Analysis
-
max time kernel
161s -
max time network
169s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
07/11/2023, 17:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.c9b9e3e39232f874925d4ea4ffba1110.exe
Resource
win7-20231020-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.c9b9e3e39232f874925d4ea4ffba1110.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.c9b9e3e39232f874925d4ea4ffba1110.exe
-
Size
1.6MB
-
MD5
c9b9e3e39232f874925d4ea4ffba1110
-
SHA1
9790f37a7da1e23f7a041599967f78fd0b8b80a3
-
SHA256
18d591ef65e7e78ff127a01cd6778e706b44912c03f50b6a7ea4f8c88e04e7fd
-
SHA512
c834aca3b793148e7896463e30bb5f4eca013c5a4548f6d7afb2d603eb44c776135ed9169512918edeb6ef79cdff07a83a14a9a6407caf191d1d1473c40cf2df
-
SSDEEP
24576:x/PF5h3q5hrq5h3q5hFw75h3q5hrq5h3q5hs:xp
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgencf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdodeedi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aochga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plijbblh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnmdojp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfeqnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faemjl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hphglf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnkgakpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbhina32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdloelpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijnqld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fikbhiaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpabho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plhcglil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfimmhkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikijenab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pahppihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojdnbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onjmjegg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iobecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhihnihm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgeiokao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnbifmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nllleapo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fapdomgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhijjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjpek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoecol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbkdgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bllble32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofijifbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olfolp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oheienli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pilpfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfjcep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gilajmfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keoeel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Didjkbim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehcfkhel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naejcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmikoggm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgapmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnbfjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neoink32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkqliaki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kafcadej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohfhqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inecac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkegbfgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nccqbeec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nknolaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofcaab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Didjkbim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdfobe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blecdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmjefkap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpjfdcb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obidcdfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfodpbpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkmgladi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlohjpoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgebfhcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmoagk32.exe -
Executes dropped EXE 64 IoCs
pid Process 552 Pejkmk32.exe 3552 Paiogf32.exe 1508 Ieccbbkn.exe 2820 Joekag32.exe 4892 Jikoopij.exe 2664 Kakmna32.exe 2608 Llnnmhfe.exe 1600 Mhjhmhhd.exe 3684 Mjidgkog.exe 3472 Ocgkan32.exe 3584 Ojqcnhkl.exe 2500 Oqoefand.exe 1520 Djegekil.exe 2256 Daollh32.exe 5028 Ephbhd32.exe 3500 Fjeplijj.exe 4244 Fgnjqm32.exe 1568 Fqikob32.exe 3368 Gqkhda32.exe 920 Ggjjlk32.exe 4016 Hgapmj32.exe 2412 Hgeihiac.exe 3672 Ibnjkbog.exe 448 Ibbcfa32.exe 3000 Ijpepcfj.exe 1780 Jehfcl32.exe 3528 Jaemilci.exe 2556 Kahinkaf.exe 1004 Kajfdk32.exe 724 Kalcik32.exe 4496 Kaopoj32.exe 2840 Kaaldjil.exe 1232 Ldbefe32.exe 4552 Lhpnlclc.exe 2896 Lahbei32.exe 1284 Llpchaqg.exe 1412 Moalil32.exe 3960 Mahklf32.exe 1560 Nkapelka.exe 1592 Ncjdki32.exe 1076 Noaeqjpe.exe 3444 Nbbnbemf.exe 4184 Oljoen32.exe 1256 Obidcdfo.exe 2952 Obkahddl.exe 2172 Oheienli.exe 4704 Odljjo32.exe 3972 Ooangh32.exe 2900 Pkholi32.exe 3176 Pilpfm32.exe 3816 Pecpknke.exe 4996 Pfbmdabh.exe 3652 Pbimjb32.exe 2804 Pmoagk32.exe 2472 Pbljoafi.exe 900 Qifbll32.exe 4948 Qfjcep32.exe 4800 Qpbgnecp.exe 1344 Ojhnlh32.exe 956 Akdfndpd.exe 1600 Idmhqi32.exe 548 Jnjednnp.exe 640 Jkqccbkf.exe 1252 Jamhflqq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dajfhepb.dll Lkqliaki.exe File opened for modification C:\Windows\SysWOW64\Moalil32.exe Llpchaqg.exe File created C:\Windows\SysWOW64\Nmommn32.exe Nbiioe32.exe File opened for modification C:\Windows\SysWOW64\Gfimpfmj.exe Alplfpbp.exe File created C:\Windows\SysWOW64\Lapcan32.dll Iklgkmop.exe File created C:\Windows\SysWOW64\Pkcannmj.exe Pahppihl.exe File created C:\Windows\SysWOW64\Mahklf32.exe Moalil32.exe File opened for modification C:\Windows\SysWOW64\Oljoen32.exe Nbbnbemf.exe File created C:\Windows\SysWOW64\Koceep32.exe Jamhflqq.exe File opened for modification C:\Windows\SysWOW64\Empococc.exe Ehcfkhel.exe File opened for modification C:\Windows\SysWOW64\Phodlm32.exe Plhcglil.exe File created C:\Windows\SysWOW64\Emkeho32.exe Edcqojqh.exe File created C:\Windows\SysWOW64\Mbhpjd32.dll Kiejfo32.exe File opened for modification C:\Windows\SysWOW64\Malgmm32.exe Mhdbdgjl.exe File created C:\Windows\SysWOW64\Bfbjhh32.dll Idahcm32.exe File created C:\Windows\SysWOW64\Gqkhda32.exe Fqikob32.exe File opened for modification C:\Windows\SysWOW64\Klgend32.exe Koceep32.exe File created C:\Windows\SysWOW64\Ionlhlld.exe Ihcclb32.exe File created C:\Windows\SysWOW64\Hnkkaaai.dll Nebdighb.exe File opened for modification C:\Windows\SysWOW64\Mgebfhcl.exe Mbhina32.exe File opened for modification C:\Windows\SysWOW64\Plocob32.exe Ongijo32.exe File created C:\Windows\SysWOW64\Ifmfdg32.dll Cglgck32.exe File created C:\Windows\SysWOW64\Gjmgafni.dll Hhiacb32.exe File opened for modification C:\Windows\SysWOW64\Ikqqfm32.exe Ibhlmgdj.exe File created C:\Windows\SysWOW64\Ldeakhad.dll Dcdnce32.exe File created C:\Windows\SysWOW64\Elnoifjg.exe Efafqolp.exe File opened for modification C:\Windows\SysWOW64\Pmoagk32.exe Pbimjb32.exe File created C:\Windows\SysWOW64\Ffihqa32.dll Kafcadej.exe File created C:\Windows\SysWOW64\Mkcjlf32.exe Mqnfon32.exe File created C:\Windows\SysWOW64\Kimgad32.exe Kfnkeh32.exe File opened for modification C:\Windows\SysWOW64\Bkmmkj32.exe Bfpdcc32.exe File opened for modification C:\Windows\SysWOW64\Lkfeeo32.exe Lfimmhkg.exe File created C:\Windows\SysWOW64\Ejohcl32.dll Mflgff32.exe File created C:\Windows\SysWOW64\Cglgck32.exe Bciebm32.exe File created C:\Windows\SysWOW64\Ikndpm32.exe Iklgkmop.exe File opened for modification C:\Windows\SysWOW64\Kdigkjpl.exe Kjccna32.exe File created C:\Windows\SysWOW64\Llmpco32.exe Liocgc32.exe File created C:\Windows\SysWOW64\Ibcmbpec.dll Gighom32.exe File created C:\Windows\SysWOW64\Kbhedopp.dll Noeaaqlq.exe File created C:\Windows\SysWOW64\Hmpjfdcb.exe Hgfaij32.exe File created C:\Windows\SysWOW64\Emihbp32.exe Edqdij32.exe File created C:\Windows\SysWOW64\Gilajmfp.exe Gdoiaf32.exe File created C:\Windows\SysWOW64\Egcpch32.dll Pkpmnh32.exe File created C:\Windows\SysWOW64\Eeeaodnk.dll Kakmna32.exe File opened for modification C:\Windows\SysWOW64\Hgapmj32.exe Ggjjlk32.exe File opened for modification C:\Windows\SysWOW64\Lhpnlclc.exe Ldbefe32.exe File opened for modification C:\Windows\SysWOW64\Llqhdb32.exe Kbkdgj32.exe File created C:\Windows\SysWOW64\Iobecl32.exe Idmafc32.exe File created C:\Windows\SysWOW64\Ongijo32.exe Oijqbh32.exe File opened for modification C:\Windows\SysWOW64\Ifbbbl32.exe Ifpemmdd.exe File created C:\Windows\SysWOW64\Hpmpgfhd.exe Hkpgooim.exe File created C:\Windows\SysWOW64\Kaaldjil.exe Kaopoj32.exe File created C:\Windows\SysWOW64\Pecpknke.exe Pilpfm32.exe File created C:\Windows\SysWOW64\Oagoeala.dll Lilbdcfe.exe File created C:\Windows\SysWOW64\Mfjddb32.dll Hdodeedi.exe File created C:\Windows\SysWOW64\Phblmhjl.dll Mgoboake.exe File opened for modification C:\Windows\SysWOW64\Mlohjpoi.exe Meepne32.exe File created C:\Windows\SysWOW64\Nnpalk32.exe Nalpbf32.exe File opened for modification C:\Windows\SysWOW64\Mkcjlf32.exe Mqnfon32.exe File created C:\Windows\SysWOW64\Cmanfl32.dll Kpbfbo32.exe File created C:\Windows\SysWOW64\Deehck32.dll Gijedm32.exe File created C:\Windows\SysWOW64\Bpbnelgn.dll Ecpmod32.exe File opened for modification C:\Windows\SysWOW64\Ndcoeq32.exe Nmighf32.exe File created C:\Windows\SysWOW64\Gocofijd.dll Ohceqo32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kakmna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmjjlh32.dll" Hnfafpfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibnlbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqiiamjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkenkhec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neimao32.dll" Plocob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pblhalfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljfei32.dll" Ahpdnaci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldbefe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkfeeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdodeedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Habeni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Midfiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohceqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" NEAS.c9b9e3e39232f874925d4ea4ffba1110.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnoand32.dll" Oemofpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qefkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odbblp32.dll" Kflnpild.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gackgo32.dll" Aohpek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojqcnhkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paohbmke.dll" Llqhdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kflnpild.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpjlgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fleqmmon.dll" Hplimpdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjidgkog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocgkan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmodfqhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpikao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbbhajkd.dll" Ghhhmebd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oceidi32.dll" Jncfmgfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhdqhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fabqdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqpoja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naejcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bckdggcn.dll" Cofemg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqpqghgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijpcbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iobecl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngdmhimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdkadb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kepdfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlhkqngo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nijmbbnl.dll" Ggjjlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kahinkaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oijgmokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clhbhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcacpg32.dll" Emhdeoel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iciaji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieknccaj.dll" Mqpqghgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgpfqchb.dll" Joekag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihdmd32.dll" Jbdbcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jligio32.dll" Ncfmhecp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgpilc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nimbdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pimkkfka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgofoamj.dll" Odjeepna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqkhda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llqhdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkbbn32.dll" Mbkmngfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgekepjo.dll" Onecof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqbpjmeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpfmc32.dll" Kicdke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpbfbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gilajmfp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4796 wrote to memory of 552 4796 NEAS.c9b9e3e39232f874925d4ea4ffba1110.exe 88 PID 4796 wrote to memory of 552 4796 NEAS.c9b9e3e39232f874925d4ea4ffba1110.exe 88 PID 4796 wrote to memory of 552 4796 NEAS.c9b9e3e39232f874925d4ea4ffba1110.exe 88 PID 552 wrote to memory of 3552 552 Pejkmk32.exe 91 PID 552 wrote to memory of 3552 552 Pejkmk32.exe 91 PID 552 wrote to memory of 3552 552 Pejkmk32.exe 91 PID 3552 wrote to memory of 1508 3552 Paiogf32.exe 92 PID 3552 wrote to memory of 1508 3552 Paiogf32.exe 92 PID 3552 wrote to memory of 1508 3552 Paiogf32.exe 92 PID 1508 wrote to memory of 2820 1508 Ieccbbkn.exe 93 PID 1508 wrote to memory of 2820 1508 Ieccbbkn.exe 93 PID 1508 wrote to memory of 2820 1508 Ieccbbkn.exe 93 PID 2820 wrote to memory of 4892 2820 Joekag32.exe 94 PID 2820 wrote to memory of 4892 2820 Joekag32.exe 94 PID 2820 wrote to memory of 4892 2820 Joekag32.exe 94 PID 4892 wrote to memory of 2664 4892 Jikoopij.exe 97 PID 4892 wrote to memory of 2664 4892 Jikoopij.exe 97 PID 4892 wrote to memory of 2664 4892 Jikoopij.exe 97 PID 2664 wrote to memory of 2608 2664 Kakmna32.exe 98 PID 2664 wrote to memory of 2608 2664 Kakmna32.exe 98 PID 2664 wrote to memory of 2608 2664 Kakmna32.exe 98 PID 2608 wrote to memory of 1600 2608 Llnnmhfe.exe 99 PID 2608 wrote to memory of 1600 2608 Llnnmhfe.exe 99 PID 2608 wrote to memory of 1600 2608 Llnnmhfe.exe 99 PID 1600 wrote to memory of 3684 1600 Mhjhmhhd.exe 101 PID 1600 wrote to memory of 3684 1600 Mhjhmhhd.exe 101 PID 1600 wrote to memory of 3684 1600 Mhjhmhhd.exe 101 PID 3684 wrote to memory of 3472 3684 Mjidgkog.exe 102 PID 3684 wrote to memory of 3472 3684 Mjidgkog.exe 102 PID 3684 wrote to memory of 3472 3684 Mjidgkog.exe 102 PID 3472 wrote to memory of 3584 3472 Ocgkan32.exe 103 PID 3472 wrote to memory of 3584 3472 Ocgkan32.exe 103 PID 3472 wrote to memory of 3584 3472 Ocgkan32.exe 103 PID 3584 wrote to memory of 2500 3584 Ojqcnhkl.exe 105 PID 3584 wrote to memory of 2500 3584 Ojqcnhkl.exe 105 PID 3584 wrote to memory of 2500 3584 Ojqcnhkl.exe 105 PID 2500 wrote to memory of 1520 2500 Oqoefand.exe 106 PID 2500 wrote to memory of 1520 2500 Oqoefand.exe 106 PID 2500 wrote to memory of 1520 2500 Oqoefand.exe 106 PID 1520 wrote to memory of 2256 1520 Djegekil.exe 108 PID 1520 wrote to memory of 2256 1520 Djegekil.exe 108 PID 1520 wrote to memory of 2256 1520 Djegekil.exe 108 PID 2256 wrote to memory of 5028 2256 Daollh32.exe 110 PID 2256 wrote to memory of 5028 2256 Daollh32.exe 110 PID 2256 wrote to memory of 5028 2256 Daollh32.exe 110 PID 5028 wrote to memory of 3500 5028 Ephbhd32.exe 111 PID 5028 wrote to memory of 3500 5028 Ephbhd32.exe 111 PID 5028 wrote to memory of 3500 5028 Ephbhd32.exe 111 PID 3500 wrote to memory of 4244 3500 Fjeplijj.exe 112 PID 3500 wrote to memory of 4244 3500 Fjeplijj.exe 112 PID 3500 wrote to memory of 4244 3500 Fjeplijj.exe 112 PID 4244 wrote to memory of 1568 4244 Fgnjqm32.exe 113 PID 4244 wrote to memory of 1568 4244 Fgnjqm32.exe 113 PID 4244 wrote to memory of 1568 4244 Fgnjqm32.exe 113 PID 1568 wrote to memory of 3368 1568 Fqikob32.exe 114 PID 1568 wrote to memory of 3368 1568 Fqikob32.exe 114 PID 1568 wrote to memory of 3368 1568 Fqikob32.exe 114 PID 3368 wrote to memory of 920 3368 Gqkhda32.exe 115 PID 3368 wrote to memory of 920 3368 Gqkhda32.exe 115 PID 3368 wrote to memory of 920 3368 Gqkhda32.exe 115 PID 920 wrote to memory of 4016 920 Ggjjlk32.exe 116 PID 920 wrote to memory of 4016 920 Ggjjlk32.exe 116 PID 920 wrote to memory of 4016 920 Ggjjlk32.exe 116 PID 4016 wrote to memory of 2412 4016 Hgapmj32.exe 117
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c9b9e3e39232f874925d4ea4ffba1110.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.c9b9e3e39232f874925d4ea4ffba1110.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Pejkmk32.exeC:\Windows\system32\Pejkmk32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Paiogf32.exeC:\Windows\system32\Paiogf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\SysWOW64\Ieccbbkn.exeC:\Windows\system32\Ieccbbkn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Joekag32.exeC:\Windows\system32\Joekag32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Jikoopij.exeC:\Windows\system32\Jikoopij.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\Kakmna32.exeC:\Windows\system32\Kakmna32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Llnnmhfe.exeC:\Windows\system32\Llnnmhfe.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Mhjhmhhd.exeC:\Windows\system32\Mhjhmhhd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Mjidgkog.exeC:\Windows\system32\Mjidgkog.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\Ocgkan32.exeC:\Windows\system32\Ocgkan32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\Ojqcnhkl.exeC:\Windows\system32\Ojqcnhkl.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Windows\SysWOW64\Oqoefand.exeC:\Windows\system32\Oqoefand.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Djegekil.exeC:\Windows\system32\Djegekil.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Daollh32.exeC:\Windows\system32\Daollh32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Ephbhd32.exeC:\Windows\system32\Ephbhd32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Fjeplijj.exeC:\Windows\system32\Fjeplijj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\Fgnjqm32.exeC:\Windows\system32\Fgnjqm32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Fqikob32.exeC:\Windows\system32\Fqikob32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Gqkhda32.exeC:\Windows\system32\Gqkhda32.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\SysWOW64\Ggjjlk32.exeC:\Windows\system32\Ggjjlk32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\Hgapmj32.exeC:\Windows\system32\Hgapmj32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\Hgeihiac.exeC:\Windows\system32\Hgeihiac.exe23⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Ibnjkbog.exeC:\Windows\system32\Ibnjkbog.exe24⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Ibbcfa32.exeC:\Windows\system32\Ibbcfa32.exe25⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Ijpepcfj.exeC:\Windows\system32\Ijpepcfj.exe26⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Jehfcl32.exeC:\Windows\system32\Jehfcl32.exe27⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Jaemilci.exeC:\Windows\system32\Jaemilci.exe28⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Kahinkaf.exeC:\Windows\system32\Kahinkaf.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Kajfdk32.exeC:\Windows\system32\Kajfdk32.exe30⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Kalcik32.exeC:\Windows\system32\Kalcik32.exe31⤵
- Executes dropped EXE
PID:724 -
C:\Windows\SysWOW64\Kaopoj32.exeC:\Windows\system32\Kaopoj32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4496 -
C:\Windows\SysWOW64\Kaaldjil.exeC:\Windows\system32\Kaaldjil.exe33⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Ldbefe32.exeC:\Windows\system32\Ldbefe32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Lhpnlclc.exeC:\Windows\system32\Lhpnlclc.exe35⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Lahbei32.exeC:\Windows\system32\Lahbei32.exe36⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Llpchaqg.exeC:\Windows\system32\Llpchaqg.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1284 -
C:\Windows\SysWOW64\Moalil32.exeC:\Windows\system32\Moalil32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1412 -
C:\Windows\SysWOW64\Mahklf32.exeC:\Windows\system32\Mahklf32.exe39⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Nkapelka.exeC:\Windows\system32\Nkapelka.exe40⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Ncjdki32.exeC:\Windows\system32\Ncjdki32.exe41⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Noaeqjpe.exeC:\Windows\system32\Noaeqjpe.exe42⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Nbbnbemf.exeC:\Windows\system32\Nbbnbemf.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3444 -
C:\Windows\SysWOW64\Oljoen32.exeC:\Windows\system32\Oljoen32.exe44⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Obidcdfo.exeC:\Windows\system32\Obidcdfo.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Obkahddl.exeC:\Windows\system32\Obkahddl.exe46⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Oheienli.exeC:\Windows\system32\Oheienli.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Odljjo32.exeC:\Windows\system32\Odljjo32.exe48⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Ooangh32.exeC:\Windows\system32\Ooangh32.exe49⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Pkholi32.exeC:\Windows\system32\Pkholi32.exe50⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Pilpfm32.exeC:\Windows\system32\Pilpfm32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3176 -
C:\Windows\SysWOW64\Pecpknke.exeC:\Windows\system32\Pecpknke.exe52⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Pfbmdabh.exeC:\Windows\system32\Pfbmdabh.exe53⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Pbimjb32.exeC:\Windows\system32\Pbimjb32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3652 -
C:\Windows\SysWOW64\Pmoagk32.exeC:\Windows\system32\Pmoagk32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Pbljoafi.exeC:\Windows\system32\Pbljoafi.exe56⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Qifbll32.exeC:\Windows\system32\Qifbll32.exe57⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Qfjcep32.exeC:\Windows\system32\Qfjcep32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Qpbgnecp.exeC:\Windows\system32\Qpbgnecp.exe59⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Ojhnlh32.exeC:\Windows\system32\Ojhnlh32.exe60⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Akdfndpd.exeC:\Windows\system32\Akdfndpd.exe61⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Idmhqi32.exeC:\Windows\system32\Idmhqi32.exe62⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Jnjednnp.exeC:\Windows\system32\Jnjednnp.exe63⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Jkqccbkf.exeC:\Windows\system32\Jkqccbkf.exe64⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Jamhflqq.exeC:\Windows\system32\Jamhflqq.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1252 -
C:\Windows\SysWOW64\Koceep32.exeC:\Windows\system32\Koceep32.exe66⤵
- Drops file in System32 directory
PID:1232 -
C:\Windows\SysWOW64\Klgend32.exeC:\Windows\system32\Klgend32.exe67⤵PID:3456
-
C:\Windows\SysWOW64\Khnfce32.exeC:\Windows\system32\Khnfce32.exe68⤵PID:4384
-
C:\Windows\SysWOW64\Knkokl32.exeC:\Windows\system32\Knkokl32.exe69⤵PID:4256
-
C:\Windows\SysWOW64\Kdeghfhj.exeC:\Windows\system32\Kdeghfhj.exe70⤵PID:3556
-
C:\Windows\SysWOW64\Kkooep32.exeC:\Windows\system32\Kkooep32.exe71⤵PID:1584
-
C:\Windows\SysWOW64\Khbpndnp.exeC:\Windows\system32\Khbpndnp.exe72⤵PID:2412
-
C:\Windows\SysWOW64\Kbkdgj32.exeC:\Windows\system32\Kbkdgj32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Llqhdb32.exeC:\Windows\system32\Llqhdb32.exe74⤵
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Lfimmhkg.exeC:\Windows\system32\Lfimmhkg.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3972 -
C:\Windows\SysWOW64\Lkfeeo32.exeC:\Windows\system32\Lkfeeo32.exe76⤵
- Modifies registry class
PID:4292 -
C:\Windows\SysWOW64\Lhjeoc32.exeC:\Windows\system32\Lhjeoc32.exe77⤵PID:3684
-
C:\Windows\SysWOW64\Lnfngj32.exeC:\Windows\system32\Lnfngj32.exe78⤵PID:1528
-
C:\Windows\SysWOW64\Lilbdcfe.exeC:\Windows\system32\Lilbdcfe.exe79⤵
- Drops file in System32 directory
PID:3348 -
C:\Windows\SysWOW64\Mbiphhhq.exeC:\Windows\system32\Mbiphhhq.exe80⤵PID:2472
-
C:\Windows\SysWOW64\Mmodfqhf.exeC:\Windows\system32\Mmodfqhf.exe81⤵
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Mbkmngfn.exeC:\Windows\system32\Mbkmngfn.exe82⤵
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Mieeka32.exeC:\Windows\system32\Mieeka32.exe83⤵PID:5064
-
C:\Windows\SysWOW64\Moomgl32.exeC:\Windows\system32\Moomgl32.exe84⤵PID:4496
-
C:\Windows\SysWOW64\Melfpb32.exeC:\Windows\system32\Melfpb32.exe85⤵PID:1308
-
C:\Windows\SysWOW64\Mmcnap32.exeC:\Windows\system32\Mmcnap32.exe86⤵PID:3000
-
C:\Windows\SysWOW64\Mndjhhjp.exeC:\Windows\system32\Mndjhhjp.exe87⤵PID:4512
-
C:\Windows\SysWOW64\Mijofaje.exeC:\Windows\system32\Mijofaje.exe88⤵PID:808
-
C:\Windows\SysWOW64\Mpdgbkab.exeC:\Windows\system32\Mpdgbkab.exe89⤵PID:2504
-
C:\Windows\SysWOW64\Nkkggl32.exeC:\Windows\system32\Nkkggl32.exe90⤵PID:400
-
C:\Windows\SysWOW64\Nfpled32.exeC:\Windows\system32\Nfpled32.exe91⤵PID:2908
-
C:\Windows\SysWOW64\Nbgljf32.exeC:\Windows\system32\Nbgljf32.exe92⤵PID:2036
-
C:\Windows\SysWOW64\Nmmqgo32.exeC:\Windows\system32\Nmmqgo32.exe93⤵PID:900
-
C:\Windows\SysWOW64\Nbiioe32.exeC:\Windows\system32\Nbiioe32.exe94⤵
- Drops file in System32 directory
PID:4232 -
C:\Windows\SysWOW64\Nmommn32.exeC:\Windows\system32\Nmommn32.exe95⤵PID:980
-
C:\Windows\SysWOW64\Nfgbec32.exeC:\Windows\system32\Nfgbec32.exe96⤵PID:2544
-
C:\Windows\SysWOW64\Nnbfjf32.exeC:\Windows\system32\Nnbfjf32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2516 -
C:\Windows\SysWOW64\Oemofpel.exeC:\Windows\system32\Oemofpel.exe98⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Onecof32.exeC:\Windows\system32\Onecof32.exe99⤵
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Oijgmokc.exeC:\Windows\system32\Oijgmokc.exe100⤵
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Oimdbnip.exeC:\Windows\system32\Oimdbnip.exe101⤵PID:4796
-
C:\Windows\SysWOW64\Onjmjegg.exeC:\Windows\system32\Onjmjegg.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2672 -
C:\Windows\SysWOW64\Omkmhlpf.exeC:\Windows\system32\Omkmhlpf.exe103⤵PID:2420
-
C:\Windows\SysWOW64\Ofcaab32.exeC:\Windows\system32\Ofcaab32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4596 -
C:\Windows\SysWOW64\Opkfjgmh.exeC:\Windows\system32\Opkfjgmh.exe105⤵PID:3572
-
C:\Windows\SysWOW64\Pehnboko.exeC:\Windows\system32\Pehnboko.exe106⤵PID:3576
-
C:\Windows\SysWOW64\Qefkcl32.exeC:\Windows\system32\Qefkcl32.exe107⤵
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Aidcjk32.exeC:\Windows\system32\Aidcjk32.exe108⤵PID:1212
-
C:\Windows\SysWOW64\Aoalba32.exeC:\Windows\system32\Aoalba32.exe109⤵PID:3704
-
C:\Windows\SysWOW64\Aekdolkj.exeC:\Windows\system32\Aekdolkj.exe110⤵PID:1780
-
C:\Windows\SysWOW64\Aochga32.exeC:\Windows\system32\Aochga32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4428 -
C:\Windows\SysWOW64\Aofemaog.exeC:\Windows\system32\Aofemaog.exe112⤵PID:3420
-
C:\Windows\SysWOW64\Bllble32.exeC:\Windows\system32\Bllble32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1744 -
C:\Windows\SysWOW64\Bgfpdmho.exeC:\Windows\system32\Bgfpdmho.exe114⤵PID:2464
-
C:\Windows\SysWOW64\Clhbhc32.exeC:\Windows\system32\Clhbhc32.exe115⤵
- Modifies registry class
PID:4756 -
C:\Windows\SysWOW64\Cngnbfid.exeC:\Windows\system32\Cngnbfid.exe116⤵PID:3564
-
C:\Windows\SysWOW64\Cggikk32.exeC:\Windows\system32\Cggikk32.exe117⤵PID:5132
-
C:\Windows\SysWOW64\Djjobedk.exeC:\Windows\system32\Djjobedk.exe118⤵PID:5172
-
C:\Windows\SysWOW64\Dgnolj32.exeC:\Windows\system32\Dgnolj32.exe119⤵PID:5212
-
C:\Windows\SysWOW64\Djnhne32.exeC:\Windows\system32\Djnhne32.exe120⤵PID:5252
-
C:\Windows\SysWOW64\Dcglfjgf.exeC:\Windows\system32\Dcglfjgf.exe121⤵PID:5292
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-