Analysis
-
max time kernel
167s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
07/11/2023, 14:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.2a0f159f492ceb4ac95ca22ccd75016d.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.2a0f159f492ceb4ac95ca22ccd75016d.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.2a0f159f492ceb4ac95ca22ccd75016d.exe
-
Size
95KB
-
MD5
2a0f159f492ceb4ac95ca22ccd75016d
-
SHA1
3c333dd32d019b3d349820ee4319f172d2fdc218
-
SHA256
88ecdefb8742cb4c5d3d724afd74cb9ffc2ecc9d67de603792f045ac7b15c8b0
-
SHA512
45eef7df50232888618e960f74494405c9dffa3b5d9a78c79f9c3a2c1704ab24ec5cf3804905e29ec5121342a4353f97ed2ab9104ced024105eb67ff6815fdc9
-
SSDEEP
1536:7atuROF/IygJDEmI/fObjI6xnmSiT1ifgTY9RCOM6bOLXi8PmCofGV:Gtu0wJDNH7LCDrLXfzoeV
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alimnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnodkjhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngcngfgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkbcbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kifhkkci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmcnlc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpfggang.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kclnfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjlilndf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoalba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jefbomoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcpqafba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfjofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgfdojfm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofnhfbjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghanoeel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlldaape.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmojep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnldeg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqmnpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cofnba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfmic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Figgnm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khnfce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggmock32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jncobabm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paioplob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqkfapoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijdcljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgpilc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afboah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Falmabki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdjfmjhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcdepd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbbmgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nebmnqdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojkepmqp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjqinamq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfbbdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpbajp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjgellfb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfeeelm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jplkig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopefnnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnlpgibd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaehepeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okpkaqmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ennqpkcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klkcmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkcbhgii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igedenca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggoaje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdpiqehp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgkegn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbcelacq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pndoagfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahkdhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cofnba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ennqpkcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kciaqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkgekock.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgpilc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfgopnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkplilgk.exe -
Executes dropped EXE 64 IoCs
pid Process 2564 Khabke32.exe 4980 Kdpiqehp.exe 980 Lojfin32.exe 3932 Mdnebc32.exe 1972 Mccokj32.exe 2180 Namegfql.exe 496 Napameoi.exe 5052 Ookhfigk.exe 3780 Pijcpmhc.exe 3884 Pbljoafi.exe 3412 Qpbgnecp.exe 2236 Blgddd32.exe 1452 Clpgkcdj.exe 740 Clgmkbna.exe 1156 Dgfdojfm.exe 4404 Edoncm32.exe 1428 Fpmeimpn.exe 4996 Gjqinamq.exe 1316 Gqmnpk32.exe 4772 Hgbfhc32.exe 2820 Ifoijonj.exe 1904 Icefib32.exe 1828 Keghocao.exe 1584 Kmbmdeoj.exe 5056 Lennpb32.exe 4896 Moglpedd.exe 400 Ndkjik32.exe 4912 Oakjnnap.exe 60 Pkjegb32.exe 3024 Pnknim32.exe 4828 Pgeogb32.exe 2904 Agjhbbob.exe 3612 Akhaipei.exe 832 Afboah32.exe 336 Bpomem32.exe 4688 Ciogobcm.exe 3564 Cnlpgibd.exe 5040 Clpppmqn.exe 2660 Chinkndp.exe 5084 Decdeama.exe 3228 Diamko32.exe 3796 Eoconenj.exe 1808 Eihcln32.exe 4312 Epgdch32.exe 3292 Fpcdof32.exe 4744 Gckcap32.exe 3484 Hcaibo32.exe 3296 Hfbbdj32.exe 2300 Iqmplbpl.exe 3256 Iobmmoed.exe 3568 Ihjafd32.exe 1432 Ignnjk32.exe 1624 Jifabb32.exe 1648 Kciaqi32.exe 2248 Kclnfi32.exe 4352 Mfhgcbfo.exe 4844 Niihlkdm.exe 4088 Ndomiddc.exe 2500 Omjnhiiq.exe 2348 Pgkegn32.exe 1768 Pjoknhbe.exe 4360 Pphckb32.exe 1020 Akgjnj32.exe 784 Bjhgke32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Iokocmnf.exe Hagnihom.exe File created C:\Windows\SysWOW64\Kqgacpqf.dll Hfacai32.exe File opened for modification C:\Windows\SysWOW64\Ngbgmpcq.exe Nqioqf32.exe File created C:\Windows\SysWOW64\Apaagf32.dll Mbpdkabl.exe File created C:\Windows\SysWOW64\Fohkkdoe.dll Iikmlnae.exe File created C:\Windows\SysWOW64\Nkeodibl.dll Ebdlkdlp.exe File opened for modification C:\Windows\SysWOW64\Figgnm32.exe Fbmoabde.exe File created C:\Windows\SysWOW64\Cdpqko32.dll Mdnebc32.exe File created C:\Windows\SysWOW64\Ignnjk32.exe Ihjafd32.exe File created C:\Windows\SysWOW64\Kciaqi32.exe Jifabb32.exe File created C:\Windows\SysWOW64\Acphqk32.dll Dndlba32.exe File opened for modification C:\Windows\SysWOW64\Jggmnmmo.exe Jajdff32.exe File opened for modification C:\Windows\SysWOW64\Jgfcfajg.exe Jplkig32.exe File created C:\Windows\SysWOW64\Fijdcljo.exe Foapkfco.exe File opened for modification C:\Windows\SysWOW64\Dfiaomkb.exe Chagiqhm.exe File created C:\Windows\SysWOW64\Bbjogi32.dll Moglpedd.exe File created C:\Windows\SysWOW64\Khkbdfpg.dll Eegpkcbd.exe File opened for modification C:\Windows\SysWOW64\Gonilenb.exe Gmnmbbgp.exe File opened for modification C:\Windows\SysWOW64\Kedcml32.exe Jngbcj32.exe File created C:\Windows\SysWOW64\Bmaoao32.dll Mfqlph32.exe File created C:\Windows\SysWOW64\Lkcancmc.dll Ciqmjkno.exe File opened for modification C:\Windows\SysWOW64\Pgjfdm32.exe Pcgdcome.exe File created C:\Windows\SysWOW64\Kloaob32.dll Ildpbfmf.exe File created C:\Windows\SysWOW64\Ekokiaoh.dll Mqafbaap.exe File opened for modification C:\Windows\SysWOW64\Hkaoiemi.exe Gaadpqmp.exe File opened for modification C:\Windows\SysWOW64\Ebdlkdlp.exe Egnhnkmj.exe File opened for modification C:\Windows\SysWOW64\Pnknim32.exe Pkjegb32.exe File opened for modification C:\Windows\SysWOW64\Decdeama.exe Chinkndp.exe File created C:\Windows\SysWOW64\Aegphhqg.dll Jofaeb32.exe File created C:\Windows\SysWOW64\Bjhgke32.exe Akgjnj32.exe File opened for modification C:\Windows\SysWOW64\Edhjji32.exe Bpniaool.exe File opened for modification C:\Windows\SysWOW64\Kcndlf32.exe Kmdlolmg.exe File created C:\Windows\SysWOW64\Qhjojdql.dll Iobmmoed.exe File opened for modification C:\Windows\SysWOW64\Jfbdpabn.exe Ihjjln32.exe File opened for modification C:\Windows\SysWOW64\Akbjidbf.exe Pljcjn32.exe File created C:\Windows\SysWOW64\Kjccna32.exe Kqknekjf.exe File opened for modification C:\Windows\SysWOW64\Jplkig32.exe Igcgpalj.exe File opened for modification C:\Windows\SysWOW64\Gqmnpk32.exe Gjqinamq.exe File created C:\Windows\SysWOW64\Jfbdpabn.exe Ihjjln32.exe File created C:\Windows\SysWOW64\Lapcan32.dll Iqipcd32.exe File created C:\Windows\SysWOW64\Gjbpbd32.dll Napameoi.exe File created C:\Windows\SysWOW64\Igajka32.exe Iojbid32.exe File opened for modification C:\Windows\SysWOW64\Kciaqi32.exe Jifabb32.exe File created C:\Windows\SysWOW64\Iocliecb.exe Imbpam32.exe File created C:\Windows\SysWOW64\Mdiqpp32.dll Kloljf32.exe File created C:\Windows\SysWOW64\Hgbfhc32.exe Gqmnpk32.exe File created C:\Windows\SysWOW64\Ndkjik32.exe Moglpedd.exe File created C:\Windows\SysWOW64\Jkimgh32.dll Okpkaqmp.exe File created C:\Windows\SysWOW64\Fihnhc32.exe Ennqpkcm.exe File created C:\Windows\SysWOW64\Lojfin32.exe Kdpiqehp.exe File created C:\Windows\SysWOW64\Jfhbpmjb.dll Elepei32.exe File opened for modification C:\Windows\SysWOW64\Adbiojfo.exe Pmoabn32.exe File opened for modification C:\Windows\SysWOW64\Okpkaqmp.exe Nlfeeelm.exe File opened for modification C:\Windows\SysWOW64\Khmjga32.exe Kieaqe32.exe File opened for modification C:\Windows\SysWOW64\Hlldaape.exe Gmggpekm.exe File created C:\Windows\SysWOW64\Aaeomcoo.dll Maefnk32.exe File created C:\Windows\SysWOW64\Fhmpkmpm.exe Fachob32.exe File created C:\Windows\SysWOW64\Ponfdf32.exe Pajekb32.exe File opened for modification C:\Windows\SysWOW64\Lnldeg32.exe Lgblhmag.exe File opened for modification C:\Windows\SysWOW64\Dnondf32.exe Dhbelp32.exe File created C:\Windows\SysWOW64\Keinepch.exe Kbiede32.exe File opened for modification C:\Windows\SysWOW64\Namegfql.exe Mccokj32.exe File opened for modification C:\Windows\SysWOW64\Hoglmg32.exe Gmfpeoga.exe File created C:\Windows\SysWOW64\Paioplob.exe Pjofcb32.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 7456 7208 WerFault.exe 662 7572 7208 WerFault.exe 662 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lanpml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpomme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbmdnmdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egnhnkmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mccokj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgeam32.dll" Pjoknhbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpkdlkd.dll" Ookhfigk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnhppa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqbnpknn.dll" Gqhknd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcnbmdbj.dll" Pgjfdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdommbij.dll" Hhiacb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmggpekm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giliddlo.dll" Hndibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfacai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekficilg.dll" Bleebc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mahbck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agjhbbob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjafniab.dll" Kchdfpen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgbfbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljloii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dendok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnfgmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phhhbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gechnpid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lffhpnhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmnmbbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmoapqgi.dll" Lnldeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnefpdco.dll" Hchickeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehcfdc32.dll" Enomic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgfpal32.dll" Fgpilc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njcpok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjjinp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ciqmjkno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hipdjfoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idbonc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jggmnmmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hagbii32.dll" Nocphd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clfbdd32.dll" Faemjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efkbmp32.dll" Kcgnkgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kboldq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iejlih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhehmbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhfajo32.dll" Kicdke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlldaape.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akblpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbphca32.dll" Pbljoafi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kigoeagd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pndoagfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bojogb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moaojmpa.dll" Njcnafpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elidlmdb.dll" Ehndhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iafgob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfemnonh.dll" Lkdgqbag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Faeihogj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnbhhd32.dll" Gmnmbbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpbl32.dll" Peonhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kloaob32.dll" Ildpbfmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igcgpalj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnlpgibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfhdch32.dll" Ahofidlb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbflnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gonilenb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqdhecgn.dll" Mdkhkflh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kboldq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2088 wrote to memory of 2564 2088 NEAS.2a0f159f492ceb4ac95ca22ccd75016d.exe 90 PID 2088 wrote to memory of 2564 2088 NEAS.2a0f159f492ceb4ac95ca22ccd75016d.exe 90 PID 2088 wrote to memory of 2564 2088 NEAS.2a0f159f492ceb4ac95ca22ccd75016d.exe 90 PID 2564 wrote to memory of 4980 2564 Khabke32.exe 91 PID 2564 wrote to memory of 4980 2564 Khabke32.exe 91 PID 2564 wrote to memory of 4980 2564 Khabke32.exe 91 PID 4980 wrote to memory of 980 4980 Kdpiqehp.exe 92 PID 4980 wrote to memory of 980 4980 Kdpiqehp.exe 92 PID 4980 wrote to memory of 980 4980 Kdpiqehp.exe 92 PID 980 wrote to memory of 3932 980 Lojfin32.exe 93 PID 980 wrote to memory of 3932 980 Lojfin32.exe 93 PID 980 wrote to memory of 3932 980 Lojfin32.exe 93 PID 3932 wrote to memory of 1972 3932 Mdnebc32.exe 95 PID 3932 wrote to memory of 1972 3932 Mdnebc32.exe 95 PID 3932 wrote to memory of 1972 3932 Mdnebc32.exe 95 PID 1972 wrote to memory of 2180 1972 Mccokj32.exe 96 PID 1972 wrote to memory of 2180 1972 Mccokj32.exe 96 PID 1972 wrote to memory of 2180 1972 Mccokj32.exe 96 PID 2180 wrote to memory of 496 2180 Namegfql.exe 97 PID 2180 wrote to memory of 496 2180 Namegfql.exe 97 PID 2180 wrote to memory of 496 2180 Namegfql.exe 97 PID 496 wrote to memory of 5052 496 Napameoi.exe 98 PID 496 wrote to memory of 5052 496 Napameoi.exe 98 PID 496 wrote to memory of 5052 496 Napameoi.exe 98 PID 5052 wrote to memory of 3780 5052 Ookhfigk.exe 99 PID 5052 wrote to memory of 3780 5052 Ookhfigk.exe 99 PID 5052 wrote to memory of 3780 5052 Ookhfigk.exe 99 PID 3780 wrote to memory of 3884 3780 Pijcpmhc.exe 100 PID 3780 wrote to memory of 3884 3780 Pijcpmhc.exe 100 PID 3780 wrote to memory of 3884 3780 Pijcpmhc.exe 100 PID 3884 wrote to memory of 3412 3884 Pbljoafi.exe 101 PID 3884 wrote to memory of 3412 3884 Pbljoafi.exe 101 PID 3884 wrote to memory of 3412 3884 Pbljoafi.exe 101 PID 3412 wrote to memory of 2236 3412 Qpbgnecp.exe 102 PID 3412 wrote to memory of 2236 3412 Qpbgnecp.exe 102 PID 3412 wrote to memory of 2236 3412 Qpbgnecp.exe 102 PID 2236 wrote to memory of 1452 2236 Blgddd32.exe 104 PID 2236 wrote to memory of 1452 2236 Blgddd32.exe 104 PID 2236 wrote to memory of 1452 2236 Blgddd32.exe 104 PID 1452 wrote to memory of 740 1452 Clpgkcdj.exe 105 PID 1452 wrote to memory of 740 1452 Clpgkcdj.exe 105 PID 1452 wrote to memory of 740 1452 Clpgkcdj.exe 105 PID 740 wrote to memory of 1156 740 Clgmkbna.exe 106 PID 740 wrote to memory of 1156 740 Clgmkbna.exe 106 PID 740 wrote to memory of 1156 740 Clgmkbna.exe 106 PID 1156 wrote to memory of 4404 1156 Dgfdojfm.exe 107 PID 1156 wrote to memory of 4404 1156 Dgfdojfm.exe 107 PID 1156 wrote to memory of 4404 1156 Dgfdojfm.exe 107 PID 4404 wrote to memory of 1428 4404 Edoncm32.exe 108 PID 4404 wrote to memory of 1428 4404 Edoncm32.exe 108 PID 4404 wrote to memory of 1428 4404 Edoncm32.exe 108 PID 1428 wrote to memory of 4996 1428 Fpmeimpn.exe 109 PID 1428 wrote to memory of 4996 1428 Fpmeimpn.exe 109 PID 1428 wrote to memory of 4996 1428 Fpmeimpn.exe 109 PID 4996 wrote to memory of 1316 4996 Gjqinamq.exe 110 PID 4996 wrote to memory of 1316 4996 Gjqinamq.exe 110 PID 4996 wrote to memory of 1316 4996 Gjqinamq.exe 110 PID 1316 wrote to memory of 4772 1316 Gqmnpk32.exe 111 PID 1316 wrote to memory of 4772 1316 Gqmnpk32.exe 111 PID 1316 wrote to memory of 4772 1316 Gqmnpk32.exe 111 PID 4772 wrote to memory of 2820 4772 Hgbfhc32.exe 112 PID 4772 wrote to memory of 2820 4772 Hgbfhc32.exe 112 PID 4772 wrote to memory of 2820 4772 Hgbfhc32.exe 112 PID 2820 wrote to memory of 1904 2820 Ifoijonj.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.2a0f159f492ceb4ac95ca22ccd75016d.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.2a0f159f492ceb4ac95ca22ccd75016d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Khabke32.exeC:\Windows\system32\Khabke32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Kdpiqehp.exeC:\Windows\system32\Kdpiqehp.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Lojfin32.exeC:\Windows\system32\Lojfin32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
C:\Windows\SysWOW64\Mdnebc32.exeC:\Windows\system32\Mdnebc32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\Mccokj32.exeC:\Windows\system32\Mccokj32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Namegfql.exeC:\Windows\system32\Namegfql.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Napameoi.exeC:\Windows\system32\Napameoi.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:496 -
C:\Windows\SysWOW64\Ookhfigk.exeC:\Windows\system32\Ookhfigk.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Pijcpmhc.exeC:\Windows\system32\Pijcpmhc.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\Pbljoafi.exeC:\Windows\system32\Pbljoafi.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3884 -
C:\Windows\SysWOW64\Qpbgnecp.exeC:\Windows\system32\Qpbgnecp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Windows\SysWOW64\Blgddd32.exeC:\Windows\system32\Blgddd32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Clpgkcdj.exeC:\Windows\system32\Clpgkcdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Clgmkbna.exeC:\Windows\system32\Clgmkbna.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\SysWOW64\Dgfdojfm.exeC:\Windows\system32\Dgfdojfm.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Edoncm32.exeC:\Windows\system32\Edoncm32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\Fpmeimpn.exeC:\Windows\system32\Fpmeimpn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Gjqinamq.exeC:\Windows\system32\Gjqinamq.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\Gqmnpk32.exeC:\Windows\system32\Gqmnpk32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Hgbfhc32.exeC:\Windows\system32\Hgbfhc32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Ifoijonj.exeC:\Windows\system32\Ifoijonj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Icefib32.exeC:\Windows\system32\Icefib32.exe23⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Keghocao.exeC:\Windows\system32\Keghocao.exe24⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Kmbmdeoj.exeC:\Windows\system32\Kmbmdeoj.exe25⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Lennpb32.exeC:\Windows\system32\Lennpb32.exe26⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Moglpedd.exeC:\Windows\system32\Moglpedd.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4896 -
C:\Windows\SysWOW64\Ndkjik32.exeC:\Windows\system32\Ndkjik32.exe28⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Oakjnnap.exeC:\Windows\system32\Oakjnnap.exe29⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Pkjegb32.exeC:\Windows\system32\Pkjegb32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:60 -
C:\Windows\SysWOW64\Pnknim32.exeC:\Windows\system32\Pnknim32.exe31⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Pgeogb32.exeC:\Windows\system32\Pgeogb32.exe32⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Agjhbbob.exeC:\Windows\system32\Agjhbbob.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Akhaipei.exeC:\Windows\system32\Akhaipei.exe34⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Afboah32.exeC:\Windows\system32\Afboah32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Bpomem32.exeC:\Windows\system32\Bpomem32.exe36⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Ciogobcm.exeC:\Windows\system32\Ciogobcm.exe37⤵
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Cnlpgibd.exeC:\Windows\system32\Cnlpgibd.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3564 -
C:\Windows\SysWOW64\Clpppmqn.exeC:\Windows\system32\Clpppmqn.exe39⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Chinkndp.exeC:\Windows\system32\Chinkndp.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Decdeama.exeC:\Windows\system32\Decdeama.exe41⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Diamko32.exeC:\Windows\system32\Diamko32.exe42⤵
- Executes dropped EXE
PID:3228 -
C:\Windows\SysWOW64\Eoconenj.exeC:\Windows\system32\Eoconenj.exe43⤵
- Executes dropped EXE
PID:3796 -
C:\Windows\SysWOW64\Eihcln32.exeC:\Windows\system32\Eihcln32.exe44⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Epgdch32.exeC:\Windows\system32\Epgdch32.exe45⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Fpcdof32.exeC:\Windows\system32\Fpcdof32.exe46⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Gckcap32.exeC:\Windows\system32\Gckcap32.exe47⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Hcaibo32.exeC:\Windows\system32\Hcaibo32.exe48⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Hfbbdj32.exeC:\Windows\system32\Hfbbdj32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Iqmplbpl.exeC:\Windows\system32\Iqmplbpl.exe50⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Iobmmoed.exeC:\Windows\system32\Iobmmoed.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3256 -
C:\Windows\SysWOW64\Ihjafd32.exeC:\Windows\system32\Ihjafd32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3568 -
C:\Windows\SysWOW64\Ignnjk32.exeC:\Windows\system32\Ignnjk32.exe53⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Jifabb32.exeC:\Windows\system32\Jifabb32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Kciaqi32.exeC:\Windows\system32\Kciaqi32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Kclnfi32.exeC:\Windows\system32\Kclnfi32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Mfhgcbfo.exeC:\Windows\system32\Mfhgcbfo.exe57⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Niihlkdm.exeC:\Windows\system32\Niihlkdm.exe58⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Ndomiddc.exeC:\Windows\system32\Ndomiddc.exe59⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Omjnhiiq.exeC:\Windows\system32\Omjnhiiq.exe60⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Pgkegn32.exeC:\Windows\system32\Pgkegn32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Pjoknhbe.exeC:\Windows\system32\Pjoknhbe.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Pphckb32.exeC:\Windows\system32\Pphckb32.exe63⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Akgjnj32.exeC:\Windows\system32\Akgjnj32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1020 -
C:\Windows\SysWOW64\Bjhgke32.exeC:\Windows\system32\Bjhgke32.exe65⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Ciqmjkno.exeC:\Windows\system32\Ciqmjkno.exe66⤵
- Drops file in System32 directory
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Cejjdlap.exeC:\Windows\system32\Cejjdlap.exe67⤵PID:1896
-
C:\Windows\SysWOW64\Cnboma32.exeC:\Windows\system32\Cnboma32.exe68⤵PID:1324
-
C:\Windows\SysWOW64\Cigcjj32.exeC:\Windows\system32\Cigcjj32.exe69⤵PID:560
-
C:\Windows\SysWOW64\Dndlba32.exeC:\Windows\system32\Dndlba32.exe70⤵
- Drops file in System32 directory
PID:4128 -
C:\Windows\SysWOW64\Dendok32.exeC:\Windows\system32\Dendok32.exe71⤵
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Diafqi32.exeC:\Windows\system32\Diafqi32.exe72⤵PID:4588
-
C:\Windows\SysWOW64\Fhbbmc32.exeC:\Windows\system32\Fhbbmc32.exe73⤵PID:2836
-
C:\Windows\SysWOW64\Gbecljnl.exeC:\Windows\system32\Gbecljnl.exe74⤵PID:3840
-
C:\Windows\SysWOW64\Ihjjln32.exeC:\Windows\system32\Ihjjln32.exe75⤵
- Drops file in System32 directory
PID:3392 -
C:\Windows\SysWOW64\Jfbdpabn.exeC:\Windows\system32\Jfbdpabn.exe76⤵PID:4992
-
C:\Windows\SysWOW64\Kofheeoq.exeC:\Windows\system32\Kofheeoq.exe77⤵PID:3328
-
C:\Windows\SysWOW64\Kkabefqp.exeC:\Windows\system32\Kkabefqp.exe78⤵PID:2864
-
C:\Windows\SysWOW64\Mfhpilbc.exeC:\Windows\system32\Mfhpilbc.exe79⤵PID:3900
-
C:\Windows\SysWOW64\Mminfech.exeC:\Windows\system32\Mminfech.exe80⤵PID:1680
-
C:\Windows\SysWOW64\Pkdngf32.exeC:\Windows\system32\Pkdngf32.exe81⤵PID:5128
-
C:\Windows\SysWOW64\Ppccemjk.exeC:\Windows\system32\Ppccemjk.exe82⤵PID:5184
-
C:\Windows\SysWOW64\Pljcjn32.exeC:\Windows\system32\Pljcjn32.exe83⤵
- Drops file in System32 directory
PID:5248 -
C:\Windows\SysWOW64\Akbjidbf.exeC:\Windows\system32\Akbjidbf.exe84⤵PID:5300
-
C:\Windows\SysWOW64\Bkbcpb32.exeC:\Windows\system32\Bkbcpb32.exe85⤵PID:5344
-
C:\Windows\SysWOW64\Cjlilndf.exeC:\Windows\system32\Cjlilndf.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5384 -
C:\Windows\SysWOW64\Cklffq32.exeC:\Windows\system32\Cklffq32.exe87⤵PID:5428
-
C:\Windows\SysWOW64\Cjcolm32.exeC:\Windows\system32\Cjcolm32.exe88⤵PID:5472
-
C:\Windows\SysWOW64\Dkgeao32.exeC:\Windows\system32\Dkgeao32.exe89⤵PID:5516
-
C:\Windows\SysWOW64\Eegpkcbd.exeC:\Windows\system32\Eegpkcbd.exe90⤵
- Drops file in System32 directory
PID:5564 -
C:\Windows\SysWOW64\Falmabki.exeC:\Windows\system32\Falmabki.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5604 -
C:\Windows\SysWOW64\Fjdajhbi.exeC:\Windows\system32\Fjdajhbi.exe92⤵PID:5648
-
C:\Windows\SysWOW64\Gechnpid.exeC:\Windows\system32\Gechnpid.exe93⤵
- Modifies registry class
PID:5688 -
C:\Windows\SysWOW64\Gmnmbbgp.exeC:\Windows\system32\Gmnmbbgp.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:5728 -
C:\Windows\SysWOW64\Gonilenb.exeC:\Windows\system32\Gonilenb.exe95⤵
- Modifies registry class
PID:5776 -
C:\Windows\SysWOW64\Hoepmd32.exeC:\Windows\system32\Hoepmd32.exe96⤵PID:5816
-
C:\Windows\SysWOW64\Hahedoci.exeC:\Windows\system32\Hahedoci.exe97⤵PID:5856
-
C:\Windows\SysWOW64\Iolfmcbb.exeC:\Windows\system32\Iolfmcbb.exe98⤵PID:5900
-
C:\Windows\SysWOW64\Iaokdn32.exeC:\Windows\system32\Iaokdn32.exe99⤵PID:5940
-
C:\Windows\SysWOW64\Ildpbfmf.exeC:\Windows\system32\Ildpbfmf.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:5988 -
C:\Windows\SysWOW64\Jlponebi.exeC:\Windows\system32\Jlponebi.exe101⤵PID:6028
-
C:\Windows\SysWOW64\Khnfce32.exeC:\Windows\system32\Khnfce32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6064 -
C:\Windows\SysWOW64\Knkokl32.exeC:\Windows\system32\Knkokl32.exe103⤵PID:6104
-
C:\Windows\SysWOW64\Klloichl.exeC:\Windows\system32\Klloichl.exe104⤵PID:1552
-
C:\Windows\SysWOW64\Loodqn32.exeC:\Windows\system32\Loodqn32.exe105⤵PID:5136
-
C:\Windows\SysWOW64\Lkhbko32.exeC:\Windows\system32\Lkhbko32.exe106⤵PID:3932
-
C:\Windows\SysWOW64\Lbbjhini.exeC:\Windows\system32\Lbbjhini.exe107⤵PID:5140
-
C:\Windows\SysWOW64\Melfpb32.exeC:\Windows\system32\Melfpb32.exe108⤵PID:496
-
C:\Windows\SysWOW64\Ofnhfbjl.exeC:\Windows\system32\Ofnhfbjl.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5268 -
C:\Windows\SysWOW64\Olkqnjhd.exeC:\Windows\system32\Olkqnjhd.exe110⤵PID:4392
-
C:\Windows\SysWOW64\Pbcelacq.exeC:\Windows\system32\Pbcelacq.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5448 -
C:\Windows\SysWOW64\Aoalba32.exeC:\Windows\system32\Aoalba32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5512 -
C:\Windows\SysWOW64\Agojdnng.exeC:\Windows\system32\Agojdnng.exe113⤵PID:2472
-
C:\Windows\SysWOW64\Amibqhed.exeC:\Windows\system32\Amibqhed.exe114⤵PID:740
-
C:\Windows\SysWOW64\Bmlofhca.exeC:\Windows\system32\Bmlofhca.exe115⤵PID:5620
-
C:\Windows\SysWOW64\Bleebc32.exeC:\Windows\system32\Bleebc32.exe116⤵
- Modifies registry class
PID:5668 -
C:\Windows\SysWOW64\Dcpffk32.exeC:\Windows\system32\Dcpffk32.exe117⤵PID:4508
-
C:\Windows\SysWOW64\Dnekcd32.exeC:\Windows\system32\Dnekcd32.exe118⤵PID:1428
-
C:\Windows\SysWOW64\Dofgklcb.exeC:\Windows\system32\Dofgklcb.exe119⤵PID:5824
-
C:\Windows\SysWOW64\Djlkhe32.exeC:\Windows\system32\Djlkhe32.exe120⤵PID:2280
-
C:\Windows\SysWOW64\Dcdpakii.exeC:\Windows\system32\Dcdpakii.exe121⤵PID:5932
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-