Analysis
-
max time kernel
157s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
04-11-2023 15:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.91fcea1c1ef809f7ab9f8973f1ec6ad2.exe
Resource
win7-20231023-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.91fcea1c1ef809f7ab9f8973f1ec6ad2.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.91fcea1c1ef809f7ab9f8973f1ec6ad2.exe
-
Size
128KB
-
MD5
91fcea1c1ef809f7ab9f8973f1ec6ad2
-
SHA1
e115462e38311011aab301761845984967db61af
-
SHA256
4a22c3b051b4bf34c7a15dea8d71a6325af2642d49f8e3c89830e6505af50475
-
SHA512
a45d4318fea5679e397625c03beec61a74dd095656333832cf9f1219e5904e4cd27047fcb8e4d940c58aec68a0135a306bd600203ab1f0278bda5b98f87afdcf
-
SSDEEP
3072:Cezt3SPhfGwr/peXp1l27eFSJdEN0s4WE+3S9pui6yYPaI7DX:Ce1SPhOwr/guC8ENm+3Mpui6yYPaI/
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ciaddaaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hligqnjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcphpdil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkkldg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkbnkfei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjoppf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eebgqe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocphojh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhlnjpdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhchhm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcggjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiokinbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbbajjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmpdgdmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfeplh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cejaobel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hligqnjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkcfch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liofdigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gjqinamq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cejaobel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eeaqfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkmijf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oflmnh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbonoghb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emgblc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eoconenj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmijf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mihikgod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncecioib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pakdbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jeolckne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qbonoghb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kocphojh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fneoma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmmcgbnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkabefqp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djalnkbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enkdaepb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhkbdmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijaimg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljlagndl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefjanml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hccomh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igjlibib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbehienn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inkjfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncecioib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dfonnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfhbipdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhlnjpdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhqqlmba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnglcqio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jakchf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfbhhfbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoconenj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eedmlo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkfadkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hddilh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpklql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpnbmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlgegcng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndliin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cediab32.exe -
Executes dropped EXE 64 IoCs
pid Process 2464 Dmohno32.exe 2956 Dfglfdkb.exe 2972 Dooaoj32.exe 2024 Dkfadkgf.exe 4228 Dbpjaeoc.exe 2016 Dkhnjk32.exe 1660 Dbbffdlq.exe 1516 Emhkdmlg.exe 3440 Eiokinbk.exe 4524 Enkdaepb.exe 2228 Eiahnnph.exe 724 Ennqfenp.exe 4708 Mqdcnl32.exe 1052 Gbbajjlp.exe 1980 Iondqhpl.exe 3820 Jhkbdmbg.exe 2184 Mbdiknlb.exe 1788 Oflmnh32.exe 3144 Pcpnhl32.exe 3480 Pjoppf32.exe 3860 Pfepdg32.exe 4832 Pakdbp32.exe 2164 Pfhmjf32.exe 3756 Qbonoghb.exe 956 Qiiflaoo.exe 4344 Qpbnhl32.exe 2680 Qjhbfd32.exe 3504 Aabkbono.exe 3984 Aimogakj.exe 180 Adjjeieh.exe 3412 Bpqjjjjl.exe 1560 Biiobo32.exe 4176 Bpcgpihi.exe 2616 Bpedeiff.exe 3128 Bkkhbb32.exe 1900 Jelonkph.exe 2808 Jlfhke32.exe 1428 Jeolckne.exe 864 Koimbpbc.exe 4912 Keceoj32.exe 4888 Koljgppp.exe 2416 Kefbdjgm.exe 1528 Klpjad32.exe 1472 Kongmo32.exe 4072 Kdkoef32.exe 2628 Khfkfedn.exe 648 Kopcbo32.exe 2032 Kaopoj32.exe 1188 Kdmlkfjb.exe 4552 Kocphojh.exe 4516 Kaaldjil.exe 4288 Kdpiqehp.exe 4992 Klgqabib.exe 4996 Lbqinm32.exe 4772 Ldbefe32.exe 416 Llimgb32.exe 4352 Logicn32.exe 3184 Laffpi32.exe 2840 Llkjmb32.exe 1164 Lbebilli.exe 3132 Ldfoad32.exe 1712 Cidgdg32.exe 3676 Clbdpc32.exe 2560 Cmbpjfij.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nmpdgdmp.exe Nffljjfc.exe File opened for modification C:\Windows\SysWOW64\Jlponebi.exe Jdiglgbg.exe File created C:\Windows\SysWOW64\Pcpnhl32.exe Oflmnh32.exe File opened for modification C:\Windows\SysWOW64\Dmifkecb.exe Dfonnk32.exe File opened for modification C:\Windows\SysWOW64\Cpklql32.exe Ciaddaaj.exe File created C:\Windows\SysWOW64\Ohlemeao.dll Iondqhpl.exe File opened for modification C:\Windows\SysWOW64\Jikjmbmb.exe Jmmcgbnf.exe File created C:\Windows\SysWOW64\Flmonbbp.exe Deejpjgc.exe File opened for modification C:\Windows\SysWOW64\Kkdoje32.exe Kfggbope.exe File created C:\Windows\SysWOW64\Ekakgcih.dll Hkodak32.exe File created C:\Windows\SysWOW64\Aldclhie.dll Bpedeiff.exe File opened for modification C:\Windows\SysWOW64\Fpfholhc.exe Fnglcqio.exe File created C:\Windows\SysWOW64\Fkmpjb32.dll Elilmi32.exe File opened for modification C:\Windows\SysWOW64\Dlqpaafg.exe Dbhlikpf.exe File created C:\Windows\SysWOW64\Jqfkba32.dll Flgadake.exe File created C:\Windows\SysWOW64\Jkhpogij.exe Jjgcgo32.exe File created C:\Windows\SysWOW64\Jaepkejo.dll Clgmkbna.exe File created C:\Windows\SysWOW64\Eiijfd32.exe Ecoaijio.exe File created C:\Windows\SysWOW64\Mfeccm32.exe Mcggga32.exe File created C:\Windows\SysWOW64\Lfnmcnjn.exe Lpdefc32.exe File created C:\Windows\SysWOW64\Dmjnkn32.dll Ndliin32.exe File created C:\Windows\SysWOW64\Eghimo32.exe Djalnkbo.exe File created C:\Windows\SysWOW64\Dooaoj32.exe Dfglfdkb.exe File created C:\Windows\SysWOW64\Kaaldjil.exe Kocphojh.exe File created C:\Windows\SysWOW64\Edeanh32.dll Mpenmadn.exe File created C:\Windows\SysWOW64\Daccia32.dll Fhchhm32.exe File created C:\Windows\SysWOW64\Ebplen32.dll Nbbldp32.exe File created C:\Windows\SysWOW64\Jhmchd32.dll Jfgnka32.exe File created C:\Windows\SysWOW64\Limioiia.exe Lfnmcnjn.exe File opened for modification C:\Windows\SysWOW64\Mknjgajl.exe Ljlagndl.exe File opened for modification C:\Windows\SysWOW64\Didjqoae.exe Dpkehi32.exe File created C:\Windows\SysWOW64\Dblnid32.exe Dpnbmi32.exe File created C:\Windows\SysWOW64\Epplai32.dll Ifphkbep.exe File opened for modification C:\Windows\SysWOW64\Jplmglbf.exe Imdndbkn.exe File created C:\Windows\SysWOW64\Ikmcpbbo.dll Elolco32.exe File opened for modification C:\Windows\SysWOW64\Hcifmdeo.exe Hmpnqj32.exe File opened for modification C:\Windows\SysWOW64\Fbjjkble.exe Fefjanml.exe File created C:\Windows\SysWOW64\Kfpqap32.exe Kcbded32.exe File created C:\Windows\SysWOW64\Cqmldgdc.dll Kjnihnmd.exe File opened for modification C:\Windows\SysWOW64\Mfdlif32.exe Jnalem32.exe File opened for modification C:\Windows\SysWOW64\Iaqapggb.exe Iajkohmj.exe File opened for modification C:\Windows\SysWOW64\Eokjke32.exe Denlgq32.exe File created C:\Windows\SysWOW64\Elekoe32.dll Biiobo32.exe File created C:\Windows\SysWOW64\Lajbnn32.dll Kefbdjgm.exe File created C:\Windows\SysWOW64\Dpkehi32.exe Dbgdnelk.exe File created C:\Windows\SysWOW64\Aaokgokp.dll Hdahek32.exe File opened for modification C:\Windows\SysWOW64\Ihkpgg32.exe Inflio32.exe File created C:\Windows\SysWOW64\Cibdlc32.dll Hkgnalep.exe File created C:\Windows\SysWOW64\Egfolf32.dll Lfnmcnjn.exe File opened for modification C:\Windows\SysWOW64\Mminfech.exe Mjjbjjdd.exe File created C:\Windows\SysWOW64\Cnboma32.exe Qnopjfgi.exe File created C:\Windows\SysWOW64\Mknjgajl.exe Ljlagndl.exe File opened for modification C:\Windows\SysWOW64\Clbdpc32.exe Cidgdg32.exe File opened for modification C:\Windows\SysWOW64\Hddilh32.exe Hmmakk32.exe File opened for modification C:\Windows\SysWOW64\Jffokn32.exe Iedbcebd.exe File opened for modification C:\Windows\SysWOW64\Fnglcqio.exe Fgncff32.exe File created C:\Windows\SysWOW64\Jjgcgo32.exe Jflgfpkc.exe File created C:\Windows\SysWOW64\Ekbage32.dll Djalnkbo.exe File opened for modification C:\Windows\SysWOW64\Koljgppp.exe Keceoj32.exe File created C:\Windows\SysWOW64\Llfgke32.dll Khfkfedn.exe File opened for modification C:\Windows\SysWOW64\Ecoaijio.exe Digmqe32.exe File created C:\Windows\SysWOW64\Nohjfifo.dll Pjoppf32.exe File created C:\Windows\SysWOW64\Eknphfld.dll Bpqjjjjl.exe File created C:\Windows\SysWOW64\Imdndbkn.exe Ijaimg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4836 6832 WerFault.exe 439 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfpmdman.dll" Jjgcgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilaiaejg.dll" Iacepmik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbhgkfkg.dll" Koimbpbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cboibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefjnc32.dll" Ifjoop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbibenl.dll" Digmqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keecjl32.dll" Kokbpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gcggjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcnhfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eciilj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nqdeefpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpglmjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eakcie32.dll" Deejpjgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Liofdigo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pgcpdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pjalpida.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mbdiknlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jelonkph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Keceoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gmqjga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obanqgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cohddjgl.dll" Pcpnhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoedfmpf.dll" Cmbpjfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hmmakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kaaldjil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Glmhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qodhmn32.dll" Hddilh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmeadk32.dll" Eljchpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkcnp32.dll" Kaopoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moqknklp.dll" Jfikaqme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mbamcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eiahnnph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cboleq32.dll" Kongmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingkdn32.dll" Dpnbmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mcnhfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhlnjpdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cidgdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dfakcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfngcdhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ehifak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eoekde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Glbapoqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogadadh.dll" Liofdigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhppocd.dll" Mcggga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jhkbdmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjcam32.dll" Laffpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpkehi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbage32.dll" Djalnkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjhjoq32.dll" Hecadm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nneiikqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngfnnqih.dll" Lanpml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkpdml32.dll" Hembndee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkmijf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dcmjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcbded32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jklihbol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Alplfpbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihjoke32.dll" Gbbajjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accheolp.dll" Fgncff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jfgnka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cejaobel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nbbldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Laffpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfooh32.dll" Llkjmb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 676 wrote to memory of 2464 676 NEAS.91fcea1c1ef809f7ab9f8973f1ec6ad2.exe 83 PID 676 wrote to memory of 2464 676 NEAS.91fcea1c1ef809f7ab9f8973f1ec6ad2.exe 83 PID 676 wrote to memory of 2464 676 NEAS.91fcea1c1ef809f7ab9f8973f1ec6ad2.exe 83 PID 2464 wrote to memory of 2956 2464 Dmohno32.exe 84 PID 2464 wrote to memory of 2956 2464 Dmohno32.exe 84 PID 2464 wrote to memory of 2956 2464 Dmohno32.exe 84 PID 2956 wrote to memory of 2972 2956 Dfglfdkb.exe 85 PID 2956 wrote to memory of 2972 2956 Dfglfdkb.exe 85 PID 2956 wrote to memory of 2972 2956 Dfglfdkb.exe 85 PID 2972 wrote to memory of 2024 2972 Dooaoj32.exe 86 PID 2972 wrote to memory of 2024 2972 Dooaoj32.exe 86 PID 2972 wrote to memory of 2024 2972 Dooaoj32.exe 86 PID 2024 wrote to memory of 4228 2024 Dkfadkgf.exe 87 PID 2024 wrote to memory of 4228 2024 Dkfadkgf.exe 87 PID 2024 wrote to memory of 4228 2024 Dkfadkgf.exe 87 PID 4228 wrote to memory of 2016 4228 Dbpjaeoc.exe 88 PID 4228 wrote to memory of 2016 4228 Dbpjaeoc.exe 88 PID 4228 wrote to memory of 2016 4228 Dbpjaeoc.exe 88 PID 2016 wrote to memory of 1660 2016 Dkhnjk32.exe 89 PID 2016 wrote to memory of 1660 2016 Dkhnjk32.exe 89 PID 2016 wrote to memory of 1660 2016 Dkhnjk32.exe 89 PID 1660 wrote to memory of 1516 1660 Dbbffdlq.exe 90 PID 1660 wrote to memory of 1516 1660 Dbbffdlq.exe 90 PID 1660 wrote to memory of 1516 1660 Dbbffdlq.exe 90 PID 1516 wrote to memory of 3440 1516 Emhkdmlg.exe 91 PID 1516 wrote to memory of 3440 1516 Emhkdmlg.exe 91 PID 1516 wrote to memory of 3440 1516 Emhkdmlg.exe 91 PID 3440 wrote to memory of 4524 3440 Eiokinbk.exe 92 PID 3440 wrote to memory of 4524 3440 Eiokinbk.exe 92 PID 3440 wrote to memory of 4524 3440 Eiokinbk.exe 92 PID 4524 wrote to memory of 2228 4524 Enkdaepb.exe 93 PID 4524 wrote to memory of 2228 4524 Enkdaepb.exe 93 PID 4524 wrote to memory of 2228 4524 Enkdaepb.exe 93 PID 2228 wrote to memory of 724 2228 Eiahnnph.exe 98 PID 2228 wrote to memory of 724 2228 Eiahnnph.exe 98 PID 2228 wrote to memory of 724 2228 Eiahnnph.exe 98 PID 724 wrote to memory of 4708 724 Ennqfenp.exe 99 PID 724 wrote to memory of 4708 724 Ennqfenp.exe 99 PID 724 wrote to memory of 4708 724 Ennqfenp.exe 99 PID 4708 wrote to memory of 1052 4708 Mqdcnl32.exe 100 PID 4708 wrote to memory of 1052 4708 Mqdcnl32.exe 100 PID 4708 wrote to memory of 1052 4708 Mqdcnl32.exe 100 PID 1052 wrote to memory of 1980 1052 Gbbajjlp.exe 101 PID 1052 wrote to memory of 1980 1052 Gbbajjlp.exe 101 PID 1052 wrote to memory of 1980 1052 Gbbajjlp.exe 101 PID 1980 wrote to memory of 3820 1980 Iondqhpl.exe 102 PID 1980 wrote to memory of 3820 1980 Iondqhpl.exe 102 PID 1980 wrote to memory of 3820 1980 Iondqhpl.exe 102 PID 3820 wrote to memory of 2184 3820 Jhkbdmbg.exe 103 PID 3820 wrote to memory of 2184 3820 Jhkbdmbg.exe 103 PID 3820 wrote to memory of 2184 3820 Jhkbdmbg.exe 103 PID 2184 wrote to memory of 1788 2184 Mbdiknlb.exe 104 PID 2184 wrote to memory of 1788 2184 Mbdiknlb.exe 104 PID 2184 wrote to memory of 1788 2184 Mbdiknlb.exe 104 PID 1788 wrote to memory of 3144 1788 Oflmnh32.exe 108 PID 1788 wrote to memory of 3144 1788 Oflmnh32.exe 108 PID 1788 wrote to memory of 3144 1788 Oflmnh32.exe 108 PID 3144 wrote to memory of 3480 3144 Pcpnhl32.exe 109 PID 3144 wrote to memory of 3480 3144 Pcpnhl32.exe 109 PID 3144 wrote to memory of 3480 3144 Pcpnhl32.exe 109 PID 3480 wrote to memory of 3860 3480 Pjoppf32.exe 110 PID 3480 wrote to memory of 3860 3480 Pjoppf32.exe 110 PID 3480 wrote to memory of 3860 3480 Pjoppf32.exe 110 PID 3860 wrote to memory of 4832 3860 Pfepdg32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.91fcea1c1ef809f7ab9f8973f1ec6ad2.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.91fcea1c1ef809f7ab9f8973f1ec6ad2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Dmohno32.exeC:\Windows\system32\Dmohno32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Dfglfdkb.exeC:\Windows\system32\Dfglfdkb.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Dooaoj32.exeC:\Windows\system32\Dooaoj32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Dkfadkgf.exeC:\Windows\system32\Dkfadkgf.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Dbpjaeoc.exeC:\Windows\system32\Dbpjaeoc.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Dkhnjk32.exeC:\Windows\system32\Dkhnjk32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Dbbffdlq.exeC:\Windows\system32\Dbbffdlq.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Emhkdmlg.exeC:\Windows\system32\Emhkdmlg.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Eiokinbk.exeC:\Windows\system32\Eiokinbk.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\SysWOW64\Enkdaepb.exeC:\Windows\system32\Enkdaepb.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Ennqfenp.exeC:\Windows\system32\Ennqfenp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Windows\SysWOW64\Mqdcnl32.exeC:\Windows\system32\Mqdcnl32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\SysWOW64\Gbbajjlp.exeC:\Windows\system32\Gbbajjlp.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Iondqhpl.exeC:\Windows\system32\Iondqhpl.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Jhkbdmbg.exeC:\Windows\system32\Jhkbdmbg.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\SysWOW64\Mbdiknlb.exeC:\Windows\system32\Mbdiknlb.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Oflmnh32.exeC:\Windows\system32\Oflmnh32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Pcpnhl32.exeC:\Windows\system32\Pcpnhl32.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\Pjoppf32.exeC:\Windows\system32\Pjoppf32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\Pfepdg32.exeC:\Windows\system32\Pfepdg32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\SysWOW64\Pakdbp32.exeC:\Windows\system32\Pakdbp32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Pfhmjf32.exeC:\Windows\system32\Pfhmjf32.exe24⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Qbonoghb.exeC:\Windows\system32\Qbonoghb.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Qiiflaoo.exeC:\Windows\system32\Qiiflaoo.exe26⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Qpbnhl32.exeC:\Windows\system32\Qpbnhl32.exe27⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Qjhbfd32.exeC:\Windows\system32\Qjhbfd32.exe28⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Aabkbono.exeC:\Windows\system32\Aabkbono.exe29⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Aimogakj.exeC:\Windows\system32\Aimogakj.exe30⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Adjjeieh.exeC:\Windows\system32\Adjjeieh.exe31⤵
- Executes dropped EXE
PID:180 -
C:\Windows\SysWOW64\Bpqjjjjl.exeC:\Windows\system32\Bpqjjjjl.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3412 -
C:\Windows\SysWOW64\Biiobo32.exeC:\Windows\system32\Biiobo32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Bpcgpihi.exeC:\Windows\system32\Bpcgpihi.exe34⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Bpedeiff.exeC:\Windows\system32\Bpedeiff.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Bkkhbb32.exeC:\Windows\system32\Bkkhbb32.exe36⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Jelonkph.exeC:\Windows\system32\Jelonkph.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Jlfhke32.exeC:\Windows\system32\Jlfhke32.exe38⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Jeolckne.exeC:\Windows\system32\Jeolckne.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Koimbpbc.exeC:\Windows\system32\Koimbpbc.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Keceoj32.exeC:\Windows\system32\Keceoj32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4912 -
C:\Windows\SysWOW64\Koljgppp.exeC:\Windows\system32\Koljgppp.exe42⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Kefbdjgm.exeC:\Windows\system32\Kefbdjgm.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Klpjad32.exeC:\Windows\system32\Klpjad32.exe44⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Kongmo32.exeC:\Windows\system32\Kongmo32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1472 -
C:\Windows\SysWOW64\Kdkoef32.exeC:\Windows\system32\Kdkoef32.exe46⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Khfkfedn.exeC:\Windows\system32\Khfkfedn.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Kopcbo32.exeC:\Windows\system32\Kopcbo32.exe48⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Kaopoj32.exeC:\Windows\system32\Kaopoj32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Kdmlkfjb.exeC:\Windows\system32\Kdmlkfjb.exe50⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Kocphojh.exeC:\Windows\system32\Kocphojh.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4552 -
C:\Windows\SysWOW64\Kaaldjil.exeC:\Windows\system32\Kaaldjil.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:4516 -
C:\Windows\SysWOW64\Kdpiqehp.exeC:\Windows\system32\Kdpiqehp.exe53⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Klgqabib.exeC:\Windows\system32\Klgqabib.exe54⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Lbqinm32.exeC:\Windows\system32\Lbqinm32.exe55⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Ldbefe32.exeC:\Windows\system32\Ldbefe32.exe56⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Llimgb32.exeC:\Windows\system32\Llimgb32.exe57⤵
- Executes dropped EXE
PID:416 -
C:\Windows\SysWOW64\Logicn32.exeC:\Windows\system32\Logicn32.exe58⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Laffpi32.exeC:\Windows\system32\Laffpi32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:3184 -
C:\Windows\SysWOW64\Llkjmb32.exeC:\Windows\system32\Llkjmb32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Lbebilli.exeC:\Windows\system32\Lbebilli.exe61⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Ldfoad32.exeC:\Windows\system32\Ldfoad32.exe62⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Cidgdg32.exeC:\Windows\system32\Cidgdg32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Clbdpc32.exeC:\Windows\system32\Clbdpc32.exe64⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Cmbpjfij.exeC:\Windows\system32\Cmbpjfij.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Cboibm32.exeC:\Windows\system32\Cboibm32.exe66⤵
- Modifies registry class
PID:4360 -
C:\Windows\SysWOW64\Ciiaogon.exeC:\Windows\system32\Ciiaogon.exe67⤵PID:5076
-
C:\Windows\SysWOW64\Clgmkbna.exeC:\Windows\system32\Clgmkbna.exe68⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Cbaehl32.exeC:\Windows\system32\Cbaehl32.exe69⤵PID:1852
-
C:\Windows\SysWOW64\Dpefaq32.exeC:\Windows\system32\Dpefaq32.exe70⤵PID:544
-
C:\Windows\SysWOW64\Dfonnk32.exeC:\Windows\system32\Dfonnk32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3316 -
C:\Windows\SysWOW64\Dmifkecb.exeC:\Windows\system32\Dmifkecb.exe72⤵PID:4468
-
C:\Windows\SysWOW64\Dfakcj32.exeC:\Windows\system32\Dfakcj32.exe73⤵
- Modifies registry class
PID:4724 -
C:\Windows\SysWOW64\Dpjompqc.exeC:\Windows\system32\Dpjompqc.exe74⤵PID:3528
-
C:\Windows\SysWOW64\Dbhlikpf.exeC:\Windows\system32\Dbhlikpf.exe75⤵
- Drops file in System32 directory
PID:4864 -
C:\Windows\SysWOW64\Dlqpaafg.exeC:\Windows\system32\Dlqpaafg.exe76⤵PID:2116
-
C:\Windows\SysWOW64\Deidjf32.exeC:\Windows\system32\Deidjf32.exe77⤵PID:1756
-
C:\Windows\SysWOW64\Dpoiho32.exeC:\Windows\system32\Dpoiho32.exe78⤵PID:3788
-
C:\Windows\SysWOW64\Dcmedk32.exeC:\Windows\system32\Dcmedk32.exe79⤵PID:1792
-
C:\Windows\SysWOW64\Digmqe32.exeC:\Windows\system32\Digmqe32.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:5164 -
C:\Windows\SysWOW64\Ecoaijio.exeC:\Windows\system32\Ecoaijio.exe81⤵
- Drops file in System32 directory
PID:5212 -
C:\Windows\SysWOW64\Eiijfd32.exeC:\Windows\system32\Eiijfd32.exe82⤵PID:5264
-
C:\Windows\SysWOW64\Epcbbohh.exeC:\Windows\system32\Epcbbohh.exe83⤵PID:5312
-
C:\Windows\SysWOW64\Ecanojgl.exeC:\Windows\system32\Ecanojgl.exe84⤵PID:5372
-
C:\Windows\SysWOW64\Emgblc32.exeC:\Windows\system32\Emgblc32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5416 -
C:\Windows\SysWOW64\Eljchpnl.exeC:\Windows\system32\Eljchpnl.exe86⤵
- Modifies registry class
PID:5464 -
C:\Windows\SysWOW64\Eebgqe32.exeC:\Windows\system32\Eebgqe32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5508 -
C:\Windows\SysWOW64\Emioab32.exeC:\Windows\system32\Emioab32.exe88⤵PID:5544
-
C:\Windows\SysWOW64\Ephlnn32.exeC:\Windows\system32\Ephlnn32.exe89⤵PID:5588
-
C:\Windows\SysWOW64\Ecfhji32.exeC:\Windows\system32\Ecfhji32.exe90⤵PID:5640
-
C:\Windows\SysWOW64\Eeddfe32.exeC:\Windows\system32\Eeddfe32.exe91⤵PID:5688
-
C:\Windows\SysWOW64\Elolco32.exeC:\Windows\system32\Elolco32.exe92⤵
- Drops file in System32 directory
PID:5744 -
C:\Windows\SysWOW64\Ecidpiad.exeC:\Windows\system32\Ecidpiad.exe93⤵PID:5808
-
C:\Windows\SysWOW64\Fpandm32.exeC:\Windows\system32\Fpandm32.exe94⤵PID:5844
-
C:\Windows\SysWOW64\Fcpkph32.exeC:\Windows\system32\Fcpkph32.exe95⤵PID:5904
-
C:\Windows\SysWOW64\Ffnglc32.exeC:\Windows\system32\Ffnglc32.exe96⤵PID:5944
-
C:\Windows\SysWOW64\Fneoma32.exeC:\Windows\system32\Fneoma32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6000 -
C:\Windows\SysWOW64\Fpckjlje.exeC:\Windows\system32\Fpckjlje.exe98⤵PID:6064
-
C:\Windows\SysWOW64\Fgncff32.exeC:\Windows\system32\Fgncff32.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:6100 -
C:\Windows\SysWOW64\Fnglcqio.exeC:\Windows\system32\Fnglcqio.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Fpfholhc.exeC:\Windows\system32\Fpfholhc.exe101⤵PID:2132
-
C:\Windows\SysWOW64\Fcddkggf.exeC:\Windows\system32\Fcddkggf.exe102⤵PID:2880
-
C:\Windows\SysWOW64\Ffcpgcfj.exeC:\Windows\system32\Ffcpgcfj.exe103⤵PID:1500
-
C:\Windows\SysWOW64\Glmhdm32.exeC:\Windows\system32\Glmhdm32.exe104⤵
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Gcgqag32.exeC:\Windows\system32\Gcgqag32.exe105⤵PID:1568
-
C:\Windows\SysWOW64\Gjqinamq.exeC:\Windows\system32\Gjqinamq.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5436 -
C:\Windows\SysWOW64\Gloejmld.exeC:\Windows\system32\Gloejmld.exe107⤵PID:5532
-
C:\Windows\SysWOW64\Gdfmkjlg.exeC:\Windows\system32\Gdfmkjlg.exe108⤵PID:5628
-
C:\Windows\SysWOW64\Ggdigekj.exeC:\Windows\system32\Ggdigekj.exe109⤵PID:5680
-
C:\Windows\SysWOW64\Gjcfcakn.exeC:\Windows\system32\Gjcfcakn.exe110⤵PID:1660
-
C:\Windows\SysWOW64\Gglpgd32.exeC:\Windows\system32\Gglpgd32.exe111⤵PID:5796
-
C:\Windows\SysWOW64\Hmhhpkcj.exeC:\Windows\system32\Hmhhpkcj.exe112⤵PID:5872
-
C:\Windows\SysWOW64\Hdppaidl.exeC:\Windows\system32\Hdppaidl.exe113⤵PID:5936
-
C:\Windows\SysWOW64\Hfamia32.exeC:\Windows\system32\Hfamia32.exe114⤵PID:6072
-
C:\Windows\SysWOW64\Hmkeekag.exeC:\Windows\system32\Hmkeekag.exe115⤵PID:6120
-
C:\Windows\SysWOW64\Hgpibdam.exeC:\Windows\system32\Hgpibdam.exe116⤵PID:828
-
C:\Windows\SysWOW64\Hjoeoo32.exeC:\Windows\system32\Hjoeoo32.exe117⤵PID:3712
-
C:\Windows\SysWOW64\Hmmakk32.exeC:\Windows\system32\Hmmakk32.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:5356 -
C:\Windows\SysWOW64\Hddilh32.exeC:\Windows\system32\Hddilh32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5476 -
C:\Windows\SysWOW64\Hgbfhc32.exeC:\Windows\system32\Hgbfhc32.exe120⤵PID:2916
-
C:\Windows\SysWOW64\Hjabdo32.exeC:\Windows\system32\Hjabdo32.exe121⤵PID:4988
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-