Analysis
max time kernel: 163s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/11/2023, 08:27

Static task: static1
1 signatures

Behavioral task: behavioral1
Sample: NEAS.15308b0ae3f6e911c70160cd230bfd90.exe
Resource: win7-20231023-en
7 signatures
150 seconds

Behavioral task: behavioral2
Sample: NEAS.15308b0ae3f6e911c70160cd230bfd90.exe
Resource: win10v2004-20231023-en
5 signatures
150 seconds

General
Target: NEAS.15308b0ae3f6e911c70160cd230bfd90.exe
Size: 45KB
MD5: 15308b0ae3f6e911c70160cd230bfd90
SHA1: 1d8ac9b2744d94f241cc655a993ba5e3cc6aa4af
SHA256: 81b836c7ff495d587771f299ad32c844f6f89a4bca8c6cc07382970af079eeba
SHA512: 996d0cace23a04c1d435eaacc8716addb285049261705edb2ba8f4cda52a3f192ee398d8c8074f4b1301ae5849b86b5e8cb36d4f891447f2dc78aef65c5b9dd2
SSDEEP: 768:hf359NX9Z49Lky3GM5VB1jNoSAx6ye3xrMnvoUJ02SarC1/1H5:hf359NXe72AbmwLraK
Score: 10/10

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abbiej32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Clmjcfdb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hihbco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dmpmfg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbmclobc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nqcejcha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Agckiqgg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkmbbajb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gnjhhpgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Leihlj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Biadoeib.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fggdpnkf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmkeekag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gcbnopkj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hicpgc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hgbfhc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odnngclb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgakkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mohbjkgp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iibaeb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfnnhj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbnjfefo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghgbakhb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gbbajjlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhbciqln.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgpibdam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ebejem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Beaced32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmhogppb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehcfkhel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fkmbbajb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mkeeda32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dklhmlac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Piceflpi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hbmclobc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dmbbaq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iibccgep.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfknem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Einmaaqb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epgenk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehaieh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ipdndloi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhnnoe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Leihlj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhfacp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghiogkfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbppaopp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knkcmild.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfkpiled.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gcneca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oqbagd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ighhed32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eainnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jnlkedai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ggicbe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmheph32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifcimb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Anobgl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qaqegecm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebejem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qqamieno.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahpmckpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Haebol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ldblon32.exe
Executes dropped EXE 64 IoCs
pid | Process
2984 | Kqdaadln.exe
1476 | Kkjeomld.exe
2180 | Knhakh32.exe
5052 | Kcejco32.exe
2044 | Lnjnqh32.exe
4584 | Lddgmbpb.exe
456 | Anobgl32.exe
2896 | Coadnlnb.exe
4404 | Chiigadc.exe
1284 | Cocacl32.exe
2572 | Clgbmp32.exe
4460 | Gejopl32.exe
4772 | Iibccgep.exe
2344 | Jnlkedai.exe
4888 | Npgmpf32.exe
3200 | Pfandnla.exe
4576 | Ppjbmc32.exe
2608 | Pfdjinjo.exe
3604 | Paiogf32.exe
3964 | Pjbcplpe.exe
2588 | Palklf32.exe
3032 | Phfcipoo.exe
2280 | Qhhpop32.exe
2892 | Qjfmkk32.exe
3144 | Qaqegecm.exe
3888 | Qjiipk32.exe
1124 | Qmgelf32.exe
4184 | Ahmjjoig.exe
4328 | Aoioli32.exe
3288 | Apjkcadp.exe
4904 | Aokkahlo.exe
440 | Gbbajjlp.exe
4716 | Hnibokbd.exe
2568 | Hnlodjpa.exe
1660 | Heegad32.exe
3040 | Hnnljj32.exe
2968 | Halhfe32.exe
4872 | Hicpgc32.exe
2928 | Haodle32.exe
1884 | Hldiinke.exe
3248 | Haaaaeim.exe
4344 | Ipbaol32.exe
4892 | Ipdndloi.exe
5032 | Nqcejcha.exe
4976 | Nbebbk32.exe
3904 | Niojoeel.exe
1816 | Ofckhj32.exe
4604 | Oiagde32.exe
3236 | Ookoaokf.exe
1656 | Edihdb32.exe
4292 | Fggdpnkf.exe
3780 | Fjeplijj.exe
2484 | Famhmfkl.exe
3576 | Fcneeo32.exe
2812 | Fkemfl32.exe
4952 | Fdmaoahm.exe
2716 | Fglnkm32.exe
708 | Fnffhgon.exe
1536 | Fcbnpnme.exe
228 | Fjmfmh32.exe
4796 | Fqfojblo.exe
2152 | Fjocbhbo.exe
1936 | Fqikob32.exe
1780 | Ggccllai.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Oddmoj32.exe | Oafacn32.exe
File created | C:\Windows\SysWOW64\Ifadqd32.dll | Cemcqcgi.exe
File opened for modification | C:\Windows\SysWOW64\Gmhfbf32.exe | Gfnnel32.exe
File created | C:\Windows\SysWOW64\Hihbco32.exe | Hbnjfefo.exe
File created | C:\Windows\SysWOW64\Poeink32.dll | Bjaqih32.exe
File created | C:\Windows\SysWOW64\Anplji32.dll | Dmmifaci.exe
File opened for modification | C:\Windows\SysWOW64\Doojni32.exe | Ddifaqcn.exe
File created | C:\Windows\SysWOW64\Qhbkhpqq.dll | Qnbdjl32.exe
File created | C:\Windows\SysWOW64\Gmhfbf32.exe | Gfnnel32.exe
File opened for modification | C:\Windows\SysWOW64\Delnbdao.exe | Dobffj32.exe
File created | C:\Windows\SysWOW64\Hpdegdci.exe | Hhmmffbg.exe
File created | C:\Windows\SysWOW64\Nggddfag.dll | Jelioh32.exe
File created | C:\Windows\SysWOW64\Boipfp32.exe | Bmkcjd32.exe
File opened for modification | C:\Windows\SysWOW64\Dhdkig32.exe | Cajblmci.exe
File created | C:\Windows\SysWOW64\Fgpilc32.exe | Fdamph32.exe
File created | C:\Windows\SysWOW64\Fjocbhbo.exe | Fqfojblo.exe
File created | C:\Windows\SysWOW64\Leihlj32.exe | Immaimnj.exe
File created | C:\Windows\SysWOW64\Eikcmf32.dll | Phhhbi32.exe
File created | C:\Windows\SysWOW64\Aoifoa32.exe | Qfpbfljd.exe
File created | C:\Windows\SysWOW64\Ngbmnh32.dll | Ehaieh32.exe
File created | C:\Windows\SysWOW64\Dolmijef.exe | Dnmaog32.exe
File opened for modification | C:\Windows\SysWOW64\Knhakh32.exe | Kkjeomld.exe
File opened for modification | C:\Windows\SysWOW64\Poagma32.exe | Ohdbkh32.exe
File created | C:\Windows\SysWOW64\Kafcadej.exe | Knhkkfod.exe
File created | C:\Windows\SysWOW64\Oqmgbd32.dll | Bmkcjd32.exe
File created | C:\Windows\SysWOW64\Fphneijl.exe | Fineho32.exe
File created | C:\Windows\SysWOW64\Jqhaolli.exe | Gdjilphb.exe
File opened for modification | C:\Windows\SysWOW64\Fhiinbdo.exe | Ebejem32.exe
File created | C:\Windows\SysWOW64\Foplnb32.exe | Chlomnfl.exe
File opened for modification | C:\Windows\SysWOW64\Dkljka32.exe | Dhnnoe32.exe
File opened for modification | C:\Windows\SysWOW64\Cfkenogb.exe | Bmpcpjcd.exe
File created | C:\Windows\SysWOW64\Iponfm32.dll | Bqdbec32.exe
File created | C:\Windows\SysWOW64\Djcfee32.exe | Dhejij32.exe
File created | C:\Windows\SysWOW64\Anijjkbj.exe | Agobna32.exe
File created | C:\Windows\SysWOW64\Iegpaf32.dll | Filicodb.exe
File created | C:\Windows\SysWOW64\Jpdiag32.dll | Fdamph32.exe
File created | C:\Windows\SysWOW64\Mnpami32.exe | Linojbdc.exe
File opened for modification | C:\Windows\SysWOW64\Keekjc32.exe | Knkcmild.exe
File opened for modification | C:\Windows\SysWOW64\Mebkge32.exe | Mohbjkgp.exe
File created | C:\Windows\SysWOW64\Loodqn32.exe | Jogeia32.exe
File created | C:\Windows\SysWOW64\Kfieepcf.dll | Gcbnopkj.exe
File opened for modification | C:\Windows\SysWOW64\Djcfee32.exe | Dhejij32.exe
File created | C:\Windows\SysWOW64\Ggnlhgkg.exe | Gdppllld.exe
File created | C:\Windows\SysWOW64\Diicfa32.exe | Dfjgjf32.exe
File opened for modification | C:\Windows\SysWOW64\Epgenk32.exe | Einmaaqb.exe
File created | C:\Windows\SysWOW64\Haaaaeim.exe | Hldiinke.exe
File created | C:\Windows\SysWOW64\Goqkne32.exe | Ggicmh32.exe
File opened for modification | C:\Windows\SysWOW64\Cmdfpbkc.exe | Cfjnch32.exe
File created | C:\Windows\SysWOW64\Embkhn32.exe | Efhcld32.exe
File created | C:\Windows\SysWOW64\Cjkhnd32.dll | Ofckhj32.exe
File opened for modification | C:\Windows\SysWOW64\Fjeplijj.exe | Fggdpnkf.exe
File created | C:\Windows\SysWOW64\Lmbhqj32.exe | Ljcldo32.exe
File opened for modification | C:\Windows\SysWOW64\Agckiqgg.exe | Abgcqjhp.exe
File created | C:\Windows\SysWOW64\Bbffohcd.dll | Hijohoki.exe
File created | C:\Windows\SysWOW64\Ibnlbm32.exe | Ighhed32.exe
File created | C:\Windows\SysWOW64\Aqhcid32.exe | Ajnkmjqj.exe
File opened for modification | C:\Windows\SysWOW64\Dmpmfg32.exe | Djbpjl32.exe
File created | C:\Windows\SysWOW64\Nnimkcjf.dll | Fglnkm32.exe
File created | C:\Windows\SysWOW64\Aojbfccl.dll | Mohbjkgp.exe
File opened for modification | C:\Windows\SysWOW64\Gjhonp32.exe | Ggicbe32.exe
File opened for modification | C:\Windows\SysWOW64\Pfpidk32.exe | Phlikg32.exe
File created | C:\Windows\SysWOW64\Jicckpjk.dll | Dhnnoe32.exe
File opened for modification | C:\Windows\SysWOW64\Eagahnob.exe | Ejmild32.exe
File created | C:\Windows\SysWOW64\Mimcmnpn.dll | Lddgmbpb.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oeopnmoa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pkhhbbck.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imdjadgk.dll" | Ajjcoqdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iioicn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ebejem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hfgjad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qfpbfljd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekjfgje.dll" | Fphneijl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Elbhde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acddjpmd.dll" | Fipbnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enndkpea.dll" | Hldiinke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hgcfcg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fiilmofe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bichcc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgbhfhcl.dll" | Bkadoo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Plcdbghi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkogmaid.dll" | Glfmaemc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kejeebpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oafacn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqcgfpia.dll" | Mojopk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmicbcff.dll" | Hfemkdbm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejieddc.dll" | Icdmqg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hnibokbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcmnmk32.dll" | Ainnhdbp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Agckiqgg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hdlphjaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakpih32.dll" | Oiehhjjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nfnooe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hldiinke.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pkklbh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oakaofpm.dll" | Anncek32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hcimei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdjeiek.dll" | Hkckoe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Plcdbghi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfjfc32.dll" | Oojalb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pkonbamc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fcbnpnme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfekcef.dll" | Dafbhkhl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aijeme32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dpckclld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkachhph.dll" | Akqfef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Egcaij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll" | Palklf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kialcj32.dll" | Peempn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Padeem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicckpjk.dll" | Dhnnoe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hmcocn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Afelal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hggqniih.dll" | Fdffkgpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cghane32.dll" | Chiigadc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdbphinj.dll" | Hflclcle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Immaimnj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eibfmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciolccoc.dll" | Bjlgnh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nqcejcha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foaeccgp.dll" | Cnpbgajc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjkjjmlf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebbchc32.dll" | Hgcfcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpnmok32.dll" | Hkaoiemi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hnokeqll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hnfafpfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bmomecoi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mohbjkgp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjejj32.dll" | Dkljka32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3244 wrote to memory of 2984 | 3244 | NEAS.15308b0ae3f6e911c70160cd230bfd90.exe | 85
PID 3244 wrote to memory of 2984 | 3244 | NEAS.15308b0ae3f6e911c70160cd230bfd90.exe | 85
PID 3244 wrote to memory of 2984 | 3244 | NEAS.15308b0ae3f6e911c70160cd230bfd90.exe | 85
PID 2984 wrote to memory of 1476 | 2984 | Kqdaadln.exe | 86
PID 2984 wrote to memory of 1476 | 2984 | Kqdaadln.exe | 86
PID 2984 wrote to memory of 1476 | 2984 | Kqdaadln.exe | 86
PID 1476 wrote to memory of 2180 | 1476 | Kkjeomld.exe | 87
PID 1476 wrote to memory of 2180 | 1476 | Kkjeomld.exe | 87
PID 1476 wrote to memory of 2180 | 1476 | Kkjeomld.exe | 87
PID 2180 wrote to memory of 5052 | 2180 | Knhakh32.exe | 88
PID 2180 wrote to memory of 5052 | 2180 | Knhakh32.exe | 88
PID 2180 wrote to memory of 5052 | 2180 | Knhakh32.exe | 88
PID 5052 wrote to memory of 2044 | 5052 | Kcejco32.exe | 89
PID 5052 wrote to memory of 2044 | 5052 | Kcejco32.exe | 89
PID 5052 wrote to memory of 2044 | 5052 | Kcejco32.exe | 89
PID 2044 wrote to memory of 4584 | 2044 | Lnjnqh32.exe | 90
PID 2044 wrote to memory of 4584 | 2044 | Lnjnqh32.exe | 90
PID 2044 wrote to memory of 4584 | 2044 | Lnjnqh32.exe | 90
PID 4584 wrote to memory of 456 | 4584 | Lddgmbpb.exe | 92
PID 4584 wrote to memory of 456 | 4584 | Lddgmbpb.exe | 92
PID 4584 wrote to memory of 456 | 4584 | Lddgmbpb.exe | 92
PID 456 wrote to memory of 2896 | 456 | Anobgl32.exe | 93
PID 456 wrote to memory of 2896 | 456 | Anobgl32.exe | 93
PID 456 wrote to memory of 2896 | 456 | Anobgl32.exe | 93
PID 2896 wrote to memory of 4404 | 2896 | Coadnlnb.exe | 94
PID 2896 wrote to memory of 4404 | 2896 | Coadnlnb.exe | 94
PID 2896 wrote to memory of 4404 | 2896 | Coadnlnb.exe | 94
PID 4404 wrote to memory of 1284 | 4404 | Chiigadc.exe | 95
PID 4404 wrote to memory of 1284 | 4404 | Chiigadc.exe | 95
PID 4404 wrote to memory of 1284 | 4404 | Chiigadc.exe | 95
PID 1284 wrote to memory of 2572 | 1284 | Cocacl32.exe | 97
PID 1284 wrote to memory of 2572 | 1284 | Cocacl32.exe | 97
PID 1284 wrote to memory of 2572 | 1284 | Cocacl32.exe | 97
PID 2572 wrote to memory of 4460 | 2572 | Clgbmp32.exe | 98
PID 2572 wrote to memory of 4460 | 2572 | Clgbmp32.exe | 98
PID 2572 wrote to memory of 4460 | 2572 | Clgbmp32.exe | 98
PID 4460 wrote to memory of 4772 | 4460 | Gejopl32.exe | 99
PID 4460 wrote to memory of 4772 | 4460 | Gejopl32.exe | 99
PID 4460 wrote to memory of 4772 | 4460 | Gejopl32.exe | 99
PID 4772 wrote to memory of 2344 | 4772 | Iibccgep.exe | 100
PID 4772 wrote to memory of 2344 | 4772 | Iibccgep.exe | 100
PID 4772 wrote to memory of 2344 | 4772 | Iibccgep.exe | 100
PID 2344 wrote to memory of 4888 | 2344 | Jnlkedai.exe | 101
PID 2344 wrote to memory of 4888 | 2344 | Jnlkedai.exe | 101
PID 2344 wrote to memory of 4888 | 2344 | Jnlkedai.exe | 101
PID 4888 wrote to memory of 3200 | 4888 | Npgmpf32.exe | 103
PID 4888 wrote to memory of 3200 | 4888 | Npgmpf32.exe | 103
PID 4888 wrote to memory of 3200 | 4888 | Npgmpf32.exe | 103
PID 3200 wrote to memory of 4576 | 3200 | Pfandnla.exe | 104
PID 3200 wrote to memory of 4576 | 3200 | Pfandnla.exe | 104
PID 3200 wrote to memory of 4576 | 3200 | Pfandnla.exe | 104
PID 4576 wrote to memory of 2608 | 4576 | Ppjbmc32.exe | 105
PID 4576 wrote to memory of 2608 | 4576 | Ppjbmc32.exe | 105
PID 4576 wrote to memory of 2608 | 4576 | Ppjbmc32.exe | 105
PID 2608 wrote to memory of 3604 | 2608 | Pfdjinjo.exe | 106
PID 2608 wrote to memory of 3604 | 2608 | Pfdjinjo.exe | 106
PID 2608 wrote to memory of 3604 | 2608 | Pfdjinjo.exe | 106
PID 3604 wrote to memory of 3964 | 3604 | Paiogf32.exe | 107
PID 3604 wrote to memory of 3964 | 3604 | Paiogf32.exe | 107
PID 3604 wrote to memory of 3964 | 3604 | Paiogf32.exe | 107
PID 3964 wrote to memory of 2588 | 3964 | Pjbcplpe.exe | 108
PID 3964 wrote to memory of 2588 | 3964 | Pjbcplpe.exe | 108
PID 3964 wrote to memory of 2588 | 3964 | Pjbcplpe.exe | 108
PID 2588 wrote to memory of 3032 | 2588 | Palklf32.exe | 109
Processes
-
Process tree. Each entry is one process; the leading number is its nesting depth in the sandbox's tree, and every process at depth N was launched by the process at depth N-1, so the whole run is a single chain 122 processes deep. The root's command line is shown in quotes. For every dropped executable the command line was C:\Windows\system32\<name>.exe, which WOW64 file-system redirection resolves to the listed C:\Windows\SysWOW64\<name>.exe path because the sample is 32-bit. The signatures the sandbox attached to each process follow in brackets.
  1  PID 3244  C:\Users\Admin\AppData\Local\Temp\NEAS.15308b0ae3f6e911c70160cd230bfd90.exe  (command line "C:\Users\Admin\AppData\Local\Temp\NEAS.15308b0ae3f6e911c70160cd230bfd90.exe")  [Suspicious use of WriteProcessMemory]
  2  PID 2984  C:\Windows\SysWOW64\Kqdaadln.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  3  PID 1476  C:\Windows\SysWOW64\Kkjeomld.exe  [Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory]
  4  PID 2180  C:\Windows\SysWOW64\Knhakh32.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  5  PID 5052  C:\Windows\SysWOW64\Kcejco32.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  6  PID 2044  C:\Windows\SysWOW64\Lnjnqh32.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  7  PID 4584  C:\Windows\SysWOW64\Lddgmbpb.exe  [Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory]
  8  PID 456   C:\Windows\SysWOW64\Anobgl32.exe  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory]
  9  PID 2896  C:\Windows\SysWOW64\Coadnlnb.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 10  PID 4404  C:\Windows\SysWOW64\Chiigadc.exe  [Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory]
 11  PID 1284  C:\Windows\SysWOW64\Cocacl32.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 12  PID 2572  C:\Windows\SysWOW64\Clgbmp32.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 13  PID 4460  C:\Windows\SysWOW64\Gejopl32.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 14  PID 4772  C:\Windows\SysWOW64\Iibccgep.exe  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory]
 15  PID 2344  C:\Windows\SysWOW64\Jnlkedai.exe  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory]
 16  PID 4888  C:\Windows\SysWOW64\Npgmpf32.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 17  PID 3200  C:\Windows\SysWOW64\Pfandnla.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 18  PID 4576  C:\Windows\SysWOW64\Ppjbmc32.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 19  PID 2608  C:\Windows\SysWOW64\Pfdjinjo.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 20  PID 3604  C:\Windows\SysWOW64\Paiogf32.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 21  PID 3964  C:\Windows\SysWOW64\Pjbcplpe.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 22  PID 2588  C:\Windows\SysWOW64\Palklf32.exe  [Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory]
 23  PID 3032  C:\Windows\SysWOW64\Phfcipoo.exe  [Executes dropped EXE]
 24  PID 2280  C:\Windows\SysWOW64\Qhhpop32.exe  [Executes dropped EXE]
 25  PID 2892  C:\Windows\SysWOW64\Qjfmkk32.exe  [Executes dropped EXE]
 26  PID 3144  C:\Windows\SysWOW64\Qaqegecm.exe  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE]
 27  PID 3888  C:\Windows\SysWOW64\Qjiipk32.exe  [Executes dropped EXE]
 28  PID 1124  C:\Windows\SysWOW64\Qmgelf32.exe  [Executes dropped EXE]
 29  PID 4184  C:\Windows\SysWOW64\Ahmjjoig.exe  [Executes dropped EXE]
 30  PID 4328  C:\Windows\SysWOW64\Aoioli32.exe  [Executes dropped EXE]
 31  PID 3288  C:\Windows\SysWOW64\Apjkcadp.exe  [Executes dropped EXE]
 32  PID 4904  C:\Windows\SysWOW64\Aokkahlo.exe  [Executes dropped EXE]
 33  PID 440   C:\Windows\SysWOW64\Gbbajjlp.exe  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE]
 34  PID 4716  C:\Windows\SysWOW64\Hnibokbd.exe  [Executes dropped EXE; Modifies registry class]
 35  PID 2568  C:\Windows\SysWOW64\Hnlodjpa.exe  [Executes dropped EXE]
 36  PID 1660  C:\Windows\SysWOW64\Heegad32.exe  [Executes dropped EXE]
 37  PID 3040  C:\Windows\SysWOW64\Hnnljj32.exe  [Executes dropped EXE]
 38  PID 2968  C:\Windows\SysWOW64\Halhfe32.exe  [Executes dropped EXE]
 39  PID 4872  C:\Windows\SysWOW64\Hicpgc32.exe  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE]
 40  PID 2928  C:\Windows\SysWOW64\Haodle32.exe  [Executes dropped EXE]
 41  PID 1884  C:\Windows\SysWOW64\Hldiinke.exe  [Executes dropped EXE; Drops file in System32 directory; Modifies registry class]
 42  PID 3248  C:\Windows\SysWOW64\Haaaaeim.exe  [Executes dropped EXE]
 43  PID 4344  C:\Windows\SysWOW64\Ipbaol32.exe  [Executes dropped EXE]
 44  PID 4892  C:\Windows\SysWOW64\Ipdndloi.exe  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE]
 45  PID 5032  C:\Windows\SysWOW64\Nqcejcha.exe  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class]
 46  PID 4976  C:\Windows\SysWOW64\Nbebbk32.exe  [Executes dropped EXE]
 47  PID 3904  C:\Windows\SysWOW64\Niojoeel.exe  [Executes dropped EXE]
 48  PID 1816  C:\Windows\SysWOW64\Ofckhj32.exe  [Executes dropped EXE; Drops file in System32 directory]
 49  PID 4604  C:\Windows\SysWOW64\Oiagde32.exe  [Executes dropped EXE]
 50  PID 3236  C:\Windows\SysWOW64\Ookoaokf.exe  [Executes dropped EXE]
 51  PID 1656  C:\Windows\SysWOW64\Edihdb32.exe  [Executes dropped EXE]
 52  PID 4292  C:\Windows\SysWOW64\Fggdpnkf.exe  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory]
 53  PID 3780  C:\Windows\SysWOW64\Fjeplijj.exe  [Executes dropped EXE]
 54  PID 2484  C:\Windows\SysWOW64\Famhmfkl.exe  [Executes dropped EXE]
 55  PID 3576  C:\Windows\SysWOW64\Fcneeo32.exe  [Executes dropped EXE]
 56  PID 2812  C:\Windows\SysWOW64\Fkemfl32.exe  [Executes dropped EXE]
 57  PID 4952  C:\Windows\SysWOW64\Fdmaoahm.exe  [Executes dropped EXE]
 58  PID 2716  C:\Windows\SysWOW64\Fglnkm32.exe  [Executes dropped EXE; Drops file in System32 directory]
 59  PID 708   C:\Windows\SysWOW64\Fnffhgon.exe  [Executes dropped EXE]
 60  PID 1536  C:\Windows\SysWOW64\Fcbnpnme.exe  [Executes dropped EXE; Modifies registry class]
 61  PID 228   C:\Windows\SysWOW64\Fjmfmh32.exe  [Executes dropped EXE]
 62  PID 4796  C:\Windows\SysWOW64\Fqfojblo.exe  [Executes dropped EXE; Drops file in System32 directory]
 63  PID 2152  C:\Windows\SysWOW64\Fjocbhbo.exe  [Executes dropped EXE]
 64  PID 1936  C:\Windows\SysWOW64\Fqikob32.exe  [Executes dropped EXE]
 65  PID 1780  C:\Windows\SysWOW64\Ggccllai.exe  [Executes dropped EXE]
 66  PID 876   C:\Windows\SysWOW64\Gkalbj32.exe
 67  PID 4680  C:\Windows\SysWOW64\Madbagif.exe
 68  PID 4060  C:\Windows\SysWOW64\Mhnjna32.exe
 69  PID 4216  C:\Windows\SysWOW64\Mohbjkgp.exe  [Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class]
 70  PID 1476  C:\Windows\SysWOW64\Mebkge32.exe
 71  PID 4436  C:\Windows\SysWOW64\Mojopk32.exe  [Modifies registry class]
 72  PID 1412  C:\Windows\SysWOW64\Nhbciqln.exe  [Adds autorun key to be loaded by Explorer.exe on startup]
 73  PID 2584  C:\Windows\SysWOW64\Pijcpmhc.exe
 74  PID 1036  C:\Windows\SysWOW64\Podkmgop.exe
 75  PID 2440  C:\Windows\SysWOW64\Pcpgmf32.exe
 76  PID 2100  C:\Windows\SysWOW64\Pdqcenmg.exe
 77  PID 4992  C:\Windows\SysWOW64\Pkklbh32.exe  [Modifies registry class]
 78  PID 2984  C:\Windows\SysWOW64\Pecpknke.exe
 79  PID 4760  C:\Windows\SysWOW64\Pmjhlklg.exe
 80  PID 3752  C:\Windows\SysWOW64\Pcdqhecd.exe
 81  PID 2728  C:\Windows\SysWOW64\Peempn32.exe  [Modifies registry class]
 82  PID 900   C:\Windows\SysWOW64\Piceflpi.exe  [Adds autorun key to be loaded by Explorer.exe on startup]
 83  PID 1140  C:\Windows\SysWOW64\Pomncfge.exe
 84  PID 336   C:\Windows\SysWOW64\Bipnihgi.exe
 85  PID 2872  C:\Windows\SysWOW64\Ciknefmk.exe
 86  PID 216   C:\Windows\SysWOW64\Ellpmolj.exe
 87  PID 4368  C:\Windows\SysWOW64\Gnjhhpgl.exe  [Adds autorun key to be loaded by Explorer.exe on startup]
 88  PID 2088  C:\Windows\SysWOW64\Ggicbe32.exe  [Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory]
 89  PID 2840  C:\Windows\SysWOW64\Gjhonp32.exe
 90  PID 540   C:\Windows\SysWOW64\Gcpcgfmi.exe
 91  PID 5144  C:\Windows\SysWOW64\Hjjldpdf.exe
 92  PID 5184  C:\Windows\SysWOW64\Hmhhpkcj.exe
 93  PID 5236  C:\Windows\SysWOW64\Hdppaidl.exe
 94  PID 5280  C:\Windows\SysWOW64\Hgnlmdcp.exe
 95  PID 5340  C:\Windows\SysWOW64\Hmkeekag.exe  [Adds autorun key to be loaded by Explorer.exe on startup]
 96  PID 5376  C:\Windows\SysWOW64\Hdbmfhbi.exe
 97  PID 5424  C:\Windows\SysWOW64\Hgpibdam.exe  [Adds autorun key to be loaded by Explorer.exe on startup]
 98  PID 5472  C:\Windows\SysWOW64\Hddilh32.exe
 99  PID 5524  C:\Windows\SysWOW64\Hgbfhc32.exe  [Adds autorun key to be loaded by Explorer.exe on startup]
100  PID 5564  C:\Windows\SysWOW64\Hjabdo32.exe
101  PID 5604  C:\Windows\SysWOW64\Hdffah32.exe
102  PID 5648  C:\Windows\SysWOW64\Hfhbipdb.exe
103  PID 5696  C:\Windows\SysWOW64\Hnokjm32.exe
104  PID 5736  C:\Windows\SysWOW64\Hqmggi32.exe
105  PID 5780  C:\Windows\SysWOW64\Iggocbke.exe
106  PID 5820  C:\Windows\SysWOW64\Inagpm32.exe
107  PID 5868  C:\Windows\SysWOW64\Icnphd32.exe
108  PID 5904  C:\Windows\SysWOW64\Knifging.exe
109  PID 5948  C:\Windows\SysWOW64\Kebodc32.exe
110  PID 6000  C:\Windows\SysWOW64\Kfdklllb.exe
111  PID 6040  C:\Windows\SysWOW64\Knkcmild.exe  [Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory]
112  PID 6080  C:\Windows\SysWOW64\Keekjc32.exe
113  PID 6120  C:\Windows\SysWOW64\Kffhakjp.exe
114  PID 3632  C:\Windows\SysWOW64\Kmppneal.exe
115  PID 5228  C:\Windows\SysWOW64\Keghocao.exe
116  PID 5276  C:\Windows\SysWOW64\Kfidgk32.exe
117  PID 5372  C:\Windows\SysWOW64\Kejeebpl.exe  [Modifies registry class]
118  PID 5400  C:\Windows\SysWOW64\Kjfmminc.exe
119  PID 5516  C:\Windows\SysWOW64\Ldoafodd.exe
120  PID 5576  C:\Windows\SysWOW64\Oeopnmoa.exe  [Modifies registry class]
121  PID 5632  C:\Windows\SysWOW64\Ogqmee32.exe
122  PID 5732  C:\Windows\SysWOW64\Oogdfc32.exe
Two things to keep in mind when reading the tree. "Executes dropped EXE" is attached to exactly 64 processes (depths 2 to 65) and then stops, although depths 66 to 122 are the same pattern of a fresh SysWOW64 executable launching the next one; that looks like a per-signature cap on the IoCs the report lists rather than a change in behaviour, so the missing tag on later entries should not be read as "not dropped". PIDs 1476 (depths 3 and 70) and 2984 (depths 2 and 78) recur, which means earlier links in the chain exit and Windows reuses their PIDs; when correlating this tree with other telemetry, key on PID plus start time or chain position, not on PID alone.
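The tree above is a flat text dump: image path, command line and depth are fused on one line, signatures follow as bullets, and the PID sits either on its own line or at the end of the heading. Before hunting for these files it is worth turning that into structured data. The Python below is an added example, not part of the sandbox report or of the sandbox's own tooling; it parses that layout, links each process to its parent by depth, cross-checks the links against the report's "wrote to memory" rows, and lists the dropped executables as file IOCs. SAMPLE_TREE and SAMPLE_WPM are constructed inputs in the report's format (the first four entries of the tree plus the bare-PID Gkalbj32.exe entry, and "wrote to memory" rows for those links written without the report's trailing sequence column).

```python
"""Turn a sandbox process tree dump into a parent/child chain and pull hunt IOCs.

Added example, not part of the sandbox report.  The input layout is the one
the report above uses: a heading line fusing image path, command line and
nesting depth before the arrow glyph, then "- <signature>" bullets, then
"PID:<n> -" (or PID:<n> on the heading line when there are no bullets).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt in the report's format: the first four processes of the
# tree above plus one later entry (Gkalbj32.exe, depth 66) written in the
# bare "PID:<n>" style.  Depths 5..65 are deliberately absent.
SAMPLE_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\NEAS.15308b0ae3f6e911c70160cd230bfd90.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.15308b0ae3f6e911c70160cd230bfd90.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Kqdaadln.exeC:\Windows\system32\Kqdaadln.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Kkjeomld.exeC:\Windows\system32\Kkjeomld.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Knhakh32.exeC:\Windows\system32\Knhakh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Gkalbj32.exeC:\Windows\system32\Gkalbj32.exe66⤵PID:876
-
"""

# Constructed "wrote to memory" rows for the links the excerpt implies; the
# report's trailing sequence column is omitted because the parser ignores it.
SAMPLE_WPM = (
    "PID 3244 wrote to memory of 2984 3244 NEAS.15308b0ae3f6e911c70160cd230bfd90.exe "
    "PID 2984 wrote to memory of 1476 2984 Kqdaadln.exe "
    "PID 1476 wrote to memory of 2180 1476 Kkjeomld.exe"
)

HEAD_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\.*?\.exe)'      # image path, up to its first ".exe"
    r'(?P<cmd>"?[A-Za-z]:\\.*?\.exe"?)'     # command line fused directly after it
    r'(?P<depth>\d+)⤵'                      # nesting depth, then the arrow glyph
    r'(?:PID:(?P<pid>\d+))?\s*$'            # PID is here only when there are no bullets
)
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


@dataclass
class Proc:
    depth: int
    pid: int | None
    image: str
    cmdline: str
    tags: list[str] = field(default_factory=list)
    parent: Proc | None = None


def parse_tree(text: str) -> list[Proc]:
    """Parse heading/bullet/PID lines; link each process to the nearest earlier one at depth-1."""
    procs: list[Proc] = []
    cur: Proc | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":          # blank lines and the report's "-" separators
            continue
        m = HEAD_RE.match(line)
        if m:
            cur = Proc(int(m["depth"]), int(m["pid"]) if m["pid"] else None,
                       m["image"], m["cmd"].strip('"'))
            cur.parent = next((p for p in reversed(procs) if p.depth == cur.depth - 1), None)
            procs.append(cur)
        elif cur is not None and line.startswith("- "):
            cur.tags.append(line[2:].rstrip(" -"))
        elif cur is not None and line.startswith("PID:"):
            cur.pid = int(line[4:].rstrip(" -"))
    return procs


def parse_wpm(text: str) -> set[tuple[int, int]]:
    """Collect (writer_pid, target_pid) pairs from the 'wrote to memory' rows."""
    return {(int(a), int(b)) for a, b in WPM_RE.findall(text)}


def verify_chain(procs: list[Proc], wpm: set[tuple[int, int]]) -> list[tuple[int, int]]:
    """Parent/child links the tree implies but no WriteProcessMemory row backs up.

    A normal CreateProcess shows up as the parent writing into its new child, so
    every tree link should have a matching row; a missing one is worth a look.
    Processes whose parent lies outside the excerpt are skipped.
    """
    return [(p.parent.pid, p.pid) for p in procs
            if p.parent is not None and (p.parent.pid, p.pid) not in wpm]


def dropped_executables(procs: list[Proc]) -> list[str]:
    """Image paths tagged as dropped-and-executed: the file IOCs to hunt for."""
    return [p.image for p in procs if "Executes dropped EXE" in p.tags]


def wow64_redirected(p: Proc) -> bool:
    """True when the command line named System32 but the image ran from SysWOW64.

    A 32-bit process that opens the System32 directory is silently redirected
    to SysWOW64 by WOW64 file-system redirection, which is why the report shows
    both paths for every dropped executable of this x86 sample.
    """
    return "\\system32\\" in p.cmdline.lower() and "\\syswow64\\" in p.image.lower()


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    for p in tree:
        parent = p.parent.pid if p.parent else "?"
        print(f"{p.depth:>3} pid={p.pid} parent={parent} {p.image} {p.tags}")
    print("dropped:", dropped_executables(tree))
    print("unbacked links:", verify_chain(tree, parse_wpm(SAMPLE_WPM)))
```

Run stand-alone it prints the five-entry chain, the three dropped images, and an empty list of unbacked links; the depth-66 entry has no parent because the excerpt omits depths 5 to 65. On the full tree, PIDs 1476 and 2984 recur later in the chain, so when keying on (parent, child) PID pairs over the whole report, match on chain position as well as PID.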