Analysis
-
max time kernel
164s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
03/11/2023, 08:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.028d4a46f5f7dc9eecd4cec3b9f4ecd0.exe
Resource
win7-20231023-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.028d4a46f5f7dc9eecd4cec3b9f4ecd0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.028d4a46f5f7dc9eecd4cec3b9f4ecd0.exe
-
Size
349KB
-
MD5
028d4a46f5f7dc9eecd4cec3b9f4ecd0
-
SHA1
93753129babaf3977469dcf0ab147482a1d24bad
-
SHA256
69602139437f13133e2edcb697aee7e1574769ca4d74e2cc189634704236cbf1
-
SHA512
f1114a57978850812c26c9e02c85b9d952b44543b6e0896bba6c2e47197f3559186a0a1f104bed3c7e7f5b112ca2a4f7dfa1b229094b6c58ea3ca193a291f384
-
SSDEEP
6144:5uE1HiujTRs+HsoTh3O64JVw/ekxgu8VZtK036E37JPwS0eeaB7DxB6HkM7ADP5B:5HRQ0h3/4JVw/eK98VZtK03937JPwS0q
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fblifijc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgmbmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkibqnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkibqnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aapnfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cediab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoglmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nknolaob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckclacmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jikohe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ignndo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alnfiifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldohogfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iecmcpoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnodmijd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afapjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlbcoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efopeeao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afmmibga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aibilf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paioplob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obeikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmefafql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpilcnoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbedag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnloi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqbdej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipihiaqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elhnhm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipldpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipnaen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdhlhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejjelnfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckladcoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgbdml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oagpne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Conagl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onekeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Injmlbkh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncnook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njjmgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihjjln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjcccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oghpib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcjioknl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajbmmcii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nipedokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpglgmfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kedcml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nppfimnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofdhlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npgalidl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pibdff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Madjbg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kahqbgjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iophnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Appaangd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pibdff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhigbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpnlicne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgdlqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbedaand.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pejdmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpagbk32.exe -
Executes dropped EXE 64 IoCs
pid Process 3048 Ejiiippb.exe 4996 Fiheheka.exe 2356 Gkcdfl32.exe 3860 Hebkid32.exe 3728 Iooimi32.exe 1580 Ihjjln32.exe 5016 Jjbjlpga.exe 3256 Kbedaand.exe 3088 Kjcccm32.exe 656 Nfhipj32.exe 4784 Ojhnlh32.exe 384 Odcojm32.exe 4524 Ofdhlh32.exe 4120 Qciebg32.exe 4980 Cmkehicj.exe 4768 Cjabgm32.exe 3868 Djalnkbo.exe 2844 Elhnhm32.exe 2288 Fcjimnjl.exe 1724 Felbmqpl.exe 3500 Gaglma32.exe 4648 Hklpaeno.exe 2152 Iaokdn32.exe 3600 Jnmbjnlm.exe 4348 Jamhflqq.exe 2720 Khnfce32.exe 1552 Knkokl32.exe 2836 Lnbdlkje.exe 3800 Lbgcch32.exe 2896 Mokdllim.exe 4376 Meobeb32.exe 2444 Omhpcm32.exe 2136 Obeikc32.exe 1040 Obgeqcnn.exe 4568 Plgpjhnf.exe 4168 Pohilc32.exe 1468 Qolbgbgb.exe 2080 Affgno32.exe 1908 Agojdnng.exe 3356 Bnbeggmi.exe 4044 Benjkijd.exe 4380 Cohkinob.exe 1356 Comddn32.exe 4696 Cfiiggpg.exe 936 Dgnolj32.exe 1440 Eciilj32.exe 1768 Eqdpfm32.exe 2276 Fmmmqnaf.exe 1508 Fclohg32.exe 1300 Gfcnka32.exe 980 Haphiiee.exe 1144 Hmginjki.exe 4652 Hdaajd32.exe 3432 Iophnl32.exe 3416 Iobecl32.exe 824 Ipcakd32.exe 1088 Imgbdh32.exe 4108 Jkkbnl32.exe 1780 Jhocgqjj.exe 1620 Jmqekg32.exe 4904 Kddpnpdn.exe 4796 Knldfe32.exe 2608 Lkcaeige.exe 4792 Lkenkhec.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nleojlbk.exe Nfhfbedd.exe File created C:\Windows\SysWOW64\Belgbbnd.dll Iaekfjje.exe File opened for modification C:\Windows\SysWOW64\Kddpnpdn.exe Jmqekg32.exe File opened for modification C:\Windows\SysWOW64\Ebpjjk32.exe Dmcabd32.exe File created C:\Windows\SysWOW64\Qpebqm32.dll Njjmgo32.exe File created C:\Windows\SysWOW64\Cikkga32.exe Clgkmm32.exe File opened for modification C:\Windows\SysWOW64\Nleojlbk.exe Nfhfbedd.exe File created C:\Windows\SysWOW64\Mdcodl32.dll Npgalidl.exe File created C:\Windows\SysWOW64\Cpglgmfa.exe Cglgck32.exe File created C:\Windows\SysWOW64\Djaipe32.exe Dplebmbl.exe File created C:\Windows\SysWOW64\Kjblcj32.exe Komhfa32.exe File opened for modification C:\Windows\SysWOW64\Dgbhbm32.exe Dgpllm32.exe File opened for modification C:\Windows\SysWOW64\Dkcnnk32.exe Dnondf32.exe File created C:\Windows\SysWOW64\Jjbjlpga.exe Ihjjln32.exe File opened for modification C:\Windows\SysWOW64\Khknaa32.exe Kfiajinf.exe File created C:\Windows\SysWOW64\Lqjqab32.exe Lcfphn32.exe File created C:\Windows\SysWOW64\Bkibqnah.exe Bhkfdcbd.exe File created C:\Windows\SysWOW64\Hhglhi32.exe Hgcfcg32.exe File created C:\Windows\SysWOW64\Gpdkjdfa.dll Dhkaif32.exe File opened for modification C:\Windows\SysWOW64\Klbgag32.exe Jfeoip32.exe File opened for modification C:\Windows\SysWOW64\Efopeeao.exe Dmglmpkn.exe File created C:\Windows\SysWOW64\Filicodb.exe Fhjlkg32.exe File created C:\Windows\SysWOW64\Phgagb32.exe Pcjioknl.exe File created C:\Windows\SysWOW64\Bhojahae.dll Hiljpi32.exe File created C:\Windows\SysWOW64\Ecphmfbg.exe Cgklggic.exe File opened for modification C:\Windows\SysWOW64\Pclnon32.exe Pnoefg32.exe File created C:\Windows\SysWOW64\Qfoadqde.dll Hgokikan.exe File opened for modification C:\Windows\SysWOW64\Mcbpcm32.exe Mcpcnm32.exe File created C:\Windows\SysWOW64\Banabi32.exe Bdjqienq.exe File opened for modification C:\Windows\SysWOW64\Nebdighb.exe Npfkqpjk.exe File created C:\Windows\SysWOW64\Ifcgpk32.dll Pdcaahbk.exe File created C:\Windows\SysWOW64\Bfdkoabk.dll Paioplob.exe File opened for modification C:\Windows\SysWOW64\Pdcaahbk.exe Pnfiia32.exe File created C:\Windows\SysWOW64\Bajjeo32.exe Blmamh32.exe File created C:\Windows\SysWOW64\Lpnlicne.exe Kmijliej.exe File opened for modification C:\Windows\SysWOW64\Efamkepl.exe Efopeeao.exe File opened for modification C:\Windows\SysWOW64\Ihjjln32.exe Iooimi32.exe File created C:\Windows\SysWOW64\Qmblkmcd.exe Pmpoemef.exe File opened for modification C:\Windows\SysWOW64\Nfenpafc.exe Mfbaka32.exe File created C:\Windows\SysWOW64\Nqendklg.dll Ojhnlh32.exe File opened for modification C:\Windows\SysWOW64\Bfcompnj.exe Bnhjinpo.exe File created C:\Windows\SysWOW64\Qjabfp32.dll Eiokbd32.exe File created C:\Windows\SysWOW64\Ebndbijh.dll Ihjjln32.exe File created C:\Windows\SysWOW64\Madbpi32.dll Lgkhec32.exe File created C:\Windows\SysWOW64\Kdjbpgom.dll Jefbomoe.exe File opened for modification C:\Windows\SysWOW64\Lblakh32.exe Lnnidjcg.exe File created C:\Windows\SysWOW64\Nelfnd32.exe Mklkepal.exe File created C:\Windows\SysWOW64\Hmcocn32.exe Hoonjjgk.exe File created C:\Windows\SysWOW64\Lbgcch32.exe Lnbdlkje.exe File opened for modification C:\Windows\SysWOW64\Pkqdhnom.exe Piphaf32.exe File opened for modification C:\Windows\SysWOW64\Dpbdiehi.exe Dbndoa32.exe File created C:\Windows\SysWOW64\Kedcml32.exe Kokkqbog.exe File created C:\Windows\SysWOW64\Fpbdopdp.dll Aagkaj32.exe File created C:\Windows\SysWOW64\Fmgean32.dll Keapmf32.exe File created C:\Windows\SysWOW64\Lhbafo32.exe Lcfimheb.exe File created C:\Windows\SysWOW64\Jbopjh32.dll Pnmhqh32.exe File created C:\Windows\SysWOW64\Ojllkcdk.exe Onekeb32.exe File opened for modification C:\Windows\SysWOW64\Pfanmcao.exe Pdcaahbk.exe File created C:\Windows\SysWOW64\Knmggo32.dll Jidigfeo.exe File created C:\Windows\SysWOW64\Eleagb32.dll Clfdcgkj.exe File created C:\Windows\SysWOW64\Gciagdlp.dll Pndoagfc.exe File created C:\Windows\SysWOW64\Hfekoc32.exe Hplbbipm.exe File created C:\Windows\SysWOW64\Okgfdm32.exe Oqpeaeel.exe File created C:\Windows\SysWOW64\Jnmbjnlm.exe Iaokdn32.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 5552 4016 WerFault.exe 644 4240 4016 WerFault.exe 644 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpooimdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiljpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhlnn32.dll" Dgnolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpmnbbpe.dll" Cocjbkna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfenpafc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qiokkook.dll" Nebdighb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bedpjdoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npjlfcgj.dll" Mokdllim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbqlhfgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhkaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Injmlbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbgbpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paapjc32.dll" Pahiebeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hefneq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpebqm32.dll" Njjmgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcojdnfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgbdml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmnmqdee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnmhqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdloelpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popbqhhf.dll" Aclpkffa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eofccj32.dll" Ameipl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Felbmqpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbqbo32.dll" Bdmpljlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keakqeal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjchjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njedlojg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdmgkln.dll" Cdeijmph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnkeanmb.dll" Obanqgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhkaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aokken32.dll" Amdddkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffbhnh32.dll" Dpnbhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oakbonkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqdcio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdgmio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abhqolee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihfgc32.dll" Okedmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fobomglo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnjkbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knkokl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeipopip.dll" Cmlamb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lblakh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkihabc.dll" Nfhfbedd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djaipe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omofpp32.dll" Mklkepal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhachh32.dll" Cfiiggpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmekic32.dll" Bdgmio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpijgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejjelnfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgmbmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onkimc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieodck32.dll" Nihiiimi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmijliej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onekeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djalnkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dclknkfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqbdej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoepchfj.dll" Pfanmcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiikkada.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpglgmfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljnloi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcpieamc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cglgck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dclknkfp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2020 wrote to memory of 3048 2020 NEAS.028d4a46f5f7dc9eecd4cec3b9f4ecd0.exe 89 PID 2020 wrote to memory of 3048 2020 NEAS.028d4a46f5f7dc9eecd4cec3b9f4ecd0.exe 89 PID 2020 wrote to memory of 3048 2020 NEAS.028d4a46f5f7dc9eecd4cec3b9f4ecd0.exe 89 PID 3048 wrote to memory of 4996 3048 Ejiiippb.exe 90 PID 3048 wrote to memory of 4996 3048 Ejiiippb.exe 90 PID 3048 wrote to memory of 4996 3048 Ejiiippb.exe 90 PID 4996 wrote to memory of 2356 4996 Fiheheka.exe 92 PID 4996 wrote to memory of 2356 4996 Fiheheka.exe 92 PID 4996 wrote to memory of 2356 4996 Fiheheka.exe 92 PID 2356 wrote to memory of 3860 2356 Gkcdfl32.exe 93 PID 2356 wrote to memory of 3860 2356 Gkcdfl32.exe 93 PID 2356 wrote to memory of 3860 2356 Gkcdfl32.exe 93 PID 3860 wrote to memory of 3728 3860 Hebkid32.exe 94 PID 3860 wrote to memory of 3728 3860 Hebkid32.exe 94 PID 3860 wrote to memory of 3728 3860 Hebkid32.exe 94 PID 3728 wrote to memory of 1580 3728 Iooimi32.exe 95 PID 3728 wrote to memory of 1580 3728 Iooimi32.exe 95 PID 3728 wrote to memory of 1580 3728 Iooimi32.exe 95 PID 1580 wrote to memory of 5016 1580 Ihjjln32.exe 96 PID 1580 wrote to memory of 5016 1580 Ihjjln32.exe 96 PID 1580 wrote to memory of 5016 1580 Ihjjln32.exe 96 PID 5016 wrote to memory of 3256 5016 Jjbjlpga.exe 97 PID 5016 wrote to memory of 3256 5016 Jjbjlpga.exe 97 PID 5016 wrote to memory of 3256 5016 Jjbjlpga.exe 97 PID 3256 wrote to memory of 3088 3256 Kbedaand.exe 98 PID 3256 wrote to memory of 3088 3256 Kbedaand.exe 98 PID 3256 wrote to memory of 3088 3256 Kbedaand.exe 98 PID 3088 wrote to memory of 656 3088 Kjcccm32.exe 99 PID 3088 wrote to memory of 656 3088 Kjcccm32.exe 99 PID 3088 wrote to memory of 656 3088 Kjcccm32.exe 99 PID 656 wrote to memory of 4784 656 Nfhipj32.exe 100 PID 656 wrote to memory of 4784 656 Nfhipj32.exe 100 PID 656 wrote to memory of 4784 656 Nfhipj32.exe 100 PID 4784 wrote to memory of 384 4784 Ojhnlh32.exe 101 PID 4784 wrote to memory of 384 4784 Ojhnlh32.exe 101 PID 4784 wrote to memory of 384 4784 Ojhnlh32.exe 101 PID 384 wrote to memory of 4524 384 Odcojm32.exe 102 PID 384 wrote to memory of 4524 384 Odcojm32.exe 102 PID 384 wrote to memory of 4524 384 Odcojm32.exe 102 PID 4524 wrote to memory of 4120 4524 Ofdhlh32.exe 103 PID 4524 wrote to memory of 4120 4524 Ofdhlh32.exe 103 PID 4524 wrote to memory of 4120 4524 Ofdhlh32.exe 103 PID 4120 wrote to memory of 4980 4120 Qciebg32.exe 104 PID 4120 wrote to memory of 4980 4120 Qciebg32.exe 104 PID 4120 wrote to memory of 4980 4120 Qciebg32.exe 104 PID 4980 wrote to memory of 4768 4980 Cmkehicj.exe 105 PID 4980 wrote to memory of 4768 4980 Cmkehicj.exe 105 PID 4980 wrote to memory of 4768 4980 Cmkehicj.exe 105 PID 4768 wrote to memory of 3868 4768 Cjabgm32.exe 106 PID 4768 wrote to memory of 3868 4768 Cjabgm32.exe 106 PID 4768 wrote to memory of 3868 4768 Cjabgm32.exe 106 PID 3868 wrote to memory of 2844 3868 Djalnkbo.exe 107 PID 3868 wrote to memory of 2844 3868 Djalnkbo.exe 107 PID 3868 wrote to memory of 2844 3868 Djalnkbo.exe 107 PID 2844 wrote to memory of 2288 2844 Elhnhm32.exe 108 PID 2844 wrote to memory of 2288 2844 Elhnhm32.exe 108 PID 2844 wrote to memory of 2288 2844 Elhnhm32.exe 108 PID 2288 wrote to memory of 1724 2288 Fcjimnjl.exe 109 PID 2288 wrote to memory of 1724 2288 Fcjimnjl.exe 109 PID 2288 wrote to memory of 1724 2288 Fcjimnjl.exe 109 PID 1724 wrote to memory of 3500 1724 Felbmqpl.exe 110 PID 1724 wrote to memory of 3500 1724 Felbmqpl.exe 110 PID 1724 wrote to memory of 3500 1724 Felbmqpl.exe 110 PID 3500 wrote to memory of 4648 3500 Gaglma32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.028d4a46f5f7dc9eecd4cec3b9f4ecd0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.028d4a46f5f7dc9eecd4cec3b9f4ecd0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Ejiiippb.exeC:\Windows\system32\Ejiiippb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Fiheheka.exeC:\Windows\system32\Fiheheka.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Gkcdfl32.exeC:\Windows\system32\Gkcdfl32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Hebkid32.exeC:\Windows\system32\Hebkid32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\SysWOW64\Iooimi32.exeC:\Windows\system32\Iooimi32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\SysWOW64\Ihjjln32.exeC:\Windows\system32\Ihjjln32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Jjbjlpga.exeC:\Windows\system32\Jjbjlpga.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Kbedaand.exeC:\Windows\system32\Kbedaand.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\Kjcccm32.exeC:\Windows\system32\Kjcccm32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Windows\SysWOW64\Nfhipj32.exeC:\Windows\system32\Nfhipj32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\SysWOW64\Ojhnlh32.exeC:\Windows\system32\Ojhnlh32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Odcojm32.exeC:\Windows\system32\Odcojm32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Ofdhlh32.exeC:\Windows\system32\Ofdhlh32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Qciebg32.exeC:\Windows\system32\Qciebg32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\Cmkehicj.exeC:\Windows\system32\Cmkehicj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Cjabgm32.exeC:\Windows\system32\Cjabgm32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Djalnkbo.exeC:\Windows\system32\Djalnkbo.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\SysWOW64\Elhnhm32.exeC:\Windows\system32\Elhnhm32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Fcjimnjl.exeC:\Windows\system32\Fcjimnjl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Felbmqpl.exeC:\Windows\system32\Felbmqpl.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Gaglma32.exeC:\Windows\system32\Gaglma32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\Hklpaeno.exeC:\Windows\system32\Hklpaeno.exe23⤵
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Iaokdn32.exeC:\Windows\system32\Iaokdn32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Jnmbjnlm.exeC:\Windows\system32\Jnmbjnlm.exe25⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Jamhflqq.exeC:\Windows\system32\Jamhflqq.exe26⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Khnfce32.exeC:\Windows\system32\Khnfce32.exe27⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Knkokl32.exeC:\Windows\system32\Knkokl32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Lnbdlkje.exeC:\Windows\system32\Lnbdlkje.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Lbgcch32.exeC:\Windows\system32\Lbgcch32.exe30⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Mokdllim.exeC:\Windows\system32\Mokdllim.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Meobeb32.exeC:\Windows\system32\Meobeb32.exe32⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Omhpcm32.exeC:\Windows\system32\Omhpcm32.exe33⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Obeikc32.exeC:\Windows\system32\Obeikc32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Obgeqcnn.exeC:\Windows\system32\Obgeqcnn.exe35⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Plgpjhnf.exeC:\Windows\system32\Plgpjhnf.exe36⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Pohilc32.exeC:\Windows\system32\Pohilc32.exe37⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Qolbgbgb.exeC:\Windows\system32\Qolbgbgb.exe38⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Affgno32.exeC:\Windows\system32\Affgno32.exe39⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Agojdnng.exeC:\Windows\system32\Agojdnng.exe40⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Bnbeggmi.exeC:\Windows\system32\Bnbeggmi.exe41⤵
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Benjkijd.exeC:\Windows\system32\Benjkijd.exe42⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Cohkinob.exeC:\Windows\system32\Cohkinob.exe43⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Comddn32.exeC:\Windows\system32\Comddn32.exe44⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Cfiiggpg.exeC:\Windows\system32\Cfiiggpg.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4696 -
C:\Windows\SysWOW64\Dgnolj32.exeC:\Windows\system32\Dgnolj32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Eciilj32.exeC:\Windows\system32\Eciilj32.exe47⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Eqdpfm32.exeC:\Windows\system32\Eqdpfm32.exe48⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Fmmmqnaf.exeC:\Windows\system32\Fmmmqnaf.exe49⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Fclohg32.exeC:\Windows\system32\Fclohg32.exe50⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Gfcnka32.exeC:\Windows\system32\Gfcnka32.exe51⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Haphiiee.exeC:\Windows\system32\Haphiiee.exe52⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Hmginjki.exeC:\Windows\system32\Hmginjki.exe53⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Hdaajd32.exeC:\Windows\system32\Hdaajd32.exe54⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Iophnl32.exeC:\Windows\system32\Iophnl32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Iobecl32.exeC:\Windows\system32\Iobecl32.exe56⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Ipcakd32.exeC:\Windows\system32\Ipcakd32.exe57⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Imgbdh32.exeC:\Windows\system32\Imgbdh32.exe58⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Jkkbnl32.exeC:\Windows\system32\Jkkbnl32.exe59⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Jhocgqjj.exeC:\Windows\system32\Jhocgqjj.exe60⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Jmqekg32.exeC:\Windows\system32\Jmqekg32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Kddpnpdn.exeC:\Windows\system32\Kddpnpdn.exe62⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Knldfe32.exeC:\Windows\system32\Knldfe32.exe63⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Lkcaeige.exeC:\Windows\system32\Lkcaeige.exe64⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Lkenkhec.exeC:\Windows\system32\Lkenkhec.exe65⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Lqdcio32.exeC:\Windows\system32\Lqdcio32.exe66⤵
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Lkldlgok.exeC:\Windows\system32\Lkldlgok.exe67⤵PID:792
-
C:\Windows\SysWOW64\Mgceqh32.exeC:\Windows\system32\Mgceqh32.exe68⤵PID:4048
-
C:\Windows\SysWOW64\Mdloelpc.exeC:\Windows\system32\Mdloelpc.exe69⤵
- Modifies registry class
PID:5100 -
C:\Windows\SysWOW64\Ngodlgka.exeC:\Windows\system32\Ngodlgka.exe70⤵PID:4280
-
C:\Windows\SysWOW64\Nqgiel32.exeC:\Windows\system32\Nqgiel32.exe71⤵PID:2992
-
C:\Windows\SysWOW64\Opdiobod.exeC:\Windows\system32\Opdiobod.exe72⤵PID:1680
-
C:\Windows\SysWOW64\Onifpodl.exeC:\Windows\system32\Onifpodl.exe73⤵PID:4828
-
C:\Windows\SysWOW64\Obgofmjb.exeC:\Windows\system32\Obgofmjb.exe74⤵PID:3524
-
C:\Windows\SysWOW64\Plocob32.exeC:\Windows\system32\Plocob32.exe75⤵PID:2828
-
C:\Windows\SysWOW64\Palkgi32.exeC:\Windows\system32\Palkgi32.exe76⤵PID:1932
-
C:\Windows\SysWOW64\Ppmleagi.exeC:\Windows\system32\Ppmleagi.exe77⤵PID:1484
-
C:\Windows\SysWOW64\Pejdmh32.exeC:\Windows\system32\Pejdmh32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1444 -
C:\Windows\SysWOW64\Pldljbmn.exeC:\Windows\system32\Pldljbmn.exe79⤵PID:2860
-
C:\Windows\SysWOW64\Paennh32.exeC:\Windows\system32\Paennh32.exe80⤵PID:4304
-
C:\Windows\SysWOW64\Qlkbka32.exeC:\Windows\system32\Qlkbka32.exe81⤵PID:1560
-
C:\Windows\SysWOW64\Qhbcpb32.exeC:\Windows\system32\Qhbcpb32.exe82⤵PID:4620
-
C:\Windows\SysWOW64\Alplfpbp.exeC:\Windows\system32\Alplfpbp.exe83⤵PID:2292
-
C:\Windows\SysWOW64\Albikp32.exeC:\Windows\system32\Albikp32.exe84⤵PID:2344
-
C:\Windows\SysWOW64\Appaangd.exeC:\Windows\system32\Appaangd.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2628 -
C:\Windows\SysWOW64\Bedpjdoc.exeC:\Windows\system32\Bedpjdoc.exe86⤵
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Clgkmm32.exeC:\Windows\system32\Clgkmm32.exe87⤵
- Drops file in System32 directory
PID:3840 -
C:\Windows\SysWOW64\Cikkga32.exeC:\Windows\system32\Cikkga32.exe88⤵PID:4060
-
C:\Windows\SysWOW64\Cebllbcc.exeC:\Windows\system32\Cebllbcc.exe89⤵PID:1756
-
C:\Windows\SysWOW64\Cediab32.exeC:\Windows\system32\Cediab32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2752 -
C:\Windows\SysWOW64\Dofpqfof.exeC:\Windows\system32\Dofpqfof.exe91⤵PID:3748
-
C:\Windows\SysWOW64\Dpemjifi.exeC:\Windows\system32\Dpemjifi.exe92⤵PID:1012
-
C:\Windows\SysWOW64\Elagjihh.exeC:\Windows\system32\Elagjihh.exe93⤵PID:5144
-
C:\Windows\SysWOW64\Ejgdim32.exeC:\Windows\system32\Ejgdim32.exe94⤵PID:5184
-
C:\Windows\SysWOW64\Fiajfi32.exeC:\Windows\system32\Fiajfi32.exe95⤵PID:5224
-
C:\Windows\SysWOW64\Fokbbcmo.exeC:\Windows\system32\Fokbbcmo.exe96⤵PID:5272
-
C:\Windows\SysWOW64\Gpioca32.exeC:\Windows\system32\Gpioca32.exe97⤵PID:5324
-
C:\Windows\SysWOW64\Gmmome32.exeC:\Windows\system32\Gmmome32.exe98⤵PID:5380
-
C:\Windows\SysWOW64\Hihimfag.exeC:\Windows\system32\Hihimfag.exe99⤵PID:5436
-
C:\Windows\SysWOW64\Hmioicek.exeC:\Windows\system32\Hmioicek.exe100⤵PID:5476
-
C:\Windows\SysWOW64\Ijolhg32.exeC:\Windows\system32\Ijolhg32.exe101⤵PID:5520
-
C:\Windows\SysWOW64\Ipldpo32.exeC:\Windows\system32\Ipldpo32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5564 -
C:\Windows\SysWOW64\Ipnaen32.exeC:\Windows\system32\Ipnaen32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5620 -
C:\Windows\SysWOW64\Jikojcaa.exeC:\Windows\system32\Jikojcaa.exe104⤵PID:5668
-
C:\Windows\SysWOW64\Jjmhie32.exeC:\Windows\system32\Jjmhie32.exe105⤵PID:5712
-
C:\Windows\SysWOW64\Jbhmnhcm.exeC:\Windows\system32\Jbhmnhcm.exe106⤵PID:5760
-
C:\Windows\SysWOW64\Jibejb32.exeC:\Windows\system32\Jibejb32.exe107⤵PID:5800
-
C:\Windows\SysWOW64\Jfffcf32.exeC:\Windows\system32\Jfffcf32.exe108⤵PID:5848
-
C:\Windows\SysWOW64\Kpagbk32.exeC:\Windows\system32\Kpagbk32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5892 -
C:\Windows\SysWOW64\Kiikkada.exeC:\Windows\system32\Kiikkada.exe110⤵
- Modifies registry class
PID:5936 -
C:\Windows\SysWOW64\Kbapdfkb.exeC:\Windows\system32\Kbapdfkb.exe111⤵PID:5976
-
C:\Windows\SysWOW64\Kmgdaokh.exeC:\Windows\system32\Kmgdaokh.exe112⤵PID:6052
-
C:\Windows\SysWOW64\Lgkhec32.exeC:\Windows\system32\Lgkhec32.exe113⤵
- Drops file in System32 directory
PID:6100 -
C:\Windows\SysWOW64\Lnepbm32.exeC:\Windows\system32\Lnepbm32.exe114⤵PID:6140
-
C:\Windows\SysWOW64\Ldohogfe.exeC:\Windows\system32\Ldohogfe.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5164 -
C:\Windows\SysWOW64\Mkpglqgj.exeC:\Windows\system32\Mkpglqgj.exe116⤵PID:5252
-
C:\Windows\SysWOW64\Mgidgakk.exeC:\Windows\system32\Mgidgakk.exe117⤵PID:4240
-
C:\Windows\SysWOW64\Maohdj32.exeC:\Windows\system32\Maohdj32.exe118⤵PID:5408
-
C:\Windows\SysWOW64\Nkncno32.exeC:\Windows\system32\Nkncno32.exe119⤵PID:5496
-
C:\Windows\SysWOW64\Oqpeaeel.exeC:\Windows\system32\Oqpeaeel.exe120⤵
- Drops file in System32 directory
PID:3792 -
C:\Windows\SysWOW64\Okgfdm32.exeC:\Windows\system32\Okgfdm32.exe121⤵PID:2356
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-