Analysis
- max time kernel: 88s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-11-2023 14:15
Static task
- static1: 1 signatures
Behavioral task
- behavioral1
  Sample: NEAS.97b1f91a4ab8892e35124c1f3d2b3180.exe
  Resource: win7-20231025-en (windows7-x64)
  6 signatures, 150 seconds
Behavioral task
- behavioral2
  Sample: NEAS.97b1f91a4ab8892e35124c1f3d2b3180.exe
  Resource: win10v2004-20231023-en (windows10-2004-x64)
  6 signatures, 150 seconds
General
- Target: NEAS.97b1f91a4ab8892e35124c1f3d2b3180.exe
- Size: 1.7MB
- MD5: 97b1f91a4ab8892e35124c1f3d2b3180
- SHA1: 02b4525781ec14824193b3e2b452af1e7f78fa4c
- SHA256: 673d9a39d618846371ebd5519296611648c2563cebce2baa8c4b4899ed305962
- SHA512: 96e92d14ed59c98c334db4ad13f6dcdc78e24d7afc83cbd17be517ae4e5a47fe477a044d1f3db801db692ff4fc5838f7ac5df11ce048c2c34be649c35e291f9b
- SSDEEP: 24576:w/jSBq5h3q5hL6X1q5h3q5hM5Dgq5h3q5hL6X1q5h3q5h:l6KI6
Score: 10/10
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (1 IoC)
  pid: 7904, pid_target: 4924, Process: WerFault.exe, procid_target: 930
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
Format: depth⤵ PID image path : signatures. Each depth-N process is spawned by the depth-(N-1) process directly above it. Every dropped EXE is launched with the command line C:\Windows\system32\<name> and no arguments; the image path resolves to C:\Windows\SysWOW64\<name> because the 32-bit chain runs under WOW64 file-system redirection.
1⤵ PID:1552 C:\Users\Admin\AppData\Local\Temp\NEAS.97b1f91a4ab8892e35124c1f3d2b3180.exe (command line "C:\Users\Admin\AppData\Local\Temp\NEAS.97b1f91a4ab8892e35124c1f3d2b3180.exe") : Suspicious use of WriteProcessMemory
2⤵ PID:3856 C:\Windows\SysWOW64\Iencmm32.exe : Executes dropped EXE; Suspicious use of WriteProcessMemory
3⤵ PID:1816 C:\Windows\SysWOW64\Jdjfohjg.exe : Executes dropped EXE; Suspicious use of WriteProcessMemory
4⤵ PID:2824 C:\Windows\SysWOW64\Jjnaaa32.exe : Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
5⤵ PID:820 C:\Windows\SysWOW64\Leoejh32.exe : Executes dropped EXE; Suspicious use of WriteProcessMemory
6⤵ PID:2204 C:\Windows\SysWOW64\Lolcnman.exe : Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
7⤵ PID:1468 C:\Windows\SysWOW64\Mahklf32.exe : Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
8⤵ PID:4932 C:\Windows\SysWOW64\Ohcmpn32.exe : Executes dropped EXE; Suspicious use of WriteProcessMemory
9⤵ PID:3132 C:\Windows\SysWOW64\Oflfdbip.exe : Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
10⤵ PID:2108 C:\Windows\SysWOW64\Piaiqlak.exe : Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
11⤵ PID:3420 C:\Windows\SysWOW64\Alkeifga.exe : Executes dropped EXE; Suspicious use of WriteProcessMemory
12⤵ PID:632 C:\Windows\SysWOW64\Bpbpecen.exe : Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
13⤵ PID:4736 C:\Windows\SysWOW64\Cdebfago.exe : Executes dropped EXE; Suspicious use of WriteProcessMemory
14⤵ PID:2604 C:\Windows\SysWOW64\Cdnelpod.exe : Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
15⤵ PID:3972 C:\Windows\SysWOW64\Dbhlikpf.exe : Executes dropped EXE; Suspicious use of WriteProcessMemory
16⤵ PID:3396 C:\Windows\SysWOW64\Eebgqe32.exe : Executes dropped EXE; Suspicious use of WriteProcessMemory
17⤵ PID:1352 C:\Windows\SysWOW64\Fnnimbaj.exe : Executes dropped EXE; Suspicious use of WriteProcessMemory
18⤵ PID:816 C:\Windows\SysWOW64\Fjjcmbci.exe : Executes dropped EXE; Suspicious use of WriteProcessMemory
19⤵ PID:1396 C:\Windows\SysWOW64\Gjcfcakn.exe : Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
20⤵ PID:4236 C:\Windows\SysWOW64\Hnehdo32.exe : Executes dropped EXE; Suspicious use of WriteProcessMemory
21⤵ PID:3432 C:\Windows\SysWOW64\Imdgljil.exe : Executes dropped EXE; Suspicious use of WriteProcessMemory
22⤵ PID:3604 C:\Windows\SysWOW64\Imiagi32.exe : Executes dropped EXE; Suspicious use of WriteProcessMemory
23⤵ PID:3100 C:\Windows\SysWOW64\Jelhcd32.exe : Executes dropped EXE
24⤵ PID:4128 C:\Windows\SysWOW64\Jmijnfgd.exe : Executes dropped EXE
25⤵ PID:1124 C:\Windows\SysWOW64\Kdjhkp32.exe : Executes dropped EXE
26⤵ PID:2172 C:\Windows\SysWOW64\Ldanloba.exe : Executes dropped EXE; Drops file in System32 directory
27⤵ PID:3796 C:\Windows\SysWOW64\Ldhdlnli.exe : Executes dropped EXE; Modifies registry class
28⤵ PID:3004 C:\Windows\SysWOW64\Mdagbl32.exe : Executes dropped EXE; Drops file in System32 directory
29⤵ PID:3992 C:\Windows\SysWOW64\Nejgbn32.exe : Executes dropped EXE
30⤵ PID:980 C:\Windows\SysWOW64\Onhhmpoo.exe : Executes dropped EXE
31⤵ PID:2524 C:\Windows\SysWOW64\Pgcbbc32.exe : Executes dropped EXE
32⤵ PID:2884 C:\Windows\SysWOW64\Qomghp32.exe : Executes dropped EXE
33⤵ PID:5048 C:\Windows\SysWOW64\Adqeaf32.exe : Executes dropped EXE; Drops file in System32 directory; Modifies registry class
34⤵ PID:3848 C:\Windows\SysWOW64\Bkfmjnii.exe : Executes dropped EXE; Drops file in System32 directory; Modifies registry class
35⤵ PID:2396 C:\Windows\SysWOW64\Beobcdoi.exe : Executes dropped EXE
36⤵ PID:4740 C:\Windows\SysWOW64\Cpklql32.exe : Executes dropped EXE
37⤵ PID:996 C:\Windows\SysWOW64\Cldjkl32.exe : Executes dropped EXE; Modifies registry class
38⤵ PID:3040 C:\Windows\SysWOW64\Dngobghg.exe : Executes dropped EXE
39⤵ PID:4556 C:\Windows\SysWOW64\Dehnpp32.exe : Executes dropped EXE; Modifies registry class
40⤵ PID:2288 C:\Windows\SysWOW64\Eifffoob.exe : Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
41⤵ PID:3340 C:\Windows\SysWOW64\Eflceb32.exe : Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
42⤵ PID:5100 C:\Windows\SysWOW64\Ellicihn.exe : Executes dropped EXE
43⤵ PID:524 C:\Windows\SysWOW64\Epiaig32.exe : Executes dropped EXE
44⤵ PID:3556 C:\Windows\SysWOW64\Fghcqq32.exe : Executes dropped EXE; Drops file in System32 directory
45⤵ PID:3988 C:\Windows\SysWOW64\Flghognq.exe : Executes dropped EXE; Drops file in System32 directory
46⤵ PID:3560 C:\Windows\SysWOW64\Gccmaack.exe : Executes dropped EXE; Modifies registry class
47⤵ PID:4572 C:\Windows\SysWOW64\Gedfblql.exe : Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
48⤵ PID:3832 C:\Windows\SysWOW64\Gplged32.exe : Executes dropped EXE
49⤵ PID:2120 C:\Windows\SysWOW64\Hpcmfchg.exe : Executes dropped EXE
50⤵ PID:4824 C:\Windows\SysWOW64\Hcdfho32.exe : Executes dropped EXE
51⤵ PID:2856 C:\Windows\SysWOW64\Hgbonm32.exe : Executes dropped EXE
52⤵ PID:2088 C:\Windows\SysWOW64\Ioppho32.exe : Executes dropped EXE
53⤵ PID:1548 C:\Windows\SysWOW64\Iobmmoed.exe : Executes dropped EXE; Drops file in System32 directory
54⤵ PID:1192 C:\Windows\SysWOW64\Iqaiga32.exe : Executes dropped EXE
55⤵ PID:3720 C:\Windows\SysWOW64\Imhjlb32.exe : Executes dropped EXE
56⤵ PID:4544 C:\Windows\SysWOW64\Iqfcbahb.exe : Executes dropped EXE; Modifies registry class
57⤵ PID:2408 C:\Windows\SysWOW64\Jggapj32.exe : Executes dropped EXE
58⤵ PID:664 C:\Windows\SysWOW64\Jqofippg.exe : Executes dropped EXE
59⤵ PID:2072 C:\Windows\SysWOW64\Kmhccpci.exe : Executes dropped EXE
60⤵ PID:4428 C:\Windows\SysWOW64\Kjlcmdbb.exe : Executes dropped EXE; Drops file in System32 directory; Modifies registry class
61⤵ PID:4768 C:\Windows\SysWOW64\Kmpido32.exe : Executes dropped EXE
62⤵ PID:2864 C:\Windows\SysWOW64\Kanbjn32.exe : Executes dropped EXE
63⤵ PID:2216 C:\Windows\SysWOW64\Lapopm32.exe : Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
64⤵ PID:3872 C:\Windows\SysWOW64\Ljhchc32.exe : Executes dropped EXE
65⤵ PID:3756 C:\Windows\SysWOW64\Limpiomm.exe : Executes dropped EXE; Modifies registry class
66⤵ PID:468 C:\Windows\SysWOW64\Lipmoo32.exe
67⤵ PID:3168 C:\Windows\SysWOW64\Lfcmhc32.exe
68⤵ PID:4360 C:\Windows\SysWOW64\Lplaaiqd.exe
69⤵ PID:4832 C:\Windows\SysWOW64\Mfhgcbfo.exe
70⤵ PID:392 C:\Windows\SysWOW64\Miipencp.exe : Adds autorun key to be loaded by Explorer.exe on startup
71⤵ PID:404 C:\Windows\SysWOW64\Mhoind32.exe
72⤵ PID:1632 C:\Windows\SysWOW64\Nmlafk32.exe
73⤵ PID:4596 C:\Windows\SysWOW64\Nkpbpp32.exe : Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
74⤵ PID:3208 C:\Windows\SysWOW64\Nhcbidcd.exe : Drops file in System32 directory; Modifies registry class
75⤵ PID:4296 C:\Windows\SysWOW64\Ndjcne32.exe : Modifies registry class
76⤵ PID:4376 C:\Windows\SysWOW64\Nandhi32.exe : Adds autorun key to be loaded by Explorer.exe on startup
77⤵ PID:1048 C:\Windows\SysWOW64\Nmedmj32.exe
78⤵ PID:3008 C:\Windows\SysWOW64\Oileakbj.exe
79⤵ PID:1988 C:\Windows\SysWOW64\Okkalnjm.exe : Drops file in System32 directory
80⤵ PID:3532 C:\Windows\SysWOW64\Odfcjc32.exe : Modifies registry class
81⤵ PID:4708 C:\Windows\SysWOW64\Ohdlpa32.exe : Drops file in System32 directory; Modifies registry class
82⤵ PID:4168 C:\Windows\SysWOW64\Onqdhh32.exe
83⤵ PID:5132 C:\Windows\SysWOW64\Pacfjfej.exe
84⤵ PID:5192 C:\Windows\SysWOW64\Pnjgog32.exe
85⤵ PID:5232 C:\Windows\SysWOW64\Phpklp32.exe
86⤵ PID:5288 C:\Windows\SysWOW64\Qpkppbho.exe
87⤵ PID:5344 C:\Windows\SysWOW64\Qkqdnkge.exe
88⤵ PID:5384 C:\Windows\SysWOW64\Qggebl32.exe
89⤵ PID:5428 C:\Windows\SysWOW64\Aaofedkl.exe
90⤵ PID:5472 C:\Windows\SysWOW64\Anffje32.exe
91⤵ PID:5516 C:\Windows\SysWOW64\Akjgdjoj.exe
92⤵ PID:5556 C:\Windows\SysWOW64\Aklciimh.exe
93⤵ PID:5600 C:\Windows\SysWOW64\Bqkigp32.exe
94⤵ PID:5644 C:\Windows\SysWOW64\Bqnemp32.exe
95⤵ PID:5688 C:\Windows\SysWOW64\Bkefphem.exe
96⤵ PID:5736 C:\Windows\SysWOW64\Cjomldfp.exe
97⤵ PID:5792 C:\Windows\SysWOW64\Cgcmeh32.exe
98⤵ PID:5844 C:\Windows\SysWOW64\Dlhlleeh.exe
99⤵ PID:5884 C:\Windows\SysWOW64\Dgaiffii.exe : Drops file in System32 directory
100⤵ PID:5924 C:\Windows\SysWOW64\Diafqi32.exe : Modifies registry class
101⤵ PID:5976 C:\Windows\SysWOW64\Dalkek32.exe
102⤵ PID:6032 C:\Windows\SysWOW64\Ejkenpnp.exe
103⤵ PID:6076 C:\Windows\SysWOW64\Fkbkoo32.exe : Drops file in System32 directory
104⤵ PID:6140 C:\Windows\SysWOW64\Flgadake.exe
105⤵ PID:5168 C:\Windows\SysWOW64\Gahcgg32.exe : Drops file in System32 directory
106⤵ PID:5252 C:\Windows\SysWOW64\Giddddad.exe
107⤵ PID:5340 C:\Windows\SysWOW64\Gaoihfoo.exe
108⤵ PID:5416 C:\Windows\SysWOW64\Haafnf32.exe : Modifies registry class
109⤵ PID:5480 C:\Windows\SysWOW64\Hcabhido.exe
110⤵ PID:5548 C:\Windows\SysWOW64\Hohcmjic.exe
111⤵ PID:5624 C:\Windows\SysWOW64\Hojpbigq.exe
112⤵ PID:5672 C:\Windows\SysWOW64\Hlnqln32.exe
113⤵ PID:5780 C:\Windows\SysWOW64\Icjengld.exe
114⤵ PID:5852 C:\Windows\SysWOW64\Ieknpb32.exe
115⤵ PID:5904 C:\Windows\SysWOW64\Ijigfaol.exe : Drops file in System32 directory
116⤵ PID:5992 C:\Windows\SysWOW64\Iofpnhmc.exe
117⤵ PID:6088 C:\Windows\SysWOW64\Iljpgl32.exe
118⤵ PID:4052 C:\Windows\SysWOW64\Jllmml32.exe
119⤵ PID:5228 C:\Windows\SysWOW64\Jfdafa32.exe
120⤵ PID:5372 C:\Windows\SysWOW64\Jlafhkfe.exe
121⤵ PID:5664 C:\Windows\SysWOW64\Kbgafqla.exe
122⤵ PID:5892 C:\Windows\SysWOW64\Kfggbope.exe : Drops file in System32 directory
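The "wrote to memory" records and the Processes tree above describe the same spawn chain twice: each record names the parent PID, the child PID and the parent image, and the tree names every PID's image at its depth. The following script is an added example, not part of the sandbox report or its tooling: it parses the flattened records (format inferred from the lines on this page), collapses the three identical records the sandbox emits per spawn into one edge, walks the edges into a single parent-to-child chain, and checks each edge against the tree so a PID mix-up or a forked chain is caught rather than silently producing a wrong timeline. The embedded data is a slice of the chain copied from the report (depths 12 to 18); the rest of the report can be pasted in the same way.

```python
"""Rebuild a parent -> child spawn chain from a sandbox report's flattened
"Suspicious use of WriteProcessMemory" records and cross-check it against
the report's Processes tree.  Added example; not the sandbox's own code."""
import re

# Copied from the report's WriteProcessMemory records (depths 12 to 18).
# The sandbox repeats each spawn three times, one line per write into the child.
WRITE_RECORDS = """
PID 632 wrote to memory of 4736 632 Bpbpecen.exe 105
PID 4736 wrote to memory of 2604 4736 Cdebfago.exe 106
PID 4736 wrote to memory of 2604 4736 Cdebfago.exe 106
PID 4736 wrote to memory of 2604 4736 Cdebfago.exe 106
PID 2604 wrote to memory of 3972 2604 Cdnelpod.exe 107
PID 2604 wrote to memory of 3972 2604 Cdnelpod.exe 107
PID 2604 wrote to memory of 3972 2604 Cdnelpod.exe 107
PID 3972 wrote to memory of 3396 3972 Dbhlikpf.exe 108
PID 3972 wrote to memory of 3396 3972 Dbhlikpf.exe 108
PID 3972 wrote to memory of 3396 3972 Dbhlikpf.exe 108
PID 3396 wrote to memory of 1352 3396 Eebgqe32.exe 109
PID 3396 wrote to memory of 1352 3396 Eebgqe32.exe 109
PID 3396 wrote to memory of 1352 3396 Eebgqe32.exe 109
PID 1352 wrote to memory of 816 1352 Fnnimbaj.exe 110
PID 1352 wrote to memory of 816 1352 Fnnimbaj.exe 110
PID 1352 wrote to memory of 816 1352 Fnnimbaj.exe 110
"""

# Copied from the report's Processes tree: PID -> image name for the same slice.
PROCESS_TREE = {
    632: "Bpbpecen.exe", 4736: "Cdebfago.exe", 2604: "Cdnelpod.exe",
    3972: "Dbhlikpf.exe", 3396: "Eebgqe32.exe", 1352: "Fnnimbaj.exe",
    816: "Fjjcmbci.exe",
}

# Record layout as it appears on the page (an inferred format, not a documented one):
# "PID <parent> wrote to memory of <child> <parent> <parent image> <event index>"
RECORD_RE = re.compile(
    r"PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) (?P<ppid2>\d+) "
    r"(?P<image>\S+) (?P<idx>\d+)")


def parse_records(text):
    """Return de-duplicated (parent_pid, child_pid, parent_image) edges in report order."""
    edges = {}
    for m in RECORD_RE.finditer(text):
        if m["ppid"] != m["ppid2"]:  # the parent PID is printed twice; they must agree
            raise ValueError("malformed record: " + m.group(0))
        edges.setdefault((int(m["ppid"]), int(m["cpid"])), m["image"])
    return [(p, c, img) for (p, c), img in edges.items()]


def build_chain(edges):
    """Walk parent -> child edges from the one PID that is never a child.
    Raises if the edges do not form a single linear chain (fork or cycle)."""
    child_of = {}
    for p, c, _ in edges:
        if p in child_of:
            raise ValueError("PID %d spawns more than one child" % p)
        child_of[p] = c
    roots = [p for p in child_of if p not in child_of.values()]
    if len(roots) != 1:
        raise ValueError("expected one root, found %r" % roots)
    chain = [roots[0]]
    while chain[-1] in child_of:
        nxt = child_of[chain[-1]]
        if nxt in chain:
            raise ValueError("cycle at PID %d" % nxt)
        chain.append(nxt)
    return chain


def mismatches(edges, tree):
    """Edges whose parent image disagrees with the Processes tree, or whose
    child PID the tree does not list at all."""
    return [(p, c, img) for p, c, img in edges
            if tree.get(p) != img or c not in tree]


def describe_chain(edges, tree):
    """The chain as 'image(pid)' strings, ready for an incident timeline."""
    return ["%s(%d)" % (tree.get(pid, "?"), pid) for pid in build_chain(edges)]


if __name__ == "__main__":
    e = parse_records(WRITE_RECORDS)
    print(" -> ".join(describe_chain(e, PROCESS_TREE)))
    print("mismatches:", mismatches(e, PROCESS_TREE))
```

Because the sandbox only prints the parent image in each record, the child's image comes from the tree; `mismatches` therefore also flags a child PID that the tree never lists, which is the usual symptom of a report truncated at its IoC cap.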