Analysis
-
max time kernel
159s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
03/11/2023, 14:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.cae89ccacd169e5c6f824c537b232bb0.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.cae89ccacd169e5c6f824c537b232bb0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.cae89ccacd169e5c6f824c537b232bb0.exe
-
Size
48KB
-
MD5
cae89ccacd169e5c6f824c537b232bb0
-
SHA1
5254edcb312ea6f31692aeafc5d13d4e33b8b56b
-
SHA256
a17dc779fc5da5346884aea1222dacefb52b948bff99caa417a2af3dc4bf3205
-
SHA512
f81080675def2a07ce151197a15fc9d077faa6489459b45e79dd7dc2e8df04cceed378eaf0ade70ff6867c8c8c6147fe9481a827b66b52473ac016d7e9ba419e
-
SSDEEP
768:vCKwMdQsXURqa+/XQCYvWfGYGR4CHOrlEVyoGLp5/1H5E:vrwMVXiqa+/XQCHfP/THpz
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geeecogb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofhkgeij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doojni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgaqphgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpkkgbmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojhijjll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dclknkfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bicjjncd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baldmiom.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clbdpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emenhcdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfeldj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fefjpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfcqjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcnfhmcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmaooihb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eogoaifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppemmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqmldddb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okjnhpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idmhqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgokflpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgqfmcge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noijmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opqopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" NEAS.cae89ccacd169e5c6f824c537b232bb0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hahedoci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imgbdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlidkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epjadk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efdjqeni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlbnhkqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbqmbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmjjqhpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcdmifip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggfombmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boabkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mncjffbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhphfppl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikcmmjkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbfohbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boeelcmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaccdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqgldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fikbhiaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pecefa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iikmlnae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccigpbga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaonccme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngombd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgopbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efhlan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glpdecjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbgjlq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obnlpnbm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmglmpkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgkdkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bochfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpfppl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kimgba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiaqnagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqfcmdpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmpkkjcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agdcja32.exe -
Executes dropped EXE 64 IoCs
pid Process 4736 Clbdpc32.exe 4956 Ecanojgl.exe 3652 Eegqldqg.exe 460 Gfgjbb32.exe 404 Hgnlmdcp.exe 2400 Kdjhkp32.exe 3360 Lfddci32.exe 2896 Mkicjgnn.exe 4048 Naokbokn.exe 4632 Oeamcmmo.exe 3344 Oookgbpj.exe 4276 Bpdfpmoo.exe 2340 Beaohcmf.exe 1424 Cpklql32.exe 2256 Fhefmjlp.exe 1244 Fiilblom.exe 2304 Hhobjf32.exe 1812 Ijedehgm.exe 1540 Jcgldl32.exe 3720 Jgedjjki.exe 320 Jopiom32.exe 4148 Kimgba32.exe 3912 Kiaqnagj.exe 4844 Lpbokjho.exe 2776 Lhammfci.exe 2112 Ndejcemn.exe 3016 Nandhi32.exe 3040 Nkghqo32.exe 2072 Oknnanhj.exe 4052 Abflfc32.exe 4032 Bdgehobe.exe 4528 Cgaqphgl.exe 836 Dnghhqdk.exe 4332 Dhfcae32.exe 2964 Eeomfioh.exe 2164 Fifhbf32.exe 3248 Glinjqhb.exe 1492 Gbhpajlj.exe 4804 Hiinoc32.exe 1880 Hedhoc32.exe 2932 Ikcmmjkb.exe 1152 Ijgjpaao.exe 4916 Ikjcmi32.exe 4608 Iohlcg32.exe 3580 Jhcmbm32.exe 3800 Jlafhkfe.exe 2124 Jkfcigkm.exe 1136 Jmepcj32.exe 5104 Kmjinjnj.exe 3336 Kicfijal.exe 544 Kmaooihb.exe 1584 Lcndab32.exe 2076 Lmheph32.exe 2660 Liofdigo.exe 3004 Mpkkgbmi.exe 3128 Mcnmhpoj.exe 4768 Nlnkgbhp.exe 3240 Nfcoekhe.exe 2452 Nboiekjd.exe 116 Okaabg32.exe 2116 Pgknlg32.exe 4688 Pdoofl32.exe 60 Qciebg32.exe 1968 Qnniopcm.exe -
Loads dropped DLL 1 IoCs
pid Process 4452 Pgcbbc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Idfkmkhe.dll Lebalokn.exe File opened for modification C:\Windows\SysWOW64\Okaabg32.exe Nboiekjd.exe File created C:\Windows\SysWOW64\Omdghmfo.exe Nlbnhkqo.exe File created C:\Windows\SysWOW64\Jkmllk32.dll Bkkofn32.exe File created C:\Windows\SysWOW64\Lcmkdd32.dll Lmodqdpo.exe File created C:\Windows\SysWOW64\Jpalomaq.exe Jjgcbb32.exe File created C:\Windows\SysWOW64\Jgabnp32.dll Iioicn32.exe File created C:\Windows\SysWOW64\Gccbgclj.dll Okjnhpee.exe File opened for modification C:\Windows\SysWOW64\Nqioqf32.exe Mdkhkflh.exe File created C:\Windows\SysWOW64\Aegidp32.exe Qcepem32.exe File created C:\Windows\SysWOW64\Gofnqfah.dll Egnhnkmj.exe File opened for modification C:\Windows\SysWOW64\Qciebg32.exe Pdoofl32.exe File created C:\Windows\SysWOW64\Cmelgi32.dll Aaiiffjj.exe File created C:\Windows\SysWOW64\Ldbgealc.dll Dkfanqmd.exe File created C:\Windows\SysWOW64\Lmpkkjcj.exe Lknocb32.exe File created C:\Windows\SysWOW64\Efkfkilj.exe Dkfanqmd.exe File created C:\Windows\SysWOW64\Gpmgph32.exe Ffkpadga.exe File opened for modification C:\Windows\SysWOW64\Opqopj32.exe Ofhkgeij.exe File opened for modification C:\Windows\SysWOW64\Kiaqnagj.exe Kimgba32.exe File opened for modification C:\Windows\SysWOW64\Idebniil.exe Inkjao32.exe File created C:\Windows\SysWOW64\Cmkjpd32.dll Inkjao32.exe File created C:\Windows\SysWOW64\Epjadk32.exe Eipigqop.exe File created C:\Windows\SysWOW64\Ljdboe32.exe Licfgmpa.exe File opened for modification C:\Windows\SysWOW64\Ijcjgcni.exe Iknmfg32.exe File created C:\Windows\SysWOW64\Labcdffd.dll Cahffmel.exe File created C:\Windows\SysWOW64\Ehimkd32.exe Eoaianan.exe File created C:\Windows\SysWOW64\Famipk32.dll Bdndik32.exe File created C:\Windows\SysWOW64\Bkkinj32.dll Oafido32.exe File created C:\Windows\SysWOW64\Dkmogbeo.exe Dhnbkfek.exe File opened for modification C:\Windows\SysWOW64\Fngcfikb.exe Fejebdig.exe File created C:\Windows\SysWOW64\Qciebg32.exe Pdoofl32.exe File opened for modification C:\Windows\SysWOW64\Bpdfpmoo.exe Pgcbbc32.exe File created C:\Windows\SysWOW64\Lenpnjke.dll Jdaajkfd.exe File opened for modification C:\Windows\SysWOW64\Bdmdng32.exe Bjhpqn32.exe File created C:\Windows\SysWOW64\Bbqebono.dll Kfgddi32.exe File opened for modification C:\Windows\SysWOW64\Ofjgmdgg.exe Opqopj32.exe File created C:\Windows\SysWOW64\Galcjkmj.exe Ggfombmd.exe File created C:\Windows\SysWOW64\Pmjpod32.exe Ohceqo32.exe File opened for modification C:\Windows\SysWOW64\Hhobjf32.exe Fiilblom.exe File created C:\Windows\SysWOW64\Lenjfn32.dll Ikjcmi32.exe File opened for modification C:\Windows\SysWOW64\Efhlan32.exe Dckdddcd.exe File created C:\Windows\SysWOW64\Eklgldgf.dll Kmjinjnj.exe File opened for modification C:\Windows\SysWOW64\Ecanojgl.exe Clbdpc32.exe File opened for modification C:\Windows\SysWOW64\Mcdepd32.exe Ljlagndl.exe File opened for modification C:\Windows\SysWOW64\Nlefebfg.exe Mckefmai.exe File opened for modification C:\Windows\SysWOW64\Eogoaifl.exe Bjddinbn.exe File opened for modification C:\Windows\SysWOW64\Okjnhpee.exe Oihapg32.exe File created C:\Windows\SysWOW64\Aohpek32.exe Aepklffh.exe File opened for modification C:\Windows\SysWOW64\Bdgehobe.exe Abflfc32.exe File created C:\Windows\SysWOW64\Flcndk32.exe Eapmedef.exe File created C:\Windows\SysWOW64\Hdedfgcg.dll Ilglbjbl.exe File created C:\Windows\SysWOW64\Fdpabflk.dll Nnfpbcbf.exe File created C:\Windows\SysWOW64\Jcmkehcg.exe Jnqbmadp.exe File opened for modification C:\Windows\SysWOW64\Ohceqo32.exe Omnqcfig.exe File created C:\Windows\SysWOW64\Fbnfgneq.dll Fmpjfn32.exe File created C:\Windows\SysWOW64\Gfahlfko.dll Bpfkiepp.exe File created C:\Windows\SysWOW64\Ipdfheal.exe Hkgnpn32.exe File opened for modification C:\Windows\SysWOW64\Lnmbjd32.exe Leenanik.exe File opened for modification C:\Windows\SysWOW64\Lnhadnpe.exe Lgnihd32.exe File opened for modification C:\Windows\SysWOW64\Alkidi32.exe Ponfdf32.exe File created C:\Windows\SysWOW64\Kfjjhc32.dll Iohede32.exe File created C:\Windows\SysWOW64\Jplkig32.exe Iohede32.exe File created C:\Windows\SysWOW64\Doojni32.exe Ddifaqcn.exe File opened for modification C:\Windows\SysWOW64\Jkfcigkm.exe Jlafhkfe.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3436 3256 WerFault.exe 632 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcmmho32.dll" Jmepcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Johphb32.dll" Qodmdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfbpnjjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhammfci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifcgpk32.dll" Ppgeqijb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndgpii32.dll" Ojhijjll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgagll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdobgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedqcjbo.dll" Iknmfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnqbmadp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daiodkff.dll" Nfcoekhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqhlpbjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inhion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbllkohi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfege32.dll" Mgagll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcqjhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agncocnp.dll" Mfjfoidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmned32.dll" Oejijiip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbjoe32.dll" Efkfkilj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dabpgbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdpanj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omkdqgbq.dll" Gehbcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaaljg32.dll" Jhcmbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djaipe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkaimj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qaofphbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdccka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fadoii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckghp32.dll" Beomhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocbhjjqn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdigkjpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chkemq32.dll" Lcjchd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckbegmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgnhmn32.dll" Kdjhkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aocamk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpimflqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doojni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgliie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okaabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oikallbg.dll" Qgopplkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onapnbhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckladcoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlqljb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaikchfj.dll" Ibadoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eglkhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiaqnagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faejhf32.dll" Aohpek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nljoheln.dll" Pgknlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfpjlgdl.dll" Hbldkllm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnfahn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhgbdbac.dll" Pejdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agcbng32.dll" Eglkhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Einmaaqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjjnblhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnqbmadp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akiijq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oejijiip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcqee32.dll" Eapmedef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mckefmai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pchljlpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkgbli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohboeenl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diafkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keoeel32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5044 wrote to memory of 4736 5044 NEAS.cae89ccacd169e5c6f824c537b232bb0.exe 89 PID 5044 wrote to memory of 4736 5044 NEAS.cae89ccacd169e5c6f824c537b232bb0.exe 89 PID 5044 wrote to memory of 4736 5044 NEAS.cae89ccacd169e5c6f824c537b232bb0.exe 89 PID 4736 wrote to memory of 4956 4736 Clbdpc32.exe 90 PID 4736 wrote to memory of 4956 4736 Clbdpc32.exe 90 PID 4736 wrote to memory of 4956 4736 Clbdpc32.exe 90 PID 4956 wrote to memory of 3652 4956 Ecanojgl.exe 91 PID 4956 wrote to memory of 3652 4956 Ecanojgl.exe 91 PID 4956 wrote to memory of 3652 4956 Ecanojgl.exe 91 PID 3652 wrote to memory of 460 3652 Eegqldqg.exe 92 PID 3652 wrote to memory of 460 3652 Eegqldqg.exe 92 PID 3652 wrote to memory of 460 3652 Eegqldqg.exe 92 PID 460 wrote to memory of 404 460 Gfgjbb32.exe 94 PID 460 wrote to memory of 404 460 Gfgjbb32.exe 94 PID 460 wrote to memory of 404 460 Gfgjbb32.exe 94 PID 404 wrote to memory of 2400 404 Hgnlmdcp.exe 95 PID 404 wrote to memory of 2400 404 Hgnlmdcp.exe 95 PID 404 wrote to memory of 2400 404 Hgnlmdcp.exe 95 PID 2400 wrote to memory of 3360 2400 Kdjhkp32.exe 97 PID 2400 wrote to memory of 3360 2400 Kdjhkp32.exe 97 PID 2400 wrote to memory of 3360 2400 Kdjhkp32.exe 97 PID 3360 wrote to memory of 2896 3360 Lfddci32.exe 98 PID 3360 wrote to memory of 2896 3360 Lfddci32.exe 98 PID 3360 wrote to memory of 2896 3360 Lfddci32.exe 98 PID 2896 wrote to memory of 4048 2896 Mkicjgnn.exe 99 PID 2896 wrote to memory of 4048 2896 Mkicjgnn.exe 99 PID 2896 wrote to memory of 4048 2896 Mkicjgnn.exe 99 PID 4048 wrote to memory of 4632 4048 Naokbokn.exe 100 PID 4048 wrote to memory of 4632 4048 Naokbokn.exe 100 PID 4048 wrote to memory of 4632 4048 Naokbokn.exe 100 PID 4632 wrote to memory of 3344 4632 Oeamcmmo.exe 101 PID 4632 wrote to memory of 3344 4632 Oeamcmmo.exe 101 PID 4632 wrote to memory of 3344 4632 Oeamcmmo.exe 101 PID 3344 wrote to memory of 4452 3344 Oookgbpj.exe 103 PID 3344 wrote to memory of 4452 3344 Oookgbpj.exe 103 PID 3344 wrote to memory of 4452 3344 Oookgbpj.exe 103 PID 4452 wrote to memory of 4276 4452 Pgcbbc32.exe 104 PID 4452 wrote to memory of 4276 4452 Pgcbbc32.exe 104 PID 4452 wrote to memory of 4276 4452 Pgcbbc32.exe 104 PID 4276 wrote to memory of 2340 4276 Bpdfpmoo.exe 105 PID 4276 wrote to memory of 2340 4276 Bpdfpmoo.exe 105 PID 4276 wrote to memory of 2340 4276 Bpdfpmoo.exe 105 PID 2340 wrote to memory of 1424 2340 Beaohcmf.exe 107 PID 2340 wrote to memory of 1424 2340 Beaohcmf.exe 107 PID 2340 wrote to memory of 1424 2340 Beaohcmf.exe 107 PID 1424 wrote to memory of 2256 1424 Cpklql32.exe 108 PID 1424 wrote to memory of 2256 1424 Cpklql32.exe 108 PID 1424 wrote to memory of 2256 1424 Cpklql32.exe 108 PID 2256 wrote to memory of 1244 2256 Fhefmjlp.exe 109 PID 2256 wrote to memory of 1244 2256 Fhefmjlp.exe 109 PID 2256 wrote to memory of 1244 2256 Fhefmjlp.exe 109 PID 1244 wrote to memory of 2304 1244 Fiilblom.exe 111 PID 1244 wrote to memory of 2304 1244 Fiilblom.exe 111 PID 1244 wrote to memory of 2304 1244 Fiilblom.exe 111 PID 2304 wrote to memory of 1812 2304 Hhobjf32.exe 114 PID 2304 wrote to memory of 1812 2304 Hhobjf32.exe 114 PID 2304 wrote to memory of 1812 2304 Hhobjf32.exe 114 PID 1812 wrote to memory of 1540 1812 Ijedehgm.exe 115 PID 1812 wrote to memory of 1540 1812 Ijedehgm.exe 115 PID 1812 wrote to memory of 1540 1812 Ijedehgm.exe 115 PID 1540 wrote to memory of 3720 1540 Jcgldl32.exe 116 PID 1540 wrote to memory of 3720 1540 Jcgldl32.exe 116 PID 1540 wrote to memory of 3720 1540 Jcgldl32.exe 116 PID 3720 wrote to memory of 320 3720 Jgedjjki.exe 117
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.cae89ccacd169e5c6f824c537b232bb0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.cae89ccacd169e5c6f824c537b232bb0.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Clbdpc32.exeC:\Windows\system32\Clbdpc32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\SysWOW64\Ecanojgl.exeC:\Windows\system32\Ecanojgl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Eegqldqg.exeC:\Windows\system32\Eegqldqg.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\SysWOW64\Gfgjbb32.exeC:\Windows\system32\Gfgjbb32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\SysWOW64\Hgnlmdcp.exeC:\Windows\system32\Hgnlmdcp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Kdjhkp32.exeC:\Windows\system32\Kdjhkp32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Lfddci32.exeC:\Windows\system32\Lfddci32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\SysWOW64\Mkicjgnn.exeC:\Windows\system32\Mkicjgnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Naokbokn.exeC:\Windows\system32\Naokbokn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Oeamcmmo.exeC:\Windows\system32\Oeamcmmo.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Oookgbpj.exeC:\Windows\system32\Oookgbpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\SysWOW64\Pgcbbc32.exeC:\Windows\system32\Pgcbbc32.exe13⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\Bpdfpmoo.exeC:\Windows\system32\Bpdfpmoo.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Windows\SysWOW64\Beaohcmf.exeC:\Windows\system32\Beaohcmf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Cpklql32.exeC:\Windows\system32\Cpklql32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Fhefmjlp.exeC:\Windows\system32\Fhefmjlp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Fiilblom.exeC:\Windows\system32\Fiilblom.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Hhobjf32.exeC:\Windows\system32\Hhobjf32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Ijedehgm.exeC:\Windows\system32\Ijedehgm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Jcgldl32.exeC:\Windows\system32\Jcgldl32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Jgedjjki.exeC:\Windows\system32\Jgedjjki.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\Jopiom32.exeC:\Windows\system32\Jopiom32.exe23⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Kimgba32.exeC:\Windows\system32\Kimgba32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4148 -
C:\Windows\SysWOW64\Kiaqnagj.exeC:\Windows\system32\Kiaqnagj.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3912 -
C:\Windows\SysWOW64\Lpbokjho.exeC:\Windows\system32\Lpbokjho.exe26⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Lhammfci.exeC:\Windows\system32\Lhammfci.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Ndejcemn.exeC:\Windows\system32\Ndejcemn.exe28⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Nandhi32.exeC:\Windows\system32\Nandhi32.exe29⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Nkghqo32.exeC:\Windows\system32\Nkghqo32.exe30⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Oknnanhj.exeC:\Windows\system32\Oknnanhj.exe31⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Abflfc32.exeC:\Windows\system32\Abflfc32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4052 -
C:\Windows\SysWOW64\Bdgehobe.exeC:\Windows\system32\Bdgehobe.exe33⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Cgaqphgl.exeC:\Windows\system32\Cgaqphgl.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Dnghhqdk.exeC:\Windows\system32\Dnghhqdk.exe35⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Dhfcae32.exeC:\Windows\system32\Dhfcae32.exe36⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Eeomfioh.exeC:\Windows\system32\Eeomfioh.exe37⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Fifhbf32.exeC:\Windows\system32\Fifhbf32.exe38⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Glinjqhb.exeC:\Windows\system32\Glinjqhb.exe39⤵
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Gbhpajlj.exeC:\Windows\system32\Gbhpajlj.exe40⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Hiinoc32.exeC:\Windows\system32\Hiinoc32.exe41⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Hedhoc32.exeC:\Windows\system32\Hedhoc32.exe42⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Ikcmmjkb.exeC:\Windows\system32\Ikcmmjkb.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Ijgjpaao.exeC:\Windows\system32\Ijgjpaao.exe44⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Ikjcmi32.exeC:\Windows\system32\Ikjcmi32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4916 -
C:\Windows\SysWOW64\Iohlcg32.exeC:\Windows\system32\Iohlcg32.exe46⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Jhcmbm32.exeC:\Windows\system32\Jhcmbm32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:3580 -
C:\Windows\SysWOW64\Jlafhkfe.exeC:\Windows\system32\Jlafhkfe.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3800 -
C:\Windows\SysWOW64\Jkfcigkm.exeC:\Windows\system32\Jkfcigkm.exe49⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Jmepcj32.exeC:\Windows\system32\Jmepcj32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Kmjinjnj.exeC:\Windows\system32\Kmjinjnj.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5104 -
C:\Windows\SysWOW64\Kicfijal.exeC:\Windows\system32\Kicfijal.exe52⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Kmaooihb.exeC:\Windows\system32\Kmaooihb.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Lcndab32.exeC:\Windows\system32\Lcndab32.exe54⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Lmheph32.exeC:\Windows\system32\Lmheph32.exe55⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Liofdigo.exeC:\Windows\system32\Liofdigo.exe56⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Mpkkgbmi.exeC:\Windows\system32\Mpkkgbmi.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Mcnmhpoj.exeC:\Windows\system32\Mcnmhpoj.exe58⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Nlnkgbhp.exeC:\Windows\system32\Nlnkgbhp.exe59⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Nfcoekhe.exeC:\Windows\system32\Nfcoekhe.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:3240 -
C:\Windows\SysWOW64\Nboiekjd.exeC:\Windows\system32\Nboiekjd.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Okaabg32.exeC:\Windows\system32\Okaabg32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:116 -
C:\Windows\SysWOW64\Pgknlg32.exeC:\Windows\system32\Pgknlg32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Pdoofl32.exeC:\Windows\system32\Pdoofl32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4688 -
C:\Windows\SysWOW64\Qciebg32.exeC:\Windows\system32\Qciebg32.exe65⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Qnniopcm.exeC:\Windows\system32\Qnniopcm.exe66⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Apobakpn.exeC:\Windows\system32\Apobakpn.exe67⤵PID:1164
-
C:\Windows\SysWOW64\Acbhhf32.exeC:\Windows\system32\Acbhhf32.exe68⤵PID:972
-
C:\Windows\SysWOW64\Acdeneij.exeC:\Windows\system32\Acdeneij.exe69⤵PID:1904
-
C:\Windows\SysWOW64\Bjqjpp32.exeC:\Windows\system32\Bjqjpp32.exe70⤵PID:3532
-
C:\Windows\SysWOW64\Bdfnmhnj.exeC:\Windows\system32\Bdfnmhnj.exe71⤵PID:3244
-
C:\Windows\SysWOW64\Bjhpqn32.exeC:\Windows\system32\Bjhpqn32.exe72⤵
- Drops file in System32 directory
PID:4152 -
C:\Windows\SysWOW64\Bdmdng32.exeC:\Windows\system32\Bdmdng32.exe73⤵PID:5056
-
C:\Windows\SysWOW64\Bkglkapo.exeC:\Windows\system32\Bkglkapo.exe74⤵PID:3000
-
C:\Windows\SysWOW64\Bqdechnf.exeC:\Windows\system32\Bqdechnf.exe75⤵PID:1504
-
C:\Windows\SysWOW64\Ccigpbga.exeC:\Windows\system32\Ccigpbga.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1692 -
C:\Windows\SysWOW64\Dkehlo32.exeC:\Windows\system32\Dkehlo32.exe77⤵PID:1624
-
C:\Windows\SysWOW64\Eapmedef.exeC:\Windows\system32\Eapmedef.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Flcndk32.exeC:\Windows\system32\Flcndk32.exe79⤵PID:5212
-
C:\Windows\SysWOW64\Gjndpg32.exeC:\Windows\system32\Gjndpg32.exe80⤵PID:5260
-
C:\Windows\SysWOW64\Geeecogb.exeC:\Windows\system32\Geeecogb.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5316 -
C:\Windows\SysWOW64\Hdmojkjg.exeC:\Windows\system32\Hdmojkjg.exe82⤵PID:5380
-
C:\Windows\SysWOW64\Heohinog.exeC:\Windows\system32\Heohinog.exe83⤵PID:5440
-
C:\Windows\SysWOW64\Hahedoci.exeC:\Windows\system32\Hahedoci.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5492 -
C:\Windows\SysWOW64\Idinej32.exeC:\Windows\system32\Idinej32.exe85⤵PID:5528
-
C:\Windows\SysWOW64\Ikbfbdgf.exeC:\Windows\system32\Ikbfbdgf.exe86⤵PID:5588
-
C:\Windows\SysWOW64\Idmhqi32.exeC:\Windows\system32\Idmhqi32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5628 -
C:\Windows\SysWOW64\Inhion32.exeC:\Windows\system32\Inhion32.exe88⤵
- Modifies registry class
PID:5676 -
C:\Windows\SysWOW64\Jnalem32.exeC:\Windows\system32\Jnalem32.exe89⤵PID:5724
-
C:\Windows\SysWOW64\Kdgcne32.exeC:\Windows\system32\Kdgcne32.exe90⤵PID:5772
-
C:\Windows\SysWOW64\Komhkn32.exeC:\Windows\system32\Komhkn32.exe91⤵PID:5820
-
C:\Windows\SysWOW64\Lkfeeo32.exeC:\Windows\system32\Lkfeeo32.exe92⤵PID:5872
-
C:\Windows\SysWOW64\Mmodfqhf.exeC:\Windows\system32\Mmodfqhf.exe93⤵PID:5920
-
C:\Windows\SysWOW64\Mejijcea.exeC:\Windows\system32\Mejijcea.exe94⤵PID:5976
-
C:\Windows\SysWOW64\Mijofaje.exeC:\Windows\system32\Mijofaje.exe95⤵PID:6020
-
C:\Windows\SysWOW64\Nmmqgo32.exeC:\Windows\system32\Nmmqgo32.exe96⤵PID:6068
-
C:\Windows\SysWOW64\Nfeepdbg.exeC:\Windows\system32\Nfeepdbg.exe97⤵PID:6112
-
C:\Windows\SysWOW64\Nlbnhkqo.exeC:\Windows\system32\Nlbnhkqo.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:8 -
C:\Windows\SysWOW64\Omdghmfo.exeC:\Windows\system32\Omdghmfo.exe99⤵PID:5188
-
C:\Windows\SysWOW64\Plbfohbl.exeC:\Windows\system32\Plbfohbl.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5244 -
C:\Windows\SysWOW64\Pblolb32.exeC:\Windows\system32\Pblolb32.exe101⤵PID:5300
-
C:\Windows\SysWOW64\Pppoeg32.exeC:\Windows\system32\Pppoeg32.exe102⤵PID:5332
-
C:\Windows\SysWOW64\Pmfldkei.exeC:\Windows\system32\Pmfldkei.exe103⤵PID:5400
-
C:\Windows\SysWOW64\Qolbgbgb.exeC:\Windows\system32\Qolbgbgb.exe104⤵PID:5448
-
C:\Windows\SysWOW64\Aljefena.exeC:\Windows\system32\Aljefena.exe105⤵PID:5548
-
C:\Windows\SysWOW64\Bgfpdmho.exeC:\Windows\system32\Bgfpdmho.exe106⤵PID:5596
-
C:\Windows\SysWOW64\Cnndbecl.exeC:\Windows\system32\Cnndbecl.exe107⤵PID:5640
-
C:\Windows\SysWOW64\Dqajjp32.exeC:\Windows\system32\Dqajjp32.exe108⤵PID:1320
-
C:\Windows\SysWOW64\Dcdpakii.exeC:\Windows\system32\Dcdpakii.exe109⤵PID:5656
-
C:\Windows\SysWOW64\Emdjjo32.exeC:\Windows\system32\Emdjjo32.exe110⤵PID:5720
-
C:\Windows\SysWOW64\Ecnbgian.exeC:\Windows\system32\Ecnbgian.exe111⤵PID:5808
-
C:\Windows\SysWOW64\Ejhkdc32.exeC:\Windows\system32\Ejhkdc32.exe112⤵PID:5844
-
C:\Windows\SysWOW64\Fcgemhic.exeC:\Windows\system32\Fcgemhic.exe113⤵PID:1696
-
C:\Windows\SysWOW64\Fmpjfn32.exeC:\Windows\system32\Fmpjfn32.exe114⤵
- Drops file in System32 directory
PID:5948 -
C:\Windows\SysWOW64\Gnmbao32.exeC:\Windows\system32\Gnmbao32.exe115⤵PID:6108
-
C:\Windows\SysWOW64\Imgbdh32.exeC:\Windows\system32\Imgbdh32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1332 -
C:\Windows\SysWOW64\Kacgld32.exeC:\Windows\system32\Kacgld32.exe117⤵PID:4956
-
C:\Windows\SysWOW64\Kgbljkca.exeC:\Windows\system32\Kgbljkca.exe118⤵PID:5428
-
C:\Windows\SysWOW64\Kahpgcch.exeC:\Windows\system32\Kahpgcch.exe119⤵PID:5540
-
C:\Windows\SysWOW64\Lonnfg32.exeC:\Windows\system32\Lonnfg32.exe120⤵PID:5616
-
C:\Windows\SysWOW64\Lhkkjl32.exeC:\Windows\system32\Lhkkjl32.exe121⤵PID:5672
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-