Analysis
max time kernel: 171s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/10/2023, 19:13

Static task
static1
1 signatures

Behavioral task
behavioral1
Sample: NEAS.ca10a74e52719d685857b8abd7aaf750.exe
Resource: win7-20230831-en
7 signatures
150 seconds

Behavioral task
behavioral2
Sample: NEAS.ca10a74e52719d685857b8abd7aaf750.exe
Resource: win10v2004-20230915-en
6 signatures
150 seconds

General
Target: NEAS.ca10a74e52719d685857b8abd7aaf750.exe
Size: 104KB
MD5: ca10a74e52719d685857b8abd7aaf750
SHA1: 87175a3a8e225682748671a23b587e7a457c1146
SHA256: 447952a6b049c46bca53cdadef98910f2e391c1aa50edf1ef3e2dce0c03a4111
SHA512: a5677111b2095d63c092f9693df6f9f34aeceffa86566c5f348126d8e893653a5be43006e1e6dc523a5cb027072988fa99b0fd1fe59e975cac7d15e553e45736
SSDEEP: 3072:HtaBmWGT1LtqTpuE05xe51x7cEGrhkngpDvchkqbAIQS:HtMmr9tqTpuE05E51x4brq2Ahn
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid    pid_target   Process        procid_target
8756   3608         WerFault.exe   667
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\NEAS.ca10a74e52719d685857b8abd7aaf750.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.ca10a74e52719d685857b8abd7aaf750.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4224
Level 2: C:\Windows\SysWOW64\Mcqjon32.exe
  Command line: C:\Windows\system32\Mcqjon32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 760
Level 3: C:\Windows\SysWOW64\Madjhb32.exe
  Command line: C:\Windows\system32\Madjhb32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4540
Level 4: C:\Windows\SysWOW64\Mkjnfkma.exe
  Command line: C:\Windows\system32\Mkjnfkma.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 3868
Level 5: C:\Windows\SysWOW64\Mgehfkop.exe
  Command line: C:\Windows\system32\Mgehfkop.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4156
Level 6: C:\Windows\SysWOW64\Nlcalieg.exe
  Command line: C:\Windows\system32\Nlcalieg.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4620
Level 7: C:\Windows\SysWOW64\Njinmf32.exe
  Command line: C:\Windows\system32\Njinmf32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1028
Level 8: C:\Windows\SysWOW64\Nnfgcd32.exe
  Command line: C:\Windows\system32\Nnfgcd32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1124
Level 9: C:\Windows\SysWOW64\Njmhhefi.exe
  Command line: C:\Windows\system32\Njmhhefi.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 912
Level 10: C:\Windows\SysWOW64\Nhahaiec.exe
  Command line: C:\Windows\system32\Nhahaiec.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4792
Level 11: C:\Windows\SysWOW64\Oeehkn32.exe
  Command line: C:\Windows\system32\Oeehkn32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 708
Level 12: C:\Windows\SysWOW64\Onnmdcjm.exe
  Command line: C:\Windows\system32\Onnmdcjm.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3128
Level 13: C:\Windows\SysWOW64\Ohfami32.exe
  Command line: C:\Windows\system32\Ohfami32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1820
Level 14: C:\Windows\SysWOW64\Oanfen32.exe
  Command line: C:\Windows\system32\Oanfen32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4508
Level 15: C:\Windows\SysWOW64\Oldjcg32.exe
  Command line: C:\Windows\system32\Oldjcg32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4888
Level 16: C:\Windows\SysWOW64\Plpjoe32.exe
  Command line: C:\Windows\system32\Plpjoe32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3532
Level 17: C:\Windows\SysWOW64\Phigif32.exe
  Command line: C:\Windows\system32\Phigif32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 5112
Level 18: C:\Windows\SysWOW64\Qemhbj32.exe
  Command line: C:\Windows\system32\Qemhbj32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 4296
Level 19: C:\Windows\SysWOW64\Qlgpod32.exe
  Command line: C:\Windows\system32\Qlgpod32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3888
Level 20: C:\Windows\SysWOW64\Qeodhjmo.exe
  Command line: C:\Windows\system32\Qeodhjmo.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 412
Level 21: C:\Windows\SysWOW64\Ahpmjejp.exe
  Command line: C:\Windows\system32\Ahpmjejp.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2348
Level 22: C:\Windows\SysWOW64\Akqfkp32.exe
  Command line: C:\Windows\system32\Akqfkp32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3352
Level 23: C:\Windows\SysWOW64\Aonoao32.exe
  Command line: C:\Windows\system32\Aonoao32.exe
  - Executes dropped EXE
  PID: 1460
Level 24: C:\Windows\SysWOW64\Aaohcj32.exe
  Command line: C:\Windows\system32\Aaohcj32.exe
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Blgifbil.exeC:\Windows\system32\Blgifbil.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Bklfgo32.exeC:\Windows\system32\Bklfgo32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5056 -
C:\Windows\SysWOW64\Bllbaa32.exeC:\Windows\system32\Bllbaa32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Bedgjgkg.exeC:\Windows\system32\Bedgjgkg.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4788 -
C:\Windows\SysWOW64\Blnoga32.exeC:\Windows\system32\Blnoga32.exe29⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Bdickcpo.exeC:\Windows\system32\Bdickcpo.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Cfipef32.exeC:\Windows\system32\Cfipef32.exe31⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Coadnlnb.exeC:\Windows\system32\Coadnlnb.exe32⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Chiigadc.exeC:\Windows\system32\Chiigadc.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:5024 -
C:\Windows\SysWOW64\Cnkkjh32.exeC:\Windows\system32\Cnkkjh32.exe34⤵
- Executes dropped EXE
PID:3280 -
C:\Windows\SysWOW64\Chqogq32.exeC:\Windows\system32\Chqogq32.exe35⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Dfglfdkb.exeC:\Windows\system32\Dfglfdkb.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4532 -
C:\Windows\SysWOW64\Ddnfmqng.exeC:\Windows\system32\Ddnfmqng.exe37⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Dbbffdlq.exeC:\Windows\system32\Dbbffdlq.exe38⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Deqcbpld.exeC:\Windows\system32\Deqcbpld.exe39⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Eofgpikj.exeC:\Windows\system32\Eofgpikj.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Efpomccg.exeC:\Windows\system32\Efpomccg.exe41⤵
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Fflohaij.exeC:\Windows\system32\Fflohaij.exe42⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Fpgpgfmh.exeC:\Windows\system32\Fpgpgfmh.exe43⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Gpnfge32.exeC:\Windows\system32\Gpnfge32.exe44⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Gejopl32.exeC:\Windows\system32\Gejopl32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:5036 -
C:\Windows\SysWOW64\Gnepna32.exeC:\Windows\system32\Gnepna32.exe46⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Hfcnpn32.exeC:\Windows\system32\Hfcnpn32.exe47⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Hpnoncim.exeC:\Windows\system32\Hpnoncim.exe48⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Ifmqfm32.exeC:\Windows\system32\Ifmqfm32.exe49⤵
- Executes dropped EXE
PID:3904 -
C:\Windows\SysWOW64\Ipgbdbqb.exeC:\Windows\system32\Ipgbdbqb.exe50⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Iipfmggc.exeC:\Windows\system32\Iipfmggc.exe51⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Iefgbh32.exeC:\Windows\system32\Iefgbh32.exe52⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Ilcldb32.exeC:\Windows\system32\Ilcldb32.exe53⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Jgkmgk32.exeC:\Windows\system32\Jgkmgk32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Jpcapp32.exeC:\Windows\system32\Jpcapp32.exe55⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Jepjhg32.exeC:\Windows\system32\Jepjhg32.exe56⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Johnamkm.exeC:\Windows\system32\Johnamkm.exe57⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Jniood32.exeC:\Windows\system32\Jniood32.exe58⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Jokkgl32.exeC:\Windows\system32\Jokkgl32.exe59⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Jnlkedai.exeC:\Windows\system32\Jnlkedai.exe60⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Komhll32.exeC:\Windows\system32\Komhll32.exe61⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Knnhjcog.exeC:\Windows\system32\Knnhjcog.exe62⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Kgflcifg.exeC:\Windows\system32\Kgflcifg.exe63⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Koaagkcb.exeC:\Windows\system32\Koaagkcb.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Kncaec32.exeC:\Windows\system32\Kncaec32.exe65⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Kcpjnjii.exeC:\Windows\system32\Kcpjnjii.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4564 -
C:\Windows\SysWOW64\Knenkbio.exeC:\Windows\system32\Knenkbio.exe67⤵PID:4700
C:\Windows\SysWOW64\Kcbfcigf.exeC:\Windows\system32\Kcbfcigf.exe68⤵PID:4316
C:\Windows\SysWOW64\Kngkqbgl.exeC:\Windows\system32\Kngkqbgl.exe69⤵PID:3608
C:\Windows\SysWOW64\Lpfgmnfp.exeC:\Windows\system32\Lpfgmnfp.exe70⤵PID:3292
C:\Windows\SysWOW64\Lnjgfb32.exeC:\Windows\system32\Lnjgfb32.exe71⤵PID:4292
C:\Windows\SysWOW64\Lokdnjkg.exeC:\Windows\system32\Lokdnjkg.exe72⤵PID:2932
C:\Windows\SysWOW64\Llodgnja.exeC:\Windows\system32\Llodgnja.exe73⤵PID:4796
C:\Windows\SysWOW64\Lcimdh32.exeC:\Windows\system32\Lcimdh32.exe74⤵PID:2804
C:\Windows\SysWOW64\Lnoaaaad.exeC:\Windows\system32\Lnoaaaad.exe75⤵PID:4416
C:\Windows\SysWOW64\Lckiihok.exeC:\Windows\system32\Lckiihok.exe76⤵PID:1176
C:\Windows\SysWOW64\Lnangaoa.exeC:\Windows\system32\Lnangaoa.exe77⤵PID:3236
C:\Windows\SysWOW64\Lgibpf32.exeC:\Windows\system32\Lgibpf32.exe78⤵PID:4768
C:\Windows\SysWOW64\Ljhnlb32.exeC:\Windows\system32\Ljhnlb32.exe79⤵PID:2860
C:\Windows\SysWOW64\Aiabhj32.exeC:\Windows\system32\Aiabhj32.exe80⤵PID:3704
C:\Windows\SysWOW64\Bpbpecen.exeC:\Windows\system32\Bpbpecen.exe81⤵PID:636
C:\Windows\SysWOW64\Bcpika32.exeC:\Windows\system32\Bcpika32.exe82⤵PID:1944
C:\Windows\SysWOW64\Hgpibdam.exeC:\Windows\system32\Hgpibdam.exe83⤵PID:4704
C:\Windows\SysWOW64\Hnjaonij.exeC:\Windows\system32\Hnjaonij.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:840 -
C:\Windows\SysWOW64\Hmmakk32.exeC:\Windows\system32\Hmmakk32.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:4172 -
C:\Windows\SysWOW64\Hfefdpfe.exeC:\Windows\system32\Hfefdpfe.exe86⤵PID:3496
C:\Windows\SysWOW64\Onakco32.exeC:\Windows\system32\Onakco32.exe87⤵
- Modifies registry class
PID:4568 -
C:\Windows\SysWOW64\Mmpbkm32.exeC:\Windows\system32\Mmpbkm32.exe88⤵PID:4832
C:\Windows\SysWOW64\Mfhgcbfo.exeC:\Windows\system32\Mfhgcbfo.exe89⤵
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Pjoknhbe.exeC:\Windows\system32\Pjoknhbe.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1976 -
C:\Windows\SysWOW64\Engaon32.exeC:\Windows\system32\Engaon32.exe91⤵PID:2796
C:\Windows\SysWOW64\Eahjqicj.exeC:\Windows\system32\Eahjqicj.exe92⤵PID:912
C:\Windows\SysWOW64\Mlbllc32.exeC:\Windows\system32\Mlbllc32.exe93⤵PID:1816
C:\Windows\SysWOW64\Mmahff32.exeC:\Windows\system32\Mmahff32.exe94⤵
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Nfcoekhe.exeC:\Windows\system32\Nfcoekhe.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2472 -
C:\Windows\SysWOW64\Bldogjib.exeC:\Windows\system32\Bldogjib.exe96⤵PID:904
C:\Windows\SysWOW64\Bdkghg32.exeC:\Windows\system32\Bdkghg32.exe97⤵
- Modifies registry class
PID:4424 -
C:\Windows\SysWOW64\Blflmj32.exeC:\Windows\system32\Blflmj32.exe98⤵PID:680
C:\Windows\SysWOW64\Bmhibi32.exeC:\Windows\system32\Bmhibi32.exe99⤵PID:3344
C:\Windows\SysWOW64\Cnhell32.exeC:\Windows\system32\Cnhell32.exe100⤵PID:524
C:\Windows\SysWOW64\Cjofambd.exeC:\Windows\system32\Cjofambd.exe101⤵
- Drops file in System32 directory
PID:396 -
C:\Windows\SysWOW64\Cmpoch32.exeC:\Windows\system32\Cmpoch32.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:4848 -
C:\Windows\SysWOW64\Cmblhh32.exeC:\Windows\system32\Cmblhh32.exe103⤵PID:4752
C:\Windows\SysWOW64\Ckclfp32.exeC:\Windows\system32\Ckclfp32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3140 -
C:\Windows\SysWOW64\Djhiglji.exeC:\Windows\system32\Djhiglji.exe105⤵PID:3132
C:\Windows\SysWOW64\Dcqmpa32.exeC:\Windows\system32\Dcqmpa32.exe106⤵PID:1436
C:\Windows\SysWOW64\Dnfanjqp.exeC:\Windows\system32\Dnfanjqp.exe107⤵PID:4764
C:\Windows\SysWOW64\Dgnffp32.exeC:\Windows\system32\Dgnffp32.exe108⤵PID:2684
C:\Windows\SysWOW64\Dnhncjom.exeC:\Windows\system32\Dnhncjom.exe109⤵PID:5028
C:\Windows\SysWOW64\Debfpd32.exeC:\Windows\system32\Debfpd32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5016 -
C:\Windows\SysWOW64\Dklomnmf.exeC:\Windows\system32\Dklomnmf.exe111⤵PID:964
C:\Windows\SysWOW64\Dqigee32.exeC:\Windows\system32\Dqigee32.exe112⤵PID:5012
C:\Windows\SysWOW64\Eakdje32.exeC:\Windows\system32\Eakdje32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2972 -
C:\Windows\SysWOW64\Ekahhn32.exeC:\Windows\system32\Ekahhn32.exe114⤵PID:4372
C:\Windows\SysWOW64\Eghimo32.exeC:\Windows\system32\Eghimo32.exe115⤵PID:5116
C:\Windows\SysWOW64\Emdaee32.exeC:\Windows\system32\Emdaee32.exe116⤵PID:3152
C:\Windows\SysWOW64\Endnohdp.exeC:\Windows\system32\Endnohdp.exe117⤵PID:2780
C:\Windows\SysWOW64\Ecafgo32.exeC:\Windows\system32\Ecafgo32.exe118⤵
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Enfjdh32.exeC:\Windows\system32\Enfjdh32.exe119⤵PID:1088
C:\Windows\SysWOW64\Eaegqc32.exeC:\Windows\system32\Eaegqc32.exe120⤵PID:3788
C:\Windows\SysWOW64\Egoomnin.exeC:\Windows\system32\Egoomnin.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5040 -
C:\Windows\SysWOW64\Enigjh32.exeC:\Windows\system32\Enigjh32.exe122⤵PID:1196