Analysis
-
max time kernel
142s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system -
submitted
28/10/2023, 19:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.9bd008dc79487477054739a8172ee730.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.9bd008dc79487477054739a8172ee730.exe
Resource
win10v2004-20231025-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.9bd008dc79487477054739a8172ee730.exe
-
Size
91KB
-
MD5
9bd008dc79487477054739a8172ee730
-
SHA1
7876eeda25fec23f2eb4c983ec3e5b41969d5dfb
-
SHA256
ff55991446ee2fb375215d4727164d82b848facf4e7d84946926c94b141c30d9
-
SHA512
4a75741003e9844881df42c6e8840498ff3ff8851df246b4a2af553be7a0013c65306bd6bc088f026afe54ce86528f025c502ae9101e49d094d7710dbba04edc
-
SSDEEP
1536:6ZfuJ9RnwLEHi0XeneGNhAXpuvKkhwr4Uol5KusGBNTbt7Pu:6pSRnfiLbAXcvtlUuMhCPu
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmfplibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mogcihaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgphpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Objkmkjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhmmjbkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkfglb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plkpcfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pldcjeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmlla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nclbpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cihclh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccbadp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Difpmfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnjgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gokbgpeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbfldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmmolepp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodjjimm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiekog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aakebqbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebdcld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkekn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocohmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpkdjofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oonlfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aolblopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppnenlka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daediilg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpgpgfmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplhhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqkill32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnmdme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gojiiafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgphpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqmeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljbfpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkokcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkhgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpjjac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebgpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dojqjdbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljbnfleo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Filiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgmjmjnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgibpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqafhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocdnln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ookoaokf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkepaam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhoqeibl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgepom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkphhgfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngkqbgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hihibbjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfchidda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fngcmcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnfiplog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnlhncgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jimldogg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbjddh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpmggb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlcalieg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oodcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngqagcag.exe -
Executes dropped EXE 64 IoCs
pid Process 1620 Bfchidda.exe 1148 Bqilgmdg.exe 4160 Bidqko32.exe 1712 Bqkill32.exe 4588 Bfhadc32.exe 2100 Bqmeal32.exe 4760 Bjfjka32.exe 5060 Cflkpblf.exe 3052 Cabomkll.exe 2820 Cpglnhad.exe 2404 Cffmfadl.exe 2728 Dpnbog32.exe 664 Dpckjfgg.exe 4504 Daediilg.exe 1896 Efffmo32.exe 4700 Efkphnbd.exe 1572 Filiii32.exe 4020 Fdamgb32.exe 2104 Fineoi32.exe 3864 Fknbil32.exe 876 Fpjjac32.exe 3200 Fpmggb32.exe 496 Kkjlic32.exe 2868 Kecabifp.exe 3332 Knkekn32.exe 2292 Liqihglg.exe 4016 Ljbfpo32.exe 3128 Legjmh32.exe 3440 Lnpofnhk.exe 2300 Lejgch32.exe 4476 Lldopb32.exe 1580 Laqhhi32.exe 2108 Lihpif32.exe 4572 Lndham32.exe 2496 Lhmmjbkf.exe 440 Mbbagk32.exe 3796 Mlkepaam.exe 1412 Mahnhhod.exe 4988 Mlmbfqoj.exe 3752 Majjng32.exe 4396 Mlpokp32.exe 2932 Mbighjdd.exe 1984 Mlbkap32.exe 4960 Mejpje32.exe 4132 Nobdbkhf.exe 1776 Nemmoe32.exe 2268 Nlphbnoe.exe 1864 Oehlkc32.exe 700 Ooqqdi32.exe 4624 Oldamm32.exe 1432 Oaajed32.exe 1600 Ohkbbn32.exe 1124 Pkadoiip.exe 5044 Pefhlaie.exe 4904 Poomegpf.exe 1728 Peieba32.exe 1952 Phganm32.exe 4088 Papfgbmg.exe 5024 Plejdkmm.exe 3572 Pemomqcn.exe 1972 Qlggjk32.exe 4424 Qepkbpak.exe 3696 Qcclld32.exe 2452 Acfhad32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mlgjal32.dll Bnkbcj32.exe File opened for modification C:\Windows\SysWOW64\Geaepk32.exe Goglcahb.exe File opened for modification C:\Windows\SysWOW64\Mmkdcm32.exe Mogcihaj.exe File created C:\Windows\SysWOW64\Dpkmal32.exe Dojqjdbl.exe File opened for modification C:\Windows\SysWOW64\Lejgch32.exe Lnpofnhk.exe File created C:\Windows\SysWOW64\Lihpif32.exe Laqhhi32.exe File opened for modification C:\Windows\SysWOW64\Lqpamb32.exe Lkchelci.exe File created C:\Windows\SysWOW64\Efgemb32.exe Epmmqheb.exe File opened for modification C:\Windows\SysWOW64\Aaoaic32.exe Aopemh32.exe File opened for modification C:\Windows\SysWOW64\Eqlfhjig.exe Edeeci32.exe File opened for modification C:\Windows\SysWOW64\Hkicaahi.exe Hcblpdgg.exe File opened for modification C:\Windows\SysWOW64\Maggnali.exe Mgobel32.exe File created C:\Windows\SysWOW64\Goglcahb.exe Gmfplibd.exe File opened for modification C:\Windows\SysWOW64\Lfeljd32.exe Lcgpni32.exe File created C:\Windows\SysWOW64\Ohlqcagj.exe Oabhfg32.exe File created C:\Windows\SysWOW64\Npefkf32.dll Coohhlpe.exe File opened for modification C:\Windows\SysWOW64\Ebdcld32.exe Ekkkoj32.exe File created C:\Windows\SysWOW64\Pblajhje.exe Ppnenlka.exe File created C:\Windows\SysWOW64\Oacoqnci.exe Oodcdb32.exe File created C:\Windows\SysWOW64\Kmhjapnj.dll Hplbickp.exe File opened for modification C:\Windows\SysWOW64\Lggejg32.exe Lmaamn32.exe File created C:\Windows\SysWOW64\Glgjlm32.exe Gbofcghl.exe File opened for modification C:\Windows\SysWOW64\Gbfldf32.exe Gbdoof32.exe File created C:\Windows\SysWOW64\Blafme32.dll Ikpjbq32.exe File opened for modification C:\Windows\SysWOW64\Icknfcol.exe Innfnl32.exe File opened for modification C:\Windows\SysWOW64\Onpjichj.exe Omqmop32.exe File created C:\Windows\SysWOW64\Phganm32.exe Peieba32.exe File created C:\Windows\SysWOW64\Leifdf32.dll Aolblopj.exe File created C:\Windows\SysWOW64\Jkmmde32.dll Bnlhncgi.exe File opened for modification C:\Windows\SysWOW64\Kidben32.exe Kplmliko.exe File created C:\Windows\SysWOW64\Hplbickp.exe Hmmfmhll.exe File created C:\Windows\SysWOW64\Lomqcjie.exe Llodgnja.exe File created C:\Windows\SysWOW64\Lfinqm32.dll Qcclld32.exe File opened for modification C:\Windows\SysWOW64\Cihclh32.exe Bckkca32.exe File created C:\Windows\SysWOW64\Lgqfdnah.exe Kdbjhbbd.exe File created C:\Windows\SysWOW64\Lgepom32.exe Lgccinoe.exe File opened for modification C:\Windows\SysWOW64\Fnlmhc32.exe Flmqlg32.exe File created C:\Windows\SysWOW64\Mogcihaj.exe Mjjkaabc.exe File created C:\Windows\SysWOW64\Agdcpkll.exe Adfgdpmi.exe File created C:\Windows\SysWOW64\Jahqiaeb.exe Jllhpkfk.exe File opened for modification C:\Windows\SysWOW64\Pplhhm32.exe Pmmlla32.exe File created C:\Windows\SysWOW64\Amlkko32.dll Kdbjhbbd.exe File created C:\Windows\SysWOW64\Mdeodj32.dll Ljhefhha.exe File opened for modification C:\Windows\SysWOW64\Coohhlpe.exe Blqllqqa.exe File opened for modification C:\Windows\SysWOW64\Nmcpoedn.exe Mfenglqf.exe File created C:\Windows\SysWOW64\Amoljp32.dll Addaif32.exe File opened for modification C:\Windows\SysWOW64\Omalpc32.exe Ofgdcipq.exe File opened for modification C:\Windows\SysWOW64\Bckkca32.exe Bheffh32.exe File opened for modification C:\Windows\SysWOW64\Ahbjoe32.exe Anmfbl32.exe File created C:\Windows\SysWOW64\Coohhlpe.exe Blqllqqa.exe File created C:\Windows\SysWOW64\Lfmmaj32.dll Geaepk32.exe File created C:\Windows\SysWOW64\Jgmjmjnb.exe Jpcapp32.exe File created C:\Windows\SysWOW64\Dnjfibml.dll Baadiiif.exe File opened for modification C:\Windows\SysWOW64\Dfiildio.exe Dnbakghm.exe File created C:\Windows\SysWOW64\Eqdpgk32.exe Enfckp32.exe File created C:\Windows\SysWOW64\Piocecgj.exe Pbekii32.exe File opened for modification C:\Windows\SysWOW64\Liqihglg.exe Knkekn32.exe File opened for modification C:\Windows\SysWOW64\Jjjpnlbd.exe Jgkdbacp.exe File created C:\Windows\SysWOW64\Iibjhgbi.dll Bkobmnka.exe File created C:\Windows\SysWOW64\Hehdfdek.exe Hahokfag.exe File opened for modification C:\Windows\SysWOW64\Fjadje32.exe Fbjmhh32.exe File created C:\Windows\SysWOW64\Hkfglb32.exe Hpabni32.exe File created C:\Windows\SysWOW64\Mmihfl32.dll Conanfli.exe File opened for modification C:\Windows\SysWOW64\Fganqbgg.exe Fkjmlaac.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13252 13140 WerFault.exe 698 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acmobchj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dggbcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eppqqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncpgam32.dll" Lqhdbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdflknog.dll" Mjggal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehkga32.dll" Nmgjia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mogcihaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geldkfpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keoaokpd.dll" Hihibbjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfedck32.dll" Oaajed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojpmg32.dll" Olicnfco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lihpif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmbai32.dll" Anaomkdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkokcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdlfi32.dll" Fnlmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgepom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Popbpqjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffceip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjdpelnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Filiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbijb32.dll" Najmjokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ponfka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjpfjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnoddcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbdoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjnppabn.dll" Hdehni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkpqkcpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbflncid.dll" Hdhedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcdala32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baadiiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdifpa32.dll" Gblbca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fganqbgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlkfbocp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkpiopih.dll" Qmhlgmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiahnnph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fngcmcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngekilj.dll" Iafkld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jllhpkfk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obqanjdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liqihglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpdhj32.dll" Goglcahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleqaiga.dll" Mqkiok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijdabh32.dll" Kcbnnpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkmkkjko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjjkaabc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knnhjcog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjmjdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peieba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkhapk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdmpmdpj.dll" Kgflcifg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faoiogei.dll" Mpapnfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Felbnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbiockdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iafkld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmlpaoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnjejjgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Felbnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgphpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emkndc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inlihl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljclki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qeodhjmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpnfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egaejeej.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4748 wrote to memory of 1620 4748 NEAS.9bd008dc79487477054739a8172ee730.exe 85 PID 4748 wrote to memory of 1620 4748 NEAS.9bd008dc79487477054739a8172ee730.exe 85 PID 4748 wrote to memory of 1620 4748 NEAS.9bd008dc79487477054739a8172ee730.exe 85 PID 1620 wrote to memory of 1148 1620 Bfchidda.exe 86 PID 1620 wrote to memory of 1148 1620 Bfchidda.exe 86 PID 1620 wrote to memory of 1148 1620 Bfchidda.exe 86 PID 1148 wrote to memory of 4160 1148 Bqilgmdg.exe 87 PID 1148 wrote to memory of 4160 1148 Bqilgmdg.exe 87 PID 1148 wrote to memory of 4160 1148 Bqilgmdg.exe 87 PID 4160 wrote to memory of 1712 4160 Bidqko32.exe 88 PID 4160 wrote to memory of 1712 4160 Bidqko32.exe 88 PID 4160 wrote to memory of 1712 4160 Bidqko32.exe 88 PID 1712 wrote to memory of 4588 1712 Bqkill32.exe 90 PID 1712 wrote to memory of 4588 1712 Bqkill32.exe 90 PID 1712 wrote to memory of 4588 1712 Bqkill32.exe 90 PID 4588 wrote to memory of 2100 4588 Bfhadc32.exe 91 PID 4588 wrote to memory of 2100 4588 Bfhadc32.exe 91 PID 4588 wrote to memory of 2100 4588 Bfhadc32.exe 91 PID 2100 wrote to memory of 4760 2100 Bqmeal32.exe 92 PID 2100 wrote to memory of 4760 2100 Bqmeal32.exe 92 PID 2100 wrote to memory of 4760 2100 Bqmeal32.exe 92 PID 4760 wrote to memory of 5060 4760 Bjfjka32.exe 93 PID 4760 wrote to memory of 5060 4760 Bjfjka32.exe 93 PID 4760 wrote to memory of 5060 4760 Bjfjka32.exe 93 PID 5060 wrote to memory of 3052 5060 Cflkpblf.exe 94 PID 5060 wrote to memory of 3052 5060 Cflkpblf.exe 94 PID 5060 wrote to memory of 3052 5060 Cflkpblf.exe 94 PID 3052 wrote to memory of 2820 3052 Cabomkll.exe 95 PID 3052 wrote to memory of 2820 3052 Cabomkll.exe 95 PID 3052 wrote to memory of 2820 3052 Cabomkll.exe 95 PID 2820 wrote to memory of 2404 2820 Cpglnhad.exe 96 PID 2820 wrote to memory of 2404 2820 Cpglnhad.exe 96 PID 2820 wrote to memory of 2404 2820 Cpglnhad.exe 96 PID 2404 wrote to memory of 2728 2404 Cffmfadl.exe 98 PID 2404 wrote to memory of 2728 2404 Cffmfadl.exe 98 PID 2404 wrote to memory of 2728 2404 Cffmfadl.exe 98 PID 2728 wrote to memory of 664 2728 Dpnbog32.exe 99 PID 2728 wrote to memory of 664 2728 Dpnbog32.exe 99 PID 2728 wrote to memory of 664 2728 Dpnbog32.exe 99 PID 664 wrote to memory of 4504 664 Dpckjfgg.exe 100 PID 664 wrote to memory of 4504 664 Dpckjfgg.exe 100 PID 664 wrote to memory of 4504 664 Dpckjfgg.exe 100 PID 4504 wrote to memory of 1896 4504 Daediilg.exe 101 PID 4504 wrote to memory of 1896 4504 Daediilg.exe 101 PID 4504 wrote to memory of 1896 4504 Daediilg.exe 101 PID 1896 wrote to memory of 4700 1896 Efffmo32.exe 102 PID 1896 wrote to memory of 4700 1896 Efffmo32.exe 102 PID 1896 wrote to memory of 4700 1896 Efffmo32.exe 102 PID 4700 wrote to memory of 1572 4700 Efkphnbd.exe 104 PID 4700 wrote to memory of 1572 4700 Efkphnbd.exe 104 PID 4700 wrote to memory of 1572 4700 Efkphnbd.exe 104 PID 1572 wrote to memory of 4020 1572 Filiii32.exe 105 PID 1572 wrote to memory of 4020 1572 Filiii32.exe 105 PID 1572 wrote to memory of 4020 1572 Filiii32.exe 105 PID 4020 wrote to memory of 2104 4020 Fdamgb32.exe 106 PID 4020 wrote to memory of 2104 4020 Fdamgb32.exe 106 PID 4020 wrote to memory of 2104 4020 Fdamgb32.exe 106 PID 2104 wrote to memory of 3864 2104 Fineoi32.exe 107 PID 2104 wrote to memory of 3864 2104 Fineoi32.exe 107 PID 2104 wrote to memory of 3864 2104 Fineoi32.exe 107 PID 3864 wrote to memory of 876 3864 Fknbil32.exe 108 PID 3864 wrote to memory of 876 3864 Fknbil32.exe 108 PID 3864 wrote to memory of 876 3864 Fknbil32.exe 108 PID 876 wrote to memory of 3200 876 Fpjjac32.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9bd008dc79487477054739a8172ee730.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9bd008dc79487477054739a8172ee730.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Bfhadc32.exeC:\Windows\system32\Bfhadc32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Fknbil32.exeC:\Windows\system32\Fknbil32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe24⤵
- Executes dropped EXE
PID:496 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe25⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3332 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Ljbfpo32.exeC:\Windows\system32\Ljbfpo32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe29⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3440 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe31⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe32⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe35⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe37⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3796 -
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe39⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe40⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe41⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe42⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe43⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe44⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe45⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe46⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe47⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe48⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe49⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe50⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe51⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1432 -
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe53⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe54⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe55⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe56⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe58⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe59⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe60⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe61⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe62⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe63⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3696 -
C:\Windows\SysWOW64\Acfhad32.exeC:\Windows\system32\Acfhad32.exe65⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Akamff32.exeC:\Windows\system32\Akamff32.exe66⤵PID:2304
-
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:396 -
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe68⤵PID:4928
-
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe69⤵PID:4048
-
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe70⤵PID:1904
-
C:\Windows\SysWOW64\Acmobchj.exeC:\Windows\system32\Acmobchj.exe71⤵
- Modifies registry class
PID:456 -
C:\Windows\SysWOW64\Aleckinj.exeC:\Windows\system32\Aleckinj.exe72⤵PID:3528
-
C:\Windows\SysWOW64\Acokhc32.exeC:\Windows\system32\Acokhc32.exe73⤵PID:2512
-
C:\Windows\SysWOW64\Bhldpj32.exeC:\Windows\system32\Bhldpj32.exe74⤵PID:832
-
C:\Windows\SysWOW64\Bhoqeibl.exeC:\Windows\system32\Bhoqeibl.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4232 -
C:\Windows\SysWOW64\Bokehc32.exeC:\Windows\system32\Bokehc32.exe76⤵PID:1960
-
C:\Windows\SysWOW64\Bhcjqinf.exeC:\Windows\system32\Bhcjqinf.exe77⤵PID:3228
-
C:\Windows\SysWOW64\Bcinna32.exeC:\Windows\system32\Bcinna32.exe78⤵PID:3020
-
C:\Windows\SysWOW64\Bheffh32.exeC:\Windows\system32\Bheffh32.exe79⤵
- Drops file in System32 directory
PID:5008 -
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe80⤵
- Drops file in System32 directory
PID:4896 -
C:\Windows\SysWOW64\Cihclh32.exeC:\Windows\system32\Cihclh32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3352 -
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe82⤵PID:4696
-
C:\Windows\SysWOW64\Cjgpfk32.exeC:\Windows\system32\Cjgpfk32.exe83⤵PID:4948
-
C:\Windows\SysWOW64\Codhnb32.exeC:\Windows\system32\Codhnb32.exe84⤵PID:3800
-
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe85⤵PID:1564
-
C:\Windows\SysWOW64\Ccbadp32.exeC:\Windows\system32\Ccbadp32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1164 -
C:\Windows\SysWOW64\Cioilg32.exeC:\Windows\system32\Cioilg32.exe87⤵PID:2544
-
C:\Windows\SysWOW64\Coiaiakf.exeC:\Windows\system32\Coiaiakf.exe88⤵PID:1660
-
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4176 -
C:\Windows\SysWOW64\Dbndfl32.exeC:\Windows\system32\Dbndfl32.exe90⤵PID:3588
-
C:\Windows\SysWOW64\Dihlbf32.exeC:\Windows\system32\Dihlbf32.exe91⤵PID:5124
-
C:\Windows\SysWOW64\Dpbdopck.exeC:\Windows\system32\Dpbdopck.exe92⤵PID:5164
-
C:\Windows\SysWOW64\Dpdaepai.exeC:\Windows\system32\Dpdaepai.exe93⤵PID:5208
-
C:\Windows\SysWOW64\Dfoiaj32.exeC:\Windows\system32\Dfoiaj32.exe94⤵PID:5252
-
C:\Windows\SysWOW64\Dmhand32.exeC:\Windows\system32\Dmhand32.exe95⤵PID:5300
-
C:\Windows\SysWOW64\Ebejfk32.exeC:\Windows\system32\Ebejfk32.exe96⤵PID:5344
-
C:\Windows\SysWOW64\Emkndc32.exeC:\Windows\system32\Emkndc32.exe97⤵
- Modifies registry class
PID:5392 -
C:\Windows\SysWOW64\Ecefqnel.exeC:\Windows\system32\Ecefqnel.exe98⤵PID:5436
-
C:\Windows\SysWOW64\Ejoomhmi.exeC:\Windows\system32\Ejoomhmi.exe99⤵PID:5476
-
C:\Windows\SysWOW64\Emmkiclm.exeC:\Windows\system32\Emmkiclm.exe100⤵PID:5528
-
C:\Windows\SysWOW64\Eplgeokq.exeC:\Windows\system32\Eplgeokq.exe101⤵PID:5568
-
C:\Windows\SysWOW64\Efepbi32.exeC:\Windows\system32\Efepbi32.exe102⤵PID:5616
-
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe103⤵PID:5656
-
C:\Windows\SysWOW64\Efhlhh32.exeC:\Windows\system32\Efhlhh32.exe104⤵PID:5696
-
C:\Windows\SysWOW64\Eifhdd32.exeC:\Windows\system32\Eifhdd32.exe105⤵PID:5736
-
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe106⤵
- Modifies registry class
PID:5784 -
C:\Windows\SysWOW64\Efjimhnh.exeC:\Windows\system32\Efjimhnh.exe107⤵PID:5828
-
C:\Windows\SysWOW64\Emdajb32.exeC:\Windows\system32\Emdajb32.exe108⤵PID:5872
-
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe109⤵PID:5920
-
C:\Windows\SysWOW64\Ffmfchle.exeC:\Windows\system32\Ffmfchle.exe110⤵PID:5964
-
C:\Windows\SysWOW64\Fmfnpa32.exeC:\Windows\system32\Fmfnpa32.exe111⤵PID:6016
-
C:\Windows\SysWOW64\Fbcfhibj.exeC:\Windows\system32\Fbcfhibj.exe112⤵PID:6060
-
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe113⤵PID:6104
-
C:\Windows\SysWOW64\Fllkqn32.exeC:\Windows\system32\Fllkqn32.exe114⤵PID:2584
-
C:\Windows\SysWOW64\Fbfcmhpg.exeC:\Windows\system32\Fbfcmhpg.exe115⤵PID:5188
-
C:\Windows\SysWOW64\Fjmkoeqi.exeC:\Windows\system32\Fjmkoeqi.exe116⤵PID:5232
-
C:\Windows\SysWOW64\Flngfn32.exeC:\Windows\system32\Flngfn32.exe117⤵PID:208
-
C:\Windows\SysWOW64\Fbhpch32.exeC:\Windows\system32\Fbhpch32.exe118⤵PID:5380
-
C:\Windows\SysWOW64\Fmndpq32.exeC:\Windows\system32\Fmndpq32.exe119⤵PID:5484
-
C:\Windows\SysWOW64\Fbjmhh32.exeC:\Windows\system32\Fbjmhh32.exe120⤵
- Drops file in System32 directory
PID:5520 -
C:\Windows\SysWOW64\Fjadje32.exeC:\Windows\system32\Fjadje32.exe121⤵PID:5588
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-