Analysis
max time kernel: 173s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/10/2023, 17:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.78fcc620c61d60e2cf6590fea66ceac0.exe
Resource
win7-20230831-en
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.78fcc620c61d60e2cf6590fea66ceac0.exe
Resource
win10v2004-20230915-en
6 signatures
150 seconds
General
Target: NEAS.78fcc620c61d60e2cf6590fea66ceac0.exe
Size: 240KB
MD5: 78fcc620c61d60e2cf6590fea66ceac0
SHA1: 7653f787d94b8c5572c397f7ebc9d4f678d4f6c8
SHA256: 5e174aaa5024a64648409a11ef609be316bdeeac3fe2381ecd5b54eee9552c48
SHA512: 18d5c3ed7ba6dee76c556855808fb27d970800f941696306b435352399628238207db61cbe0a29176b4663cbf3f8a853cc69b9b3ad72dbc43b1b6bd828b0e9d1
SSDEEP: 6144:q7yq3yRGCGvVeoFEcAJN+SYSUZCb6M3W8DStQUkA1FiHwSD:K3oPmFtycSly8DSUA1YHVD
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmcoflhh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lfcmhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Miqlpbap.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddngdj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pnmojp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gbhpajlj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kaonaekb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mflbdibj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pddmml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dibmfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cdmokljp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eohhie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fggkifmg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqdeefpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fneohd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdijkmbl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfnfck32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpeplmha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fdpnng32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phpbffnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nejkfj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jkaadebl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dejamdca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Faemjl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjlcclfl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jddnah32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkdnjd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njjmil32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cibabdno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lfddci32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bgggockk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Eefhcimp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gkcbhgii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Meogbcel.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nipedokm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qfhmcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cpljonfl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahhbfkbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Flgfqb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fafddb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ggkiha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Akamol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cfldob32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eclmlpfl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfodpbpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jjklcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fhefmjlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Adbiojfo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oeicopoo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Akamol32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjeflc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dnmgni32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ffjdjmpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Eehnnb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfpeeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Qamaae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ddngdj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ckkilhjm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ockdfceh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hgboiq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mbkmngfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Acdbpq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpapgknd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Encpeodp.exe
Executes dropped EXE (64 IoCs)
pid | Process
4076 | Hclccd32.exe
1636 | Jepbodhg.exe
3456 | Kebodc32.exe
2516 | Kaqejcep.exe
3780 | Lfddci32.exe
5000 | Lmqiec32.exe
3140 | Mklpof32.exe
3924 | Nefmgogl.exe
1712 | Ngnppfgb.exe
3648 | Oookgbpj.exe
2988 | Pbfjjlgc.exe
1352 | Phpbffnp.exe
3320 | Qkakhakq.exe
1912 | Afkipi32.exe
2068 | Bflagg32.exe
432 | Beaohcmf.exe
776 | Cejaobel.exe
4780 | Dhbqalle.exe
3528 | Dbjade32.exe
2232 | Eohhie32.exe
2976 | Fhefmjlp.exe
2828 | Gccmaack.exe
672 | Ijjnpg32.exe
1428 | Ioicnn32.exe
2848 | Kgngqico.exe
2248 | Kfjjbd32.exe
368 | Lgjglg32.exe
2656 | Likcdpop.exe
3936 | Lfcmhc32.exe
1272 | Lhcjbfag.exe
3964 | Mdjjgggk.exe
4724 | Miipencp.exe
5064 | Mphamg32.exe
3872 | Omgabj32.exe
3788 | Oinbgk32.exe
1236 | Phiekaql.exe
804 | Pahpee32.exe
4408 | Aglnnkid.exe
4956 | Agnkck32.exe
3852 | Agqhik32.exe
1232 | Ahpdcn32.exe
3544 | Ajaqjfbp.exe
4196 | Bhbahm32.exe
2308 | Cegnol32.exe
968 | Daeddlco.exe
1444 | Ejdonq32.exe
3540 | Fbggkl32.exe
2832 | Faopah32.exe
3336 | Fbnmkk32.exe
3772 | Foenplji.exe
3452 | Gahcgg32.exe
2328 | Gbhpajlj.exe
2900 | Gekeie32.exe
3904 | Hhlnjpdi.exe
3404 | Hikkdc32.exe
1976 | Hommhi32.exe
1680 | Ieknpb32.exe
812 | Ikjcmi32.exe
3848 | Jmccnk32.exe
544 | Kkofofbb.exe
60 | Kjqfmn32.exe
2464 | Lbcabo32.exe
3232 | Mpkkgbmi.exe
1092 | Nfcoekhe.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Cmimlalm.dll | Foenplji.exe
File opened for modification | C:\Windows\SysWOW64\Cclhbcho.exe | Bmbpeiaa.exe
File created | C:\Windows\SysWOW64\Liqibm32.exe | Lnkedd32.exe
File created | C:\Windows\SysWOW64\Ckjpamkc.dll | Pfoahd32.exe
File created | C:\Windows\SysWOW64\Lnleolbk.dll | Ebjckppa.exe
File created | C:\Windows\SysWOW64\Bflagg32.exe | Afkipi32.exe
File created | C:\Windows\SysWOW64\Beaohcmf.exe | Bflagg32.exe
File opened for modification | C:\Windows\SysWOW64\Pahpee32.exe | Phiekaql.exe
File created | C:\Windows\SysWOW64\Mnjnokej.dll | Haobnpkc.exe
File created | C:\Windows\SysWOW64\Iaapnpqn.dll | Fojenfeg.exe
File opened for modification | C:\Windows\SysWOW64\Knkokl32.exe | Jnmbjnlm.exe
File opened for modification | C:\Windows\SysWOW64\Nbiioe32.exe | Neaokboj.exe
File created | C:\Windows\SysWOW64\Ooaghe32.exe | Oeicopoo.exe
File created | C:\Windows\SysWOW64\Gedqcjbo.dll | Ipjenn32.exe
File created | C:\Windows\SysWOW64\Hlpfak32.exe | Gihgoq32.exe
File opened for modification | C:\Windows\SysWOW64\Kcepfj32.exe | Kllhjplh.exe
File created | C:\Windows\SysWOW64\Oblmnmjl.exe | Oidhehcl.exe
File created | C:\Windows\SysWOW64\Mcmongoj.exe | Mjdkeaij.exe
File created | C:\Windows\SysWOW64\Hoglbc32.exe | Hdahek32.exe
File created | C:\Windows\SysWOW64\Eojpjafa.dll | Mceccbpj.exe
File opened for modification | C:\Windows\SysWOW64\Iejqeiif.exe | Hnphio32.exe
File opened for modification | C:\Windows\SysWOW64\Mofmhhcl.exe | Mhldlnko.exe
File opened for modification | C:\Windows\SysWOW64\Oblmnmjl.exe | Oidhehcl.exe
File created | C:\Windows\SysWOW64\Mmkdlbea.exe | Mcbpcm32.exe
File opened for modification | C:\Windows\SysWOW64\Lpeplmha.exe | Ladpnepb.exe
File opened for modification | C:\Windows\SysWOW64\Ekhjgoga.exe | Ednajepe.exe
File created | C:\Windows\SysWOW64\Pjnipc32.exe | Odaphl32.exe
File opened for modification | C:\Windows\SysWOW64\Emaemefo.exe | Dkifkkpf.exe
File opened for modification | C:\Windows\SysWOW64\Hlmbadfk.exe | Hecjej32.exe
File opened for modification | C:\Windows\SysWOW64\Cjjlep32.exe | Ccpdhfmb.exe
File opened for modification | C:\Windows\SysWOW64\Fppqjcli.exe | Efhlan32.exe
File created | C:\Windows\SysWOW64\Dqmjqb32.exe | Dahmoefm.exe
File created | C:\Windows\SysWOW64\Ieknpb32.exe | Hommhi32.exe
File created | C:\Windows\SysWOW64\Ppnlpm32.dll | Ollgiplp.exe
File created | C:\Windows\SysWOW64\Hpbacnci.dll | Apbngn32.exe
File opened for modification | C:\Windows\SysWOW64\Fojenfeg.exe | Fhpmql32.exe
File opened for modification | C:\Windows\SysWOW64\Ggkiha32.exe | Fhofffjo.exe
File opened for modification | C:\Windows\SysWOW64\Agqhik32.exe | Agnkck32.exe
File opened for modification | C:\Windows\SysWOW64\Bnnklg32.exe | Bchgnoai.exe
File opened for modification | C:\Windows\SysWOW64\Gdafgefe.exe | Gdoiaf32.exe
File created | C:\Windows\SysWOW64\Cmflkl32.exe | Cfldob32.exe
File created | C:\Windows\SysWOW64\Bedcpnmi.dll | Qfhdnb32.exe
File created | C:\Windows\SysWOW64\Nhhkhqeo.dll | Cmflkl32.exe
File opened for modification | C:\Windows\SysWOW64\Kafcmglb.exe | Jpegeo32.exe
File created | C:\Windows\SysWOW64\Mnddfh32.dll | Mhldlnko.exe
File created | C:\Windows\SysWOW64\Encpeodp.exe | Ecnlhf32.exe
File opened for modification | C:\Windows\SysWOW64\Lfcmhc32.exe | Likcdpop.exe
File opened for modification | C:\Windows\SysWOW64\Ockdfceh.exe | Ocihqc32.exe
File opened for modification | C:\Windows\SysWOW64\Igoeoe32.exe | Hbbmgn32.exe
File created | C:\Windows\SysWOW64\Acdbpq32.exe | Ajlngk32.exe
File created | C:\Windows\SysWOW64\Bjjfnk32.dll | Poaqocgl.exe
File created | C:\Windows\SysWOW64\Cmbobi32.dll | Ammgifpn.exe
File created | C:\Windows\SysWOW64\Efccfojn.exe | Ebcmjqej.exe
File opened for modification | C:\Windows\SysWOW64\Efccfojn.exe | Ebcmjqej.exe
File opened for modification | C:\Windows\SysWOW64\Mchpibng.exe | Mjokpm32.exe
File opened for modification | C:\Windows\SysWOW64\Hoogpcco.exe | Ggicmh32.exe
File created | C:\Windows\SysWOW64\Giafegnk.dll | Mcpcnm32.exe
File created | C:\Windows\SysWOW64\Jdejnojm.dll | Bpcgionf.exe
File created | C:\Windows\SysWOW64\Gkkndp32.exe | Gdafgefe.exe
File created | C:\Windows\SysWOW64\Kmpbdj32.dll | Ajlngk32.exe
File created | C:\Windows\SysWOW64\Almnebcg.dll | Nbnpmp32.exe
File created | C:\Windows\SysWOW64\Ioicnn32.exe | Ijjnpg32.exe
File opened for modification | C:\Windows\SysWOW64\Gekeie32.exe | Gbhpajlj.exe
File created | C:\Windows\SysWOW64\Loqjlg32.exe | Lhgbomfo.exe
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
8052 | 7684 | WerFault.exe | 691
8064 | 7684 | WerFault.exe | 691
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jjklcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lekjgafi.dll" | Bmbpeiaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gehfdaje.dll" | Jdnnjane.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obmbfpea.dll" | Hommhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efcnhmeg.dll" | Fbiooolb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jjhjli32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ljfhjn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Pcnhfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Khiopp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nqjbnjfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Anpnmele.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Innfan32.dll" | Fdegkdim.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kngcdkjo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafmjb32.dll" | Nlglpkpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkkoeh32.dll" | Nppfimnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Appdbegc.dll" | Bdapon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dnmgni32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Lhkkjl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ffjdjmpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojqnlp32.dll" | Njcpok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fflobgng.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Moofhiid.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Nbkoeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lmqiec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Gekeie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gegilj32.dll" | Omhpcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ddkbfp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lpeplmha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lnfgmc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bbljoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaepea32.dll" | Ckdcli32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Onapnbhi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcllmi32.dll" | Mphamg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Idieob32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ckfggf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmpkc32.dll" | Hpqlof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkohd32.dll" | Clldhljp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Knfliefc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Onapnbhi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gciagdlp.dll" | Anpnmele.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cmflkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fflngpbn.dll" | Bhkfdcbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dildibfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbmih32.dll" | Gfodpbpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Eohhie32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ahpdcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gepkfejp.dll" | Cmcoflhh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bbjmdlcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Homadjin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdckfe32.dll" | Fdijkmbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kppimogj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Nifcnpch.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ppdbqchi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fnofpqff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Djnfppqi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hjfplo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnecip32.dll" | Flgfqb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ooaghe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mfbaka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojqhfb32.dll" | Fjdajhbi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kaonaekb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bpodhf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clibgl32.dll" | Hoogpcco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnamikio.dll" | Lpqgqn32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2480 wrote to memory of 4076 | 2480 | NEAS.78fcc620c61d60e2cf6590fea66ceac0.exe | 87
PID 2480 wrote to memory of 4076 | 2480 | NEAS.78fcc620c61d60e2cf6590fea66ceac0.exe | 87
PID 2480 wrote to memory of 4076 | 2480 | NEAS.78fcc620c61d60e2cf6590fea66ceac0.exe | 87
PID 4076 wrote to memory of 1636 | 4076 | Hclccd32.exe | 88
PID 4076 wrote to memory of 1636 | 4076 | Hclccd32.exe | 88
PID 4076 wrote to memory of 1636 | 4076 | Hclccd32.exe | 88
PID 1636 wrote to memory of 3456 | 1636 | Jepbodhg.exe | 89
PID 1636 wrote to memory of 3456 | 1636 | Jepbodhg.exe | 89
PID 1636 wrote to memory of 3456 | 1636 | Jepbodhg.exe | 89
PID 3456 wrote to memory of 2516 | 3456 | Kebodc32.exe | 90
PID 3456 wrote to memory of 2516 | 3456 | Kebodc32.exe | 90
PID 3456 wrote to memory of 2516 | 3456 | Kebodc32.exe | 90
PID 2516 wrote to memory of 3780 | 2516 | Kaqejcep.exe | 92
PID 2516 wrote to memory of 3780 | 2516 | Kaqejcep.exe | 92
PID 2516 wrote to memory of 3780 | 2516 | Kaqejcep.exe | 92
PID 3780 wrote to memory of 5000 | 3780 | Lfddci32.exe | 93
PID 3780 wrote to memory of 5000 | 3780 | Lfddci32.exe | 93
PID 3780 wrote to memory of 5000 | 3780 | Lfddci32.exe | 93
PID 5000 wrote to memory of 3140 | 5000 | Lmqiec32.exe | 94
PID 5000 wrote to memory of 3140 | 5000 | Lmqiec32.exe | 94
PID 5000 wrote to memory of 3140 | 5000 | Lmqiec32.exe | 94
PID 3140 wrote to memory of 3924 | 3140 | Mklpof32.exe | 95
PID 3140 wrote to memory of 3924 | 3140 | Mklpof32.exe | 95
PID 3140 wrote to memory of 3924 | 3140 | Mklpof32.exe | 95
PID 3924 wrote to memory of 1712 | 3924 | Nefmgogl.exe | 96
PID 3924 wrote to memory of 1712 | 3924 | Nefmgogl.exe | 96
PID 3924 wrote to memory of 1712 | 3924 | Nefmgogl.exe | 96
PID 1712 wrote to memory of 3648 | 1712 | Ngnppfgb.exe | 97
PID 1712 wrote to memory of 3648 | 1712 | Ngnppfgb.exe | 97
PID 1712 wrote to memory of 3648 | 1712 | Ngnppfgb.exe | 97
PID 3648 wrote to memory of 2988 | 3648 | Oookgbpj.exe | 98
PID 3648 wrote to memory of 2988 | 3648 | Oookgbpj.exe | 98
PID 3648 wrote to memory of 2988 | 3648 | Oookgbpj.exe | 98
PID 2988 wrote to memory of 1352 | 2988 | Pbfjjlgc.exe | 99
PID 2988 wrote to memory of 1352 | 2988 | Pbfjjlgc.exe | 99
PID 2988 wrote to memory of 1352 | 2988 | Pbfjjlgc.exe | 99
PID 1352 wrote to memory of 3320 | 1352 | Phpbffnp.exe | 100
PID 1352 wrote to memory of 3320 | 1352 | Phpbffnp.exe | 100
PID 1352 wrote to memory of 3320 | 1352 | Phpbffnp.exe | 100
PID 3320 wrote to memory of 1912 | 3320 | Qkakhakq.exe | 102
PID 3320 wrote to memory of 1912 | 3320 | Qkakhakq.exe | 102
PID 3320 wrote to memory of 1912 | 3320 | Qkakhakq.exe | 102
PID 1912 wrote to memory of 2068 | 1912 | Afkipi32.exe | 103
PID 1912 wrote to memory of 2068 | 1912 | Afkipi32.exe | 103
PID 1912 wrote to memory of 2068 | 1912 | Afkipi32.exe | 103
PID 2068 wrote to memory of 432 | 2068 | Bflagg32.exe | 105
PID 2068 wrote to memory of 432 | 2068 | Bflagg32.exe | 105
PID 2068 wrote to memory of 432 | 2068 | Bflagg32.exe | 105
PID 432 wrote to memory of 776 | 432 | Beaohcmf.exe | 106
PID 432 wrote to memory of 776 | 432 | Beaohcmf.exe | 106
PID 432 wrote to memory of 776 | 432 | Beaohcmf.exe | 106
PID 776 wrote to memory of 4780 | 776 | Cejaobel.exe | 107
PID 776 wrote to memory of 4780 | 776 | Cejaobel.exe | 107
PID 776 wrote to memory of 4780 | 776 | Cejaobel.exe | 107
PID 4780 wrote to memory of 3528 | 4780 | Dhbqalle.exe | 108
PID 4780 wrote to memory of 3528 | 4780 | Dhbqalle.exe | 108
PID 4780 wrote to memory of 3528 | 4780 | Dhbqalle.exe | 108
PID 3528 wrote to memory of 2232 | 3528 | Dbjade32.exe | 109
PID 3528 wrote to memory of 2232 | 3528 | Dbjade32.exe | 109
PID 3528 wrote to memory of 2232 | 3528 | Dbjade32.exe | 109
PID 2232 wrote to memory of 2976 | 2232 | Eohhie32.exe | 110
PID 2232 wrote to memory of 2976 | 2232 | Eohhie32.exe | 110
PID 2232 wrote to memory of 2976 | 2232 | Eohhie32.exe | 110
PID 2976 wrote to memory of 2828 | 2976 | Fhefmjlp.exe | 111
Processes

Process tree, one process per line: depth, image path, command line, PID, and the behaviours flagged for that process. The original sample runs first; every later process is a dropped executable started by its predecessor.

1. C:\Users\Admin\AppData\Local\Temp\NEAS.78fcc620c61d60e2cf6590fea66ceac0.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.78fcc620c61d60e2cf6590fea66ceac0.exe"; PID 2480): Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Hclccd32.exe (command line: C:\Windows\system32\Hclccd32.exe; PID 4076): Executes dropped EXE; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Jepbodhg.exe (command line: C:\Windows\system32\Jepbodhg.exe; PID 1636): Executes dropped EXE; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Kebodc32.exe (command line: C:\Windows\system32\Kebodc32.exe; PID 3456): Executes dropped EXE; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Kaqejcep.exe (command line: C:\Windows\system32\Kaqejcep.exe; PID 2516): Executes dropped EXE; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Lfddci32.exe (command line: C:\Windows\system32\Lfddci32.exe; PID 3780): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Lmqiec32.exe (command line: C:\Windows\system32\Lmqiec32.exe; PID 5000): Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Mklpof32.exe (command line: C:\Windows\system32\Mklpof32.exe; PID 3140): Executes dropped EXE; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Nefmgogl.exe (command line: C:\Windows\system32\Nefmgogl.exe; PID 3924): Executes dropped EXE; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Ngnppfgb.exe (command line: C:\Windows\system32\Ngnppfgb.exe; PID 1712): Executes dropped EXE; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Oookgbpj.exe (command line: C:\Windows\system32\Oookgbpj.exe; PID 3648): Executes dropped EXE; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Pbfjjlgc.exe (command line: C:\Windows\system32\Pbfjjlgc.exe; PID 2988): Executes dropped EXE; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Phpbffnp.exe (command line: C:\Windows\system32\Phpbffnp.exe; PID 1352): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Qkakhakq.exe (command line: C:\Windows\system32\Qkakhakq.exe; PID 3320): Executes dropped EXE; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Afkipi32.exe (command line: C:\Windows\system32\Afkipi32.exe; PID 1912): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Bflagg32.exe (command line: C:\Windows\system32\Bflagg32.exe; PID 2068): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Beaohcmf.exe (command line: C:\Windows\system32\Beaohcmf.exe; PID 432): Executes dropped EXE; Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Cejaobel.exe (command line: C:\Windows\system32\Cejaobel.exe; PID 776): Executes dropped EXE; Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Dhbqalle.exe (command line: C:\Windows\system32\Dhbqalle.exe; PID 4780): Executes dropped EXE; Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Dbjade32.exe (command line: C:\Windows\system32\Dbjade32.exe; PID 3528): Executes dropped EXE; Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Eohhie32.exe (command line: C:\Windows\system32\Eohhie32.exe; PID 2232): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Fhefmjlp.exe (command line: C:\Windows\system32\Fhefmjlp.exe; PID 2976): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Gccmaack.exe (command line: C:\Windows\system32\Gccmaack.exe; PID 2828): Executes dropped EXE
24. C:\Windows\SysWOW64\Hokgmpkl.exe (command line: C:\Windows\system32\Hokgmpkl.exe; PID 4704)
25. C:\Windows\SysWOW64\Ijjnpg32.exe (command line: C:\Windows\system32\Ijjnpg32.exe; PID 672): Executes dropped EXE; Drops file in System32 directory
26. C:\Windows\SysWOW64\Ioicnn32.exe (command line: C:\Windows\system32\Ioicnn32.exe; PID 1428): Executes dropped EXE
27. C:\Windows\SysWOW64\Kgngqico.exe (command line: C:\Windows\system32\Kgngqico.exe; PID 2848): Executes dropped EXE
28. C:\Windows\SysWOW64\Kfjjbd32.exe (command line: C:\Windows\system32\Kfjjbd32.exe; PID 2248): Executes dropped EXE
29. C:\Windows\SysWOW64\Lgjglg32.exe (command line: C:\Windows\system32\Lgjglg32.exe; PID 368): Executes dropped EXE
30. C:\Windows\SysWOW64\Likcdpop.exe (command line: C:\Windows\system32\Likcdpop.exe; PID 2656): Executes dropped EXE; Drops file in System32 directory
31. C:\Windows\SysWOW64\Lfcmhc32.exe (command line: C:\Windows\system32\Lfcmhc32.exe; PID 3936): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
32. C:\Windows\SysWOW64\Lhcjbfag.exe (command line: C:\Windows\system32\Lhcjbfag.exe; PID 1272): Executes dropped EXE
33. C:\Windows\SysWOW64\Mdjjgggk.exe (command line: C:\Windows\system32\Mdjjgggk.exe; PID 3964): Executes dropped EXE
34. C:\Windows\SysWOW64\Miipencp.exe (command line: C:\Windows\system32\Miipencp.exe; PID 4724): Executes dropped EXE
35. C:\Windows\SysWOW64\Mphamg32.exe (command line: C:\Windows\system32\Mphamg32.exe; PID 5064): Executes dropped EXE; Modifies registry class
36. C:\Windows\SysWOW64\Omgabj32.exe (command line: C:\Windows\system32\Omgabj32.exe; PID 3872): Executes dropped EXE
37. C:\Windows\SysWOW64\Oinbgk32.exe (command line: C:\Windows\system32\Oinbgk32.exe; PID 3788): Executes dropped EXE
38. C:\Windows\SysWOW64\Phiekaql.exe (command line: C:\Windows\system32\Phiekaql.exe; PID 1236): Executes dropped EXE; Drops file in System32 directory
39. C:\Windows\SysWOW64\Pahpee32.exe (command line: C:\Windows\system32\Pahpee32.exe; PID 804): Executes dropped EXE
40. C:\Windows\SysWOW64\Aglnnkid.exe (command line: C:\Windows\system32\Aglnnkid.exe; PID 4408): Executes dropped EXE
41. C:\Windows\SysWOW64\Agnkck32.exe (command line: C:\Windows\system32\Agnkck32.exe; PID 4956): Executes dropped EXE; Drops file in System32 directory
42. C:\Windows\SysWOW64\Agqhik32.exe (command line: C:\Windows\system32\Agqhik32.exe; PID 3852): Executes dropped EXE
43. C:\Windows\SysWOW64\Ahpdcn32.exe (command line: C:\Windows\system32\Ahpdcn32.exe; PID 1232): Executes dropped EXE; Modifies registry class
44. C:\Windows\SysWOW64\Ajaqjfbp.exe (command line: C:\Windows\system32\Ajaqjfbp.exe; PID 3544): Executes dropped EXE
45. C:\Windows\SysWOW64\Bhbahm32.exe (command line: C:\Windows\system32\Bhbahm32.exe; PID 4196): Executes dropped EXE
46. C:\Windows\SysWOW64\Cegnol32.exe (command line: C:\Windows\system32\Cegnol32.exe; PID 2308): Executes dropped EXE
47. C:\Windows\SysWOW64\Daeddlco.exe (command line: C:\Windows\system32\Daeddlco.exe; PID 968): Executes dropped EXE
48. C:\Windows\SysWOW64\Ejdonq32.exe (command line: C:\Windows\system32\Ejdonq32.exe; PID 1444): Executes dropped EXE
49. C:\Windows\SysWOW64\Fbggkl32.exe (command line: C:\Windows\system32\Fbggkl32.exe; PID 3540): Executes dropped EXE
50. C:\Windows\SysWOW64\Faopah32.exe (command line: C:\Windows\system32\Faopah32.exe; PID 2832): Executes dropped EXE
51. C:\Windows\SysWOW64\Fbnmkk32.exe (command line: C:\Windows\system32\Fbnmkk32.exe; PID 3336): Executes dropped EXE
52. C:\Windows\SysWOW64\Foenplji.exe (command line: C:\Windows\system32\Foenplji.exe; PID 3772): Executes dropped EXE; Drops file in System32 directory
53. C:\Windows\SysWOW64\Gahcgg32.exe (command line: C:\Windows\system32\Gahcgg32.exe; PID 3452): Executes dropped EXE
54. C:\Windows\SysWOW64\Gbhpajlj.exe (command line: C:\Windows\system32\Gbhpajlj.exe; PID 2328): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
55. C:\Windows\SysWOW64\Gekeie32.exe (command line: C:\Windows\system32\Gekeie32.exe; PID 2900): Executes dropped EXE; Modifies registry class
56. C:\Windows\SysWOW64\Hhlnjpdi.exe (command line: C:\Windows\system32\Hhlnjpdi.exe; PID 3904): Executes dropped EXE
57. C:\Windows\SysWOW64\Hikkdc32.exe (command line: C:\Windows\system32\Hikkdc32.exe; PID 3404): Executes dropped EXE
58. C:\Windows\SysWOW64\Hommhi32.exe (command line: C:\Windows\system32\Hommhi32.exe; PID 1976): Executes dropped EXE; Drops file in System32 directory; Modifies registry class
59. C:\Windows\SysWOW64\Ieknpb32.exe (command line: C:\Windows\system32\Ieknpb32.exe; PID 1680): Executes dropped EXE
60. C:\Windows\SysWOW64\Ikjcmi32.exe (command line: C:\Windows\system32\Ikjcmi32.exe; PID 812): Executes dropped EXE
61. C:\Windows\SysWOW64\Jmccnk32.exe (command line: C:\Windows\system32\Jmccnk32.exe; PID 3848): Executes dropped EXE
62. C:\Windows\SysWOW64\Kkofofbb.exe (command line: C:\Windows\system32\Kkofofbb.exe; PID 544): Executes dropped EXE
63. C:\Windows\SysWOW64\Kjqfmn32.exe (command line: C:\Windows\system32\Kjqfmn32.exe; PID 60): Executes dropped EXE
64. C:\Windows\SysWOW64\Lbcabo32.exe (command line: C:\Windows\system32\Lbcabo32.exe; PID 2464): Executes dropped EXE
65. C:\Windows\SysWOW64\Mpkkgbmi.exe (command line: C:\Windows\system32\Mpkkgbmi.exe; PID 3232): Executes dropped EXE
66. C:\Windows\SysWOW64\Nfcoekhe.exe (command line: C:\Windows\system32\Nfcoekhe.exe; PID 1092): Executes dropped EXE
67. C:\Windows\SysWOW64\Nffljjfc.exe (command line: C:\Windows\system32\Nffljjfc.exe; PID 4092)
68. C:\Windows\SysWOW64\Ollgiplp.exe (command line: C:\Windows\system32\Ollgiplp.exe; PID 4172): Drops file in System32 directory
69. C:\Windows\SysWOW64\Plhgdn32.exe (command line: C:\Windows\system32\Plhgdn32.exe; PID 3552)
70. C:\Windows\SysWOW64\Pllppnnm.exe (command line: C:\Windows\system32\Pllppnnm.exe; PID 456)
71. C:\Windows\SysWOW64\Agfnhf32.exe (command line: C:\Windows\system32\Agfnhf32.exe; PID 3416)
72. C:\Windows\SysWOW64\Apcllk32.exe (command line: C:\Windows\system32\Apcllk32.exe; PID 5024)
73. C:\Windows\SysWOW64\Bgggockk.exe (command line: C:\Windows\system32\Bgggockk.exe; PID 1696): Adds autorun key to be loaded by Explorer.exe on startup
74. C:\Windows\SysWOW64\Bnaolm32.exe (command line: C:\Windows\system32\Bnaolm32.exe; PID 408)
75. C:\Windows\SysWOW64\Blflmj32.exe (command line: C:\Windows\system32\Blflmj32.exe; PID 2440)
76. C:\Windows\SysWOW64\Bkglkapo.exe (command line: C:\Windows\system32\Bkglkapo.exe; PID 4348)
77. C:\Windows\SysWOW64\Bqdechnf.exe (command line: C:\Windows\system32\Bqdechnf.exe; PID 4636)
78. C:\Windows\SysWOW64\Cgpjebcp.exe (command line: C:\Windows\system32\Cgpjebcp.exe; PID 3608)
79. C:\Windows\SysWOW64\Dmfecgim.exe (command line: C:\Windows\system32\Dmfecgim.exe; PID 4116)
80. C:\Windows\SysWOW64\Djjemlhf.exe (command line: C:\Windows\system32\Djjemlhf.exe; PID 2448)
81. C:\Windows\SysWOW64\Dccjfaog.exe (command line: C:\Windows\system32\Dccjfaog.exe; PID 3864)
82. C:\Windows\SysWOW64\Dnmgni32.exe (command line: C:\Windows\system32\Dnmgni32.exe; PID 3012): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
83. C:\Windows\SysWOW64\Embdofop.exe (command line: C:\Windows\system32\Embdofop.exe; PID 1960)
84. C:\Windows\SysWOW64\Eclmlpfl.exe (command line: C:\Windows\system32\Eclmlpfl.exe; PID 2528): Adds autorun key to be loaded by Explorer.exe on startup
85. C:\Windows\SysWOW64\Eaegqc32.exe (command line: C:\Windows\system32\Eaegqc32.exe; PID 1436)
86. C:\Windows\SysWOW64\Eljknl32.exe (command line: C:\Windows\system32\Eljknl32.exe; PID 1256)
87. C:\Windows\SysWOW64\Fjdajhbi.exe (command line: C:\Windows\system32\Fjdajhbi.exe; PID 1548): Modifies registry class
88. C:\Windows\SysWOW64\Gngckfdj.exe (command line: C:\Windows\system32\Gngckfdj.exe; PID 1752)
89. C:\Windows\SysWOW64\Glkdejcd.exe (command line: C:\Windows\system32\Glkdejcd.exe; PID 2140)
90. C:\Windows\SysWOW64\Haobnpkc.exe (command line: C:\Windows\system32\Haobnpkc.exe; PID 3996): Drops file in System32 directory
91. C:\Windows\SysWOW64\Hdahek32.exe (command line: C:\Windows\system32\Hdahek32.exe; PID 4488): Drops file in System32 directory
92. C:\Windows\SysWOW64\Hoglbc32.exe (command line: C:\Windows\system32\Hoglbc32.exe; PID 1432)
93. C:\Windows\SysWOW64\Hlmiagbo.exe (command line: C:\Windows\system32\Hlmiagbo.exe; PID 4924)
94. C:\Windows\SysWOW64\Iefnjm32.exe (command line: C:\Windows\system32\Iefnjm32.exe; PID 4248)
95. C:\Windows\SysWOW64\Inflio32.exe (command line: C:\Windows\system32\Inflio32.exe; PID 2724)
96. C:\Windows\SysWOW64\Jddnah32.exe (command line: C:\Windows\system32\Jddnah32.exe; PID 5012): Adds autorun key to be loaded by Explorer.exe on startup
97. C:\Windows\SysWOW64\Jnmbjnlm.exe (command line: C:\Windows\system32\Jnmbjnlm.exe; PID 4536): Drops file in System32 directory
98. C:\Windows\SysWOW64\Knkokl32.exe (command line: C:\Windows\system32\Knkokl32.exe; PID 3908)
99. C:\Windows\SysWOW64\Lfkich32.exe (command line: C:\Windows\system32\Lfkich32.exe; PID 4244)
100. C:\Windows\SysWOW64\Miqlpbap.exe (command line: C:\Windows\system32\Miqlpbap.exe; PID 1560): Adds autorun key to be loaded by Explorer.exe on startup
101. C:\Windows\SysWOW64\Mbkmngfn.exe (command line: C:\Windows\system32\Mbkmngfn.exe; PID 2480): Adds autorun key to be loaded by Explorer.exe on startup
102. C:\Windows\SysWOW64\Mmaakpfd.exe (command line: C:\Windows\system32\Mmaakpfd.exe; PID 1864)
103. C:\Windows\SysWOW64\Mnbnchlb.exe (command line: C:\Windows\system32\Mnbnchlb.exe; PID 4076)
104. C:\Windows\SysWOW64\Mnggnh32.exe (command line: C:\Windows\system32\Mnggnh32.exe; PID 4612)
105. C:\Windows\SysWOW64\Neaokboj.exe (command line: C:\Windows\system32\Neaokboj.exe; PID 3156): Drops file in System32 directory
106. C:\Windows\SysWOW64\Nbiioe32.exe (command line: C:\Windows\system32\Nbiioe32.exe; PID 744)
107. C:\Windows\SysWOW64\Nicalpak.exe (command line: C:\Windows\system32\Nicalpak.exe; PID 4292)
108. C:\Windows\SysWOW64\Omhpcm32.exe (command line: C:\Windows\system32\Omhpcm32.exe; PID 5124): Modifies registry class
109. C:\Windows\SysWOW64\Onjmjegg.exe (command line: C:\Windows\system32\Onjmjegg.exe; PID 5172)
110. C:\Windows\SysWOW64\Oioahn32.exe (command line: C:\Windows\system32\Oioahn32.exe; PID 5220)
111. C:\Windows\SysWOW64\Pblolb32.exe (command line: C:\Windows\system32\Pblolb32.exe; PID 5256)
112. C:\Windows\SysWOW64\Pppoeg32.exe (command line: C:\Windows\system32\Pppoeg32.exe; PID 5308)
113. C:\Windows\SysWOW64\Pfjgbapo.exe (command line: C:\Windows\system32\Pfjgbapo.exe; PID 5352)
114. C:\Windows\SysWOW64\Qojeabie.exe (command line: C:\Windows\system32\Qojeabie.exe; PID 5400)
115. C:\Windows\SysWOW64\Amblpikl.exe (command line: C:\Windows\system32\Amblpikl.exe; PID 5440)
116. C:\Windows\SysWOW64\Bchgnoai.exe (command line: C:\Windows\system32\Bchgnoai.exe; PID 5484): Drops file in System32 directory
117. C:\Windows\SysWOW64\Bnnklg32.exe (command line: C:\Windows\system32\Bnnklg32.exe; PID 5524)
118. C:\Windows\SysWOW64\Beippj32.exe (command line: C:\Windows\system32\Beippj32.exe; PID 5632)
119. C:\Windows\SysWOW64\Fnofpqff.exe (command line: C:\Windows\system32\Fnofpqff.exe; PID 5672): Modifies registry class
120. C:\Windows\SysWOW64\Fggkifmg.exe (command line: C:\Windows\system32\Fggkifmg.exe; PID 5712): Adds autorun key to be loaded by Explorer.exe on startup
121. C:\Windows\SysWOW64\Fmdcamko.exe (command line: C:\Windows\system32\Fmdcamko.exe; PID 5756)
122. C:\Windows\SysWOW64\Fcnlng32.exe (command line: C:\Windows\system32\Fcnlng32.exe; PID 5796)