Analysis
-
max time kernel
157s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
01-11-2023 08:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.ab45878c8209857c44ab942b27d85ccd.exe
Resource
win7-20231025-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.ab45878c8209857c44ab942b27d85ccd.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.ab45878c8209857c44ab942b27d85ccd.exe
-
Size
442KB
-
MD5
ab45878c8209857c44ab942b27d85ccd
-
SHA1
bd0e0941750f0ddeaec909dd817306109f0317d2
-
SHA256
85bec334249e033ea8fb1b0eaa5a3c0628da4fb20f14635c6a8fd01fb87bec0b
-
SHA512
773163ac7597ed2db5acb618337f7f560c1a2db71571e493703c075c84270d265c3dfd78c9b776c60f27f60c05046bc9de10c4cb1d92e705142fbc69306a258f
-
SSDEEP
6144:LNiYnWAZmApgo8ujZhjTVqmWdrK86S1oikXXjZhjTVqmWdS+l/G49eMOwCHZ:LNiYnW8mTj/G49eMOwEZ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgimjmfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaeegjeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpcpei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Indkih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkcmdaol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkajnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elhnhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aepmjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omjhgoco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djnfppqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icoglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oofoeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fndgfffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iehkpmgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odkjgm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jookdcie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loigap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnahbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbbdad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfcmge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgkbfjeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fckhnaab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmghdpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgpggm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdhkefnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbqmbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nddklhke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgicdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqinng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhibgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Capikhgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkqebg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbmigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inbndi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaqcgbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnenchoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hifaic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjhlfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdpkoalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbenfq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoecol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckkilhjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikbhiaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeigilml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckhnaab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjadck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qldccjno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqfokblg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkbddo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkeglfio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmjojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hndbbkhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlidkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qifnaecf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjbfdakf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjgpoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jidigfeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqmocjdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnienqbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eijigg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olcklj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojkepmqp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhoiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjlijp32.exe -
Executes dropped EXE 64 IoCs
pid Process 3544 Bpomem32.exe 3480 Hcommoin.exe 1272 Iqmplbpl.exe 4476 Jqhphq32.exe 5056 Kpgoolbl.exe 4932 Kiaqnagj.exe 4500 Lfmghdpl.exe 3500 Mapgfk32.exe 4336 Nmnnlk32.exe 2808 Oinbgk32.exe 4620 Pnenchoc.exe 4952 Qdflaa32.exe 772 Aaofedkl.exe 324 Agqhik32.exe 4568 Cbdhgaid.exe 852 Dnienqbi.exe 2336 Dlobmd32.exe 932 Eijigg32.exe 1852 Flbhia32.exe 4244 Facjlhil.exe 4296 Hifaic32.exe 3412 Hklglk32.exe 2460 Ilqmam32.exe 1300 Jfbdpabn.exe 1604 Jkajnh32.exe 1688 Kbedaand.exe 1896 Ljephmgl.exe 2028 Lcdjba32.exe 1132 Mjheejff.exe 3340 Nmkkle32.exe 1028 Ofmbkipk.exe 1772 Okodlgbl.exe 2468 Bgicdc32.exe 4012 Cjlilndf.exe 208 Cqinng32.exe 388 Cnahbk32.exe 1004 Dmiaig32.exe 4312 Emdaee32.exe 2200 Elhnhm32.exe 3088 Fnpmkg32.exe 4056 Fndgfffm.exe 3860 Hdfapjbl.exe 2792 Iehkpmgl.exe 2432 Jeanfkob.exe 1244 Mfiedfmd.exe 4108 Nlbnhkqo.exe 3540 Nifnao32.exe 4084 Ppnbpg32.exe 3360 Pimmil32.exe 2148 Aeigilml.exe 2124 Abodhpic.exe 3080 Aepmjk32.exe 1996 Bllble32.exe 3724 Bplhhc32.exe 3556 Bidlqhgc.exe 1336 Bgimjmfl.exe 3488 Dcmjpl32.exe 3684 Dncnnd32.exe 3000 Dgkbfjeg.exe 1948 Emfgpo32.exe 824 Ghanoeel.exe 4372 Hnblmnfa.exe 4716 Hdcnpd32.exe 4048 Iokocmnf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mgdklb32.exe Ldmlih32.exe File opened for modification C:\Windows\SysWOW64\Bdmpljlj.exe Bngdndfn.exe File created C:\Windows\SysWOW64\Jmknkk32.exe Jfaenqjm.exe File created C:\Windows\SysWOW64\Eiblooad.dll Jlfpnn32.exe File created C:\Windows\SysWOW64\Lhhoncne.dll Mhdgqh32.exe File created C:\Windows\SysWOW64\Pbgpmedl.dll Mhialhjf.exe File created C:\Windows\SysWOW64\Odiekomi.dll Cqinng32.exe File created C:\Windows\SysWOW64\Hmdend32.exe Giacmggo.exe File created C:\Windows\SysWOW64\Lfijafpp.dll Bahkcn32.exe File created C:\Windows\SysWOW64\Ifkppk32.dll Hmdend32.exe File opened for modification C:\Windows\SysWOW64\Hnblmnfa.exe Ghanoeel.exe File opened for modification C:\Windows\SysWOW64\Goqkne32.exe Gehfepio.exe File created C:\Windows\SysWOW64\Bdkaiilp.dll Ikndpm32.exe File created C:\Windows\SysWOW64\Gifcfc32.dll Boflfiai.exe File created C:\Windows\SysWOW64\Ppnbpg32.exe Nifnao32.exe File created C:\Windows\SysWOW64\Bhkohd32.dll Elepei32.exe File created C:\Windows\SysWOW64\Edpogbee.dll Libnapmg.exe File created C:\Windows\SysWOW64\Lgandg32.dll Jlidkh32.exe File created C:\Windows\SysWOW64\Oomeenke.exe Ofdpmi32.exe File opened for modification C:\Windows\SysWOW64\Agqhik32.exe Aaofedkl.exe File created C:\Windows\SysWOW64\Jmjojh32.exe Ipaeedpp.exe File created C:\Windows\SysWOW64\Fmmloo32.dll Qfaiabnp.exe File created C:\Windows\SysWOW64\Lapcan32.dll Igpkjo32.exe File created C:\Windows\SysWOW64\Ljibdifc.exe Kedcml32.exe File opened for modification C:\Windows\SysWOW64\Ipihiaqa.exe Gpolld32.exe File created C:\Windows\SysWOW64\Hmncqhpd.dll Mckbhg32.exe File created C:\Windows\SysWOW64\Cnglpdin.dll Qdflaa32.exe File created C:\Windows\SysWOW64\Elopkgoa.dll Lhnhkpgo.exe File created C:\Windows\SysWOW64\Icmgjj32.dll Dnqcop32.exe File created C:\Windows\SysWOW64\Eojmki32.dll Odpjhfag.exe File created C:\Windows\SysWOW64\Pcknlmal.exe Omqeobjo.exe File opened for modification C:\Windows\SysWOW64\Chphhn32.exe Coegih32.exe File created C:\Windows\SysWOW64\Hkohmnal.exe Hgapfpjf.exe File created C:\Windows\SysWOW64\Gbambkif.dll Ahdpea32.exe File created C:\Windows\SysWOW64\Cljopo32.dll Badipiae.exe File created C:\Windows\SysWOW64\Qoecol32.exe Qifnaecf.exe File opened for modification C:\Windows\SysWOW64\Logimckp.exe Ldbepklj.exe File opened for modification C:\Windows\SysWOW64\Dmiaig32.exe Cnahbk32.exe File opened for modification C:\Windows\SysWOW64\Dgpllm32.exe Dnhgcgbi.exe File opened for modification C:\Windows\SysWOW64\Qjiaak32.exe Pjehflie.exe File opened for modification C:\Windows\SysWOW64\Ppnbpg32.exe Nifnao32.exe File opened for modification C:\Windows\SysWOW64\Libnapmg.exe Kigoeagd.exe File created C:\Windows\SysWOW64\Jfcbcp32.exe Jmknkk32.exe File opened for modification C:\Windows\SysWOW64\Bganac32.exe Bjmnho32.exe File created C:\Windows\SysWOW64\Egflpjbk.dll Lebalokn.exe File opened for modification C:\Windows\SysWOW64\Lddbej32.exe Logimckp.exe File created C:\Windows\SysWOW64\Mjheejff.exe Lcdjba32.exe File created C:\Windows\SysWOW64\Llmpco32.exe Lbekjipe.exe File created C:\Windows\SysWOW64\Bicjjncd.exe Bcddlhgo.exe File opened for modification C:\Windows\SysWOW64\Okodlgbl.exe Ofmbkipk.exe File opened for modification C:\Windows\SysWOW64\Capikhgh.exe Bganac32.exe File created C:\Windows\SysWOW64\Knpdlo32.dll Jbppaedo.exe File created C:\Windows\SysWOW64\Kngoob32.dll Llfqkhno.exe File opened for modification C:\Windows\SysWOW64\Nlbnhkqo.exe Mfiedfmd.exe File created C:\Windows\SysWOW64\Bimhihen.dll Afinbdon.exe File created C:\Windows\SysWOW64\Emfebjgb.exe Diccal32.exe File created C:\Windows\SysWOW64\Qoamab32.dll Jdaajkfd.exe File opened for modification C:\Windows\SysWOW64\Icoglp32.exe Inbndi32.exe File created C:\Windows\SysWOW64\Mhialhjf.exe Moqlcbce.exe File opened for modification C:\Windows\SysWOW64\Jqihjbod.exe Jdpkoalc.exe File created C:\Windows\SysWOW64\Oiboklin.dll Bhibgo32.exe File created C:\Windows\SysWOW64\Eekkllpk.dll Nnpalk32.exe File created C:\Windows\SysWOW64\Qdflaa32.exe Pnenchoc.exe File opened for modification C:\Windows\SysWOW64\Bngnmjql.exe Bobalm32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nifnao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dngqia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nboojpcb.dll" Logimckp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajbegg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enjfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ampkil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnlelpgj.dll" Bjmnho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joioak32.dll" Fjjnblhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqmplbpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knenffqf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Negoaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ablahjhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnmj32.dll" Chphhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkcmdaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dljqjjnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpgico32.dll" Jlpklg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfgid32.dll" Gdbmalja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icdhojka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfconak.dll" Ecphmfbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlidkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqihjbod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qoecol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpomem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pimmil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bllble32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnblmnfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbcieqpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjbfdakf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpmofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbndgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjiqlpeo.dll" Ajbegg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odkjgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmmloo32.dll" Qfaiabnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjkipdpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjgneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnienqbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmcem32.dll" Ofmbkipk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aepmjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klkcmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekdolcbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hceook32.dll" Cbdhgaid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqopqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akchlk32.dll" Mallojmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aklgbhpo.dll" Dejamdca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mapgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipniemf.dll" Mdhkefnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjhlfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didoqi32.dll" Bobalm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnacqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhialhjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaiddajo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgdklb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emaemefo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqfokblg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgenlldo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcakilpk.dll" Abodhpic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgjngclb.dll" Dljqjjnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glegijdk.dll" Cjkjjmlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okolppdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bplhhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjehflie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkbcppg.dll" Ggkiha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpahghbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjdgp32.dll" Lejlioie.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3304 wrote to memory of 3544 3304 NEAS.ab45878c8209857c44ab942b27d85ccd.exe 93 PID 3304 wrote to memory of 3544 3304 NEAS.ab45878c8209857c44ab942b27d85ccd.exe 93 PID 3304 wrote to memory of 3544 3304 NEAS.ab45878c8209857c44ab942b27d85ccd.exe 93 PID 3544 wrote to memory of 3480 3544 Bpomem32.exe 94 PID 3544 wrote to memory of 3480 3544 Bpomem32.exe 94 PID 3544 wrote to memory of 3480 3544 Bpomem32.exe 94 PID 3480 wrote to memory of 1272 3480 Hcommoin.exe 95 PID 3480 wrote to memory of 1272 3480 Hcommoin.exe 95 PID 3480 wrote to memory of 1272 3480 Hcommoin.exe 95 PID 1272 wrote to memory of 4476 1272 Iqmplbpl.exe 96 PID 1272 wrote to memory of 4476 1272 Iqmplbpl.exe 96 PID 1272 wrote to memory of 4476 1272 Iqmplbpl.exe 96 PID 4476 wrote to memory of 5056 4476 Jqhphq32.exe 97 PID 4476 wrote to memory of 5056 4476 Jqhphq32.exe 97 PID 4476 wrote to memory of 5056 4476 Jqhphq32.exe 97 PID 5056 wrote to memory of 4932 5056 Kpgoolbl.exe 98 PID 5056 wrote to memory of 4932 5056 Kpgoolbl.exe 98 PID 5056 wrote to memory of 4932 5056 Kpgoolbl.exe 98 PID 4932 wrote to memory of 4500 4932 Kiaqnagj.exe 99 PID 4932 wrote to memory of 4500 4932 Kiaqnagj.exe 99 PID 4932 wrote to memory of 4500 4932 Kiaqnagj.exe 99 PID 4500 wrote to memory of 3500 4500 Lfmghdpl.exe 100 PID 4500 wrote to memory of 3500 4500 Lfmghdpl.exe 100 PID 4500 wrote to memory of 3500 4500 Lfmghdpl.exe 100 PID 3500 wrote to memory of 4336 3500 Mapgfk32.exe 101 PID 3500 wrote to memory of 4336 3500 Mapgfk32.exe 101 PID 3500 wrote to memory of 4336 3500 Mapgfk32.exe 101 PID 4336 wrote to memory of 2808 4336 Nmnnlk32.exe 102 PID 4336 wrote to memory of 2808 4336 Nmnnlk32.exe 102 PID 4336 wrote to memory of 2808 4336 Nmnnlk32.exe 102 PID 2808 wrote to memory of 4620 2808 Oinbgk32.exe 103 PID 2808 wrote to memory of 4620 2808 Oinbgk32.exe 103 PID 2808 wrote to memory of 4620 2808 Oinbgk32.exe 103 PID 4620 wrote to memory of 4952 4620 Pnenchoc.exe 104 PID 4620 wrote to memory of 4952 4620 Pnenchoc.exe 104 PID 4620 wrote to memory of 4952 4620 Pnenchoc.exe 104 PID 4952 wrote to memory of 772 4952 Qdflaa32.exe 105 PID 4952 wrote to memory of 772 4952 Qdflaa32.exe 105 PID 4952 wrote to memory of 772 4952 Qdflaa32.exe 105 PID 772 wrote to memory of 324 772 Aaofedkl.exe 106 PID 772 wrote to memory of 324 772 Aaofedkl.exe 106 PID 772 wrote to memory of 324 772 Aaofedkl.exe 106 PID 324 wrote to memory of 4568 324 Agqhik32.exe 107 PID 324 wrote to memory of 4568 324 Agqhik32.exe 107 PID 324 wrote to memory of 4568 324 Agqhik32.exe 107 PID 4568 wrote to memory of 852 4568 Cbdhgaid.exe 108 PID 4568 wrote to memory of 852 4568 Cbdhgaid.exe 108 PID 4568 wrote to memory of 852 4568 Cbdhgaid.exe 108 PID 852 wrote to memory of 2336 852 Dnienqbi.exe 109 PID 852 wrote to memory of 2336 852 Dnienqbi.exe 109 PID 852 wrote to memory of 2336 852 Dnienqbi.exe 109 PID 2336 wrote to memory of 932 2336 Dlobmd32.exe 110 PID 2336 wrote to memory of 932 2336 Dlobmd32.exe 110 PID 2336 wrote to memory of 932 2336 Dlobmd32.exe 110 PID 932 wrote to memory of 1852 932 Eijigg32.exe 111 PID 932 wrote to memory of 1852 932 Eijigg32.exe 111 PID 932 wrote to memory of 1852 932 Eijigg32.exe 111 PID 1852 wrote to memory of 4244 1852 Flbhia32.exe 112 PID 1852 wrote to memory of 4244 1852 Flbhia32.exe 112 PID 1852 wrote to memory of 4244 1852 Flbhia32.exe 112 PID 4244 wrote to memory of 4296 4244 Facjlhil.exe 113 PID 4244 wrote to memory of 4296 4244 Facjlhil.exe 113 PID 4244 wrote to memory of 4296 4244 Facjlhil.exe 113 PID 4296 wrote to memory of 3412 4296 Hifaic32.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.ab45878c8209857c44ab942b27d85ccd.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.ab45878c8209857c44ab942b27d85ccd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\Bpomem32.exeC:\Windows\system32\Bpomem32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Windows\SysWOW64\Hcommoin.exeC:\Windows\system32\Hcommoin.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\Iqmplbpl.exeC:\Windows\system32\Iqmplbpl.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Jqhphq32.exeC:\Windows\system32\Jqhphq32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Kpgoolbl.exeC:\Windows\system32\Kpgoolbl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Kiaqnagj.exeC:\Windows\system32\Kiaqnagj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\SysWOW64\Lfmghdpl.exeC:\Windows\system32\Lfmghdpl.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Mapgfk32.exeC:\Windows\system32\Mapgfk32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\Nmnnlk32.exeC:\Windows\system32\Nmnnlk32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\Oinbgk32.exeC:\Windows\system32\Oinbgk32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Pnenchoc.exeC:\Windows\system32\Pnenchoc.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Qdflaa32.exeC:\Windows\system32\Qdflaa32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Aaofedkl.exeC:\Windows\system32\Aaofedkl.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Agqhik32.exeC:\Windows\system32\Agqhik32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Cbdhgaid.exeC:\Windows\system32\Cbdhgaid.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Dnienqbi.exeC:\Windows\system32\Dnienqbi.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Dlobmd32.exeC:\Windows\system32\Dlobmd32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Eijigg32.exeC:\Windows\system32\Eijigg32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Flbhia32.exeC:\Windows\system32\Flbhia32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Facjlhil.exeC:\Windows\system32\Facjlhil.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Hifaic32.exeC:\Windows\system32\Hifaic32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Hklglk32.exeC:\Windows\system32\Hklglk32.exe23⤵
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Ilqmam32.exeC:\Windows\system32\Ilqmam32.exe24⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Jfbdpabn.exeC:\Windows\system32\Jfbdpabn.exe25⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Jkajnh32.exeC:\Windows\system32\Jkajnh32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Kbedaand.exeC:\Windows\system32\Kbedaand.exe27⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Ljephmgl.exeC:\Windows\system32\Ljephmgl.exe28⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Lcdjba32.exeC:\Windows\system32\Lcdjba32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Mjheejff.exeC:\Windows\system32\Mjheejff.exe30⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Nmkkle32.exeC:\Windows\system32\Nmkkle32.exe31⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Ofmbkipk.exeC:\Windows\system32\Ofmbkipk.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Okodlgbl.exeC:\Windows\system32\Okodlgbl.exe33⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Bgicdc32.exeC:\Windows\system32\Bgicdc32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Cjlilndf.exeC:\Windows\system32\Cjlilndf.exe35⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Cqinng32.exeC:\Windows\system32\Cqinng32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:208 -
C:\Windows\SysWOW64\Cnahbk32.exeC:\Windows\system32\Cnahbk32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:388 -
C:\Windows\SysWOW64\Dmiaig32.exeC:\Windows\system32\Dmiaig32.exe38⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Emdaee32.exeC:\Windows\system32\Emdaee32.exe39⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Elhnhm32.exeC:\Windows\system32\Elhnhm32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Fnpmkg32.exeC:\Windows\system32\Fnpmkg32.exe41⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Fndgfffm.exeC:\Windows\system32\Fndgfffm.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Hdfapjbl.exeC:\Windows\system32\Hdfapjbl.exe43⤵
- Executes dropped EXE
PID:3860 -
C:\Windows\SysWOW64\Iehkpmgl.exeC:\Windows\system32\Iehkpmgl.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Jeanfkob.exeC:\Windows\system32\Jeanfkob.exe45⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Mfiedfmd.exeC:\Windows\system32\Mfiedfmd.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1244 -
C:\Windows\SysWOW64\Nlbnhkqo.exeC:\Windows\system32\Nlbnhkqo.exe47⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Nifnao32.exeC:\Windows\system32\Nifnao32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3540 -
C:\Windows\SysWOW64\Ppnbpg32.exeC:\Windows\system32\Ppnbpg32.exe49⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Pimmil32.exeC:\Windows\system32\Pimmil32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3360 -
C:\Windows\SysWOW64\Aeigilml.exeC:\Windows\system32\Aeigilml.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Abodhpic.exeC:\Windows\system32\Abodhpic.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Aepmjk32.exeC:\Windows\system32\Aepmjk32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3080 -
C:\Windows\SysWOW64\Bllble32.exeC:\Windows\system32\Bllble32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Bplhhc32.exeC:\Windows\system32\Bplhhc32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:3724 -
C:\Windows\SysWOW64\Bidlqhgc.exeC:\Windows\system32\Bidlqhgc.exe56⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Bgimjmfl.exeC:\Windows\system32\Bgimjmfl.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Dcmjpl32.exeC:\Windows\system32\Dcmjpl32.exe58⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Dncnnd32.exeC:\Windows\system32\Dncnnd32.exe59⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Dgkbfjeg.exeC:\Windows\system32\Dgkbfjeg.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Emfgpo32.exeC:\Windows\system32\Emfgpo32.exe61⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Ghanoeel.exeC:\Windows\system32\Ghanoeel.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:824 -
C:\Windows\SysWOW64\Hnblmnfa.exeC:\Windows\system32\Hnblmnfa.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:4372 -
C:\Windows\SysWOW64\Hdcnpd32.exeC:\Windows\system32\Hdcnpd32.exe64⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Iokocmnf.exeC:\Windows\system32\Iokocmnf.exe65⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Ipaeedpp.exeC:\Windows\system32\Ipaeedpp.exe66⤵
- Drops file in System32 directory
PID:4432 -
C:\Windows\SysWOW64\Jmjojh32.exeC:\Windows\system32\Jmjojh32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4416 -
C:\Windows\SysWOW64\Knenffqf.exeC:\Windows\system32\Knenffqf.exe68⤵
- Modifies registry class
PID:3304 -
C:\Windows\SysWOW64\Negoaj32.exeC:\Windows\system32\Negoaj32.exe69⤵
- Modifies registry class
PID:3592 -
C:\Windows\SysWOW64\Oijqbh32.exeC:\Windows\system32\Oijqbh32.exe70⤵PID:4580
-
C:\Windows\SysWOW64\Oaeegjeb.exeC:\Windows\system32\Oaeegjeb.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3084 -
C:\Windows\SysWOW64\Pgdgodhj.exeC:\Windows\system32\Pgdgodhj.exe72⤵PID:1276
-
C:\Windows\SysWOW64\Pbndgl32.exeC:\Windows\system32\Pbndgl32.exe73⤵
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Qlkbka32.exeC:\Windows\system32\Qlkbka32.exe74⤵PID:556
-
C:\Windows\SysWOW64\Ahdpea32.exeC:\Windows\system32\Ahdpea32.exe75⤵
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Ablahjhj.exeC:\Windows\system32\Ablahjhj.exe76⤵
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Aikbpckb.exeC:\Windows\system32\Aikbpckb.exe77⤵PID:2032
-
C:\Windows\SysWOW64\Bhibgo32.exeC:\Windows\system32\Bhibgo32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\Coegih32.exeC:\Windows\system32\Coegih32.exe79⤵
- Drops file in System32 directory
PID:1396 -
C:\Windows\SysWOW64\Chphhn32.exeC:\Windows\system32\Chphhn32.exe80⤵
- Modifies registry class
PID:4148 -
C:\Windows\SysWOW64\Clnanlhn.exeC:\Windows\system32\Clnanlhn.exe81⤵PID:2908
-
C:\Windows\SysWOW64\Dpcpei32.exeC:\Windows\system32\Dpcpei32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4256 -
C:\Windows\SysWOW64\Dljqjjnp.exeC:\Windows\system32\Dljqjjnp.exe83⤵
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Eqopqh32.exeC:\Windows\system32\Eqopqh32.exe84⤵
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Elepei32.exeC:\Windows\system32\Elepei32.exe85⤵
- Drops file in System32 directory
PID:3816 -
C:\Windows\SysWOW64\Ehlakjig.exeC:\Windows\system32\Ehlakjig.exe86⤵PID:3672
-
C:\Windows\SysWOW64\Fcbehbim.exeC:\Windows\system32\Fcbehbim.exe87⤵PID:2888
-
C:\Windows\SysWOW64\Fiajfi32.exeC:\Windows\system32\Fiajfi32.exe88⤵PID:4568
-
C:\Windows\SysWOW64\Ficgkico.exeC:\Windows\system32\Ficgkico.exe89⤵PID:3932
-
C:\Windows\SysWOW64\Ffggdmbi.exeC:\Windows\system32\Ffggdmbi.exe90⤵PID:540
-
C:\Windows\SysWOW64\Fckhnaab.exeC:\Windows\system32\Fckhnaab.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3052 -
C:\Windows\SysWOW64\Gijmlh32.exeC:\Windows\system32\Gijmlh32.exe92⤵PID:2260
-
C:\Windows\SysWOW64\Giacmggo.exeC:\Windows\system32\Giacmggo.exe93⤵
- Drops file in System32 directory
PID:3196 -
C:\Windows\SysWOW64\Hmdend32.exeC:\Windows\system32\Hmdend32.exe94⤵
- Drops file in System32 directory
PID:4336 -
C:\Windows\SysWOW64\Hfoflj32.exeC:\Windows\system32\Hfoflj32.exe95⤵PID:1288
-
C:\Windows\SysWOW64\Iaiddajo.exeC:\Windows\system32\Iaiddajo.exe96⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Ijaimg32.exeC:\Windows\system32\Ijaimg32.exe97⤵PID:2632
-
C:\Windows\SysWOW64\Imbaobmp.exeC:\Windows\system32\Imbaobmp.exe98⤵PID:4892
-
C:\Windows\SysWOW64\Ibagmiie.exeC:\Windows\system32\Ibagmiie.exe99⤵PID:4060
-
C:\Windows\SysWOW64\Jpegfm32.exeC:\Windows\system32\Jpegfm32.exe100⤵PID:1620
-
C:\Windows\SysWOW64\Jjmhie32.exeC:\Windows\system32\Jjmhie32.exe101⤵PID:5148
-
C:\Windows\SysWOW64\Jmpnppap.exeC:\Windows\system32\Jmpnppap.exe102⤵PID:5192
-
C:\Windows\SysWOW64\Kigoeagd.exeC:\Windows\system32\Kigoeagd.exe103⤵
- Drops file in System32 directory
PID:5244 -
C:\Windows\SysWOW64\Libnapmg.exeC:\Windows\system32\Libnapmg.exe104⤵
- Drops file in System32 directory
PID:5312 -
C:\Windows\SysWOW64\Ldmlih32.exeC:\Windows\system32\Ldmlih32.exe105⤵
- Drops file in System32 directory
PID:5360 -
C:\Windows\SysWOW64\Mgdklb32.exeC:\Windows\system32\Mgdklb32.exe106⤵
- Modifies registry class
PID:5412 -
C:\Windows\SysWOW64\Mdhkefnj.exeC:\Windows\system32\Mdhkefnj.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5456 -
C:\Windows\SysWOW64\Mallojmd.exeC:\Windows\system32\Mallojmd.exe108⤵
- Modifies registry class
PID:5540 -
C:\Windows\SysWOW64\Pbkagfba.exeC:\Windows\system32\Pbkagfba.exe109⤵PID:5580
-
C:\Windows\SysWOW64\Pgjfdm32.exeC:\Windows\system32\Pgjfdm32.exe110⤵PID:5640
-
C:\Windows\SysWOW64\Ajbegg32.exeC:\Windows\system32\Ajbegg32.exe111⤵
- Modifies registry class
PID:5696 -
C:\Windows\SysWOW64\Abpcicpi.exeC:\Windows\system32\Abpcicpi.exe112⤵PID:5752
-
C:\Windows\SysWOW64\Bngdndfn.exeC:\Windows\system32\Bngdndfn.exe113⤵
- Drops file in System32 directory
PID:5816 -
C:\Windows\SysWOW64\Bdmpljlj.exeC:\Windows\system32\Bdmpljlj.exe114⤵PID:5884
-
C:\Windows\SysWOW64\Cbcieqpd.exeC:\Windows\system32\Cbcieqpd.exe115⤵
- Modifies registry class
PID:5940 -
C:\Windows\SysWOW64\Cajblmci.exeC:\Windows\system32\Cajblmci.exe116⤵PID:6008
-
C:\Windows\SysWOW64\Dhfhnfhc.exeC:\Windows\system32\Dhfhnfhc.exe117⤵PID:6048
-
C:\Windows\SysWOW64\Ddmhcg32.exeC:\Windows\system32\Ddmhcg32.exe118⤵PID:3412
-
C:\Windows\SysWOW64\Elkfed32.exeC:\Windows\system32\Elkfed32.exe119⤵PID:5232
-
C:\Windows\SysWOW64\Edihof32.exeC:\Windows\system32\Edihof32.exe120⤵PID:5524
-
C:\Windows\SysWOW64\Hbbdad32.exeC:\Windows\system32\Hbbdad32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5620 -
C:\Windows\SysWOW64\Jlidkh32.exeC:\Windows\system32\Jlidkh32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5672
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-