Analysis

max time kernel: 163s
max time network: 187s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2023 04:25

Static task: static1 (1 signature)

Behavioral task: behavioral1
  Sample: NEAS.e767e1bb3c4bac260812d1d7bc7e0630.exe
  Resource: win7-20231023-en (windows7-x64)
  6 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: NEAS.e767e1bb3c4bac260812d1d7bc7e0630.exe
  Resource: win10v2004-20231020-en (windows10-2004-x64)
  5 signatures, 150 seconds

General

Target: NEAS.e767e1bb3c4bac260812d1d7bc7e0630.exe
Size: 55KB
MD5: e767e1bb3c4bac260812d1d7bc7e0630
SHA1: d4d5971e6752e8b69a63b659a859b324855ffcfb
SHA256: 1734efe2960fe76855e1666b5cb859b168a04a83ebe7930310375ba3cc6d8f16
SHA512: 4a9b887fe3c9916a42bc0ea5757cd88272c4f3ddd6c41769561aee33e4ea374d4b9246c483fe6754aecba1e62cdb223be25d7a89695edf90cff62cf876d3cb75
SSDEEP: 1536:je7TZs97xOOVQV6p817CqYSsgnzyv2L8:jdxOCq6+Vd8
Score: 10/10
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Every IoC in this group touches one key and one value. ShellServiceObjectDelayLoad (SSODL) is a legacy Explorer extension point: when the shell starts, explorer.exe instantiates each CLSID listed under the key and loads that CLSID's InProcServer32 DLL into its own process (the CLSID registration itself is in the "Modifies registry class" group below). All of these writes land under WOW6432Node because the sample is a 32-bit process on x64 Windows and the registry redirector sends it there; the native 64-bit explorer.exe reads the non-redirected key, so a host check should cover both views.

Key:   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value: Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"

description       Process
Set value (str)   Dmooak32.exe
Key created       Hlpfhe32.exe
Key created       Hihibbjo.exe
Set value (str)   Agbkfood.exe
Set value (str)   Cjmpeffh.exe
Set value (str)   Hlpfhe32.exe
Key created       Knbiil32.exe
Key created       Pfdbknda.exe
Set value (str)   Mhppcn32.exe
Key created       Ahonbhig.exe
Key created       Gifadggi.exe
Set value (str)   Kdffiinp.exe
Set value (str)   Oookbega.exe
Key created       Opqdbhlb.exe
Key created       Dannbogl.exe
Set value (str)   Bhldio32.exe
Set value (str)   Jldbpl32.exe
Key created       Ikgpmc32.exe
Set value (str)   Lkflpe32.exe
Key created       Piikhc32.exe
Set value (str)   Ikbfbdgf.exe
Key created       Ammgifpn.exe
Set value (str)   Cmhial32.exe
Set value (str)   Dmnkdfce.exe
Set value (str)   Ddgplado.exe
Set value (str)   Johnamkm.exe
Set value (str)   Komhll32.exe
Key created       Jjqdafmp.exe
Key created       Jekjcaef.exe
Key created       Flodilma.exe
Key created       Qjiaak32.exe
Set value (str)   Fbajlo32.exe
Key created       Cjejdglp.exe
Key created       Hfjdqmng.exe
Set value (str)   Iehmmb32.exe
Key created       Loeoei32.exe
Key created       Plokgh32.exe
Set value (str)   Boipfp32.exe
Key created       Pcjioknl.exe
Set value (str)   Gpeclq32.exe
Key created       Glgcbf32.exe
Set value (str)   Ilibdmgp.exe
Set value (str)   Hejono32.exe
Key created       Gamjea32.exe
Key created       Hefnkkkj.exe
Set value (str)   Gddigk32.exe
Set value (str)   Opnglhnd.exe
Set value (str)   Giinjg32.exe
Key created       Nboiekjd.exe
Key created       Iofmpb32.exe
Set value (str)   Qleahgff.exe
Set value (str)   Dmmblkpm.exe
Key created       Bmjlpnpb.exe
Set value (str)   Bohiliof.exe
Key created       Omnqhbap.exe
Key created       Aopmpq32.exe
Set value (str)   Iolhdn32.exe
Key created       Iaokdn32.exe
Key created       Fomhnmgp.exe
Set value (str)   Dckdddcd.exe
Key created       Jolodqcp.exe
Key created       Lbekjipe.exe
Key created       Mpghel32.exe
Set value (str)   Cpbbln32.exe
Executes dropped EXE (64 IoCs)

pid    Process
4232   Cfbcke32.exe
3324   Ddgplado.exe
3944   Ddjmba32.exe
2304   Dfiildio.exe
2380   Dkfadkgf.exe
4104   Dmennnni.exe
2572   Eiloco32.exe
3140   Enigke32.exe
3580   Ekmhejao.exe
1660   Eeelnp32.exe
4804   Ekodjiol.exe
1176   Ebimgcfi.exe
1648   Fijkdmhn.exe
3896   Fngcmcfe.exe
3368   Fimhjl32.exe
4740   Fnipbc32.exe
1584   Fmkqpkla.exe
960    Fnnjmbpm.exe
1012   Gfeaopqo.exe
3296   Gfhndpol.exe
4268   Gldglf32.exe
3824   Glgcbf32.exe
3804   Gpelhd32.exe
4192   Gimqajgh.exe
4276   Hfaajnfb.exe
1992   Hefnkkkj.exe
1644   Hlpfhe32.exe
3796   Hffken32.exe
848    Hekgfj32.exe
1552   Hfjdqmng.exe
3508   Iepaaico.exe
2280   Ipeeobbe.exe
4260   Illfdc32.exe
3352   Igajal32.exe
2244   Jlgepanl.exe
2828   Jcanll32.exe
2844   Jilfifme.exe
852    Johnamkm.exe
216    Jinboekc.exe
4788   Jcfggkac.exe
4940   Komhll32.exe
3516   Knnhjcog.exe
5052   Dddllkbf.exe
3044   Hihibbjo.exe
3380   Ipbaol32.exe
1476   Ilibdmgp.exe
1180   Ilkoim32.exe
220    Iahgad32.exe
2196   Iiopca32.exe
4540   Iefphb32.exe
4428   Ilphdlqh.exe
4964   Iehmmb32.exe
3464   Jpnakk32.exe
1128   Jekjcaef.exe
4560   Jaajhb32.exe
676    Jpbjfjci.exe
4896   Jbagbebm.exe
5116   Jhnojl32.exe
4432   Kplmliko.exe
1556   Khgbqkhj.exe
4588   Nbdkhe32.exe
4840   Oakjnnap.exe
4712   Ijedehgm.exe
1384   Imcqacfq.exe
Drops file in System32 directory (64 IoCs)

Each stage writes the next stage's .exe into C:\Windows\SysWOW64 and then launches it (compare the parent/child pairs in the process tree below); the .dll drops follow the same eight-letter naming scheme as the InProcServer32 paths registered in the next group. "File opened for modification" entries are the same kind of write recorded through a different API path.

description                    ioc                                      Process
File opened for modification   C:\Windows\SysWOW64\Iolfmcbb.exe         Hdfapjbl.exe
File created                   C:\Windows\SysWOW64\Bfoebq32.exe         Afjlgafe.exe
File created                   C:\Windows\SysWOW64\Fggfghap.exe         Fdijkmbl.exe
File created                   C:\Windows\SysWOW64\Ecakodpe.dll         Dpckclld.exe
File created                   C:\Windows\SysWOW64\Dmnkdfce.exe         Debfpd32.exe
File created                   C:\Windows\SysWOW64\Iiqooh32.exe         Ibffbnjh.exe
File opened for modification   C:\Windows\SysWOW64\Oghpib32.exe         Opnglhnd.exe
File created                   C:\Windows\SysWOW64\Pmajlb32.dll         Dmjefkap.exe
File created                   C:\Windows\SysWOW64\Lpqgqn32.exe         Klekpodn.exe
File opened for modification   C:\Windows\SysWOW64\Dmnkdfce.exe         Debfpd32.exe
File opened for modification   C:\Windows\SysWOW64\Bkpfjb32.exe         Bcinie32.exe
File created                   C:\Windows\SysWOW64\Ocfjbk32.dll         Egijfjmp.exe
File created                   C:\Windows\SysWOW64\Ofdgbn32.dll         Moobkh32.exe
File opened for modification   C:\Windows\SysWOW64\Jlgepanl.exe         Igajal32.exe
File created                   C:\Windows\SysWOW64\Idfcibho.dll         Keakqeal.exe
File opened for modification   C:\Windows\SysWOW64\Aqoijcbo.exe         Amcmie32.exe
File created                   C:\Windows\SysWOW64\Ckdnfiai.dll         Ccpkblqn.exe
File created                   C:\Windows\SysWOW64\Ciefpn32.exe         Ccinggcj.exe
File created                   C:\Windows\SysWOW64\Gpcpel32.dll         Jcfggkac.exe
File opened for modification   C:\Windows\SysWOW64\Npbhqj32.exe         Nhlpom32.exe
File opened for modification   C:\Windows\SysWOW64\Afghgkdl.exe         Acilkp32.exe
File created                   C:\Windows\SysWOW64\Bmkcjd32.exe         Bcboan32.exe
File created                   C:\Windows\SysWOW64\Cmdfpbkc.exe         Cjejdglp.exe
File created                   C:\Windows\SysWOW64\Cglgck32.exe         Ccpkblqn.exe
File created                   C:\Windows\SysWOW64\Bkmaja32.dll         Piphaf32.exe
File opened for modification   C:\Windows\SysWOW64\Kojdflkl.exe         Kllhjplh.exe
File opened for modification   C:\Windows\SysWOW64\Gempqo32.exe         Gnfhob32.exe
File created                   C:\Windows\SysWOW64\Jcanll32.exe         Jlgepanl.exe
File created                   C:\Windows\SysWOW64\Agpoqoaf.exe         Aqffdejj.exe
File created                   C:\Windows\SysWOW64\Dfkidmkb.dll         Cabofaaj.exe
File opened for modification   C:\Windows\SysWOW64\Dkfadkgf.exe         Dfiildio.exe
File created                   C:\Windows\SysWOW64\Gpmenm32.dll         Iahgad32.exe
File opened for modification   C:\Windows\SysWOW64\Ecoiapdj.exe         Eghimo32.exe
File created                   C:\Windows\SysWOW64\Glompi32.exe         Glhgojef.exe
File opened for modification   C:\Windows\SysWOW64\Jbpihlbn.exe         Ibnlbm32.exe
File opened for modification   C:\Windows\SysWOW64\Nbljaf32.exe         Mpnnek32.exe
File opened for modification   C:\Windows\SysWOW64\Pcffoben.exe         Pllnbh32.exe
File created                   C:\Windows\SysWOW64\Pjhpfp32.dll         Ggmock32.exe
File opened for modification   C:\Windows\SysWOW64\Hekgfj32.exe         Hffken32.exe
File created                   C:\Windows\SysWOW64\Amaqde32.exe         Afghgkdl.exe
File created                   C:\Windows\SysWOW64\Ckfpai32.exe         Cjecjahd.exe
File created                   C:\Windows\SysWOW64\Ppoijn32.exe         Pmpmnb32.exe
File created                   C:\Windows\SysWOW64\Jikjmbmb.exe         Jcnbekok.exe
File created                   C:\Windows\SysWOW64\Banlia32.dll         Hecadm32.exe
File opened for modification   C:\Windows\SysWOW64\Fdpgen32.exe         Egkgljkm.exe
File opened for modification   C:\Windows\SysWOW64\Pomgcc32.exe         Plokgh32.exe
File opened for modification   C:\Windows\SysWOW64\Cooolhin.exe         Cmabpmjj.exe
File created                   C:\Windows\SysWOW64\Fimhjl32.exe         Fngcmcfe.exe
File opened for modification   C:\Windows\SysWOW64\Kblidkhp.exe         Kpmlhoil.exe
File created                   C:\Windows\SysWOW64\Caidhlcb.dll         Pllggbje.exe
File created                   C:\Windows\SysWOW64\Acfhkj32.exe         Akoqjl32.exe
File created                   C:\Windows\SysWOW64\Gldglf32.exe         Gfhndpol.exe
File created                   C:\Windows\SysWOW64\Ipnlpf32.dll         Flodilma.exe
File opened for modification   C:\Windows\SysWOW64\Oenljoji.exe         Ocopncke.exe
File created                   C:\Windows\SysWOW64\Bmmljbhc.dll         Cclagm32.exe
File created                   C:\Windows\SysWOW64\Dgnned32.dll         Ccbhhl32.exe
File created                   C:\Windows\SysWOW64\Fbipejob.dll         Giinjg32.exe
File opened for modification   C:\Windows\SysWOW64\Ejhanj32.exe         Ecoiapdj.exe
File opened for modification   C:\Windows\SysWOW64\Cmfcfb32.exe         Cflkihbd.exe
File created                   C:\Windows\SysWOW64\Pblmpm32.dll         Lemjlcgo.exe
File created                   C:\Windows\SysWOW64\Hecadm32.exe         Hmlicp32.exe
File created                   C:\Windows\SysWOW64\Iaejqcdo.dll         Jpnakk32.exe
File created                   C:\Windows\SysWOW64\Pckcmnla.dll         Opnglhnd.exe
File created                   C:\Windows\SysWOW64\Hekgfj32.exe         Hffken32.exe
Modifies registry class (64 IoCs)

This is the COM registration that makes the SSODL entry above resolvable: under the CLSID's InProcServer32 subkey the default value names the DLL explorer.exe will load and ThreadingModel is set to "Apartment". Note that the registered DLL path changes from stage to stage (each stage points the same CLSID at its own dropped DLL), so the last stage to run decides which file is loaded at the next logon.

Key: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32

description       value                                              Process
Key created       (InProcServer32)                                   Ehocjo32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Amjpfc32.dll"     Gddigk32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Gjecoa32.dll"     Pjgellfb.exe
Set value (str)   ThreadingModel = "Apartment"                       Ciefpn32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Klpjgfdg.dll"     Pdlbpldg.exe
Key created       (InProcServer32)                                   Lnfgmc32.exe
Set value (str)   ThreadingModel = "Apartment"                       Qjiaak32.exe
Key created       (InProcServer32)                                   Kdffiinp.exe
Set value (str)   ThreadingModel = "Apartment"                       Anogbohj.exe
Set value (str)   ThreadingModel = "Apartment"                       Gkeonggf.exe
Set value (str)   ThreadingModel = "Apartment"                       Dbikdbnd.exe
Set value (str)   ThreadingModel = "Apartment"                       Kakmhg32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Doagdn32.dll"     Dmphjfab.exe
Set value (str)   ThreadingModel = "Apartment"                       Hmhphqoe.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Hhbipa32.dll"     Mfejme32.exe
Key created       (InProcServer32)                                   Afghgkdl.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Ejbonb32.dll"     Anccjp32.exe
Key created       (InProcServer32)                                   Mlpeol32.exe
Set value (str)   ThreadingModel = "Apartment"                       Dfjgjf32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Hcgmmogb.dll"     Ejchbmna.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Jeeobqbq.dll"     Dfiildio.exe
Key created       (InProcServer32)                                   Ilkoim32.exe
Set value (str)   ThreadingModel = "Apartment"                       Dmphjfab.exe
Key created       (InProcServer32)                                   Flodilma.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Laiadfap.dll"     Dkjmea32.exe
Set value (str)   ThreadingModel = "Apartment"                       Opqdbhlb.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Jbafjmfi.dll"     Ocopncke.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Jgpgfn32.dll"     Phgagb32.exe
Set value (str)   ThreadingModel = "Apartment"                       Hfjdqmng.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Nknnda32.dll"     Cmdhnhkp.exe
Key created       (InProcServer32)                                   Iolhdn32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Cinbhb32.dll"     Fjhaml32.exe
Set value (str)   ThreadingModel = "Apartment"                       Fijkdmhn.exe
Key created       (InProcServer32)                                   Ajjcoqdl.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Ciebfc32.dll"     Akoqjl32.exe
Key created       (InProcServer32)                                   Pfgopnbo.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Npbelfjm.dll"     Aokceaoa.exe
Key created       (InProcServer32)                                   Acgacegg.exe
Set value (str)   ThreadingModel = "Apartment"                       Bckknd32.exe
Set value (str)   ThreadingModel = "Apartment"                       Glompi32.exe
Key created       (InProcServer32)                                   Iacepmik.exe
Set value (str)   ThreadingModel = "Apartment"                       Bmhfddeq.exe
Key created       (InProcServer32)                                   Ikfgeh32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Iokifhcf.dll"     Jldbpl32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Alfall32.dll"     Jmamba32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Pkhnna32.dll"     Bjagcndq.exe
Set value (str)   ThreadingModel = "Apartment"                       Dhejij32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Dabbfqog.dll"     Dmooak32.exe
Key created       (InProcServer32)                                   Ejhanj32.exe
Set value (str)   ThreadingModel = "Apartment"                       Iolfmcbb.exe
Set value (str)   ThreadingModel = "Apartment"                       Acgacegg.exe
Key created       (InProcServer32)                                   Oghpib32.exe
Key created       (InProcServer32)                                   Plokgh32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Gpkdbfef.dll"     Ajnkmjqj.exe
Key created       (InProcServer32)                                   Gimqajgh.exe
Set value (str)   ThreadingModel = "Apartment"                       Kplmliko.exe
Set value (str)   ThreadingModel = "Apartment"                       Boipfp32.exe
Set value (str)   ThreadingModel = "Apartment"                       Imabnofj.exe
Set value (str)   ThreadingModel = "Apartment"                       Moobkh32.exe
Set value (str)   ThreadingModel = "Apartment"                       Edhado32.exe
Key created       (InProcServer32)                                   Fggfghap.exe
Set value (str)   ThreadingModel = "Apartment"                       Cifmjd32.exe
Set value (str)   (Default) = "C:\Windows\SysWow64\Hmgbginj.dll"     Jmmcgbnf.exe
Key created       (InProcServer32)                                   Agpqnd32.exe
Suspicious use of WriteProcessMemory (64 IoCs)

Each parent writes to its child three times immediately at spawn, and every pair matches a parent/child edge in the process tree below, so these events are the footprint of process creation along the chain rather than injection into an unrelated process. The sandbox caps the list at 64 entries, which is why the last pair appears only once.

pid    Process                                     target pid   procid_target   events
1788   NEAS.e767e1bb3c4bac260812d1d7bc7e0630.exe   4232         88              3
4232   Cfbcke32.exe                                3324         89              3
3324   Ddgplado.exe                                3944         90              3
3944   Ddjmba32.exe                                2304         91              3
2304   Dfiildio.exe                                2380         93              3
2380   Dkfadkgf.exe                                4104         94              3
4104   Dmennnni.exe                                2572         95              3
2572   Eiloco32.exe                                3140         96              3
3140   Enigke32.exe                                3580         97              3
3580   Ekmhejao.exe                                1660         98              3
1660   Eeelnp32.exe                                4804         99              3
4804   Ekodjiol.exe                                1176         100             3
1176   Ebimgcfi.exe                                1648         101             3
1648   Fijkdmhn.exe                                3896         102             3
3896   Fngcmcfe.exe                                3368         103             3
3368   Fimhjl32.exe                                4740         104             3
4740   Fnipbc32.exe                                1584         105             3
1584   Fmkqpkla.exe                                960          106             3
960    Fnnjmbpm.exe                                1012         107             3
1012   Gfeaopqo.exe                                3296         108             3
3296   Gfhndpol.exe                                4268         109             3
4268   Gldglf32.exe                                3824         110             1 (list capped)
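The persistence groups above (the SSODL value plus the CLSID InProcServer32 registration) and the SysWOW64 drop-and-execute chain suggest two checks to run on a host that may have executed this sample. The PowerShell below is an added example written for this page; it is not part of the sandbox report and not code from the sample. It enumerates every SSODL entry in both the native and the WOW6432Node registry views, resolves each CLSID to its InProcServer32 DLL, checks the file's Authenticode status, and separately lists recently created .exe/.dll files in System32 and SysWOW64 that are not validly signed. The function names, the 7-day window and the "Microsoft Corporation" signer test are the author's assumptions, not values taken from the report.

```powershell
# Added example for this page (not part of the sandbox report or the sample).
# Audits ShellServiceObjectDelayLoad (SSODL) persistence and lists recent
# unsigned binaries in System32/SysWOW64 on a live Windows host.

function Get-SsodlEntry {
    [CmdletBinding()]
    param()

    # Each SSODL view pairs with the CLSID hive of the same bitness. The report
    # above shows writes in the WOW6432Node view only; a 64-bit explorer.exe
    # reads the native view, so both are checked.
    $views = @(
        @{ View  = 'native'
           Ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
           Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ View  = 'wow6432'
           Ssodl = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
           Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
    )

    foreach ($v in $views) {
        if (-not (Test-Path -LiteralPath $v.Ssodl)) { continue }
        $ssodl = Get-Item -LiteralPath $v.Ssodl
        foreach ($name in $ssodl.GetValueNames()) {
            $clsid  = [string]$ssodl.GetValue($name)
            $server = Join-Path $v.Clsid "$clsid\InProcServer32"
            $dll = $null; $threading = $null
            if (Test-Path -LiteralPath $server) {
                $srv       = Get-Item -LiteralPath $server
                $dll       = [string]$srv.GetValue('')               # (Default) = DLL path
                $threading = [string]$srv.GetValue('ThreadingModel')
            }
            # The path may be REG_EXPAND_SZ or quoted; normalise it before touching the file.
            $path   = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) } else { $null }
            $exists = [bool]($path -and (Test-Path -LiteralPath $path))
            $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }

            [pscustomobject]@{
                View       = $v.View
                ValueName  = $name
                CLSID      = $clsid
                DllPath    = $path
                Threading  = $threading
                FileExists = $exists
                SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
                Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

# Assumption: a legitimate SSODL entry is a validly signed Microsoft DLL under
# %SystemRoot%. Anything else (missing file, unsigned, third-party signer, odd
# location) is flagged for review.
function Test-SsodlEntrySuspicious {
    param([Parameter(Mandatory)] $Entry)
    $inWindows = [bool]($Entry.DllPath -and
                        $Entry.DllPath.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase))
    $msSigned  = ($Entry.SigStatus -eq 'Valid') -and ($Entry.Signer -match 'O=Microsoft Corporation')
    return -not ($Entry.FileExists -and $inWindows -and $msSigned)
}

# Second check: the chain in the report drops eight-letter .exe/.dll files into
# SysWOW64. List recently created .exe/.dll files in both system directories that
# do not carry a valid signature. The 7-day window is an assumption.
function Find-RecentUnsignedSystemBinary {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($dir in "$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32") {
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            Where-Object { ($_.Extension -in '.exe', '.dll') -and ($_.CreationTime -ge $since) } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{
                        Path      = $_.FullName
                        Created   = $_.CreationTime
                        SigStatus = $sig.Status.ToString()
                    }
                }
            }
    }
}

Get-SsodlEntry |
    Select-Object *, @{ n = 'Suspicious'; e = { Test-SsodlEntrySuspicious $_ } } |
    Sort-Object Suspicious -Descending |
    Format-Table View, ValueName, CLSID, DllPath, SigStatus, Suspicious -AutoSize

Find-RecentUnsignedSystemBinary -Days 7 | Format-Table -AutoSize
```

Run it from a PowerShell prompt on the suspect host; reading HKLM does not need elevation, but reading some files under System32 may. Get-AuthenticodeSignature validates catalog-signed Windows binaries on Windows 8 and later, so stock SSODL entries ship by Windows should come back Valid with a Microsoft signer, while an entry like the one in this report (a freshly dropped DLL in SysWow64) would show FileExists True and a SigStatus of NotSigned unless the file happens to carry a signature. Treat a Suspicious result as a lead for further triage (hash the DLL, check its creation time against the rest of the chain) rather than as a verdict on its own.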
Processes
Each process below is spawned by the one above it (the number is its depth in the tree); the path is followed by the recorded command line, the PID, and the signatures that fired on it.
- 1. C:\Users\Admin\AppData\Local\Temp\NEAS.e767e1bb3c4bac260812d1d7bc7e0630.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.e767e1bb3c4bac260812d1d7bc7e0630.exe"), PID 1788: Suspicious use of WriteProcessMemory
- 2. C:\Windows\SysWOW64\Cfbcke32.exe (command line: C:\Windows\system32\Cfbcke32.exe), PID 4232: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 3. C:\Windows\SysWOW64\Ddgplado.exe (command line: C:\Windows\system32\Ddgplado.exe), PID 3324: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
- 4. C:\Windows\SysWOW64\Ddjmba32.exe (command line: C:\Windows\system32\Ddjmba32.exe), PID 3944: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 5. C:\Windows\SysWOW64\Dfiildio.exe (command line: C:\Windows\system32\Dfiildio.exe), PID 2304: Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
- 6. C:\Windows\SysWOW64\Dkfadkgf.exe (command line: C:\Windows\system32\Dkfadkgf.exe), PID 2380: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 7. C:\Windows\SysWOW64\Dmennnni.exe (command line: C:\Windows\system32\Dmennnni.exe), PID 4104: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 8. C:\Windows\SysWOW64\Eiloco32.exe (command line: C:\Windows\system32\Eiloco32.exe), PID 2572: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 9. C:\Windows\SysWOW64\Enigke32.exe (command line: C:\Windows\system32\Enigke32.exe), PID 3140: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 10. C:\Windows\SysWOW64\Ekmhejao.exe (command line: C:\Windows\system32\Ekmhejao.exe), PID 3580: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 11. C:\Windows\SysWOW64\Eeelnp32.exe (command line: C:\Windows\system32\Eeelnp32.exe), PID 1660: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 12. C:\Windows\SysWOW64\Ekodjiol.exe (command line: C:\Windows\system32\Ekodjiol.exe), PID 4804: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 13. C:\Windows\SysWOW64\Ebimgcfi.exe (command line: C:\Windows\system32\Ebimgcfi.exe), PID 1176: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 14. C:\Windows\SysWOW64\Fijkdmhn.exe (command line: C:\Windows\system32\Fijkdmhn.exe), PID 1648: Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
- 15. C:\Windows\SysWOW64\Fngcmcfe.exe (command line: C:\Windows\system32\Fngcmcfe.exe), PID 3896: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- 16. C:\Windows\SysWOW64\Fimhjl32.exe (command line: C:\Windows\system32\Fimhjl32.exe), PID 3368: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 17. C:\Windows\SysWOW64\Fnipbc32.exe (command line: C:\Windows\system32\Fnipbc32.exe), PID 4740: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 18. C:\Windows\SysWOW64\Fmkqpkla.exe (command line: C:\Windows\system32\Fmkqpkla.exe), PID 1584: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 19. C:\Windows\SysWOW64\Fnnjmbpm.exe (command line: C:\Windows\system32\Fnnjmbpm.exe), PID 960: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 20. C:\Windows\SysWOW64\Gfeaopqo.exe (command line: C:\Windows\system32\Gfeaopqo.exe), PID 1012: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 21. C:\Windows\SysWOW64\Gfhndpol.exe (command line: C:\Windows\system32\Gfhndpol.exe), PID 3296: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- 22. C:\Windows\SysWOW64\Gldglf32.exe (command line: C:\Windows\system32\Gldglf32.exe), PID 4268: Executes dropped EXE; Suspicious use of WriteProcessMemory
- 23. C:\Windows\SysWOW64\Glgcbf32.exe (command line: C:\Windows\system32\Glgcbf32.exe), PID 3824: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 24. C:\Windows\SysWOW64\Gpelhd32.exe (command line: C:\Windows\system32\Gpelhd32.exe), PID 3804: Executes dropped EXE
- 25. C:\Windows\SysWOW64\Gimqajgh.exe (command line: C:\Windows\system32\Gimqajgh.exe), PID 4192: Executes dropped EXE; Modifies registry class
- 26. C:\Windows\SysWOW64\Hfaajnfb.exe (command line: C:\Windows\system32\Hfaajnfb.exe), PID 4276: Executes dropped EXE
- 27. C:\Windows\SysWOW64\Hefnkkkj.exe (command line: C:\Windows\system32\Hefnkkkj.exe), PID 1992: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 28. C:\Windows\SysWOW64\Hlpfhe32.exe (command line: C:\Windows\system32\Hlpfhe32.exe), PID 1644: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 29. C:\Windows\SysWOW64\Hffken32.exe (command line: C:\Windows\system32\Hffken32.exe), PID 3796: Executes dropped EXE; Drops file in System32 directory
- 30. C:\Windows\SysWOW64\Hekgfj32.exe (command line: C:\Windows\system32\Hekgfj32.exe), PID 848: Executes dropped EXE
- 31. C:\Windows\SysWOW64\Hfjdqmng.exe (command line: C:\Windows\system32\Hfjdqmng.exe), PID 1552: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
- 32. C:\Windows\SysWOW64\Iepaaico.exe (command line: C:\Windows\system32\Iepaaico.exe), PID 3508: Executes dropped EXE
- 33. C:\Windows\SysWOW64\Ipeeobbe.exe (command line: C:\Windows\system32\Ipeeobbe.exe), PID 2280: Executes dropped EXE
- 34. C:\Windows\SysWOW64\Illfdc32.exe (command line: C:\Windows\system32\Illfdc32.exe), PID 4260: Executes dropped EXE
- 35. C:\Windows\SysWOW64\Igajal32.exe (command line: C:\Windows\system32\Igajal32.exe), PID 3352: Executes dropped EXE; Drops file in System32 directory
- 36. C:\Windows\SysWOW64\Jlgepanl.exe (command line: C:\Windows\system32\Jlgepanl.exe), PID 2244: Executes dropped EXE; Drops file in System32 directory
- 37. C:\Windows\SysWOW64\Jcanll32.exe (command line: C:\Windows\system32\Jcanll32.exe), PID 2828: Executes dropped EXE
- 38. C:\Windows\SysWOW64\Jilfifme.exe (command line: C:\Windows\system32\Jilfifme.exe), PID 2844: Executes dropped EXE
- 39. C:\Windows\SysWOW64\Johnamkm.exe (command line: C:\Windows\system32\Johnamkm.exe), PID 852: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 40. C:\Windows\SysWOW64\Jinboekc.exe (command line: C:\Windows\system32\Jinboekc.exe), PID 216: Executes dropped EXE
- 41. C:\Windows\SysWOW64\Jcfggkac.exe (command line: C:\Windows\system32\Jcfggkac.exe), PID 4788: Executes dropped EXE; Drops file in System32 directory
- 42. C:\Windows\SysWOW64\Komhll32.exe (command line: C:\Windows\system32\Komhll32.exe), PID 4940: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 43. C:\Windows\SysWOW64\Knnhjcog.exe (command line: C:\Windows\system32\Knnhjcog.exe), PID 3516: Executes dropped EXE
- 44. C:\Windows\SysWOW64\Dddllkbf.exe (command line: C:\Windows\system32\Dddllkbf.exe), PID 5052: Executes dropped EXE
- 45. C:\Windows\SysWOW64\Hihibbjo.exe (command line: C:\Windows\system32\Hihibbjo.exe), PID 3044: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 46. C:\Windows\SysWOW64\Ipbaol32.exe (command line: C:\Windows\system32\Ipbaol32.exe), PID 3380: Executes dropped EXE
- 47. C:\Windows\SysWOW64\Ilibdmgp.exe (command line: C:\Windows\system32\Ilibdmgp.exe), PID 1476: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 48. C:\Windows\SysWOW64\Ilkoim32.exe (command line: C:\Windows\system32\Ilkoim32.exe), PID 1180: Executes dropped EXE; Modifies registry class
- 49. C:\Windows\SysWOW64\Iahgad32.exe (command line: C:\Windows\system32\Iahgad32.exe), PID 220: Executes dropped EXE; Drops file in System32 directory
- 50. C:\Windows\SysWOW64\Iiopca32.exe (command line: C:\Windows\system32\Iiopca32.exe), PID 2196: Executes dropped EXE
- 51. C:\Windows\SysWOW64\Iefphb32.exe (command line: C:\Windows\system32\Iefphb32.exe), PID 4540: Executes dropped EXE
- 52. C:\Windows\SysWOW64\Ilphdlqh.exe (command line: C:\Windows\system32\Ilphdlqh.exe), PID 4428: Executes dropped EXE
- 53. C:\Windows\SysWOW64\Iehmmb32.exe (command line: C:\Windows\system32\Iehmmb32.exe), PID 4964: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 54. C:\Windows\SysWOW64\Jpnakk32.exe (command line: C:\Windows\system32\Jpnakk32.exe), PID 3464: Executes dropped EXE; Drops file in System32 directory
- 55. C:\Windows\SysWOW64\Jekjcaef.exe (command line: C:\Windows\system32\Jekjcaef.exe), PID 1128: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- 56. C:\Windows\SysWOW64\Jldbpl32.exe (command line: C:\Windows\system32\Jldbpl32.exe), PID 3484: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
- 57. C:\Windows\SysWOW64\Jaajhb32.exe (command line: C:\Windows\system32\Jaajhb32.exe), PID 4560: Executes dropped EXE
- 58. C:\Windows\SysWOW64\Jpbjfjci.exe (command line: C:\Windows\system32\Jpbjfjci.exe), PID 676: Executes dropped EXE
- 59. C:\Windows\SysWOW64\Jbagbebm.exe (command line: C:\Windows\system32\Jbagbebm.exe), PID 4896: Executes dropped EXE
- 60. C:\Windows\SysWOW64\Jhnojl32.exe (command line: C:\Windows\system32\Jhnojl32.exe), PID 5116: Executes dropped EXE
- 61. C:\Windows\SysWOW64\Kplmliko.exe (command line: C:\Windows\system32\Kplmliko.exe), PID 4432: Executes dropped EXE; Modifies registry class
- 62. C:\Windows\SysWOW64\Khgbqkhj.exe (command line: C:\Windows\system32\Khgbqkhj.exe), PID 1556: Executes dropped EXE
- 63. C:\Windows\SysWOW64\Nbdkhe32.exe (command line: C:\Windows\system32\Nbdkhe32.exe), PID 4588: Executes dropped EXE
- 64. C:\Windows\SysWOW64\Oakjnnap.exe (command line: C:\Windows\system32\Oakjnnap.exe), PID 4840: Executes dropped EXE
- 65. C:\Windows\SysWOW64\Ijedehgm.exe (command line: C:\Windows\system32\Ijedehgm.exe), PID 4712: Executes dropped EXE
- 66. C:\Windows\SysWOW64\Imcqacfq.exe (command line: C:\Windows\system32\Imcqacfq.exe), PID 1384: Executes dropped EXE
- 67. C:\Windows\SysWOW64\Icminm32.exe (command line: C:\Windows\system32\Icminm32.exe), PID 3136
- 68. C:\Windows\SysWOW64\Igpkok32.exe (command line: C:\Windows\system32\Igpkok32.exe), PID 3496
- 69. C:\Windows\SysWOW64\Ijngkf32.exe (command line: C:\Windows\system32\Ijngkf32.exe), PID 2808
- 70. C:\Windows\SysWOW64\Jmmcgbnf.exe (command line: C:\Windows\system32\Jmmcgbnf.exe), PID 3172: Modifies registry class
- 71. C:\Windows\SysWOW64\Jcgldl32.exe (command line: C:\Windows\system32\Jcgldl32.exe), PID 4248
- 72. C:\Windows\SysWOW64\Jjqdafmp.exe (command line: C:\Windows\system32\Jjqdafmp.exe), PID 5036: Adds autorun key to be loaded by Explorer.exe on startup
- 73. C:\Windows\SysWOW64\Jfgefg32.exe (command line: C:\Windows\system32\Jfgefg32.exe), PID 2508
- 74. C:\Windows\SysWOW64\Jmamba32.exe (command line: C:\Windows\system32\Jmamba32.exe), PID 3460: Modifies registry class
- 75. C:\Windows\SysWOW64\Jckeokan.exe (command line: C:\Windows\system32\Jckeokan.exe), PID 3032
- 76. C:\Windows\SysWOW64\Jggapj32.exe (command line: C:\Windows\system32\Jggapj32.exe), PID 4124
- 77. C:\Windows\SysWOW64\Jcnbekok.exe (command line: C:\Windows\system32\Jcnbekok.exe), PID 1788: Drops file in System32 directory
- 78. C:\Windows\SysWOW64\Jikjmbmb.exe (command line: C:\Windows\system32\Jikjmbmb.exe), PID 4492
- 79. C:\Windows\SysWOW64\Jcpojk32.exe (command line: C:\Windows\system32\Jcpojk32.exe), PID 228
- 80. C:\Windows\SysWOW64\Gkcdfl32.exe (command line: C:\Windows\system32\Gkcdfl32.exe), PID 1200
- 81. C:\Windows\SysWOW64\Lkflpe32.exe (command line: C:\Windows\system32\Lkflpe32.exe), PID 4472: Adds autorun key to be loaded by Explorer.exe on startup
- 82. C:\Windows\SysWOW64\Nboiekjd.exe (command line: C:\Windows\system32\Nboiekjd.exe), PID 4444: Adds autorun key to be loaded by Explorer.exe on startup
- 83. C:\Windows\SysWOW64\Omnqhbap.exe (command line: C:\Windows\system32\Omnqhbap.exe), PID 2480: Adds autorun key to be loaded by Explorer.exe on startup
- 84. C:\Windows\SysWOW64\Odhiemil.exe (command line: C:\Windows\system32\Odhiemil.exe), PID 748
- 85. C:\Windows\SysWOW64\Pmpmnb32.exe (command line: C:\Windows\system32\Pmpmnb32.exe), PID 3896: Drops file in System32 directory
- 86. C:\Windows\SysWOW64\Ppoijn32.exe (command line: C:\Windows\system32\Ppoijn32.exe), PID 1584
- 87. C:\Windows\SysWOW64\Pdlbpldg.exe (command line: C:\Windows\system32\Pdlbpldg.exe), PID 1444: Modifies registry class
- 88. C:\Windows\SysWOW64\Piikhc32.exe (command line: C:\Windows\system32\Piikhc32.exe), PID 3852: Adds autorun key to be loaded by Explorer.exe on startup
- 89. C:\Windows\SysWOW64\Pgphggpe.exe (command line: C:\Windows\system32\Pgphggpe.exe), PID 2844
- 90. C:\Windows\SysWOW64\Pmipdq32.exe (command line: C:\Windows\system32\Pmipdq32.exe), PID 3356
- 91. C:\Windows\SysWOW64\Qlomemlj.exe (command line: C:\Windows\system32\Qlomemlj.exe), PID 4316
- 92. C:\Windows\SysWOW64\Qnniopcm.exe (command line: C:\Windows\system32\Qnniopcm.exe), PID 428
- 93. C:\Windows\SysWOW64\Qdhalj32.exe (command line: C:\Windows\system32\Qdhalj32.exe), PID 2148
- 94. C:\Windows\SysWOW64\Anccjp32.exe (command line: C:\Windows\system32\Anccjp32.exe), PID 2656: Modifies registry class
- 95. C:\Windows\SysWOW64\Ajjcoqdl.exe (command line: C:\Windows\system32\Ajjcoqdl.exe), PID 4348: Modifies registry class
- 96. C:\Windows\SysWOW64\Agpqnd32.exe (command line: C:\Windows\system32\Agpqnd32.exe), PID 2220: Modifies registry class
- 97. C:\Windows\SysWOW64\Anjikoip.exe (command line: C:\Windows\system32\Anjikoip.exe), PID 1288
- 98. C:\Windows\SysWOW64\Acgacegg.exe (command line: C:\Windows\system32\Acgacegg.exe), PID 5016: Modifies registry class
- 99. C:\Windows\SysWOW64\Bjqjpp32.exe (command line: C:\Windows\system32\Bjqjpp32.exe), PID 1832
- 100. C:\Windows\SysWOW64\Bcinie32.exe (command line: C:\Windows\system32\Bcinie32.exe), PID 556: Drops file in System32 directory
- 101. C:\Windows\SysWOW64\Bkpfjb32.exe (command line: C:\Windows\system32\Bkpfjb32.exe), PID 4436
- 102. C:\Windows\SysWOW64\Blabakle.exe (command line: C:\Windows\system32\Blabakle.exe), PID 2980
- 103. C:\Windows\SysWOW64\Bckknd32.exe (command line: C:\Windows\system32\Bckknd32.exe), PID 2224: Modifies registry class
- 104. C:\Windows\SysWOW64\Bkbcpb32.exe (command line: C:\Windows\system32\Bkbcpb32.exe), PID 4432
- 105. C:\Windows\SysWOW64\Cjofambd.exe (command line: C:\Windows\system32\Cjofambd.exe), PID 3060
- 106. C:\Windows\SysWOW64\Ccgjjc32.exe (command line: C:\Windows\system32\Ccgjjc32.exe), PID 4264
- 107. C:\Windows\SysWOW64\Cnokmkfh.exe (command line: C:\Windows\system32\Cnokmkfh.exe), PID 1308
- 108. C:\Windows\SysWOW64\Cmdhnhkp.exe (command line: C:\Windows\system32\Cmdhnhkp.exe), PID 1460: Modifies registry class
- 109. C:\Windows\SysWOW64\Dmfecgim.exe (command line: C:\Windows\system32\Dmfecgim.exe), PID 3976
- 110. C:\Windows\SysWOW64\Dqdnjfpc.exe (command line: C:\Windows\system32\Dqdnjfpc.exe), PID 3944
- 111. C:\Windows\SysWOW64\Debfpd32.exe (command line: C:\Windows\system32\Debfpd32.exe), PID 3668: Drops file in System32 directory
- 112. C:\Windows\SysWOW64\Dmnkdfce.exe (command line: C:\Windows\system32\Dmnkdfce.exe), PID 3484: Adds autorun key to be loaded by Explorer.exe on startup
- 113. C:\Windows\SysWOW64\Djalnkbo.exe (command line: C:\Windows\system32\Djalnkbo.exe), PID 3452
- 114. C:\Windows\SysWOW64\Dmphjfab.exe (command line: C:\Windows\system32\Dmphjfab.exe), PID 4956: Modifies registry class
- 115. C:\Windows\SysWOW64\Ekahhn32.exe (command line: C:\Windows\system32\Ekahhn32.exe), PID 628
- 116. C:\Windows\SysWOW64\Eghimo32.exe (command line: C:\Windows\system32\Eghimo32.exe), PID 5040: Drops file in System32 directory
- 117. C:\Windows\SysWOW64\Ecoiapdj.exe (command line: C:\Windows\system32\Ecoiapdj.exe), PID 2504: Drops file in System32 directory
- 118. C:\Windows\SysWOW64\Ejhanj32.exe (command line: C:\Windows\system32\Ejhanj32.exe), PID 4480: Modifies registry class
- 119. C:\Windows\SysWOW64\Eenflbll.exe (command line: C:\Windows\system32\Eenflbll.exe), PID 2072
- 120. C:\Windows\SysWOW64\Emikpeig.exe (command line: C:\Windows\system32\Emikpeig.exe), PID 1964
- 121. C:\Windows\SysWOW64\Ejmkiiha.exe (command line: C:\Windows\system32\Ejmkiiha.exe), PID 3704
- 122. C:\Windows\SysWOW64\Emlgedge.exe (command line: C:\Windows\system32\Emlgedge.exe), PID 5020