Analysis
max time kernel: 162s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2023 20:29

Static task: static1 (1 signatures)

Behavioral task: behavioral1
Sample: NEAS.7cae0cac28a804065bec3f7c9b3d9eb0.exe
Resource: win7-20230831-en (windows7-x64)
6 signatures, 150 seconds

Behavioral task: behavioral2
Sample: NEAS.7cae0cac28a804065bec3f7c9b3d9eb0.exe
Resource: win10v2004-20230915-en (windows10-2004-x64)
6 signatures, 150 seconds
General
Target: NEAS.7cae0cac28a804065bec3f7c9b3d9eb0.exe
Size: 368KB
MD5: 7cae0cac28a804065bec3f7c9b3d9eb0
SHA1: 51a966f962db7dddc9d56855d9187f5a44bc429b
SHA256: 28a822d9e869715fa72c66fc2e5a649d1956930802dd27519df715f3af083fa5
SHA512: ecf194f64c0096ed8515d2a5b0ef9a700a4c4cdf239a3a90491fb957a7f5febc80f0775b4b0439a6972c062304a016ec205f03c5a76bf1cfff3851e5c68d8fc7
SSDEEP: 6144:4pMCxCAHH19s7YsDnE4f9FIUpOVw86CmOJfTo9FIUIhrcflDMxy9FIUpOVw86CmH:MxCAn19s7YvaAD6RrI1+lDMEAD6Rr2Na
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onkbenbi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohjlqklp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gffhbljh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfonfp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbjnlfnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jeidan32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aoioeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ngdmhimb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qmepkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aehghn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nflkkf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jdkkjl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfoahd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbjbfclk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmpgfjmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pmafpchb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcoapami.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdaigi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ofaeffpa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijadljdg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Knofif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Iohlcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aploae32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dadlmanj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fcbehbim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cpajdc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Onkbenbi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmkbpk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmpoemef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ckealm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jnjednnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bhpopb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dplebmbl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dabhmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Noijmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bdpanj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enmjedpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cmblhh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Knioij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ahjmne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ggldde32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Legjgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Flfjjkgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kobnji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dljqjjnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Qmepkb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgibil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nmajmaoi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olidijjf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpnncl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfklamii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kjhccf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dgeegled.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jmpgfjmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nmfchq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ojcghc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gahcgg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjhlipla.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjgneg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Adcjhf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Amnlfk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gaoihfoo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjjgbhlm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blieeglf.exe
Executes dropped EXE (64 IoCs)
pid | Process
1988 | Qpkppbho.exe
2272 | Bgeadjai.exe
2480 | Bndblcdq.exe
1436 | Ckafkfkp.exe
1536 | Dbdano32.exe
5052 | Deejpjgc.exe
1112 | Dicbfhni.exe
4964 | Elfhmc32.exe
836 | Flpkcbqm.exe
1568 | Fhkecb32.exe
3600 | Ghpooanf.exe
4904 | Gahcgg32.exe
3800 | Gaoihfoo.exe
784 | Hembndee.exe
1920 | Hakidd32.exe
744 | Icooig32.exe
2212 | Iohlcg32.exe
3424 | Jhcmbm32.exe
3780 | Jfgnka32.exe
1348 | Kbgafqla.exe
2604 | Lmfhjhdm.exe
2644 | Lbgjmnno.exe
4808 | Niblafgi.exe
232 | Ppoijn32.exe
1948 | Pllppnnm.exe
2056 | Admkgifd.exe
1500 | Bgbmdd32.exe
2648 | Bnaolm32.exe
4412 | Bcpdidol.exe
3972 | Cmblhh32.exe
2396 | Dgliapic.exe
2808 | Dcegkamd.exe
4952 | Dnmgni32.exe
4180 | Ejfeij32.exe
488 | Elhnhm32.exe
2780 | Enigjh32.exe
2192 | Flcndk32.exe
3740 | Flfjjkgi.exe
3668 | Glmqjj32.exe
3472 | Glompi32.exe
2496 | Haeino32.exe
3888 | Hdfapjbl.exe
4924 | Ikbfbdgf.exe
2932 | Iamoon32.exe
4760 | Ikgpmc32.exe
1856 | Jnjednnp.exe
1736 | Jojboa32.exe
3296 | Kaaaak32.exe
32 | Kkjejqcl.exe
2420 | Lofjam32.exe
4588 | Mnpami32.exe
2064 | Mpdgbkab.exe
4880 | Nlmdml32.exe
5100 | Nlbnhkqo.exe
3360 | Omdghmfo.exe
2956 | Olidijjf.exe
704 | Ofcaab32.exe
4864 | Pbjbfclk.exe
3516 | Ppnbpg32.exe
2960 | Pemhmn32.exe
4452 | Pmfldkei.exe
2120 | Peaahmcd.exe
1620 | Qfanbpjg.exe
5084 | Aploae32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Dfcqjg32.exe | Cikgecag.exe
File created | C:\Windows\SysWOW64\Kgjlgghg.dll | Pmfldkei.exe
File created | C:\Windows\SysWOW64\Qmepkb32.exe | Qdmkbmnl.exe
File created | C:\Windows\SysWOW64\Diclff32.exe | Dohkhq32.exe
File opened for modification | C:\Windows\SysWOW64\Phcgmffo.exe | Pmnbpm32.exe
File created | C:\Windows\SysWOW64\Mgddal32.exe | Mmlphfed.exe
File created | C:\Windows\SysWOW64\Dadlmanj.exe | Dlegokbe.exe
File created | C:\Windows\SysWOW64\Aaeomcoo.dll | Maefnk32.exe
File opened for modification | C:\Windows\SysWOW64\Lgamhjja.exe | Lnihod32.exe
File created | C:\Windows\SysWOW64\Flplcjpa.dll | Gmnfglcd.exe
File created | C:\Windows\SysWOW64\Obhmpl32.dll | Gpnfak32.exe
File opened for modification | C:\Windows\SysWOW64\Iefgln32.exe | Ipjocgdm.exe
File created | C:\Windows\SysWOW64\Hmifcjif.exe | Hfonfp32.exe
File created | C:\Windows\SysWOW64\Jbilnkjc.exe | Jkkjfa32.exe
File created | C:\Windows\SysWOW64\Medqmb32.exe | Mojhphij.exe
File opened for modification | C:\Windows\SysWOW64\Fmkgdgej.exe | Ffaogm32.exe
File opened for modification | C:\Windows\SysWOW64\Oijqbh32.exe | Obphenpj.exe
File opened for modification | C:\Windows\SysWOW64\Dapcab32.exe | Cafpkc32.exe
File created | C:\Windows\SysWOW64\Bnlfli32.dll | Mjjkkghp.exe
File opened for modification | C:\Windows\SysWOW64\Ofaeffpa.exe | Npgmjl32.exe
File created | C:\Windows\SysWOW64\Amegnd32.dll | Ebapednb.exe
File created | C:\Windows\SysWOW64\Mfomiaim.dll | Qpkppbho.exe
File created | C:\Windows\SysWOW64\Onkbenbi.exe | Ogoncd32.exe
File created | C:\Windows\SysWOW64\Ggcphj32.dll | Biolkc32.exe
File opened for modification | C:\Windows\SysWOW64\Bpnncl32.exe | Bbjmih32.exe
File opened for modification | C:\Windows\SysWOW64\Mnochl32.exe | Mciokcgg.exe
File created | C:\Windows\SysWOW64\Lnqdkljp.dll | Eggbbhkj.exe
File opened for modification | C:\Windows\SysWOW64\Blkkaohc.exe | Algbfo32.exe
File created | C:\Windows\SysWOW64\Jeolonem.exe | Ifefbbdj.exe
File created | C:\Windows\SysWOW64\Afboll32.exe | Ohjlqklp.exe
File created | C:\Windows\SysWOW64\Cqgojchn.dll | Knmicfnn.exe
File opened for modification | C:\Windows\SysWOW64\Akamol32.exe | Aepklffh.exe
File created | C:\Windows\SysWOW64\Qfilee32.dll | Fechhcal.exe
File created | C:\Windows\SysWOW64\Bgeadjai.exe | Qpkppbho.exe
File created | C:\Windows\SysWOW64\Abodhpic.exe | Aghdco32.exe
File created | C:\Windows\SysWOW64\Gfcnka32.exe | Ggldde32.exe
File created | C:\Windows\SysWOW64\Ipenifka.dll | Iplkje32.exe
File created | C:\Windows\SysWOW64\Jkimgh32.dll | Plijbblh.exe
File created | C:\Windows\SysWOW64\Jkbfafel.exe | Jdhndlno.exe
File created | C:\Windows\SysWOW64\Emanepld.exe | Cfglahbj.exe
File created | C:\Windows\SysWOW64\Ojfbof32.dll | Kbgafqla.exe
File created | C:\Windows\SysWOW64\Ogoncd32.exe | Ongijo32.exe
File opened for modification | C:\Windows\SysWOW64\Lmppmh32.exe | Libggiik.exe
File opened for modification | C:\Windows\SysWOW64\Bminokil.exe | Afmhma32.exe
File opened for modification | C:\Windows\SysWOW64\Ohboeenl.exe | Noijmp32.exe
File opened for modification | C:\Windows\SysWOW64\Abodhpic.exe | Aghdco32.exe
File opened for modification | C:\Windows\SysWOW64\Hfklamii.exe | Hkehdd32.exe
File created | C:\Windows\SysWOW64\Jcjkma32.dll | Hlqmla32.exe
File created | C:\Windows\SysWOW64\Dopkkhlp.dll | Ibohid32.exe
File opened for modification | C:\Windows\SysWOW64\Jfaenqjm.exe | Jpdqlgdc.exe
File opened for modification | C:\Windows\SysWOW64\Gifadggi.exe | Gffhbljh.exe
File created | C:\Windows\SysWOW64\Aijjfpab.dll | Hdclbopg.exe
File created | C:\Windows\SysWOW64\Mjcjof32.dll | Ekkkip32.exe
File created | C:\Windows\SysWOW64\Ggldde32.exe | Fpnfbi32.exe
File created | C:\Windows\SysWOW64\Mgbnfb32.exe | Maefnk32.exe
File created | C:\Windows\SysWOW64\Cifmjd32.exe | Bgbdml32.exe
File opened for modification | C:\Windows\SysWOW64\Plndma32.exe | Pkngco32.exe
File created | C:\Windows\SysWOW64\Nmfchq32.exe | Nflkkf32.exe
File created | C:\Windows\SysWOW64\Hkccibof.dll | Glompi32.exe
File created | C:\Windows\SysWOW64\Kigmbohp.dll | Bfqkmj32.exe
File created | C:\Windows\SysWOW64\Mffnilka.dll | Cjecjahd.exe
File opened for modification | C:\Windows\SysWOW64\Aafefq32.exe | Alimnj32.exe
File created | C:\Windows\SysWOW64\Cfglahbj.exe | Cjpllgme.exe
File created | C:\Windows\SysWOW64\Ajikhfpg.exe | Ahhbfkbf.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
8792 | 8680 | WerFault.exe | 617
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aecpnk32.dll" | Ejjgic32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kghjakbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hebpje32.dll" | Kbbhjc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kjhlipla.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Conagl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dbdano32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pceihj32.dll" | Opqopj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqcahm32.dll" | Jcoapami.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbdckd32.dll" | Fmcjiagf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Niblafgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hjeiai32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jgqdal32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dohkhq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mplhjabe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bmeagjbo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Pcgdcome.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ifefbbdj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dfknem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pmjpod32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Llmhkd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Babgcniq.dll" | Liaqlcep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acedfl32.dll" | Ljfodd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lnjnjn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Oijqbh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fblifijc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmpgi32.dll" | Hbchnfei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiimbin.dll" | Hifcqo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Amnlfk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dhdaao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdfeigjf.dll" | Aohbbqme.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jipqkopf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ehpamnaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkihhq32.dll" | Fdiohnek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kolaqh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dadlmanj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aekpqihf.dll" | Lbmheomi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Omegdebp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fgpilc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihggn32.dll" | Qdjgbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beceljkb.dll" | Pijiif32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bjodch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlpefa32.dll" | Phodlm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Phaabm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifmfpgbc.dll" | Kkjejqcl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Oijqbh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knlfkb32.dll" | Dhnlapbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Enmjedpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fdiohnek.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Knmicfnn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | NEAS.7cae0cac28a804065bec3f7c9b3d9eb0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ikgpmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccoloed.dll" | Mnpami32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mhenpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Coldbl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dkdmpl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Edjgpi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Nladpo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Qfanbpjg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Oiagcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Afmhma32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cneknh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Abodhpic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmfha32.dll" | Afmhma32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Iepako32.exe
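The two registry signatures above describe a single persistence mechanism read in two halves: the "Web Event Logger" value under ShellServiceObjectDelayLoad names a CLSID, and that CLSID's InProcServer32 default value names the DLL Explorer.exe will load at logon. What the flat lists hide is that one CLSID is re-pointed at dozens of different DLLs by dozens of different short-lived processes. The script below is an added example written for this page, not part of the sandbox's output; it parses the "description ioc Process" line layout shown above and joins the entries per CLSID. The sample lines are a constructed subset copied from the two signatures; the regular expressions assume exactly that layout.

```python
r"""Join the registry IoCs of a sandbox report into one persistence picture per CLSID.

Line formats handled (as printed in the two registry signatures above):
  Key created <key> <process>
  Set value (str) <key>\<value name> = "<data>" <process>
A trailing backslash on the key path means the (Default) value was written.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the "Adds autorun key ..."
# and "Modifies registry class" signatures of the report above.
SAMPLE_LINES = r"""
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onkbenbi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jeidan32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Onkbenbi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID NEAS.7cae0cac28a804065bec3f7c9b3d9eb0.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kghjakbl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aecpnk32.dll" Ejjgic32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hjeiai32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hebpje32.dll" Kbbhjc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmfha32.dll" Afmhma32.exe
""".strip().splitlines()

SET_RE = re.compile(r'^Set value \((?P<kind>\w+)\) (?P<path>.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<path>\S+) (?P<proc>\S+)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')


def parse_line(line):
    """One report line -> dict(op, key, name, data, process), or None if unrecognised."""
    line = line.strip()
    if m := SET_RE.match(line):
        key, _, name = m["path"].rpartition("\\")   # "" name == the (Default) value
        # The report doubles backslashes inside quoted data; undo that.
        return {"op": "set", "key": key, "name": name,
                "data": m["data"].replace("\\\\", "\\"), "process": m["proc"]}
    if m := KEY_RE.match(line):
        return {"op": "key", "key": m["path"], "name": None, "data": None, "process": m["proc"]}
    return None


def correlate(entries):
    """Group SSODL hooks and CLSID server registrations by CLSID."""
    by_clsid = defaultdict(lambda: {"ssodl_name": None, "inproc_dlls": set(),
                                    "threading": None, "writers": set()})
    for e in entries:
        key_l = e["key"].lower()
        if key_l.endswith("\\shellserviceobjectdelayload"):
            # The value data is the CLSID that Explorer instantiates at logon.
            if e["op"] == "set" and (m := CLSID_RE.search(e["data"])):
                rec = by_clsid[m[0].upper()]
                rec["ssodl_name"] = e["name"]
                rec["writers"].add(e["process"])
        elif key_l.endswith("\\inprocserver32") and (m := CLSID_RE.search(e["key"])):
            rec = by_clsid[m[0].upper()]
            rec["writers"].add(e["process"])
            if e["op"] == "set":
                if e["name"] == "":                      # (Default) = server DLL path
                    rec["inproc_dlls"].add(e["data"])
                elif e["name"].lower() == "threadingmodel":
                    rec["threading"] = e["data"]
    return {c: {**r, "inproc_dlls": sorted(r["inproc_dlls"]), "writers": sorted(r["writers"])}
            for c, r in by_clsid.items()}


def analyze(lines):
    return correlate([e for e in map(parse_line, lines) if e])


def findings(report):
    """One line per CLSID that is hooked into SSODL. The signal worth alerting on is a
    CLSID whose server DLL was rewritten by several different processes."""
    out = []
    for clsid, r in report.items():
        if r["ssodl_name"] is None:
            continue   # CLSID registered but never hooked into Explorer start-up
        out.append(f"SSODL {r['ssodl_name']!r} -> {clsid}: {len(r['inproc_dlls'])} distinct "
                   f"InProcServer32 DLL(s), {len(r['writers'])} writer process(es), "
                   f"ThreadingModel={r['threading']}")
    return out


if __name__ == "__main__":
    for line in findings(analyze(SAMPLE_LINES)):
        print(line)
```

On a live host the same join is done against exported hives; check both the native key and the WOW6432Node view, because a 32-bit sample (arch:x86 in the resource tags above) lands in WOW6432Node and is invisible if only the 64-bit view is queried. The full report lists 64 entries in each of the two signatures, so run over those lists rather than the subset embedded here.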
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent-to-child pair appears three times in the report (three separate WriteProcessMemory calls); the repeats are collapsed into the last column.
description | pid | Process | procid_target | occurrences
PID 1916 wrote to memory of 1988 | 1916 | NEAS.7cae0cac28a804065bec3f7c9b3d9eb0.exe | 86 | 3
PID 1988 wrote to memory of 2272 | 1988 | Qpkppbho.exe | 87 | 3
PID 2272 wrote to memory of 2480 | 2272 | Bgeadjai.exe | 88 | 3
PID 2480 wrote to memory of 1436 | 2480 | Bndblcdq.exe | 89 | 3
PID 1436 wrote to memory of 1536 | 1436 | Ckafkfkp.exe | 90 | 3
PID 1536 wrote to memory of 5052 | 1536 | Dbdano32.exe | 91 | 3
PID 5052 wrote to memory of 1112 | 5052 | Deejpjgc.exe | 92 | 3
PID 1112 wrote to memory of 4964 | 1112 | Dicbfhni.exe | 93 | 3
PID 4964 wrote to memory of 836 | 4964 | Elfhmc32.exe | 94 | 3
PID 836 wrote to memory of 1568 | 836 | Flpkcbqm.exe | 95 | 3
PID 1568 wrote to memory of 3600 | 1568 | Fhkecb32.exe | 96 | 3
PID 3600 wrote to memory of 4904 | 3600 | Ghpooanf.exe | 97 | 3
PID 4904 wrote to memory of 3800 | 4904 | Gahcgg32.exe | 99 | 3
PID 3800 wrote to memory of 784 | 3800 | Gaoihfoo.exe | 101 | 3
PID 784 wrote to memory of 1920 | 784 | Hembndee.exe | 102 | 3
PID 1920 wrote to memory of 744 | 1920 | Hakidd32.exe | 103 | 3
PID 744 wrote to memory of 2212 | 744 | Icooig32.exe | 104 | 3
PID 2212 wrote to memory of 3424 | 2212 | Iohlcg32.exe | 105 | 3
PID 3424 wrote to memory of 3780 | 3424 | Jhcmbm32.exe | 106 | 3
PID 3780 wrote to memory of 1348 | 3780 | Jfgnka32.exe | 107 | 3
PID 1348 wrote to memory of 2604 | 1348 | Kbgafqla.exe | 108 | 3
PID 2604 wrote to memory of 2644 | 2604 | Lmfhjhdm.exe | 109 | 1 (list cut off at the 64-entry limit)
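Read together with the "Executes dropped EXE" and "Drops file in System32 directory" lists, the WriteProcessMemory entries above describe one long linear chain: each stage drops the next stage's executable into SysWOW64, launches it (the three writes into the fresh child are the process-start handshake the sandbox records), and the child repeats the cycle. The script below is an added example written for this page, not sandbox output; it reconstructs that chain from the report's own three line layouts and checks, per hop, whether the parent was also the process that dropped the child's image. The sample lines are a constructed subset copied from the sections above, and the regular expressions assume exactly those layouts.

```python
r"""Rebuild the execution chain of a sample from sandbox report lines.

Line formats handled (as printed in the report above):
  PID <p> wrote to memory of <c> <p> <parent image> <n>      (Suspicious use of WriteProcessMemory)
  <pid> <image>                                             (Executes dropped EXE)
  File created C:\Windows\SysWOW64\<file> <creator image>   (Drops file in System32 directory)
"""
import re
from collections import Counter, defaultdict

# Constructed sample: the first five hops of the chain plus the matching entries of
# the other two lists, copied from the report above.
SAMPLE = r"""
PID 1916 wrote to memory of 1988 1916 NEAS.7cae0cac28a804065bec3f7c9b3d9eb0.exe 86
PID 1916 wrote to memory of 1988 1916 NEAS.7cae0cac28a804065bec3f7c9b3d9eb0.exe 86
PID 1916 wrote to memory of 1988 1916 NEAS.7cae0cac28a804065bec3f7c9b3d9eb0.exe 86
PID 1988 wrote to memory of 2272 1988 Qpkppbho.exe 87
PID 1988 wrote to memory of 2272 1988 Qpkppbho.exe 87
PID 1988 wrote to memory of 2272 1988 Qpkppbho.exe 87
PID 2272 wrote to memory of 2480 2272 Bgeadjai.exe 88
PID 2272 wrote to memory of 2480 2272 Bgeadjai.exe 88
PID 2272 wrote to memory of 2480 2272 Bgeadjai.exe 88
PID 2480 wrote to memory of 1436 2480 Bndblcdq.exe 89
PID 2480 wrote to memory of 1436 2480 Bndblcdq.exe 89
PID 2480 wrote to memory of 1436 2480 Bndblcdq.exe 89
PID 1436 wrote to memory of 1536 1436 Ckafkfkp.exe 90
PID 1436 wrote to memory of 1536 1436 Ckafkfkp.exe 90
PID 1436 wrote to memory of 1536 1436 Ckafkfkp.exe 90
1988 Qpkppbho.exe
2272 Bgeadjai.exe
2480 Bndblcdq.exe
1436 Ckafkfkp.exe
1536 Dbdano32.exe
File created C:\Windows\SysWOW64\Mfomiaim.dll Qpkppbho.exe
File created C:\Windows\SysWOW64\Bgeadjai.exe Qpkppbho.exe
""".strip().splitlines()

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")
EXEC_RE = re.compile(r"^(\d+) (\S+\.exe)$", re.IGNORECASE)
DROP_RE = re.compile(r"^File created (\S+) (\S+)$")


def parse(lines):
    """Return (write_counts, parent_of, image_of, dropped_by) built from the lines."""
    write_counts = Counter()   # (parent_pid, child_pid) -> number of WPM calls
    parent_of = {}             # child_pid -> parent_pid
    image_of = {}              # pid -> image name
    dropped_by = {}            # dropped file basename -> image that created it
    for line in lines:
        line = line.strip()
        if m := WPM_RE.match(line):
            ppid, cpid, pimg = int(m[1]), int(m[2]), m[3]
            write_counts[(ppid, cpid)] += 1
            parent_of[cpid] = ppid
            image_of[ppid] = pimg
        elif m := EXEC_RE.match(line):
            image_of[int(m[1])] = m[2]
        elif m := DROP_RE.match(line):
            dropped_by[m[1].rsplit("\\", 1)[-1]] = m[2]
    return write_counts, parent_of, image_of, dropped_by


def lineage(write_counts, parent_of, image_of, dropped_by):
    """Walk from the root (a writer that is nobody's child) down the chain.

    Each hop records the child, the number of WPM calls into it, how many children the
    parent had in total, and whether the parent also dropped the child's image."""
    children = defaultdict(list)
    for parent, child in write_counts:
        children[parent].append(child)
    roots = [p for p in children if p not in parent_of]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {roots}")
    hops, pid, seen = [], roots[0], {roots[0]}
    while children.get(pid):
        child = children[pid][0]
        if child in seen:            # defensive: a cycle would mean bad input
            break
        seen.add(child)
        cimg = image_of.get(child, "?")
        hops.append({
            "parent": (pid, image_of.get(pid, "?")),
            "child": (child, cimg),
            "wpm_calls": write_counts[(pid, child)],
            "fan_out": len(children[pid]),
            "dropped_by_parent": dropped_by.get(cimg) == image_of.get(pid),
        })
        pid = child
    return hops


def is_linear_chain(hops):
    """True when every stage launched exactly one child, the 'drop the next stage and run
    it' pattern this report shows, as opposed to a dropper fanning out into several children."""
    return bool(hops) and all(h["fan_out"] == 1 for h in hops)


if __name__ == "__main__":
    hops = lineage(*parse(SAMPLE))
    for h in hops:
        print(f"{h['parent'][1]} ({h['parent'][0]}) -> {h['child'][1]} ({h['child'][0]}): "
              f"{h['wpm_calls']} WPM calls, dropped by parent: {h['dropped_by_parent']}")
    print("linear chain:", is_linear_chain(hops), "depth:", len(hops) + 1)
```

The first hop reports dropped_by_parent as False only because the subset embedded here carries no "File created ... Qpkppbho.exe" line; the full report above does list Bgeadjai.exe as created by Qpkppbho.exe, which is why the second hop resolves to True. Run over the complete lists to get the answer for every stage.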
Processes
Each entry is the child of the one above it; the bracketed number is its depth in the tree. The on-disk path is C:\Windows\SysWOW64\... while the recorded command line says C:\Windows\system32\...: this is WOW64 file-system redirection for a 32-bit process on 64-bit Windows (consistent with the arch:x86 resource tag and the WOW6432Node registry paths in the signatures), so hunt for the files under SysWOW64, not System32.

[1] C:\Users\Admin\AppData\Local\Temp\NEAS.7cae0cac28a804065bec3f7c9b3d9eb0.exe (PID 1916)
    command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.7cae0cac28a804065bec3f7c9b3d9eb0.exe"
    signatures: Modifies registry class; Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Qpkppbho.exe (PID 1988)
    command line: C:\Windows\system32\Qpkppbho.exe
    signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\Bgeadjai.exe (PID 2272)
    command line: C:\Windows\system32\Bgeadjai.exe
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\Bndblcdq.exe (PID 2480)
    command line: C:\Windows\system32\Bndblcdq.exe
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\Ckafkfkp.exe (PID 1436)
    command line: C:\Windows\system32\Ckafkfkp.exe
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\Dbdano32.exe (PID 1536)
    command line: C:\Windows\system32\Dbdano32.exe
    signatures: Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\Deejpjgc.exe (PID 5052)
    command line: C:\Windows\system32\Deejpjgc.exe
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\Dicbfhni.exe (PID 1112)
    command line: C:\Windows\system32\Dicbfhni.exe
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
[9] C:\Windows\SysWOW64\Elfhmc32.exe (PID 4964)
    command line: C:\Windows\system32\Elfhmc32.exe
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\Flpkcbqm.exe (PID 836)
    command line: C:\Windows\system32\Flpkcbqm.exe
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
[11] C:\Windows\SysWOW64\Fhkecb32.exe (PID 1568)
    command line: C:\Windows\system32\Fhkecb32.exe
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\Ghpooanf.exe (PID 3600)
    command line: C:\Windows\system32\Ghpooanf.exe
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
[13] C:\Windows\SysWOW64\Gahcgg32.exe (PID 4904)
    command line: C:\Windows\system32\Gahcgg32.exe
    signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
[14] C:\Windows\SysWOW64\Gaoihfoo.exe (PID 3800)
    command line: C:\Windows\system32\Gaoihfoo.exe
    signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
[15] C:\Windows\SysWOW64\Hembndee.exe (PID 784)
    command line: C:\Windows\system32\Hembndee.exe
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
[16] C:\Windows\SysWOW64\Hakidd32.exe (PID 1920)
    command line: C:\Windows\system32\Hakidd32.exe
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
[17] C:\Windows\SysWOW64\Icooig32.exe (PID 744)
    command line: C:\Windows\system32\Icooig32.exe
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
[18] C:\Windows\SysWOW64\Iohlcg32.exe (PID 2212)
    command line: C:\Windows\system32\Iohlcg32.exe
    signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
[19] C:\Windows\SysWOW64\Jhcmbm32.exe (PID 3424)
    command line: C:\Windows\system32\Jhcmbm32.exe
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
[20] C:\Windows\SysWOW64\Jfgnka32.exe (PID 3780)
    command line: C:\Windows\system32\Jfgnka32.exe
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
[21] C:\Windows\SysWOW64\Kbgafqla.exe (PID 1348)
    command line: C:\Windows\system32\Kbgafqla.exe
    signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
[22] C:\Windows\SysWOW64\Lmfhjhdm.exe (PID 2604)
    command line: C:\Windows\system32\Lmfhjhdm.exe
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
[23] C:\Windows\SysWOW64\Lbgjmnno.exe (PID 2644)
    command line: C:\Windows\system32\Lbgjmnno.exe
    signatures: Executes dropped EXE
[24] C:\Windows\SysWOW64\Niblafgi.exe (PID 4808)
    command line: C:\Windows\system32\Niblafgi.exe
    signatures: Executes dropped EXE; Modifies registry class
[25] C:\Windows\SysWOW64\Ppoijn32.exe (PID 232)
    command line: C:\Windows\system32\Ppoijn32.exe
    signatures: Executes dropped EXE
[26] C:\Windows\SysWOW64\Pllppnnm.exe
    command line: C:\Windows\system32\Pllppnnm.exe
    (the page is cut off here; PID and signatures for this entry are not present)
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Admkgifd.exeC:\Windows\system32\Admkgifd.exe27⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Bgbmdd32.exeC:\Windows\system32\Bgbmdd32.exe28⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Bnaolm32.exeC:\Windows\system32\Bnaolm32.exe29⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Bcpdidol.exeC:\Windows\system32\Bcpdidol.exe30⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Cmblhh32.exeC:\Windows\system32\Cmblhh32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Dgliapic.exeC:\Windows\system32\Dgliapic.exe32⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Dcegkamd.exeC:\Windows\system32\Dcegkamd.exe33⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Dnmgni32.exeC:\Windows\system32\Dnmgni32.exe34⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Ejfeij32.exeC:\Windows\system32\Ejfeij32.exe35⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Elhnhm32.exeC:\Windows\system32\Elhnhm32.exe36⤵
- Executes dropped EXE
PID:488 -
C:\Windows\SysWOW64\Enigjh32.exeC:\Windows\system32\Enigjh32.exe37⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Flcndk32.exeC:\Windows\system32\Flcndk32.exe38⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Flfjjkgi.exeC:\Windows\system32\Flfjjkgi.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Glmqjj32.exeC:\Windows\system32\Glmqjj32.exe40⤵
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Glompi32.exeC:\Windows\system32\Glompi32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3472 -
C:\Windows\SysWOW64\Haeino32.exeC:\Windows\system32\Haeino32.exe42⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Hdfapjbl.exeC:\Windows\system32\Hdfapjbl.exe43⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Ikbfbdgf.exeC:\Windows\system32\Ikbfbdgf.exe44⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Iamoon32.exeC:\Windows\system32\Iamoon32.exe45⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Ikgpmc32.exeC:\Windows\system32\Ikgpmc32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:4760 -
C:\Windows\SysWOW64\Jnjednnp.exeC:\Windows\system32\Jnjednnp.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Jojboa32.exeC:\Windows\system32\Jojboa32.exe48⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Kaaaak32.exeC:\Windows\system32\Kaaaak32.exe49⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Kkjejqcl.exeC:\Windows\system32\Kkjejqcl.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:32 -
C:\Windows\SysWOW64\Lofjam32.exeC:\Windows\system32\Lofjam32.exe51⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Mnpami32.exeC:\Windows\system32\Mnpami32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:4588 -
C:\Windows\SysWOW64\Mpdgbkab.exeC:\Windows\system32\Mpdgbkab.exe53⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Nlmdml32.exeC:\Windows\system32\Nlmdml32.exe54⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Nlbnhkqo.exeC:\Windows\system32\Nlbnhkqo.exe55⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Omdghmfo.exeC:\Windows\system32\Omdghmfo.exe56⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Olidijjf.exeC:\Windows\system32\Olidijjf.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Ofcaab32.exeC:\Windows\system32\Ofcaab32.exe58⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Pbjbfclk.exeC:\Windows\system32\Pbjbfclk.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Ppnbpg32.exeC:\Windows\system32\Ppnbpg32.exe60⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Pemhmn32.exeC:\Windows\system32\Pemhmn32.exe61⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Pmfldkei.exeC:\Windows\system32\Pmfldkei.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4452 -
C:\Windows\SysWOW64\Peaahmcd.exeC:\Windows\system32\Peaahmcd.exe63⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Qfanbpjg.exeC:\Windows\system32\Qfanbpjg.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Aploae32.exeC:\Windows\system32\Aploae32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Aidcjk32.exeC:\Windows\system32\Aidcjk32.exe66⤵PID:3620
-
C:\Windows\SysWOW64\Aghdco32.exeC:\Windows\system32\Aghdco32.exe67⤵
- Drops file in System32 directory
PID:840 -
C:\Windows\SysWOW64\Abodhpic.exeC:\Windows\system32\Abodhpic.exe68⤵
- Modifies registry class
PID:4424 -
C:\Windows\SysWOW64\Aohbbqme.exeC:\Windows\system32\Aohbbqme.exe69⤵
- Modifies registry class
PID:4664 -
C:\Windows\SysWOW64\Bojohp32.exeC:\Windows\system32\Bojohp32.exe70⤵PID:3968
-
C:\Windows\SysWOW64\Boohcpgm.exeC:\Windows\system32\Boohcpgm.exe71⤵PID:4700
-
C:\Windows\SysWOW64\Cpcnhbjj.exeC:\Windows\system32\Cpcnhbjj.exe72⤵PID:3004
-
C:\Windows\SysWOW64\Cjpllgme.exeC:\Windows\system32\Cjpllgme.exe73⤵
- Drops file in System32 directory
PID:4012 -
C:\Windows\SysWOW64\Cfglahbj.exeC:\Windows\system32\Cfglahbj.exe74⤵
- Drops file in System32 directory
PID:4296 -
C:\Windows\SysWOW64\Emanepld.exeC:\Windows\system32\Emanepld.exe75⤵PID:3452
-
C:\Windows\SysWOW64\Eggbbhkj.exeC:\Windows\system32\Eggbbhkj.exe76⤵
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Ejhkdc32.exeC:\Windows\system32\Ejhkdc32.exe77⤵PID:5076
-
C:\Windows\SysWOW64\Ejjgic32.exeC:\Windows\system32\Ejjgic32.exe78⤵
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Egnhcgeb.exeC:\Windows\system32\Egnhcgeb.exe79⤵PID:4912
-
C:\Windows\SysWOW64\Fmkqknci.exeC:\Windows\system32\Fmkqknci.exe80⤵PID:2380
-
C:\Windows\SysWOW64\Fpnfbi32.exeC:\Windows\system32\Fpnfbi32.exe81⤵
- Drops file in System32 directory
PID:4124 -
C:\Windows\SysWOW64\Ggldde32.exeC:\Windows\system32\Ggldde32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3864 -
C:\Windows\SysWOW64\Gfcnka32.exeC:\Windows\system32\Gfcnka32.exe83⤵PID:4048
-
C:\Windows\SysWOW64\Gmnfglcd.exeC:\Windows\system32\Gmnfglcd.exe84⤵
- Drops file in System32 directory
PID:3148 -
C:\Windows\SysWOW64\Gjagapbn.exeC:\Windows\system32\Gjagapbn.exe85⤵PID:2176
-
C:\Windows\SysWOW64\Hcjkje32.exeC:\Windows\system32\Hcjkje32.exe86⤵PID:100
-
C:\Windows\SysWOW64\Hmginjki.exeC:\Windows\system32\Hmginjki.exe87⤵PID:5088
-
C:\Windows\SysWOW64\Hfonfp32.exeC:\Windows\system32\Hfonfp32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4604 -
C:\Windows\SysWOW64\Hmifcjif.exeC:\Windows\system32\Hmifcjif.exe89⤵PID:1268
-
C:\Windows\SysWOW64\Iplkje32.exeC:\Windows\system32\Iplkje32.exe90⤵
- Drops file in System32 directory
PID:3488 -
C:\Windows\SysWOW64\Imbhiial.exeC:\Windows\system32\Imbhiial.exe91⤵PID:4616
-
C:\Windows\SysWOW64\Ihhmgaqb.exeC:\Windows\system32\Ihhmgaqb.exe92⤵PID:1540
-
C:\Windows\SysWOW64\Ipcakd32.exeC:\Windows\system32\Ipcakd32.exe93⤵PID:404
-
C:\Windows\SysWOW64\Ikifhm32.exeC:\Windows\system32\Ikifhm32.exe94⤵PID:2528
-
C:\Windows\SysWOW64\Jkkbnl32.exeC:\Windows\system32\Jkkbnl32.exe95⤵PID:3440
-
C:\Windows\SysWOW64\Jmnheggo.exeC:\Windows\system32\Jmnheggo.exe96⤵PID:700
-
C:\Windows\SysWOW64\Kobnji32.exeC:\Windows\system32\Kobnji32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4576 -
C:\Windows\SysWOW64\Knjhae32.exeC:\Windows\system32\Knjhae32.exe98⤵PID:3804
-
C:\Windows\SysWOW64\Khplnn32.exeC:\Windows\system32\Khplnn32.exe99⤵PID:380
-
C:\Windows\SysWOW64\Kolaqh32.exeC:\Windows\system32\Kolaqh32.exe100⤵
- Modifies registry class
PID:4076 -
C:\Windows\SysWOW64\Lkjhfh32.exeC:\Windows\system32\Lkjhfh32.exe101⤵PID:4684
-
C:\Windows\SysWOW64\Mhenpk32.exeC:\Windows\system32\Mhenpk32.exe102⤵
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Mnaghb32.exeC:\Windows\system32\Mnaghb32.exe103⤵PID:1876
-
C:\Windows\SysWOW64\Mhihkjfj.exeC:\Windows\system32\Mhihkjfj.exe104⤵PID:5140
-
C:\Windows\SysWOW64\Ngcngfgl.exeC:\Windows\system32\Ngcngfgl.exe105⤵PID:5184
-
C:\Windows\SysWOW64\Ngekmf32.exeC:\Windows\system32\Ngekmf32.exe106⤵PID:5224
-
C:\Windows\SysWOW64\Nbkojo32.exeC:\Windows\system32\Nbkojo32.exe107⤵PID:5276
-
C:\Windows\SysWOW64\Obphenpj.exeC:\Windows\system32\Obphenpj.exe108⤵
- Drops file in System32 directory
PID:5316 -
C:\Windows\SysWOW64\Oijqbh32.exeC:\Windows\system32\Oijqbh32.exe109⤵
- Modifies registry class
PID:5360 -
C:\Windows\SysWOW64\Ongijo32.exeC:\Windows\system32\Ongijo32.exe110⤵
- Drops file in System32 directory
PID:5404 -
C:\Windows\SysWOW64\Ogoncd32.exeC:\Windows\system32\Ogoncd32.exe111⤵
- Drops file in System32 directory
PID:5448 -
C:\Windows\SysWOW64\Onkbenbi.exeC:\Windows\system32\Onkbenbi.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5484 -
C:\Windows\SysWOW64\Oiagcg32.exeC:\Windows\system32\Oiagcg32.exe113⤵
- Modifies registry class
PID:5524 -
C:\Windows\SysWOW64\Pnnokn32.exeC:\Windows\system32\Pnnokn32.exe114⤵PID:5584
-
C:\Windows\SysWOW64\Pijiif32.exeC:\Windows\system32\Pijiif32.exe115⤵
- Modifies registry class
PID:5624 -
C:\Windows\SysWOW64\Qimfoe32.exeC:\Windows\system32\Qimfoe32.exe116⤵PID:5668
-
C:\Windows\SysWOW64\Qniogl32.exeC:\Windows\system32\Qniogl32.exe117⤵PID:5712
-
C:\Windows\SysWOW64\Qpikao32.exeC:\Windows\system32\Qpikao32.exe118⤵PID:5748
-
C:\Windows\SysWOW64\Qajhigcj.exeC:\Windows\system32\Qajhigcj.exe119⤵PID:5800
-
C:\Windows\SysWOW64\Ahfmka32.exeC:\Windows\system32\Ahfmka32.exe120⤵PID:5844
-
C:\Windows\SysWOW64\Algbfo32.exeC:\Windows\system32\Algbfo32.exe121⤵
- Drops file in System32 directory
PID:5888 -
C:\Windows\SysWOW64\Blkkaohc.exeC:\Windows\system32\Blkkaohc.exe122⤵PID:5932