Analysis
-
max time kernel
138s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
15/11/2023, 09:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.930f051f4e78bbae071a849513124830.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.930f051f4e78bbae071a849513124830.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.930f051f4e78bbae071a849513124830.exe
-
Size
99KB
-
MD5
930f051f4e78bbae071a849513124830
-
SHA1
b4d2fd9f09dc9d16a0fe506cefab654dd9b37f4c
-
SHA256
7afa7ad662d31ef4b0c2151a81760114aece865cd0579830b207bf4d8e513d5d
-
SHA512
67f9a04db9562c139d8dc48db91d7c8f76a489ccf50c3d8dc1d493a2886738f5c1c7a543d617aa1d22a960fd1510a4c3613a885b12b8e0a814c4608d27b71f06
-
SSDEEP
3072:EBzbz/4Rg07JKWyvVQnrQd8ey5pwoTRBmDRGGurhUI:CbTcL7JKf9Xm7UI
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oalpigkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflbkcll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ielfgmnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Miipencp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmnnlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ieqpbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghjhofjg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhmmieil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imgicgca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njljch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biiobo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgomaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmlkhofd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqncnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ammnhilb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anijjkbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqmggi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmkpipaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpfkpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Conanfli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieqpbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjjcmbci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mablfnne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aocmio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlnlak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eijigg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geabbfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkgaglpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eblgon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aidehpea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibgmaqfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmimdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjiloqjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cifmoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hddilh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hqmggi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhhjhlqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iodjcnca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" NEAS.930f051f4e78bbae071a849513124830.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckggnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcjdam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bboplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Flfbcndo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akkffkhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkdpbpih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhfpbpdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofegni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgoakc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmkofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gcgqag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdgehobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohaokbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Akblfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbbmmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cplckbmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Moiheebb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kifojnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fnqebaog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjnndime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kiajck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ehifak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljffccjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdcmnfop.exe -
Executes dropped EXE 64 IoCs
pid Process 3256 Aekddhcb.exe 1812 Boeebnhp.exe 2840 Bklfgo32.exe 3880 Bddjpd32.exe 1576 Bkaobnio.exe 1608 Bheplb32.exe 4664 Camddhoi.exe 3140 Cbpajgmf.exe 840 Cnfaohbj.exe 4776 Chnbbqpn.exe 3116 Dmlkhofd.exe 948 Dhclmp32.exe 4432 Dmadco32.exe 4572 Digehphc.exe 1032 Dflfac32.exe 2916 Deqcbpld.exe 2112 Efpomccg.exe 2796 Eeelnp32.exe 2496 Enbjad32.exe 4904 Fmhdkknd.exe 4612 Fbgihaji.exe 1644 Gidnkkpc.exe 884 Gppcmeem.exe 4408 Gpbpbecj.exe 612 Gojiiafp.exe 816 Hpnoncim.exe 2836 Hpqldc32.exe 3500 Hlglidlo.exe 2788 Imgicgca.exe 3792 Igajal32.exe 1260 Iplkpa32.exe 3680 Jmbhoeid.exe 1880 Jcanll32.exe 3876 Jgpfbjlo.exe 2804 Jcfggkac.exe 3608 Klahfp32.exe 4616 Kcmmhj32.exe 4628 Kodnmkap.exe 4360 Kcbfcigf.exe 2056 Loighj32.exe 4604 Lokdnjkg.exe 4920 Lnoaaaad.exe 3040 Ljeafb32.exe 5004 Lobjni32.exe 2092 Lflbkcll.exe 5112 Modgdicm.exe 3516 Mgnlkfal.exe 3280 Mgphpe32.exe 2912 Mjaabq32.exe 3380 Mjcngpjh.exe 5072 Nnhmnn32.exe 4596 Onkidm32.exe 3844 Ocgbld32.exe 4588 Oakbehfe.exe 1660 Onocomdo.exe 1632 Opclldhj.exe 3080 Opeiadfg.exe 3588 Pmiikh32.exe 1220 Akkffkhk.exe 4156 Aaenbd32.exe 4944 Aoioli32.exe 3568 Apmhiq32.exe 3064 Akblfj32.exe 2168 Aopemh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Omdieb32.exe Ofjqihnn.exe File created C:\Windows\SysWOW64\Dpjompqc.exe Dllffa32.exe File created C:\Windows\SysWOW64\Mbnjicfj.dll Anhcpeon.exe File opened for modification C:\Windows\SysWOW64\Eblgon32.exe Elaobdmm.exe File created C:\Windows\SysWOW64\Jchaoe32.exe Jloibkhh.exe File created C:\Windows\SysWOW64\Fbfkceca.exe Fklcgk32.exe File created C:\Windows\SysWOW64\Noldbk32.dll Niglfl32.exe File opened for modification C:\Windows\SysWOW64\Jfdafa32.exe Jhqqlmba.exe File opened for modification C:\Windows\SysWOW64\Lfaqcclf.exe Lpghfi32.exe File created C:\Windows\SysWOW64\Lbenho32.exe Lfnmcnjn.exe File created C:\Windows\SysWOW64\Gpbpbecj.exe Gppcmeem.exe File opened for modification C:\Windows\SysWOW64\Koajmepf.exe Kidben32.exe File created C:\Windows\SysWOW64\Kaebce32.dll Hnmnengg.exe File created C:\Windows\SysWOW64\Geabbfoc.exe Gklnem32.exe File created C:\Windows\SysWOW64\Bmaioi32.dll Digehphc.exe File created C:\Windows\SysWOW64\Ikjllm32.dll Ocgbld32.exe File created C:\Windows\SysWOW64\Cdkifmjq.exe Conanfli.exe File created C:\Windows\SysWOW64\Bgdemb32.exe Bpjmph32.exe File opened for modification C:\Windows\SysWOW64\Chnbbqpn.exe Cnfaohbj.exe File opened for modification C:\Windows\SysWOW64\Fgpplf32.exe Fljlom32.exe File created C:\Windows\SysWOW64\Ajbfppjh.dll Fplnogmb.exe File created C:\Windows\SysWOW64\Ihdldn32.exe Ipihpkkd.exe File created C:\Windows\SysWOW64\Iekomapo.dll Gdfmkjlg.exe File created C:\Windows\SysWOW64\Oaegbm32.dll Fibfbm32.exe File created C:\Windows\SysWOW64\Clclnfln.dll Ohaokbfd.exe File created C:\Windows\SysWOW64\Jbghpc32.exe Iadljc32.exe File created C:\Windows\SysWOW64\Ljeafb32.exe Lnoaaaad.exe File opened for modification C:\Windows\SysWOW64\Fklcgk32.exe Fdbkja32.exe File created C:\Windows\SysWOW64\Ebldam32.dll Fdjnolfd.exe File opened for modification C:\Windows\SysWOW64\Glkkop32.exe Geabbfoc.exe File created C:\Windows\SysWOW64\Cnnbme32.dll Gppcmeem.exe File created C:\Windows\SysWOW64\Lehhqg32.exe Lajokiaa.exe File created C:\Windows\SysWOW64\Nbjhlcmm.dll Dibdeegc.exe File created C:\Windows\SysWOW64\Eojppe32.dll Nnoefagj.exe File created C:\Windows\SysWOW64\Iecmhlhb.exe Ijmhkchl.exe File created C:\Windows\SysWOW64\Ombkojfh.dll Hfhbipdb.exe File created C:\Windows\SysWOW64\Engaon32.exe Eijigg32.exe File opened for modification C:\Windows\SysWOW64\Akkffkhk.exe Pmiikh32.exe File created C:\Windows\SysWOW64\Binfdh32.dll Epdime32.exe File opened for modification C:\Windows\SysWOW64\Ibgmaqfl.exe Ihaidhgf.exe File created C:\Windows\SysWOW64\Fiinbn32.dll Dllffa32.exe File opened for modification C:\Windows\SysWOW64\Beobcdoi.exe Bgkaip32.exe File created C:\Windows\SysWOW64\Mhckcgpj.exe Mbibfm32.exe File opened for modification C:\Windows\SysWOW64\Anijjkbj.exe Agobna32.exe File opened for modification C:\Windows\SysWOW64\Akmjdpac.exe Aecbge32.exe File opened for modification C:\Windows\SysWOW64\Fpnkdfko.exe Fidbgm32.exe File opened for modification C:\Windows\SysWOW64\Lfcfnm32.exe Lmkbeg32.exe File created C:\Windows\SysWOW64\Cgiohbfi.exe Cmpjoloh.exe File created C:\Windows\SysWOW64\Dhdmfljb.exe Dbgdnelk.exe File opened for modification C:\Windows\SysWOW64\Jqhphq32.exe Ignnjk32.exe File created C:\Windows\SysWOW64\Igajal32.exe Imgicgca.exe File created C:\Windows\SysWOW64\Gcilohid.dll Pidlqb32.exe File created C:\Windows\SysWOW64\Hjeodp32.dll Qhddgofo.exe File created C:\Windows\SysWOW64\Bjlfmfbi.dll Ckebcg32.exe File created C:\Windows\SysWOW64\Hcmhel32.dll Ipihpkkd.exe File created C:\Windows\SysWOW64\Fjoiip32.dll Mpeiie32.exe File created C:\Windows\SysWOW64\Pidlqb32.exe Pcgdhkem.exe File opened for modification C:\Windows\SysWOW64\Lhmafcnf.exe Kbnlim32.exe File created C:\Windows\SysWOW64\Omjbpn32.dll Dgcihgaj.exe File created C:\Windows\SysWOW64\Gaoihfoo.exe Giahndcf.exe File created C:\Windows\SysWOW64\Efmnhl32.dll Lobjni32.exe File opened for modification C:\Windows\SysWOW64\Ncpeaoih.exe Nmfmde32.exe File created C:\Windows\SysWOW64\Jgjjlakk.dll Edfknb32.exe File created C:\Windows\SysWOW64\Ckggnp32.exe Cpacqg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7752 7792 WerFault.exe 637 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodipp32.dll" Jnedgq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mmbopm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdlfjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cajjjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lfnmcnjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cglbhhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apqddgbj.dll" Naokbokn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njmejp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfedmfqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cqiehnml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Agobna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cihjeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjllm32.dll" Ocgbld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajmladbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mhhjhlqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkpigmd.dll" Anffje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hceook32.dll" Dgomaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hnhdjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbinagj.dll" Jeneidji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ldgnbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gcpcgfmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gaoihfoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkaobnio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkgppbgc.dll" Likhem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjckodg.dll" Dnljkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khjeei32.dll" Glngep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdgfllg.dll" Boeebnhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fkfcqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbbmmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjemle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iadljc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mjlalkmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhekleo.dll" Aidehpea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gcfjfqah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kagbdenk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mklpof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noldbk32.dll" Niglfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhomdeb.dll" Kbnlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjakkmpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbedde32.dll" Ngifef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Miipencp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mjcngpjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejimf32.dll" Oqklkbbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jeolckne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iloajfml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjbjlpga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gnjhhpgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcldac32.dll" Gajpmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jhqqlmba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkibgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Caqpkjcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fcbgfhii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aglnnkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmqljn32.dll" Gklnem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lobjni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Inhmqlmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odhppclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odibfg32.dll" Oikjkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eijigg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ciogobcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gcfjfqah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Capkim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lodabb32.dll" Ofgdcipq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cajjjk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1160 wrote to memory of 3256 1160 NEAS.930f051f4e78bbae071a849513124830.exe 89 PID 1160 wrote to memory of 3256 1160 NEAS.930f051f4e78bbae071a849513124830.exe 89 PID 1160 wrote to memory of 3256 1160 NEAS.930f051f4e78bbae071a849513124830.exe 89 PID 3256 wrote to memory of 1812 3256 Aekddhcb.exe 90 PID 3256 wrote to memory of 1812 3256 Aekddhcb.exe 90 PID 3256 wrote to memory of 1812 3256 Aekddhcb.exe 90 PID 1812 wrote to memory of 2840 1812 Boeebnhp.exe 91 PID 1812 wrote to memory of 2840 1812 Boeebnhp.exe 91 PID 1812 wrote to memory of 2840 1812 Boeebnhp.exe 91 PID 2840 wrote to memory of 3880 2840 Bklfgo32.exe 92 PID 2840 wrote to memory of 3880 2840 Bklfgo32.exe 92 PID 2840 wrote to memory of 3880 2840 Bklfgo32.exe 92 PID 3880 wrote to memory of 1576 3880 Bddjpd32.exe 93 PID 3880 wrote to memory of 1576 3880 Bddjpd32.exe 93 PID 3880 wrote to memory of 1576 3880 Bddjpd32.exe 93 PID 1576 wrote to memory of 1608 1576 Bkaobnio.exe 94 PID 1576 wrote to memory of 1608 1576 Bkaobnio.exe 94 PID 1576 wrote to memory of 1608 1576 Bkaobnio.exe 94 PID 1608 wrote to memory of 4664 1608 Bheplb32.exe 95 PID 1608 wrote to memory of 4664 1608 Bheplb32.exe 95 PID 1608 wrote to memory of 4664 1608 Bheplb32.exe 95 PID 4664 wrote to memory of 3140 4664 Camddhoi.exe 96 PID 4664 wrote to memory of 3140 4664 Camddhoi.exe 96 PID 4664 wrote to memory of 3140 4664 Camddhoi.exe 96 PID 3140 wrote to memory of 840 3140 Cbpajgmf.exe 97 PID 3140 wrote to memory of 840 3140 Cbpajgmf.exe 97 PID 3140 wrote to memory of 840 3140 Cbpajgmf.exe 97 PID 840 wrote to memory of 4776 840 Cnfaohbj.exe 98 PID 840 wrote to memory of 4776 840 Cnfaohbj.exe 98 PID 840 wrote to memory of 4776 840 Cnfaohbj.exe 98 PID 4776 wrote to memory of 3116 4776 Chnbbqpn.exe 99 PID 4776 wrote to memory of 3116 4776 Chnbbqpn.exe 99 PID 4776 wrote to memory of 3116 4776 Chnbbqpn.exe 99 PID 3116 wrote to memory of 948 3116 Dmlkhofd.exe 100 PID 3116 wrote to memory of 948 3116 Dmlkhofd.exe 100 PID 3116 wrote to memory of 948 3116 Dmlkhofd.exe 100 PID 948 wrote to memory of 4432 948 Dhclmp32.exe 101 PID 948 wrote to memory of 4432 948 Dhclmp32.exe 101 PID 948 wrote to memory of 4432 948 Dhclmp32.exe 101 PID 4432 wrote to memory of 4572 4432 Dmadco32.exe 103 PID 4432 wrote to memory of 4572 4432 Dmadco32.exe 103 PID 4432 wrote to memory of 4572 4432 Dmadco32.exe 103 PID 4572 wrote to memory of 1032 4572 Digehphc.exe 104 PID 4572 wrote to memory of 1032 4572 Digehphc.exe 104 PID 4572 wrote to memory of 1032 4572 Digehphc.exe 104 PID 1032 wrote to memory of 2916 1032 Dflfac32.exe 105 PID 1032 wrote to memory of 2916 1032 Dflfac32.exe 105 PID 1032 wrote to memory of 2916 1032 Dflfac32.exe 105 PID 2916 wrote to memory of 2112 2916 Deqcbpld.exe 106 PID 2916 wrote to memory of 2112 2916 Deqcbpld.exe 106 PID 2916 wrote to memory of 2112 2916 Deqcbpld.exe 106 PID 2112 wrote to memory of 2796 2112 Efpomccg.exe 107 PID 2112 wrote to memory of 2796 2112 Efpomccg.exe 107 PID 2112 wrote to memory of 2796 2112 Efpomccg.exe 107 PID 2796 wrote to memory of 2496 2796 Eeelnp32.exe 108 PID 2796 wrote to memory of 2496 2796 Eeelnp32.exe 108 PID 2796 wrote to memory of 2496 2796 Eeelnp32.exe 108 PID 2496 wrote to memory of 4904 2496 Enbjad32.exe 109 PID 2496 wrote to memory of 4904 2496 Enbjad32.exe 109 PID 2496 wrote to memory of 4904 2496 Enbjad32.exe 109 PID 4904 wrote to memory of 4612 4904 Fmhdkknd.exe 110 PID 4904 wrote to memory of 4612 4904 Fmhdkknd.exe 110 PID 4904 wrote to memory of 4612 4904 Fmhdkknd.exe 110 PID 4612 wrote to memory of 1644 4612 Fbgihaji.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.930f051f4e78bbae071a849513124830.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.930f051f4e78bbae071a849513124830.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Aekddhcb.exeC:\Windows\system32\Aekddhcb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\Boeebnhp.exeC:\Windows\system32\Boeebnhp.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Bklfgo32.exeC:\Windows\system32\Bklfgo32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Bddjpd32.exeC:\Windows\system32\Bddjpd32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Windows\SysWOW64\Bkaobnio.exeC:\Windows\system32\Bkaobnio.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Bheplb32.exeC:\Windows\system32\Bheplb32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Camddhoi.exeC:\Windows\system32\Camddhoi.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\Cbpajgmf.exeC:\Windows\system32\Cbpajgmf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\SysWOW64\Cnfaohbj.exeC:\Windows\system32\Cnfaohbj.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Chnbbqpn.exeC:\Windows\system32\Chnbbqpn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Dmlkhofd.exeC:\Windows\system32\Dmlkhofd.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\SysWOW64\Dhclmp32.exeC:\Windows\system32\Dhclmp32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Dmadco32.exeC:\Windows\system32\Dmadco32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Digehphc.exeC:\Windows\system32\Digehphc.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Dflfac32.exeC:\Windows\system32\Dflfac32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Deqcbpld.exeC:\Windows\system32\Deqcbpld.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Efpomccg.exeC:\Windows\system32\Efpomccg.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Eeelnp32.exeC:\Windows\system32\Eeelnp32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Enbjad32.exeC:\Windows\system32\Enbjad32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Fmhdkknd.exeC:\Windows\system32\Fmhdkknd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Fbgihaji.exeC:\Windows\system32\Fbgihaji.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\Gidnkkpc.exeC:\Windows\system32\Gidnkkpc.exe23⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Gppcmeem.exeC:\Windows\system32\Gppcmeem.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:884 -
C:\Windows\SysWOW64\Gpbpbecj.exeC:\Windows\system32\Gpbpbecj.exe25⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Gojiiafp.exeC:\Windows\system32\Gojiiafp.exe26⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Hpnoncim.exeC:\Windows\system32\Hpnoncim.exe27⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Hpqldc32.exeC:\Windows\system32\Hpqldc32.exe28⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Hlglidlo.exeC:\Windows\system32\Hlglidlo.exe29⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Imgicgca.exeC:\Windows\system32\Imgicgca.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Igajal32.exeC:\Windows\system32\Igajal32.exe31⤵
- Executes dropped EXE
PID:3792 -
C:\Windows\SysWOW64\Iplkpa32.exeC:\Windows\system32\Iplkpa32.exe32⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Jmbhoeid.exeC:\Windows\system32\Jmbhoeid.exe33⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Jcanll32.exeC:\Windows\system32\Jcanll32.exe34⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Jgpfbjlo.exeC:\Windows\system32\Jgpfbjlo.exe35⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Jcfggkac.exeC:\Windows\system32\Jcfggkac.exe36⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Klahfp32.exeC:\Windows\system32\Klahfp32.exe37⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Kcmmhj32.exeC:\Windows\system32\Kcmmhj32.exe38⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Kodnmkap.exeC:\Windows\system32\Kodnmkap.exe39⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Kcbfcigf.exeC:\Windows\system32\Kcbfcigf.exe40⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Loighj32.exeC:\Windows\system32\Loighj32.exe41⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Lokdnjkg.exeC:\Windows\system32\Lokdnjkg.exe42⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Lnoaaaad.exeC:\Windows\system32\Lnoaaaad.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4920 -
C:\Windows\SysWOW64\Ljeafb32.exeC:\Windows\system32\Ljeafb32.exe44⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Lobjni32.exeC:\Windows\system32\Lobjni32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5004 -
C:\Windows\SysWOW64\Lflbkcll.exeC:\Windows\system32\Lflbkcll.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Modgdicm.exeC:\Windows\system32\Modgdicm.exe47⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Mgnlkfal.exeC:\Windows\system32\Mgnlkfal.exe48⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Mgphpe32.exeC:\Windows\system32\Mgphpe32.exe49⤵
- Executes dropped EXE
PID:3280 -
C:\Windows\SysWOW64\Mjaabq32.exeC:\Windows\system32\Mjaabq32.exe50⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Mjcngpjh.exeC:\Windows\system32\Mjcngpjh.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3380 -
C:\Windows\SysWOW64\Nnhmnn32.exeC:\Windows\system32\Nnhmnn32.exe52⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Onkidm32.exeC:\Windows\system32\Onkidm32.exe53⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Ocgbld32.exeC:\Windows\system32\Ocgbld32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3844 -
C:\Windows\SysWOW64\Oakbehfe.exeC:\Windows\system32\Oakbehfe.exe55⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Onocomdo.exeC:\Windows\system32\Onocomdo.exe56⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Opclldhj.exeC:\Windows\system32\Opclldhj.exe57⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Opeiadfg.exeC:\Windows\system32\Opeiadfg.exe58⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Pmiikh32.exeC:\Windows\system32\Pmiikh32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3588 -
C:\Windows\SysWOW64\Akkffkhk.exeC:\Windows\system32\Akkffkhk.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Aaenbd32.exeC:\Windows\system32\Aaenbd32.exe61⤵
- Executes dropped EXE
PID:4156 -
C:\Windows\SysWOW64\Aoioli32.exeC:\Windows\system32\Aoioli32.exe62⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Apmhiq32.exeC:\Windows\system32\Apmhiq32.exe63⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Akblfj32.exeC:\Windows\system32\Akblfj32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Aopemh32.exeC:\Windows\system32\Aopemh32.exe65⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Bkibgh32.exeC:\Windows\system32\Bkibgh32.exe66⤵
- Modifies registry class
PID:3392 -
C:\Windows\SysWOW64\Bpfkpp32.exeC:\Windows\system32\Bpfkpp32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2040 -
C:\Windows\SysWOW64\Bogkmgba.exeC:\Windows\system32\Bogkmgba.exe68⤵PID:2956
-
C:\Windows\SysWOW64\Boldhf32.exeC:\Windows\system32\Boldhf32.exe69⤵PID:2184
-
C:\Windows\SysWOW64\Conanfli.exeC:\Windows\system32\Conanfli.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Cdkifmjq.exeC:\Windows\system32\Cdkifmjq.exe71⤵PID:4008
-
C:\Windows\SysWOW64\Ckebcg32.exeC:\Windows\system32\Ckebcg32.exe72⤵
- Drops file in System32 directory
PID:712 -
C:\Windows\SysWOW64\Cglbhhga.exeC:\Windows\system32\Cglbhhga.exe73⤵
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Coegoe32.exeC:\Windows\system32\Coegoe32.exe74⤵PID:4220
-
C:\Windows\SysWOW64\Chnlgjlb.exeC:\Windows\system32\Chnlgjlb.exe75⤵PID:5136
-
C:\Windows\SysWOW64\Dpiplm32.exeC:\Windows\system32\Dpiplm32.exe76⤵PID:5192
-
C:\Windows\SysWOW64\Dgcihgaj.exeC:\Windows\system32\Dgcihgaj.exe77⤵
- Drops file in System32 directory
PID:5236 -
C:\Windows\SysWOW64\Dpkmal32.exeC:\Windows\system32\Dpkmal32.exe78⤵PID:5280
-
C:\Windows\SysWOW64\Dggbcf32.exeC:\Windows\system32\Dggbcf32.exe79⤵PID:5328
-
C:\Windows\SysWOW64\Dqpfmlce.exeC:\Windows\system32\Dqpfmlce.exe80⤵PID:5396
-
C:\Windows\SysWOW64\Dbocfo32.exeC:\Windows\system32\Dbocfo32.exe81⤵PID:5456
-
C:\Windows\SysWOW64\Enfckp32.exeC:\Windows\system32\Enfckp32.exe82⤵PID:5500
-
C:\Windows\SysWOW64\Enhpao32.exeC:\Windows\system32\Enhpao32.exe83⤵PID:5544
-
C:\Windows\SysWOW64\Enkmfolf.exeC:\Windows\system32\Enkmfolf.exe84⤵PID:5588
-
C:\Windows\SysWOW64\Ekonpckp.exeC:\Windows\system32\Ekonpckp.exe85⤵PID:5628
-
C:\Windows\SysWOW64\Ebifmm32.exeC:\Windows\system32\Ebifmm32.exe86⤵PID:5672
-
C:\Windows\SysWOW64\Eomffaag.exeC:\Windows\system32\Eomffaag.exe87⤵PID:5712
-
C:\Windows\SysWOW64\Eqncnj32.exeC:\Windows\system32\Eqncnj32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5756 -
C:\Windows\SysWOW64\Fdlkdhnk.exeC:\Windows\system32\Fdlkdhnk.exe89⤵PID:5804
-
C:\Windows\SysWOW64\Fkfcqb32.exeC:\Windows\system32\Fkfcqb32.exe90⤵
- Modifies registry class
PID:5860 -
C:\Windows\SysWOW64\Foclgq32.exeC:\Windows\system32\Foclgq32.exe91⤵PID:5916
-
C:\Windows\SysWOW64\Fgoakc32.exeC:\Windows\system32\Fgoakc32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5956 -
C:\Windows\SysWOW64\Fniihmpf.exeC:\Windows\system32\Fniihmpf.exe93⤵PID:6004
-
C:\Windows\SysWOW64\Fiqjke32.exeC:\Windows\system32\Fiqjke32.exe94⤵PID:6044
-
C:\Windows\SysWOW64\Ggfglb32.exeC:\Windows\system32\Ggfglb32.exe95⤵PID:6096
-
C:\Windows\SysWOW64\Gejhef32.exeC:\Windows\system32\Gejhef32.exe96⤵PID:3452
-
C:\Windows\SysWOW64\Gkdpbpih.exeC:\Windows\system32\Gkdpbpih.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5184 -
C:\Windows\SysWOW64\Gaqhjggp.exeC:\Windows\system32\Gaqhjggp.exe98⤵PID:5276
-
C:\Windows\SysWOW64\Gacepg32.exeC:\Windows\system32\Gacepg32.exe99⤵PID:5336
-
C:\Windows\SysWOW64\Glhimp32.exeC:\Windows\system32\Glhimp32.exe100⤵PID:5432
-
C:\Windows\SysWOW64\Gbbajjlp.exeC:\Windows\system32\Gbbajjlp.exe101⤵PID:5484
-
C:\Windows\SysWOW64\Hahokfag.exeC:\Windows\system32\Hahokfag.exe102⤵PID:5568
-
C:\Windows\SysWOW64\Hhaggp32.exeC:\Windows\system32\Hhaggp32.exe103⤵PID:5664
-
C:\Windows\SysWOW64\Hiacacpg.exeC:\Windows\system32\Hiacacpg.exe104⤵PID:5744
-
C:\Windows\SysWOW64\Hbihjifh.exeC:\Windows\system32\Hbihjifh.exe105⤵PID:5832
-
C:\Windows\SysWOW64\Hhfpbpdo.exeC:\Windows\system32\Hhfpbpdo.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5944 -
C:\Windows\SysWOW64\Hbldphde.exeC:\Windows\system32\Hbldphde.exe107⤵PID:6012
-
C:\Windows\SysWOW64\Hnbeeiji.exeC:\Windows\system32\Hnbeeiji.exe108⤵PID:6084
-
C:\Windows\SysWOW64\Ihkjno32.exeC:\Windows\system32\Ihkjno32.exe109⤵PID:5308
-
C:\Windows\SysWOW64\Ibegfglj.exeC:\Windows\system32\Ibegfglj.exe110⤵PID:5440
-
C:\Windows\SysWOW64\Ipihpkkd.exeC:\Windows\system32\Ipihpkkd.exe111⤵
- Drops file in System32 directory
PID:5556 -
C:\Windows\SysWOW64\Ihdldn32.exeC:\Windows\system32\Ihdldn32.exe112⤵PID:5696
-
C:\Windows\SysWOW64\Joqafgni.exeC:\Windows\system32\Joqafgni.exe113⤵PID:5844
-
C:\Windows\SysWOW64\Jifecp32.exeC:\Windows\system32\Jifecp32.exe114⤵PID:5992
-
C:\Windows\SysWOW64\Jppnpjel.exeC:\Windows\system32\Jppnpjel.exe115⤵PID:5152
-
C:\Windows\SysWOW64\Jlikkkhn.exeC:\Windows\system32\Jlikkkhn.exe116⤵PID:5468
-
C:\Windows\SysWOW64\Jeapcq32.exeC:\Windows\system32\Jeapcq32.exe117⤵PID:5652
-
C:\Windows\SysWOW64\Jllhpkfk.exeC:\Windows\system32\Jllhpkfk.exe118⤵PID:5928
-
C:\Windows\SysWOW64\Kiphjo32.exeC:\Windows\system32\Kiphjo32.exe119⤵PID:5412
-
C:\Windows\SysWOW64\Kidben32.exeC:\Windows\system32\Kidben32.exe120⤵
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\Koajmepf.exeC:\Windows\system32\Koajmepf.exe121⤵PID:5940
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-