Analysis
-
max time kernel
159s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
01-11-2023 14:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.757af56c36628883b1a584a52dbd5460.exe
Resource
win7-20231020-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.757af56c36628883b1a584a52dbd5460.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.757af56c36628883b1a584a52dbd5460.exe
-
Size
56KB
-
MD5
757af56c36628883b1a584a52dbd5460
-
SHA1
6d7941f53afbd01321c2afa2151d0d75e70454b4
-
SHA256
ed54afaa2f369959ce8e09d188afb409106b462ae08f1c21293eab820c45e713
-
SHA512
9cd30b41a866b768a5a715028a8d652f6e5e72175b79013d63ca9eff390ad114b3ab16b5633660a93d05824861dc6b364863f248e74cffaaae6bf9819db88e4a
-
SSDEEP
768:+6oselcj3HcdbZOSXigAxhlKmL+Nv2no4tMyz2BwSfFJQ/1H5CoXdnh:+meaQdNOSfAxTXLSenXPz2Bwcnqk6
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffpcbchm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nphhfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdkadb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bokeai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmkfjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjdokb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cldjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhckeeam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpffgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgaoda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njjdae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nilkkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhdjonng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihapg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phpkgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlggcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkpbgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmkfjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbkkpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chblebll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbhhieao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhaee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iihkjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnbeie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdfjcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jigdoglm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klbnjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggqgpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbkdhjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nddkaddm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcbcp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acnefoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbppaedo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ileflmpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onekeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fndpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkjjfkcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nalpbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfkcibdl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agqhik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcjimnjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdfjcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olehai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkdhjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfoebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhdhhchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmagmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beaohcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abkjnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lemoid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpofdndi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcggec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaljlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqkhng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lajhpbme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbgdnelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhdcmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlegokbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nddkaddm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kedlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glfmaemc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oicccj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdihfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccldebeo.exe -
Executes dropped EXE 64 IoCs
pid Process 3200 Acccdj32.exe 2732 Cpogkhnl.exe 2040 Dkkaiphj.exe 1808 Dcnlnaom.exe 3484 Fclhpo32.exe 2056 Gbhhieao.exe 1540 Gdnjfojj.exe 4752 Hjmodffo.exe 2396 Igjbci32.exe 540 Iccpniqp.exe 2908 Jjdokb32.exe 2032 Jjnaaa32.exe 2400 Klpjad32.exe 4804 Klgqabib.exe 4840 Llngbabj.exe 5028 Mcoepkdo.exe 636 Obfhmd32.exe 1456 Piceflpi.exe 4524 Qkdohg32.exe 4872 Amkabind.exe 1868 Abgjkpll.exe 4996 Bfjllnnm.exe 4448 Beaecjab.exe 3348 Bpgjpb32.exe 3496 Cibkohef.exe 3728 Cleqfb32.exe 1464 Dlncla32.exe 3252 Dpllbp32.exe 2308 Eennefib.exe 3500 Emgblc32.exe 2672 Ffpcbchm.exe 2288 Gfjfhbpb.exe 2668 Gcpcgfmi.exe 3532 Hdffah32.exe 1632 Iqdmghnp.exe 2636 Jnmglk32.exe 4060 Jfmekm32.exe 4616 Kaioidkh.exe 3860 Kanidd32.exe 1484 Lajhpbme.exe 3780 Nkpijfgf.exe 4796 Nkgoke32.exe 1220 Oacdmo32.exe 4028 Poagma32.exe 1576 Pdpmkhjl.exe 4972 Pdbiphhi.exe 2292 Qbmpjkqk.exe 4016 Anijjkbj.exe 4232 Ankgpk32.exe 1776 Afdkfh32.exe 2612 Bpomem32.exe 5080 Beaohcmf.exe 2716 Bpfcelml.exe 2988 Ciogobcm.exe 848 Cldjkl32.exe 4960 Dbckcf32.exe 2452 Dlkplk32.exe 4332 Dbgdnelk.exe 5036 Eohhie32.exe 2196 Efampahd.exe 3872 Fpnkdfko.exe 4724 Fochecog.exe 548 Fcaqka32.exe 2784 Gchflq32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mlkhga32.dll Nneboemj.exe File opened for modification C:\Windows\SysWOW64\Jenedhaa.exe Jndmgn32.exe File opened for modification C:\Windows\SysWOW64\Khdedapj.exe Kchmljab.exe File opened for modification C:\Windows\SysWOW64\Lagepl32.exe Ljhchc32.exe File created C:\Windows\SysWOW64\Jpcmei32.dll Dphipidf.exe File created C:\Windows\SysWOW64\Kmbhlfil.dll Pmpfcl32.exe File opened for modification C:\Windows\SysWOW64\Cbjoac32.exe Cimamn32.exe File opened for modification C:\Windows\SysWOW64\Ldnbdnlc.exe Loqjlg32.exe File opened for modification C:\Windows\SysWOW64\Jcplle32.exe Jeolonem.exe File created C:\Windows\SysWOW64\Kbkaiddd.exe Kkaimj32.exe File opened for modification C:\Windows\SysWOW64\Pmkfjn32.exe Pdqelh32.exe File created C:\Windows\SysWOW64\Dkbgcd32.exe Djckiapl.exe File opened for modification C:\Windows\SysWOW64\Mfkcibdl.exe Lagepl32.exe File created C:\Windows\SysWOW64\Cpfhbh32.dll Pcfhlh32.exe File opened for modification C:\Windows\SysWOW64\Oinbgk32.exe Npadcfnl.exe File opened for modification C:\Windows\SysWOW64\Ppmleagi.exe Pbiklmhp.exe File created C:\Windows\SysWOW64\Odelpm32.exe Nboiekjd.exe File opened for modification C:\Windows\SysWOW64\Jfbkijdo.exe Jphcmp32.exe File opened for modification C:\Windows\SysWOW64\Nbhkjicf.exe Nkncno32.exe File created C:\Windows\SysWOW64\Bpcbjg32.dll Oidopn32.exe File created C:\Windows\SysWOW64\Pbiklmhp.exe Plocob32.exe File created C:\Windows\SysWOW64\Pnbifmla.exe Phhpic32.exe File opened for modification C:\Windows\SysWOW64\Ngkjbkem.exe Nnbeie32.exe File created C:\Windows\SysWOW64\Ooaghe32.exe Oidopn32.exe File opened for modification C:\Windows\SysWOW64\Jdkadb32.exe Jjfngi32.exe File created C:\Windows\SysWOW64\Iehqncld.dll Ljbfiegb.exe File created C:\Windows\SysWOW64\Hdffah32.exe Gcpcgfmi.exe File created C:\Windows\SysWOW64\Jmdjha32.exe Iiaggc32.exe File opened for modification C:\Windows\SysWOW64\Klbnjo32.exe Koonak32.exe File created C:\Windows\SysWOW64\Jbjciano.exe Jfcbcp32.exe File created C:\Windows\SysWOW64\Hgeiao32.exe Hbiaih32.exe File opened for modification C:\Windows\SysWOW64\Blabakle.exe Akgcdc32.exe File opened for modification C:\Windows\SysWOW64\Caimachg.exe Cafpkc32.exe File created C:\Windows\SysWOW64\Kjambg32.exe Jdddjq32.exe File opened for modification C:\Windows\SysWOW64\Cpofdndi.exe Cckfkiep.exe File opened for modification C:\Windows\SysWOW64\Dbllkohi.exe Dhdkig32.exe File created C:\Windows\SysWOW64\Dcpacb32.dll Llbinnbq.exe File created C:\Windows\SysWOW64\Debealmo.dll Lakfodjj.exe File opened for modification C:\Windows\SysWOW64\Idebniil.exe Cfkenogb.exe File created C:\Windows\SysWOW64\Efanna32.dll Fndpfc32.exe File created C:\Windows\SysWOW64\Ckfggf32.exe Cdmokljp.exe File created C:\Windows\SysWOW64\Moieopkh.dll Gnjollpe.exe File created C:\Windows\SysWOW64\Pnknoicc.dll Nbnpmp32.exe File created C:\Windows\SysWOW64\Eeojdk32.dll Ebejpp32.exe File created C:\Windows\SysWOW64\Lfgiejmq.dll Mcqjhc32.exe File created C:\Windows\SysWOW64\Cdmokljp.exe Cigknc32.exe File opened for modification C:\Windows\SysWOW64\Jaljlb32.exe Jjbbohid.exe File opened for modification C:\Windows\SysWOW64\Amfqikko.exe Agqekeeb.exe File created C:\Windows\SysWOW64\Analdh32.dll Agqekeeb.exe File opened for modification C:\Windows\SysWOW64\Mekmgg32.exe Lkchoaif.exe File created C:\Windows\SysWOW64\Gjgqcedl.dll Bfjlecdj.exe File created C:\Windows\SysWOW64\Omldnfkj.exe Nalpbf32.exe File created C:\Windows\SysWOW64\Ejagkodl.exe Enjfen32.exe File created C:\Windows\SysWOW64\Kaebce32.dll Gcpcgfmi.exe File opened for modification C:\Windows\SysWOW64\Mbfmha32.exe Ldnbdnlc.exe File created C:\Windows\SysWOW64\Fhonpi32.exe Ffpadn32.exe File created C:\Windows\SysWOW64\Mhgfdmle.exe Mbjnlfnn.exe File created C:\Windows\SysWOW64\Npbhqj32.exe Niipdpae.exe File created C:\Windows\SysWOW64\Jncfmgfi.exe Jdkadb32.exe File created C:\Windows\SysWOW64\Eepbdodb.dll Iccpniqp.exe File created C:\Windows\SysWOW64\Ffpcbchm.exe Emgblc32.exe File opened for modification C:\Windows\SysWOW64\Jajmfc32.exe Jjpejikg.exe File created C:\Windows\SysWOW64\Nejkfj32.exe Nocphd32.exe File created C:\Windows\SysWOW64\Pdfjcl32.exe Pcgmiiii.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kppphe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poackh32.dll" Jphcmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lokdgpqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibdffcmj.dll" Kpiqpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkohmnal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djmbbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhoaqa32.dll" Bjkcqdje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adockl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfogfco.dll" Mhafoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cofemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qibldg32.dll" Jnmglk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkpijfgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckghid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elkbcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koonak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnkndilc.dll" Kehocokh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcpcgfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehjdejkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhghjpod.dll" Ogajid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lalnfooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfjcmfbn.dll" Qaofphbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mocjdepa.dll" Pfkfmhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljhchc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anaflcjf.dll" Olehai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilaidke.dll" Amfhao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqdmghnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijmobhdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kemhpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qaofphbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpogkhnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgjfqgj.dll" Eohhie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnepbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpghel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkechjib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqkhng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbdgkjib.dll" Poagma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfehoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cglgck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hglaookl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdcnpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmklaaek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onhhkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lifjgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnpjegpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbjkkjkc.dll" Kanidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfcdaehf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daiodkff.dll" Ncecioib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgmnmagm.dll" Phpkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midbjmkg.dll" Bpgjpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngipjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clfdcgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgokflpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpbojlfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqmincia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pikkqb32.dll" Iqdmghnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nngoddkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnfdqjo.dll" Ghhhmebd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkpijfgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eennefib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmcch32.dll" Nhafcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llbinnbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nabpiocm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpofdndi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpbpoi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 384 wrote to memory of 3200 384 NEAS.757af56c36628883b1a584a52dbd5460.exe 90 PID 384 wrote to memory of 3200 384 NEAS.757af56c36628883b1a584a52dbd5460.exe 90 PID 384 wrote to memory of 3200 384 NEAS.757af56c36628883b1a584a52dbd5460.exe 90 PID 3200 wrote to memory of 2732 3200 Acccdj32.exe 91 PID 3200 wrote to memory of 2732 3200 Acccdj32.exe 91 PID 3200 wrote to memory of 2732 3200 Acccdj32.exe 91 PID 2732 wrote to memory of 2040 2732 Cpogkhnl.exe 92 PID 2732 wrote to memory of 2040 2732 Cpogkhnl.exe 92 PID 2732 wrote to memory of 2040 2732 Cpogkhnl.exe 92 PID 2040 wrote to memory of 1808 2040 Dkkaiphj.exe 93 PID 2040 wrote to memory of 1808 2040 Dkkaiphj.exe 93 PID 2040 wrote to memory of 1808 2040 Dkkaiphj.exe 93 PID 1808 wrote to memory of 3484 1808 Dcnlnaom.exe 94 PID 1808 wrote to memory of 3484 1808 Dcnlnaom.exe 94 PID 1808 wrote to memory of 3484 1808 Dcnlnaom.exe 94 PID 3484 wrote to memory of 2056 3484 Fclhpo32.exe 95 PID 3484 wrote to memory of 2056 3484 Fclhpo32.exe 95 PID 3484 wrote to memory of 2056 3484 Fclhpo32.exe 95 PID 2056 wrote to memory of 1540 2056 Gbhhieao.exe 96 PID 2056 wrote to memory of 1540 2056 Gbhhieao.exe 96 PID 2056 wrote to memory of 1540 2056 Gbhhieao.exe 96 PID 1540 wrote to memory of 4752 1540 Gdnjfojj.exe 97 PID 1540 wrote to memory of 4752 1540 Gdnjfojj.exe 97 PID 1540 wrote to memory of 4752 1540 Gdnjfojj.exe 97 PID 4752 wrote to memory of 2396 4752 Hjmodffo.exe 98 PID 4752 wrote to memory of 2396 4752 Hjmodffo.exe 98 PID 4752 wrote to memory of 2396 4752 Hjmodffo.exe 98 PID 2396 wrote to memory of 540 2396 Igjbci32.exe 99 PID 2396 wrote to memory of 540 2396 Igjbci32.exe 99 PID 2396 wrote to memory of 540 2396 Igjbci32.exe 99 PID 540 wrote to memory of 2908 540 Iccpniqp.exe 101 PID 540 wrote to memory of 2908 540 Iccpniqp.exe 101 PID 540 wrote to memory of 2908 540 Iccpniqp.exe 101 PID 2908 wrote to memory of 2032 2908 Jjdokb32.exe 102 PID 2908 wrote to memory of 2032 2908 Jjdokb32.exe 102 PID 2908 wrote to memory of 2032 2908 Jjdokb32.exe 102 PID 2032 wrote to memory of 2400 2032 Jjnaaa32.exe 103 PID 2032 wrote to memory of 2400 2032 Jjnaaa32.exe 103 PID 2032 wrote to memory of 2400 2032 Jjnaaa32.exe 103 PID 2400 wrote to memory of 4804 2400 Klpjad32.exe 104 PID 2400 wrote to memory of 4804 2400 Klpjad32.exe 104 PID 2400 wrote to memory of 4804 2400 Klpjad32.exe 104 PID 4804 wrote to memory of 4840 4804 Klgqabib.exe 105 PID 4804 wrote to memory of 4840 4804 Klgqabib.exe 105 PID 4804 wrote to memory of 4840 4804 Klgqabib.exe 105 PID 4840 wrote to memory of 5028 4840 Llngbabj.exe 106 PID 4840 wrote to memory of 5028 4840 Llngbabj.exe 106 PID 4840 wrote to memory of 5028 4840 Llngbabj.exe 106 PID 5028 wrote to memory of 636 5028 Mcoepkdo.exe 107 PID 5028 wrote to memory of 636 5028 Mcoepkdo.exe 107 PID 5028 wrote to memory of 636 5028 Mcoepkdo.exe 107 PID 636 wrote to memory of 1456 636 Obfhmd32.exe 108 PID 636 wrote to memory of 1456 636 Obfhmd32.exe 108 PID 636 wrote to memory of 1456 636 Obfhmd32.exe 108 PID 1456 wrote to memory of 4524 1456 Piceflpi.exe 109 PID 1456 wrote to memory of 4524 1456 Piceflpi.exe 109 PID 1456 wrote to memory of 4524 1456 Piceflpi.exe 109 PID 4524 wrote to memory of 4872 4524 Qkdohg32.exe 110 PID 4524 wrote to memory of 4872 4524 Qkdohg32.exe 110 PID 4524 wrote to memory of 4872 4524 Qkdohg32.exe 110 PID 4872 wrote to memory of 1868 4872 Amkabind.exe 111 PID 4872 wrote to memory of 1868 4872 Amkabind.exe 111 PID 4872 wrote to memory of 1868 4872 Amkabind.exe 111 PID 1868 wrote to memory of 4996 1868 Abgjkpll.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.757af56c36628883b1a584a52dbd5460.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.757af56c36628883b1a584a52dbd5460.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Acccdj32.exeC:\Windows\system32\Acccdj32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\Cpogkhnl.exeC:\Windows\system32\Cpogkhnl.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Dkkaiphj.exeC:\Windows\system32\Dkkaiphj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Dcnlnaom.exeC:\Windows\system32\Dcnlnaom.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Fclhpo32.exeC:\Windows\system32\Fclhpo32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Gbhhieao.exeC:\Windows\system32\Gbhhieao.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Gdnjfojj.exeC:\Windows\system32\Gdnjfojj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Hjmodffo.exeC:\Windows\system32\Hjmodffo.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Igjbci32.exeC:\Windows\system32\Igjbci32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Iccpniqp.exeC:\Windows\system32\Iccpniqp.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Jjdokb32.exeC:\Windows\system32\Jjdokb32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Jjnaaa32.exeC:\Windows\system32\Jjnaaa32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Klpjad32.exeC:\Windows\system32\Klpjad32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Klgqabib.exeC:\Windows\system32\Klgqabib.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Llngbabj.exeC:\Windows\system32\Llngbabj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Mcoepkdo.exeC:\Windows\system32\Mcoepkdo.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Obfhmd32.exeC:\Windows\system32\Obfhmd32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Piceflpi.exeC:\Windows\system32\Piceflpi.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Qkdohg32.exeC:\Windows\system32\Qkdohg32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Amkabind.exeC:\Windows\system32\Amkabind.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\Abgjkpll.exeC:\Windows\system32\Abgjkpll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Bfjllnnm.exeC:\Windows\system32\Bfjllnnm.exe23⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Beaecjab.exeC:\Windows\system32\Beaecjab.exe24⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Bpgjpb32.exeC:\Windows\system32\Bpgjpb32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:3348 -
C:\Windows\SysWOW64\Cibkohef.exeC:\Windows\system32\Cibkohef.exe26⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Cleqfb32.exeC:\Windows\system32\Cleqfb32.exe27⤵
- Executes dropped EXE
PID:3728 -
C:\Windows\SysWOW64\Dlncla32.exeC:\Windows\system32\Dlncla32.exe28⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Dpllbp32.exeC:\Windows\system32\Dpllbp32.exe29⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Eennefib.exeC:\Windows\system32\Eennefib.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Emgblc32.exeC:\Windows\system32\Emgblc32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3500 -
C:\Windows\SysWOW64\Ffpcbchm.exeC:\Windows\system32\Ffpcbchm.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Gfjfhbpb.exeC:\Windows\system32\Gfjfhbpb.exe33⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Gcpcgfmi.exeC:\Windows\system32\Gcpcgfmi.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Hdffah32.exeC:\Windows\system32\Hdffah32.exe35⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Iqdmghnp.exeC:\Windows\system32\Iqdmghnp.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Jnmglk32.exeC:\Windows\system32\Jnmglk32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Jfmekm32.exeC:\Windows\system32\Jfmekm32.exe38⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Kagbdenk.exeC:\Windows\system32\Kagbdenk.exe39⤵PID:2112
-
C:\Windows\SysWOW64\Kaioidkh.exeC:\Windows\system32\Kaioidkh.exe40⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Kanidd32.exeC:\Windows\system32\Kanidd32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:3860 -
C:\Windows\SysWOW64\Lajhpbme.exeC:\Windows\system32\Lajhpbme.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Nkpijfgf.exeC:\Windows\system32\Nkpijfgf.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:3780 -
C:\Windows\SysWOW64\Nkgoke32.exeC:\Windows\system32\Nkgoke32.exe44⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Oacdmo32.exeC:\Windows\system32\Oacdmo32.exe45⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Poagma32.exeC:\Windows\system32\Poagma32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:4028 -
C:\Windows\SysWOW64\Pdpmkhjl.exeC:\Windows\system32\Pdpmkhjl.exe47⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Pdbiphhi.exeC:\Windows\system32\Pdbiphhi.exe48⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Qbmpjkqk.exeC:\Windows\system32\Qbmpjkqk.exe49⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Anijjkbj.exeC:\Windows\system32\Anijjkbj.exe50⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Ankgpk32.exeC:\Windows\system32\Ankgpk32.exe51⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Afdkfh32.exeC:\Windows\system32\Afdkfh32.exe52⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Bpomem32.exeC:\Windows\system32\Bpomem32.exe53⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Beaohcmf.exeC:\Windows\system32\Beaohcmf.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Bpfcelml.exeC:\Windows\system32\Bpfcelml.exe55⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Ciogobcm.exeC:\Windows\system32\Ciogobcm.exe56⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Cldjkl32.exeC:\Windows\system32\Cldjkl32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Dbckcf32.exeC:\Windows\system32\Dbckcf32.exe58⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Dlkplk32.exeC:\Windows\system32\Dlkplk32.exe59⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Dbgdnelk.exeC:\Windows\system32\Dbgdnelk.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Eohhie32.exeC:\Windows\system32\Eohhie32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:5036 -
C:\Windows\SysWOW64\Efampahd.exeC:\Windows\system32\Efampahd.exe62⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Fpnkdfko.exeC:\Windows\system32\Fpnkdfko.exe63⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Fochecog.exeC:\Windows\system32\Fochecog.exe64⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Fcaqka32.exeC:\Windows\system32\Fcaqka32.exe65⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Gchflq32.exeC:\Windows\system32\Gchflq32.exe66⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Geklckkd.exeC:\Windows\system32\Geklckkd.exe67⤵PID:3080
-
C:\Windows\SysWOW64\Hlhaee32.exeC:\Windows\system32\Hlhaee32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3768 -
C:\Windows\SysWOW64\Hhckeeam.exeC:\Windows\system32\Hhckeeam.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3368 -
C:\Windows\SysWOW64\Ioppho32.exeC:\Windows\system32\Ioppho32.exe70⤵PID:4136
-
C:\Windows\SysWOW64\Igpkok32.exeC:\Windows\system32\Igpkok32.exe71⤵PID:2992
-
C:\Windows\SysWOW64\Iiaggc32.exeC:\Windows\system32\Iiaggc32.exe72⤵
- Drops file in System32 directory
PID:1012 -
C:\Windows\SysWOW64\Jmdjha32.exeC:\Windows\system32\Jmdjha32.exe73⤵PID:3944
-
C:\Windows\SysWOW64\Kiodha32.exeC:\Windows\system32\Kiodha32.exe74⤵PID:1320
-
C:\Windows\SysWOW64\Kpilekqj.exeC:\Windows\system32\Kpilekqj.exe75⤵PID:4500
-
C:\Windows\SysWOW64\Kfcdaehf.exeC:\Windows\system32\Kfcdaehf.exe76⤵
- Modifies registry class
PID:4572 -
C:\Windows\SysWOW64\Kmmmnp32.exeC:\Windows\system32\Kmmmnp32.exe77⤵PID:4984
-
C:\Windows\SysWOW64\Kfeagefd.exeC:\Windows\system32\Kfeagefd.exe78⤵PID:2404
-
C:\Windows\SysWOW64\Ljhchc32.exeC:\Windows\system32\Ljhchc32.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Lagepl32.exeC:\Windows\system32\Lagepl32.exe80⤵
- Drops file in System32 directory
PID:1076 -
C:\Windows\SysWOW64\Mfkcibdl.exeC:\Windows\system32\Mfkcibdl.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4828 -
C:\Windows\SysWOW64\Nhafcd32.exeC:\Windows\system32\Nhafcd32.exe82⤵
- Modifies registry class
PID:3584 -
C:\Windows\SysWOW64\Nffceq32.exeC:\Windows\system32\Nffceq32.exe83⤵PID:1324
-
C:\Windows\SysWOW64\Nmpkakak.exeC:\Windows\system32\Nmpkakak.exe84⤵PID:3516
-
C:\Windows\SysWOW64\Ngipjp32.exeC:\Windows\system32\Ngipjp32.exe85⤵
- Modifies registry class
PID:4316 -
C:\Windows\SysWOW64\Npadcfnl.exeC:\Windows\system32\Npadcfnl.exe86⤵
- Drops file in System32 directory
PID:5128 -
C:\Windows\SysWOW64\Oinbgk32.exeC:\Windows\system32\Oinbgk32.exe87⤵PID:5168
-
C:\Windows\SysWOW64\Oknnanhj.exeC:\Windows\system32\Oknnanhj.exe88⤵PID:5220
-
C:\Windows\SysWOW64\Pnenchoc.exeC:\Windows\system32\Pnenchoc.exe89⤵PID:5260
-
C:\Windows\SysWOW64\Phkaqqoi.exeC:\Windows\system32\Phkaqqoi.exe90⤵PID:5296
-
C:\Windows\SysWOW64\Pacfjfej.exeC:\Windows\system32\Pacfjfej.exe91⤵PID:5352
-
C:\Windows\SysWOW64\Qdihfq32.exeC:\Windows\system32\Qdihfq32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5404 -
C:\Windows\SysWOW64\Agqhik32.exeC:\Windows\system32\Agqhik32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5456 -
C:\Windows\SysWOW64\Bjkcqdje.exeC:\Windows\system32\Bjkcqdje.exe94⤵
- Modifies registry class
PID:5516 -
C:\Windows\SysWOW64\Calbnnkj.exeC:\Windows\system32\Calbnnkj.exe95⤵PID:5568
-
C:\Windows\SysWOW64\Ebnddn32.exeC:\Windows\system32\Ebnddn32.exe96⤵PID:5612
-
C:\Windows\SysWOW64\Gammbfqa.exeC:\Windows\system32\Gammbfqa.exe97⤵PID:5656
-
C:\Windows\SysWOW64\Hkjjfkcm.exeC:\Windows\system32\Hkjjfkcm.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5700 -
C:\Windows\SysWOW64\Iibaeb32.exeC:\Windows\system32\Iibaeb32.exe99⤵PID:5752
-
C:\Windows\SysWOW64\Icmbcg32.exeC:\Windows\system32\Icmbcg32.exe100⤵PID:5816
-
C:\Windows\SysWOW64\Ileflmpb.exeC:\Windows\system32\Ileflmpb.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5860 -
C:\Windows\SysWOW64\Iabodcnj.exeC:\Windows\system32\Iabodcnj.exe102⤵PID:5904
-
C:\Windows\SysWOW64\Ikjcmi32.exeC:\Windows\system32\Ikjcmi32.exe103⤵PID:5956
-
C:\Windows\SysWOW64\Ihndgmdd.exeC:\Windows\system32\Ihndgmdd.exe104⤵PID:6000
-
C:\Windows\SysWOW64\Jbghpc32.exeC:\Windows\system32\Jbghpc32.exe105⤵PID:6120
-
C:\Windows\SysWOW64\Joaojf32.exeC:\Windows\system32\Joaojf32.exe106⤵PID:5184
-
C:\Windows\SysWOW64\Kfpqap32.exeC:\Windows\system32\Kfpqap32.exe107⤵PID:5368
-
C:\Windows\SysWOW64\Lcpqgbkj.exeC:\Windows\system32\Lcpqgbkj.exe108⤵PID:5608
-
C:\Windows\SysWOW64\Mbamcm32.exeC:\Windows\system32\Mbamcm32.exe109⤵PID:5684
-
C:\Windows\SysWOW64\Ncecioib.exeC:\Windows\system32\Ncecioib.exe110⤵
- Modifies registry class
PID:4356 -
C:\Windows\SysWOW64\Nboiekjd.exeC:\Windows\system32\Nboiekjd.exe111⤵
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Odelpm32.exeC:\Windows\system32\Odelpm32.exe112⤵PID:2056
-
C:\Windows\SysWOW64\Omnqhbap.exeC:\Windows\system32\Omnqhbap.exe113⤵PID:5852
-
C:\Windows\SysWOW64\Okaabg32.exeC:\Windows\system32\Okaabg32.exe114⤵PID:5924
-
C:\Windows\SysWOW64\Pmipdq32.exeC:\Windows\system32\Pmipdq32.exe115⤵PID:5984
-
C:\Windows\SysWOW64\Pcfhlh32.exeC:\Windows\system32\Pcfhlh32.exe116⤵
- Drops file in System32 directory
PID:6060 -
C:\Windows\SysWOW64\Akgcdc32.exeC:\Windows\system32\Akgcdc32.exe117⤵
- Drops file in System32 directory
PID:6032 -
C:\Windows\SysWOW64\Blabakle.exeC:\Windows\system32\Blabakle.exe118⤵PID:5228
-
C:\Windows\SysWOW64\Cdbmifdl.exeC:\Windows\system32\Cdbmifdl.exe119⤵PID:2436
-
C:\Windows\SysWOW64\Cqmgigfk.exeC:\Windows\system32\Cqmgigfk.exe120⤵PID:5204
-
C:\Windows\SysWOW64\Ccldebeo.exeC:\Windows\system32\Ccldebeo.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1800
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-