Analysis
-
max time kernel
134s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
15/11/2023, 03:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.15c62778dc432fa05f4d0ed939b8c5a0.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.15c62778dc432fa05f4d0ed939b8c5a0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.15c62778dc432fa05f4d0ed939b8c5a0.exe
-
Size
163KB
-
MD5
15c62778dc432fa05f4d0ed939b8c5a0
-
SHA1
55ee914e7ef68304ece7784579184f035e192f9e
-
SHA256
e3ca5b5cfb0c798bbb4e0d111f6eb95db1f5bd20584726d0b9c5fc07e444d9f2
-
SHA512
acbff2527bcfa45c9240ac219c52e8ab7adfd58b5361d2aee1ac17072f231ce911aa1cc942fbf474298a573f8f55b0dc9521f7d86bd71978035eef1d568e1dd6
-
SSDEEP
3072:rtRxnHx0Sx1W8bGA9NXj86wRCnltOrWKDBr+yJb:rtR5HJqOh8LCnLOf
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhplpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kceoppmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdllffpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqhphq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnopjfgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgpcliao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bflham32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dimcppgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fidbgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfomda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiheheka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fblpflfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmdkcnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oookgbpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpofd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfhpilbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmdkcnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekljpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dalkek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkodak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akmjdpac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogdofo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bglgdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbamcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcmedk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Incdem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ienlbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhllni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imhjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfoegm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmanljfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khbiello.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koajmepf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omjnhiiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajodef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmpdgdmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldfoad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbnbhfde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghcbohpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icachjbb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Logbigbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mafofggd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqpbboeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoekde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfaqcclf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcdakd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piceflpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enllgbcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gegkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcibca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijmhkchl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeneidji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mapgfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bknlbhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pomncfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abjfqpji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdicggla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noqofdlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pklkbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhmcck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kifojnol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaefne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceehcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ginenk32.exe -
Executes dropped EXE 64 IoCs
pid Process 728 Aggpfkjj.exe 956 Amcehdod.exe 416 Baannc32.exe 112 Bgpcliao.exe 4812 Bknlbhhe.exe 2192 Bgelgi32.exe 3828 Ckbemgcp.exe 2812 Cpdgqmnb.exe 4552 Dakikoom.exe 780 Dnajppda.exe 4456 Dqbcbkab.exe 4488 Eqdpgk32.exe 3080 Eojiqb32.exe 4600 Edgbii32.exe 1916 Enpfan32.exe 2960 Fdnhih32.exe 1600 Fkmjaa32.exe 648 Fajbjh32.exe 4220 Gegkpf32.exe 60 Gbnhoj32.exe 3272 Ggmmlamj.exe 4684 Hnibokbd.exe 4300 Hiacacpg.exe 4728 Halhfe32.exe 2556 Ihkjno32.exe 4592 Iojkeh32.exe 3032 Ibgdlg32.exe 4988 Iondqhpl.exe 4356 Jpnakk32.exe 864 Jaajhb32.exe 768 Jbagbebm.exe 3592 Jbccge32.exe 5028 Jhplpl32.exe 3096 Khbiello.exe 4536 Kakmna32.exe 2908 Klpakj32.exe 3064 Kamjda32.exe 1748 Koajmepf.exe 4624 Kifojnol.exe 2820 Kpccmhdg.exe 3920 Lpepbgbd.exe 1568 Ljpaqmgb.exe 1784 Mhjhmhhd.exe 3184 Mbdiknlb.exe 4788 Mohidbkl.exe 928 Nbnlaldg.exe 3996 Pcgdhkem.exe 4972 Qikbaaml.exe 1868 Afockelf.exe 2560 Amikgpcc.exe 4984 Aiplmq32.exe 700 Amnebo32.exe 3872 Adgmoigj.exe 4236 Aalmimfd.exe 1664 Bboffejp.exe 4076 Bmdkcnie.exe 2408 Bjhkmbho.exe 4232 Bbdpad32.exe 3612 Cbkfbcpb.exe 5108 Ccmcgcmp.exe 1792 Cdmoafdb.exe 4904 Cmedjl32.exe 4732 Cacmpj32.exe 4004 Ccdihbgg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bfoegm32.exe Bliajd32.exe File created C:\Windows\SysWOW64\Paomog32.exe Pgihanii.exe File opened for modification C:\Windows\SysWOW64\Iagqgn32.exe Ijmhkchl.exe File created C:\Windows\SysWOW64\Pdnpeh32.exe Pndhhnda.exe File created C:\Windows\SysWOW64\Mpedgghj.exe Miklkm32.exe File created C:\Windows\SysWOW64\Ahinbo32.exe Aaofedkl.exe File created C:\Windows\SysWOW64\Jpnakk32.exe Iondqhpl.exe File opened for modification C:\Windows\SysWOW64\Mohidbkl.exe Mbdiknlb.exe File opened for modification C:\Windows\SysWOW64\Ofijnbkb.exe Obidcdfo.exe File created C:\Windows\SysWOW64\Dajqphlf.dll Kbinlp32.exe File created C:\Windows\SysWOW64\Caajoahp.dll Dinael32.exe File created C:\Windows\SysWOW64\Alfdca32.dll Inkjfk32.exe File created C:\Windows\SysWOW64\Jghhjq32.exe Jakchf32.exe File opened for modification C:\Windows\SysWOW64\Lfaqcclf.exe Lmiljn32.exe File opened for modification C:\Windows\SysWOW64\Cacmpj32.exe Cmedjl32.exe File created C:\Windows\SysWOW64\Cheegm32.dll Jqbbno32.exe File created C:\Windows\SysWOW64\Npldnp32.exe Nfabok32.exe File opened for modification C:\Windows\SysWOW64\Oookgbpj.exe Ohbfeh32.exe File created C:\Windows\SysWOW64\Fhcpildd.dll Qffoejkg.exe File created C:\Windows\SysWOW64\Mcckpooc.dll Kpnepk32.exe File created C:\Windows\SysWOW64\Dalkek32.exe Dgaiffii.exe File created C:\Windows\SysWOW64\Pmmeak32.exe Pcbdcf32.exe File opened for modification C:\Windows\SysWOW64\Incdem32.exe Iggocbke.exe File created C:\Windows\SysWOW64\Kceoppmo.exe Kmlgcf32.exe File created C:\Windows\SysWOW64\Qfhapinj.dll Dpihbjmg.exe File opened for modification C:\Windows\SysWOW64\Gledpe32.exe Geklckkd.exe File opened for modification C:\Windows\SysWOW64\Fongpm32.exe Flmonbbp.exe File created C:\Windows\SysWOW64\Dnfnab32.dll Limioiia.exe File created C:\Windows\SysWOW64\Lcckiibj.dll Aiplmq32.exe File opened for modification C:\Windows\SysWOW64\Ieeimlep.exe Ihaidhgf.exe File created C:\Windows\SysWOW64\Dfonnk32.exe Cleqfb32.exe File opened for modification C:\Windows\SysWOW64\Akmjdpac.exe Ainnhdbp.exe File opened for modification C:\Windows\SysWOW64\Ngklppei.exe Npadcfnl.exe File created C:\Windows\SysWOW64\Nejgbn32.exe Noqofdlj.exe File created C:\Windows\SysWOW64\Amcehdod.exe Aggpfkjj.exe File created C:\Windows\SysWOW64\Dccfkp32.dll Adgmoigj.exe File created C:\Windows\SysWOW64\Fggdpnkf.exe Eajlhg32.exe File created C:\Windows\SysWOW64\Ibbcfa32.exe Icachjbb.exe File created C:\Windows\SysWOW64\Hdicggla.exe Hfcinq32.exe File opened for modification C:\Windows\SysWOW64\Kdjhkp32.exe Kmppneal.exe File opened for modification C:\Windows\SysWOW64\Qffoejkg.exe Pfdbpjmi.exe File opened for modification C:\Windows\SysWOW64\Abipfifn.exe Akmjdpac.exe File created C:\Windows\SysWOW64\Ggdhmo32.dll Aaofedkl.exe File opened for modification C:\Windows\SysWOW64\Mbamcm32.exe Mjehok32.exe File created C:\Windows\SysWOW64\Nbnlaldg.exe Mohidbkl.exe File opened for modification C:\Windows\SysWOW64\Qfgfpp32.exe Pomncfge.exe File created C:\Windows\SysWOW64\Mdmngm32.exe Ldhdlnli.exe File created C:\Windows\SysWOW64\Mnailf32.dll Opjgidfa.exe File created C:\Windows\SysWOW64\Debcil32.dll Mohidbkl.exe File created C:\Windows\SysWOW64\Kialcj32.dll Pbimjb32.exe File created C:\Windows\SysWOW64\Pldnki32.dll Jgcooaah.exe File created C:\Windows\SysWOW64\Ohpefcna.dll Qdihfq32.exe File created C:\Windows\SysWOW64\Nfiagd32.exe Mafofggd.exe File opened for modification C:\Windows\SysWOW64\Egbdjhlp.exe Ephlnn32.exe File opened for modification C:\Windows\SysWOW64\Igneda32.exe Imiagi32.exe File opened for modification C:\Windows\SysWOW64\Jqhphq32.exe Ijngkf32.exe File opened for modification C:\Windows\SysWOW64\Jglkkiea.exe Jqbbno32.exe File created C:\Windows\SysWOW64\Jaefne32.exe Jeneidji.exe File created C:\Windows\SysWOW64\Logbigbg.exe Lacbpccn.exe File created C:\Windows\SysWOW64\Kchjaj32.dll Pndhhnda.exe File opened for modification C:\Windows\SysWOW64\Jopiom32.exe Jifabb32.exe File created C:\Windows\SysWOW64\Ppcjmk32.dll Agmehamp.exe File opened for modification C:\Windows\SysWOW64\Agqhik32.exe Akgjnj32.exe File created C:\Windows\SysWOW64\Eblgon32.exe Dalkek32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5840 6352 WerFault.exe 507 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gklnem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpfpo32.dll" Baannc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljpaqmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgflobdk.dll" Dfcqod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jglkkiea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npadcfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pklkbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djbehfpe.dll" Cdjlap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fefjanml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fongpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aiplmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgimjd32.dll" Gkoplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcabej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfoegm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eihcln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggaoeo32.dll" Mmpbkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iccpniqp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jehfcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiljbjbl.dll" Hhaope32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mffjnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijgjpaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noaeqjpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqofippg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbnopbdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiacacpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbnlaldg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhjnfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necjpgbn.dll" Lmiljn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfaph32.dll" Mdcmnfop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekakihaj.dll" Kmmedi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgddkelm.dll" Bknlbhhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekimjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lojfin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mafofggd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noaeqjpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgfjbh32.dll" Cfcoblfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baannc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgicnp32.dll" Dakikoom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bghddp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccdihbgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dalkek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hahlnefd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mikepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqbcbkab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnnldhi.dll" Bbdpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goahpc32.dll" Bjkcqdje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjkcqdje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfebnlgm.dll" Hgbonm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmopmalc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lolcnman.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bipnihgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmlgcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhmcck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elnehifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Googaaej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqbbno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpnepk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhafcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amcehdod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhplpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agobna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkejc32.dll" Cpipkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dimcppgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoekde32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 348 wrote to memory of 728 348 NEAS.15c62778dc432fa05f4d0ed939b8c5a0.exe 88 PID 348 wrote to memory of 728 348 NEAS.15c62778dc432fa05f4d0ed939b8c5a0.exe 88 PID 348 wrote to memory of 728 348 NEAS.15c62778dc432fa05f4d0ed939b8c5a0.exe 88 PID 728 wrote to memory of 956 728 Aggpfkjj.exe 90 PID 728 wrote to memory of 956 728 Aggpfkjj.exe 90 PID 728 wrote to memory of 956 728 Aggpfkjj.exe 90 PID 956 wrote to memory of 416 956 Amcehdod.exe 91 PID 956 wrote to memory of 416 956 Amcehdod.exe 91 PID 956 wrote to memory of 416 956 Amcehdod.exe 91 PID 416 wrote to memory of 112 416 Baannc32.exe 92 PID 416 wrote to memory of 112 416 Baannc32.exe 92 PID 416 wrote to memory of 112 416 Baannc32.exe 92 PID 112 wrote to memory of 4812 112 Bgpcliao.exe 93 PID 112 wrote to memory of 4812 112 Bgpcliao.exe 93 PID 112 wrote to memory of 4812 112 Bgpcliao.exe 93 PID 4812 wrote to memory of 2192 4812 Bknlbhhe.exe 94 PID 4812 wrote to memory of 2192 4812 Bknlbhhe.exe 94 PID 4812 wrote to memory of 2192 4812 Bknlbhhe.exe 94 PID 2192 wrote to memory of 3828 2192 Bgelgi32.exe 95 PID 2192 wrote to memory of 3828 2192 Bgelgi32.exe 95 PID 2192 wrote to memory of 3828 2192 Bgelgi32.exe 95 PID 3828 wrote to memory of 2812 3828 Ckbemgcp.exe 96 PID 3828 wrote to memory of 2812 3828 Ckbemgcp.exe 96 PID 3828 wrote to memory of 2812 3828 Ckbemgcp.exe 96 PID 2812 wrote to memory of 4552 2812 Cpdgqmnb.exe 97 PID 2812 wrote to memory of 4552 2812 Cpdgqmnb.exe 97 PID 2812 wrote to memory of 4552 2812 Cpdgqmnb.exe 97 PID 4552 wrote to memory of 780 4552 Dakikoom.exe 99 PID 4552 wrote to memory of 780 4552 Dakikoom.exe 99 PID 4552 wrote to memory of 780 4552 Dakikoom.exe 99 PID 780 wrote to memory of 4456 780 Dnajppda.exe 101 PID 780 wrote to memory of 4456 780 Dnajppda.exe 101 PID 780 wrote to memory of 4456 780 Dnajppda.exe 101 PID 4456 wrote to memory of 4488 4456 Dqbcbkab.exe 102 PID 4456 wrote to memory of 4488 4456 Dqbcbkab.exe 102 PID 4456 wrote to memory of 4488 4456 Dqbcbkab.exe 102 PID 4488 wrote to memory of 3080 4488 Eqdpgk32.exe 103 PID 4488 wrote to memory of 3080 4488 Eqdpgk32.exe 103 PID 4488 wrote to memory of 3080 4488 Eqdpgk32.exe 103 PID 3080 wrote to memory of 4600 3080 Eojiqb32.exe 104 PID 3080 wrote to memory of 4600 3080 Eojiqb32.exe 104 PID 3080 wrote to memory of 4600 3080 Eojiqb32.exe 104 PID 4600 wrote to memory of 1916 4600 Edgbii32.exe 105 PID 4600 wrote to memory of 1916 4600 Edgbii32.exe 105 PID 4600 wrote to memory of 1916 4600 Edgbii32.exe 105 PID 1916 wrote to memory of 2960 1916 Enpfan32.exe 106 PID 1916 wrote to memory of 2960 1916 Enpfan32.exe 106 PID 1916 wrote to memory of 2960 1916 Enpfan32.exe 106 PID 2960 wrote to memory of 1600 2960 Fdnhih32.exe 107 PID 2960 wrote to memory of 1600 2960 Fdnhih32.exe 107 PID 2960 wrote to memory of 1600 2960 Fdnhih32.exe 107 PID 1600 wrote to memory of 648 1600 Fkmjaa32.exe 108 PID 1600 wrote to memory of 648 1600 Fkmjaa32.exe 108 PID 1600 wrote to memory of 648 1600 Fkmjaa32.exe 108 PID 648 wrote to memory of 4220 648 Fajbjh32.exe 110 PID 648 wrote to memory of 4220 648 Fajbjh32.exe 110 PID 648 wrote to memory of 4220 648 Fajbjh32.exe 110 PID 4220 wrote to memory of 60 4220 Gegkpf32.exe 111 PID 4220 wrote to memory of 60 4220 Gegkpf32.exe 111 PID 4220 wrote to memory of 60 4220 Gegkpf32.exe 111 PID 60 wrote to memory of 3272 60 Gbnhoj32.exe 112 PID 60 wrote to memory of 3272 60 Gbnhoj32.exe 112 PID 60 wrote to memory of 3272 60 Gbnhoj32.exe 112 PID 3272 wrote to memory of 4684 3272 Ggmmlamj.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.15c62778dc432fa05f4d0ed939b8c5a0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.15c62778dc432fa05f4d0ed939b8c5a0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Aggpfkjj.exeC:\Windows\system32\Aggpfkjj.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:728 -
C:\Windows\SysWOW64\Amcehdod.exeC:\Windows\system32\Amcehdod.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Baannc32.exeC:\Windows\system32\Baannc32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:416 -
C:\Windows\SysWOW64\Bgpcliao.exeC:\Windows\system32\Bgpcliao.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\Bknlbhhe.exeC:\Windows\system32\Bknlbhhe.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\Bgelgi32.exeC:\Windows\system32\Bgelgi32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Ckbemgcp.exeC:\Windows\system32\Ckbemgcp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Windows\SysWOW64\Cpdgqmnb.exeC:\Windows\system32\Cpdgqmnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Dakikoom.exeC:\Windows\system32\Dakikoom.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\SysWOW64\Dnajppda.exeC:\Windows\system32\Dnajppda.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\Dqbcbkab.exeC:\Windows\system32\Dqbcbkab.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\SysWOW64\Eqdpgk32.exeC:\Windows\system32\Eqdpgk32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Eojiqb32.exeC:\Windows\system32\Eojiqb32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\Edgbii32.exeC:\Windows\system32\Edgbii32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Enpfan32.exeC:\Windows\system32\Enpfan32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Fdnhih32.exeC:\Windows\system32\Fdnhih32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Fkmjaa32.exeC:\Windows\system32\Fkmjaa32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Fajbjh32.exeC:\Windows\system32\Fajbjh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648 -
C:\Windows\SysWOW64\Gegkpf32.exeC:\Windows\system32\Gegkpf32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\Gbnhoj32.exeC:\Windows\system32\Gbnhoj32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
C:\Windows\SysWOW64\Ggmmlamj.exeC:\Windows\system32\Ggmmlamj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\Hnibokbd.exeC:\Windows\system32\Hnibokbd.exe23⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Hiacacpg.exeC:\Windows\system32\Hiacacpg.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:4300 -
C:\Windows\SysWOW64\Halhfe32.exeC:\Windows\system32\Halhfe32.exe25⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Ihkjno32.exeC:\Windows\system32\Ihkjno32.exe26⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Iojkeh32.exeC:\Windows\system32\Iojkeh32.exe27⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Ibgdlg32.exeC:\Windows\system32\Ibgdlg32.exe28⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Iondqhpl.exeC:\Windows\system32\Iondqhpl.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4988 -
C:\Windows\SysWOW64\Jpnakk32.exeC:\Windows\system32\Jpnakk32.exe30⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Jaajhb32.exeC:\Windows\system32\Jaajhb32.exe31⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Jbagbebm.exeC:\Windows\system32\Jbagbebm.exe32⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Jbccge32.exeC:\Windows\system32\Jbccge32.exe33⤵
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\Jhplpl32.exeC:\Windows\system32\Jhplpl32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5028 -
C:\Windows\SysWOW64\Khbiello.exeC:\Windows\system32\Khbiello.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Kakmna32.exeC:\Windows\system32\Kakmna32.exe36⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Klpakj32.exeC:\Windows\system32\Klpakj32.exe37⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Kamjda32.exeC:\Windows\system32\Kamjda32.exe38⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Koajmepf.exeC:\Windows\system32\Koajmepf.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Kifojnol.exeC:\Windows\system32\Kifojnol.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Kpccmhdg.exeC:\Windows\system32\Kpccmhdg.exe41⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Kadpdp32.exeC:\Windows\system32\Kadpdp32.exe42⤵PID:4292
-
C:\Windows\SysWOW64\Lpepbgbd.exeC:\Windows\system32\Lpepbgbd.exe43⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Ljpaqmgb.exeC:\Windows\system32\Ljpaqmgb.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1568 -
C:\Windows\SysWOW64\Mhjhmhhd.exeC:\Windows\system32\Mhjhmhhd.exe45⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Mbdiknlb.exeC:\Windows\system32\Mbdiknlb.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3184 -
C:\Windows\SysWOW64\Mohidbkl.exeC:\Windows\system32\Mohidbkl.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4788 -
C:\Windows\SysWOW64\Nbnlaldg.exeC:\Windows\system32\Nbnlaldg.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:928 -
C:\Windows\SysWOW64\Pcgdhkem.exeC:\Windows\system32\Pcgdhkem.exe49⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Qikbaaml.exeC:\Windows\system32\Qikbaaml.exe50⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Afockelf.exeC:\Windows\system32\Afockelf.exe51⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Amikgpcc.exeC:\Windows\system32\Amikgpcc.exe52⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Aiplmq32.exeC:\Windows\system32\Aiplmq32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4984 -
C:\Windows\SysWOW64\Amnebo32.exeC:\Windows\system32\Amnebo32.exe54⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Adgmoigj.exeC:\Windows\system32\Adgmoigj.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3872 -
C:\Windows\SysWOW64\Aalmimfd.exeC:\Windows\system32\Aalmimfd.exe56⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Bboffejp.exeC:\Windows\system32\Bboffejp.exe57⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Bmdkcnie.exeC:\Windows\system32\Bmdkcnie.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Bjhkmbho.exeC:\Windows\system32\Bjhkmbho.exe59⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Bbdpad32.exeC:\Windows\system32\Bbdpad32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:4232 -
C:\Windows\SysWOW64\Cbkfbcpb.exeC:\Windows\system32\Cbkfbcpb.exe61⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Ccmcgcmp.exeC:\Windows\system32\Ccmcgcmp.exe62⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Cdmoafdb.exeC:\Windows\system32\Cdmoafdb.exe63⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Cmedjl32.exeC:\Windows\system32\Cmedjl32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4904 -
C:\Windows\SysWOW64\Cacmpj32.exeC:\Windows\system32\Cacmpj32.exe65⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Ccdihbgg.exeC:\Windows\system32\Ccdihbgg.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:4004 -
C:\Windows\SysWOW64\Dinael32.exeC:\Windows\system32\Dinael32.exe67⤵
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Dcibca32.exeC:\Windows\system32\Dcibca32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4888 -
C:\Windows\SysWOW64\Dpopbepi.exeC:\Windows\system32\Dpopbepi.exe69⤵PID:3396
-
C:\Windows\SysWOW64\Enemaimp.exeC:\Windows\system32\Enemaimp.exe70⤵PID:3624
-
C:\Windows\SysWOW64\Ekimjn32.exeC:\Windows\system32\Ekimjn32.exe71⤵
- Modifies registry class
PID:500 -
C:\Windows\SysWOW64\Ekljpm32.exeC:\Windows\system32\Ekljpm32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4836 -
C:\Windows\SysWOW64\Eddnic32.exeC:\Windows\system32\Eddnic32.exe73⤵PID:1816
-
C:\Windows\SysWOW64\Eajlhg32.exeC:\Windows\system32\Eajlhg32.exe74⤵
- Drops file in System32 directory
PID:4108 -
C:\Windows\SysWOW64\Fggdpnkf.exeC:\Windows\system32\Fggdpnkf.exe75⤵PID:1464
-
C:\Windows\SysWOW64\Fnalmh32.exeC:\Windows\system32\Fnalmh32.exe76⤵PID:3596
-
C:\Windows\SysWOW64\Fkgillpj.exeC:\Windows\system32\Fkgillpj.exe77⤵PID:3568
-
C:\Windows\SysWOW64\Fbaahf32.exeC:\Windows\system32\Fbaahf32.exe78⤵PID:2032
-
C:\Windows\SysWOW64\Fnhbmgmk.exeC:\Windows\system32\Fnhbmgmk.exe79⤵PID:2344
-
C:\Windows\SysWOW64\Gkoplk32.exeC:\Windows\system32\Gkoplk32.exe80⤵
- Modifies registry class
PID:208 -
C:\Windows\SysWOW64\Gcnnllcg.exeC:\Windows\system32\Gcnnllcg.exe81⤵PID:1408
-
C:\Windows\SysWOW64\Icachjbb.exeC:\Windows\system32\Icachjbb.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1116 -
C:\Windows\SysWOW64\Ibbcfa32.exeC:\Windows\system32\Ibbcfa32.exe83⤵PID:564
-
C:\Windows\SysWOW64\Iccpniqp.exeC:\Windows\system32\Iccpniqp.exe84⤵
- Modifies registry class
PID:5164 -
C:\Windows\SysWOW64\Ijmhkchl.exeC:\Windows\system32\Ijmhkchl.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5208 -
C:\Windows\SysWOW64\Iagqgn32.exeC:\Windows\system32\Iagqgn32.exe86⤵PID:5252
-
C:\Windows\SysWOW64\Ihaidhgf.exeC:\Windows\system32\Ihaidhgf.exe87⤵
- Drops file in System32 directory
PID:5292 -
C:\Windows\SysWOW64\Ieeimlep.exeC:\Windows\system32\Ieeimlep.exe88⤵PID:5348
-
C:\Windows\SysWOW64\Jehfcl32.exeC:\Windows\system32\Jehfcl32.exe89⤵
- Modifies registry class
PID:5388 -
C:\Windows\SysWOW64\Jjdokb32.exeC:\Windows\system32\Jjdokb32.exe90⤵PID:5436
-
C:\Windows\SysWOW64\Jejbhk32.exeC:\Windows\system32\Jejbhk32.exe91⤵PID:5480
-
C:\Windows\SysWOW64\Jlidpe32.exeC:\Windows\system32\Jlidpe32.exe92⤵PID:5528
-
C:\Windows\SysWOW64\Kkbkmqed.exeC:\Windows\system32\Kkbkmqed.exe93⤵PID:5568
-
C:\Windows\SysWOW64\Kalcik32.exeC:\Windows\system32\Kalcik32.exe94⤵PID:5608
-
C:\Windows\SysWOW64\Lhpnlclc.exeC:\Windows\system32\Lhpnlclc.exe95⤵PID:5652
-
C:\Windows\SysWOW64\Lojfin32.exeC:\Windows\system32\Lojfin32.exe96⤵
- Modifies registry class
PID:5692 -
C:\Windows\SysWOW64\Ldfoad32.exeC:\Windows\system32\Ldfoad32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5736 -
C:\Windows\SysWOW64\Lolcnman.exeC:\Windows\system32\Lolcnman.exe98⤵
- Modifies registry class
PID:5780 -
C:\Windows\SysWOW64\Mhknhabf.exeC:\Windows\system32\Mhknhabf.exe99⤵PID:5824
-
C:\Windows\SysWOW64\Mcabej32.exeC:\Windows\system32\Mcabej32.exe100⤵
- Modifies registry class
PID:5864 -
C:\Windows\SysWOW64\Mafofggd.exeC:\Windows\system32\Mafofggd.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5908 -
C:\Windows\SysWOW64\Nfiagd32.exeC:\Windows\system32\Nfiagd32.exe102⤵PID:5948
-
C:\Windows\SysWOW64\Noaeqjpe.exeC:\Windows\system32\Noaeqjpe.exe103⤵
- Modifies registry class
PID:5984 -
C:\Windows\SysWOW64\Nfknmd32.exeC:\Windows\system32\Nfknmd32.exe104⤵PID:6024
-
C:\Windows\SysWOW64\Nocbfjmc.exeC:\Windows\system32\Nocbfjmc.exe105⤵PID:6072
-
C:\Windows\SysWOW64\Okolfj32.exeC:\Windows\system32\Okolfj32.exe106⤵PID:6112
-
C:\Windows\SysWOW64\Obidcdfo.exeC:\Windows\system32\Obidcdfo.exe107⤵
- Drops file in System32 directory
PID:5092 -
C:\Windows\SysWOW64\Ofijnbkb.exeC:\Windows\system32\Ofijnbkb.exe108⤵PID:5148
-
C:\Windows\SysWOW64\Omcbkl32.exeC:\Windows\system32\Omcbkl32.exe109⤵PID:5240
-
C:\Windows\SysWOW64\Pcbdcf32.exeC:\Windows\system32\Pcbdcf32.exe110⤵
- Drops file in System32 directory
PID:5284 -
C:\Windows\SysWOW64\Pmmeak32.exeC:\Windows\system32\Pmmeak32.exe111⤵PID:5344
-
C:\Windows\SysWOW64\Pbimjb32.exeC:\Windows\system32\Pbimjb32.exe112⤵
- Drops file in System32 directory
PID:5424 -
C:\Windows\SysWOW64\Piceflpi.exeC:\Windows\system32\Piceflpi.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5492 -
C:\Windows\SysWOW64\Pomncfge.exeC:\Windows\system32\Pomncfge.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5556 -
C:\Windows\SysWOW64\Qfgfpp32.exeC:\Windows\system32\Qfgfpp32.exe115⤵PID:5620
-
C:\Windows\SysWOW64\Qmanljfo.exeC:\Windows\system32\Qmanljfo.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5704 -
C:\Windows\SysWOW64\Abjfqpji.exeC:\Windows\system32\Abjfqpji.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5764 -
C:\Windows\SysWOW64\Aidomjaf.exeC:\Windows\system32\Aidomjaf.exe118⤵PID:5812
-
C:\Windows\SysWOW64\Bblcfo32.exeC:\Windows\system32\Bblcfo32.exe119⤵PID:5888
-
C:\Windows\SysWOW64\Bifkcioc.exeC:\Windows\system32\Bifkcioc.exe120⤵PID:5976
-
C:\Windows\SysWOW64\Bclppboi.exeC:\Windows\system32\Bclppboi.exe121⤵PID:6052
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-