Analysis

max time kernel: 128s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/10/2023, 17:53
Static task: static1 (1 signature)

Behavioral task: behavioral1
  Sample: NEAS.efa013c3413f2db243d94dc0f366fb09.exe
  Resource: win7-20231023-en
  7 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: NEAS.efa013c3413f2db243d94dc0f366fb09.exe
  Resource: win10v2004-20231023-en
  6 signatures, 150 seconds
General

Target: NEAS.efa013c3413f2db243d94dc0f366fb09.exe
Size: 262KB
MD5: efa013c3413f2db243d94dc0f366fb09
SHA1: 7906daae8b562345044f5b48dc587e8697bd9d08
SHA256: 003c82dfddbba6e184072f2d17fd453c5652099b2f2b622d978f4bec2ad25f74
SHA512: f49528166c1897a5623edc4f02a6540f19348480a8a4e361f88f2c3cda1ab79eadf2bf26d7b7fc793b8d61685abe9e2ffe1561ede8f2a5f66adadaf0128e7c93
SSDEEP: 6144:/8TvzKfC3otU75hVRFVEHjTG8uuqQE/cIauiuM:UTQC3jDFVEHj35qQEo5B
Score: 10/10
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  4652  6508        WerFault.exe  754
  6108  6508        WerFault.exe  754
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (numbered by depth in the process tree; each process is a child of the one above it)

1. C:\Users\Admin\AppData\Local\Temp\NEAS.efa013c3413f2db243d94dc0f366fb09.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.efa013c3413f2db243d94dc0f366fb09.exe"
   PID: 4408
   - Suspicious use of WriteProcessMemory

2. C:\Windows\SysWOW64\Kimgba32.exe
   Command line: C:\Windows\system32\Kimgba32.exe
   PID: 1132
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory

3. C:\Windows\SysWOW64\Lhopgg32.exe
   Command line: C:\Windows\system32\Lhopgg32.exe
   PID: 2156
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory

4. C:\Windows\SysWOW64\Mfkcibdl.exe
   Command line: C:\Windows\system32\Mfkcibdl.exe
   PID: 2764
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory

5. C:\Windows\SysWOW64\Mjkiephp.exe
   Command line: C:\Windows\system32\Mjkiephp.exe
   PID: 1324
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory

6. C:\Windows\SysWOW64\Nalgbi32.exe
   Command line: C:\Windows\system32\Nalgbi32.exe
   PID: 2176
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory

7. C:\Windows\SysWOW64\Ngklppei.exe
   Command line: C:\Windows\system32\Ngklppei.exe
   PID: 2992
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory

8. C:\Windows\SysWOW64\Oaejhh32.exe
   Command line: C:\Windows\system32\Oaejhh32.exe
   PID: 3524
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory

9. C:\Windows\SysWOW64\Pdofpb32.exe
   Command line: C:\Windows\system32\Pdofpb32.exe
   PID: 2072
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory

10. C:\Windows\SysWOW64\Qpmmfbfl.exe
    Command line: C:\Windows\system32\Qpmmfbfl.exe
    PID: 4220
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

11. C:\Windows\SysWOW64\Aqpika32.exe
    Command line: C:\Windows\system32\Aqpika32.exe
    PID: 4804
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

12. C:\Windows\SysWOW64\Adpogp32.exe
    Command line: C:\Windows\system32\Adpogp32.exe
    PID: 920
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

13. C:\Windows\SysWOW64\Bhgjcmfi.exe
    Command line: C:\Windows\system32\Bhgjcmfi.exe
    PID: 1744
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

14. C:\Windows\SysWOW64\Cejjdlap.exe
    Command line: C:\Windows\system32\Cejjdlap.exe
    PID: 4396
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

15. C:\Windows\SysWOW64\Dgomaf32.exe
    Command line: C:\Windows\system32\Dgomaf32.exe
    PID: 2184
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

16. C:\Windows\SysWOW64\Ejiiippb.exe
    Command line: C:\Windows\system32\Ejiiippb.exe
    PID: 4380
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

17. C:\Windows\SysWOW64\Ebbmpmnb.exe
    Command line: C:\Windows\system32\Ebbmpmnb.exe
    PID: 4464
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

18. C:\Windows\SysWOW64\Ejnbdp32.exe
    Command line: C:\Windows\system32\Ejnbdp32.exe
    PID: 4640
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

19. C:\Windows\SysWOW64\Fjpoio32.exe
    Command line: C:\Windows\system32\Fjpoio32.exe
    PID: 4924
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

20. C:\Windows\SysWOW64\Fifhbf32.exe
    Command line: C:\Windows\system32\Fifhbf32.exe
    PID: 3628
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

21. C:\Windows\SysWOW64\Ghmbib32.exe
    Command line: C:\Windows\system32\Ghmbib32.exe
    PID: 4528
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE

22. C:\Windows\SysWOW64\Giokid32.exe
    Command line: C:\Windows\system32\Giokid32.exe
    PID: 4276
    - Suspicious use of WriteProcessMemory

23. C:\Windows\SysWOW64\Gkeakl32.exe
    Command line: C:\Windows\system32\Gkeakl32.exe
    PID: 4616
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

24. C:\Windows\SysWOW64\Hoefgj32.exe
    Command line: C:\Windows\system32\Hoefgj32.exe
    PID: 3896
    - Executes dropped EXE

25. C:\Windows\SysWOW64\Ihgnfnjl.exe
    Command line: C:\Windows\system32\Ihgnfnjl.exe
    PID: 2828
    - Executes dropped EXE

26. C:\Windows\SysWOW64\Jfikaqme.exe
    Command line: C:\Windows\system32\Jfikaqme.exe
    PID: 1520
    - Executes dropped EXE

27. C:\Windows\SysWOW64\Lihpdj32.exe
    Command line: C:\Windows\system32\Lihpdj32.exe
    PID: 1672
    - Executes dropped EXE

28. C:\Windows\SysWOW64\Lcbmlbig.exe
    Command line: C:\Windows\system32\Lcbmlbig.exe
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Mlbllc32.exeC:\Windows\system32\Mlbllc32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Mfjlolpp.exeC:\Windows\system32\Mfjlolpp.exe30⤵
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\Nbefolao.exeC:\Windows\system32\Nbefolao.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4108 -
C:\Windows\SysWOW64\Nmmgae32.exeC:\Windows\system32\Nmmgae32.exe32⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Nmpdgdmp.exeC:\Windows\system32\Nmpdgdmp.exe33⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Njfafhjf.exeC:\Windows\system32\Njfafhjf.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Odqbdnod.exeC:\Windows\system32\Odqbdnod.exe35⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Opjponbf.exeC:\Windows\system32\Opjponbf.exe36⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Pignccea.exeC:\Windows\system32\Pignccea.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1408 -
C:\Windows\SysWOW64\Ppccemjk.exeC:\Windows\system32\Ppccemjk.exe38⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Pindcboi.exeC:\Windows\system32\Pindcboi.exe39⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Qipqibmf.exeC:\Windows\system32\Qipqibmf.exe40⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Qpmfklbq.exeC:\Windows\system32\Qpmfklbq.exe41⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Agikne32.exeC:\Windows\system32\Agikne32.exe42⤵
- Executes dropped EXE
PID:3084 -
C:\Windows\SysWOW64\Acbhhf32.exeC:\Windows\system32\Acbhhf32.exe43⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Apfhajjf.exeC:\Windows\system32\Apfhajjf.exe44⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Acgacegg.exeC:\Windows\system32\Acgacegg.exe45⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Bkpfjb32.exeC:\Windows\system32\Bkpfjb32.exe46⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Bdkghg32.exeC:\Windows\system32\Bdkghg32.exe47⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Bnclamqe.exeC:\Windows\system32\Bnclamqe.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Cmkehicj.exeC:\Windows\system32\Cmkehicj.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3180 -
C:\Windows\SysWOW64\Cjcolm32.exeC:\Windows\system32\Cjcolm32.exe50⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Ckclfp32.exeC:\Windows\system32\Ckclfp32.exe51⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Dgliapic.exeC:\Windows\system32\Dgliapic.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Dgnffp32.exeC:\Windows\system32\Dgnffp32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Dnkkij32.exeC:\Windows\system32\Dnkkij32.exe54⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Dmphjfab.exeC:\Windows\system32\Dmphjfab.exe55⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Emdaee32.exeC:\Windows\system32\Emdaee32.exe56⤵
- Executes dropped EXE
PID:528 -
C:\Windows\SysWOW64\Emikpeig.exeC:\Windows\system32\Emikpeig.exe57⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Emlgedge.exeC:\Windows\system32\Emlgedge.exe58⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Fhchhm32.exeC:\Windows\system32\Fhchhm32.exe59⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Fanigb32.exeC:\Windows\system32\Fanigb32.exe60⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Flfjjkgi.exeC:\Windows\system32\Flfjjkgi.exe61⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Gaepgacn.exeC:\Windows\system32\Gaepgacn.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1456 -
C:\Windows\SysWOW64\Geeecogb.exeC:\Windows\system32\Geeecogb.exe63⤵
- Executes dropped EXE
PID:3424 -
C:\Windows\SysWOW64\Haaocp32.exeC:\Windows\system32\Haaocp32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Ihicah32.exeC:\Windows\system32\Ihicah32.exe65⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Iaahjmkn.exeC:\Windows\system32\Iaahjmkn.exe66⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Jlnbhe32.exeC:\Windows\system32\Jlnbhe32.exe67⤵PID:4328
-
C:\Windows\SysWOW64\Neclpamg.exeC:\Windows\system32\Neclpamg.exe68⤵PID:4556
-
C:\Windows\SysWOW64\Ofjokc32.exeC:\Windows\system32\Ofjokc32.exe69⤵
- Modifies registry class
PID:4340 -
C:\Windows\SysWOW64\Opbcdieb.exeC:\Windows\system32\Opbcdieb.exe70⤵PID:4860
-
C:\Windows\SysWOW64\Ongpeejj.exeC:\Windows\system32\Ongpeejj.exe71⤵PID:2464
-
C:\Windows\SysWOW64\Oimdbnip.exeC:\Windows\system32\Oimdbnip.exe72⤵PID:3612
-
C:\Windows\SysWOW64\Obeikc32.exeC:\Windows\system32\Obeikc32.exe73⤵PID:4320
-
C:\Windows\SysWOW64\Onlipd32.exeC:\Windows\system32\Onlipd32.exe74⤵PID:844
-
C:\Windows\SysWOW64\Ommjnlnd.exeC:\Windows\system32\Ommjnlnd.exe75⤵
- Modifies registry class
PID:5056 -
C:\Windows\SysWOW64\Pidjcm32.exeC:\Windows\system32\Pidjcm32.exe76⤵PID:3552
-
C:\Windows\SysWOW64\Pmdpok32.exeC:\Windows\system32\Pmdpok32.exe77⤵
- Drops file in System32 directory
PID:5076 -
C:\Windows\SysWOW64\Pbahgbfc.exeC:\Windows\system32\Pbahgbfc.exe78⤵PID:1076
-
C:\Windows\SysWOW64\Pohilc32.exeC:\Windows\system32\Pohilc32.exe79⤵
- Modifies registry class
PID:4356 -
C:\Windows\SysWOW64\Aemqdk32.exeC:\Windows\system32\Aemqdk32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2088 -
C:\Windows\SysWOW64\Apcead32.exeC:\Windows\system32\Apcead32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4196 -
C:\Windows\SysWOW64\Aebjokda.exeC:\Windows\system32\Aebjokda.exe82⤵PID:4208
-
C:\Windows\SysWOW64\Bllble32.exeC:\Windows\system32\Bllble32.exe83⤵PID:1068
-
C:\Windows\SysWOW64\Bpjkbcbe.exeC:\Windows\system32\Bpjkbcbe.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:220 -
C:\Windows\SysWOW64\Bgdcom32.exeC:\Windows\system32\Bgdcom32.exe85⤵PID:5112
-
C:\Windows\SysWOW64\Blqlgdhi.exeC:\Windows\system32\Blqlgdhi.exe86⤵PID:4272
-
C:\Windows\SysWOW64\Benjkijd.exeC:\Windows\system32\Benjkijd.exe87⤵PID:544
-
C:\Windows\SysWOW64\Cjlbag32.exeC:\Windows\system32\Cjlbag32.exe88⤵PID:4856
-
C:\Windows\SysWOW64\Cnjkgf32.exeC:\Windows\system32\Cnjkgf32.exe89⤵PID:1084
-
C:\Windows\SysWOW64\Clohhbli.exeC:\Windows\system32\Clohhbli.exe90⤵PID:2504
-
C:\Windows\SysWOW64\Cgdlfk32.exeC:\Windows\system32\Cgdlfk32.exe91⤵PID:5072
-
C:\Windows\SysWOW64\Dgieajgj.exeC:\Windows\system32\Dgieajgj.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3984 -
C:\Windows\SysWOW64\Dcpffk32.exeC:\Windows\system32\Dcpffk32.exe93⤵PID:2108
-
C:\Windows\SysWOW64\Dqdgop32.exeC:\Windows\system32\Dqdgop32.exe94⤵PID:4956
-
C:\Windows\SysWOW64\Dcdpakii.exeC:\Windows\system32\Dcdpakii.exe95⤵PID:2356
-
C:\Windows\SysWOW64\Dfeibf32.exeC:\Windows\system32\Dfeibf32.exe96⤵PID:3416
-
C:\Windows\SysWOW64\Ejennd32.exeC:\Windows\system32\Ejennd32.exe97⤵PID:1720
-
C:\Windows\SysWOW64\Ecpomiok.exeC:\Windows\system32\Ecpomiok.exe98⤵PID:3912
-
C:\Windows\SysWOW64\Fnhppa32.exeC:\Windows\system32\Fnhppa32.exe99⤵
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Fppchile.exeC:\Windows\system32\Fppchile.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:5152 -
C:\Windows\SysWOW64\Ffjkdc32.exeC:\Windows\system32\Ffjkdc32.exe101⤵PID:5196
-
C:\Windows\SysWOW64\Fapobl32.exeC:\Windows\system32\Fapobl32.exe102⤵PID:5240
-
C:\Windows\SysWOW64\Ggjgofkd.exeC:\Windows\system32\Ggjgofkd.exe103⤵PID:5280
-
C:\Windows\SysWOW64\Gpelchhp.exeC:\Windows\system32\Gpelchhp.exe104⤵
- Drops file in System32 directory
PID:5332 -
C:\Windows\SysWOW64\Gnfmapqo.exeC:\Windows\system32\Gnfmapqo.exe105⤵PID:5372
-
C:\Windows\SysWOW64\Gcceifof.exeC:\Windows\system32\Gcceifof.exe106⤵PID:5412
-
C:\Windows\SysWOW64\Gmkibl32.exeC:\Windows\system32\Gmkibl32.exe107⤵
- Modifies registry class
PID:5456 -
C:\Windows\SysWOW64\Galonj32.exeC:\Windows\system32\Galonj32.exe108⤵PID:5500
-
C:\Windows\SysWOW64\Hjdcfp32.exeC:\Windows\system32\Hjdcfp32.exe109⤵PID:5544
-
C:\Windows\SysWOW64\Hpchdf32.exeC:\Windows\system32\Hpchdf32.exe110⤵PID:5584
-
C:\Windows\SysWOW64\Hmginjki.exeC:\Windows\system32\Hmginjki.exe111⤵PID:5664
-
C:\Windows\SysWOW64\Jddggb32.exeC:\Windows\system32\Jddggb32.exe112⤵
- Drops file in System32 directory
PID:5740 -
C:\Windows\SysWOW64\Jhdlbp32.exeC:\Windows\system32\Jhdlbp32.exe113⤵PID:5780
-
C:\Windows\SysWOW64\Jalakeme.exeC:\Windows\system32\Jalakeme.exe114⤵PID:5824
-
C:\Windows\SysWOW64\Jopaejlo.exeC:\Windows\system32\Jopaejlo.exe115⤵PID:5928
-
C:\Windows\SysWOW64\Kphdma32.exeC:\Windows\system32\Kphdma32.exe116⤵PID:6028
-
C:\Windows\SysWOW64\Ldblon32.exeC:\Windows\system32\Ldblon32.exe117⤵PID:6064
-
C:\Windows\SysWOW64\Mqimdomb.exeC:\Windows\system32\Mqimdomb.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6124 -
C:\Windows\SysWOW64\Mbkfcabb.exeC:\Windows\system32\Mbkfcabb.exe119⤵PID:5208
-
C:\Windows\SysWOW64\Mqbpjmeg.exeC:\Windows\system32\Mqbpjmeg.exe120⤵PID:5272
-
C:\Windows\SysWOW64\Ndphpk32.exeC:\Windows\system32\Ndphpk32.exe121⤵PID:5380
-
C:\Windows\SysWOW64\Nnimia32.exeC:\Windows\system32\Nnimia32.exe122⤵PID:5444