Analysis
Max time kernel: 177s
Max time network: 165s
Platform: windows10-2004_x64
Resource: win10v2004-20231023-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 07-11-2023 19:15
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: NEAS.76662570d8c21b3ac2f7cc1d4479c170.exe
  Resource: win7-20231023-en (windows7-x64)
  6 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: NEAS.76662570d8c21b3ac2f7cc1d4479c170.exe
  Resource: win10v2004-20231023-en (windows10-2004-x64)
  5 signatures, 150 seconds
General
Target: NEAS.76662570d8c21b3ac2f7cc1d4479c170.exe
Size: 440KB
MD5: 76662570d8c21b3ac2f7cc1d4479c170
SHA1: a5f2d6a90ab4bc20c083b5b877e29a00768515f8
SHA256: aae58d1150211fbbb285fb2df6edfb0604291a2566449d186413c426c6bcacfc
SHA512: 6f9fc7fbbf2865009653bef31f94433bb1ba8931c1e81c97b07291c9cca5a1d9581b14fdd86bd2c7c3c1f3b05640c6e40ee795d04fffd4d82f6d920bb6e3d5a3
SSDEEP: 6144:21pn8fvlsHdkiOBUykxrjfPXIfvlsHdkiOGigX3IOA12jfvlsHdkiOBUykxrjfPw:2GvboivbwIOeYvboivb
Score: 10/10
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
Process tree, one row per process: depth in the chain | PID | image | signatures raised for that process. Every process from depth 2 downward is a dropped binary in C:\Windows\SysWOW64\ started with the command line C:\Windows\system32\<name>.exe; the sample is 32-bit (arch:x86) running on x64 Windows, so WOW64 file-system redirection maps that system32 path onto SysWOW64. Each process launches exactly one child, so the tree is a 122-deep linear chain rather than a fan-out. Two caveats when reading the signature column. First, the per-signature IoC lists in this report are capped: the WriteProcessMemory list above ends mid-sequence with PID 2900 writing to PID 1196, and "Executes dropped EXE" is no longer recorded after depth 66 although 56 further dropped binaries run, so a missing tag on a late process is not evidence that its behaviour differed. Second, several PIDs recur (3476 at depths 4 and 60, 228 at 5 and 74, 2376 at 9 and 69, 3576 at 10 and 70, 1196 at 23 and 91, 4916 at 24 and 120, 2648 at 27 and 95); Windows only reissues a PID once its previous holder has exited, so the chain is a sequential hand-off in which earlier stages terminate, and PID alone does not identify a process across this run.
1 | 2556 | C:\Users\Admin\AppData\Local\Temp\NEAS.76662570d8c21b3ac2f7cc1d4479c170.exe (command line "C:\Users\Admin\AppData\Local\Temp\NEAS.76662570d8c21b3ac2f7cc1d4479c170.exe") | Drops file in System32 directory; Suspicious use of WriteProcessMemory
2 | 2212 | Mihikgod.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
3 | 380 | Ajggjq32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
4 | 3476 | Apfhajjf.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
5 | 228 | Anjikoip.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
6 | 4012 | Cmkehicj.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
7 | 5080 | Dkgeao32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
8 | 2704 | Dkjbgooi.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
9 | 2376 | Eepbabjj.exe | Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
10 | 3576 | Fcjimnjl.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
11 | 1764 | Gdheol32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
12 | 2876 | Haeino32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
13 | 3424 | Peaahmcd.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
14 | 3296 | Cgbppknb.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
15 | 1828 | Dgplai32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
16 | 2892 | Eciilj32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
17 | 1612 | Eglkmh32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
18 | 2172 | Gablgk32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
19 | 3096 | Gpgihh32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
20 | 2468 | Ghcjedcj.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
21 | 4044 | Hjfplo32.exe | Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
22 | 2900 | Hnfehm32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
23 | 1196 | Idjdqc32.exe | Executes dropped EXE
24 | 4916 | Jahgpf32.exe | Executes dropped EXE
25 | 4336 | Khifno32.exe | Executes dropped EXE
26 | 2600 | Kdbchp32.exe | Executes dropped EXE; Drops file in System32 directory
27 | 2648 | Loqjlg32.exe | Executes dropped EXE
28 | 4836 | Lgqhki32.exe | Executes dropped EXE
29 | 3388 | Mbkfcabb.exe | Executes dropped EXE
30 | 4444 | Aihfjd32.exe | Executes dropped EXE; Drops file in System32 directory
31 | 1952 | Bbhqdhnm.exe | Executes dropped EXE
32 | 4900 | Bbjmih32.exe | Executes dropped EXE
33 | 4320 | Chnlbndj.exe | Executes dropped EXE; Modifies registry class
34 | 3784 | Fihqfh32.exe | Executes dropped EXE
35 | 1436 | Kmegkp32.exe | Executes dropped EXE
36 | 4852 | Kgmlde32.exe | Executes dropped EXE
37 | 3380 | Kinefp32.exe | Executes dropped EXE
38 | 2924 | Kmlmlo32.exe | Executes dropped EXE
39 | 1360 | Kdffiinp.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
40 | 4364 | Lgkhec32.exe | Executes dropped EXE
41 | 720 | Nglala32.exe | Executes dropped EXE
42 | 3084 | Nneiikqe.exe | Executes dropped EXE
43 | 1304 | Nnmojj32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
44 | 3972 | Occkhp32.exe | Executes dropped EXE
45 | 688 | Pbpjbe32.exe | Executes dropped EXE; Drops file in System32 directory
46 | 3900 | Qaegcb32.exe | Executes dropped EXE
47 | 2980 | Anmagenh.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
48 | 1092 | Aejfjocb.exe | Executes dropped EXE
49 | 4372 | Anbkbe32.exe | Executes dropped EXE
50 | 3008 | Adapqk32.exe | Executes dropped EXE
51 | 392 | Flqigq32.exe | Executes dropped EXE
52 | 4120 | Icgjfgef.exe | Executes dropped EXE
53 | 2732 | Kbaiip32.exe | Executes dropped EXE; Drops file in System32 directory
54 | 4252 | Lpjcnd32.exe | Executes dropped EXE
55 | 4332 | Lbhojo32.exe | Executes dropped EXE
56 | 1504 | Libggiik.exe | Executes dropped EXE
57 | 2776 | Lboeknkf.exe | Executes dropped EXE
58 | 4684 | Mipchg32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
59 | 4628 | Ndagao32.exe | Executes dropped EXE; Drops file in System32 directory
60 | 3476 | Nciahk32.exe | Executes dropped EXE
61 | 1076 | Odkjgm32.exe | Executes dropped EXE; Modifies registry class
62 | 4544 | Ofqpje32.exe | Executes dropped EXE
63 | 2784 | Pmoabn32.exe | Executes dropped EXE; Drops file in System32 directory; Modifies registry class
64 | 1936 | Pggbdgmm.exe | Executes dropped EXE
65 | 2252 | Pncggqbg.exe | none recorded
66 | 5024 | Qmkanmel.exe | Executes dropped EXE; Modifies registry class
67 | 2552 | Anmjmojl.exe | Modifies registry class
68 | 4496 | Bagfeioc.exe | none recorded
69 | 2376 | Cnicpk32.exe | none recorded
70 | 3576 | Djbpjl32.exe | Modifies registry class
71 | 4436 | Dalhgfmk.exe | Modifies registry class
72 | 4480 | Dfiaomkb.exe | none recorded
73 | 1244 | Dhmgdo32.exe | none recorded
74 | 228 | Eeagnc32.exe | none recorded
75 | 2140 | Emaemefo.exe | none recorded
76 | 1268 | Fdpgen32.exe | none recorded
77 | 184 | Fkiobhac.exe | none recorded
78 | 4984 | Gaadpqmp.exe | Drops file in System32 directory
79 | 2476 | Gkjhif32.exe | Drops file in System32 directory
80 | 4072 | Gklenf32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
81 | 1948 | Gfaikoad.exe | none recorded
82 | 1144 | Hgcfcg32.exe | none recorded
83 | 4184 | Ininloda.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
84 | 2404 | Jfpocjfa.exe | none recorded
85 | 1956 | Jiokpfee.exe | Modifies registry class
86 | 764 | Jnnpnl32.exe | none recorded
87 | 3016 | Kgfdfbhj.exe | none recorded
88 | 1872 | Kblidkhp.exe | none recorded
89 | 440 | Kbneij32.exe | none recorded
90 | 3120 | Kbbodj32.exe | Drops file in System32 directory; Modifies registry class
91 | 1196 | Khpgmqpp.exe | Drops file in System32 directory
92 | 1808 | Lbekjipe.exe | none recorded
93 | 1460 | Lhbdbpnm.exe | none recorded
94 | 1604 | Ocjgcd32.exe | none recorded
95 | 2648 | Pckpja32.exe | none recorded
96 | 4728 | Qcbfjqkp.exe | none recorded
97 | 1800 | Aokceaoa.exe | none recorded
98 | 5148 | Bjgncihp.exe | none recorded
99 | 5192 | Bjodch32.exe | Modifies registry class
100 | 5240 | Bpkllo32.exe | Drops file in System32 directory
101 | 5280 | Cihjpd32.exe | Modifies registry class
102 | 5352 | Ccnnmmbp.exe | none recorded
103 | 5388 | Fineho32.exe | none recorded
104 | 5440 | Fhofffjo.exe | none recorded
105 | 5476 | Fipbnn32.exe | none recorded
106 | 5524 | Fhablf32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
107 | 5572 | Gpmgph32.exe | none recorded
108 | 5612 | Gkbkna32.exe | none recorded
109 | 5652 | Gpodfh32.exe | none recorded
110 | 5692 | Gkdhcqcj.exe | none recorded
111 | 5732 | Gaqmej32.exe | none recorded
112 | 5772 | Ggnenagl.exe | Adds autorun key to be loaded by Explorer.exe on startup
113 | 5812 | Gacjkjgb.exe | none recorded
114 | 5852 | Hpmpgfhd.exe | none recorded
115 | 5892 | Hnaqqj32.exe | none recorded
116 | 5956 | Inhgaipf.exe | none recorded
117 | 6004 | Jbmehf32.exe | Modifies registry class
118 | 6056 | Jqgldb32.exe | none recorded
119 | 6092 | Kkomgkoj.exe | none recorded
120 | 4916 | Kqkeoama.exe | none recorded
121 | 1140 | Keinepch.exe | none recorded
122 | 5216 | Kgjggkqi.exe | Drops file in System32 directory; Modifies registry class
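When a report like this is exported as text, the process tree arrives flattened (image path, command line and depth run together on one line, signature bullets below it, then the PID) and the "wrote to memory of" rows arrive as one run-on list. The script below is an added example, not part of the sandbox output: it parses both forms back into records, links each process to the nearest preceding row one level shallower (leaving the parent unknown where a level is missing), reports PIDs that appear more than once, and checks every WriteProcessMemory edge against the tree so that a writer/target pair with no matching parent/child row stands out. The two samples are constructed slices copied from this report (tree depths 1, 4, 14, 15 and 60, with the depths in between deliberately omitted; six memory-write rows), so the output is meant to show gap handling as well as the normal case.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# One flattened tree row: <image><command line><depth>⤵, with the PID glued on
# when the row carries no signatures (e.g. "...exe65⤵PID:2252").
HEADER_RE = re.compile(r'^(?P<image>\S+?\.exe)(?P<cmd>"[^"]*"|\S+?\.exe)'
                       r'(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?\s*$')
PID_RE = re.compile(r'^PID:(\d+)\s*-?$')
SIG_RE = re.compile(r'^-\s+(\S.*)$')     # a lone "-" is a separator, not a tag
# One memory-write row; the trailing number is not explained on the page, so
# it is matched but not kept.
WPM_RE = re.compile(r'PID (\d+) wrote to memory of (\d+) \1 (\S+\.exe) \d+')

@dataclass
class Proc:
    depth: int
    image: str
    cmdline: str
    pid: Optional[int] = None
    parent_pid: Optional[int] = None
    signatures: list = field(default_factory=list)

def parse_tree(text: str) -> list:
    """Rows -> Proc records; parent is the latest row one level shallower."""
    procs, last_at_depth = [], {}
    for line in (l.strip() for l in text.splitlines()):
        if m := HEADER_RE.match(line):
            p = Proc(int(m['depth']), m['image'], m['cmd'].strip('"'),
                     int(m['pid']) if m['pid'] else None)
            parent = last_at_depth.get(p.depth - 1)   # None when that level is absent
            p.parent_pid = parent.pid if parent else None
            last_at_depth[p.depth] = p
            procs.append(p)
        elif procs and (m := PID_RE.match(line)):
            procs[-1].pid = int(m.group(1))
        elif procs and (m := SIG_RE.match(line)):
            procs[-1].signatures.append(m.group(1))
    return procs

def reused_pids(procs: list) -> dict:
    """PIDs held by more than one row (a PID is only reissued after its holder exits)."""
    seen = {}
    for p in procs:
        if p.pid is not None:
            seen.setdefault(p.pid, []).append(p.depth)
    return {pid: d for pid, d in seen.items() if len(d) > 1}

def parse_wpm(text: str) -> Counter:
    """Count (writer pid, target pid, writer image); one row per observed write."""
    return Counter((int(a), int(b), img) for a, b, img in WPM_RE.findall(text))

def unmatched_edges(procs: list, edges: Counter) -> list:
    """Write edges with no tree row whose parent is the writer; matching on
    (parent, child) pairs keeps reused PIDs from shadowing each other."""
    pairs = {(p.parent_pid, p.pid) for p in procs}
    return sorted((a, b) for a, b, _ in edges if (a, b) not in pairs)

# Constructed slice of this report's tree (depths 1, 4, 14, 15, 60); the
# intermediate depths are left out on purpose.
TREE_SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\NEAS.76662570d8c21b3ac2f7cc1d4479c170.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.76662570d8c21b3ac2f7cc1d4479c170.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Apfhajjf.exeC:\Windows\system32\Apfhajjf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\Cgbppknb.exeC:\Windows\system32\Cgbppknb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Windows\SysWOW64\Dgplai32.exeC:\Windows\system32\Dgplai32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Nciahk32.exeC:\Windows\system32\Nciahk32.exe60⤵
- Executes dropped EXE
PID:3476 -
"""

# Constructed slice of the WriteProcessMemory rows from this report.
WPM_SAMPLE = """
PID 3424 wrote to memory of 3296 3424 Peaahmcd.exe 108
PID 3424 wrote to memory of 3296 3424 Peaahmcd.exe 108
PID 3424 wrote to memory of 3296 3424 Peaahmcd.exe 108
PID 3296 wrote to memory of 1828 3296 Cgbppknb.exe 109
PID 1828 wrote to memory of 2892 1828 Dgplai32.exe 110
"""

if __name__ == "__main__":
    procs = parse_tree(TREE_SAMPLE)
    for p in procs:
        print(p.depth, p.pid, p.parent_pid, p.image.rsplit("\\", 1)[-1], p.signatures)
    print("reused PIDs:", reused_pids(procs))
    print("unmatched edges:", unmatched_edges(procs, parse_wpm(WPM_SAMPLE)))
```

On the sample, only the depth-15 row (PID 1828) gets a parent, because depth 14 is the one level that is present immediately above it; PID 3476 is reported as reused at depths 4 and 60; and of the three distinct write edges only 3296 to 1828 matches a parent/child row, the other two pointing at processes outside the slice. Run against the full report text the same code gives the whole 122-step chain and the seven reused PIDs listed above.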