to memory of 2084 1664 Qffoejkg.exe 102 PID 1664 wrote to memory of 2084 1664 Qffoejkg.exe 102 PID 2084 wrote to memory of 1032 2084 Aoapcood.exe 103 PID 2084 wrote to memory of 1032 2084 Aoapcood.exe 103 PID 2084 wrote to memory of 1032 2084 Aoapcood.exe 103 PID 1032 wrote to memory of 2236 1032 Akhaipei.exe 104 PID 1032 wrote to memory of 2236 1032 Akhaipei.exe 104 PID 1032 wrote to memory of 2236 1032 Akhaipei.exe 104 PID 2236 wrote to memory of 4120 2236 Bnbmqjjo.exe 105 PID 2236 wrote to memory of 4120 2236 Bnbmqjjo.exe 105 PID 2236 wrote to memory of 4120 2236 Bnbmqjjo.exe 105 PID 4120 wrote to memory of 2008 4120 Dpnbmi32.exe 106 PID 4120 wrote to memory of 2008 4120 Dpnbmi32.exe 106 PID 4120 wrote to memory of 2008 4120 Dpnbmi32.exe 106 PID 2008 wrote to memory of 3720 2008 Eoekde32.exe 107 PID 2008 wrote to memory of 3720 2008 Eoekde32.exe 107 PID 2008 wrote to memory of 3720 2008 Eoekde32.exe 107 PID 3720 wrote to memory of 1672 3720 Fekclnif.exe 108 PID 3720 wrote to memory of 1672 3720 Fekclnif.exe 108 PID 3720 wrote to memory of 1672 3720 Fekclnif.exe 108 PID 1672 wrote to memory of 5052 1672 Gchflq32.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.cd4dfe1255f80f8fa251d395d00b48f0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.cd4dfe1255f80f8fa251d395d00b48f0.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Fnnimbaj.exeC:\Windows\system32\Fnnimbaj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Gloejmld.exeC:\Windows\system32\Gloejmld.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\SysWOW64\Gflcnanp.exeC:\Windows\system32\Gflcnanp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Hjoeoo32.exeC:\Windows\system32\Hjoeoo32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Ijmapm32.exeC:\Windows\system32\Ijmapm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Jjakkmpk.exeC:\Windows\system32\Jjakkmpk.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Jjhalkjc.exeC:\Windows\system32\Jjhalkjc.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Windows\SysWOW64\Jnfjbj32.exeC:\Windows\system32\Jnfjbj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:236 -
C:\Windows\SysWOW64\Ljncnhhk.exeC:\Windows\system32\Ljncnhhk.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\SysWOW64\Mginniij.exeC:\Windows\system32\Mginniij.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\SysWOW64\Mkicjgnn.exeC:\Windows\system32\Mkicjgnn.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Oamgcm32.exeC:\Windows\system32\Oamgcm32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Pbdmdlie.exeC:\Windows\system32\Pbdmdlie.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Qffoejkg.exeC:\Windows\system32\Qffoejkg.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Aoapcood.exeC:\Windows\system32\Aoapcood.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Akhaipei.exeC:\Windows\system32\Akhaipei.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Bnbmqjjo.exeC:\Windows\system32\Bnbmqjjo.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Dpnbmi32.exeC:\Windows\system32\Dpnbmi32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\Eoekde32.exeC:\Windows\system32\Eoekde32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Fekclnif.exeC:\Windows\system32\Fekclnif.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\Gchflq32.exeC:\Windows\system32\Gchflq32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Ghgljg32.exeC:\Windows\system32\Ghgljg32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:5052 -
C:\Windows\SysWOW64\Hfeoijbi.exeC:\Windows\system32\Hfeoijbi.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Iqaiga32.exeC:\Windows\system32\Iqaiga32.exe25⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Jokpcmmj.exeC:\Windows\system32\Jokpcmmj.exe26⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Lpghfi32.exeC:\Windows\system32\Lpghfi32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Lpjelibg.exeC:\Windows\system32\Lpjelibg.exe28⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Omgabj32.exeC:\Windows\system32\Omgabj32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:3848 -
C:\Windows\SysWOW64\Odfcjc32.exeC:\Windows\system32\Odfcjc32.exe30⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Oalpigkb.exeC:\Windows\system32\Oalpigkb.exe31⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Pdmikb32.exeC:\Windows\system32\Pdmikb32.exe32⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Pjjaci32.exeC:\Windows\system32\Pjjaci32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5076 -
C:\Windows\SysWOW64\Pkinmlnm.exeC:\Windows\system32\Pkinmlnm.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:740 -
C:\Windows\SysWOW64\Pjoknhbe.exeC:\Windows\system32\Pjoknhbe.exe35⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Pddokabk.exeC:\Windows\system32\Pddokabk.exe36⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Pahpee32.exeC:\Windows\system32\Pahpee32.exe37⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Qjcdih32.exeC:\Windows\system32\Qjcdih32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:3588 -
C:\Windows\SysWOW64\Anffje32.exeC:\Windows\system32\Anffje32.exe39⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Ajmgof32.exeC:\Windows\system32\Ajmgof32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Aklciimh.exeC:\Windows\system32\Aklciimh.exe41⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Bbkeacqo.exeC:\Windows\system32\Bbkeacqo.exe42⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Bbmbgb32.exeC:\Windows\system32\Bbmbgb32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4732 -
C:\Windows\SysWOW64\Cqghcn32.exeC:\Windows\system32\Cqghcn32.exe44⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Cjaiac32.exeC:\Windows\system32\Cjaiac32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4360 -
C:\Windows\SysWOW64\Ckfofe32.exeC:\Windows\system32\Ckfofe32.exe46⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Dijppjfd.exeC:\Windows\system32\Dijppjfd.exe47⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Decmjjie.exeC:\Windows\system32\Decmjjie.exe48⤵
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Deejpjgc.exeC:\Windows\system32\Deejpjgc.exe49⤵
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\Ejkenpnp.exeC:\Windows\system32\Ejkenpnp.exe50⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Fjpoio32.exeC:\Windows\system32\Fjpoio32.exe51⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Fefcgh32.exeC:\Windows\system32\Fefcgh32.exe52⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Fehplggn.exeC:\Windows\system32\Fehplggn.exe53⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Gogjflhf.exeC:\Windows\system32\Gogjflhf.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3288 -
C:\Windows\SysWOW64\Giahndcf.exeC:\Windows\system32\Giahndcf.exe55⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Hhbdko32.exeC:\Windows\system32\Hhbdko32.exe56⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Icakofel.exeC:\Windows\system32\Icakofel.exe57⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Kkofofbb.exeC:\Windows\system32\Kkofofbb.exe58⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Lpdefc32.exeC:\Windows\system32\Lpdefc32.exe59⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Ndgpnogo.exeC:\Windows\system32\Ndgpnogo.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4312 -
C:\Windows\SysWOW64\Nfhipj32.exeC:\Windows\system32\Nfhipj32.exe61⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Ndliin32.exeC:\Windows\system32\Ndliin32.exe62⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Pdchakoo.exeC:\Windows\system32\Pdchakoo.exe63⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Bdfnmhnj.exeC:\Windows\system32\Bdfnmhnj.exe64⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Bkglkapo.exeC:\Windows\system32\Bkglkapo.exe65⤵
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Dmnkdfce.exeC:\Windows\system32\Dmnkdfce.exe66⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Dgcoaock.exeC:\Windows\system32\Dgcoaock.exe67⤵
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Eeimqc32.exeC:\Windows\system32\Eeimqc32.exe68⤵PID:208
-
C:\Windows\SysWOW64\Fndgfffm.exeC:\Windows\system32\Fndgfffm.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2436 -
C:\Windows\SysWOW64\Hlipfh32.exeC:\Windows\system32\Hlipfh32.exe70⤵PID:3344
-
C:\Windows\SysWOW64\Iaokdn32.exeC:\Windows\system32\Iaokdn32.exe71⤵
- Drops file in System32 directory
PID:4772 -
C:\Windows\SysWOW64\Iaahjmkn.exeC:\Windows\system32\Iaahjmkn.exe72⤵PID:1320
-
C:\Windows\SysWOW64\Jojboa32.exeC:\Windows\system32\Jojboa32.exe73⤵PID:3756
-
C:\Windows\SysWOW64\Jefgak32.exeC:\Windows\system32\Jefgak32.exe74⤵PID:4208
-
C:\Windows\SysWOW64\Jehcfj32.exeC:\Windows\system32\Jehcfj32.exe75⤵PID:3928
-
C:\Windows\SysWOW64\Jkeloa32.exeC:\Windows\system32\Jkeloa32.exe76⤵PID:2124
-
C:\Windows\SysWOW64\Jekpljgg.exeC:\Windows\system32\Jekpljgg.exe77⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Khnfce32.exeC:\Windows\system32\Khnfce32.exe78⤵PID:1432
-
C:\Windows\SysWOW64\Lfbpcgbl.exeC:\Windows\system32\Lfbpcgbl.exe79⤵PID:1232
-
C:\Windows\SysWOW64\Mndjhhjp.exeC:\Windows\system32\Mndjhhjp.exe80⤵PID:1808
-
C:\Windows\SysWOW64\Neaokboj.exeC:\Windows\system32\Neaokboj.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Nbepdfnc.exeC:\Windows\system32\Nbepdfnc.exe82⤵
- Modifies registry class
PID:4324 -
C:\Windows\SysWOW64\Nmmqgo32.exeC:\Windows\system32\Nmmqgo32.exe83⤵PID:3352
-
C:\Windows\SysWOW64\Oflkqc32.exeC:\Windows\system32\Oflkqc32.exe84⤵PID:4204
-
C:\Windows\SysWOW64\Ommjnlnd.exeC:\Windows\system32\Ommjnlnd.exe85⤵PID:2820
-
C:\Windows\SysWOW64\Pbahgbfc.exeC:\Windows\system32\Pbahgbfc.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1992 -
C:\Windows\SysWOW64\Plimpg32.exeC:\Windows\system32\Plimpg32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Aifpoj32.exeC:\Windows\system32\Aifpoj32.exe88⤵
- Drops file in System32 directory
PID:4824 -
C:\Windows\SysWOW64\Alelkf32.exeC:\Windows\system32\Alelkf32.exe89⤵PID:748
-
C:\Windows\SysWOW64\Blnoad32.exeC:\Windows\system32\Blnoad32.exe90⤵PID:2976
-
C:\Windows\SysWOW64\Bekmei32.exeC:\Windows\system32\Bekmei32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3948 -
C:\Windows\SysWOW64\Ccdgjm32.exeC:\Windows\system32\Ccdgjm32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1156 -
C:\Windows\SysWOW64\Dmhkoaco.exeC:\Windows\system32\Dmhkoaco.exe93⤵PID:1716
-
C:\Windows\SysWOW64\Dfeibf32.exeC:\Windows\system32\Dfeibf32.exe94⤵PID:3752
-
C:\Windows\SysWOW64\Emoaopnf.exeC:\Windows\system32\Emoaopnf.exe95⤵PID:792
-
C:\Windows\SysWOW64\Ecblbi32.exeC:\Windows\system32\Ecblbi32.exe96⤵PID:2860
-
C:\Windows\SysWOW64\Fnhppa32.exeC:\Windows\system32\Fnhppa32.exe97⤵PID:2024
-
C:\Windows\SysWOW64\Ffhnocfd.exeC:\Windows\system32\Ffhnocfd.exe98⤵PID:1648
-
C:\Windows\SysWOW64\Fmbflm32.exeC:\Windows\system32\Fmbflm32.exe99⤵PID:2036
-
C:\Windows\SysWOW64\Fggkifmg.exeC:\Windows\system32\Fggkifmg.exe100⤵PID:236
-
C:\Windows\SysWOW64\Fnacfp32.exeC:\Windows\system32\Fnacfp32.exe101⤵PID:1496
-
C:\Windows\SysWOW64\Fpbpmhjb.exeC:\Windows\system32\Fpbpmhjb.exe102⤵PID:3652
-
C:\Windows\SysWOW64\Gmfpgmil.exeC:\Windows\system32\Gmfpgmil.exe103⤵PID:2084
-
C:\Windows\SysWOW64\Gcgndf32.exeC:\Windows\system32\Gcgndf32.exe104⤵
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Hdcnpd32.exeC:\Windows\system32\Hdcnpd32.exe105⤵
- Drops file in System32 directory
PID:1364 -
C:\Windows\SysWOW64\Jacnegep.exeC:\Windows\system32\Jacnegep.exe106⤵PID:232
-
C:\Windows\SysWOW64\Jkplilgk.exeC:\Windows\system32\Jkplilgk.exe107⤵PID:2072
-
C:\Windows\SysWOW64\Kobnji32.exeC:\Windows\system32\Kobnji32.exe108⤵PID:772
-
C:\Windows\SysWOW64\Kgeiokao.exeC:\Windows\system32\Kgeiokao.exe109⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Lajmmc32.exeC:\Windows\system32\Lajmmc32.exe110⤵
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Lggeej32.exeC:\Windows\system32\Lggeej32.exe111⤵PID:3064
-
C:\Windows\SysWOW64\Locgagli.exeC:\Windows\system32\Locgagli.exe112⤵PID:848
-
C:\Windows\SysWOW64\Mkoaagmh.exeC:\Windows\system32\Mkoaagmh.exe113⤵PID:2476
-
C:\Windows\SysWOW64\Mbhina32.exeC:\Windows\system32\Mbhina32.exe114⤵
- Modifies registry class
PID:1388 -
C:\Windows\SysWOW64\Mgebfhcl.exeC:\Windows\system32\Mgebfhcl.exe115⤵PID:3812
-
C:\Windows\SysWOW64\Mdibplaf.exeC:\Windows\system32\Mdibplaf.exe116⤵
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Oendaipn.exeC:\Windows\system32\Oendaipn.exe117⤵PID:3808
-
C:\Windows\SysWOW64\Phmjdbpo.exeC:\Windows\system32\Phmjdbpo.exe118⤵
- Drops file in System32 directory
PID:4540 -
C:\Windows\SysWOW64\Pbbnbkpe.exeC:\Windows\system32\Pbbnbkpe.exe119⤵PID:3956
-
C:\Windows\SysWOW64\Qhbcpb32.exeC:\Windows\system32\Qhbcpb32.exe120⤵PID:1984
-
C:\Windows\SysWOW64\Aikbpckb.exeC:\Windows\system32\Aikbpckb.exe121⤵
- Drops file in System32 directory
PID:3336
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-