Analysis
-
max time kernel
153s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
21/10/2023, 21:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.f50e24e9a01b71e75aa92e6a9f44e7e0.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.f50e24e9a01b71e75aa92e6a9f44e7e0.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.f50e24e9a01b71e75aa92e6a9f44e7e0.exe
-
Size
45KB
-
MD5
f50e24e9a01b71e75aa92e6a9f44e7e0
-
SHA1
699d7863596d5035885d9004fc5cf02512a70080
-
SHA256
da539b2f15a3d058f271fb2c86968f5fc8a81ab5dbd0b77598c2801d642a5247
-
SHA512
1cd24cc5ed92db6b7b65b4bd617180054703faf76fa61cbef549fb442e231cc3dde8cb024bb1b44936f74c9b3b3df9fd93d987e17a32f6abdf810f37fd75de97
-
SSDEEP
768:YtsidqVD/yrG8aaNQq0jKAMrOJ/gyYyWFJcpegCWWiwqAZ/1H5B:/bD/J8aaO59/gbyWgpFC1iwqWr
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnfkgfdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkjgomgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofjpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acjjpllp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kifhkkci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkieab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bppcpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgfod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfkgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgbdcgld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dclkee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmjfodne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhbmnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afboah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npgabc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epaemojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biadeoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akamol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ophjiaql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coadnlnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggjjlk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeffnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibnligoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjginjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phbolflm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgopplkq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Behbkmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dapkni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nogngp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mojhgbdl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdknpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmnpfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nijeoikf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dakacjdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emlenj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blakhgoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njlcdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmijnfgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maealn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmijnfgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npgabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aggegh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfkkqmiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgcooaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agcikk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkoplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nofefp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Podkmgop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiqkmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aobilkcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdngpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Digmqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioambknl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clbmfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncdgmkio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeemop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noijmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbfpeec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndcdfnpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohnebd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oondhocf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnppkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhppik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deokja32.exe -
Executes dropped EXE 64 IoCs
pid Process 3908 Hbdjchgn.exe 5096 Hkmnln32.exe 1300 Ibffhhek.exe 2412 Ikokan32.exe 2088 Ifdonfka.exe 1340 Ikaggmii.exe 1520 Iiehpahb.exe 2884 Ibnligoc.exe 3332 Ioambknl.exe 1464 Ifleoe32.exe 956 Jkhngl32.exe 3092 Jkkjmlan.exe 3688 Jnifigpa.exe 2700 Joiccj32.exe 2780 Jiaglp32.exe 1212 Jfehed32.exe 1372 Jkaqnk32.exe 4476 Jghabl32.exe 2244 Knbiofhg.exe 2536 Kgknhl32.exe 3620 Kbpbed32.exe 3448 Khmknk32.exe 1508 Kfnkkb32.exe 3456 Kpgodhkd.exe 4852 Klmpiiai.exe 3616 Kfcdfbqo.exe 5100 Lnnikdnj.exe 2264 Lehaho32.exe 532 Llbidimc.exe 2164 Lblaabdp.exe 4436 Lhijijbg.exe 2304 Lppbkgcj.exe 1976 Lemkcnaa.exe 4500 Lhkgoiqe.exe 2320 Leoghn32.exe 4580 Mhppji32.exe 3324 Mojhgbdl.exe 2796 Miomdk32.exe 3548 Molelb32.exe 4700 Noehba32.exe 4968 Neppokal.exe 2380 Nbcqiope.exe 2836 Npgabc32.exe 1304 Nedjjj32.exe 1776 Nomncpcg.exe 4912 Nibbqicm.exe 4708 Ncjginjn.exe 2812 Ohgoaehe.exe 4576 Oghppm32.exe 3180 Opadhb32.exe 1748 Oiihahme.exe 1336 Olgemcli.exe 4260 Ohnebd32.exe 3824 Ojnblg32.exe 1648 Ophjiaql.exe 1724 Pedbahod.exe 4220 Pcicklnn.exe 3088 Phelcc32.exe 624 Pfillg32.exe 1088 Pcmlfl32.exe 1720 Phjenbhp.exe 4396 Pcpikkge.exe 3352 Plhnda32.exe 3532 Pofjpl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gndbie32.exe Ggjjlk32.exe File created C:\Windows\SysWOW64\Podkmgop.exe Pdngpo32.exe File created C:\Windows\SysWOW64\Geflmjjg.dll Poeahaib.exe File created C:\Windows\SysWOW64\Imikmhae.dll Qbddmejf.exe File opened for modification C:\Windows\SysWOW64\Oocmcn32.exe Ohiefdhd.exe File created C:\Windows\SysWOW64\Gackgo32.dll Aaflag32.exe File opened for modification C:\Windows\SysWOW64\Lehaho32.exe Lnnikdnj.exe File opened for modification C:\Windows\SysWOW64\Lhadgmge.exe Ldckan32.exe File created C:\Windows\SysWOW64\Negpqn32.dll Nhbmnj32.exe File opened for modification C:\Windows\SysWOW64\Qcccom32.exe Qaegcb32.exe File created C:\Windows\SysWOW64\Miiflecc.dll Jkhngl32.exe File created C:\Windows\SysWOW64\Ggmookkn.dll Neppokal.exe File created C:\Windows\SysWOW64\Mdokmm32.exe Mkgfdgpq.exe File created C:\Windows\SysWOW64\Anncek32.exe Aiqkmd32.exe File created C:\Windows\SysWOW64\Blkgen32.exe Biljib32.exe File created C:\Windows\SysWOW64\Bmpdfl32.dll Ccqkigkp.exe File created C:\Windows\SysWOW64\Laiiombp.dll Dcmedk32.exe File created C:\Windows\SysWOW64\Lmqiec32.exe Lajhpbme.exe File created C:\Windows\SysWOW64\Mefiblfk.dll Ccchof32.exe File opened for modification C:\Windows\SysWOW64\Ononmo32.exe Odbpij32.exe File created C:\Windows\SysWOW64\Miomdk32.exe Mojhgbdl.exe File opened for modification C:\Windows\SysWOW64\Coadnlnb.exe Odhifjkg.exe File created C:\Windows\SysWOW64\Mnfgko32.dll Ibcjqgnm.exe File created C:\Windows\SysWOW64\Fcqlqnpo.dll Cifmoa32.exe File created C:\Windows\SysWOW64\Ognpoheh.exe Nloikqnl.exe File created C:\Windows\SysWOW64\Bgbdcgld.exe Biadeoce.exe File created C:\Windows\SysWOW64\Kagbdenk.exe Jmijnfgd.exe File opened for modification C:\Windows\SysWOW64\Dcmcfeke.exe Obnlpnbm.exe File created C:\Windows\SysWOW64\Jhcalb32.dll Nhmejf32.exe File created C:\Windows\SysWOW64\Lpochfji.exe Ljdkll32.exe File opened for modification C:\Windows\SysWOW64\Mjlalkmd.exe Mpclce32.exe File created C:\Windows\SysWOW64\Ammnhilb.exe Aiabhj32.exe File opened for modification C:\Windows\SysWOW64\Aohfdnil.exe Agaoca32.exe File created C:\Windows\SysWOW64\Meknhh32.exe Mgfqgkib.exe File created C:\Windows\SysWOW64\Qlggcp32.exe Qjijgead.exe File created C:\Windows\SysWOW64\Cgeqej32.dll Qqfmnk32.exe File created C:\Windows\SysWOW64\Lppbkgcj.exe Lhijijbg.exe File created C:\Windows\SysWOW64\Odhifjkg.exe Jkgpbp32.exe File opened for modification C:\Windows\SysWOW64\Gqnejaff.exe Gbkdod32.exe File opened for modification C:\Windows\SysWOW64\Bppcpc32.exe Bfhofnpp.exe File created C:\Windows\SysWOW64\Hlhkja32.dll Dinjjf32.exe File created C:\Windows\SysWOW64\Pfbfjk32.exe Pnknim32.exe File created C:\Windows\SysWOW64\Ffhoaoie.dll Qdpmij32.exe File created C:\Windows\SysWOW64\Jedodcbl.dll Jidkek32.exe File created C:\Windows\SysWOW64\Iojfje32.dll Kfnkkb32.exe File opened for modification C:\Windows\SysWOW64\Pofjpl32.exe Plhnda32.exe File opened for modification C:\Windows\SysWOW64\Gdknpp32.exe Gnaecedp.exe File opened for modification C:\Windows\SysWOW64\Ofbdncaj.exe Nfpghccm.exe File created C:\Windows\SysWOW64\Piceflpi.exe Pbimjb32.exe File opened for modification C:\Windows\SysWOW64\Pkabbgol.exe Piceflpi.exe File created C:\Windows\SysWOW64\Dbjkkjkc.dll Lhadgmge.exe File created C:\Windows\SysWOW64\Mdnlip32.dll Ahnghafl.exe File opened for modification C:\Windows\SysWOW64\Ajhniccb.exe Aobilkcl.exe File created C:\Windows\SysWOW64\Amcpgoem.dll Lhenai32.exe File opened for modification C:\Windows\SysWOW64\Mfkkqmiq.exe Lpochfji.exe File opened for modification C:\Windows\SysWOW64\Anncek32.exe Aiqkmd32.exe File opened for modification C:\Windows\SysWOW64\Mpclce32.exe Mhldbh32.exe File created C:\Windows\SysWOW64\Gfdcpb32.dll Ggjjlk32.exe File opened for modification C:\Windows\SysWOW64\Qhghge32.exe Qkchna32.exe File created C:\Windows\SysWOW64\Qebpipij.exe Qbddmejf.exe File opened for modification C:\Windows\SysWOW64\Kicdke32.exe Kfehoj32.exe File created C:\Windows\SysWOW64\Nneilmna.dll Gbhhieao.exe File created C:\Windows\SysWOW64\Pmmfoj32.dll Gnaecedp.exe File created C:\Windows\SysWOW64\Gdngihbo.dll Aohfdnil.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deohpe32.dll" Pcicklnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcmlfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcclncbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qifbll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjklcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npgabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefplh32.dll" Lblaabdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncjginjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfkkqmiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlknqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgnfajk.dll" Kbpbed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blanhfid.dll" Nibbqicm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofijnbkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Philfgdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afddge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Einbcgha.dll" Klmpiiai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edcfml32.dll" Dpglmjoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qqfmnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noeaaqlq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oehldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgokfblh.dll" Dpdogj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mefiblfk.dll" Ccchof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nofefp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdknpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplfmjhg.dll" Maealn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfildi32.dll" Iiehpahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdjnolfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcaiocbn.dll" Lfpkhjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcacqeaf.dll" Ndmgnkja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkhhbbck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnkbbiqp.dll" Anncek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldleoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmkanmel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noiilpik.dll" Bpnihiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfcdfbqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pidcecbj.dll" Pcpikkge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naqbda32.dll" Bqfoamfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abemep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befogbik.dll" Clgmkbna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbfoclai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cldjkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbpbed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aohpek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdehep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbkcek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dimcppgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdfilkbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kceail32.dll" Qmkanmel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nefmgogl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imqpnq32.dll" Mjpjgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbdmc32.dll" Pbljoafi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dinjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkgpbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmcfkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcmcfeke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbckflji.dll" Ojllkcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfqkddfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbijb32.dll" Jkgpbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofbdncaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lookln32.dll" Mdehep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgfkm32.dll" Kicdke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikaggmii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edngom32.dll" Hqdkkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ammnhilb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5004 wrote to memory of 3908 5004 NEAS.f50e24e9a01b71e75aa92e6a9f44e7e0.exe 88 PID 5004 wrote to memory of 3908 5004 NEAS.f50e24e9a01b71e75aa92e6a9f44e7e0.exe 88 PID 5004 wrote to memory of 3908 5004 NEAS.f50e24e9a01b71e75aa92e6a9f44e7e0.exe 88 PID 3908 wrote to memory of 5096 3908 Hbdjchgn.exe 89 PID 3908 wrote to memory of 5096 3908 Hbdjchgn.exe 89 PID 3908 wrote to memory of 5096 3908 Hbdjchgn.exe 89 PID 5096 wrote to memory of 1300 5096 Hkmnln32.exe 90 PID 5096 wrote to memory of 1300 5096 Hkmnln32.exe 90 PID 5096 wrote to memory of 1300 5096 Hkmnln32.exe 90 PID 1300 wrote to memory of 2412 1300 Ibffhhek.exe 91 PID 1300 wrote to memory of 2412 1300 Ibffhhek.exe 91 PID 1300 wrote to memory of 2412 1300 Ibffhhek.exe 91 PID 2412 wrote to memory of 2088 2412 Ikokan32.exe 92 PID 2412 wrote to memory of 2088 2412 Ikokan32.exe 92 PID 2412 wrote to memory of 2088 2412 Ikokan32.exe 92 PID 2088 wrote to memory of 1340 2088 Ifdonfka.exe 93 PID 2088 wrote to memory of 1340 2088 Ifdonfka.exe 93 PID 2088 wrote to memory of 1340 2088 Ifdonfka.exe 93 PID 1340 wrote to memory of 1520 1340 Ikaggmii.exe 94 PID 1340 wrote to memory of 1520 1340 Ikaggmii.exe 94 PID 1340 wrote to memory of 1520 1340 Ikaggmii.exe 94 PID 1520 wrote to memory of 2884 1520 Iiehpahb.exe 95 PID 1520 wrote to memory of 2884 1520 Iiehpahb.exe 95 PID 1520 wrote to memory of 2884 1520 Iiehpahb.exe 95 PID 2884 wrote to memory of 3332 2884 Ibnligoc.exe 96 PID 2884 wrote to memory of 3332 2884 Ibnligoc.exe 96 PID 2884 wrote to memory of 3332 2884 Ibnligoc.exe 96 PID 3332 wrote to memory of 1464 3332 Ioambknl.exe 97 PID 3332 wrote to memory of 1464 3332 Ioambknl.exe 97 PID 3332 wrote to memory of 1464 3332 Ioambknl.exe 97 PID 1464 wrote to memory of 956 1464 Ifleoe32.exe 98 PID 1464 wrote to memory of 956 1464 Ifleoe32.exe 98 PID 1464 wrote to memory of 956 1464 Ifleoe32.exe 98 PID 956 wrote to memory of 3092 956 Jkhngl32.exe 99 PID 956 wrote to memory of 3092 956 Jkhngl32.exe 99 PID 956 wrote to memory of 3092 956 Jkhngl32.exe 99 PID 3092 wrote to memory of 3688 3092 Jkkjmlan.exe 101 PID 3092 wrote to memory of 3688 3092 Jkkjmlan.exe 101 PID 3092 wrote to memory of 3688 3092 Jkkjmlan.exe 101 PID 3688 wrote to memory of 2700 3688 Jnifigpa.exe 102 PID 3688 wrote to memory of 2700 3688 Jnifigpa.exe 102 PID 3688 wrote to memory of 2700 3688 Jnifigpa.exe 102 PID 2700 wrote to memory of 2780 2700 Joiccj32.exe 103 PID 2700 wrote to memory of 2780 2700 Joiccj32.exe 103 PID 2700 wrote to memory of 2780 2700 Joiccj32.exe 103 PID 2780 wrote to memory of 1212 2780 Jiaglp32.exe 104 PID 2780 wrote to memory of 1212 2780 Jiaglp32.exe 104 PID 2780 wrote to memory of 1212 2780 Jiaglp32.exe 104 PID 1212 wrote to memory of 1372 1212 Jfehed32.exe 105 PID 1212 wrote to memory of 1372 1212 Jfehed32.exe 105 PID 1212 wrote to memory of 1372 1212 Jfehed32.exe 105 PID 1372 wrote to memory of 4476 1372 Jkaqnk32.exe 106 PID 1372 wrote to memory of 4476 1372 Jkaqnk32.exe 106 PID 1372 wrote to memory of 4476 1372 Jkaqnk32.exe 106 PID 4476 wrote to memory of 2244 4476 Jghabl32.exe 107 PID 4476 wrote to memory of 2244 4476 Jghabl32.exe 107 PID 4476 wrote to memory of 2244 4476 Jghabl32.exe 107 PID 2244 wrote to memory of 2536 2244 Knbiofhg.exe 108 PID 2244 wrote to memory of 2536 2244 Knbiofhg.exe 108 PID 2244 wrote to memory of 2536 2244 Knbiofhg.exe 108 PID 2536 wrote to memory of 3620 2536 Kgknhl32.exe 109 PID 2536 wrote to memory of 3620 2536 Kgknhl32.exe 109 PID 2536 wrote to memory of 3620 2536 Kgknhl32.exe 109 PID 3620 wrote to memory of 3448 3620 Kbpbed32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.f50e24e9a01b71e75aa92e6a9f44e7e0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.f50e24e9a01b71e75aa92e6a9f44e7e0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Kbpbed32.exeC:\Windows\system32\Kbpbed32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe23⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe25⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:4852 -
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3616 -
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5100 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe29⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe30⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4436 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe33⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe34⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe35⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe36⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe37⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3324 -
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe39⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe40⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe41⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4968 -
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe43⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe45⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe46⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:4912 -
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4708 -
C:\Windows\SysWOW64\Ohgoaehe.exeC:\Windows\system32\Ohgoaehe.exe49⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe50⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe51⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe52⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe53⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe55⤵
- Executes dropped EXE
PID:3824 -
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe57⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:4220 -
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe59⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe60⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1088 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe62⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:4396 -
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3352 -
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe66⤵PID:4684
-
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe67⤵PID:2364
-
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4996 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe69⤵PID:3300
-
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe71⤵PID:1200
-
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe72⤵PID:2236
-
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe73⤵PID:4168
-
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe74⤵PID:1284
-
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe75⤵
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe76⤵
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4268 -
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3476 -
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe79⤵
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe80⤵PID:3160
-
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe81⤵PID:3380
-
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe82⤵PID:4732
-
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe83⤵
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe84⤵PID:4132
-
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:376 -
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe86⤵PID:4200
-
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe87⤵PID:2716
-
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe88⤵PID:2604
-
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe89⤵PID:5164
-
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe90⤵PID:5208
-
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe91⤵PID:5252
-
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5296 -
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe93⤵PID:5340
-
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe94⤵PID:5384
-
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe95⤵PID:5428
-
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5472 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe97⤵PID:5516
-
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5560 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe99⤵PID:5604
-
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe100⤵PID:5648
-
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe101⤵PID:5692
-
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5736 -
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe103⤵PID:5960
-
C:\Windows\SysWOW64\Jkgpbp32.exeC:\Windows\system32\Jkgpbp32.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:6136 -
C:\Windows\SysWOW64\Odhifjkg.exeC:\Windows\system32\Odhifjkg.exe105⤵
- Drops file in System32 directory
PID:5152 -
C:\Windows\SysWOW64\Coadnlnb.exeC:\Windows\system32\Coadnlnb.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5956 -
C:\Windows\SysWOW64\Mfchlbfd.exeC:\Windows\system32\Mfchlbfd.exe107⤵PID:6056
-
C:\Windows\SysWOW64\Fbgbnkfm.exeC:\Windows\system32\Fbgbnkfm.exe108⤵PID:5220
-
C:\Windows\SysWOW64\Ibcjqgnm.exeC:\Windows\system32\Ibcjqgnm.exe109⤵
- Drops file in System32 directory
PID:6108 -
C:\Windows\SysWOW64\Lpepbgbd.exeC:\Windows\system32\Lpepbgbd.exe110⤵PID:3816
-
C:\Windows\SysWOW64\Lcclncbh.exeC:\Windows\system32\Lcclncbh.exe111⤵
- Modifies registry class
PID:3876 -
C:\Windows\SysWOW64\Lafmjp32.exeC:\Windows\system32\Lafmjp32.exe112⤵PID:5188
-
C:\Windows\SysWOW64\Lindkm32.exeC:\Windows\system32\Lindkm32.exe113⤵PID:4356
-
C:\Windows\SysWOW64\Lhcali32.exeC:\Windows\system32\Lhcali32.exe114⤵PID:2960
-
C:\Windows\SysWOW64\Lakfeodm.exeC:\Windows\system32\Lakfeodm.exe115⤵PID:100
-
C:\Windows\SysWOW64\Lhenai32.exeC:\Windows\system32\Lhenai32.exe116⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Lckboblp.exeC:\Windows\system32\Lckboblp.exe117⤵PID:5440
-
C:\Windows\SysWOW64\Ljdkll32.exeC:\Windows\system32\Ljdkll32.exe118⤵
- Drops file in System32 directory
PID:5480 -
C:\Windows\SysWOW64\Lpochfji.exeC:\Windows\system32\Lpochfji.exe119⤵
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Mfkkqmiq.exeC:\Windows\system32\Mfkkqmiq.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:636 -
C:\Windows\SysWOW64\Mhldbh32.exeC:\Windows\system32\Mhldbh32.exe121⤵
- Drops file in System32 directory
PID:1476
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-