Analysis

max time kernel: 144s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/11/2023, 16:50

Static task: static1 (1 signature)

Behavioral task: behavioral1
  Sample: NEAS.d2538180d1dff7f669c03d9ecb299030.exe
  Resource: win7-20231020-en
  6 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: NEAS.d2538180d1dff7f669c03d9ecb299030.exe
  Resource: win10v2004-20231023-en
  5 signatures, 150 seconds

General

Target: NEAS.d2538180d1dff7f669c03d9ecb299030.exe
Size: 95KB
MD5: d2538180d1dff7f669c03d9ecb299030
SHA1: 8065a61d08a5f6a366258b07ad2c781ec3da8d55
SHA256: c9298e8aed6f19989d537b52400edac2002a13d32bafb3b52ef662ed5dbc30a3
SHA512: a668b499c18f64b76a181a31f99ce79f47445003766a01085bce6f7662c2d73dc7cdef13f2b054e3886524e6ea760ac91a607bc388d42cc291787d410dc008df
SSDEEP: 1536:3wyRp4aoN7aMh+ezT5Mu+Swr6/2OkDqjJ9u+Tnj9OM6bOLXi8PmCofGV:3LW9NzH+u//22j9DrLXfzoeV
Score: 10/10
Malware Config

Signatures

The signature tables below come from the behavioral2 run (win10v2004-20231023-en on x64, the platform named in the Analysis header). The sample is 32-bit (resource tag arch:x86): its registry writes land under WOW6432Node and its dropped files under C:\Windows\SysWOW64, which the process tree records as C:\Windows\system32 because of WoW64 file-system redirection. Every table shows exactly 64 IoCs and the last one is cut off mid-chain, so these are truncated views, not complete inventories; the absence of a row is not evidence that an action did not happen.
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

All 64 entries are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (SSODL). "Key created" is the SSODL key itself; "Set value (str)" is the value SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}". Only the description and the writing process vary:

description      Process
Key created      Pbmnlf32.exe
Set value (str)  Hcmbnk32.exe
Set value (str)  Ibohid32.exe
Set value (str)  Jcoapami.exe
Key created      Kcfgaq32.exe
Key created      Kkofofbb.exe
Set value (str)  Gamjea32.exe
Key created      Fligjnlo.exe
Set value (str)  Hoaocf32.exe
Key created      Cajqng32.exe
Set value (str)  Iimcgg32.exe
Set value (str)  Fahajbek.exe
Set value (str)  Lhkghofb.exe
Key created      Fnegqjne.exe
Key created      Dhdaao32.exe
Set value (str)  Eohmdhki.exe
Set value (str)  Eajehd32.exe
Key created      Mlkldmjf.exe
Key created      Dfcqjg32.exe
Key created      Lankloml.exe
Set value (str)  Ihkigd32.exe
Key created      Fdgdpdgj.exe
Set value (str)  Idbonc32.exe
Key created      Dkmogbeo.exe
Key created      Baanhi32.exe
Set value (str)  Oqakln32.exe
Set value (str)  Gijedm32.exe
Set value (str)  Kghjakbl.exe
Key created      Ckphamkp.exe
Key created      Ckgnbl32.exe
Key created      Oiehhjjp.exe
Key created      Liabjh32.exe
Set value (str)  Libnapmg.exe
Set value (str)  Ljmmnf32.exe
Set value (str)  Kjponk32.exe
Key created      Mbenfq32.exe
Key created      Fdccka32.exe
Set value (str)  Ebdlkdlp.exe
Key created      Ikijenab.exe
Key created      Igpkjo32.exe
Set value (str)  Ajndbd32.exe
Set value (str)  Headjael.exe
Key created      Ckealm32.exe
Set value (str)  Geabbfoc.exe
Set value (str)  Nojagf32.exe
Set value (str)  Poliog32.exe
Key created      Ioebdomd.exe
Set value (str)  Jndmgn32.exe
Set value (str)  Fgoadi32.exe
Set value (str)  Ckphamkp.exe
Key created      Dqpffaib.exe
Key created      Bhfogiff.exe
Key created      Elnoifjg.exe
Set value (str)  Iphihnjk.exe
Key created      Plhcglil.exe
Set value (str)  Jookdcie.exe
Set value (str)  Kggjghkd.exe
Key created      Mlflog32.exe
Set value (str)  Iiigqdfd.exe
Set value (str)  Ijnqld32.exe
Set value (str)  Fnfmlchf.exe
Key created      Flfjjkgi.exe
Key created      Lelcbmcc.exe
Key created      Pdfeandd.exe
Executes dropped EXE (64 IoCs)

pid   Process
1192  Pgcbbc32.exe
4952  Belemd32.exe
5092  Bpdfpmoo.exe
1912  Dpihbjmg.exe
4084  Elilmi32.exe
3188  Fhiphi32.exe
3904  Ggdbmoho.exe
2128  Hfniikha.exe
1492  Icpecm32.exe
1592  Jcihjl32.exe
3140  Kggjghkd.exe
3640  Ndjcne32.exe
4004  Oiehhjjp.exe
4792  Pgpobmca.exe
904   Aqfolqna.exe
2608  Dnghhqdk.exe
3928  Eaenkj32.exe
4540  Geabbfoc.exe
4320  Glpdjpbj.exe
4268  Hcflch32.exe
4252  Hhbdko32.exe
216   Ijgjpaao.exe
228   Jokiig32.exe
1748  Jmccnk32.exe
1172  Jflgfpkc.exe
4664  Kcphpdil.exe
2684  Kkofofbb.exe
4204  Ljglnmdi.exe
4640  Liabjh32.exe
1100  Mjcljk32.exe
4600  Mcnmhpoj.exe
3240  Nlnkgbhp.exe
4772  Oikngeoo.exe
4904  Olqqdo32.exe
4472  Qciebg32.exe
3496  Qckbggad.exe
1260  Agndidce.exe
1320  Almifk32.exe
2676  Bqdechnf.exe
3428  Cmmbmiag.exe
3664  Djhiglji.exe
2756  Enfjdh32.exe
3768  Flfjjkgi.exe
2904  Hhpaki32.exe
4296  Jnoopm32.exe
4192  Koeajo32.exe
5012  Kkaljpmd.exe
2840  Kdipce32.exe
3320  Lmhnea32.exe
2312  Mfiedfmd.exe
4796  Nldjnk32.exe
4432  Oihkgo32.exe
3448  Olpjii32.exe
4832  Pppoeg32.exe
3056  Plimpg32.exe
1660  Qfcjhphd.exe
1980  Affgno32.exe
2820  Amdiei32.exe
1788  Agojdnng.exe
1204  Amibqhed.exe
4220  Bpaacblm.exe
4732  Ccdgjm32.exe
3028  Dmjgdq32.exe
4056  Eflocepa.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Idjmfmgp.exe | Dadlmanj.exe
File created | C:\Windows\SysWOW64\Hoobnf32.exe | Hmmffnai.exe
File opened for modification | C:\Windows\SysWOW64\Bddcocff.exe | Bnjkbi32.exe
File opened for modification | C:\Windows\SysWOW64\Kqbdej32.exe | Kjhlipla.exe
File created | C:\Windows\SysWOW64\Gogiac32.dll | Hnpognhd.exe
File opened for modification | C:\Windows\SysWOW64\Dememj32.exe | Ddklnh32.exe
File created | C:\Windows\SysWOW64\Lkfclf32.dll | Jgqdal32.exe
File created | C:\Windows\SysWOW64\Mcnmccfa.exe | Leipbg32.exe
File opened for modification | C:\Windows\SysWOW64\Mnfnfl32.exe | Mglfibmh.exe
File opened for modification | C:\Windows\SysWOW64\Engjol32.exe | Emenhcdf.exe
File created | C:\Windows\SysWOW64\Qhjakc32.dll | Ibohid32.exe
File opened for modification | C:\Windows\SysWOW64\Oiehhjjp.exe | Ndjcne32.exe
File opened for modification | C:\Windows\SysWOW64\Ilnbch32.exe | Igajka32.exe
File created | C:\Windows\SysWOW64\Oggepi32.dll | Igajka32.exe
File created | C:\Windows\SysWOW64\Kcldjicn.dll | Dpihbjmg.exe
File created | C:\Windows\SysWOW64\Mjcljk32.exe | Liabjh32.exe
File created | C:\Windows\SysWOW64\Nlglpkpi.exe | Mlbbel32.exe
File created | C:\Windows\SysWOW64\Lpbgmpqi.dll | Fimhcbkh.exe
File opened for modification | C:\Windows\SysWOW64\Ihkigd32.exe | Ibnaonhp.exe
File opened for modification | C:\Windows\SysWOW64\Ijpcbn32.exe | Hdlhoefk.exe
File opened for modification | C:\Windows\SysWOW64\Fckacknf.exe | Fdgdpdgj.exe
File opened for modification | C:\Windows\SysWOW64\Llmpco32.exe | Khpgmqpp.exe
File created | C:\Windows\SysWOW64\Fqlimneb.dll | Nhpijldj.exe
File created | C:\Windows\SysWOW64\Cjlijp32.exe | Cbeaib32.exe
File created | C:\Windows\SysWOW64\Ddnigkcd.dll | Kgipmdmn.exe
File opened for modification | C:\Windows\SysWOW64\Fnegqjne.exe | Efeiahdo.exe
File opened for modification | C:\Windows\SysWOW64\Nldjnk32.exe | Mfiedfmd.exe
File opened for modification | C:\Windows\SysWOW64\Mlflog32.exe | Lelcbmcc.exe
File created | C:\Windows\SysWOW64\Jghpkq32.exe | Joahjcgb.exe
File opened for modification | C:\Windows\SysWOW64\Dgeegled.exe | Dqkmkb32.exe
File created | C:\Windows\SysWOW64\Jlijdbin.dll | Nnafgd32.exe
File created | C:\Windows\SysWOW64\Pgpobmca.exe | Oiehhjjp.exe
File created | C:\Windows\SysWOW64\Ibdaol32.dll | Oikngeoo.exe
File created | C:\Windows\SysWOW64\Banegc32.dll | Qfcjhphd.exe
File created | C:\Windows\SysWOW64\Ollehp32.dll | Pjeoablq.exe
File opened for modification | C:\Windows\SysWOW64\Ggfombmd.exe | Gpmgph32.exe
File opened for modification | C:\Windows\SysWOW64\Jqgldb32.exe | Jjmcghjj.exe
File opened for modification | C:\Windows\SysWOW64\Ipcomo32.exe | Iiigqdfd.exe
File created | C:\Windows\SysWOW64\Lbddnj32.dll | Hmmffnai.exe
File opened for modification | C:\Windows\SysWOW64\Amibqhed.exe | Agojdnng.exe
File opened for modification | C:\Windows\SysWOW64\Bpaacblm.exe | Amibqhed.exe
File opened for modification | C:\Windows\SysWOW64\Lhkghofb.exe | Lfjjqg32.exe
File created | C:\Windows\SysWOW64\Kkhpmigp.exe | Kengqo32.exe
File created | C:\Windows\SysWOW64\Mbenfq32.exe | Mlkejgfj.exe
File opened for modification | C:\Windows\SysWOW64\Eijiak32.exe | Dcnqid32.exe
File created | C:\Windows\SysWOW64\Engjol32.exe | Emenhcdf.exe
File created | C:\Windows\SysWOW64\Oifigkqc.dll | Npbcollj.exe
File created | C:\Windows\SysWOW64\Imbmlk32.dll | Qciebg32.exe
File created | C:\Windows\SysWOW64\Adelne32.dll | Kbbhjc32.exe
File created | C:\Windows\SysWOW64\Glpdjpbj.exe | Geabbfoc.exe
File opened for modification | C:\Windows\SysWOW64\Hdlhoefk.exe | Hnpognhd.exe
File opened for modification | C:\Windows\SysWOW64\Gpmgph32.exe | Fmnkdm32.exe
File created | C:\Windows\SysWOW64\Ffclml32.exe | Fpjcpbdn.exe
File opened for modification | C:\Windows\SysWOW64\Nlfnkoia.exe | Nelfnd32.exe
File created | C:\Windows\SysWOW64\Oflcnqal.dll | Geabbfoc.exe
File created | C:\Windows\SysWOW64\Iajdladh.dll | Dikpla32.exe
File created | C:\Windows\SysWOW64\Nfmjkpje.dll | Emphhhoh.exe
File opened for modification | C:\Windows\SysWOW64\Jnqbmadp.exe | Jkbfafel.exe
File opened for modification | C:\Windows\SysWOW64\Gnqflhcg.exe | Fbellhbi.exe
File created | C:\Windows\SysWOW64\Dnhgcgbi.exe | Chkokq32.exe
File created | C:\Windows\SysWOW64\Hnnlcpcl.exe | Glfmaemc.exe
File created | C:\Windows\SysWOW64\Amdiei32.exe | Affgno32.exe
File created | C:\Windows\SysWOW64\Phqdjm32.dll | Fpimgjbm.exe
File created | C:\Windows\SysWOW64\Ddklnh32.exe | Bhfogiff.exe
Modifies registry class (64 IoCs)

All 64 entries are under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32, the same CLSID the SSODL value above points at. The (Default) value is the in-process server DLL that explorer.exe will load (backslashes are shown unescaped here; the raw report doubles them); ThreadingModel is always "Apartment". Several of these DLLs appear in the "Drops file in System32 directory" table as created by the same process (Adelne32.dll by Kbbhjc32.exe, Ibdaol32.dll by Oikngeoo.exe, Oflcnqal.dll by Geabbfoc.exe), which gives the full persistence sequence: drop a DLL with a random name into SysWOW64, register it as the InProcServer32 of this CLSID, and list the CLSID under ShellServiceObjectDelayLoad so Explorer loads it at logon.

description | ioc | Process
Set value (str) | (Default) = C:\Windows\SysWow64\Bhfhkiqh.dll | Macdgn32.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Ilndon32.dll | Lcbfmomc.exe
Set value (str) | ThreadingModel = Apartment | Bkkofn32.exe
Set value (str) | ThreadingModel = Apartment | Ebdlkdlp.exe
Key created | InProcServer32 | Hhbdko32.exe
Key created | InProcServer32 | Kdipce32.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Lfkanj32.dll | Amibqhed.exe
Set value (str) | ThreadingModel = Apartment | Leipbg32.exe
Set value (str) | ThreadingModel = Apartment | Fimhcbkh.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Bppnjc32.dll | Kdipce32.exe
Key created | InProcServer32 | Majjgmco.exe
Set value (str) | ThreadingModel = Apartment | Efepln32.exe
Key created | InProcServer32 | Oofacdaj.exe
Set value (str) | ThreadingModel = Apartment | Glbakchp.exe
Set value (str) | ThreadingModel = Apartment | Pmjpod32.exe
Set value (str) | ThreadingModel = Apartment | Joahjcgb.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Bfdkmljj.dll | Ngikpjml.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Ekakgcih.dll | Hhbdko32.exe
Set value (str) | ThreadingModel = Apartment | Oqakln32.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Idbmkn32.dll | Eeagnc32.exe
Key created | InProcServer32 | Iojbid32.exe
Key created | InProcServer32 | Bmqhlk32.exe
Set value (str) | ThreadingModel = Apartment | Cggifn32.exe
Key created | InProcServer32 | Djhiglji.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Adelne32.dll | Kbbhjc32.exe
Key created | InProcServer32 | Mmkkgh32.exe
Set value (str) | ThreadingModel = Apartment | Pljalipc.exe
Set value (str) | ThreadingModel = Apartment | Eplgod32.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Cmqljn32.dll | Eaenkj32.exe
Set value (str) | ThreadingModel = Apartment | Elpppcdl.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Hnncad32.dll | Lpbojlfd.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Cjakoh32.dll | Gmndjf32.exe
Set value (str) | ThreadingModel = Apartment | Dqkmkb32.exe
Set value (str) | ThreadingModel = Apartment | Elilmi32.exe
Key created | InProcServer32 | Hdfobe32.exe
Key created | InProcServer32 | Kkhpmigp.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Mokhmm32.dll | Nlglpkpi.exe
Set value (str) | ThreadingModel = Apartment | Mjidpa32.exe
Key created | InProcServer32 | Eblpqono.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Khfchg32.dll | Faemjl32.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Amfjfkhe.dll | Fkmbbajb.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Dekioo32.dll | Chkokq32.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Dccldb32.dll | Hdnlmj32.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Gdnmaeek.dll | Bpkllo32.exe
Set value (str) | ThreadingModel = Apartment | Diicfa32.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Fdiqcb32.dll | Ljglnmdi.exe
Key created | InProcServer32 | Pdfeandd.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Imobclfe.dll | Kcphpdil.exe
Set value (str) | ThreadingModel = Apartment | Nedjdp32.exe
Key created | InProcServer32 | Blecdn32.exe
Set value (str) | ThreadingModel = Apartment | Oocmcn32.exe
Key created | InProcServer32 | Hfcnicjl.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Fiepmfim.dll | Bnjkbi32.exe
Key created | InProcServer32 | Dqpffaib.exe
Set value (str) | ThreadingModel = Apartment | Kfnkeh32.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Dehbljnp.dll | Meqmmm32.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Olheak32.dll | Mlkejgfj.exe
Key created | InProcServer32 | Diicfa32.exe
Key created | InProcServer32 | Nqmfnp32.exe
Set value (str) | ThreadingModel = Apartment | Ijgjpaao.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Ibdaol32.dll | Oikngeoo.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Ffbhnh32.dll | Dfhjefhf.exe
Set value (str) | (Default) = C:\Windows\SysWow64\Lhbcmqog.dll | Ikpjkf32.exe
Key created | InProcServer32 | Ljcldo32.exe
Suspicious use of WriteProcessMemory (64 IoCs)

Each row is one parent writing into the address space of the child it has just created; procid_target is the sandbox's own index for the target process, not a Windows PID. The raw table carries three identical records per spawn, collapsed here into a records column. Every target is the writer's own child (compare the process tree), so on this page the signature is the footprint of the chained process creation, not injection into an unrelated process. The table stops after the 64th record, in the middle of the 4252 -> 216 spawn.

PID   wrote to PID  Process                                    procid_target  records
2400  1192          NEAS.d2538180d1dff7f669c03d9ecb299030.exe  91             3
1192  4952          Pgcbbc32.exe                               92             3
4952  5092          Belemd32.exe                               93             3
5092  1912          Bpdfpmoo.exe                               94             3
1912  4084          Dpihbjmg.exe                               95             3
4084  3188          Elilmi32.exe                               96             3
3188  3904          Fhiphi32.exe                               97             3
3904  2128          Ggdbmoho.exe                               98             3
2128  1492          Hfniikha.exe                               99             3
1492  1592          Icpecm32.exe                               100            3
1592  3140          Jcihjl32.exe                               102            3
3140  3640          Kggjghkd.exe                               104            3
3640  4004          Ndjcne32.exe                               105            3
4004  4792          Oiehhjjp.exe                               106            3
4792  904           Pgpobmca.exe                               107            3
904   2608          Aqfolqna.exe                               108            3
2608  3928          Dnghhqdk.exe                               109            3
3928  4540          Eaenkj32.exe                               110            3
4540  4320          Geabbfoc.exe                               111            3
4320  4268          Glpdjpbj.exe                               112            3
4268  4252          Hcflch32.exe                               113            3
4252  216           Hhbdko32.exe                               114            1 (cut off)
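The autorun, file-drop and CLSID tables above describe a single persistence mechanism, and the interesting detection is the correlation between its two registry halves rather than either write on its own. The following Python is an added example, not part of this sandbox report or of any product: it takes Sysmon-style registry events (Event ID 13 value-set, Event ID 12 key-created, modelled here as plain dicts, which is an assumption about the event shape) and joins each ShellServiceObjectDelayLoad entry to the InProcServer32 DLL registered for its CLSID, in whichever order the two writes arrived. The sample events are constructed; their paths, processes and values are copied from the tables above, plus one constructed benign WebCheck entry as a control. The baseline CLSID set is also an assumption and should be regenerated from a known-good host.

```python
"""Correlate registry value-set events into an SSODL persistence finding.

Added example, not part of the sandbox report. Input events are constructed
dicts shaped like Sysmon Event ID 13 (value set) / 12 (key created):
event_id, image (writing process), target (key\\value path), details (data).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# ...\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\<entry name>
SSODL_RE = re.compile(
    r"\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad"
    r"\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# ...\Classes[\WOW6432Node]\CLSID\{guid}\InProcServer32\<value name>
INPROC_RE = re.compile(
    r"\\Classes\\(?:WOW6432Node\\)?CLSID\\(?P<clsid>\{[0-9A-F-]{36}\})\\InProcServer32"
    r"\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

# ASSUMPTION (constructed, not from the report): CLSIDs that legitimately sit in
# SSODL on a clean build. Build yours from a known-good host; only WebCheck here.
BASELINE_CLSIDS = {"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}


@dataclass
class Finding:
    name: str                  # SSODL value name, e.g. "Web Event Logger"
    clsid: str
    dll: str | None            # InProcServer32 (Default) data, if seen
    writers: set[str] = field(default_factory=set)   # processes that wrote either half
    reasons: list[str] = field(default_factory=list)


def find_ssodl_persistence(events: list[dict]) -> list[Finding]:
    ssodl: dict[str, tuple[str, str]] = {}    # entry name -> (CLSID, writer)
    inproc: dict[str, tuple[str, str]] = {}   # CLSID -> (DLL path, writer)
    # Pass 1: collect both halves regardless of order. The report shows the DLL
    # being registered by one process and the SSODL value written by another,
    # so the join must not assume which event comes first.
    for ev in events:
        if ev["event_id"] != 13:
            continue  # a bare "key created" carries no CLSID or path to correlate
        m = SSODL_RE.search(ev["target"])
        if m:
            ssodl[m.group("name")] = (ev["details"].strip('"').upper(), ev["image"])
            continue
        m = INPROC_RE.search(ev["target"])
        if m and m.group("value").lower() == "(default)":
            inproc[m.group("clsid").upper()] = (ev["details"].strip('"'), ev["image"])
    # Pass 2: every non-baseline SSODL entry is a finding; enrich it with the DLL.
    findings: list[Finding] = []
    for name, (clsid, writer) in ssodl.items():
        if clsid in BASELINE_CLSIDS:
            continue
        f = Finding(name, clsid, None, {writer},
                    ["SSODL entry references a CLSID outside the baseline"])
        if clsid in inproc:
            f.dll, reg_writer = inproc[clsid]
            f.writers.add(reg_writer)
            low = f.dll.lower()
            if "\\syswow64\\" in low or "\\system32\\" in low:
                f.reasons.append("non-baseline InProcServer32 DLL placed inside the Windows directory")
        else:
            f.reasons.append("no InProcServer32 registration seen for this CLSID in the log window")
        findings.append(f)
    return findings


# Constructed sample events; values copied from the report's tables, plus a
# constructed benign WebCheck write that must not fire.
SAMPLE_EVENTS = [
    {"event_id": 12, "image": r"C:\Windows\SysWOW64\Pbmnlf32.exe",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
     "details": ""},
    {"event_id": 13, "image": r"C:\Windows\SysWOW64\Macdgn32.exe",
     "target": r"HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\(Default)",
     "details": r"C:\Windows\SysWow64\Bhfhkiqh.dll"},
    {"event_id": 13, "image": r"C:\Windows\SysWOW64\Bkkofn32.exe",
     "target": r"HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel",
     "details": "Apartment"},
    {"event_id": 13, "image": r"C:\Windows\SysWOW64\Hcmbnk32.exe",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger",
     "details": "{79FAA099-1BAE-816E-D711-115290CEE717}"},
    {"event_id": 13, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck",
     "details": "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"},
]

if __name__ == "__main__":
    for f in find_ssodl_persistence(SAMPLE_EVENTS):
        print(f"{f.name} -> {f.clsid} -> {f.dll}; written by {sorted(f.writers)}; {f.reasons}")
```

The ThreadingModel write is deliberately ignored: it carries no path and adds nothing to the join. Pivoting on the writers set is what turns a single registry alert into the process chain, since the report shows the key creation, the DLL registration and the SSODL value being written by three different stages.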
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.d2538180d1dff7f669c03d9ecb299030.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.d2538180d1dff7f669c03d9ecb299030.exe"), level 1
- Suspicious use of WriteProcessMemory
PID: 2400
C:\Windows\SysWOW64\Pgcbbc32.exe (command line: C:\Windows\system32\Pgcbbc32.exe), level 2
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1192
C:\Windows\SysWOW64\Belemd32.exe (command line: C:\Windows\system32\Belemd32.exe), level 3
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4952
C:\Windows\SysWOW64\Bpdfpmoo.exe (command line: C:\Windows\system32\Bpdfpmoo.exe), level 4
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 5092
C:\Windows\SysWOW64\Dpihbjmg.exe (command line: C:\Windows\system32\Dpihbjmg.exe), level 5
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 1912
C:\Windows\SysWOW64\Elilmi32.exe (command line: C:\Windows\system32\Elilmi32.exe), level 6
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4084
C:\Windows\SysWOW64\Fhiphi32.exe (command line: C:\Windows\system32\Fhiphi32.exe), level 7
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3188
C:\Windows\SysWOW64\Ggdbmoho.exe (command line: C:\Windows\system32\Ggdbmoho.exe), level 8
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3904
C:\Windows\SysWOW64\Hfniikha.exe (command line: C:\Windows\system32\Hfniikha.exe), level 9
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2128
C:\Windows\SysWOW64\Icpecm32.exe (command line: C:\Windows\system32\Icpecm32.exe), level 10
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1492
C:\Windows\SysWOW64\Jcihjl32.exe (command line: C:\Windows\system32\Jcihjl32.exe), level 11
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1592
C:\Windows\SysWOW64\Kggjghkd.exe (command line: C:\Windows\system32\Kggjghkd.exe), level 12
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3140
C:\Windows\SysWOW64\Ndjcne32.exe (command line: C:\Windows\system32\Ndjcne32.exe), level 13
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 3640
C:\Windows\SysWOW64\Oiehhjjp.exe (command line: C:\Windows\system32\Oiehhjjp.exe), level 14
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 4004
C:\Windows\SysWOW64\Pgpobmca.exe (command line: C:\Windows\system32\Pgpobmca.exe), level 15
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4792
C:\Windows\SysWOW64\Aqfolqna.exe (command line: C:\Windows\system32\Aqfolqna.exe), level 16
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 904
C:\Windows\SysWOW64\Dnghhqdk.exe (command line: C:\Windows\system32\Dnghhqdk.exe), level 17
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2608
C:\Windows\SysWOW64\Eaenkj32.exe (command line: C:\Windows\system32\Eaenkj32.exe), level 18
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3928
C:\Windows\SysWOW64\Geabbfoc.exe (command line: C:\Windows\system32\Geabbfoc.exe), level 19
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 4540
C:\Windows\SysWOW64\Glpdjpbj.exe (command line: C:\Windows\system32\Glpdjpbj.exe), level 20
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4320
C:\Windows\SysWOW64\Hcflch32.exe (command line: C:\Windows\system32\Hcflch32.exe), level 21
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4268
C:\Windows\SysWOW64\Hhbdko32.exe (command line: C:\Windows\system32\Hhbdko32.exe), level 22
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4252
C:\Windows\SysWOW64\Ijgjpaao.exe (command line: C:\Windows\system32\Ijgjpaao.exe), level 23
- Executes dropped EXE
- Modifies registry class
PID: 216
C:\Windows\SysWOW64\Jokiig32.exe (command line: C:\Windows\system32\Jokiig32.exe), level 24
- Executes dropped EXE
PID: 228
C:\Windows\SysWOW64\Jmccnk32.exe (command line: C:\Windows\system32\Jmccnk32.exe), level 25
- Executes dropped EXE
PID: 1748
C:\Windows\SysWOW64\Jflgfpkc.exe (command line: C:\Windows\system32\Jflgfpkc.exe), level 26
- Executes dropped EXE
PID: 1172
C:\Windows\SysWOW64\Kcphpdil.exe (command line: C:\Windows\system32\Kcphpdil.exe), level 27
- Executes dropped EXE
- Modifies registry class
PID: 4664
C:\Windows\SysWOW64\Kkofofbb.exe (command line: C:\Windows\system32\Kkofofbb.exe), level 28
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2684
C:\Windows\SysWOW64\Ljglnmdi.exe (command line: C:\Windows\system32\Ljglnmdi.exe), level 29
- Executes dropped EXE
- Modifies registry class
PID: 4204
C:\Windows\SysWOW64\Liabjh32.exe (command line: C:\Windows\system32\Liabjh32.exe), level 30
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 4640
C:\Windows\SysWOW64\Mjcljk32.exe (command line: C:\Windows\system32\Mjcljk32.exe), level 31
- Executes dropped EXE
PID: 1100
C:\Windows\SysWOW64\Mcnmhpoj.exe (command line: C:\Windows\system32\Mcnmhpoj.exe), level 32
- Executes dropped EXE
PID: 4600
C:\Windows\SysWOW64\Nlnkgbhp.exe (command line: C:\Windows\system32\Nlnkgbhp.exe), level 33
- Executes dropped EXE
PID: 3240
C:\Windows\SysWOW64\Oikngeoo.exe (command line: C:\Windows\system32\Oikngeoo.exe), level 34
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 4772
C:\Windows\SysWOW64\Olqqdo32.exe (command line: C:\Windows\system32\Olqqdo32.exe), level 35
- Executes dropped EXE
PID: 4904
C:\Windows\SysWOW64\Qciebg32.exe (command line: C:\Windows\system32\Qciebg32.exe), level 36
- Executes dropped EXE
- Drops file in System32 directory
PID: 4472
C:\Windows\SysWOW64\Qckbggad.exe (command line: C:\Windows\system32\Qckbggad.exe), level 37
- Executes dropped EXE
PID: 3496
C:\Windows\SysWOW64\Agndidce.exe (command line: C:\Windows\system32\Agndidce.exe), level 38
- Executes dropped EXE
PID: 1260
C:\Windows\SysWOW64\Almifk32.exe (command line: C:\Windows\system32\Almifk32.exe), level 39
- Executes dropped EXE
PID: 1320
C:\Windows\SysWOW64\Bqdechnf.exe (command line: C:\Windows\system32\Bqdechnf.exe), level 40
- Executes dropped EXE
PID: 2676
C:\Windows\SysWOW64\Cmmbmiag.exe (command line: C:\Windows\system32\Cmmbmiag.exe), level 41
- Executes dropped EXE
PID: 3428
C:\Windows\SysWOW64\Djhiglji.exe (command line: C:\Windows\system32\Djhiglji.exe), level 42
- Executes dropped EXE
- Modifies registry class
PID: 3664
C:\Windows\SysWOW64\Enfjdh32.exe (command line: C:\Windows\system32\Enfjdh32.exe), level 43
- Executes dropped EXE
PID: 2756
C:\Windows\SysWOW64\Flfjjkgi.exe (command line: C:\Windows\system32\Flfjjkgi.exe), level 44
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 3768
C:\Windows\SysWOW64\Hhpaki32.exe (command line: C:\Windows\system32\Hhpaki32.exe), level 45
- Executes dropped EXE
PID: 2904
C:\Windows\SysWOW64\Jnoopm32.exe (command line: C:\Windows\system32\Jnoopm32.exe), level 46
- Executes dropped EXE
PID: 4296
C:\Windows\SysWOW64\Koeajo32.exe (command line: C:\Windows\system32\Koeajo32.exe), level 47
- Executes dropped EXE
PID: 4192
C:\Windows\SysWOW64\Kkaljpmd.exe (command line: C:\Windows\system32\Kkaljpmd.exe), level 48
- Executes dropped EXE
PID: 5012
C:\Windows\SysWOW64\Kdipce32.exe (command line: C:\Windows\system32\Kdipce32.exe), level 49
- Executes dropped EXE
- Modifies registry class
PID: 2840
C:\Windows\SysWOW64\Lmhnea32.exe (command line: C:\Windows\system32\Lmhnea32.exe), level 50
- Executes dropped EXE
PID: 3320
C:\Windows\SysWOW64\Mfiedfmd.exe (command line: C:\Windows\system32\Mfiedfmd.exe), level 51
- Executes dropped EXE
- Drops file in System32 directory
PID: 2312
C:\Windows\SysWOW64\Nldjnk32.exe (command line: C:\Windows\system32\Nldjnk32.exe), level 52
- Executes dropped EXE
PID: 4796
C:\Windows\SysWOW64\Oihkgo32.exe (command line: C:\Windows\system32\Oihkgo32.exe), level 53
- Executes dropped EXE
PID: 4432
C:\Windows\SysWOW64\Olpjii32.exe (command line: C:\Windows\system32\Olpjii32.exe), level 54
- Executes dropped EXE
PID: 3448
C:\Windows\SysWOW64\Pppoeg32.exe (command line: C:\Windows\system32\Pppoeg32.exe), level 55
- Executes dropped EXE
PID: 4832
C:\Windows\SysWOW64\Plimpg32.exe (command line: C:\Windows\system32\Plimpg32.exe), level 56
- Executes dropped EXE
PID: 3056
C:\Windows\SysWOW64\Qfcjhphd.exe (command line: C:\Windows\system32\Qfcjhphd.exe), level 57
- Executes dropped EXE
- Drops file in System32 directory
PID: 1660
C:\Windows\SysWOW64\Affgno32.exe (command line: C:\Windows\system32\Affgno32.exe), level 58
- Executes dropped EXE
- Drops file in System32 directory
PID: 1980
C:\Windows\SysWOW64\Amdiei32.exe (command line: C:\Windows\system32\Amdiei32.exe), level 59
- Executes dropped EXE
PID: 2820
C:\Windows\SysWOW64\Agojdnng.exe (command line: C:\Windows\system32\Agojdnng.exe), level 60
- Executes dropped EXE
- Drops file in System32 directory
PID: 1788
C:\Windows\SysWOW64\Amibqhed.exe (command line: C:\Windows\system32\Amibqhed.exe), level 61
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 1204
C:\Windows\SysWOW64\Bpaacblm.exe (command line: C:\Windows\system32\Bpaacblm.exe), level 62
- Executes dropped EXE
PID: 4220
C:\Windows\SysWOW64\Ccdgjm32.exe (command line: C:\Windows\system32\Ccdgjm32.exe), level 63
- Executes dropped EXE
PID: 4732
C:\Windows\SysWOW64\Dmjgdq32.exe (command line: C:\Windows\system32\Dmjgdq32.exe), level 64
- Executes dropped EXE
PID: 3028
C:\Windows\SysWOW64\Eflocepa.exe (command line: C:\Windows\system32\Eflocepa.exe), level 65
- Executes dropped EXE
PID: 4056
C:\Windows\SysWOW64\Fpimgjbm.exe (command line: C:\Windows\system32\Fpimgjbm.exe), level 66
- Drops file in System32 directory
PID: 3544
C:\Windows\SysWOW64\Fppchile.exe (command line: C:\Windows\system32\Fppchile.exe), level 67
PID: 4876
C:\Windows\SysWOW64\Hnpognhd.exe (command line: C:\Windows\system32\Hnpognhd.exe), level 68
- Drops file in System32 directory
PID: 4996
C:\Windows\SysWOW64\Hdlhoefk.exe (command line: C:\Windows\system32\Hdlhoefk.exe), level 69
- Drops file in System32 directory
PID: 1420
C:\Windows\SysWOW64\Ijpcbn32.exe (command line: C:\Windows\system32\Ijpcbn32.exe), level 70
PID: 3412
C:\Windows\SysWOW64\Jkplilgk.exe (command line: C:\Windows\system32\Jkplilgk.exe), level 71
PID: 1044
C:\Windows\SysWOW64\Kdpfbp32.exe (command line: C:\Windows\system32\Kdpfbp32.exe), level 72
PID: 5064
C:\Windows\SysWOW64\Kphdma32.exe (command line: C:\Windows\system32\Kphdma32.exe), level 73
PID: 1360
C:\Windows\SysWOW64\Lglopjkg.exe (command line: C:\Windows\system32\Lglopjkg.exe), level 74
PID: 4012
C:\Windows\SysWOW64\Mojmbf32.exe (command line: C:\Windows\system32\Mojmbf32.exe), level 75
PID: 1716
C:\Windows\SysWOW64\Moacbe32.exe (command line: C:\Windows\system32\Moacbe32.exe), level 76
PID: 1236
C:\Windows\SysWOW64\Nqnofkkj.exe (command line: C:\Windows\system32\Nqnofkkj.exe), level 77
PID: 2704
C:\Windows\SysWOW64\Oghgbe32.exe (command line: C:\Windows\system32\Oghgbe32.exe), level 78
PID: 3840
C:\Windows\SysWOW64\Oapllk32.exe (command line: C:\Windows\system32\Oapllk32.exe), level 79
PID: 3500
C:\Windows\SysWOW64\Olmficce.exe (command line: C:\Windows\system32\Olmficce.exe), level 80
PID: 3976
C:\Windows\SysWOW64\Cebllbcc.exe (command line: C:\Windows\system32\Cebllbcc.exe), level 81
PID: 3964
C:\Windows\SysWOW64\Dadlmanj.exe (command line: C:\Windows\system32\Dadlmanj.exe), level 82
- Drops file in System32 directory
PID: 4272
C:\Windows\SysWOW64\Idjmfmgp.exe (command line: C:\Windows\system32\Idjmfmgp.exe), level 83
PID: 3640
C:\Windows\SysWOW64\Jiphebml.exe (command line: C:\Windows\system32\Jiphebml.exe), level 84
PID: 4084
C:\Windows\SysWOW64\Kfhbifgq.exe (command line: C:\Windows\system32\Kfhbifgq.exe), level 85
PID: 4948
C:\Windows\SysWOW64\Libnapmg.exe (command line: C:\Windows\system32\Libnapmg.exe), level 86
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1264
C:\Windows\SysWOW64\Mkkmaalo.exe (command line: C:\Windows\system32\Mkkmaalo.exe), level 87
PID: 772
C:\Windows\SysWOW64\Nkgmmpab.exe (command line: C:\Windows\system32\Nkgmmpab.exe), level 88
PID: 5036
C:\Windows\SysWOW64\Nnhfokoc.exe (command line: C:\Windows\system32\Nnhfokoc.exe), level 89
PID: 1312
C:\Windows\SysWOW64\Ncihbaie.exe (command line: C:\Windows\system32\Ncihbaie.exe), level 90
PID: 2136
C:\Windows\SysWOW64\Ogljcokf.exe (command line: C:\Windows\system32\Ogljcokf.exe), level 91
PID: 3936
C:\Windows\SysWOW64\Peimcaae.exe (command line: C:\Windows\system32\Peimcaae.exe), level 92
PID: 4488
C:\Windows\SysWOW64\Pbmnlf32.exe (command line: C:\Windows\system32\Pbmnlf32.exe), level 93
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2208
C:\Windows\SysWOW64\Abngccbl.exe (command line: C:\Windows\system32\Abngccbl.exe), level 94
PID: 4408
C:\Windows\SysWOW64\Bhdbaihi.exe (command line: C:\Windows\system32\Bhdbaihi.exe), level 95
PID: 1908
C:\Windows\SysWOW64\Bbifobho.exe (command line: C:\Windows\system32\Bbifobho.exe), level 96
PID: 4636
C:\Windows\SysWOW64\Bhfogiff.exe (command line: C:\Windows\system32\Bhfogiff.exe), level 97
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 1100
C:\Windows\SysWOW64\Ddklnh32.exe (command line: C:\Windows\system32\Ddklnh32.exe), level 98
- Drops file in System32 directory
PID: 4452
C:\Windows\SysWOW64\Dememj32.exe (command line: C:\Windows\system32\Dememj32.exe), level 99
PID: 4600
C:\Windows\SysWOW64\Echkgnnl.exe (command line: C:\Windows\system32\Echkgnnl.exe), level 100
PID: 500
C:\Windows\SysWOW64\Elpppcdl.exe (command line: C:\Windows\system32\Elpppcdl.exe), level 101
- Modifies registry class
PID: 3812
C:\Windows\SysWOW64\Femndhgh.exe (command line: C:\Windows\system32\Femndhgh.exe), level 102
PID: 3100
C:\Windows\SysWOW64\Fdgdpdgj.exe (command line: C:\Windows\system32\Fdgdpdgj.exe), level 103
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 2880
C:\Windows\SysWOW64\Fckacknf.exe (command line: C:\Windows\system32\Fckacknf.exe), level 104
PID: 2592
C:\Windows\SysWOW64\Hckjjh32.exe (command line: C:\Windows\system32\Hckjjh32.exe), level 105
PID: 1320
C:\Windows\SysWOW64\Mingbhon.exe (command line: C:\Windows\system32\Mingbhon.exe), level 106
PID: 1684
C:\Windows\SysWOW64\Oqakln32.exe (command line: C:\Windows\system32\Oqakln32.exe), level 107
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 3244
C:\Windows\SysWOW64\Ogkcihgj.exe (command line: C:\Windows\system32\Ogkcihgj.exe), level 108
PID: 2152
C:\Windows\SysWOW64\Onekeb32.exe (command line: C:\Windows\system32\Onekeb32.exe), level 109
PID: 4472
C:\Windows\SysWOW64\Pjeoablq.exe (command line: C:\Windows\system32\Pjeoablq.exe), level 110
- Drops file in System32 directory
PID: 4872
C:\Windows\SysWOW64\Aekleind.exe (command line: C:\Windows\system32\Aekleind.exe), level 111
PID: 4924
C:\Windows\SysWOW64\Bjddinbn.exe (command line: C:\Windows\system32\Bjddinbn.exe), level 112
PID: 2040
C:\Windows\SysWOW64\Cjfaon32.exe (command line: C:\Windows\system32\Cjfaon32.exe), level 113
PID: 1208
C:\Windows\SysWOW64\Celelf32.exe (command line: C:\Windows\system32\Celelf32.exe), level 114
PID: 3320
C:\Windows\SysWOW64\Cjindm32.exe (command line: C:\Windows\system32\Cjindm32.exe), level 115
PID: 1844
C:\Windows\SysWOW64\Cdabmcdi.exe (command line: C:\Windows\system32\Cdabmcdi.exe), level 116
PID: 2036
C:\Windows\SysWOW64\Dmnpah32.exe (command line: C:\Windows\system32\Dmnpah32.exe), level 117
PID: 4204
C:\Windows\SysWOW64\Dhcdnq32.exe (command line: C:\Windows\system32\Dhcdnq32.exe), level 118
PID: 2232
C:\Windows\SysWOW64\Dmpmfg32.exe (command line: C:\Windows\system32\Dmpmfg32.exe), level 119
PID: 1064
C:\Windows\SysWOW64\Eeagnc32.exe (command line: C:\Windows\system32\Eeagnc32.exe), level 120
- Modifies registry class
PID: 1704
C:\Windows\SysWOW64\Eajehd32.exe (command line: C:\Windows\system32\Eajehd32.exe), level 121
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 796
C:\Windows\SysWOW64\Ehdmenhh.exe (command line: C:\Windows\system32\Ehdmenhh.exe), level 122
PID: 4448