Analysis
Max time kernel: 165s
Max time network: 183s
Platform: windows10-2004_x64
Resource: win10v2004-20231023-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01/11/2023, 14:20
Static task static1: 1 signature
Behavioral task behavioral1: sample NEAS.d2fa40f40beb54eaabf7d9bc42562dc0.exe, resource win7-20231020-en, 7 signatures, 150 seconds
Behavioral task behavioral2: sample NEAS.d2fa40f40beb54eaabf7d9bc42562dc0.exe, resource win10v2004-20231023-en, 5 signatures, 150 seconds
General
Target: NEAS.d2fa40f40beb54eaabf7d9bc42562dc0.exe
Size: 62KB
MD5: d2fa40f40beb54eaabf7d9bc42562dc0
SHA1: 7654cb5d547d58625e3ce286c2c1fa2388c3e79a
SHA256: f47de5f27428b075c71de009473b3c17bb92cb49e1128a59b9cdc2c2c53cfad4
SHA512: 1afbf1122e89178296d2030ea554b7086c872eddb77bf348ab85241bea21b9425ea08092d28ee90bdac03f5a0eead6da05293cf3b2f91bc8adcf601fccb443d0
SSDEEP: 1536:oS9WbiT8yy+cq2NiNFWaDh9OdSiDqtJUGLwI9l3zYY:EiXyc2UPJh9GugGLwIvzh
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\NEAS.d2fa40f40beb54eaabf7d9bc42562dc0.exe (PID 1796; command line "C:\Users\Admin\AppData\Local\Temp\NEAS.d2fa40f40beb54eaabf7d9bc42562dc0.exe")
  - Suspicious use of WriteProcessMemory
Level 2: C:\Windows\SysWOW64\Ogbbqo32.exe (PID 3224; command line C:\Windows\system32\Ogbbqo32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Level 3: C:\Windows\SysWOW64\Opjgidfa.exe (PID 2812; command line C:\Windows\system32\Opjgidfa.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 4: C:\Windows\SysWOW64\Okpkgm32.exe (PID 3812; command line C:\Windows\system32\Okpkgm32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
Level 5: C:\Windows\SysWOW64\Oajccgmd.exe (PID 3624; command line C:\Windows\system32\Oajccgmd.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 6: C:\Windows\SysWOW64\Okbhlm32.exe (PID 3092; command line C:\Windows\system32\Okbhlm32.exe)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Level 7: C:\Windows\SysWOW64\Oalpigkb.exe (PID 3384; command line C:\Windows\system32\Oalpigkb.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
Level 8: C:\Windows\SysWOW64\Pgihanii.exe (PID 4216; command line C:\Windows\system32\Pgihanii.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 9: C:\Windows\SysWOW64\Pnenchoc.exe (PID 2920; command line C:\Windows\system32\Pnenchoc.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 10: C:\Windows\SysWOW64\Pkinmlnm.exe (PID 2304; command line C:\Windows\system32\Pkinmlnm.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 11: C:\Windows\SysWOW64\Pgpobmca.exe (PID 1720; command line C:\Windows\system32\Pgpobmca.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 12: C:\Windows\SysWOW64\Pnlcdg32.exe (PID 1356; command line C:\Windows\system32\Pnlcdg32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 13: C:\Windows\SysWOW64\Qjeaog32.exe (PID 3128; command line C:\Windows\system32\Qjeaog32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 14: C:\Windows\SysWOW64\Aqpika32.exe (PID 4452; command line C:\Windows\system32\Aqpika32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 15: C:\Windows\SysWOW64\Ancjef32.exe (PID 4508; command line C:\Windows\system32\Ancjef32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 16: C:\Windows\SysWOW64\Ahinbo32.exe (PID 456; command line C:\Windows\system32\Ahinbo32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 17: C:\Windows\SysWOW64\Aqdbfa32.exe (PID 4812; command line C:\Windows\system32\Aqdbfa32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 18: C:\Windows\SysWOW64\Anhcpeon.exe (PID 4884; command line C:\Windows\system32\Anhcpeon.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Level 19: C:\Windows\SysWOW64\Agqhik32.exe (PID 3584; command line C:\Windows\system32\Agqhik32.exe)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 20: C:\Windows\SysWOW64\Aqilaplo.exe (command line C:\Windows\system32\Aqilaplo.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Anmmkd32.exeC:\Windows\system32\Anmmkd32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Bhennm32.exeC:\Windows\system32\Bhennm32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Bjfjee32.exeC:\Windows\system32\Bjfjee32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Bhgjcmfi.exeC:\Windows\system32\Bhgjcmfi.exe24⤵
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Bdnkhn32.exeC:\Windows\system32\Bdnkhn32.exe25⤵
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\Bbbkbbkg.exeC:\Windows\system32\Bbbkbbkg.exe26⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Bilcol32.exeC:\Windows\system32\Bilcol32.exe27⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Bjmpfdhb.exeC:\Windows\system32\Bjmpfdhb.exe28⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Cebdcmhh.exeC:\Windows\system32\Cebdcmhh.exe29⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Cgaqphgl.exeC:\Windows\system32\Cgaqphgl.exe30⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Ckmeag32.exeC:\Windows\system32\Ckmeag32.exe30⤵
- Modifies registry class
PID:4300 -
C:\Windows\SysWOW64\Cipemdqa.exeC:\Windows\system32\Cipemdqa.exe31⤵
- Modifies registry class
PID:5432 -
C:\Windows\SysWOW64\Cagmnaad.exeC:\Windows\system32\Cagmnaad.exe32⤵
- Modifies registry class
PID:5692 -
C:\Windows\SysWOW64\Cpjmjn32.exeC:\Windows\system32\Cpjmjn32.exe33⤵PID:4408
-
C:\Windows\SysWOW64\Ckpagg32.exeC:\Windows\system32\Ckpagg32.exe34⤵
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Cibabdno.exeC:\Windows\system32\Cibabdno.exe35⤵PID:1652
-
C:\Windows\SysWOW64\Cdhfpm32.exeC:\Windows\system32\Cdhfpm32.exe36⤵PID:6360
-
C:\Windows\SysWOW64\Dkidme32.exeC:\Windows\system32\Dkidme32.exe37⤵PID:1720
-
C:\Windows\SysWOW64\Dildibfd.exeC:\Windows\system32\Dildibfd.exe38⤵PID:1276
-
C:\Windows\SysWOW64\Dacmjpgf.exeC:\Windows\system32\Dacmjpgf.exe39⤵
- Modifies registry class
PID:5308 -
C:\Windows\SysWOW64\Ddaifk32.exeC:\Windows\system32\Ddaifk32.exe40⤵PID:6004
-
C:\Windows\SysWOW64\Dgpebf32.exeC:\Windows\system32\Dgpebf32.exe41⤵PID:4412
-
C:\Windows\SysWOW64\Dinanb32.exeC:\Windows\system32\Dinanb32.exe42⤵PID:6588
-
C:\Windows\SysWOW64\Daeioo32.exeC:\Windows\system32\Daeioo32.exe43⤵PID:1792
-
C:\Windows\SysWOW64\Dphikllo.exeC:\Windows\system32\Dphikllo.exe44⤵PID:6512
-
C:\Windows\SysWOW64\Dcffggkb.exeC:\Windows\system32\Dcffggkb.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3500 -
C:\Windows\SysWOW64\Dknnhekd.exeC:\Windows\system32\Dknnhekd.exe46⤵PID:6756
-
C:\Windows\SysWOW64\Diqnda32.exeC:\Windows\system32\Diqnda32.exe47⤵PID:5364
-
C:\Windows\SysWOW64\Dagfeo32.exeC:\Windows\system32\Dagfeo32.exe48⤵PID:1308
-
C:\Windows\SysWOW64\Dpjfqljl.exeC:\Windows\system32\Dpjfqljl.exe49⤵PID:6796
-
C:\Windows\SysWOW64\Dcibmgip.exeC:\Windows\system32\Dcibmgip.exe50⤵PID:4772
-
C:\Windows\SysWOW64\Djckiapl.exeC:\Windows\system32\Djckiapl.exe51⤵
- Modifies registry class
PID:6892 -
C:\Windows\SysWOW64\Dnnfjp32.exeC:\Windows\system32\Dnnfjp32.exe52⤵
- Drops file in System32 directory
PID:5068 -
C:\Windows\SysWOW64\Dpmcfk32.exeC:\Windows\system32\Dpmcfk32.exe53⤵PID:5412
-
C:\Windows\SysWOW64\Djegoanj.exeC:\Windows\system32\Djegoanj.exe54⤵PID:2224
-
C:\Windows\SysWOW64\Ealopnol.exeC:\Windows\system32\Ealopnol.exe55⤵PID:4040
-
C:\Windows\SysWOW64\Ecnlhf32.exeC:\Windows\system32\Ecnlhf32.exe56⤵
- Modifies registry class
PID:4340 -
C:\Windows\SysWOW64\Ekddidel.exeC:\Windows\system32\Ekddidel.exe57⤵PID:7008
-
C:\Windows\SysWOW64\Eaolen32.exeC:\Windows\system32\Eaolen32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2128 -
C:\Windows\SysWOW64\Ecphmfbg.exeC:\Windows\system32\Ecphmfbg.exe59⤵PID:1020
-
C:\Windows\SysWOW64\Ekgqnccj.exeC:\Windows\system32\Ekgqnccj.exe60⤵
- Drops file in System32 directory
PID:6968 -
C:\Windows\SysWOW64\Eaaikn32.exeC:\Windows\system32\Eaaikn32.exe61⤵
- Modifies registry class
PID:7156 -
C:\Windows\SysWOW64\Ekimdc32.exeC:\Windows\system32\Ekimdc32.exe62⤵PID:5048
-
C:\Windows\SysWOW64\Edaamihh.exeC:\Windows\system32\Edaamihh.exe63⤵
- Modifies registry class
PID:3912 -
C:\Windows\SysWOW64\Ekljic32.exeC:\Windows\system32\Ekljic32.exe64⤵PID:6096
-
C:\Windows\SysWOW64\Egbkodei.exeC:\Windows\system32\Egbkodei.exe65⤵PID:4612
-
C:\Windows\SysWOW64\Faholm32.exeC:\Windows\system32\Faholm32.exe66⤵
- Modifies registry class
PID:5244 -
C:\Windows\SysWOW64\Fkpcdbko.exeC:\Windows\system32\Fkpcdbko.exe67⤵PID:1188
-
C:\Windows\SysWOW64\Fnopqnjc.exeC:\Windows\system32\Fnopqnjc.exe68⤵
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Fcneod32.exeC:\Windows\system32\Fcneod32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5324 -
C:\Windows\SysWOW64\Hkjoao32.exeC:\Windows\system32\Hkjoao32.exe70⤵PID:3092
-
C:\Windows\SysWOW64\Hbdgnilo.exeC:\Windows\system32\Hbdgnilo.exe71⤵PID:7044
-
C:\Windows\SysWOW64\Haghje32.exeC:\Windows\system32\Haghje32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5544 -
C:\Windows\SysWOW64\Hkllgnco.exeC:\Windows\system32\Hkllgnco.exe73⤵PID:1508
-
C:\Windows\SysWOW64\Hnkhcjbc.exeC:\Windows\system32\Hnkhcjbc.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1324 -
C:\Windows\SysWOW64\Hchqlqpj.exeC:\Windows\system32\Hchqlqpj.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6200 -
C:\Windows\SysWOW64\Hkohmnal.exeC:\Windows\system32\Hkohmnal.exe76⤵
- Modifies registry class
PID:8 -
C:\Windows\SysWOW64\Halaeeod.exeC:\Windows\system32\Halaeeod.exe77⤵PID:1300
-
C:\Windows\SysWOW64\Ilcbhm32.exeC:\Windows\system32\Ilcbhm32.exe78⤵PID:5920
-
C:\Windows\SysWOW64\Icoglp32.exeC:\Windows\system32\Icoglp32.exe79⤵PID:1224
-
C:\Windows\SysWOW64\Ijioijao.exeC:\Windows\system32\Ijioijao.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1228 -
C:\Windows\SysWOW64\Ibpgjg32.exeC:\Windows\system32\Ibpgjg32.exe81⤵PID:3916
-
C:\Windows\SysWOW64\Iaedkcgi.exeC:\Windows\system32\Iaedkcgi.exe82⤵PID:5336
-
C:\Windows\SysWOW64\Iccpgofm.exeC:\Windows\system32\Iccpgofm.exe83⤵PID:5848
-
C:\Windows\SysWOW64\Iljhhlgo.exeC:\Windows\system32\Iljhhlgo.exe84⤵PID:5468
-
C:\Windows\SysWOW64\Ibdpefnl.exeC:\Windows\system32\Ibdpefnl.exe85⤵PID:2268
-
C:\Windows\SysWOW64\Iecmabmp.exeC:\Windows\system32\Iecmabmp.exe86⤵PID:6048
-
C:\Windows\SysWOW64\Jbgmkfli.exeC:\Windows\system32\Jbgmkfli.exe87⤵
- Modifies registry class
PID:4244 -
C:\Windows\SysWOW64\Jloacl32.exeC:\Windows\system32\Jloacl32.exe88⤵PID:5224
-
C:\Windows\SysWOW64\Jnnnpg32.exeC:\Windows\system32\Jnnnpg32.exe89⤵PID:6972
-
C:\Windows\SysWOW64\Jaljlb32.exeC:\Windows\system32\Jaljlb32.exe90⤵PID:7052
-
C:\Windows\SysWOW64\Jdjfhnpe.exeC:\Windows\system32\Jdjfhnpe.exe91⤵
- Modifies registry class
PID:5216 -
C:\Windows\SysWOW64\Jlanikqg.exeC:\Windows\system32\Jlanikqg.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6380 -
C:\Windows\SysWOW64\Jangaboo.exeC:\Windows\system32\Jangaboo.exe93⤵PID:1796
-
C:\Windows\SysWOW64\Jjgkjh32.exeC:\Windows\system32\Jjgkjh32.exe94⤵PID:3684
-
C:\Windows\SysWOW64\Jbncke32.exeC:\Windows\system32\Jbncke32.exe95⤵PID:6228
-
C:\Windows\SysWOW64\Jjihpgcl.exeC:\Windows\system32\Jjihpgcl.exe96⤵PID:6432
-
C:\Windows\SysWOW64\Jeolmpcb.exeC:\Windows\system32\Jeolmpcb.exe97⤵PID:6480
-
C:\Windows\SysWOW64\Kkkdegaj.exeC:\Windows\system32\Kkkdegaj.exe98⤵PID:6940
-
C:\Windows\SysWOW64\Keaibpap.exeC:\Windows\system32\Keaibpap.exe99⤵
- Drops file in System32 directory
PID:1920 -
C:\Windows\SysWOW64\Klkaojhl.exeC:\Windows\system32\Klkaojhl.exe100⤵PID:3576
-
C:\Windows\SysWOW64\Kbeild32.exeC:\Windows\system32\Kbeild32.exe101⤵PID:1640
-
C:\Windows\SysWOW64\Kdffdlfg.exeC:\Windows\system32\Kdffdlfg.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2784 -
C:\Windows\SysWOW64\Koljaeen.exeC:\Windows\system32\Koljaeen.exe103⤵PID:1756
-
C:\Windows\SysWOW64\Kajfmqda.exeC:\Windows\system32\Kajfmqda.exe104⤵PID:4164
-
C:\Windows\SysWOW64\Kdhbilde.exeC:\Windows\system32\Kdhbilde.exe105⤵
- Drops file in System32 directory
PID:5508 -
C:\Windows\SysWOW64\Kkbkffka.exeC:\Windows\system32\Kkbkffka.exe106⤵PID:6040
-
C:\Windows\SysWOW64\Khfkpjjk.exeC:\Windows\system32\Khfkpjjk.exe107⤵PID:6008
-
C:\Windows\SysWOW64\Kopcld32.exeC:\Windows\system32\Kopcld32.exe108⤵PID:3048
-
C:\Windows\SysWOW64\Kaophp32.exeC:\Windows\system32\Kaophp32.exe109⤵
- Drops file in System32 directory
PID:6932 -
C:\Windows\SysWOW64\Ldmldk32.exeC:\Windows\system32\Ldmldk32.exe110⤵PID:6844
-
C:\Windows\SysWOW64\Lkgdaegl.exeC:\Windows\system32\Lkgdaegl.exe111⤵PID:4680
-
C:\Windows\SysWOW64\Lemhnn32.exeC:\Windows\system32\Lemhnn32.exe112⤵PID:6412
-
C:\Windows\SysWOW64\Lkiage32.exeC:\Windows\system32\Lkiage32.exe113⤵PID:6496
-
C:\Windows\SysWOW64\Lbqihb32.exeC:\Windows\system32\Lbqihb32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1280 -
C:\Windows\SysWOW64\Leoedn32.exeC:\Windows\system32\Leoedn32.exe115⤵PID:3840
-
C:\Windows\SysWOW64\Ldbepklj.exeC:\Windows\system32\Ldbepklj.exe116⤵PID:2816
-
C:\Windows\SysWOW64\Llimqhll.exeC:\Windows\system32\Llimqhll.exe117⤵PID:6552
-
C:\Windows\SysWOW64\Llkjfh32.exeC:\Windows\system32\Llkjfh32.exe118⤵PID:6804
-
C:\Windows\SysWOW64\Lojfbc32.exeC:\Windows\system32\Lojfbc32.exe119⤵
- Drops file in System32 directory
PID:5768 -
C:\Windows\SysWOW64\Lecoomqj.exeC:\Windows\system32\Lecoomqj.exe120⤵PID:6268
-
C:\Windows\SysWOW64\Lhbkkipn.exeC:\Windows\system32\Lhbkkipn.exe121⤵
- Drops file in System32 directory
PID:452 -
C:\Windows\SysWOW64\Lkqggdoa.exeC:\Windows\system32\Lkqggdoa.exe122⤵PID:1304