Analysis
max time kernel: 112s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/11/2023, 20:13
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: NEAS.c87a116243a4ef93fcc077f51f6b4290.exe
  Resource: win7-20231020-en
  7 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: NEAS.c87a116243a4ef93fcc077f51f6b4290.exe
  Resource: win10v2004-20231023-en
  6 signatures, 150 seconds
General
Target: NEAS.c87a116243a4ef93fcc077f51f6b4290.exe
Size: 64KB
MD5: c87a116243a4ef93fcc077f51f6b4290
SHA1: 9ef96a3d2110be501141d49be1d78c0e1920121f
SHA256: f507e46d503acd2d11198c8b72b54ba17644111a81b994159a4d566b8c157ed5
SHA512: ba9f98e19d507d159f921f66bd95c876bb7f9c79c3c1b8c169e40f8bb0c7492ca9662866a30b73b7f0a5a72e6dd9f7b7956163e0d175537ed6744bf3178223ed
SSDEEP: 1536:3C6KE3QM2k/3S089/1MWlOGDfga2LBAMCeW:yfEAdk/C0833lOU4BpW
Score: 10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 2 IoCs
pid   pid_target  Process            procid_target
7488  492         Process not Found  1231
8312  492         Process not Found  1231
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Each entry gives the process's depth in the tree, its image path, the command line it was launched with, and its PID; the signatures observed for that process follow as bullets.
depth 1: C:\Users\Admin\AppData\Local\Temp\NEAS.c87a116243a4ef93fcc077f51f6b4290.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.c87a116243a4ef93fcc077f51f6b4290.exe"), PID 2144
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
depth 2: C:\Windows\SysWOW64\Kakmna32.exe (command line: C:\Windows\system32\Kakmna32.exe), PID 2892
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 3: C:\Windows\SysWOW64\Mfpell32.exe (command line: C:\Windows\system32\Mfpell32.exe), PID 2104
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 4: C:\Windows\SysWOW64\Nqmojd32.exe (command line: C:\Windows\system32\Nqmojd32.exe), PID 1636
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 5: C:\Windows\SysWOW64\Noblkqca.exe (command line: C:\Windows\system32\Noblkqca.exe), PID 3716
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 6: C:\Windows\SysWOW64\Ocdnln32.exe (command line: C:\Windows\system32\Ocdnln32.exe), PID 3860
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 7: C:\Windows\SysWOW64\Oonlfo32.exe (command line: C:\Windows\system32\Oonlfo32.exe), PID 3700
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
depth 8: C:\Windows\SysWOW64\Omfekbdh.exe (command line: C:\Windows\system32\Omfekbdh.exe), PID 3864
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 9: C:\Windows\SysWOW64\Pcbkml32.exe (command line: C:\Windows\system32\Pcbkml32.exe), PID 2592
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 10: C:\Windows\SysWOW64\Aplaoj32.exe (command line: C:\Windows\system32\Aplaoj32.exe), PID 1952
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 11: C:\Windows\SysWOW64\Bpcgpihi.exe (command line: C:\Windows\system32\Bpcgpihi.exe), PID 4844
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 12: C:\Windows\SysWOW64\Bagmdllg.exe (command line: C:\Windows\system32\Bagmdllg.exe), PID 1204
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 13: C:\Windows\SysWOW64\Cpogkhnl.exe (command line: C:\Windows\system32\Cpogkhnl.exe), PID 1684
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 14: C:\Windows\SysWOW64\Ccblbb32.exe (command line: C:\Windows\system32\Ccblbb32.exe), PID 5052
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 15: C:\Windows\SysWOW64\Dknnoofg.exe (command line: C:\Windows\system32\Dknnoofg.exe), PID 1976
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
depth 16: C:\Windows\SysWOW64\Dpmcmf32.exe (command line: C:\Windows\system32\Dpmcmf32.exe), PID 3952
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 17: C:\Windows\SysWOW64\Dpalgenf.exe (command line: C:\Windows\system32\Dpalgenf.exe), PID 4768
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 18: C:\Windows\SysWOW64\Ecdbop32.exe (command line: C:\Windows\system32\Ecdbop32.exe), PID 2428
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 19: C:\Windows\SysWOW64\Fkemfl32.exe (command line: C:\Windows\system32\Fkemfl32.exe), PID 4092
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 20: C:\Windows\SysWOW64\Gjcmngnj.exe (command line: C:\Windows\system32\Gjcmngnj.exe), PID 1480
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 21: C:\Windows\SysWOW64\Gglfbkin.exe (command line: C:\Windows\system32\Gglfbkin.exe), PID 1876
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 22: C:\Windows\SysWOW64\Hkjohi32.exe (command line: C:\Windows\system32\Hkjohi32.exe), PID 4944
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 23: C:\Windows\SysWOW64\Jehfcl32.exe (command line: C:\Windows\system32\Jehfcl32.exe), PID 2252
  - Executes dropped EXE
depth 24: C:\Windows\SysWOW64\Jhhodg32.exe (command line: C:\Windows\system32\Jhhodg32.exe), PID 4340
  - Executes dropped EXE
depth 25: C:\Windows\SysWOW64\Jelonkph.exe (command line: C:\Windows\system32\Jelonkph.exe), PID 4320
  - Executes dropped EXE
depth 26: C:\Windows\SysWOW64\Jeaiij32.exe (command line: C:\Windows\system32\Jeaiij32.exe), PID 1136
  - Executes dropped EXE
depth 27: C:\Windows\SysWOW64\Leoejh32.exe (command line: C:\Windows\system32\Leoejh32.exe), PID 4456
  - Executes dropped EXE
depth 28: C:\Windows\SysWOW64\Nofoki32.exe (command line: C:\Windows\system32\Nofoki32.exe), PID 3948
  - Executes dropped EXE
depth 29: C:\Windows\SysWOW64\Okmpqjad.exe (command line: C:\Windows\system32\Okmpqjad.exe), PID 4196
  - Executes dropped EXE
depth 30: C:\Windows\SysWOW64\Ofijnbkb.exe (command line: C:\Windows\system32\Ofijnbkb.exe), PID 1600
  - Executes dropped EXE
  - Modifies registry class
depth 31: C:\Windows\SysWOW64\Pmjhlklg.exe (command line: C:\Windows\system32\Pmjhlklg.exe), PID 3412
  - Executes dropped EXE
depth 32: C:\Windows\SysWOW64\Afqifo32.exe (command line: C:\Windows\system32\Afqifo32.exe), PID 4400
  - Executes dropped EXE
depth 33: C:\Windows\SysWOW64\Apkjddke.exe (command line: C:\Windows\system32\Apkjddke.exe), PID 4744
  - Executes dropped EXE
depth 34: C:\Windows\SysWOW64\Bblcfo32.exe (command line: C:\Windows\system32\Bblcfo32.exe), PID 3968
  - Executes dropped EXE
depth 35: C:\Windows\SysWOW64\Bcnleb32.exe (command line: C:\Windows\system32\Bcnleb32.exe), PID 4904
  - Executes dropped EXE
depth 36: C:\Windows\SysWOW64\Bcpika32.exe (command line: C:\Windows\system32\Bcpika32.exe), PID 4756
  - Executes dropped EXE
depth 37: C:\Windows\SysWOW64\Cffkhl32.exe (command line: C:\Windows\system32\Cffkhl32.exe), PID 3528
  - Executes dropped EXE
depth 38: C:\Windows\SysWOW64\Cdnelpod.exe (command line: C:\Windows\system32\Cdnelpod.exe), PID 2820
  - Executes dropped EXE
depth 39: C:\Windows\SysWOW64\Clijablo.exe (command line: C:\Windows\system32\Clijablo.exe), PID 4576
  - Executes dropped EXE
depth 40: C:\Windows\SysWOW64\Dghadidj.exe (command line: C:\Windows\system32\Dghadidj.exe), PID 3556
  - Executes dropped EXE
depth 41: C:\Windows\SysWOW64\Eebgqe32.exe (command line: C:\Windows\system32\Eebgqe32.exe), PID 464
  - Executes dropped EXE
depth 42: C:\Windows\SysWOW64\Fpmeimpn.exe (command line: C:\Windows\system32\Fpmeimpn.exe), PID 212
  - Executes dropped EXE
  - Drops file in System32 directory
depth 43: C:\Windows\SysWOW64\Fcmnkh32.exe (command line: C:\Windows\system32\Fcmnkh32.exe), PID 2060
  - Executes dropped EXE
depth 44: C:\Windows\SysWOW64\Fpandm32.exe (command line: C:\Windows\system32\Fpandm32.exe), PID 2164
  - Executes dropped EXE
depth 45: C:\Windows\SysWOW64\Gnjhhpgl.exe (command line: C:\Windows\system32\Gnjhhpgl.exe), PID 4272
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
depth 46: C:\Windows\SysWOW64\Gqmnpk32.exe (command line: C:\Windows\system32\Gqmnpk32.exe), PID 1912
  - Executes dropped EXE
depth 47: C:\Windows\SysWOW64\Hnhdjn32.exe (command line: C:\Windows\system32\Hnhdjn32.exe), PID 2300
  - Executes dropped EXE
  - Modifies registry class
depth 48: C:\Windows\SysWOW64\Incdem32.exe (command line: C:\Windows\system32\Incdem32.exe), PID 1328
  - Executes dropped EXE
depth 49: C:\Windows\SysWOW64\Iglhob32.exe (command line: C:\Windows\system32\Iglhob32.exe), PID 528
  - Executes dropped EXE
depth 50: C:\Windows\SysWOW64\Imknli32.exe (command line: C:\Windows\system32\Imknli32.exe), PID 1568
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
depth 51: C:\Windows\SysWOW64\Jgekdq32.exe (command line: C:\Windows\system32\Jgekdq32.exe), PID 3756
  - Executes dropped EXE
depth 52: C:\Windows\SysWOW64\Jmdqbg32.exe (command line: C:\Windows\system32\Jmdqbg32.exe), PID 1236
  - Executes dropped EXE
depth 53: C:\Windows\SysWOW64\Kfkamk32.exe (command line: C:\Windows\system32\Kfkamk32.exe), PID 3216
  - Executes dropped EXE
depth 54: C:\Windows\SysWOW64\Lfmnbjcg.exe (command line: C:\Windows\system32\Lfmnbjcg.exe), PID 4472
  - Executes dropped EXE
depth 55: C:\Windows\SysWOW64\Lmjcdd32.exe (command line: C:\Windows\system32\Lmjcdd32.exe), PID 1764
  - Executes dropped EXE
depth 56: C:\Windows\SysWOW64\Lfbgmj32.exe (command line: C:\Windows\system32\Lfbgmj32.exe), PID 3792
  - Executes dropped EXE
depth 57: C:\Windows\SysWOW64\Lechkaga.exe (command line: C:\Windows\system32\Lechkaga.exe), PID 1728
  - Executes dropped EXE
depth 58: C:\Windows\SysWOW64\Mkgfdgpq.exe (command line: C:\Windows\system32\Mkgfdgpq.exe), PID 216
  - Executes dropped EXE
  - Modifies registry class
depth 59: C:\Windows\SysWOW64\Maehlqch.exe (command line: C:\Windows\system32\Maehlqch.exe), PID 2148
  - Executes dropped EXE
depth 60: C:\Windows\SysWOW64\Ngnppfgb.exe (command line: C:\Windows\system32\Ngnppfgb.exe), PID 32
  - Executes dropped EXE
depth 61: C:\Windows\SysWOW64\Ogqmee32.exe (command line: C:\Windows\system32\Ogqmee32.exe), PID 1512
  - Executes dropped EXE
depth 62: C:\Windows\SysWOW64\Odgjdibf.exe (command line: C:\Windows\system32\Odgjdibf.exe), PID 368
  - Executes dropped EXE
depth 63: C:\Windows\SysWOW64\Okcogc32.exe (command line: C:\Windows\system32\Okcogc32.exe), PID 4380
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
depth 64: C:\Windows\SysWOW64\Ogjpld32.exe (command line: C:\Windows\system32\Ogjpld32.exe), PID 4512
  - Executes dropped EXE
depth 65: C:\Windows\SysWOW64\Pdpmkhjl.exe (command line: C:\Windows\system32\Pdpmkhjl.exe), PID 2816
  - Executes dropped EXE
depth 66: C:\Windows\SysWOW64\Pfbfjk32.exe (command line: C:\Windows\system32\Pfbfjk32.exe), PID 568
  - Modifies registry class
depth 67: C:\Windows\SysWOW64\Pojjcp32.exe (command line: C:\Windows\system32\Pojjcp32.exe), PID 2036
  - Drops file in System32 directory
depth 68: C:\Windows\SysWOW64\Qkakhakq.exe (command line: C:\Windows\system32\Qkakhakq.exe), PID 1020
depth 69: C:\Windows\SysWOW64\Qffoejkg.exe (command line: C:\Windows\system32\Qffoejkg.exe), PID 4636
depth 70: C:\Windows\SysWOW64\Qoocnpag.exe (command line: C:\Windows\system32\Qoocnpag.exe), PID 4256
  - Drops file in System32 directory
depth 71: C:\Windows\SysWOW64\Qhghge32.exe (command line: C:\Windows\system32\Qhghge32.exe), PID 3560
depth 72: C:\Windows\SysWOW64\Afboah32.exe (command line: C:\Windows\system32\Afboah32.exe), PID 972
depth 73: C:\Windows\SysWOW64\Aokcjngj.exe (command line: C:\Windows\system32\Aokcjngj.exe), PID 3540
depth 74: C:\Windows\SysWOW64\Bkdqdokk.exe (command line: C:\Windows\system32\Bkdqdokk.exe), PID 4832
depth 75: C:\Windows\SysWOW64\Bpdfpmoo.exe (command line: C:\Windows\system32\Bpdfpmoo.exe), PID 3512
  - Modifies registry class
depth 76: C:\Windows\SysWOW64\Cbglgg32.exe (command line: C:\Windows\system32\Cbglgg32.exe), PID 5100
depth 77: C:\Windows\SysWOW64\Cfedmfqd.exe (command line: C:\Windows\system32\Cfedmfqd.exe), PID 1824
depth 78: C:\Windows\SysWOW64\Cpmifkgd.exe (command line: C:\Windows\system32\Cpmifkgd.exe), PID 3712
depth 79: C:\Windows\SysWOW64\Dngobghg.exe (command line: C:\Windows\system32\Dngobghg.exe), PID 1184
depth 80: C:\Windows\SysWOW64\Diamko32.exe (command line: C:\Windows\system32\Diamko32.exe), PID 3292
depth 81: C:\Windows\SysWOW64\Ellicihn.exe (command line: C:\Windows\system32\Ellicihn.exe), PID 1840
depth 82: C:\Windows\SysWOW64\Fgffka32.exe (command line: C:\Windows\system32\Fgffka32.exe), PID 1980
depth 83: C:\Windows\SysWOW64\Fcmgpbjc.exe (command line: C:\Windows\system32\Fcmgpbjc.exe), PID 640
depth 84: C:\Windows\SysWOW64\Flekihpc.exe (command line: C:\Windows\system32\Flekihpc.exe), PID 4100
depth 85: C:\Windows\SysWOW64\Gccmaack.exe (command line: C:\Windows\system32\Gccmaack.exe), PID 4572
depth 86: C:\Windows\SysWOW64\Gllajf32.exe (command line: C:\Windows\system32\Gllajf32.exe), PID 1416
depth 87: C:\Windows\SysWOW64\Hcommoin.exe (command line: C:\Windows\system32\Hcommoin.exe), PID 1592
depth 88: C:\Windows\SysWOW64\Hlhaee32.exe (command line: C:\Windows\system32\Hlhaee32.exe), PID 5128
depth 89: C:\Windows\SysWOW64\Hcdfho32.exe (command line: C:\Windows\system32\Hcdfho32.exe), PID 5172
depth 90: C:\Windows\SysWOW64\Hllkqdli.exe (command line: C:\Windows\system32\Hllkqdli.exe), PID 5212
depth 91: C:\Windows\SysWOW64\Hcfcmnce.exe (command line: C:\Windows\system32\Hcfcmnce.exe), PID 5256
depth 92: C:\Windows\SysWOW64\Hhckeeam.exe (command line: C:\Windows\system32\Hhckeeam.exe), PID 5304
depth 93: C:\Windows\SysWOW64\Hjbhph32.exe (command line: C:\Windows\system32\Hjbhph32.exe), PID 5344
depth 94: C:\Windows\SysWOW64\Iqmplbpl.exe (command line: C:\Windows\system32\Iqmplbpl.exe), PID 5396
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 95: C:\Windows\SysWOW64\Iqdfmajd.exe (command line: C:\Windows\system32\Iqdfmajd.exe), PID 5440
depth 96: C:\Windows\SysWOW64\Jicdlc32.exe (command line: C:\Windows\system32\Jicdlc32.exe), PID 5484
depth 97: C:\Windows\SysWOW64\Jifabb32.exe (command line: C:\Windows\system32\Jifabb32.exe), PID 5528
depth 98: C:\Windows\SysWOW64\Kimgba32.exe (command line: C:\Windows\system32\Kimgba32.exe), PID 5572
depth 99: C:\Windows\SysWOW64\Kjopbd32.exe (command line: C:\Windows\system32\Kjopbd32.exe), PID 5620
depth 100: C:\Windows\SysWOW64\Kfhnme32.exe (command line: C:\Windows\system32\Kfhnme32.exe), PID 5664
depth 101: C:\Windows\SysWOW64\Kanbjn32.exe (command line: C:\Windows\system32\Kanbjn32.exe), PID 5704
depth 102: C:\Windows\SysWOW64\Lpbokjho.exe (command line: C:\Windows\system32\Lpbokjho.exe), PID 5748
depth 103: C:\Windows\SysWOW64\Lplaaiqd.exe (command line: C:\Windows\system32\Lplaaiqd.exe), PID 5792
depth 104: C:\Windows\SysWOW64\Mjafoapj.exe (command line: C:\Windows\system32\Mjafoapj.exe), PID 5840
depth 105: C:\Windows\SysWOW64\Mfhgcbfo.exe (command line: C:\Windows\system32\Mfhgcbfo.exe), PID 5884
depth 106: C:\Windows\SysWOW64\Mmdlflki.exe (command line: C:\Windows\system32\Mmdlflki.exe), PID 5920
depth 107: C:\Windows\SysWOW64\Mhjpceko.exe (command line: C:\Windows\system32\Mhjpceko.exe), PID 5968
depth 108: C:\Windows\SysWOW64\Mhoind32.exe (command line: C:\Windows\system32\Mhoind32.exe), PID 6012
depth 109: C:\Windows\SysWOW64\Npcaie32.exe (command line: C:\Windows\system32\Npcaie32.exe), PID 6060
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
depth 110: C:\Windows\SysWOW64\Okiefn32.exe (command line: C:\Windows\system32\Okiefn32.exe), PID 6104
depth 111: C:\Windows\SysWOW64\Opfnne32.exe (command line: C:\Windows\system32\Opfnne32.exe), PID 5144
depth 112: C:\Windows\SysWOW64\Ogbbqo32.exe (command line: C:\Windows\system32\Ogbbqo32.exe), PID 5228
depth 113: C:\Windows\SysWOW64\Ohaokbfd.exe (command line: C:\Windows\system32\Ohaokbfd.exe), PID 5312
depth 114: C:\Windows\SysWOW64\Oajccgmd.exe (command line: C:\Windows\system32\Oajccgmd.exe), PID 5380
  - Modifies registry class
depth 115: C:\Windows\SysWOW64\Oggllnkl.exe (command line: C:\Windows\system32\Oggllnkl.exe), PID 5424
depth 116: C:\Windows\SysWOW64\Phkaqqoi.exe (command line: C:\Windows\system32\Phkaqqoi.exe), PID 5480
depth 117: C:\Windows\SysWOW64\Ppffec32.exe (command line: C:\Windows\system32\Ppffec32.exe), PID 3940
  - Drops file in System32 directory
depth 118: C:\Windows\SysWOW64\Pklkbl32.exe (command line: C:\Windows\system32\Pklkbl32.exe), PID 5604
depth 119: C:\Windows\SysWOW64\Aqpika32.exe (command line: C:\Windows\system32\Aqpika32.exe), PID 5696
depth 120: C:\Windows\SysWOW64\Ahinbo32.exe (command line: C:\Windows\system32\Ahinbo32.exe), PID 5784
depth 121: C:\Windows\SysWOW64\Bqkigp32.exe (command line: C:\Windows\system32\Bqkigp32.exe), PID 5848
  - Modifies registry class
depth 122: C:\Windows\SysWOW64\Bbkeacqo.exe (command line: C:\Windows\system32\Bbkeacqo.exe), PID 5908
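Added analysis script, not part of the sandbox report: it parses process rows and "wrote to memory of" events in the form this report renders them, links each process to its parent by tree depth, and cross-checks the links against the WriteProcessMemory events, so each step of the chain is confirmed as "spawn a dropped SysWOW64 executable, then write into it" rather than an injection into some unrelated process. It also encodes a caveat worth keeping in mind when hunting on these indicators: every command line above names C:\Windows\system32\<name>.exe while the image path is C:\Windows\SysWOW64\<name>.exe, because these are 32-bit processes and WOW64 file-system redirection maps system32 to SysWOW64 for them; a search for the command-line path on disk will not find the file. The sample rows are copied from this report; the function names, the regular expressions and the result keys are the example's own.

```python
"""Rebuild and check the spawn/injection chain in a sandbox process list.

Added example, not part of the report: parses the fused process rows (image
path + command line + tree depth, signature bullets, PID row) and the
"PID X wrote to memory of Y" events, links each process to its parent by depth,
and checks the pattern shown: a chain of dropped 8-character executables under
SysWOW64, each writing into the process it spawns next.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional
# Constructed sample: rows 16-18 of the report's tree and their write events.
PROCESS_LINES = r"""
C:\Windows\SysWOW64\Dpmcmf32.exeC:\Windows\system32\Dpmcmf32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\SysWOW64\Dpalgenf.exeC:\Windows\system32\Dpalgenf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Ecdbop32.exeC:\Windows\system32\Ecdbop32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
"""
WPM_LINES = """
PID 3952 wrote to memory of 4768 3952 Dpmcmf32.exe 106
PID 3952 wrote to memory of 4768 3952 Dpmcmf32.exe 106
PID 3952 wrote to memory of 4768 3952 Dpmcmf32.exe 106
PID 4768 wrote to memory of 2428 4768 Dpalgenf.exe 107
PID 4768 wrote to memory of 2428 4768 Dpalgenf.exe 107
PID 4768 wrote to memory of 2428 4768 Dpalgenf.exe 107
"""
# a row is: image path, command line (maybe quoted), tree depth, optional fused PID
PROC_RE = re.compile(r'^(?P<image>[A-Z]:\\.*?\.exe)(?P<cmd>"?[A-Z]:\\.*?\.exe"?)'
                     r'(?P<depth>\d+)(?:PID:(?P<pid>\d+))?$')
WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) ')
DROPPED_RE = re.compile(r'^C:\\Windows\\SysWOW64\\[A-Za-z0-9]{8}\.exe$')
SYSWOW64, SYSTEM32 = 'c:\\windows\\syswow64\\', 'c:\\windows\\system32\\'

@dataclass
class Process:
    pid: int
    image: str
    cmdline: str
    depth: int
    signatures: list = field(default_factory=list)
    parent: Optional[int] = None

def parse_processes(text):
    """Turn the flattened rows into Process records linked to their parents."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.replace('⤵', '').rstrip(' -').strip()   # strip page residue
        m = PROC_RE.match(line)
        if m:
            cur = Process(int(m['pid'] or -1), m['image'], m['cmd'].strip('"'), int(m['depth']))
            procs.append(cur)
        elif cur and line.startswith('PID:'):
            cur.pid = int(line[4:])
        elif cur and line.startswith('- '):
            cur.signatures.append(line[2:])
    last_at_depth = {}      # parent = nearest earlier row one level shallower
    for p in procs:
        p.parent = last_at_depth.get(p.depth - 1)
        last_at_depth[p.depth] = p.pid
    return procs

def parse_wpm(text):  # (writer pid, target pid) for every WriteProcessMemory row
    return [(int(m['src']), int(m['dst'])) for m in map(WPM_RE.match, text.splitlines()) if m]

def analyse(procs, events):
    by_pid = {p.pid: p for p in procs}
    parents = {p.parent for p in procs}
    chains = []
    for leaf in (p for p in procs if p.pid not in parents):
        path, pid = [], leaf.pid
        while pid is not None:                 # walk leaf -> root
            path.append(pid)
            pid = by_pid[pid].parent
        chains.append(path[::-1])
    calls = Counter(events)
    links = [(p.parent, p.pid) for p in procs if p.parent is not None]
    return {
        'chain': max(chains, key=len, default=[]),        # longest root-to-leaf path
        'dropped_in_syswow64': [p.pid for p in procs if DROPPED_RE.match(p.image)],
        # command line says system32, but the 32-bit image lives in SysWOW64
        'redirected_cmdlines': [p.pid for p in procs if p.cmdline.lower().startswith(SYSTEM32)
                                and p.image.lower().startswith(SYSWOW64)],
        'injected_into_child': [link for link in links if calls[link]],
        'injection_calls': dict(calls),                   # (writer, target) -> count
        'stray_writes': sorted(set(calls) - set(links)),  # target is not the writer's child
        'persistence_pids': [p.pid for p in procs
                             if any(s.startswith('Adds autorun key') for s in p.signatures)],
    }

if __name__ == '__main__':
    print(analyse(parse_processes(PROCESS_LINES), parse_wpm(WPM_LINES)))
```

Run it on the full report by pasting the process rows and the WriteProcessMemory rows into the two strings; a non-empty stray_writes list is the signal that a process wrote into something other than the child it just spawned, which is the case that merits a closer look than the uniform spawn-and-write chain seen here.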