Analysis
-
max time kernel
144s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
28/10/2023, 18:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.018c199edb2df32ff2dd6f56183153c0.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.018c199edb2df32ff2dd6f56183153c0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.018c199edb2df32ff2dd6f56183153c0.exe
-
Size
59KB
-
MD5
018c199edb2df32ff2dd6f56183153c0
-
SHA1
91c137a9883791c2db3cacb566870d59bef35b3f
-
SHA256
aa7a9c0d05403e16b38ebe4807c7a8f13f5e8489e36dd64b85cb0a21309a61bc
-
SHA512
4c9a991f2eab0259b0cfcf39fb823d143bdaf53752fcceca71f5fc0d8e61ed608ab3d998e3b7c5a1c7a80f0318d54b9f670b98ce564004aeab35d7889471011e
-
SSDEEP
768:8R3BTVZGFpuEpyzSHt9N2IFUk1athJocaCXso1w8nbyyyyyyyyyyyyyyRCh6XQ+h:oWoWHt9N244JxDnt+JQ2L4AO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nimmifgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clbmfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaedanal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akipic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgfdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Homadjin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faiplcmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iifodmak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjhmbihg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfjakgpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pohilc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcpffk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndbefkjk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdnka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fegiba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hadkib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljlagndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipiaphop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbhojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Digmqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghcbohpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdbooik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehhgpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcibca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcnnllcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmhlijpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcedmkmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lechkaga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncmhko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcabhido.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Picchg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmknkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkoemhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeoklp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgdbedmc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnochl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dehkbkip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clgkmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbenjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdfopf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maoifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cifdjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ienlbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geqlhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bammeebe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaedanal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaglma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdnqgg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqlbqlmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnoefagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmeapbpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ongpeejj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bajjeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldjhib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjpoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfaenqjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhlnjpdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdeqaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hflclcle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Midmcgif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdolgfbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnpjlajn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebifha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecphbckp.exe -
Executes dropped EXE 64 IoCs
pid Process 2980 Pdjgha32.exe 1808 Cnfkdb32.exe 1480 Ebaplnie.exe 2464 Ebkbbmqj.exe 3404 Fqbliicp.exe 5040 Fiqjke32.exe 3812 Ipihpkkd.exe 2068 Jhgiim32.exe 4208 Jldbpl32.exe 2644 Johggfha.exe 1836 Kpccmhdg.exe 3564 Mcoljagj.exe 2268 Nhegig32.exe 1472 Ncmhko32.exe 3524 Nimmifgo.exe 4752 Oiccje32.exe 3720 Oikjkc32.exe 280 Pbhgoh32.exe 3808 Qbonoghb.exe 1528 Affikdfn.exe 424 Bigbmpco.exe 4468 Bpcgpihi.exe 3248 Baepolni.exe 1200 Ccppmc32.exe 1752 Cdolgfbp.exe 3044 Dcibca32.exe 936 Ddmhhd32.exe 2752 Eafbmgad.exe 576 Ekqckmfb.exe 3996 Fggdpnkf.exe 2760 Fjhmbihg.exe 3920 Fnffhgon.exe 2496 Fdbkja32.exe 248 Ggccllai.exe 4240 Gcnnllcg.exe 1104 Hqdkkp32.exe 4684 Hcedmkmp.exe 4316 Hchqbkkm.exe 3244 Hejjanpm.exe 1948 Igmoih32.exe 4708 Iaedanal.exe 2032 Iagqgn32.exe 2648 Jnpjlajn.exe 4948 Jdopjh32.exe 3520 Kkbkmqed.exe 2088 Kaopoj32.exe 1768 Khkdad32.exe 3516 Logicn32.exe 2332 Llpchaqg.exe 5032 Maoifh32.exe 4292 Mhiabbdi.exe 1460 Mojopk32.exe 2020 Medglemj.exe 4852 Nhlfoodc.exe 1564 Ohcmpn32.exe 2008 Pijcpmhc.exe 3916 Pkoemhao.exe 3824 Qppkhfec.exe 3356 Akihcfid.exe 1604 Amkabind.exe 1788 Acgfec32.exe 724 Apngjd32.exe 3156 Cifdjg32.exe 4064 Dpjompqc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kmhlijpm.exe Kfndlphp.exe File created C:\Windows\SysWOW64\Imobclfe.dll Kfpqap32.exe File created C:\Windows\SysWOW64\Fmkohkha.dll Egelgoah.exe File opened for modification C:\Windows\SysWOW64\Coegih32.exe Clgkmm32.exe File created C:\Windows\SysWOW64\Cohdoh32.exe Coegih32.exe File created C:\Windows\SysWOW64\Lnplbk32.dll Hfemkdbm.exe File created C:\Windows\SysWOW64\Mmgfmg32.exe Lepnli32.exe File created C:\Windows\SysWOW64\Gcojoj32.exe Glebbpbd.exe File created C:\Windows\SysWOW64\Kmjaeema.dll Nhlfoodc.exe File created C:\Windows\SysWOW64\Gmdoel32.exe Gcimfg32.exe File created C:\Windows\SysWOW64\Aikijjon.exe Acaanp32.exe File created C:\Windows\SysWOW64\Gqffmj32.dll Aebjokda.exe File created C:\Windows\SysWOW64\Kdhhfnom.dll Hdcnpd32.exe File opened for modification C:\Windows\SysWOW64\Blbabnbk.exe Bammeebe.exe File opened for modification C:\Windows\SysWOW64\Flnlaahl.exe Fkopgn32.exe File created C:\Windows\SysWOW64\Hfemkdbm.exe Gdeqaa32.exe File created C:\Windows\SysWOW64\Ogegkehh.dll Gcdkdpih.exe File created C:\Windows\SysWOW64\Cmmbmhdc.dll Hllkqdli.exe File created C:\Windows\SysWOW64\Jfjakgpa.exe Jqmicpbj.exe File created C:\Windows\SysWOW64\Foadqnoo.dll Aqfolqna.exe File opened for modification C:\Windows\SysWOW64\Hkiclepa.exe Hdokok32.exe File created C:\Windows\SysWOW64\Klhnij32.dll Hdokok32.exe File created C:\Windows\SysWOW64\Kaehmgbl.dll Hagnihom.exe File created C:\Windows\SysWOW64\Doageg32.exe Damflb32.exe File opened for modification C:\Windows\SysWOW64\Chpangnk.exe Cldgmgml.exe File opened for modification C:\Windows\SysWOW64\Glebbpbd.exe Gcmnijkd.exe File created C:\Windows\SysWOW64\Ipihpkkd.exe Fiqjke32.exe File created C:\Windows\SysWOW64\Hnlnbkcc.dll Oddmoj32.exe File opened for modification C:\Windows\SysWOW64\Nhfoocaa.exe Nmpkakak.exe File opened for modification C:\Windows\SysWOW64\Jflgfpkc.exe Jhhgmlli.exe File created C:\Windows\SysWOW64\Qibfdkgh.exe Qbeaba32.exe File created C:\Windows\SysWOW64\Bmnjkq32.dll Dcglfjgf.exe File opened for modification C:\Windows\SysWOW64\Hkfookmo.exe Helfbqeb.exe File created C:\Windows\SysWOW64\Hholim32.dll Jflgfpkc.exe File opened for modification C:\Windows\SysWOW64\Hfmqapcl.exe Gmpcmkaa.exe File created C:\Windows\SysWOW64\Gmkbgf32.exe Gbenjm32.exe File opened for modification C:\Windows\SysWOW64\Ijfbhflj.exe Iannpa32.exe File opened for modification C:\Windows\SysWOW64\Iioicn32.exe Hpfdkiac.exe File opened for modification C:\Windows\SysWOW64\Kfmejopp.exe Kpncbemh.exe File opened for modification C:\Windows\SysWOW64\Hkhkdjkl.exe Hflclcle.exe File created C:\Windows\SysWOW64\Hmcipf32.dll Fnffhgon.exe File created C:\Windows\SysWOW64\Geloma32.dll Qmlmjq32.exe File opened for modification C:\Windows\SysWOW64\Bidlqhgc.exe Bckddn32.exe File opened for modification C:\Windows\SysWOW64\Boaeioej.exe Bidlqhgc.exe File created C:\Windows\SysWOW64\Dcglfjgf.exe Djjobedk.exe File created C:\Windows\SysWOW64\Mjalkblo.dll Cohdoh32.exe File opened for modification C:\Windows\SysWOW64\Qnfkgfdp.exe Pcagjndj.exe File opened for modification C:\Windows\SysWOW64\Fnffhgon.exe Fjhmbihg.exe File opened for modification C:\Windows\SysWOW64\Fdbkja32.exe Fnffhgon.exe File created C:\Windows\SysWOW64\Kdogqi32.dll Acgfec32.exe File created C:\Windows\SysWOW64\Jdnqgg32.exe Jndhkmfe.exe File created C:\Windows\SysWOW64\Begcjjql.exe Bomknp32.exe File opened for modification C:\Windows\SysWOW64\Npjelo32.exe Nfeqnf32.exe File opened for modification C:\Windows\SysWOW64\Commjgga.exe Cediab32.exe File created C:\Windows\SysWOW64\Giacmggo.exe Gcdkdpih.exe File opened for modification C:\Windows\SysWOW64\Okgfdm32.exe Odnngclb.exe File created C:\Windows\SysWOW64\Dlijodjd.exe Deoabj32.exe File opened for modification C:\Windows\SysWOW64\Helfbqeb.exe Hoonjjgk.exe File created C:\Windows\SysWOW64\Lepnli32.exe Lpcedbjp.exe File created C:\Windows\SysWOW64\Dnhpfk32.dll Dcibca32.exe File created C:\Windows\SysWOW64\Hlmpoh32.dll Blqlgdhi.exe File created C:\Windows\SysWOW64\Nqlbqlmm.exe Nojfic32.exe File created C:\Windows\SysWOW64\Fhoqmllo.dll Qebpipij.exe File created C:\Windows\SysWOW64\Gmjlmo32.exe Gdcdlb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8176 7240 WerFault.exe 569 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjcfeola.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjejqcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifjgobkn.dll" Mdfopf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbhojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ellpmolj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngjpgqp.dll" Bpdfpmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pibfhink.dll" Nlphmafm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihndgmdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Midmcgif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiccje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcbgfhii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hllkqdli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Begcjjql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blqlgdhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcglfjgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elojej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehhgpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nimmifgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bigbmpco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkkdccim.dll" Lechkaga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnihlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbfokcae.dll" Pflpfcbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmlmjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apfhajjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfljfjpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkfookmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmkipncc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknah32.dll" Dbgndoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omhnja32.dll" Kfndlphp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhjkjd32.dll" Cphgca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcnnjoam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chbncg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acggngam.dll" Iiaein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diopep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akipic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goipae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnhdihe.dll" Ijmobhdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onoknb32.dll" Eaabci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acilcb32.dll" Mmiccf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbgndoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djjobedk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nojfic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elepei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbnhjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpammgnc.dll" Dhkaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elkfed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iifodmak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llpchaqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfjakgpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eomjgpen.dll" Commjgga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hholim32.dll" Jflgfpkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eakdje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Picchg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lajfbmmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdbkja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaedanal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpgnjebd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obmeeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpmlp32.dll" Qnfkgfdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoonjjgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnoigkk.dll" Oiccje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icmbcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifdgaond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcepbooa.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3572 wrote to memory of 2980 3572 NEAS.018c199edb2df32ff2dd6f56183153c0.exe 91 PID 3572 wrote to memory of 2980 3572 NEAS.018c199edb2df32ff2dd6f56183153c0.exe 91 PID 3572 wrote to memory of 2980 3572 NEAS.018c199edb2df32ff2dd6f56183153c0.exe 91 PID 2980 wrote to memory of 1808 2980 Pdjgha32.exe 92 PID 2980 wrote to memory of 1808 2980 Pdjgha32.exe 92 PID 2980 wrote to memory of 1808 2980 Pdjgha32.exe 92 PID 1808 wrote to memory of 1480 1808 Cnfkdb32.exe 93 PID 1808 wrote to memory of 1480 1808 Cnfkdb32.exe 93 PID 1808 wrote to memory of 1480 1808 Cnfkdb32.exe 93 PID 1480 wrote to memory of 2464 1480 Ebaplnie.exe 94 PID 1480 wrote to memory of 2464 1480 Ebaplnie.exe 94 PID 1480 wrote to memory of 2464 1480 Ebaplnie.exe 94 PID 2464 wrote to memory of 3404 2464 Ebkbbmqj.exe 95 PID 2464 wrote to memory of 3404 2464 Ebkbbmqj.exe 95 PID 2464 wrote to memory of 3404 2464 Ebkbbmqj.exe 95 PID 3404 wrote to memory of 5040 3404 Fqbliicp.exe 96 PID 3404 wrote to memory of 5040 3404 Fqbliicp.exe 96 PID 3404 wrote to memory of 5040 3404 Fqbliicp.exe 96 PID 5040 wrote to memory of 3812 5040 Fiqjke32.exe 97 PID 5040 wrote to memory of 3812 5040 Fiqjke32.exe 97 PID 5040 wrote to memory of 3812 5040 Fiqjke32.exe 97 PID 3812 wrote to memory of 2068 3812 Ipihpkkd.exe 98 PID 3812 wrote to memory of 2068 3812 Ipihpkkd.exe 98 PID 3812 wrote to memory of 2068 3812 Ipihpkkd.exe 98 PID 2068 wrote to memory of 4208 2068 Jhgiim32.exe 99 PID 2068 wrote to memory of 4208 2068 Jhgiim32.exe 99 PID 2068 wrote to memory of 4208 2068 Jhgiim32.exe 99 PID 4208 wrote to memory of 2644 4208 Jldbpl32.exe 100 PID 4208 wrote to memory of 2644 4208 Jldbpl32.exe 100 PID 4208 wrote to memory of 2644 4208 Jldbpl32.exe 100 PID 2644 wrote to memory of 1836 2644 Johggfha.exe 101 PID 2644 wrote to memory of 1836 2644 Johggfha.exe 101 PID 2644 wrote to memory of 1836 2644 Johggfha.exe 101 PID 1836 wrote to memory of 3564 1836 Kpccmhdg.exe 102 PID 1836 wrote to memory of 3564 1836 Kpccmhdg.exe 102 PID 1836 wrote to memory of 3564 1836 Kpccmhdg.exe 102 PID 3564 wrote to memory of 2268 3564 Mcoljagj.exe 103 PID 3564 wrote to memory of 2268 3564 Mcoljagj.exe 103 PID 3564 wrote to memory of 2268 3564 Mcoljagj.exe 103 PID 2268 wrote to memory of 1472 2268 Nhegig32.exe 104 PID 2268 wrote to memory of 1472 2268 Nhegig32.exe 104 PID 2268 wrote to memory of 1472 2268 Nhegig32.exe 104 PID 1472 wrote to memory of 3524 1472 Ncmhko32.exe 105 PID 1472 wrote to memory of 3524 1472 Ncmhko32.exe 105 PID 1472 wrote to memory of 3524 1472 Ncmhko32.exe 105 PID 3524 wrote to memory of 4752 3524 Nimmifgo.exe 106 PID 3524 wrote to memory of 4752 3524 Nimmifgo.exe 106 PID 3524 wrote to memory of 4752 3524 Nimmifgo.exe 106 PID 4752 wrote to memory of 3720 4752 Oiccje32.exe 107 PID 4752 wrote to memory of 3720 4752 Oiccje32.exe 107 PID 4752 wrote to memory of 3720 4752 Oiccje32.exe 107 PID 3720 wrote to memory of 280 3720 Oikjkc32.exe 108 PID 3720 wrote to memory of 280 3720 Oikjkc32.exe 108 PID 3720 wrote to memory of 280 3720 Oikjkc32.exe 108 PID 280 wrote to memory of 3808 280 Pbhgoh32.exe 110 PID 280 wrote to memory of 3808 280 Pbhgoh32.exe 110 PID 280 wrote to memory of 3808 280 Pbhgoh32.exe 110 PID 352 wrote to memory of 1528 352 Ajohfcpj.exe 112 PID 352 wrote to memory of 1528 352 Ajohfcpj.exe 112 PID 352 wrote to memory of 1528 352 Ajohfcpj.exe 112 PID 1528 wrote to memory of 424 1528 Affikdfn.exe 114 PID 1528 wrote to memory of 424 1528 Affikdfn.exe 114 PID 1528 wrote to memory of 424 1528 Affikdfn.exe 114 PID 424 wrote to memory of 4468 424 Bigbmpco.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.018c199edb2df32ff2dd6f56183153c0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.018c199edb2df32ff2dd6f56183153c0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\SysWOW64\Pdjgha32.exeC:\Windows\system32\Pdjgha32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Cnfkdb32.exeC:\Windows\system32\Cnfkdb32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Ebaplnie.exeC:\Windows\system32\Ebaplnie.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Ebkbbmqj.exeC:\Windows\system32\Ebkbbmqj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Fqbliicp.exeC:\Windows\system32\Fqbliicp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Windows\SysWOW64\Fiqjke32.exeC:\Windows\system32\Fiqjke32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Ipihpkkd.exeC:\Windows\system32\Ipihpkkd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\Jhgiim32.exeC:\Windows\system32\Jhgiim32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Jldbpl32.exeC:\Windows\system32\Jldbpl32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\SysWOW64\Johggfha.exeC:\Windows\system32\Johggfha.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Kpccmhdg.exeC:\Windows\system32\Kpccmhdg.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Mcoljagj.exeC:\Windows\system32\Mcoljagj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\SysWOW64\Nhegig32.exeC:\Windows\system32\Nhegig32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Ncmhko32.exeC:\Windows\system32\Ncmhko32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Nimmifgo.exeC:\Windows\system32\Nimmifgo.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\SysWOW64\Oiccje32.exeC:\Windows\system32\Oiccje32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Oikjkc32.exeC:\Windows\system32\Oikjkc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\Pbhgoh32.exeC:\Windows\system32\Pbhgoh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:280 -
C:\Windows\SysWOW64\Qbonoghb.exeC:\Windows\system32\Qbonoghb.exe20⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Ajohfcpj.exeC:\Windows\system32\Ajohfcpj.exe21⤵
- Suspicious use of WriteProcessMemory
PID:352 -
C:\Windows\SysWOW64\Affikdfn.exeC:\Windows\system32\Affikdfn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Bigbmpco.exeC:\Windows\system32\Bigbmpco.exe23⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:424 -
C:\Windows\SysWOW64\Bpcgpihi.exeC:\Windows\system32\Bpcgpihi.exe24⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Baepolni.exeC:\Windows\system32\Baepolni.exe25⤵
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Ccppmc32.exeC:\Windows\system32\Ccppmc32.exe26⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Cdolgfbp.exeC:\Windows\system32\Cdolgfbp.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Dcibca32.exeC:\Windows\system32\Dcibca32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Ddmhhd32.exeC:\Windows\system32\Ddmhhd32.exe29⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Eafbmgad.exeC:\Windows\system32\Eafbmgad.exe30⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Ekqckmfb.exeC:\Windows\system32\Ekqckmfb.exe31⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Fggdpnkf.exeC:\Windows\system32\Fggdpnkf.exe32⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Fjhmbihg.exeC:\Windows\system32\Fjhmbihg.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Fnffhgon.exeC:\Windows\system32\Fnffhgon.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3920 -
C:\Windows\SysWOW64\Fdbkja32.exeC:\Windows\system32\Fdbkja32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Ggccllai.exeC:\Windows\system32\Ggccllai.exe36⤵
- Executes dropped EXE
PID:248 -
C:\Windows\SysWOW64\Gcnnllcg.exeC:\Windows\system32\Gcnnllcg.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Hqdkkp32.exeC:\Windows\system32\Hqdkkp32.exe38⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Hcedmkmp.exeC:\Windows\system32\Hcedmkmp.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Hchqbkkm.exeC:\Windows\system32\Hchqbkkm.exe40⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Hejjanpm.exeC:\Windows\system32\Hejjanpm.exe41⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Igmoih32.exeC:\Windows\system32\Igmoih32.exe42⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Iaedanal.exeC:\Windows\system32\Iaedanal.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4708 -
C:\Windows\SysWOW64\Iagqgn32.exeC:\Windows\system32\Iagqgn32.exe44⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Jnpjlajn.exeC:\Windows\system32\Jnpjlajn.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Jdopjh32.exeC:\Windows\system32\Jdopjh32.exe46⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Kkbkmqed.exeC:\Windows\system32\Kkbkmqed.exe47⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Kaopoj32.exeC:\Windows\system32\Kaopoj32.exe48⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Khkdad32.exeC:\Windows\system32\Khkdad32.exe49⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Logicn32.exeC:\Windows\system32\Logicn32.exe50⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Llpchaqg.exeC:\Windows\system32\Llpchaqg.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Maoifh32.exeC:\Windows\system32\Maoifh32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Mhiabbdi.exeC:\Windows\system32\Mhiabbdi.exe53⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Mojopk32.exeC:\Windows\system32\Mojopk32.exe54⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Medglemj.exeC:\Windows\system32\Medglemj.exe55⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Nhlfoodc.exeC:\Windows\system32\Nhlfoodc.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4852 -
C:\Windows\SysWOW64\Ohcmpn32.exeC:\Windows\system32\Ohcmpn32.exe57⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Pijcpmhc.exeC:\Windows\system32\Pijcpmhc.exe58⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Pkoemhao.exeC:\Windows\system32\Pkoemhao.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Qppkhfec.exeC:\Windows\system32\Qppkhfec.exe60⤵
- Executes dropped EXE
PID:3824 -
C:\Windows\SysWOW64\Akihcfid.exeC:\Windows\system32\Akihcfid.exe61⤵
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Amkabind.exeC:\Windows\system32\Amkabind.exe62⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Acgfec32.exeC:\Windows\system32\Acgfec32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1788 -
C:\Windows\SysWOW64\Apngjd32.exeC:\Windows\system32\Apngjd32.exe64⤵
- Executes dropped EXE
PID:724 -
C:\Windows\SysWOW64\Cifdjg32.exeC:\Windows\system32\Cifdjg32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Dpjompqc.exeC:\Windows\system32\Dpjompqc.exe66⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Ddhhbngi.exeC:\Windows\system32\Ddhhbngi.exe67⤵PID:1968
-
C:\Windows\SysWOW64\Deidjf32.exeC:\Windows\system32\Deidjf32.exe68⤵PID:3212
-
C:\Windows\SysWOW64\Dcmedk32.exeC:\Windows\system32\Dcmedk32.exe69⤵PID:1072
-
C:\Windows\SysWOW64\Digmqe32.exeC:\Windows\system32\Digmqe32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3340 -
C:\Windows\SysWOW64\Ellpmolj.exeC:\Windows\system32\Ellpmolj.exe71⤵
- Modifies registry class
PID:408 -
C:\Windows\SysWOW64\Eeddfe32.exeC:\Windows\system32\Eeddfe32.exe72⤵PID:2016
-
C:\Windows\SysWOW64\Fnnimbaj.exeC:\Windows\system32\Fnnimbaj.exe73⤵PID:3232
-
C:\Windows\SysWOW64\Fjeibc32.exeC:\Windows\system32\Fjeibc32.exe74⤵PID:1504
-
C:\Windows\SysWOW64\Fcbgfhii.exeC:\Windows\system32\Fcbgfhii.exe75⤵
- Modifies registry class
PID:3088 -
C:\Windows\SysWOW64\Gcimfg32.exeC:\Windows\system32\Gcimfg32.exe76⤵
- Drops file in System32 directory
PID:5112 -
C:\Windows\SysWOW64\Gmdoel32.exeC:\Windows\system32\Gmdoel32.exe77⤵PID:760
-
C:\Windows\SysWOW64\Gcngafol.exeC:\Windows\system32\Gcngafol.exe78⤵PID:5100
-
C:\Windows\SysWOW64\Hdbmfhbi.exeC:\Windows\system32\Hdbmfhbi.exe79⤵PID:4068
-
C:\Windows\SysWOW64\Hmmakk32.exeC:\Windows\system32\Hmmakk32.exe80⤵PID:4888
-
C:\Windows\SysWOW64\Hclccd32.exeC:\Windows\system32\Hclccd32.exe81⤵PID:4520
-
C:\Windows\SysWOW64\Ienlbf32.exeC:\Windows\system32\Ienlbf32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4864 -
C:\Windows\SysWOW64\Imnjbhaa.exeC:\Windows\system32\Imnjbhaa.exe83⤵PID:4072
-
C:\Windows\SysWOW64\Jgjeppkp.exeC:\Windows\system32\Jgjeppkp.exe84⤵PID:1832
-
C:\Windows\SysWOW64\Kebodc32.exeC:\Windows\system32\Kebodc32.exe85⤵PID:2320
-
C:\Windows\SysWOW64\Kfdklllb.exeC:\Windows\system32\Kfdklllb.exe86⤵PID:3556
-
C:\Windows\SysWOW64\Kjfmminc.exeC:\Windows\system32\Kjfmminc.exe87⤵PID:4884
-
C:\Windows\SysWOW64\Lelajb32.exeC:\Windows\system32\Lelajb32.exe88⤵PID:2288
-
C:\Windows\SysWOW64\Lfpkhjae.exeC:\Windows\system32\Lfpkhjae.exe89⤵PID:1944
-
C:\Windows\SysWOW64\Lechkaga.exeC:\Windows\system32\Lechkaga.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5004 -
C:\Windows\SysWOW64\Nhbmnj32.exeC:\Windows\system32\Nhbmnj32.exe91⤵PID:5140
-
C:\Windows\SysWOW64\Nnoefagj.exeC:\Windows\system32\Nnoefagj.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5192 -
C:\Windows\SysWOW64\Ndkjik32.exeC:\Windows\system32\Ndkjik32.exe93⤵PID:5232
-
C:\Windows\SysWOW64\Oddmoj32.exeC:\Windows\system32\Oddmoj32.exe94⤵
- Drops file in System32 directory
PID:5280 -
C:\Windows\SysWOW64\Paocim32.exeC:\Windows\system32\Paocim32.exe95⤵PID:5324
-
C:\Windows\SysWOW64\Pojjcp32.exeC:\Windows\system32\Pojjcp32.exe96⤵PID:5368
-
C:\Windows\SysWOW64\Agaoca32.exeC:\Windows\system32\Agaoca32.exe97⤵PID:5436
-
C:\Windows\SysWOW64\Bgkaip32.exeC:\Windows\system32\Bgkaip32.exe98⤵PID:5488
-
C:\Windows\SysWOW64\Bpdfpmoo.exeC:\Windows\system32\Bpdfpmoo.exe99⤵
- Modifies registry class
PID:5528 -
C:\Windows\SysWOW64\Cgagjo32.exeC:\Windows\system32\Cgagjo32.exe100⤵PID:5572
-
C:\Windows\SysWOW64\Cfedmfqd.exeC:\Windows\system32\Cfedmfqd.exe101⤵PID:5608
-
C:\Windows\SysWOW64\Clbmfm32.exeC:\Windows\system32\Clbmfm32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5660 -
C:\Windows\SysWOW64\Diopep32.exeC:\Windows\system32\Diopep32.exe103⤵
- Modifies registry class
PID:5708 -
C:\Windows\SysWOW64\Eekjep32.exeC:\Windows\system32\Eekjep32.exe104⤵PID:5760
-
C:\Windows\SysWOW64\Eflceb32.exeC:\Windows\system32\Eflceb32.exe105⤵PID:5800
-
C:\Windows\SysWOW64\Epiaig32.exeC:\Windows\system32\Epiaig32.exe106⤵PID:5884
-
C:\Windows\SysWOW64\Fcaqka32.exeC:\Windows\system32\Fcaqka32.exe107⤵PID:5924
-
C:\Windows\SysWOW64\Fljedg32.exeC:\Windows\system32\Fljedg32.exe108⤵PID:5964
-
C:\Windows\SysWOW64\Gpgnjebd.exeC:\Windows\system32\Gpgnjebd.exe109⤵
- Modifies registry class
PID:6036 -
C:\Windows\SysWOW64\Ghcbohpp.exeC:\Windows\system32\Ghcbohpp.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6076 -
C:\Windows\SysWOW64\Gegchl32.exeC:\Windows\system32\Gegchl32.exe111⤵PID:6116
-
C:\Windows\SysWOW64\Glqkefff.exeC:\Windows\system32\Glqkefff.exe112⤵PID:5136
-
C:\Windows\SysWOW64\Geklckkd.exeC:\Windows\system32\Geklckkd.exe113⤵PID:5224
-
C:\Windows\SysWOW64\Hllkqdli.exeC:\Windows\system32\Hllkqdli.exe114⤵
- Drops file in System32 directory
- Modifies registry class
PID:5256 -
C:\Windows\SysWOW64\Hjbhph32.exeC:\Windows\system32\Hjbhph32.exe115⤵PID:5348
-
C:\Windows\SysWOW64\Ihheqd32.exeC:\Windows\system32\Ihheqd32.exe116⤵PID:5404
-
C:\Windows\SysWOW64\Ifqoehhl.exeC:\Windows\system32\Ifqoehhl.exe117⤵PID:5460
-
C:\Windows\SysWOW64\Jjqdafmp.exeC:\Windows\system32\Jjqdafmp.exe118⤵PID:5540
-
C:\Windows\SysWOW64\Jqklnp32.exeC:\Windows\system32\Jqklnp32.exe119⤵PID:5624
-
C:\Windows\SysWOW64\Jqmicpbj.exeC:\Windows\system32\Jqmicpbj.exe120⤵
- Drops file in System32 directory
PID:3148 -
C:\Windows\SysWOW64\Jfjakgpa.exeC:\Windows\system32\Jfjakgpa.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1712
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-