Analysis
max time kernel: 156s
max time network: 183s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/11/2023, 08:28

Static task: static1 (1 signatures)

Behavioral task: behavioral1
Sample: NEAS.c3818ec2b1d70d4eaeaa26b1deaa65f4.exe
Resource: win7-20231025-en
6 signatures, 150 seconds

Behavioral task: behavioral2
Sample: NEAS.c3818ec2b1d70d4eaeaa26b1deaa65f4.exe
Resource: win10v2004-20231023-en
5 signatures, 150 seconds
General
Target: NEAS.c3818ec2b1d70d4eaeaa26b1deaa65f4.exe
Size: 93KB
MD5: c3818ec2b1d70d4eaeaa26b1deaa65f4
SHA1: 8697e747f46d0c799cc8685d34dae09ad20f67b1
SHA256: 14a5ee7c26ef304c27a0eb23426585b26202963402bf7be784ff2da243591aad
SHA512: 4eba86c07cfd0a07d73cac484ebedffb09e0d3545befdcd25f32f5801a6b331bb79fac441a11f201ec19f2f91dc8f439b1acbd8a343441cd1b1c47c03e98e1ac
SSDEEP: 1536:pVi7tTRzKevV0Cg95b7KCtxUbM5PJsRQP3RkRLJzeLD9N0iQGRNQR8RyV+32rR:pVi/KevV0Cgb/KCGM5+ePSJdEN0s4WEd
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c3818ec2b1d70d4eaeaa26b1deaa65f4.exe
command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.c3818ec2b1d70d4eaeaa26b1deaa65f4.exe" (tree level 1)
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID: 2840

C:\Windows\SysWOW64\Jhbfgflc.exe
command line: C:\Windows\system32\Jhbfgflc.exe (tree level 2)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2084

C:\Windows\SysWOW64\Omkmhlpf.exe
command line: C:\Windows\system32\Omkmhlpf.exe (tree level 3)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3920

C:\Windows\SysWOW64\Qojeabie.exe
command line: C:\Windows\system32\Qojeabie.exe (tree level 4)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 400

C:\Windows\SysWOW64\Blqlgdhi.exe
command line: C:\Windows\system32\Blqlgdhi.exe (tree level 5)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 5088

C:\Windows\SysWOW64\Cjnoggoh.exe
command line: C:\Windows\system32\Cjnoggoh.exe (tree level 6)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2972

C:\Windows\SysWOW64\Doidql32.exe
command line: C:\Windows\system32\Doidql32.exe (tree level 7)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3560

C:\Windows\SysWOW64\Ejennd32.exe
command line: C:\Windows\system32\Ejennd32.exe (tree level 8)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3312

C:\Windows\SysWOW64\Fgqehgco.exe
command line: C:\Windows\system32\Fgqehgco.exe (tree level 9)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1408

C:\Windows\SysWOW64\Fjanjb32.exe
command line: C:\Windows\system32\Fjanjb32.exe (tree level 10)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4716

C:\Windows\SysWOW64\Gjmmfq32.exe
command line: C:\Windows\system32\Gjmmfq32.exe (tree level 11)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 5040

C:\Windows\SysWOW64\Gmnfglcd.exe
command line: C:\Windows\system32\Gmnfglcd.exe (tree level 12)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3612

C:\Windows\SysWOW64\Hjimaole.exe
command line: C:\Windows\system32\Hjimaole.exe (tree level 13)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3808

C:\Windows\SysWOW64\Idjdqc32.exe
command line: C:\Windows\system32\Idjdqc32.exe (tree level 14)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 544

C:\Windows\SysWOW64\Jmqekg32.exe
command line: C:\Windows\system32\Jmqekg32.exe (tree level 15)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 888

C:\Windows\SysWOW64\Knhkkfod.exe
command line: C:\Windows\system32\Knhkkfod.exe (tree level 16)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3076

C:\Windows\SysWOW64\Ldkfno32.exe
command line: C:\Windows\system32\Ldkfno32.exe (tree level 17)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 564

C:\Windows\SysWOW64\Lhiodm32.exe
command line: C:\Windows\system32\Lhiodm32.exe (tree level 18)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 4736

C:\Windows\SysWOW64\Mqimdomb.exe
command line: C:\Windows\system32\Mqimdomb.exe (tree level 19)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 484

C:\Windows\SysWOW64\Mhihkjfj.exe
command line: C:\Windows\system32\Mhihkjfj.exe (tree level 20)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3480

C:\Windows\SysWOW64\Negoaj32.exe
command line: C:\Windows\system32\Negoaj32.exe (tree level 21)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2368

C:\Windows\SysWOW64\Onkbenbi.exe
command line: C:\Windows\system32\Onkbenbi.exe (tree level 22)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1520

C:\Windows\SysWOW64\Paqebike.exe
command line: C:\Windows\system32\Paqebike.exe (tree level 23)
- Executes dropped EXE
PID: 2600

C:\Windows\SysWOW64\Aiclodaj.exe
command line: C:\Windows\system32\Aiclodaj.exe (tree level 24)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 4652

C:\Windows\SysWOW64\Bhdilold.exe
command line: C:\Windows\system32\Bhdilold.exe (tree level 25)
- Executes dropped EXE
PID: 3628

C:\Windows\SysWOW64\Dlgddkpc.exe
command line: C:\Windows\system32\Dlgddkpc.exe (tree level 26)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2572

C:\Windows\SysWOW64\Dphipidf.exe
command line: C:\Windows\system32\Dphipidf.exe (tree level 27)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1968

C:\Windows\SysWOW64\Ebplhp32.exe
command line: C:\Windows\system32\Ebplhp32.exe (tree level 28)
- Executes dropped EXE
PID: 3724

C:\Windows\SysWOW64\Ffbnin32.exe
command line: C:\Windows\system32\Ffbnin32.exe (tree level 29)
- Executes dropped EXE
PID: 2488

C:\Windows\SysWOW64\Ffggdmbi.exe
command line: C:\Windows\system32\Ffggdmbi.exe (tree level 30)
- Executes dropped EXE
PID: 4456

C:\Windows\SysWOW64\Fjepkk32.exe
command line: C:\Windows\system32\Fjepkk32.exe (tree level 31)
- Executes dropped EXE
PID: 4908

C:\Windows\SysWOW64\Gimjag32.exe
command line: C:\Windows\system32\Gimjag32.exe (tree level 32)
- Executes dropped EXE
PID: 1756

C:\Windows\SysWOW64\Hifmhf32.exe
command line: C:\Windows\system32\Hifmhf32.exe (tree level 33)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 3444

C:\Windows\SysWOW64\Ipihkobl.exe
command line: C:\Windows\system32\Ipihkobl.exe (tree level 34)
- Executes dropped EXE
- Modifies registry class
PID: 4032

C:\Windows\SysWOW64\Jjhonfjg.exe
command line: C:\Windows\system32\Jjhonfjg.exe (tree level 35)
- Executes dropped EXE
PID: 3012

C:\Windows\SysWOW64\Jbmfig32.exe
command line: C:\Windows\system32\Jbmfig32.exe (tree level 36)
- Executes dropped EXE
PID: 2676

C:\Windows\SysWOW64\Kbapdfkb.exe
command line: C:\Windows\system32\Kbapdfkb.exe (tree level 37)
- Executes dropped EXE
PID: 3024

C:\Windows\SysWOW64\Kgbepdpf.exe
command line: C:\Windows\system32\Kgbepdpf.exe (tree level 38)
- Executes dropped EXE
PID: 3488

C:\Windows\SysWOW64\Kdffiinp.exe
command line: C:\Windows\system32\Kdffiinp.exe (tree level 39)
- Executes dropped EXE
PID: 4812

C:\Windows\SysWOW64\Lcmopeae.exe
command line: C:\Windows\system32\Lcmopeae.exe (tree level 40)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 1132

C:\Windows\SysWOW64\Mdaedgdb.exe
command line: C:\Windows\system32\Mdaedgdb.exe (tree level 41)
- Executes dropped EXE
PID: 1472

C:\Windows\SysWOW64\Mahbck32.exe
command line: C:\Windows\system32\Mahbck32.exe (tree level 42)
- Executes dropped EXE
- Modifies registry class
PID: 4932

C:\Windows\SysWOW64\Mjcghm32.exe
command line: C:\Windows\system32\Mjcghm32.exe (tree level 43)
- Executes dropped EXE
PID: 980

C:\Windows\SysWOW64\Ncbaabom.exe
command line: C:\Windows\system32\Ncbaabom.exe (tree level 44)
- Executes dropped EXE
- Drops file in System32 directory
PID: 3896

C:\Windows\SysWOW64\Nkncno32.exe
command line: C:\Windows\system32\Nkncno32.exe (tree level 45)
- Executes dropped EXE
PID: 2924

C:\Windows\SysWOW64\Odkaac32.exe
command line: C:\Windows\system32\Odkaac32.exe (tree level 46)
- Executes dropped EXE
PID: 4536

C:\Windows\SysWOW64\Onhoehpp.exe
command line: C:\Windows\system32\Onhoehpp.exe (tree level 47)
- Executes dropped EXE
- Drops file in System32 directory
PID: 4856

C:\Windows\SysWOW64\Pnoefg32.exe
command line: C:\Windows\system32\Pnoefg32.exe (tree level 48)
- Executes dropped EXE
PID: 2940

C:\Windows\SysWOW64\Qbbggeli.exe
command line: C:\Windows\system32\Qbbggeli.exe (tree level 49)
- Executes dropped EXE
PID: 1292

C:\Windows\SysWOW64\Becipn32.exe
command line: C:\Windows\system32\Becipn32.exe (tree level 50)
- Executes dropped EXE
PID: 4060

C:\Windows\SysWOW64\Bajjeo32.exe
command line: C:\Windows\system32\Bajjeo32.exe (tree level 51)
- Executes dropped EXE
PID: 4228

C:\Windows\SysWOW64\Ckidoc32.exe
command line: C:\Windows\system32\Ckidoc32.exe (tree level 52)
- Executes dropped EXE
PID: 2908

C:\Windows\SysWOW64\Ceoillaj.exe
command line: C:\Windows\system32\Ceoillaj.exe (tree level 53)
- Executes dropped EXE
PID: 1740

C:\Windows\SysWOW64\Dlpgiebo.exe
command line: C:\Windows\system32\Dlpgiebo.exe (tree level 54)
- Executes dropped EXE
PID: 784

C:\Windows\SysWOW64\Deoabj32.exe
command line: C:\Windows\system32\Deoabj32.exe (tree level 55)
- Executes dropped EXE
- Modifies registry class
PID: 4292

C:\Windows\SysWOW64\Fhpckb32.exe
command line: C:\Windows\system32\Fhpckb32.exe (tree level 56)
- Executes dropped EXE
PID: 4640

C:\Windows\SysWOW64\Gfkjef32.exe
command line: C:\Windows\system32\Gfkjef32.exe (tree level 57)
- Executes dropped EXE
PID: 2468

C:\Windows\SysWOW64\Hiefmp32.exe
command line: C:\Windows\system32\Hiefmp32.exe (tree level 58)
- Executes dropped EXE
PID: 1284

C:\Windows\SysWOW64\Hoonjjgk.exe
command line: C:\Windows\system32\Hoonjjgk.exe (tree level 59)
- Executes dropped EXE
PID: 2008

C:\Windows\SysWOW64\Ipiaphop.exe
command line: C:\Windows\system32\Ipiaphop.exe (tree level 60)
- Executes dropped EXE
PID: 2756

C:\Windows\SysWOW64\Ilpaei32.exe
command line: C:\Windows\system32\Ilpaei32.exe (tree level 61)
- Executes dropped EXE
PID: 4928

C:\Windows\SysWOW64\Jpdqlgdc.exe
command line: C:\Windows\system32\Jpdqlgdc.exe (tree level 62)
- Executes dropped EXE
PID: 3364

C:\Windows\SysWOW64\Jpgmaf32.exe
command line: C:\Windows\system32\Jpgmaf32.exe (tree level 63)
- Executes dropped EXE
PID: 1816

C:\Windows\SysWOW64\Jlnnfghd.exe
command line: C:\Windows\system32\Jlnnfghd.exe (tree level 64)
- Executes dropped EXE
- Drops file in System32 directory
PID: 3876

C:\Windows\SysWOW64\Kmijliej.exe
command line: C:\Windows\system32\Kmijliej.exe (tree level 65)
- Executes dropped EXE
PID: 560

C:\Windows\SysWOW64\Mljficpd.exe
command line: C:\Windows\system32\Mljficpd.exe (tree level 66)
- Drops file in System32 directory
- Modifies registry class
PID: 4832

C:\Windows\SysWOW64\Mgagll32.exe
command line: C:\Windows\system32\Mgagll32.exe (tree level 67)
PID: 2776

C:\Windows\SysWOW64\Ngbpbjoe.exe
command line: C:\Windows\system32\Ngbpbjoe.exe (tree level 68)
PID: 4888

C:\Windows\SysWOW64\Odhman32.exe
command line: C:\Windows\system32\Odhman32.exe (tree level 69)
PID: 392

C:\Windows\SysWOW64\Onqbjccl.exe
command line: C:\Windows\system32\Onqbjccl.exe (tree level 70)
PID: 3688

C:\Windows\SysWOW64\Ocmjcjad.exe
command line: C:\Windows\system32\Ocmjcjad.exe (tree level 71)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 5076

C:\Windows\SysWOW64\Odocbmfd.exe
command line: C:\Windows\system32\Odocbmfd.exe (tree level 72)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 4224

C:\Windows\SysWOW64\Pdfjcl32.exe
command line: C:\Windows\system32\Pdfjcl32.exe (tree level 73)
PID: 3948

C:\Windows\SysWOW64\Acgfpf32.exe
command line: C:\Windows\system32\Acgfpf32.exe (tree level 74)
PID: 1632

C:\Windows\SysWOW64\Bnfmcn32.exe
command line: C:\Windows\system32\Bnfmcn32.exe (tree level 75)
PID: 4824

C:\Windows\SysWOW64\Cnffjl32.exe
command line: C:\Windows\system32\Cnffjl32.exe (tree level 76)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 1324

C:\Windows\SysWOW64\Donlkjng.exe
command line: C:\Windows\system32\Donlkjng.exe (tree level 77)
- Drops file in System32 directory
PID: 2840

C:\Windows\SysWOW64\Edfdop32.exe
command line: C:\Windows\system32\Edfdop32.exe (tree level 78)
PID: 384

C:\Windows\SysWOW64\Fafddb32.exe
command line: C:\Windows\system32\Fafddb32.exe (tree level 79)
PID: 2176

C:\Windows\SysWOW64\Gaadpqmp.exe
command line: C:\Windows\system32\Gaadpqmp.exe (tree level 80)
- Drops file in System32 directory
PID: 5104

C:\Windows\SysWOW64\Gkjhif32.exe
command line: C:\Windows\system32\Gkjhif32.exe (tree level 81)
PID: 5088

C:\Windows\SysWOW64\Gadqepkn.exe
command line: C:\Windows\system32\Gadqepkn.exe (tree level 82)
PID: 2076

C:\Windows\SysWOW64\Gddigk32.exe
command line: C:\Windows\system32\Gddigk32.exe (tree level 83)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 4768

C:\Windows\SysWOW64\Hbhjqp32.exe
command line: C:\Windows\system32\Hbhjqp32.exe (tree level 84)
PID: 552

C:\Windows\SysWOW64\Igabdekb.exe
command line: C:\Windows\system32\Igabdekb.exe (tree level 85)
PID: 3684

C:\Windows\SysWOW64\Ifbbbl32.exe
command line: C:\Windows\system32\Ifbbbl32.exe (tree level 86)
PID: 2860

C:\Windows\SysWOW64\Joamlacj.exe
command line: C:\Windows\system32\Joamlacj.exe (tree level 87)
PID: 2992

C:\Windows\SysWOW64\Klapgq32.exe
command line: C:\Windows\system32\Klapgq32.exe (tree level 88)
PID: 916

C:\Windows\SysWOW64\Nbljaf32.exe
command line: C:\Windows\system32\Nbljaf32.exe (tree level 89)
PID: 3808

C:\Windows\SysWOW64\Nlglpkpi.exe
command line: C:\Windows\system32\Nlglpkpi.exe (tree level 90)
PID: 396

C:\Windows\SysWOW64\Nohdaf32.exe
command line: C:\Windows\system32\Nohdaf32.exe (tree level 91)
PID: 4716

C:\Windows\SysWOW64\Nebmnqdf.exe
command line: C:\Windows\system32\Nebmnqdf.exe (tree level 92)
PID: 4352

C:\Windows\SysWOW64\Nedjdp32.exe
command line: C:\Windows\system32\Nedjdp32.exe (tree level 93)
- Drops file in System32 directory
PID: 2652

C:\Windows\SysWOW64\Opjnai32.exe
command line: C:\Windows\system32\Opjnai32.exe (tree level 94)
- Modifies registry class
PID: 3076

C:\Windows\SysWOW64\Oplkgi32.exe
command line: C:\Windows\system32\Oplkgi32.exe (tree level 95)
PID: 2584

C:\Windows\SysWOW64\Oeicopoo.exe
command line: C:\Windows\system32\Oeicopoo.exe (tree level 96)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 4448

C:\Windows\SysWOW64\Pcdjic32.exe
command line: C:\Windows\system32\Pcdjic32.exe (tree level 97)
PID: 2348

C:\Windows\SysWOW64\Pllnbh32.exe
command line: C:\Windows\system32\Pllnbh32.exe (tree level 98)
- Drops file in System32 directory
PID: 3612

C:\Windows\SysWOW64\Plokgh32.exe
command line: C:\Windows\system32\Plokgh32.exe (tree level 99)
PID: 4676

C:\Windows\SysWOW64\Amodnenk.exe
command line: C:\Windows\system32\Amodnenk.exe (tree level 100)
PID: 1596

C:\Windows\SysWOW64\Acilkp32.exe
command line: C:\Windows\system32\Acilkp32.exe (tree level 101)
PID: 2244

C:\Windows\SysWOW64\Ajcdhj32.exe
command line: C:\Windows\system32\Ajcdhj32.exe (tree level 102)
PID: 5164

C:\Windows\SysWOW64\Cjcmognb.exe
command line: C:\Windows\system32\Cjcmognb.exe (tree level 103)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 5208

C:\Windows\SysWOW64\Cameka32.exe
command line: C:\Windows\system32\Cameka32.exe (tree level 104)
PID: 5260

C:\Windows\SysWOW64\Dmmifaci.exe
command line: C:\Windows\system32\Dmmifaci.exe (tree level 105)
PID: 5308

C:\Windows\SysWOW64\Dhejij32.exe
command line: C:\Windows\system32\Dhejij32.exe (tree level 106)
- Modifies registry class
PID: 5352

C:\Windows\SysWOW64\Dfjgjf32.exe
command line: C:\Windows\system32\Dfjgjf32.exe (tree level 107)
PID: 5416

C:\Windows\SysWOW64\Fpeapilo.exe
command line: C:\Windows\system32\Fpeapilo.exe (tree level 108)
PID: 5460

C:\Windows\SysWOW64\Fineho32.exe
command line: C:\Windows\system32\Fineho32.exe (tree level 109)
PID: 5504

C:\Windows\SysWOW64\Fdcjfg32.exe
command line: C:\Windows\system32\Fdcjfg32.exe (tree level 110)
PID: 5540

C:\Windows\SysWOW64\Fkmbbajb.exe
command line: C:\Windows\system32\Fkmbbajb.exe (tree level 111)
PID: 5716

C:\Windows\SysWOW64\Gngnjk32.exe
command line: C:\Windows\system32\Gngnjk32.exe (tree level 112)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 5756

C:\Windows\SysWOW64\Ggpbcaei.exe
command line: C:\Windows\system32\Ggpbcaei.exe (tree level 113)
PID: 5836

C:\Windows\SysWOW64\Hpmpgfhd.exe
command line: C:\Windows\system32\Hpmpgfhd.exe (tree level 114)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 5900

C:\Windows\SysWOW64\Ihpgda32.exe
command line: C:\Windows\system32\Ihpgda32.exe (tree level 115)
PID: 5936

C:\Windows\SysWOW64\Ihbdja32.exe
command line: C:\Windows\system32\Ihbdja32.exe (tree level 116)
PID: 5992

C:\Windows\SysWOW64\Inombh32.exe
command line: C:\Windows\system32\Inombh32.exe (tree level 117)
PID: 6028

C:\Windows\SysWOW64\Idieob32.exe
command line: C:\Windows\system32\Idieob32.exe (tree level 118)
- Drops file in System32 directory
- Modifies registry class
PID: 6080

C:\Windows\SysWOW64\Jbobnf32.exe
command line: C:\Windows\system32\Jbobnf32.exe (tree level 119)
PID: 6132

C:\Windows\SysWOW64\Jqgldb32.exe
command line: C:\Windows\system32\Jqgldb32.exe (tree level 120)
PID: 5124

C:\Windows\SysWOW64\Jgqdal32.exe
command line: C:\Windows\system32\Jgqdal32.exe (tree level 121)
PID: 984

C:\Windows\SysWOW64\Kgenlldo.exe
command line: C:\Windows\system32\Kgenlldo.exe (tree level 122)
PID: 5196
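The WriteProcessMemory rows and the process list above are easier to reason about as a spawn chain than as a flat dump. The following is an added example (not part of the sandbox report and not sandbox code) that parses rows in the report's own "PID X wrote to memory of Y" shape, rebuilds the parent-to-child chain, and cross-checks the process list for PID reuse. The row text is copied from the table above; the process-list subset is constructed from the entries above. The cross-check matters for this run: PIDs 2840, 3076, 3612, 3808, 4716 and 5088 each appear under two different dropped images, so keying events on PID alone would merge unrelated processes.

```python
"""Rebuild the spawn chain from a sandbox report's 'Suspicious use of
WriteProcessMemory' rows and check it against the process list.

Added example; the row text is copied from the report and the process-list
subset is constructed from it. Nothing here is the sandbox's own code."""
import re

# Rows as printed in the report (copied, not fabricated). Each
# WriteProcessMemory call is logged separately, so one spawn typically
# appears as three rows. The first line is the truncated fragment that
# opens the table and deliberately does not match the row shape.
WPM_ROWS = """
Gmnfglcd.exe 104
PID 3612 wrote to memory of 3808 3612 Gmnfglcd.exe 104
PID 3808 wrote to memory of 544 3808 Hjimaole.exe 105
PID 3808 wrote to memory of 544 3808 Hjimaole.exe 105
PID 3808 wrote to memory of 544 3808 Hjimaole.exe 105
PID 544 wrote to memory of 888 544 Idjdqc32.exe 106
PID 544 wrote to memory of 888 544 Idjdqc32.exe 106
PID 544 wrote to memory of 888 544 Idjdqc32.exe 106
PID 888 wrote to memory of 3076 888 Jmqekg32.exe 107
PID 888 wrote to memory of 3076 888 Jmqekg32.exe 107
PID 888 wrote to memory of 3076 888 Jmqekg32.exe 107
PID 3076 wrote to memory of 564 3076 Knhkkfod.exe 108
PID 3076 wrote to memory of 564 3076 Knhkkfod.exe 108
PID 3076 wrote to memory of 564 3076 Knhkkfod.exe 108
PID 564 wrote to memory of 4736 564 Ldkfno32.exe 109
PID 564 wrote to memory of 4736 564 Ldkfno32.exe 109
PID 564 wrote to memory of 4736 564 Ldkfno32.exe 109
"""

# (tree level, image name, PID): a constructed subset of the Processes list.
PROCESS_ROWS = [
    (1, "NEAS.c3818ec2b1d70d4eaeaa26b1deaa65f4.exe", 2840),
    (2, "Jhbfgflc.exe", 2084),
    (5, "Blqlgdhi.exe", 5088),
    (10, "Fjanjb32.exe", 4716),
    (12, "Gmnfglcd.exe", 3612),
    (13, "Hjimaole.exe", 3808),
    (16, "Knhkkfod.exe", 3076),
    (77, "Donlkjng.exe", 2840),
    (81, "Gkjhif32.exe", 5088),
    (89, "Nbljaf32.exe", 3808),
    (91, "Nohdaf32.exe", 4716),
    (94, "Opjnai32.exe", 3076),
    (98, "Pllnbh32.exe", 3612),
]

# "PID <parent> wrote to memory of <child> <parent> <image> <n>"; the
# trailing number is matched so the row parses but is not interpreted.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_wpm(text):
    """Return {(parent_pid, child_pid): (parent_image, call_count)}.

    Lines that do not match the row shape (the truncated fragment at the
    top of the table) are skipped rather than guessed at."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        parent, child, image = int(m.group(1)), int(m.group(2)), m.group(4)
        _, count = edges.get((parent, child), (image, 0))
        edges[(parent, child)] = (image, count + 1)
    return edges


def chain_from(edges, root):
    """Walk parent->child edges from root and return the PIDs in spawn order.

    The walk stops at a fork or when a PID is seen again: a reused PID
    would otherwise turn this linear chain into a bogus cycle."""
    children = {}
    for parent, child in edges:
        children.setdefault(parent, []).append(child)
    chain, current = [root], root
    while current in children:
        nxt = children[current]
        if len(nxt) != 1 or nxt[0] in chain:
            break
        current = nxt[0]
        chain.append(current)
    return chain


def pid_reuse(rows):
    """Map each PID carried by more than one image to those images, in tree order."""
    images = {}
    for _level, image, pid in sorted(rows):
        images.setdefault(pid, []).append(image)
    return {pid: names for pid, names in images.items() if len(names) > 1}


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    for (parent, child), (image, count) in edges.items():
        print(f"{image} ({parent}) -> {child}: {count} WriteProcessMemory calls")
    print("chain:", " -> ".join(map(str, chain_from(edges, 3612))))
    for pid, names in pid_reuse(PROCESS_ROWS).items():
        print(f"PID {pid} reused by: {', '.join(names)}")
```

When correlating this report with EDR or Sysmon telemetry, key on the image path plus process start time (or the sandbox's own per-process identity) rather than the bare PID; the reuse shown by `pid_reuse` is exactly the collision that a PID-only join would silently hide.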