Analysis
-
max time kernel
169s -
max time network
177s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
14-10-2023 17:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.307bb92cb11616a02e6565d328eb92a0.exe
Resource
win7-20230831-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.307bb92cb11616a02e6565d328eb92a0.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.307bb92cb11616a02e6565d328eb92a0.exe
-
Size
67KB
-
MD5
307bb92cb11616a02e6565d328eb92a0
-
SHA1
7e85a4a3b0d96b28e9b2e556dd06ab06e98726db
-
SHA256
98d24181b1dda6327fc1ae166ff7ac2fc5f8c39dd0193358a43863358074b3e0
-
SHA512
76554d72749cc0c62c83b349b3db09c13c4c2024f68a23bd0aca72142ff610237ca92e25eb4a1e25eed54e76bd23450a910f68fd36c4cfc6a95e1bef1e64ba30
-
SSDEEP
1536:peJxPojFJvxAGQA1/nU4U2n+sJifTduD4oTxw:percF4A1fJZ+sJibdMTxw
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcpffk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nanmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Banjnm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpacqg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnljkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqpfknbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nanmhf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlbcgj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkchoaif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnadkmhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgmhcaac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amibqhed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmepkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbeejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmjkka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mndapl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oegejc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aplaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekngemhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fboecfii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkajnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klceeejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmgelf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbghpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfdcbiol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcpffk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfhjefhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkjfakng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjpmfpid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmejlcoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfhjefhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hedaoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiiicf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apmhiq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhaggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppopcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aachaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljobiofi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppopcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qleahgff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpkllo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjaqih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfabhppm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcbfcigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kikafjoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohnelj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmfcok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgbjlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mccfnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibaeen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caqpkjcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplcnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcmodajm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjqdafmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhhgmlli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jedjkkmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmafpchb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchpibng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emmdom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfchlbfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pehnboko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lanpml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akniofoa.exe -
Executes dropped EXE 64 IoCs
pid Process 4864 Eiokinbk.exe 1428 Efblbbqd.exe 4168 Emmdom32.exe 2656 Ebimgcfi.exe 2676 Emoadlfo.exe 4796 Efgemb32.exe 3456 Emanjldl.exe 1912 Felbnn32.exe 1376 Fbpchb32.exe 1448 Fpdcag32.exe 3440 Fimhjl32.exe 4100 Fechomko.exe 3952 Gmojkj32.exe 1944 Gblbca32.exe 4448 Gmafajfi.exe 4068 Gbnoiqdq.exe 1548 Gmdcfidg.exe 3196 Gnepna32.exe 364 Gpelhd32.exe 1840 Gbchdp32.exe 4824 Gmimai32.exe 2964 Gbeejp32.exe 2776 Hpiecd32.exe 1632 Hoobdp32.exe 4744 Hlbcnd32.exe 1684 Hmbphg32.exe 4036 Hoclopne.exe 3756 Hlglidlo.exe 220 Ibaeen32.exe 1612 Iohejo32.exe 4176 Iinjhh32.exe 3600 Iojbpo32.exe 224 Ilnbicff.exe 5048 Ibhkfm32.exe 2748 Jekqmhia.exe 1920 Jpaekqhh.exe 4160 Jiiicf32.exe 2756 Jofalmmp.exe 2872 Jpenfp32.exe 3404 Jinboekc.exe 2204 Jphkkpbp.exe 3348 Jjpode32.exe 4072 Kpjgaoqm.exe 3692 Kgdpni32.exe 412 Knnhjcog.exe 4800 Kckqbj32.exe 4632 Kjeiodek.exe 736 Koaagkcb.exe 4284 Kjgeedch.exe 4260 Kodnmkap.exe 3492 Kfnfjehl.exe 656 Kcbfcigf.exe 4416 Lgdidgjg.exe 3332 Lggejg32.exe 4056 Lnangaoa.exe 1592 Lobjni32.exe 2608 Mjjkaabc.exe 4640 Mmhgmmbf.exe 5104 Mfchlbfd.exe 2640 Mcgiefen.exe 4876 Nmfcok32.exe 3792 Nfohgqlg.exe 3860 Nmkmjjaa.exe 776 Nceefd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pjbkal32.exe Phcogice.exe File created C:\Windows\SysWOW64\Cnpfje32.dll Jdhndlno.exe File created C:\Windows\SysWOW64\Glndff32.dll Bdbndjld.exe File opened for modification C:\Windows\SysWOW64\Ibaeen32.exe Hlglidlo.exe File created C:\Windows\SysWOW64\Jjpmfpid.exe Jfdafa32.exe File created C:\Windows\SysWOW64\Kjeiodek.exe Kckqbj32.exe File opened for modification C:\Windows\SysWOW64\Fjocbhbo.exe Fqfojblo.exe File created C:\Windows\SysWOW64\Lhfcek32.dll Jifabb32.exe File opened for modification C:\Windows\SysWOW64\Ckggnp32.exe Cpacqg32.exe File opened for modification C:\Windows\SysWOW64\Lfimmhkg.exe Lnbdlkje.exe File created C:\Windows\SysWOW64\Nfnooe32.exe Mieeka32.exe File created C:\Windows\SysWOW64\Omdghmfo.exe Ofjokc32.exe File opened for modification C:\Windows\SysWOW64\Qfpbfljd.exe Qofjjb32.exe File created C:\Windows\SysWOW64\Cbpedjip.dll Nhjbjp32.exe File opened for modification C:\Windows\SysWOW64\Nfohgqlg.exe Nmfcok32.exe File opened for modification C:\Windows\SysWOW64\Ifnkeb32.exe Iabodcnj.exe File created C:\Windows\SysWOW64\Ckpenokc.dll Eqpfknbj.exe File opened for modification C:\Windows\SysWOW64\Bjaqih32.exe Bpkllo32.exe File opened for modification C:\Windows\SysWOW64\Felbnn32.exe Emanjldl.exe File opened for modification C:\Windows\SysWOW64\Mfchlbfd.exe Mmhgmmbf.exe File created C:\Windows\SysWOW64\Dgfpihkg.dll Opclldhj.exe File created C:\Windows\SysWOW64\Aidehpea.exe Aplaoj32.exe File created C:\Windows\SysWOW64\Pllieg32.exe Pehnboko.exe File created C:\Windows\SysWOW64\Ibgkdmmh.dll Nnpalk32.exe File opened for modification C:\Windows\SysWOW64\Fdpnda32.exe Fbaahf32.exe File created C:\Windows\SysWOW64\Bfdkec32.dll Pplcnf32.exe File created C:\Windows\SysWOW64\Hiajeoip.exe Hbhbie32.exe File created C:\Windows\SysWOW64\Cgmhcaac.exe Caqpkjcl.exe File created C:\Windows\SysWOW64\Fohoiloe.dll Fqfojblo.exe File created C:\Windows\SysWOW64\Jggapj32.exe Jckeokan.exe File created C:\Windows\SysWOW64\Gbbfag32.dll Jedjkkmo.exe File created C:\Windows\SysWOW64\Eqblfm32.dll Ofjokc32.exe File opened for modification C:\Windows\SysWOW64\Bkeppeii.exe Bhgcdjje.exe File created C:\Windows\SysWOW64\Efdenq32.dll Hlbcgj32.exe File created C:\Windows\SysWOW64\Fechomko.exe Fimhjl32.exe File created C:\Windows\SysWOW64\Ccdihbgg.exe Cgmhcaac.exe File opened for modification C:\Windows\SysWOW64\Icmbcg32.exe Ilcjgm32.exe File created C:\Windows\SysWOW64\Cpojik32.dll Kpbmme32.exe File created C:\Windows\SysWOW64\Bccfleqi.exe Bminokil.exe File opened for modification C:\Windows\SysWOW64\Jpnhof32.exe Jcjgeb32.exe File created C:\Windows\SysWOW64\Blghiiea.dll Eqmlccdi.exe File created C:\Windows\SysWOW64\Iefedcmk.exe Hakidd32.exe File opened for modification C:\Windows\SysWOW64\Kdkdqinj.exe Kmdlolmg.exe File created C:\Windows\SysWOW64\Olmdln32.exe Nhjbjp32.exe File created C:\Windows\SysWOW64\Oaqbdc32.exe Oobfhh32.exe File created C:\Windows\SysWOW64\Cnbmaehm.dll Bminokil.exe File opened for modification C:\Windows\SysWOW64\Maggggaf.exe Mnhkklbb.exe File opened for modification C:\Windows\SysWOW64\Dibmfb32.exe Dfcqjg32.exe File opened for modification C:\Windows\SysWOW64\Fpdcag32.exe Fbpchb32.exe File created C:\Windows\SysWOW64\Jbklgfdh.dll Ibaeen32.exe File created C:\Windows\SysWOW64\Jqmicpbj.exe Jifabb32.exe File created C:\Windows\SysWOW64\Cdfbfb32.dll Jfbdpabn.exe File created C:\Windows\SysWOW64\Jhhgmlli.exe Jfikaqme.exe File opened for modification C:\Windows\SysWOW64\Phhhbi32.exe Pckpja32.exe File created C:\Windows\SysWOW64\Qfpbfljd.exe Qofjjb32.exe File created C:\Windows\SysWOW64\Ecipbbbk.dll Kdmqfi32.exe File created C:\Windows\SysWOW64\Mgclja32.exe Mchpibng.exe File opened for modification C:\Windows\SysWOW64\Jjqdafmp.exe Heepfn32.exe File created C:\Windows\SysWOW64\Dmbbmbea.dll Enlqdc32.exe File opened for modification C:\Windows\SysWOW64\Mkeeda32.exe Lnadkmhj.exe File created C:\Windows\SysWOW64\Ahfmpnql.exe Akblfj32.exe File created C:\Windows\SysWOW64\Apmfnbao.dll Kiomnk32.exe File created C:\Windows\SysWOW64\Acahge32.dll Onkphi32.exe File opened for modification C:\Windows\SysWOW64\Hmmffnai.exe Hiajeoip.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egpnooan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bminokil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkopekaa.dll" Emmdom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldbjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biadoeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcncmnn.dll" Iojbpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgni32.dll" Apmhiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niadfpcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjoap32.dll" Apeagd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpgico32.dll" Kbaiip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fimhjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migmpjdh.dll" Ibhkfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmopmalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdkec32.dll" Pplcnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnpalk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aolbedeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmimai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Heepfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfbmgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omdghmfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkeeda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qldccjno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbaahf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilcjgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mieeka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpboakjk.dll" Obcled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcpffk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginqph32.dll" Dakampio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdogbcnn.dll" Oegejc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjgeedch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmejlcoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnpdlep.dll" Lohggm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmpcffh.dll" Dplebmbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecbmle32.dll" Ljobiofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jofalmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbddmejf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkkbpc32.dll" Cmklaaek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alnfiifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabphdjm.dll" Cgnomg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ganbkp32.dll" Iabodcnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmjkka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aochga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjaqih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maggggaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopgipok.dll" Qdphgmlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fboecfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aagkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpenokc.dll" Eqpfknbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqcopdaa.dll" Ohfafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfiop32.dll" Iohejo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caaimlpo.dll" Bboffejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmlddibq.dll" Hakidd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akblfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bboffejp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmccnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paohbmke.dll" Lnbdlkje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnealfkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kodnmkap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqphkjmi.dll" Ffpjihee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phhhbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjbhbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojncj32.dll" Emanjldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoclopne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apnkfelb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4020 wrote to memory of 4864 4020 NEAS.307bb92cb11616a02e6565d328eb92a0.exe 86 PID 4020 wrote to memory of 4864 4020 NEAS.307bb92cb11616a02e6565d328eb92a0.exe 86 PID 4020 wrote to memory of 4864 4020 NEAS.307bb92cb11616a02e6565d328eb92a0.exe 86 PID 4864 wrote to memory of 1428 4864 Eiokinbk.exe 87 PID 4864 wrote to memory of 1428 4864 Eiokinbk.exe 87 PID 4864 wrote to memory of 1428 4864 Eiokinbk.exe 87 PID 1428 wrote to memory of 4168 1428 Efblbbqd.exe 88 PID 1428 wrote to memory of 4168 1428 Efblbbqd.exe 88 PID 1428 wrote to memory of 4168 1428 Efblbbqd.exe 88 PID 4168 wrote to memory of 2656 4168 Emmdom32.exe 89 PID 4168 wrote to memory of 2656 4168 Emmdom32.exe 89 PID 4168 wrote to memory of 2656 4168 Emmdom32.exe 89 PID 2656 wrote to memory of 2676 2656 Ebimgcfi.exe 90 PID 2656 wrote to memory of 2676 2656 Ebimgcfi.exe 90 PID 2656 wrote to memory of 2676 2656 Ebimgcfi.exe 90 PID 2676 wrote to memory of 4796 2676 Emoadlfo.exe 91 PID 2676 wrote to memory of 4796 2676 Emoadlfo.exe 91 PID 2676 wrote to memory of 4796 2676 Emoadlfo.exe 91 PID 4796 wrote to memory of 3456 4796 Efgemb32.exe 92 PID 4796 wrote to memory of 3456 4796 Efgemb32.exe 92 PID 4796 wrote to memory of 3456 4796 Efgemb32.exe 92 PID 3456 wrote to memory of 1912 3456 Emanjldl.exe 93 PID 3456 wrote to memory of 1912 3456 Emanjldl.exe 93 PID 3456 wrote to memory of 1912 3456 Emanjldl.exe 93 PID 1912 wrote to memory of 1376 1912 Felbnn32.exe 94 PID 1912 wrote to memory of 1376 1912 Felbnn32.exe 94 PID 1912 wrote to memory of 1376 1912 Felbnn32.exe 94 PID 1376 wrote to memory of 1448 1376 Fbpchb32.exe 95 PID 1376 wrote to memory of 1448 1376 Fbpchb32.exe 95 PID 1376 wrote to memory of 1448 1376 Fbpchb32.exe 95 PID 1448 wrote to memory of 3440 1448 Fpdcag32.exe 96 PID 1448 wrote to memory of 3440 1448 Fpdcag32.exe 96 PID 1448 wrote to memory of 3440 1448 Fpdcag32.exe 96 PID 3440 wrote to memory of 4100 3440 Fimhjl32.exe 97 PID 3440 wrote to memory of 4100 3440 Fimhjl32.exe 97 PID 3440 wrote to memory of 4100 3440 Fimhjl32.exe 97 PID 4100 wrote to memory of 3952 4100 Fechomko.exe 98 PID 4100 wrote to memory of 3952 4100 Fechomko.exe 98 PID 4100 wrote to memory of 3952 4100 Fechomko.exe 98 PID 3952 wrote to memory of 1944 3952 Gmojkj32.exe 99 PID 3952 wrote to memory of 1944 3952 Gmojkj32.exe 99 PID 3952 wrote to memory of 1944 3952 Gmojkj32.exe 99 PID 1944 wrote to memory of 4448 1944 Gblbca32.exe 100 PID 1944 wrote to memory of 4448 1944 Gblbca32.exe 100 PID 1944 wrote to memory of 4448 1944 Gblbca32.exe 100 PID 4448 wrote to memory of 4068 4448 Gmafajfi.exe 101 PID 4448 wrote to memory of 4068 4448 Gmafajfi.exe 101 PID 4448 wrote to memory of 4068 4448 Gmafajfi.exe 101 PID 4068 wrote to memory of 1548 4068 Gbnoiqdq.exe 102 PID 4068 wrote to memory of 1548 4068 Gbnoiqdq.exe 102 PID 4068 wrote to memory of 1548 4068 Gbnoiqdq.exe 102 PID 1548 wrote to memory of 3196 1548 Gmdcfidg.exe 103 PID 1548 wrote to memory of 3196 1548 Gmdcfidg.exe 103 PID 1548 wrote to memory of 3196 1548 Gmdcfidg.exe 103 PID 3196 wrote to memory of 364 3196 Gnepna32.exe 104 PID 3196 wrote to memory of 364 3196 Gnepna32.exe 104 PID 3196 wrote to memory of 364 3196 Gnepna32.exe 104 PID 364 wrote to memory of 1840 364 Gpelhd32.exe 105 PID 364 wrote to memory of 1840 364 Gpelhd32.exe 105 PID 364 wrote to memory of 1840 364 Gpelhd32.exe 105 PID 1840 wrote to memory of 4824 1840 Gbchdp32.exe 106 PID 1840 wrote to memory of 4824 1840 Gbchdp32.exe 106 PID 1840 wrote to memory of 4824 1840 Gbchdp32.exe 106 PID 4824 wrote to memory of 2964 4824 Gmimai32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.307bb92cb11616a02e6565d328eb92a0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.307bb92cb11616a02e6565d328eb92a0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\Eiokinbk.exeC:\Windows\system32\Eiokinbk.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Efblbbqd.exeC:\Windows\system32\Efblbbqd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Emmdom32.exeC:\Windows\system32\Emmdom32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\Ebimgcfi.exeC:\Windows\system32\Ebimgcfi.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Emoadlfo.exeC:\Windows\system32\Emoadlfo.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Efgemb32.exeC:\Windows\system32\Efgemb32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Emanjldl.exeC:\Windows\system32\Emanjldl.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\Felbnn32.exeC:\Windows\system32\Felbnn32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Fbpchb32.exeC:\Windows\system32\Fbpchb32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Fpdcag32.exeC:\Windows\system32\Fpdcag32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Fimhjl32.exeC:\Windows\system32\Fimhjl32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\SysWOW64\Fechomko.exeC:\Windows\system32\Fechomko.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Gmojkj32.exeC:\Windows\system32\Gmojkj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\SysWOW64\Gblbca32.exeC:\Windows\system32\Gblbca32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Gmafajfi.exeC:\Windows\system32\Gmafajfi.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Gbnoiqdq.exeC:\Windows\system32\Gbnoiqdq.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Gmdcfidg.exeC:\Windows\system32\Gmdcfidg.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Gnepna32.exeC:\Windows\system32\Gnepna32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\Gpelhd32.exeC:\Windows\system32\Gpelhd32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:364 -
C:\Windows\SysWOW64\Gbchdp32.exeC:\Windows\system32\Gbchdp32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Gmimai32.exeC:\Windows\system32\Gmimai32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\Gbeejp32.exeC:\Windows\system32\Gbeejp32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Hpiecd32.exeC:\Windows\system32\Hpiecd32.exe24⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Hoobdp32.exeC:\Windows\system32\Hoobdp32.exe25⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Hlbcnd32.exeC:\Windows\system32\Hlbcnd32.exe26⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Hmbphg32.exeC:\Windows\system32\Hmbphg32.exe27⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Hoclopne.exeC:\Windows\system32\Hoclopne.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:4036 -
C:\Windows\SysWOW64\Hlglidlo.exeC:\Windows\system32\Hlglidlo.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3756 -
C:\Windows\SysWOW64\Ibaeen32.exeC:\Windows\system32\Ibaeen32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:220 -
C:\Windows\SysWOW64\Iohejo32.exeC:\Windows\system32\Iohejo32.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Iinjhh32.exeC:\Windows\system32\Iinjhh32.exe32⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Iojbpo32.exeC:\Windows\system32\Iojbpo32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:3600 -
C:\Windows\SysWOW64\Ilnbicff.exeC:\Windows\system32\Ilnbicff.exe34⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Ibhkfm32.exeC:\Windows\system32\Ibhkfm32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:5048 -
C:\Windows\SysWOW64\Jekqmhia.exeC:\Windows\system32\Jekqmhia.exe36⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Jpaekqhh.exeC:\Windows\system32\Jpaekqhh.exe37⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Jiiicf32.exeC:\Windows\system32\Jiiicf32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Jofalmmp.exeC:\Windows\system32\Jofalmmp.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Jpenfp32.exeC:\Windows\system32\Jpenfp32.exe40⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Jinboekc.exeC:\Windows\system32\Jinboekc.exe41⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Jphkkpbp.exeC:\Windows\system32\Jphkkpbp.exe42⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Jjpode32.exeC:\Windows\system32\Jjpode32.exe43⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Kpjgaoqm.exeC:\Windows\system32\Kpjgaoqm.exe44⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Kgdpni32.exeC:\Windows\system32\Kgdpni32.exe45⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Knnhjcog.exeC:\Windows\system32\Knnhjcog.exe46⤵
- Executes dropped EXE
PID:412 -
C:\Windows\SysWOW64\Kckqbj32.exeC:\Windows\system32\Kckqbj32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4800 -
C:\Windows\SysWOW64\Kjeiodek.exeC:\Windows\system32\Kjeiodek.exe48⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Koaagkcb.exeC:\Windows\system32\Koaagkcb.exe49⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Kjgeedch.exeC:\Windows\system32\Kjgeedch.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4284 -
C:\Windows\SysWOW64\Kodnmkap.exeC:\Windows\system32\Kodnmkap.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:4260 -
C:\Windows\SysWOW64\Kfnfjehl.exeC:\Windows\system32\Kfnfjehl.exe52⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Kcbfcigf.exeC:\Windows\system32\Kcbfcigf.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:656 -
C:\Windows\SysWOW64\Lgdidgjg.exeC:\Windows\system32\Lgdidgjg.exe54⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Lggejg32.exeC:\Windows\system32\Lggejg32.exe55⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Lnangaoa.exeC:\Windows\system32\Lnangaoa.exe56⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Lobjni32.exeC:\Windows\system32\Lobjni32.exe57⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Mjjkaabc.exeC:\Windows\system32\Mjjkaabc.exe58⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Mmhgmmbf.exeC:\Windows\system32\Mmhgmmbf.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4640 -
C:\Windows\SysWOW64\Mfchlbfd.exeC:\Windows\system32\Mfchlbfd.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Mnjqmpgg.exeC:\Windows\system32\Mnjqmpgg.exe61⤵PID:3956
-
C:\Windows\SysWOW64\Mcgiefen.exeC:\Windows\system32\Mcgiefen.exe62⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Nmfcok32.exeC:\Windows\system32\Nmfcok32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4876 -
C:\Windows\SysWOW64\Nfohgqlg.exeC:\Windows\system32\Nfohgqlg.exe64⤵
- Executes dropped EXE
PID:3792 -
C:\Windows\SysWOW64\Nmkmjjaa.exeC:\Windows\system32\Nmkmjjaa.exe65⤵
- Executes dropped EXE
PID:3860 -
C:\Windows\SysWOW64\Nceefd32.exeC:\Windows\system32\Nceefd32.exe66⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Ocgbld32.exeC:\Windows\system32\Ocgbld32.exe67⤵PID:3608
-
C:\Windows\SysWOW64\Onmfimga.exeC:\Windows\system32\Onmfimga.exe68⤵PID:3612
-
C:\Windows\SysWOW64\Opclldhj.exeC:\Windows\system32\Opclldhj.exe69⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Ogjdmbil.exeC:\Windows\system32\Ogjdmbil.exe70⤵PID:5116
-
C:\Windows\SysWOW64\Paeelgnj.exeC:\Windows\system32\Paeelgnj.exe71⤵PID:2992
-
C:\Windows\SysWOW64\Pnifekmd.exeC:\Windows\system32\Pnifekmd.exe72⤵PID:1544
-
C:\Windows\SysWOW64\Pjpfjl32.exeC:\Windows\system32\Pjpfjl32.exe73⤵PID:4892
-
C:\Windows\SysWOW64\Pplobcpp.exeC:\Windows\system32\Pplobcpp.exe74⤵PID:2596
-
C:\Windows\SysWOW64\Pnmopk32.exeC:\Windows\system32\Pnmopk32.exe75⤵PID:4080
-
C:\Windows\SysWOW64\Panhbfep.exeC:\Windows\system32\Panhbfep.exe76⤵PID:2552
-
C:\Windows\SysWOW64\Qpcecb32.exeC:\Windows\system32\Qpcecb32.exe77⤵PID:3240
-
C:\Windows\SysWOW64\Qfmmplad.exeC:\Windows\system32\Qfmmplad.exe78⤵PID:1556
-
C:\Windows\SysWOW64\Qmgelf32.exeC:\Windows\system32\Qmgelf32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3672 -
C:\Windows\SysWOW64\Akkffkhk.exeC:\Windows\system32\Akkffkhk.exe80⤵PID:4408
-
C:\Windows\SysWOW64\Aaenbd32.exeC:\Windows\system32\Aaenbd32.exe81⤵PID:2604
-
C:\Windows\SysWOW64\Afbgkl32.exeC:\Windows\system32\Afbgkl32.exe82⤵PID:2548
-
C:\Windows\SysWOW64\Aoioli32.exeC:\Windows\system32\Aoioli32.exe83⤵PID:5144
-
C:\Windows\SysWOW64\Aagkhd32.exeC:\Windows\system32\Aagkhd32.exe84⤵
- Modifies registry class
PID:5192 -
C:\Windows\SysWOW64\Ahaceo32.exeC:\Windows\system32\Ahaceo32.exe85⤵PID:5256
-
C:\Windows\SysWOW64\Amnlme32.exeC:\Windows\system32\Amnlme32.exe86⤵PID:5296
-
C:\Windows\SysWOW64\Apmhiq32.exeC:\Windows\system32\Apmhiq32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5344 -
C:\Windows\SysWOW64\Akblfj32.exeC:\Windows\system32\Akblfj32.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:5388 -
C:\Windows\SysWOW64\Ahfmpnql.exeC:\Windows\system32\Ahfmpnql.exe89⤵PID:5432
-
C:\Windows\SysWOW64\Aopemh32.exeC:\Windows\system32\Aopemh32.exe90⤵PID:5472
-
C:\Windows\SysWOW64\Aaoaic32.exeC:\Windows\system32\Aaoaic32.exe91⤵PID:5520
-
C:\Windows\SysWOW64\Bdmmeo32.exeC:\Windows\system32\Bdmmeo32.exe92⤵PID:5568
-
C:\Windows\SysWOW64\Bdojjo32.exeC:\Windows\system32\Bdojjo32.exe93⤵PID:5632
-
C:\Windows\SysWOW64\Cgnomg32.exeC:\Windows\system32\Cgnomg32.exe94⤵
- Modifies registry class
PID:5672 -
C:\Windows\SysWOW64\Dnonkq32.exeC:\Windows\system32\Dnonkq32.exe95⤵PID:5716
-
C:\Windows\SysWOW64\Dkekjdck.exeC:\Windows\system32\Dkekjdck.exe96⤵PID:5760
-
C:\Windows\SysWOW64\Dndgfpbo.exeC:\Windows\system32\Dndgfpbo.exe97⤵PID:5804
-
C:\Windows\SysWOW64\Ekjded32.exeC:\Windows\system32\Ekjded32.exe98⤵PID:5856
-
C:\Windows\SysWOW64\Hhaggp32.exeC:\Windows\system32\Hhaggp32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5904 -
C:\Windows\SysWOW64\Lcmodajm.exeC:\Windows\system32\Lcmodajm.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5964 -
C:\Windows\SysWOW64\Adepji32.exeC:\Windows\system32\Adepji32.exe101⤵PID:6052
-
C:\Windows\SysWOW64\Aplaoj32.exeC:\Windows\system32\Aplaoj32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6104 -
C:\Windows\SysWOW64\Aidehpea.exeC:\Windows\system32\Aidehpea.exe103⤵PID:5136
-
C:\Windows\SysWOW64\Adjjeieh.exeC:\Windows\system32\Adjjeieh.exe104⤵PID:5264
-
C:\Windows\SysWOW64\Bigbmpco.exeC:\Windows\system32\Bigbmpco.exe105⤵PID:5368
-
C:\Windows\SysWOW64\Banjnm32.exeC:\Windows\system32\Banjnm32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5484 -
C:\Windows\SysWOW64\Bboffejp.exeC:\Windows\system32\Bboffejp.exe107⤵
- Modifies registry class
PID:5560 -
C:\Windows\SysWOW64\Bjfogbjb.exeC:\Windows\system32\Bjfogbjb.exe108⤵PID:2544
-
C:\Windows\SysWOW64\Cmpjoloh.exeC:\Windows\system32\Cmpjoloh.exe109⤵PID:212
-
C:\Windows\SysWOW64\Cdjblf32.exeC:\Windows\system32\Cdjblf32.exe110⤵PID:3452
-
C:\Windows\SysWOW64\Cgiohbfi.exeC:\Windows\system32\Cgiohbfi.exe111⤵PID:2020
-
C:\Windows\SysWOW64\Cigkdmel.exeC:\Windows\system32\Cigkdmel.exe112⤵PID:5724
-
C:\Windows\SysWOW64\Cpacqg32.exeC:\Windows\system32\Cpacqg32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5796 -
C:\Windows\SysWOW64\Ckggnp32.exeC:\Windows\system32\Ckggnp32.exe114⤵PID:5884
-
C:\Windows\SysWOW64\Caqpkjcl.exeC:\Windows\system32\Caqpkjcl.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5936 -
C:\Windows\SysWOW64\Cgmhcaac.exeC:\Windows\system32\Cgmhcaac.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3496 -
C:\Windows\SysWOW64\Ccdihbgg.exeC:\Windows\system32\Ccdihbgg.exe117⤵PID:6084
-
C:\Windows\SysWOW64\Dnljkk32.exeC:\Windows\system32\Dnljkk32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5188 -
C:\Windows\SysWOW64\Epffbd32.exeC:\Windows\system32\Epffbd32.exe119⤵PID:5460
-
C:\Windows\SysWOW64\Egpnooan.exeC:\Windows\system32\Egpnooan.exe120⤵
- Modifies registry class
PID:5556 -
C:\Windows\SysWOW64\Eddnic32.exeC:\Windows\system32\Eddnic32.exe121⤵PID:1568
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-