Analysis
-
max time kernel
163s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
01-11-2023 14:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.90f7602ff7c2caaeb8e424815b4da550.exe
Resource
win7-20231023-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.90f7602ff7c2caaeb8e424815b4da550.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.90f7602ff7c2caaeb8e424815b4da550.exe
-
Size
479KB
-
MD5
90f7602ff7c2caaeb8e424815b4da550
-
SHA1
ba29889ef2ded67c73b1abec095aebf99bc4f4fe
-
SHA256
c78571f53cc254b0297106e516977972c265c51a069e9626e4bad0b0ece6b5d9
-
SHA512
2ea4fd7ab853cc65b81a454e2379fed2e7a6e7978f36991264eeb351502387139440aa70d2ffdbaf981bce15e482c77bc38a08c6e3decba79b4394093288bcb8
-
SSDEEP
6144:JYnmCh+sycRJ6EQnT2leTLgNPx33fpu2leTLg:sOuRJ6EQ6Q2drQ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnicai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liifnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obccpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmhkflnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kejeebpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maeaajpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kokbpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebggep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgdgodhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mccokj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obkiqi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnafgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccajdmin.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmpcmkaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oagbljcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdfmkjlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cggpfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffahnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpqlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blnhgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlfhke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anhcpeon.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqdlpmce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gglfbkin.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loiong32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikihlmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lipmoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oecego32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Panhmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpejlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccendc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pemhmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Negoaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfgfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihmnldib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcehejic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmahff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmmdjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhenpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnenchoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkfcigkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhmdeink.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdgjgh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcnlng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igkmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpoiho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgknlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hahedoci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckmmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jojboa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emkeho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijpepcfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gchflq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjpkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjcjmclj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcjimnjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdbiphhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbnlim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcihjl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejono32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnjjpk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpnkdfko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akipic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkefphem.exe -
Executes dropped EXE 64 IoCs
pid Process 4536 Fqikob32.exe 2052 Gjhfif32.exe 4640 Gglfbkin.exe 2120 Hnmeodjc.exe 3060 Hejjanpm.exe 1976 Ijpepcfj.exe 768 Jehfcl32.exe 3804 Jlfhke32.exe 1040 Jdalog32.exe 4088 Kdffjgpj.exe 1980 Kajfdk32.exe 3344 Khfkfedn.exe 2036 Kaopoj32.exe 3456 Kbnlim32.exe 2904 Maoifh32.exe 2176 Mccokj32.exe 3616 Nchhfild.exe 4256 Nfpghccm.exe 3704 Oheienli.exe 4272 Pijcpmhc.exe 4388 Pmhkflnj.exe 1620 Qfgfpp32.exe 4836 Qbngeadf.exe 472 Aioebj32.exe 1224 Abjfqpji.exe 420 Bpbpecen.exe 3316 Bcpika32.exe 4396 Blknpdho.exe 3264 Cdnelpod.exe 3068 Dedkogqm.exe 4780 Defheg32.exe 672 Dpoiho32.exe 892 Ecoaijio.exe 1780 Elhfbp32.exe 3348 Emgblc32.exe 780 Egdqph32.exe 1272 Feimadoe.exe 3900 Fpandm32.exe 3632 Fcbgfhii.exe 4476 Fcddkggf.exe 4412 Gphddlfp.exe 972 Gdfmkjlg.exe 4568 Gdhjpjjd.exe 4068 Ggicbe32.exe 3156 Gglpgd32.exe 5000 Hdppaidl.exe 1512 Hjlhipbc.exe 380 Hddilh32.exe 4328 Hjabdo32.exe 1912 Hfhbipdb.exe 4968 Ifjoop32.exe 2080 Imfdaigj.exe 4900 Iqdmghnp.exe 2068 Jmbdmg32.exe 1600 Jgjeppkp.exe 2416 Jmgmhgig.exe 2688 Khonkogj.exe 2480 Keekjc32.exe 3108 Kmppneal.exe 4560 Kejeebpl.exe 4200 Leqkeajd.exe 4324 Loiong32.exe 3372 Lokldg32.exe 2576 Lmqiec32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kpfkkl32.dll Ofcaab32.exe File created C:\Windows\SysWOW64\Pldljbmn.exe Panhmi32.exe File opened for modification C:\Windows\SysWOW64\Kjlmbnof.exe Kfndlphp.exe File created C:\Windows\SysWOW64\Kllpihkg.dll Oijgmokc.exe File opened for modification C:\Windows\SysWOW64\Cnlhme32.exe Gekckpgl.exe File opened for modification C:\Windows\SysWOW64\Nkhdgfen.exe Mlflog32.exe File opened for modification C:\Windows\SysWOW64\Ppkopail.exe Pgdgodhj.exe File created C:\Windows\SysWOW64\Eifffoob.exe Didjqoae.exe File created C:\Windows\SysWOW64\Bbbkbbkg.exe Bdnkhn32.exe File created C:\Windows\SysWOW64\Hocjaj32.exe Hifaic32.exe File opened for modification C:\Windows\SysWOW64\Ahdpea32.exe Nnafgd32.exe File opened for modification C:\Windows\SysWOW64\Bpbpecen.exe Bejobk32.exe File created C:\Windows\SysWOW64\Pllieg32.exe Peodcmeg.exe File created C:\Windows\SysWOW64\Mkegbfgp.exe Mhenpk32.exe File created C:\Windows\SysWOW64\Ehlolk32.dll Cbdhgaid.exe File created C:\Windows\SysWOW64\Diahic32.dll Faiplcmk.exe File opened for modification C:\Windows\SysWOW64\Cllkcbnl.exe Ccajdmin.exe File opened for modification C:\Windows\SysWOW64\Dcmjpl32.exe Cggikk32.exe File opened for modification C:\Windows\SysWOW64\Kbnlim32.exe Kaopoj32.exe File opened for modification C:\Windows\SysWOW64\Laiafl32.exe Lipmoo32.exe File opened for modification C:\Windows\SysWOW64\Mmdlflki.exe Mhhcne32.exe File created C:\Windows\SysWOW64\Bcomonkq.exe Blchmdff.exe File opened for modification C:\Windows\SysWOW64\Mhenpk32.exe Mhbakk32.exe File created C:\Windows\SysWOW64\Fpdggeba.dll Elilmi32.exe File created C:\Windows\SysWOW64\Maeaajpl.exe Mhmmieil.exe File created C:\Windows\SysWOW64\Cejjdlap.exe Cicjokll.exe File created C:\Windows\SysWOW64\Qghlmbae.exe Qkakhakq.exe File created C:\Windows\SysWOW64\Ongpeejj.exe Oijgmokc.exe File created C:\Windows\SysWOW64\Pphbql32.dll Mkgfdgpq.exe File opened for modification C:\Windows\SysWOW64\Pindcboi.exe Ppepkmhi.exe File created C:\Windows\SysWOW64\Efgehe32.exe Eqkmpo32.exe File created C:\Windows\SysWOW64\Gkcjcf32.dll Jgjeppkp.exe File opened for modification C:\Windows\SysWOW64\Pocdba32.exe Onakco32.exe File created C:\Windows\SysWOW64\Agbmiaob.dll Fknimh32.exe File created C:\Windows\SysWOW64\Kfdqfbai.dll Ebnddn32.exe File opened for modification C:\Windows\SysWOW64\Jehfcl32.exe Ijpepcfj.exe File opened for modification C:\Windows\SysWOW64\Jmbdmg32.exe Iqdmghnp.exe File created C:\Windows\SysWOW64\Jahadh32.dll Qkakhakq.exe File created C:\Windows\SysWOW64\Hicgcm32.dll Cfaddg32.exe File opened for modification C:\Windows\SysWOW64\Aihfjd32.exe Aldeap32.exe File opened for modification C:\Windows\SysWOW64\Akfdcq32.exe Qbmpjkqk.exe File created C:\Windows\SysWOW64\Mmdlflki.exe Mhhcne32.exe File created C:\Windows\SysWOW64\Edcijq32.dll Dgomaf32.exe File created C:\Windows\SysWOW64\Efcicm32.dll Keekjc32.exe File created C:\Windows\SysWOW64\Ppnbpg32.exe Fknimh32.exe File opened for modification C:\Windows\SysWOW64\Palkgi32.exe Dpckclld.exe File created C:\Windows\SysWOW64\Mkdkdafo.dll Fongpm32.exe File created C:\Windows\SysWOW64\Obkiqi32.exe Ofdhlh32.exe File created C:\Windows\SysWOW64\Bnaolm32.exe Bpmobi32.exe File created C:\Windows\SysWOW64\Lceajc32.dll Ccendc32.exe File opened for modification C:\Windows\SysWOW64\Ongpeejj.exe Oijgmokc.exe File created C:\Windows\SysWOW64\Jmbdmg32.exe Iqdmghnp.exe File opened for modification C:\Windows\SysWOW64\Eflceb32.exe Eoconenj.exe File created C:\Windows\SysWOW64\Oejhoq32.dll Oajccgmd.exe File created C:\Windows\SysWOW64\Pndalh32.dll Fgcang32.exe File created C:\Windows\SysWOW64\Bhjabbic.dll Fgcjea32.exe File created C:\Windows\SysWOW64\Agcdnjcl.exe Anjpeelk.exe File created C:\Windows\SysWOW64\Nfgbec32.exe Nmommn32.exe File opened for modification C:\Windows\SysWOW64\Opbcdieb.exe Oemofpel.exe File created C:\Windows\SysWOW64\Kcehejic.exe Kpgoolbl.exe File created C:\Windows\SysWOW64\Ileflmpb.exe Himgjbii.exe File created C:\Windows\SysWOW64\Jhgpbf32.exe Jnalem32.exe File created C:\Windows\SysWOW64\Doklblnq.dll Aioebj32.exe File created C:\Windows\SysWOW64\Pggnnqmk.dll Feifgnki.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnniopcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcomonkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcnlng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppmleagi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phlikg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lflpmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnhjig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Endnohdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilglgfjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oagbljcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bahdje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpoiho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nglcjfie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkdkdafo.dll" Fongpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnonap32.dll" Gclimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hifaic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmgmhgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnolia32.dll" Mfhgcbfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pemhmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momael32.dll" Deejpjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfffnphj.dll" Jlafhkfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plmamn32.dll" Abipfifn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cggikk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phkaqqoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqkale32.dll" Alcfpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfnfhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nilkkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Panhmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfgfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfhgcbfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfhgcbfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oajccgmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbkggg32.dll" Jhjcbljf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofmbkipk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgbdmfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpmokej.dll" Egdqph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpihbjmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hahedoci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfpcngdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjfgealk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpgoolbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdmikb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbphcpog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mihbpalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afgfhaab.dll" Jehfcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfdbpjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnpnedno.dll" Ainnhdbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmcfkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhegjdag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dellcg32.dll" Ipohpdbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbibenl.dll" Dpoiho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gphddlfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fongpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaibhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqhiiapq.dll" Mgoboake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifdgaond.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 NEAS.90f7602ff7c2caaeb8e424815b4da550.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adnilfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgcjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgomaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpoo32.dll" Dmmdjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefqdfdn.dll" Igkmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hejjanpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leqkeajd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4964 wrote to memory of 4536 4964 NEAS.90f7602ff7c2caaeb8e424815b4da550.exe 91 PID 4964 wrote to memory of 4536 4964 NEAS.90f7602ff7c2caaeb8e424815b4da550.exe 91 PID 4964 wrote to memory of 4536 4964 NEAS.90f7602ff7c2caaeb8e424815b4da550.exe 91 PID 4536 wrote to memory of 2052 4536 Fqikob32.exe 92 PID 4536 wrote to memory of 2052 4536 Fqikob32.exe 92 PID 4536 wrote to memory of 2052 4536 Fqikob32.exe 92 PID 2052 wrote to memory of 4640 2052 Gjhfif32.exe 93 PID 2052 wrote to memory of 4640 2052 Gjhfif32.exe 93 PID 2052 wrote to memory of 4640 2052 Gjhfif32.exe 93 PID 4640 wrote to memory of 2120 4640 Gglfbkin.exe 94 PID 4640 wrote to memory of 2120 4640 Gglfbkin.exe 94 PID 4640 wrote to memory of 2120 4640 Gglfbkin.exe 94 PID 2120 wrote to memory of 3060 2120 Hnmeodjc.exe 95 PID 2120 wrote to memory of 3060 2120 Hnmeodjc.exe 95 PID 2120 wrote to memory of 3060 2120 Hnmeodjc.exe 95 PID 3060 wrote to memory of 1976 3060 Hejjanpm.exe 96 PID 3060 wrote to memory of 1976 3060 Hejjanpm.exe 96 PID 3060 wrote to memory of 1976 3060 Hejjanpm.exe 96 PID 1976 wrote to memory of 768 1976 Ijpepcfj.exe 97 PID 1976 wrote to memory of 768 1976 Ijpepcfj.exe 97 PID 1976 wrote to memory of 768 1976 Ijpepcfj.exe 97 PID 768 wrote to memory of 3804 768 Jehfcl32.exe 98 PID 768 wrote to memory of 3804 768 Jehfcl32.exe 98 PID 768 wrote to memory of 3804 768 Jehfcl32.exe 98 PID 3804 wrote to memory of 1040 3804 Jlfhke32.exe 99 PID 3804 wrote to memory of 1040 3804 Jlfhke32.exe 99 PID 3804 wrote to memory of 1040 3804 Jlfhke32.exe 99 PID 1040 wrote to memory of 4088 1040 Jdalog32.exe 100 PID 1040 wrote to memory of 4088 1040 Jdalog32.exe 100 PID 1040 wrote to memory of 4088 1040 Jdalog32.exe 100 PID 4088 wrote to memory of 1980 4088 Kdffjgpj.exe 101 PID 4088 wrote to memory of 1980 4088 Kdffjgpj.exe 101 PID 4088 wrote to memory of 1980 4088 Kdffjgpj.exe 101 PID 1980 wrote to memory of 3344 1980 Kajfdk32.exe 102 PID 1980 wrote to memory of 3344 1980 Kajfdk32.exe 102 PID 1980 wrote to memory of 3344 1980 Kajfdk32.exe 102 PID 3344 wrote to memory of 2036 3344 Khfkfedn.exe 103 PID 3344 wrote to memory of 2036 3344 Khfkfedn.exe 103 PID 3344 wrote to memory of 2036 3344 Khfkfedn.exe 103 PID 2036 wrote to memory of 3456 2036 Kaopoj32.exe 104 PID 2036 wrote to memory of 3456 2036 Kaopoj32.exe 104 PID 2036 wrote to memory of 3456 2036 Kaopoj32.exe 104 PID 3456 wrote to memory of 2904 3456 Kbnlim32.exe 105 PID 3456 wrote to memory of 2904 3456 Kbnlim32.exe 105 PID 3456 wrote to memory of 2904 3456 Kbnlim32.exe 105 PID 2904 wrote to memory of 2176 2904 Maoifh32.exe 106 PID 2904 wrote to memory of 2176 2904 Maoifh32.exe 106 PID 2904 wrote to memory of 2176 2904 Maoifh32.exe 106 PID 2176 wrote to memory of 3616 2176 Mccokj32.exe 107 PID 2176 wrote to memory of 3616 2176 Mccokj32.exe 107 PID 2176 wrote to memory of 3616 2176 Mccokj32.exe 107 PID 3616 wrote to memory of 4256 3616 Nchhfild.exe 108 PID 3616 wrote to memory of 4256 3616 Nchhfild.exe 108 PID 3616 wrote to memory of 4256 3616 Nchhfild.exe 108 PID 4256 wrote to memory of 3704 4256 Nfpghccm.exe 109 PID 4256 wrote to memory of 3704 4256 Nfpghccm.exe 109 PID 4256 wrote to memory of 3704 4256 Nfpghccm.exe 109 PID 3704 wrote to memory of 4272 3704 Oheienli.exe 110 PID 3704 wrote to memory of 4272 3704 Oheienli.exe 110 PID 3704 wrote to memory of 4272 3704 Oheienli.exe 110 PID 4272 wrote to memory of 4388 4272 Pijcpmhc.exe 111 PID 4272 wrote to memory of 4388 4272 Pijcpmhc.exe 111 PID 4272 wrote to memory of 4388 4272 Pijcpmhc.exe 111 PID 4388 wrote to memory of 1620 4388 Pmhkflnj.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.90f7602ff7c2caaeb8e424815b4da550.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.90f7602ff7c2caaeb8e424815b4da550.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\Fqikob32.exeC:\Windows\system32\Fqikob32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Gjhfif32.exeC:\Windows\system32\Gjhfif32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Gglfbkin.exeC:\Windows\system32\Gglfbkin.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\SysWOW64\Hnmeodjc.exeC:\Windows\system32\Hnmeodjc.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Hejjanpm.exeC:\Windows\system32\Hejjanpm.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Ijpepcfj.exeC:\Windows\system32\Ijpepcfj.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Jehfcl32.exeC:\Windows\system32\Jehfcl32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Jlfhke32.exeC:\Windows\system32\Jlfhke32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Windows\SysWOW64\Jdalog32.exeC:\Windows\system32\Jdalog32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Kdffjgpj.exeC:\Windows\system32\Kdffjgpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Kajfdk32.exeC:\Windows\system32\Kajfdk32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Khfkfedn.exeC:\Windows\system32\Khfkfedn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\SysWOW64\Kaopoj32.exeC:\Windows\system32\Kaopoj32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Kbnlim32.exeC:\Windows\system32\Kbnlim32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\Maoifh32.exeC:\Windows\system32\Maoifh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Mccokj32.exeC:\Windows\system32\Mccokj32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Nchhfild.exeC:\Windows\system32\Nchhfild.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\Nfpghccm.exeC:\Windows\system32\Nfpghccm.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\SysWOW64\Oheienli.exeC:\Windows\system32\Oheienli.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\Pijcpmhc.exeC:\Windows\system32\Pijcpmhc.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\SysWOW64\Pmhkflnj.exeC:\Windows\system32\Pmhkflnj.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\Qfgfpp32.exeC:\Windows\system32\Qfgfpp32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Qbngeadf.exeC:\Windows\system32\Qbngeadf.exe24⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Aioebj32.exeC:\Windows\system32\Aioebj32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:472 -
C:\Windows\SysWOW64\Abjfqpji.exeC:\Windows\system32\Abjfqpji.exe26⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Bejobk32.exeC:\Windows\system32\Bejobk32.exe27⤵
- Drops file in System32 directory
PID:4436 -
C:\Windows\SysWOW64\Bpbpecen.exeC:\Windows\system32\Bpbpecen.exe28⤵
- Executes dropped EXE
PID:420 -
C:\Windows\SysWOW64\Bcpika32.exeC:\Windows\system32\Bcpika32.exe29⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Blknpdho.exeC:\Windows\system32\Blknpdho.exe30⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Cdnelpod.exeC:\Windows\system32\Cdnelpod.exe31⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Dedkogqm.exeC:\Windows\system32\Dedkogqm.exe32⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Defheg32.exeC:\Windows\system32\Defheg32.exe33⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Dpoiho32.exeC:\Windows\system32\Dpoiho32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:672 -
C:\Windows\SysWOW64\Ecoaijio.exeC:\Windows\system32\Ecoaijio.exe35⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Elhfbp32.exeC:\Windows\system32\Elhfbp32.exe36⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Emgblc32.exeC:\Windows\system32\Emgblc32.exe37⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Egdqph32.exeC:\Windows\system32\Egdqph32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:780 -
C:\Windows\SysWOW64\Feimadoe.exeC:\Windows\system32\Feimadoe.exe39⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Fpandm32.exeC:\Windows\system32\Fpandm32.exe40⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Fcbgfhii.exeC:\Windows\system32\Fcbgfhii.exe41⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Fcddkggf.exeC:\Windows\system32\Fcddkggf.exe42⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Gphddlfp.exeC:\Windows\system32\Gphddlfp.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:4412 -
C:\Windows\SysWOW64\Gdfmkjlg.exeC:\Windows\system32\Gdfmkjlg.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Gdhjpjjd.exeC:\Windows\system32\Gdhjpjjd.exe45⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Ggicbe32.exeC:\Windows\system32\Ggicbe32.exe46⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Gglpgd32.exeC:\Windows\system32\Gglpgd32.exe47⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Hdppaidl.exeC:\Windows\system32\Hdppaidl.exe48⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Hjlhipbc.exeC:\Windows\system32\Hjlhipbc.exe49⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Hddilh32.exeC:\Windows\system32\Hddilh32.exe50⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Hjabdo32.exeC:\Windows\system32\Hjabdo32.exe51⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Hfhbipdb.exeC:\Windows\system32\Hfhbipdb.exe52⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Ifjoop32.exeC:\Windows\system32\Ifjoop32.exe53⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Imfdaigj.exeC:\Windows\system32\Imfdaigj.exe54⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Iqdmghnp.exeC:\Windows\system32\Iqdmghnp.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4900 -
C:\Windows\SysWOW64\Jmbdmg32.exeC:\Windows\system32\Jmbdmg32.exe56⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Jgjeppkp.exeC:\Windows\system32\Jgjeppkp.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Jmgmhgig.exeC:\Windows\system32\Jmgmhgig.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Khonkogj.exeC:\Windows\system32\Khonkogj.exe59⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Keekjc32.exeC:\Windows\system32\Keekjc32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Kmppneal.exeC:\Windows\system32\Kmppneal.exe61⤵
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Kejeebpl.exeC:\Windows\system32\Kejeebpl.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Leqkeajd.exeC:\Windows\system32\Leqkeajd.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:4200 -
C:\Windows\SysWOW64\Loiong32.exeC:\Windows\system32\Loiong32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Lokldg32.exeC:\Windows\system32\Lokldg32.exe65⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Lmqiec32.exeC:\Windows\system32\Lmqiec32.exe66⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Mmcfkc32.exeC:\Windows\system32\Mmcfkc32.exe67⤵
- Modifies registry class
PID:3948 -
C:\Windows\SysWOW64\Mkgfdgpq.exeC:\Windows\system32\Mkgfdgpq.exe68⤵
- Drops file in System32 directory
PID:3360 -
C:\Windows\SysWOW64\Mmhofbma.exeC:\Windows\system32\Mmhofbma.exe69⤵PID:2204
-
C:\Windows\SysWOW64\Moglpedd.exeC:\Windows\system32\Moglpedd.exe70⤵PID:3192
-
C:\Windows\SysWOW64\Nmlhaa32.exeC:\Windows\system32\Nmlhaa32.exe71⤵PID:4796
-
C:\Windows\SysWOW64\Najagp32.exeC:\Windows\system32\Najagp32.exe72⤵PID:1748
-
C:\Windows\SysWOW64\Ngifef32.exeC:\Windows\system32\Ngifef32.exe73⤵PID:5104
-
C:\Windows\SysWOW64\Nglcjfie.exeC:\Windows\system32\Nglcjfie.exe74⤵
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Ogqmee32.exeC:\Windows\system32\Ogqmee32.exe75⤵PID:3848
-
C:\Windows\SysWOW64\Okneldkf.exeC:\Windows\system32\Okneldkf.exe76⤵PID:5144
-
C:\Windows\SysWOW64\Odgjdibf.exeC:\Windows\system32\Odgjdibf.exe77⤵PID:5184
-
C:\Windows\SysWOW64\Oolnabal.exeC:\Windows\system32\Oolnabal.exe78⤵PID:5220
-
C:\Windows\SysWOW64\Ohdbkh32.exeC:\Windows\system32\Ohdbkh32.exe79⤵PID:5264
-
C:\Windows\SysWOW64\Onakco32.exeC:\Windows\system32\Onakco32.exe80⤵
- Drops file in System32 directory
PID:5304 -
C:\Windows\SysWOW64\Pocdba32.exeC:\Windows\system32\Pocdba32.exe81⤵PID:5344
-
C:\Windows\SysWOW64\Phlikg32.exeC:\Windows\system32\Phlikg32.exe82⤵
- Modifies registry class
PID:5388 -
C:\Windows\SysWOW64\Pdbiphhi.exeC:\Windows\system32\Pdbiphhi.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5448 -
C:\Windows\SysWOW64\Pklamb32.exeC:\Windows\system32\Pklamb32.exe84⤵PID:5496
-
C:\Windows\SysWOW64\Pbfjjlgc.exeC:\Windows\system32\Pbfjjlgc.exe85⤵PID:5548
-
C:\Windows\SysWOW64\Pgcbbc32.exeC:\Windows\system32\Pgcbbc32.exe86⤵PID:5588
-
C:\Windows\SysWOW64\Pfdbpjmi.exeC:\Windows\system32\Pfdbpjmi.exe87⤵
- Modifies registry class
PID:5632 -
C:\Windows\SysWOW64\Qkakhakq.exeC:\Windows\system32\Qkakhakq.exe88⤵
- Drops file in System32 directory
PID:5672 -
C:\Windows\SysWOW64\Qghlmbae.exeC:\Windows\system32\Qghlmbae.exe89⤵PID:5716
-
C:\Windows\SysWOW64\Qbmpjkqk.exeC:\Windows\system32\Qbmpjkqk.exe90⤵
- Drops file in System32 directory
PID:5756 -
C:\Windows\SysWOW64\Akfdcq32.exeC:\Windows\system32\Akfdcq32.exe91⤵PID:5796
-
C:\Windows\SysWOW64\Adnilfnl.exeC:\Windows\system32\Adnilfnl.exe92⤵
- Modifies registry class
PID:5840 -
C:\Windows\SysWOW64\Aocmio32.exeC:\Windows\system32\Aocmio32.exe93⤵PID:5880
-
C:\Windows\SysWOW64\Agobna32.exeC:\Windows\system32\Agobna32.exe94⤵PID:5924
-
C:\Windows\SysWOW64\Ainnhdbp.exeC:\Windows\system32\Ainnhdbp.exe95⤵
- Modifies registry class
PID:5964 -
C:\Windows\SysWOW64\Abgcqjhp.exeC:\Windows\system32\Abgcqjhp.exe96⤵PID:6000
-
C:\Windows\SysWOW64\Abipfifn.exeC:\Windows\system32\Abipfifn.exe97⤵
- Modifies registry class
PID:6048 -
C:\Windows\SysWOW64\Bbklli32.exeC:\Windows\system32\Bbklli32.exe98⤵PID:6096
-
C:\Windows\SysWOW64\Bbniai32.exeC:\Windows\system32\Bbniai32.exe99⤵PID:6140
-
C:\Windows\SysWOW64\Bgkaip32.exeC:\Windows\system32\Bgkaip32.exe100⤵PID:5168
-
C:\Windows\SysWOW64\Bbpeghpe.exeC:\Windows\system32\Bbpeghpe.exe101⤵PID:5248
-
C:\Windows\SysWOW64\Bkhjpn32.exeC:\Windows\system32\Bkhjpn32.exe102⤵PID:5316
-
C:\Windows\SysWOW64\Beaohcmf.exeC:\Windows\system32\Beaohcmf.exe103⤵PID:5404
-
C:\Windows\SysWOW64\Bnicai32.exeC:\Windows\system32\Bnicai32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5480 -
C:\Windows\SysWOW64\Becknc32.exeC:\Windows\system32\Becknc32.exe105⤵PID:5540
-
C:\Windows\SysWOW64\Ceehcc32.exeC:\Windows\system32\Ceehcc32.exe106⤵PID:5620
-
C:\Windows\SysWOW64\Cbihmg32.exeC:\Windows\system32\Cbihmg32.exe107⤵PID:5680
-
C:\Windows\SysWOW64\Clbmfm32.exeC:\Windows\system32\Clbmfm32.exe108⤵PID:5740
-
C:\Windows\SysWOW64\Cldjkl32.exeC:\Windows\system32\Cldjkl32.exe109⤵PID:5824
-
C:\Windows\SysWOW64\Cemndbci.exeC:\Windows\system32\Cemndbci.exe110⤵PID:5892
-
C:\Windows\SysWOW64\Clffalkf.exeC:\Windows\system32\Clffalkf.exe111⤵PID:5952
-
C:\Windows\SysWOW64\Cfljnejl.exeC:\Windows\system32\Cfljnejl.exe112⤵PID:6036
-
C:\Windows\SysWOW64\Dngobghg.exeC:\Windows\system32\Dngobghg.exe113⤵PID:6080
-
C:\Windows\SysWOW64\Dpihbjmg.exeC:\Windows\system32\Dpihbjmg.exe114⤵
- Modifies registry class
PID:5216 -
C:\Windows\SysWOW64\Diamko32.exeC:\Windows\system32\Diamko32.exe115⤵PID:5260
-
C:\Windows\SysWOW64\Didjqoae.exeC:\Windows\system32\Didjqoae.exe116⤵
- Drops file in System32 directory
PID:5380 -
C:\Windows\SysWOW64\Eifffoob.exeC:\Windows\system32\Eifffoob.exe117⤵PID:5536
-
C:\Windows\SysWOW64\Eoconenj.exeC:\Windows\system32\Eoconenj.exe118⤵
- Drops file in System32 directory
PID:5664 -
C:\Windows\SysWOW64\Eflceb32.exeC:\Windows\system32\Eflceb32.exe119⤵PID:5780
-
C:\Windows\SysWOW64\Elilmi32.exeC:\Windows\system32\Elilmi32.exe120⤵
- Drops file in System32 directory
PID:5872 -
C:\Windows\SysWOW64\Ellicihn.exeC:\Windows\system32\Ellicihn.exe121⤵PID:6032
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-