Analysis

max time kernel: 151s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-10-2023 18:03

Static task: static1 (1 signatures)

Behavioral task: behavioral1
  Sample: NEAS.18fe989a050b3a6cba5da1c60d3a6e00.exe
  Resource: win7-20231023-en (windows7-x64)
  8 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: NEAS.18fe989a050b3a6cba5da1c60d3a6e00.exe
  Resource: win10v2004-20231023-en (windows10-2004-x64)
  5 signatures, 150 seconds

General

Target: NEAS.18fe989a050b3a6cba5da1c60d3a6e00.exe
Size: 45KB
MD5: 18fe989a050b3a6cba5da1c60d3a6e00
SHA1: a6b14f2232995e0fbb29c86f7bf57b1add3a053a
SHA256: 0f7349f5aae9acc7bd6603815547c1cd177ee321622ab1eab59717aafada2a08
SHA512: 13a9ec67fe535fe6e3cf860654d37d3da8b54ac8729e2d8b9bbeaccb2227d59bee07a9a1b4c1113804e2d5ec3ba47059b310118c1b5285f029822aff34bf1d50
SSDEEP: 768:lU7yRpu5UlDTNkQSxqSk2aVdpmUjpRJyxUzXWRn/1H5:lZRpfhNI8xpDmh
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\NEAS.18fe989a050b3a6cba5da1c60d3a6e00.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.18fe989a050b3a6cba5da1c60d3a6e00.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1752

[depth 2] C:\Windows\SysWOW64\Noehac32.exe
  Command line: C:\Windows\system32\Noehac32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4816

[depth 3] C:\Windows\SysWOW64\Qkchna32.exe
  Command line: C:\Windows\system32\Qkchna32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3284

[depth 4] C:\Windows\SysWOW64\Aohfdnil.exe
  Command line: C:\Windows\system32\Aohfdnil.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4736

[depth 5] C:\Windows\SysWOW64\Bejhhd32.exe
  Command line: C:\Windows\system32\Bejhhd32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4704

[depth 6] C:\Windows\SysWOW64\Clmckmcq.exe
  Command line: C:\Windows\system32\Clmckmcq.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1240

[depth 7] C:\Windows\SysWOW64\Cfljnejl.exe
  Command line: C:\Windows\system32\Cfljnejl.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2704

[depth 8] C:\Windows\SysWOW64\Dolinf32.exe
  Command line: C:\Windows\system32\Dolinf32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2196

[depth 9] C:\Windows\SysWOW64\Eihcln32.exe
  Command line: C:\Windows\system32\Eihcln32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2360

[depth 10] C:\Windows\SysWOW64\Fhgccijm.exe
  Command line: C:\Windows\system32\Fhgccijm.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3888

[depth 11] C:\Windows\SysWOW64\Giboijgb.exe
  Command line: C:\Windows\system32\Giboijgb.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2232

[depth 12] C:\Windows\SysWOW64\Hhleefhe.exe
  Command line: C:\Windows\system32\Hhleefhe.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1724

[depth 13] C:\Windows\SysWOW64\Jjhjae32.exe
  Command line: C:\Windows\system32\Jjhjae32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2744

[depth 14] C:\Windows\SysWOW64\Kgemahmg.exe
  Command line: C:\Windows\system32\Kgemahmg.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2336

[depth 15] C:\Windows\SysWOW64\Ladhkmno.exe
  Command line: C:\Windows\system32\Ladhkmno.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 820

[depth 16] C:\Windows\SysWOW64\Mankaked.exe
  Command line: C:\Windows\system32\Mankaked.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3508

[depth 17] C:\Windows\SysWOW64\Nagngjmj.exe
  Command line: C:\Windows\system32\Nagngjmj.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4968

[depth 18] C:\Windows\SysWOW64\Ophjdehd.exe
  Command line: C:\Windows\system32\Ophjdehd.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1164

[depth 19] C:\Windows\SysWOW64\Paomog32.exe
  Command line: C:\Windows\system32\Paomog32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2340

[depth 20] C:\Windows\SysWOW64\Aqpika32.exe
  Command line: C:\Windows\system32\Aqpika32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4092

[depth 21] C:\Windows\SysWOW64\Bqkigp32.exe
  Command line: C:\Windows\system32\Bqkigp32.exe
  - Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Biigildg.exeC:\Windows\system32\Biigildg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\Bjmpfdhb.exeC:\Windows\system32\Bjmpfdhb.exe23⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Cqiehnml.exeC:\Windows\system32\Cqiehnml.exe24⤵
- Drops file in System32 directory
PID:4212 -
C:\Windows\SysWOW64\Ciefek32.exeC:\Windows\system32\Ciefek32.exe25⤵
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Dagajlal.exeC:\Windows\system32\Dagajlal.exe26⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Jfbdpabn.exeC:\Windows\system32\Jfbdpabn.exe27⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Jjgcgo32.exeC:\Windows\system32\Jjgcgo32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:3984 -
C:\Windows\SysWOW64\Komoed32.exeC:\Windows\system32\Komoed32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Lbenho32.exeC:\Windows\system32\Lbenho32.exe30⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Mcggga32.exeC:\Windows\system32\Mcggga32.exe31⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Npldnp32.exeC:\Windows\system32\Npldnp32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3376 -
C:\Windows\SysWOW64\Njfafhjf.exeC:\Windows\system32\Njfafhjf.exe33⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Piikhc32.exeC:\Windows\system32\Piikhc32.exe34⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Pgphggpe.exeC:\Windows\system32\Pgphggpe.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Apcllk32.exeC:\Windows\system32\Apcllk32.exe36⤵
- Executes dropped EXE
PID:724 -
C:\Windows\SysWOW64\Bpmobi32.exeC:\Windows\system32\Bpmobi32.exe37⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Bcngddao.exeC:\Windows\system32\Bcngddao.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4300 -
C:\Windows\SysWOW64\Cggpfa32.exeC:\Windows\system32\Cggpfa32.exe39⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Dmiaig32.exeC:\Windows\system32\Dmiaig32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5048 -
C:\Windows\SysWOW64\Dedceddg.exeC:\Windows\system32\Dedceddg.exe41⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Egjebn32.exeC:\Windows\system32\Egjebn32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4976 -
C:\Windows\SysWOW64\Ikpjmd32.exeC:\Windows\system32\Ikpjmd32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Idpdfija.exeC:\Windows\system32\Idpdfija.exe44⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Ikjmcc32.exeC:\Windows\system32\Ikjmcc32.exe45⤵
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\Jahnkl32.exeC:\Windows\system32\Jahnkl32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4528 -
C:\Windows\SysWOW64\Jehcfj32.exeC:\Windows\system32\Jehcfj32.exe47⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Khimhefk.exeC:\Windows\system32\Khimhefk.exe48⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Koeajo32.exeC:\Windows\system32\Koeajo32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Knkokl32.exeC:\Windows\system32\Knkokl32.exe50⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Lkhbko32.exeC:\Windows\system32\Lkhbko32.exe51⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Miqlpbap.exeC:\Windows\system32\Miqlpbap.exe52⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Mbiphhhq.exeC:\Windows\system32\Mbiphhhq.exe53⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Mbnjcg32.exeC:\Windows\system32\Mbnjcg32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4500 -
C:\Windows\SysWOW64\Mmcnap32.exeC:\Windows\system32\Mmcnap32.exe55⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Nkkggl32.exeC:\Windows\system32\Nkkggl32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Omhpcm32.exeC:\Windows\system32\Omhpcm32.exe57⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Pohilc32.exeC:\Windows\system32\Pohilc32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4608 -
C:\Windows\SysWOW64\Affgno32.exeC:\Windows\system32\Affgno32.exe59⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Aohbbqme.exeC:\Windows\system32\Aohbbqme.exe60⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Bgdcom32.exeC:\Windows\system32\Bgdcom32.exe61⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Cpfkna32.exeC:\Windows\system32\Cpfkna32.exe62⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Cpjdiadb.exeC:\Windows\system32\Cpjdiadb.exe63⤵
- Executes dropped EXE
PID:3720 -
C:\Windows\SysWOW64\Djeegf32.exeC:\Windows\system32\Djeegf32.exe64⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Dfqogfjo.exeC:\Windows\system32\Dfqogfjo.exe65⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Eqmjen32.exeC:\Windows\system32\Eqmjen32.exe66⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Ecnbgian.exeC:\Windows\system32\Ecnbgian.exe67⤵PID:2820
-
C:\Windows\SysWOW64\Ecblbi32.exeC:\Windows\system32\Ecblbi32.exe68⤵PID:4772
-
C:\Windows\SysWOW64\Fnjmea32.exeC:\Windows\system32\Fnjmea32.exe69⤵PID:4000
-
C:\Windows\SysWOW64\Fjfgealk.exeC:\Windows\system32\Fjfgealk.exe70⤵PID:1808
-
C:\Windows\SysWOW64\Gceaofmc.exeC:\Windows\system32\Gceaofmc.exe71⤵PID:2404
-
C:\Windows\SysWOW64\Gnkflo32.exeC:\Windows\system32\Gnkflo32.exe72⤵
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Hmdlhk32.exeC:\Windows\system32\Hmdlhk32.exe73⤵PID:3820
-
C:\Windows\SysWOW64\Hmifcjif.exeC:\Windows\system32\Hmifcjif.exe74⤵
- Modifies registry class
PID:1788 -
C:\Windows\SysWOW64\Impldi32.exeC:\Windows\system32\Impldi32.exe75⤵PID:4232
-
C:\Windows\SysWOW64\Ihfpabbd.exeC:\Windows\system32\Ihfpabbd.exe76⤵
- Drops file in System32 directory
PID:4640 -
C:\Windows\SysWOW64\Jmlkpgia.exeC:\Windows\system32\Jmlkpgia.exe77⤵
- Drops file in System32 directory
PID:4520 -
C:\Windows\SysWOW64\Laofhbmp.exeC:\Windows\system32\Laofhbmp.exe78⤵PID:2764
-
C:\Windows\SysWOW64\Mhpeelnd.exeC:\Windows\system32\Mhpeelnd.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4040 -
C:\Windows\SysWOW64\Mqkijnkp.exeC:\Windows\system32\Mqkijnkp.exe80⤵PID:2188
-
C:\Windows\SysWOW64\Mkangg32.exeC:\Windows\system32\Mkangg32.exe81⤵PID:3968
-
C:\Windows\SysWOW64\Mglhgg32.exeC:\Windows\system32\Mglhgg32.exe82⤵PID:2740
-
C:\Windows\SysWOW64\Ndbefkjk.exeC:\Windows\system32\Ndbefkjk.exe83⤵
- Drops file in System32 directory
PID:4848 -
C:\Windows\SysWOW64\Ooalibaf.exeC:\Windows\system32\Ooalibaf.exe84⤵PID:1580
-
C:\Windows\SysWOW64\Oajoaj32.exeC:\Windows\system32\Oajoaj32.exe85⤵PID:4136
-
C:\Windows\SysWOW64\Pgdgodhj.exeC:\Windows\system32\Pgdgodhj.exe86⤵PID:4244
-
C:\Windows\SysWOW64\Ppphkq32.exeC:\Windows\system32\Ppphkq32.exe87⤵PID:4496
-
C:\Windows\SysWOW64\Qiocde32.exeC:\Windows\system32\Qiocde32.exe88⤵PID:3756
-
C:\Windows\SysWOW64\Qajhigcj.exeC:\Windows\system32\Qajhigcj.exe89⤵PID:3848
-
C:\Windows\SysWOW64\Abjdbj32.exeC:\Windows\system32\Abjdbj32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3884 -
C:\Windows\SysWOW64\Apdkmn32.exeC:\Windows\system32\Apdkmn32.exe91⤵PID:3124
-
C:\Windows\SysWOW64\Bhblfpng.exeC:\Windows\system32\Bhblfpng.exe92⤵PID:4384
-
C:\Windows\SysWOW64\Bbhqdhnm.exeC:\Windows\system32\Bbhqdhnm.exe93⤵PID:3228
-
C:\Windows\SysWOW64\Bppjhl32.exeC:\Windows\system32\Bppjhl32.exe94⤵PID:4736
-
C:\Windows\SysWOW64\Clldhljp.exeC:\Windows\system32\Clldhljp.exe95⤵PID:3108
-
C:\Windows\SysWOW64\Ccfmef32.exeC:\Windows\system32\Ccfmef32.exe96⤵PID:3832
-
C:\Windows\SysWOW64\Cipebqij.exeC:\Windows\system32\Cipebqij.exe97⤵PID:1668
-
C:\Windows\SysWOW64\Dhndil32.exeC:\Windows\system32\Dhndil32.exe98⤵
- Modifies registry class
PID:1164 -
C:\Windows\SysWOW64\Elagjihh.exeC:\Windows\system32\Elagjihh.exe99⤵
- Modifies registry class
PID:4512 -
C:\Windows\SysWOW64\Efnennjc.exeC:\Windows\system32\Efnennjc.exe100⤵
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Fokbbcmo.exeC:\Windows\system32\Fokbbcmo.exe101⤵PID:4248
-
C:\Windows\SysWOW64\Gpgbna32.exeC:\Windows\system32\Gpgbna32.exe102⤵PID:4092
-
C:\Windows\SysWOW64\Ijcecgnl.exeC:\Windows\system32\Ijcecgnl.exe103⤵PID:1428
-
C:\Windows\SysWOW64\Imbaobmp.exeC:\Windows\system32\Imbaobmp.exe104⤵PID:2864
-
C:\Windows\SysWOW64\Jpjqaldi.exeC:\Windows\system32\Jpjqaldi.exe105⤵
- Drops file in System32 directory
PID:4764 -
C:\Windows\SysWOW64\Jmpnppap.exeC:\Windows\system32\Jmpnppap.exe106⤵PID:5060
-
C:\Windows\SysWOW64\Kbapdfkb.exeC:\Windows\system32\Kbapdfkb.exe107⤵
- Modifies registry class
PID:392 -
C:\Windows\SysWOW64\Ldmlih32.exeC:\Windows\system32\Ldmlih32.exe108⤵PID:3308
-
C:\Windows\SysWOW64\Lkgdfb32.exeC:\Windows\system32\Lkgdfb32.exe109⤵PID:2628
-
C:\Windows\SysWOW64\Lpcmoi32.exeC:\Windows\system32\Lpcmoi32.exe110⤵PID:1532
-
C:\Windows\SysWOW64\Mdhkefnj.exeC:\Windows\system32\Mdhkefnj.exe111⤵PID:5092
-
C:\Windows\SysWOW64\Mdkhkflh.exeC:\Windows\system32\Mdkhkflh.exe112⤵PID:4212
-
C:\Windows\SysWOW64\Maohdj32.exeC:\Windows\system32\Maohdj32.exe113⤵PID:3956
-
C:\Windows\SysWOW64\Nnjbdj32.exeC:\Windows\system32\Nnjbdj32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3208 -
C:\Windows\SysWOW64\Ngbgmpcq.exeC:\Windows\system32\Ngbgmpcq.exe115⤵PID:4068
-
C:\Windows\SysWOW64\Pbfglg32.exeC:\Windows\system32\Pbfglg32.exe116⤵PID:2776
-
C:\Windows\SysWOW64\Qlmhfj32.exeC:\Windows\system32\Qlmhfj32.exe117⤵PID:1040
-
C:\Windows\SysWOW64\Aaianaoo.exeC:\Windows\system32\Aaianaoo.exe118⤵PID:4644
-
C:\Windows\SysWOW64\Anbkbe32.exeC:\Windows\system32\Anbkbe32.exe119⤵PID:4128
-
C:\Windows\SysWOW64\Aenpeoom.exeC:\Windows\system32\Aenpeoom.exe120⤵PID:4820
-
C:\Windows\SysWOW64\Bngdndfn.exeC:\Windows\system32\Bngdndfn.exe121⤵PID:4444
-
C:\Windows\SysWOW64\Blkdgheg.exeC:\Windows\system32\Blkdgheg.exe122⤵PID:3280