Analysis
-
max time kernel
115s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
02-11-2023 20:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.e06398e5b9bdbf0520ae9b4de697f0f0.exe
Resource
win7-20231023-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.e06398e5b9bdbf0520ae9b4de697f0f0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.e06398e5b9bdbf0520ae9b4de697f0f0.exe
-
Size
182KB
-
MD5
e06398e5b9bdbf0520ae9b4de697f0f0
-
SHA1
83f2fd467d062400dc180b1e92fcfb96f22050b8
-
SHA256
7008f5294e9db2125da3b910be7ca8f1b80145e52136f17e680211d37ad59ec8
-
SHA512
d33a55aed949b3c2fcd2c4ec1d02c8f7707e09294d6a74696a019e977a13ea5a4de3d0fa4e760b766994928dff0255f3b2a774b34a0d2982cd34784a97bf7067
-
SSDEEP
3072:QjUZZwon0j0dG6YjYDDC1CZmXG5X3ZZWlpLWX0j0dG6YjYDDC1CZ:20xns0IjwmXG5X3ZoiXs0Ijw
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iandjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nofmndkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imdndbkn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Occkhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idfhibdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kengqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbqonf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pikqcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bidlqhgc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ionlhlld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imdndbkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gllajf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pllieg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phkmoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cakjfcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmbpeiaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkcfbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkomhhae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Komoed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klibdcjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkkmaalo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpbojlfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccnnmmbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfcmpdjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obcled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocbdni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jklpakam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcbeqaia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fehplggn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkbcpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knjhae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmmome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gofkckoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acgfpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aclpkffa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpghel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohjlqklp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egeemiml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmnheggo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaabci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amodnenk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpagdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okpkaqmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkjjdmaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfgnka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Komoed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofadlbhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aohbbqme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcbnopkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmlmlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkaijl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbddmejf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfiiggpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emhdeoel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naaejj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mikjmhaq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkangg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgjfdm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdeffgff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eapmedef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfgiof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ampojimo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmnheggo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbkagfba.exe -
Executes dropped EXE 64 IoCs
pid Process 1908 Hjmodffo.exe 3656 Jehfcl32.exe 1276 Jjkdlall.exe 4160 Kajfdk32.exe 4196 Maoifh32.exe 4000 Mkjjdmaj.exe 1696 Nkapelka.exe 1468 Nheqnpjk.exe 4932 Okolfj32.exe 692 Ocmjhfjl.exe 2876 Piolkm32.exe 3484 Qihoak32.exe 5040 Bmagch32.exe 3796 Bcbeqaia.exe 1548 Ellpmolj.exe 3944 Fcpkph32.exe 4712 Iqpclh32.exe 952 Jakchf32.exe 2596 Jndmlj32.exe 3784 Kanidd32.exe 4036 Lhogamih.exe 4300 Mopeofjl.exe 1416 Moiheebb.exe 5044 Ndfanlpi.exe 228 Ngnppfgb.exe 1180 Oojalb32.exe 1840 Oolnabal.exe 3560 Odkcpi32.exe 3096 Pfmlok32.exe 2348 Pdeffgff.exe 3404 Qhekaejj.exe 2624 Bbpeghpe.exe 2912 Bfpkbfdi.exe 2492 Ceehcc32.exe 4696 Cbqonf32.exe 344 Dhpdkm32.exe 4232 Dlpigk32.exe 3064 Dhgjll32.exe 4708 Foonjd32.exe 656 Gllajf32.exe 2388 Gheodg32.exe 1052 Hjlaoioh.exe 2420 Jobfdl32.exe 3532 Kpgoolbl.exe 4024 Kpilekqj.exe 4060 Mdaqhf32.exe 3664 Nalgbi32.exe 3808 Ngipjp32.exe 1848 Npadcfnl.exe 220 Odaiodbp.exe 2008 Omlkmign.exe 2156 Ohaokbfd.exe 3816 Opmcod32.exe 4388 Pjgemi32.exe 1932 Pjlnhi32.exe 3004 Pdbbfadn.exe 3188 Phpklp32.exe 380 Pjahchpb.exe 1264 Aamipe32.exe 332 Ahinbo32.exe 4480 Adpogp32.exe 4456 Akjgdjoj.exe 4164 Akopoi32.exe 5024 Bdiamnpc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Affgmbdd.dll Opmcod32.exe File opened for modification C:\Windows\SysWOW64\Mbpfig32.exe Mmcnap32.exe File opened for modification C:\Windows\SysWOW64\Peonhg32.exe Phkmoc32.exe File created C:\Windows\SysWOW64\Pklkmo32.exe Ohkbldfa.exe File opened for modification C:\Windows\SysWOW64\Fhdocc32.exe Fbggkl32.exe File created C:\Windows\SysWOW64\Oemjonmn.dll Ejkndijd.exe File created C:\Windows\SysWOW64\Gmjcgb32.exe Fhjoilop.exe File created C:\Windows\SysWOW64\Jekpljgg.exe Jehcfj32.exe File created C:\Windows\SysWOW64\Pikqcl32.exe Plgpjhnf.exe File opened for modification C:\Windows\SysWOW64\Clohhbli.exe Cokgonmp.exe File created C:\Windows\SysWOW64\Komoed32.exe Jfgnka32.exe File created C:\Windows\SysWOW64\Qmlmjq32.exe Pdoofl32.exe File created C:\Windows\SysWOW64\Hokdpc32.dll Eomfae32.exe File created C:\Windows\SysWOW64\Njploeoi.exe Njnpie32.exe File created C:\Windows\SysWOW64\Cjpcel32.exe Cmlckhig.exe File opened for modification C:\Windows\SysWOW64\Jndmlj32.exe Jakchf32.exe File created C:\Windows\SysWOW64\Ckcbaf32.exe Cnmebblf.exe File created C:\Windows\SysWOW64\Bcngddao.exe Bkbcpb32.exe File opened for modification C:\Windows\SysWOW64\Hfonfp32.exe Hmginjki.exe File created C:\Windows\SysWOW64\Jalakeme.exe Hjjnkkjp.exe File created C:\Windows\SysWOW64\Kpdjbapj.exe Kgkfil32.exe File opened for modification C:\Windows\SysWOW64\Lgnekcei.exe Lijdbofo.exe File created C:\Windows\SysWOW64\Pollccqh.dll Kbaiip32.exe File opened for modification C:\Windows\SysWOW64\Qhekaejj.exe Pdeffgff.exe File created C:\Windows\SysWOW64\Ahinbo32.exe Aamipe32.exe File opened for modification C:\Windows\SysWOW64\Bcmqin32.exe Bidlqhgc.exe File opened for modification C:\Windows\SysWOW64\Objphn32.exe Okpkaqmp.exe File opened for modification C:\Windows\SysWOW64\Ejmkiiha.exe Ejkndijd.exe File created C:\Windows\SysWOW64\Bhohfj32.exe Aenpeoom.exe File created C:\Windows\SysWOW64\Bijnnf32.exe Ajeami32.exe File created C:\Windows\SysWOW64\Jghlgd32.dll Lqcjqcnp.exe File created C:\Windows\SysWOW64\Ndehdk32.dll Nljopa32.exe File created C:\Windows\SysWOW64\Bipdoedg.dll Mbbaaapj.exe File created C:\Windows\SysWOW64\Iaahjmkn.exe Ikgpmc32.exe File created C:\Windows\SysWOW64\Bnlqlc32.dll Ngmggj32.exe File created C:\Windows\SysWOW64\Dflfoi32.dll Dgmpkg32.exe File created C:\Windows\SysWOW64\Ogkooi32.dll Bokeai32.exe File created C:\Windows\SysWOW64\Hhnkppbf.exe Hcabhido.exe File created C:\Windows\SysWOW64\Imjddmpl.exe Kgflmo32.exe File opened for modification C:\Windows\SysWOW64\Kfhkop32.exe Kgdpgo32.exe File created C:\Windows\SysWOW64\Ehofco32.dll Mopeofjl.exe File created C:\Windows\SysWOW64\Ndfanlpi.exe Moiheebb.exe File created C:\Windows\SysWOW64\Fkjjmpnl.dll Mmfjfp32.exe File created C:\Windows\SysWOW64\Kfgdae32.dll Bidlqhgc.exe File opened for modification C:\Windows\SysWOW64\Onklkhnn.exe Onhoehpp.exe File created C:\Windows\SysWOW64\Nppakcok.dll Hpkcafjg.exe File created C:\Windows\SysWOW64\Jommbpbc.dll Nihiiimi.exe File created C:\Windows\SysWOW64\Ehoegjcf.dll Oaomij32.exe File opened for modification C:\Windows\SysWOW64\Ckcbaf32.exe Cnmebblf.exe File created C:\Windows\SysWOW64\Odmapl32.dll Njdlfbgm.exe File created C:\Windows\SysWOW64\Lfdhhgmj.dll Bgckgcem.exe File opened for modification C:\Windows\SysWOW64\Kpgoolbl.exe Jobfdl32.exe File opened for modification C:\Windows\SysWOW64\Kpilekqj.exe Kpgoolbl.exe File created C:\Windows\SysWOW64\Doepod32.dll Hahedoci.exe File created C:\Windows\SysWOW64\Bdmbfb32.dll Nnmfdpni.exe File created C:\Windows\SysWOW64\Eoapldei.exe Efikco32.exe File created C:\Windows\SysWOW64\Fajanl32.dll Knpmcl32.exe File created C:\Windows\SysWOW64\Hpkcafjg.exe Haefqjeo.exe File opened for modification C:\Windows\SysWOW64\Hjmodffo.exe NEAS.e06398e5b9bdbf0520ae9b4de697f0f0.exe File created C:\Windows\SysWOW64\Qiilbk32.dll Cmlckhig.exe File created C:\Windows\SysWOW64\Cameka32.exe Bijnnf32.exe File created C:\Windows\SysWOW64\Faofbnjg.dll Objphn32.exe File created C:\Windows\SysWOW64\Bmagch32.exe Qihoak32.exe File opened for modification C:\Windows\SysWOW64\Dhfcae32.exe Dbgndoho.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9040 5392 WerFault.exe 793 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdhmo32.dll" Aamipe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kingpj32.dll" Iehfno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aohbbqme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coilnkdh.dll" Nqnofkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqnkph32.dll" Hbegakcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goconkah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahinbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiijig32.dll" Jhpjbgne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbaiip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kehhjfif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cncnbean.dll" Pfhklabb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcjnikhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onhoehpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkhokkel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmfhbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcjnikhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedkhf32.dll" Jjkdlall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahinbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moedgenf.dll" Lhbdbpnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmomfb32.dll" Ccnnmmbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekejap32.dll" Njdlfbgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfonfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plapdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coojpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amdddkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcfmlqp.dll" Bfabhppm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agndidce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnendjam.dll" Hfgjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocmjhfjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iefedcmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mddbjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omjhgoco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgbmliee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjahchpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfgiof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifcpgiji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmbpeiaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmfjfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knjhae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jghlgd32.dll" Lqcjqcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naiacpeo.dll" Fkopgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngnill32.dll" Dlegokbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbapdfkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkoinlbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgqblp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpgdlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onoknb32.dll" Eaabci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ellpmolj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlkiaece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efikco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdbked32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fehplggn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgkfil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnfjj32.dll" Behiec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npeego32.dll" Ejabgcdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idfhibdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmdcamko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aecqpp32.dll" Hhegjdag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdqgfbop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkkcfbf.dll" Iplkje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpqdd32.dll" Dqbadf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngekmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmangnmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekliod32.dll" Mpkkgbmi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1036 wrote to memory of 1908 1036 NEAS.e06398e5b9bdbf0520ae9b4de697f0f0.exe 91 PID 1036 wrote to memory of 1908 1036 NEAS.e06398e5b9bdbf0520ae9b4de697f0f0.exe 91 PID 1036 wrote to memory of 1908 1036 NEAS.e06398e5b9bdbf0520ae9b4de697f0f0.exe 91 PID 1908 wrote to memory of 3656 1908 Hjmodffo.exe 92 PID 1908 wrote to memory of 3656 1908 Hjmodffo.exe 92 PID 1908 wrote to memory of 3656 1908 Hjmodffo.exe 92 PID 3656 wrote to memory of 1276 3656 Jehfcl32.exe 93 PID 3656 wrote to memory of 1276 3656 Jehfcl32.exe 93 PID 3656 wrote to memory of 1276 3656 Jehfcl32.exe 93 PID 1276 wrote to memory of 4160 1276 Jjkdlall.exe 94 PID 1276 wrote to memory of 4160 1276 Jjkdlall.exe 94 PID 1276 wrote to memory of 4160 1276 Jjkdlall.exe 94 PID 4160 wrote to memory of 4196 4160 Kajfdk32.exe 95 PID 4160 wrote to memory of 4196 4160 Kajfdk32.exe 95 PID 4160 wrote to memory of 4196 4160 Kajfdk32.exe 95 PID 4196 wrote to memory of 4000 4196 Maoifh32.exe 96 PID 4196 wrote to memory of 4000 4196 Maoifh32.exe 96 PID 4196 wrote to memory of 4000 4196 Maoifh32.exe 96 PID 4000 wrote to memory of 1696 4000 Mkjjdmaj.exe 97 PID 4000 wrote to memory of 1696 4000 Mkjjdmaj.exe 97 PID 4000 wrote to memory of 1696 4000 Mkjjdmaj.exe 97 PID 1696 wrote to memory of 1468 1696 Nkapelka.exe 98 PID 1696 wrote to memory of 1468 1696 Nkapelka.exe 98 PID 1696 wrote to memory of 1468 1696 Nkapelka.exe 98 PID 1468 wrote to memory of 4932 1468 Nheqnpjk.exe 99 PID 1468 wrote to memory of 4932 1468 Nheqnpjk.exe 99 PID 1468 wrote to memory of 4932 1468 Nheqnpjk.exe 99 PID 4932 wrote to memory of 692 4932 Okolfj32.exe 100 PID 4932 wrote to memory of 692 4932 Okolfj32.exe 100 PID 4932 wrote to memory of 692 4932 Okolfj32.exe 100 PID 692 wrote to memory of 2876 692 Ocmjhfjl.exe 101 PID 692 wrote to memory of 2876 692 Ocmjhfjl.exe 101 PID 692 wrote to memory of 2876 692 Ocmjhfjl.exe 101 PID 2876 wrote to memory of 3484 2876 Piolkm32.exe 102 PID 2876 wrote to memory of 3484 2876 Piolkm32.exe 102 PID 2876 wrote to memory of 3484 2876 Piolkm32.exe 102 PID 3484 wrote to memory of 5040 3484 Qihoak32.exe 103 PID 3484 wrote to memory of 5040 3484 Qihoak32.exe 103 PID 3484 wrote to memory of 5040 3484 Qihoak32.exe 103 PID 5040 wrote to memory of 3796 5040 Bmagch32.exe 104 PID 5040 wrote to memory of 3796 5040 Bmagch32.exe 104 PID 5040 wrote to memory of 3796 5040 Bmagch32.exe 104 PID 3796 wrote to memory of 1548 3796 Bcbeqaia.exe 105 PID 3796 wrote to memory of 1548 3796 Bcbeqaia.exe 105 PID 3796 wrote to memory of 1548 3796 Bcbeqaia.exe 105 PID 1548 wrote to memory of 3944 1548 Ellpmolj.exe 106 PID 1548 wrote to memory of 3944 1548 Ellpmolj.exe 106 PID 1548 wrote to memory of 3944 1548 Ellpmolj.exe 106 PID 3944 wrote to memory of 4712 3944 Fcpkph32.exe 107 PID 3944 wrote to memory of 4712 3944 Fcpkph32.exe 107 PID 3944 wrote to memory of 4712 3944 Fcpkph32.exe 107 PID 4712 wrote to memory of 952 4712 Iqpclh32.exe 108 PID 4712 wrote to memory of 952 4712 Iqpclh32.exe 108 PID 4712 wrote to memory of 952 4712 Iqpclh32.exe 108 PID 952 wrote to memory of 2596 952 Jakchf32.exe 109 PID 952 wrote to memory of 2596 952 Jakchf32.exe 109 PID 952 wrote to memory of 2596 952 Jakchf32.exe 109 PID 2596 wrote to memory of 3784 2596 Jndmlj32.exe 110 PID 2596 wrote to memory of 3784 2596 Jndmlj32.exe 110 PID 2596 wrote to memory of 3784 2596 Jndmlj32.exe 110 PID 3784 wrote to memory of 4036 3784 Kanidd32.exe 111 PID 3784 wrote to memory of 4036 3784 Kanidd32.exe 111 PID 3784 wrote to memory of 4036 3784 Kanidd32.exe 111 PID 4036 wrote to memory of 4300 4036 Lhogamih.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.e06398e5b9bdbf0520ae9b4de697f0f0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.e06398e5b9bdbf0520ae9b4de697f0f0.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Hjmodffo.exeC:\Windows\system32\Hjmodffo.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Jehfcl32.exeC:\Windows\system32\Jehfcl32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Jjkdlall.exeC:\Windows\system32\Jjkdlall.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\Kajfdk32.exeC:\Windows\system32\Kajfdk32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\SysWOW64\Maoifh32.exeC:\Windows\system32\Maoifh32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Windows\SysWOW64\Mkjjdmaj.exeC:\Windows\system32\Mkjjdmaj.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\SysWOW64\Nkapelka.exeC:\Windows\system32\Nkapelka.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Nheqnpjk.exeC:\Windows\system32\Nheqnpjk.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Okolfj32.exeC:\Windows\system32\Okolfj32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\SysWOW64\Ocmjhfjl.exeC:\Windows\system32\Ocmjhfjl.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Windows\SysWOW64\Piolkm32.exeC:\Windows\system32\Piolkm32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Qihoak32.exeC:\Windows\system32\Qihoak32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Bmagch32.exeC:\Windows\system32\Bmagch32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Bcbeqaia.exeC:\Windows\system32\Bcbeqaia.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Windows\SysWOW64\Ellpmolj.exeC:\Windows\system32\Ellpmolj.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Fcpkph32.exeC:\Windows\system32\Fcpkph32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Iqpclh32.exeC:\Windows\system32\Iqpclh32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Jakchf32.exeC:\Windows\system32\Jakchf32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Jndmlj32.exeC:\Windows\system32\Jndmlj32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Kanidd32.exeC:\Windows\system32\Kanidd32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\Lhogamih.exeC:\Windows\system32\Lhogamih.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Mopeofjl.exeC:\Windows\system32\Mopeofjl.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4300 -
C:\Windows\SysWOW64\Moiheebb.exeC:\Windows\system32\Moiheebb.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1416 -
C:\Windows\SysWOW64\Ndfanlpi.exeC:\Windows\system32\Ndfanlpi.exe25⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Ngnppfgb.exeC:\Windows\system32\Ngnppfgb.exe26⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Oojalb32.exeC:\Windows\system32\Oojalb32.exe27⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Oolnabal.exeC:\Windows\system32\Oolnabal.exe28⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Odkcpi32.exeC:\Windows\system32\Odkcpi32.exe29⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Pfmlok32.exeC:\Windows\system32\Pfmlok32.exe30⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Pdeffgff.exeC:\Windows\system32\Pdeffgff.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Qhekaejj.exeC:\Windows\system32\Qhekaejj.exe32⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Bbpeghpe.exeC:\Windows\system32\Bbpeghpe.exe33⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Bfpkbfdi.exeC:\Windows\system32\Bfpkbfdi.exe34⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Ceehcc32.exeC:\Windows\system32\Ceehcc32.exe35⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Cbqonf32.exeC:\Windows\system32\Cbqonf32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Dhpdkm32.exeC:\Windows\system32\Dhpdkm32.exe37⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Dlpigk32.exeC:\Windows\system32\Dlpigk32.exe38⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Dhgjll32.exeC:\Windows\system32\Dhgjll32.exe39⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Foonjd32.exeC:\Windows\system32\Foonjd32.exe40⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Gllajf32.exeC:\Windows\system32\Gllajf32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:656 -
C:\Windows\SysWOW64\Gheodg32.exeC:\Windows\system32\Gheodg32.exe42⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Hjlaoioh.exeC:\Windows\system32\Hjlaoioh.exe43⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Jobfdl32.exeC:\Windows\system32\Jobfdl32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Kpgoolbl.exeC:\Windows\system32\Kpgoolbl.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3532 -
C:\Windows\SysWOW64\Kpilekqj.exeC:\Windows\system32\Kpilekqj.exe46⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Mdaqhf32.exeC:\Windows\system32\Mdaqhf32.exe47⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Nalgbi32.exeC:\Windows\system32\Nalgbi32.exe48⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Ngipjp32.exeC:\Windows\system32\Ngipjp32.exe49⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Npadcfnl.exeC:\Windows\system32\Npadcfnl.exe50⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Odaiodbp.exeC:\Windows\system32\Odaiodbp.exe51⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Omlkmign.exeC:\Windows\system32\Omlkmign.exe52⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Ohaokbfd.exeC:\Windows\system32\Ohaokbfd.exe53⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Opmcod32.exeC:\Windows\system32\Opmcod32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3816 -
C:\Windows\SysWOW64\Pjgemi32.exeC:\Windows\system32\Pjgemi32.exe55⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Pjlnhi32.exeC:\Windows\system32\Pjlnhi32.exe56⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Pdbbfadn.exeC:\Windows\system32\Pdbbfadn.exe57⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Phpklp32.exeC:\Windows\system32\Phpklp32.exe58⤵
- Executes dropped EXE
PID:3188 -
C:\Windows\SysWOW64\Pjahchpb.exeC:\Windows\system32\Pjahchpb.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:380 -
C:\Windows\SysWOW64\Aamipe32.exeC:\Windows\system32\Aamipe32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1264 -
C:\Windows\SysWOW64\Ahinbo32.exeC:\Windows\system32\Ahinbo32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Adpogp32.exeC:\Windows\system32\Adpogp32.exe62⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Akjgdjoj.exeC:\Windows\system32\Akjgdjoj.exe63⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Akopoi32.exeC:\Windows\system32\Akopoi32.exe64⤵
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\Bdiamnpc.exeC:\Windows\system32\Bdiamnpc.exe65⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Ceeaim32.exeC:\Windows\system32\Ceeaim32.exe66⤵PID:2184
-
C:\Windows\SysWOW64\Cnmebblf.exeC:\Windows\system32\Cnmebblf.exe67⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Ckcbaf32.exeC:\Windows\system32\Ckcbaf32.exe68⤵PID:5028
-
C:\Windows\SysWOW64\Dgmpkg32.exeC:\Windows\system32\Dgmpkg32.exe69⤵
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Dnghhqdk.exeC:\Windows\system32\Dnghhqdk.exe70⤵PID:2092
-
C:\Windows\SysWOW64\Dlkiaece.exeC:\Windows\system32\Dlkiaece.exe71⤵
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Dbdano32.exeC:\Windows\system32\Dbdano32.exe72⤵PID:4816
-
C:\Windows\SysWOW64\Dbgndoho.exeC:\Windows\system32\Dbgndoho.exe73⤵
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Dhfcae32.exeC:\Windows\system32\Dhfcae32.exe74⤵PID:2464
-
C:\Windows\SysWOW64\Fbggkl32.exeC:\Windows\system32\Fbggkl32.exe75⤵
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Fhdocc32.exeC:\Windows\system32\Fhdocc32.exe76⤵PID:1844
-
C:\Windows\SysWOW64\Fongpm32.exeC:\Windows\system32\Fongpm32.exe77⤵PID:4576
-
C:\Windows\SysWOW64\Fehplggn.exeC:\Windows\system32\Fehplggn.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4620 -
C:\Windows\SysWOW64\Flgadake.exeC:\Windows\system32\Flgadake.exe79⤵PID:3568
-
C:\Windows\SysWOW64\Gklnem32.exeC:\Windows\system32\Gklnem32.exe80⤵PID:1912
-
C:\Windows\SysWOW64\Hcabhido.exeC:\Windows\system32\Hcabhido.exe81⤵
- Drops file in System32 directory
PID:4444 -
C:\Windows\SysWOW64\Hhnkppbf.exeC:\Windows\system32\Hhnkppbf.exe82⤵PID:2280
-
C:\Windows\SysWOW64\Hafpiehg.exeC:\Windows\system32\Hafpiehg.exe83⤵PID:2628
-
C:\Windows\SysWOW64\Iefedcmk.exeC:\Windows\system32\Iefedcmk.exe84⤵
- Modifies registry class
PID:4368 -
C:\Windows\SysWOW64\Jkomhhae.exeC:\Windows\system32\Jkomhhae.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4996 -
C:\Windows\SysWOW64\Jkajnh32.exeC:\Windows\system32\Jkajnh32.exe86⤵PID:4780
-
C:\Windows\SysWOW64\Jfgnka32.exeC:\Windows\system32\Jfgnka32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1400 -
C:\Windows\SysWOW64\Komoed32.exeC:\Windows\system32\Komoed32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3048 -
C:\Windows\SysWOW64\Mpkkgbmi.exeC:\Windows\system32\Mpkkgbmi.exe89⤵
- Modifies registry class
PID:3748 -
C:\Windows\SysWOW64\Mjcljk32.exeC:\Windows\system32\Mjcljk32.exe90⤵PID:5136
-
C:\Windows\SysWOW64\Mjehok32.exeC:\Windows\system32\Mjehok32.exe91⤵PID:5188
-
C:\Windows\SysWOW64\Mbamcm32.exeC:\Windows\system32\Mbamcm32.exe92⤵PID:5320
-
C:\Windows\SysWOW64\Npnqcpmc.exeC:\Windows\system32\Npnqcpmc.exe93⤵PID:5364
-
C:\Windows\SysWOW64\Njceqili.exeC:\Windows\system32\Njceqili.exe94⤵PID:5408
-
C:\Windows\SysWOW64\Npqmipjq.exeC:\Windows\system32\Npqmipjq.exe95⤵PID:5452
-
C:\Windows\SysWOW64\Niiaae32.exeC:\Windows\system32\Niiaae32.exe96⤵PID:5500
-
C:\Windows\SysWOW64\Opcjno32.exeC:\Windows\system32\Opcjno32.exe97⤵PID:5544
-
C:\Windows\SysWOW64\Ojhnlh32.exeC:\Windows\system32\Ojhnlh32.exe98⤵PID:5584
-
C:\Windows\SysWOW64\Opefdo32.exeC:\Windows\system32\Opefdo32.exe99⤵PID:5628
-
C:\Windows\SysWOW64\Ofooqinh.exeC:\Windows\system32\Ofooqinh.exe100⤵PID:5696
-
C:\Windows\SysWOW64\Odhiemil.exeC:\Windows\system32\Odhiemil.exe101⤵PID:5752
-
C:\Windows\SysWOW64\Pdjeklfj.exeC:\Windows\system32\Pdjeklfj.exe102⤵PID:5792
-
C:\Windows\SysWOW64\Pmbjcb32.exeC:\Windows\system32\Pmbjcb32.exe103⤵PID:5836
-
C:\Windows\SysWOW64\Pboblika.exeC:\Windows\system32\Pboblika.exe104⤵PID:5880
-
C:\Windows\SysWOW64\Piikhc32.exeC:\Windows\system32\Piikhc32.exe105⤵PID:5920
-
C:\Windows\SysWOW64\Pdoofl32.exeC:\Windows\system32\Pdoofl32.exe106⤵
- Drops file in System32 directory
PID:5984 -
C:\Windows\SysWOW64\Qmlmjq32.exeC:\Windows\system32\Qmlmjq32.exe107⤵PID:6024
-
C:\Windows\SysWOW64\Qgdabflp.exeC:\Windows\system32\Qgdabflp.exe108⤵PID:6076
-
C:\Windows\SysWOW64\Qlajkm32.exeC:\Windows\system32\Qlajkm32.exe109⤵PID:6128
-
C:\Windows\SysWOW64\Anccjp32.exeC:\Windows\system32\Anccjp32.exe110⤵PID:3744
-
C:\Windows\SysWOW64\Akgcdc32.exeC:\Windows\system32\Akgcdc32.exe111⤵PID:5168
-
C:\Windows\SysWOW64\Agndidce.exeC:\Windows\system32\Agndidce.exe112⤵
- Modifies registry class
PID:5224 -
C:\Windows\SysWOW64\Almifk32.exeC:\Windows\system32\Almifk32.exe113⤵PID:5264
-
C:\Windows\SysWOW64\Bkbcpb32.exeC:\Windows\system32\Bkbcpb32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5312 -
C:\Windows\SysWOW64\Bcngddao.exeC:\Windows\system32\Bcngddao.exe115⤵PID:5344
-
C:\Windows\SysWOW64\Blflmj32.exeC:\Windows\system32\Blflmj32.exe116⤵PID:5432
-
C:\Windows\SysWOW64\Bqdechnf.exeC:\Windows\system32\Bqdechnf.exe117⤵PID:5524
-
C:\Windows\SysWOW64\Ccigpbga.exeC:\Windows\system32\Ccigpbga.exe118⤵PID:5612
-
C:\Windows\SysWOW64\Dqbadf32.exeC:\Windows\system32\Dqbadf32.exe119⤵
- Modifies registry class
PID:5656 -
C:\Windows\SysWOW64\Dgnffp32.exeC:\Windows\system32\Dgnffp32.exe120⤵PID:5732
-
C:\Windows\SysWOW64\Dmknog32.exeC:\Windows\system32\Dmknog32.exe121⤵PID:5824
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-