Analysis

max time kernel: 165s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2023, 20:42

Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: NEAS.e7de6de421c067e58f731fe7fe2d1850.exe
Resource: win7-20231020-en
8 signatures, 150 seconds

Behavioral task: behavioral2
Sample: NEAS.e7de6de421c067e58f731fe7fe2d1850.exe
Resource: win10v2004-20231023-en
5 signatures, 150 seconds

General

Target: NEAS.e7de6de421c067e58f731fe7fe2d1850.exe
Size: 59KB
MD5: e7de6de421c067e58f731fe7fe2d1850
SHA1: 71fdf224d2d4eeb5f5ed2574becaa3d458d1884f
SHA256: c437eb43170b8d02a0ba2d3c4d4c337f23eb06edae2f2a29cba29df1c306ab37
SHA512: 56661dda06ed0e2bea1c25a749fd76e4d020e60718c8c934483b5b5ada7c6fd71e2bcf5c809d672fc6fe2c5f1d8f6b69166cb67e76d98a8800ed6ece07944b45
SSDEEP: 1536:Lwk4+xPAXbnbuohLI4ZEaUve8dhbFk6qNCyVso:LdP9ADisdZEnve6hbFkgeso

Score: 10/10

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bekdmnio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bafnmnjn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkdqndqi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfbhalhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Amibqhed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jbkjcgaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qodmdb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ilnbch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nqdlpmce.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gngnjk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kknfmdko.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cqmgigfk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kflnpild.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cbihfm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgnnca32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aemjjeek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjcllilo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpcnceab.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnkioq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pefhfgoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hlnqfanb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdkfoo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdnkbc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blchmdff.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihpgda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Maealn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Clplff32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enhpje32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Peqcodce.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lglopjkg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghpehjph.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdkadb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oaomij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ijcjgcni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cdlpjicj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fnfmlchf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elojej32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aceijg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bcebadof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgnldkgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gqmniq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iepako32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hpdegdci.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bldljh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Akfdmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kflnjldl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjoibadl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icfnjcec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dmphjfab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eqdpfm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cglgck32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljjpgh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbnikn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icipldgp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kiodag32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcdafg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbknaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fjdajhbi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iklgkmop.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iafogggl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bacjmh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbqogl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhfihp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jmpgfjmd.exe

Executes dropped EXE (64 IoCs)

pid | Process
5088 | Opcjno32.exe
1708 | Akkmocjl.exe
5104 | Blabakle.exe
712 | Ccendc32.exe
740 | Cqmgigfk.exe
2512 | Dqigee32.exe
1928 | Dmphjfab.exe
808 | Enfjdh32.exe
2056 | Emlgedge.exe
3352 | Fnkdpgnh.exe
392 | Flodilma.exe
4224 | Fjdajhbi.exe
4264 | Glkdejcd.exe
3992 | Gehbio32.exe
3416 | Hejono32.exe
3184 | Hmjmnpmb.exe
4868 | Kadnfkji.exe
1220 | Lnikmjdm.exe
4480 | Mnggnh32.exe
860 | Nlbnhkqo.exe
4940 | Obqopddf.exe
1480 | Ponfed32.exe
4152 | Qojeabie.exe
2864 | Aemqdk32.exe
1896 | Accnco32.exe
2860 | Amibqhed.exe
2132 | Blchmdff.exe
1556 | Cokgonmp.exe
3168 | Eopjakkg.exe
2060 | Eqdpfm32.exe
3996 | Fceihh32.exe
892 | Gfaaebnj.exe
924 | Hjdcfp32.exe
2384 | Idhgkcln.exe
548 | Jggmnmmo.exe
2128 | Jhfihp32.exe
1340 | Kafcadej.exe
732 | Lggeej32.exe
2596 | Lglopjkg.exe
224 | Nqdlpmce.exe
3064 | Nnkioq32.exe
1140 | Oaeegjeb.exe
1840 | Oeekbhif.exe
1396 | Piepnfnj.exe
3960 | Pihmcflg.exe
3804 | Pijiif32.exe
212 | Pngbam32.exe
4084 | Qnlkllcf.exe
1496 | Aemjjeek.exe
2560 | Bpggbm32.exe
4976 | Bammeebe.exe
4904 | Bekfkc32.exe
4000 | Cebllbcc.exe
3560 | Cpgqik32.exe
2836 | Didnmp32.exe
3244 | Dekobaki.exe
2464 | Dcopke32.exe
756 | Djkdnool.exe
2340 | Dcdifdem.exe
3340 | Elojej32.exe
1392 | Ejegdngb.exe
4068 | Eoapldei.exe
2216 | Fbeeco32.exe
3504 | Fmjjqhpn.exe

Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Dpehikja.exe | Dmbbaq32.exe
File created | C:\Windows\SysWOW64\Jmamlgon.exe | Jgdddpaf.exe
File created | C:\Windows\SysWOW64\Jdqcglqh.exe | Iiffoc32.exe
File created | C:\Windows\SysWOW64\Ojfbfmbf.dll | Elkbcf32.exe
File created | C:\Windows\SysWOW64\Nonajj32.exe | Nhdimplm.exe
File created | C:\Windows\SysWOW64\Bldljh32.exe | Bekdmnio.exe
File created | C:\Windows\SysWOW64\Cgnlblbj.dll | Jdqcglqh.exe
File created | C:\Windows\SysWOW64\Jjbidk32.dll | Gmhfbf32.exe
File opened for modification | C:\Windows\SysWOW64\Bcebadof.exe | Bminokil.exe
File created | C:\Windows\SysWOW64\Fgaddnam.exe | Edcghbbi.exe
File created | C:\Windows\SysWOW64\Oggqho32.exe | Ngbgmpcq.exe
File opened for modification | C:\Windows\SysWOW64\Cpkddd32.exe | Cknlln32.exe
File created | C:\Windows\SysWOW64\Nohaagio.dll | Jmjgkh32.exe
File created | C:\Windows\SysWOW64\Dendiach.exe | Djipkhcb.exe
File opened for modification | C:\Windows\SysWOW64\Nlbnhkqo.exe | Mnggnh32.exe
File created | C:\Windows\SysWOW64\Kllhqkbm.dll | Hbldinjb.exe
File opened for modification | C:\Windows\SysWOW64\Ohpiinbp.exe | Odbpcpli.exe
File created | C:\Windows\SysWOW64\Miajbmbe.dll | Pfhcna32.exe
File created | C:\Windows\SysWOW64\Fbeeco32.exe | Eoapldei.exe
File created | C:\Windows\SysWOW64\Aglmfh32.dll | Hgliie32.exe
File created | C:\Windows\SysWOW64\Ebcdcigk.exe | Elilgo32.exe
File created | C:\Windows\SysWOW64\Bkifnm32.dll | Enfjdh32.exe
File created | C:\Windows\SysWOW64\Okkimnea.dll | Jlgeig32.exe
File opened for modification | C:\Windows\SysWOW64\Aomipkic.exe | Ahbacq32.exe
File created | C:\Windows\SysWOW64\Efdenq32.dll | Hmpclnof.exe
File created | C:\Windows\SysWOW64\Ndjfmf32.dll | Ejegdngb.exe
File created | C:\Windows\SysWOW64\Cnjpgeka.dll | Jbbfnlpk.exe
File created | C:\Windows\SysWOW64\Hbhbie32.exe | Hedaoa32.exe
File opened for modification | C:\Windows\SysWOW64\Enhpje32.exe | Ehlhbn32.exe
File created | C:\Windows\SysWOW64\Lggeej32.exe | Kafcadej.exe
File opened for modification | C:\Windows\SysWOW64\Ipeehhhb.exe | Iepako32.exe
File opened for modification | C:\Windows\SysWOW64\Ngbgmpcq.exe | Nnjbdj32.exe
File created | C:\Windows\SysWOW64\Elkbcf32.exe | Ebcmjqej.exe
File opened for modification | C:\Windows\SysWOW64\Cbakkg32.exe | Ckhcomih.exe
File created | C:\Windows\SysWOW64\Cbialf32.exe | Cgcmon32.exe
File created | C:\Windows\SysWOW64\Fjdajhbi.exe | Flodilma.exe
File opened for modification | C:\Windows\SysWOW64\Jmjgkh32.exe | Jgnnca32.exe
File created | C:\Windows\SysWOW64\Lhdaad32.dll | Kmpime32.exe
File created | C:\Windows\SysWOW64\Moipqi32.dll | Nkebokin.exe
File opened for modification | C:\Windows\SysWOW64\Cgcmon32.exe | Caiebc32.exe
File created | C:\Windows\SysWOW64\Hlfolq32.dll | Dldlbgbb.exe
File opened for modification | C:\Windows\SysWOW64\Haceil32.exe | Gpaiadel.exe
File created | C:\Windows\SysWOW64\Eoapldei.exe | Ejegdngb.exe
File created | C:\Windows\SysWOW64\Coldbl32.exe | Cpkddd32.exe
File created | C:\Windows\SysWOW64\Bflmkk32.dll | Iqmpfhfj.exe
File opened for modification | C:\Windows\SysWOW64\Alfkli32.exe | Aaqgop32.exe
File opened for modification | C:\Windows\SysWOW64\Ildibc32.exe | Hbldinjb.exe
File created | C:\Windows\SysWOW64\Ejbiec32.dll | Mldmlf32.exe
File created | C:\Windows\SysWOW64\Kkomblep.dll | Dpgbqfhc.exe
File opened for modification | C:\Windows\SysWOW64\Gkfnnjnl.exe | Gdleap32.exe
File created | C:\Windows\SysWOW64\Jggaip32.exe | Jmamlgon.exe
File created | C:\Windows\SysWOW64\Dekioo32.dll | Cpmajdig.exe
File opened for modification | C:\Windows\SysWOW64\Aemjjeek.exe | Qnlkllcf.exe
File created | C:\Windows\SysWOW64\Jidbpa32.exe | Jbkjcgaj.exe
File created | C:\Windows\SysWOW64\Aceijg32.exe | Pncggqbg.exe
File created | C:\Windows\SysWOW64\Mjjkkghp.exe | Mgkoolil.exe
File created | C:\Windows\SysWOW64\Nniohegg.dll | Nlbnhkqo.exe
File created | C:\Windows\SysWOW64\Iiffoc32.exe | Impeib32.exe
File created | C:\Windows\SysWOW64\Ifglmlol.exe | Inkjao32.exe
File created | C:\Windows\SysWOW64\Aioelpki.exe | Peqcodce.exe
File created | C:\Windows\SysWOW64\Gfaaebnj.exe | Fceihh32.exe
File created | C:\Windows\SysWOW64\Iajdladh.dll | Dmbbaq32.exe
File created | C:\Windows\SysWOW64\Bpfnkjji.dll | Hagodlge.exe
File opened for modification | C:\Windows\SysWOW64\Mnggnh32.exe | Lnikmjdm.exe

Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Impeib32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acghpmin.dll" | Kdiobd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hedaoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dlhlek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mmkdlbea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aaqgop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpifoq32.dll" | Jmpgfjmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kfiajinf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ahenip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffhjdnih.dll" | Oemcac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hjdcfp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jjhjli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnohphp.dll" | Maealn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aljcip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bglefdke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Admemnmi.dll" | Onhhfe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Benijhla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gqmniq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lhhakddm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nabdep32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mbchkg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mcnmccfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqdolf32.dll" | Ncofjaho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naiacpeo.dll" | Fcckcl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Deokhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hkobdeok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hnibhp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mnggnh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pijiif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nabfcegi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bbnikn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obkapcei.dll" | Oplkgi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjodgmlo.dll" | Cfdgcmqd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jikfbkbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oplkgi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bkjikd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiiimhqc.dll" | Oaajoj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfhebncf.dll" | Egogoncp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqfedn32.dll" | Dlgmehdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdaamho.dll" | Edcghbbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dlicpanq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gcpaiq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Echkgnnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpmabce.dll" | Nabfcegi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cpmajdig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oehldi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jbqpbbfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andkcaeg.dll" | Foakii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdmmih32.dll" | Aemjjeek.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bfhhho32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mldmlf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fedmed32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Emlgedge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kflnjldl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfoadqde.dll" | Hlnqfanb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmonmaem.dll" | Iobeno32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dimciemj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omkago32.dll" | Kpneiq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qalejm32.dll" | Qbbggeli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pncggqbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijjfpab.dll" | Gmggpekm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ebcdcigk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fgaddnam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aocmbdco.exe

Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 1452 wrote to memory of 5088 | 1452 | NEAS.e7de6de421c067e58f731fe7fe2d1850.exe | 93
PID 1452 wrote to memory of 5088 | 1452 | NEAS.e7de6de421c067e58f731fe7fe2d1850.exe | 93
PID 1452 wrote to memory of 5088 | 1452 | NEAS.e7de6de421c067e58f731fe7fe2d1850.exe | 93
PID 5088 wrote to memory of 1708 | 5088 | Opcjno32.exe | 94
PID 5088 wrote to memory of 1708 | 5088 | Opcjno32.exe | 94
PID 5088 wrote to memory of 1708 | 5088 | Opcjno32.exe | 94
PID 1708 wrote to memory of 5104 | 1708 | Akkmocjl.exe | 95
PID 1708 wrote to memory of 5104 | 1708 | Akkmocjl.exe | 95
PID 1708 wrote to memory of 5104 | 1708 | Akkmocjl.exe | 95
PID 5104 wrote to memory of 712 | 5104 | Blabakle.exe | 96
PID 5104 wrote to memory of 712 | 5104 | Blabakle.exe | 96
PID 5104 wrote to memory of 712 | 5104 | Blabakle.exe | 96
PID 712 wrote to memory of 740 | 712 | Ccendc32.exe | 97
PID 712 wrote to memory of 740 | 712 | Ccendc32.exe | 97
PID 712 wrote to memory of 740 | 712 | Ccendc32.exe | 97
PID 740 wrote to memory of 2512 | 740 | Cqmgigfk.exe | 98
PID 740 wrote to memory of 2512 | 740 | Cqmgigfk.exe | 98
PID 740 wrote to memory of 2512 | 740 | Cqmgigfk.exe | 98
PID 2512 wrote to memory of 1928 | 2512 | Dqigee32.exe | 99
PID 2512 wrote to memory of 1928 | 2512 | Dqigee32.exe | 99
PID 2512 wrote to memory of 1928 | 2512 | Dqigee32.exe | 99
PID 1928 wrote to memory of 808 | 1928 | Dmphjfab.exe | 100
PID 1928 wrote to memory of 808 | 1928 | Dmphjfab.exe | 100
PID 1928 wrote to memory of 808 | 1928 | Dmphjfab.exe | 100
PID 808 wrote to memory of 2056 | 808 | Enfjdh32.exe | 101
PID 808 wrote to memory of 2056 | 808 | Enfjdh32.exe | 101
PID 808 wrote to memory of 2056 | 808 | Enfjdh32.exe | 101
PID 2056 wrote to memory of 3352 | 2056 | Emlgedge.exe | 102
PID 2056 wrote to memory of 3352 | 2056 | Emlgedge.exe | 102
PID 2056 wrote to memory of 3352 | 2056 | Emlgedge.exe | 102
PID 3352 wrote to memory of 392 | 3352 | Fnkdpgnh.exe | 103
PID 3352 wrote to memory of 392 | 3352 | Fnkdpgnh.exe | 103
PID 3352 wrote to memory of 392 | 3352 | Fnkdpgnh.exe | 103
PID 392 wrote to memory of 4224 | 392 | Flodilma.exe | 104
PID 392 wrote to memory of 4224 | 392 | Flodilma.exe | 104
PID 392 wrote to memory of 4224 | 392 | Flodilma.exe | 104
PID 4224 wrote to memory of 4264 | 4224 | Fjdajhbi.exe | 105
PID 4224 wrote to memory of 4264 | 4224 | Fjdajhbi.exe | 105
PID 4224 wrote to memory of 4264 | 4224 | Fjdajhbi.exe | 105
PID 4264 wrote to memory of 3992 | 4264 | Glkdejcd.exe | 106
PID 4264 wrote to memory of 3992 | 4264 | Glkdejcd.exe | 106
PID 4264 wrote to memory of 3992 | 4264 | Glkdejcd.exe | 106
PID 3992 wrote to memory of 3416 | 3992 | Gehbio32.exe | 107
PID 3992 wrote to memory of 3416 | 3992 | Gehbio32.exe | 107
PID 3992 wrote to memory of 3416 | 3992 | Gehbio32.exe | 107
PID 3416 wrote to memory of 3184 | 3416 | Hejono32.exe | 108
PID 3416 wrote to memory of 3184 | 3416 | Hejono32.exe | 108
PID 3416 wrote to memory of 3184 | 3416 | Hejono32.exe | 108
PID 3184 wrote to memory of 4868 | 3184 | Hmjmnpmb.exe | 109
PID 3184 wrote to memory of 4868 | 3184 | Hmjmnpmb.exe | 109
PID 3184 wrote to memory of 4868 | 3184 | Hmjmnpmb.exe | 109
PID 4868 wrote to memory of 1220 | 4868 | Kadnfkji.exe | 110
PID 4868 wrote to memory of 1220 | 4868 | Kadnfkji.exe | 110
PID 4868 wrote to memory of 1220 | 4868 | Kadnfkji.exe | 110
PID 1220 wrote to memory of 4480 | 1220 | Lnikmjdm.exe | 111
PID 1220 wrote to memory of 4480 | 1220 | Lnikmjdm.exe | 111
PID 1220 wrote to memory of 4480 | 1220 | Lnikmjdm.exe | 111
PID 4480 wrote to memory of 860 | 4480 | Mnggnh32.exe | 112
PID 4480 wrote to memory of 860 | 4480 | Mnggnh32.exe | 112
PID 4480 wrote to memory of 860 | 4480 | Mnggnh32.exe | 112
PID 860 wrote to memory of 4940 | 860 | Nlbnhkqo.exe | 113
PID 860 wrote to memory of 4940 | 860 | Nlbnhkqo.exe | 113
PID 860 wrote to memory of 4940 | 860 | Nlbnhkqo.exe | 113
PID 4940 wrote to memory of 1480 | 4940 | Obqopddf.exe | 114
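
The signature tables above are flat rows, but two things an analyst wants from them are structured: the ordered parent-to-child chain of dropped executables (each process writes into the next one it spawns, and the sandbox logs every WriteProcessMemory call, so each pair appears three times), and the persistence wiring, in which the ShellServiceObjectDelayLoad value "Web Event Logger" names a CLSID whose InProcServer32 default value points at a DLL under SysWow64 that Explorer will load at logon. The parser below is an added example written for this page; it is not part of the sandbox report or of the sandbox vendor's tooling. The row formats it recognises are inferred from the rows shown on this page, and its sample input is excerpted from the tables above.

```python
"""Structured indicators from the flattened sandbox rows above: the
parent->child process chain and the SSODL value -> CLSID -> InProcServer32
DLL persistence path. Example code written for this page, not sandbox output."""
import re

# Excerpt of the "Executes dropped EXE" table above (pid, process pairs).
DROPPED_EXE_ROWS = "5088 Opcjno32.exe 1708 Akkmocjl.exe 5104 Blabakle.exe 712 Ccendc32.exe 740 Cqmgigfk.exe"

# Excerpt of the "Suspicious use of WriteProcessMemory" table. The sandbox
# logs one row per call, so a parent->child pair repeats; the parser collapses
# the duplicates.
WPM_ROWS = """\
PID 1452 wrote to memory of 5088 1452 NEAS.e7de6de421c067e58f731fe7fe2d1850.exe 93
PID 1452 wrote to memory of 5088 1452 NEAS.e7de6de421c067e58f731fe7fe2d1850.exe 93
PID 5088 wrote to memory of 1708 5088 Opcjno32.exe 94
PID 1708 wrote to memory of 5104 1708 Akkmocjl.exe 95
PID 5104 wrote to memory of 712 5104 Blabakle.exe 96
"""

# Excerpt of the "Adds autorun key" and "Modifies registry class" tables. The
# report writes REG_SZ data with escaped backslashes (C:\\Windows\\...).
REGISTRY_ROWS = r"""
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bekdmnio.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bafnmnjn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Impeib32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acghpmin.dll" Kdiobd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpifoq32.dll" Jmpgfjmd.exe
"""

# Row shapes as they appear on this page (an assumption about the report format).
PID_MAP_RE = re.compile(r"(\d+) (\S+\.exe)")
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+\.exe) \d+"
)
SET_VALUE_RE = re.compile(
    r'Set value \(str\) (?P<path>\\REGISTRY\\.*?) = "(?P<data>[^"]*)" (?P<process>\S+\.exe)'
)
SSODL_KEY = r"\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID_KEY_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32$")


def parse_pid_map(text):
    """pid -> image name from 'Executes dropped EXE' rows."""
    return {int(pid): image for pid, image in PID_MAP_RE.findall(text)}


def parse_wpm_edges(text):
    """De-duplicated parent_pid -> child_pid edges, plus the parent image names."""
    edges, images = {}, {}
    for m in WPM_RE.finditer(text):
        src = int(m["src"])
        edges.setdefault(src, int(m["dst"]))   # repeated rows collapse here
        images[src] = m["image"]
    return edges, images


def process_chain(edges, images):
    """Walk from the single root (a parent that is never a child) to the leaf."""
    children = set(edges.values())
    roots = [p for p in edges if p not in children]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {roots}")
    pid, chain = roots[0], []
    while pid is not None:
        chain.append((pid, images.get(pid, "<unknown>")))
        pid = edges.get(pid)
    return chain


def parse_set_values(text):
    """'Set value (str)' rows -> dicts of key, value name, data, process.
    The value name is the last path component; '' is the key's default value."""
    rows = []
    for m in SET_VALUE_RE.finditer(text):
        key, _, name = m["path"].rpartition("\\")
        rows.append({"key": key, "name": name,
                     "data": m["data"].replace("\\\\", "\\"),
                     "process": m["process"]})
    return rows


def persistence_summary(rows):
    """SSODL value name -> the CLSID it names, every InProcServer32 path
    registered for that CLSID (the DLLs Explorer loads) and the ThreadingModel."""
    ssodl, servers, threading = {}, {}, {}
    for r in rows:
        if r["key"].endswith(SSODL_KEY):
            ssodl[r["name"]] = r["data"]
            continue
        m = CLSID_KEY_RE.search(r["key"])
        if not m:
            continue
        clsid = m.group(1).upper()
        if r["name"] == "":                        # default value = server DLL
            servers.setdefault(clsid, set()).add(r["data"])
        elif r["name"].lower() == "threadingmodel":
            threading[clsid] = r["data"]
    return {name: {"clsid": clsid,
                   "inprocserver32": sorted(servers.get(clsid.upper(), ())),
                   "threading_model": threading.get(clsid.upper())}
            for name, clsid in ssodl.items()}


if __name__ == "__main__":
    edges, images = parse_wpm_edges(WPM_ROWS)
    images.update(parse_pid_map(DROPPED_EXE_ROWS))   # supplies the leaf's image
    print(" -> ".join(f"{img} ({pid})" for pid, img in process_chain(edges, images)))
    for name, info in persistence_summary(parse_set_values(REGISTRY_ROWS)).items():
        print(f"SSODL {name!r} -> {info['clsid']} -> {info['inprocserver32']}")
```

The leaf of the WriteProcessMemory chain never appears as a writer, so its image name has to come from the "Executes dropped EXE" table; merging the two pid maps is what makes the chain complete. On the registry side, pivoting on the CLSID rather than on the process name is deliberate: the dropper names change with every hop, but the CLSID and the SSODL value name stay constant, so they are the indicators worth hunting for on other hosts.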
Processes
-
Each process below is the child of the one listed before it: one parent, one child, 122 levels deep. Every dropped executable is on disk under C:\Windows\SysWOW64\ while its command line names C:\Windows\system32\; these are 32-bit processes running under WOW64, so a command line naming system32 resolves to SysWOW64 through file-system redirection. Note that PIDs 5104 and 712 each appear twice (depths 4 and 120, 5 and 122): the early processes had exited and Windows reused the IDs, so a PID alone does not identify a process in this tree.
[1] C:\Users\Admin\AppData\Local\Temp\NEAS.e7de6de421c067e58f731fe7fe2d1850.exe (PID 1452) | command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.e7de6de421c067e58f731fe7fe2d1850.exe"
- Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Opcjno32.exe (PID 5088) | command line: C:\Windows\system32\Opcjno32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\Akkmocjl.exe (PID 1708) | command line: C:\Windows\system32\Akkmocjl.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\Blabakle.exe (PID 5104) | command line: C:\Windows\system32\Blabakle.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\Ccendc32.exe (PID 712) | command line: C:\Windows\system32\Ccendc32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\Cqmgigfk.exe (PID 740) | command line: C:\Windows\system32\Cqmgigfk.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\Dqigee32.exe (PID 2512) | command line: C:\Windows\system32\Dqigee32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\Dmphjfab.exe (PID 1928) | command line: C:\Windows\system32\Dmphjfab.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[9] C:\Windows\SysWOW64\Enfjdh32.exe (PID 808) | command line: C:\Windows\system32\Enfjdh32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\Emlgedge.exe (PID 2056) | command line: C:\Windows\system32\Emlgedge.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
[11] C:\Windows\SysWOW64\Fnkdpgnh.exe (PID 3352) | command line: C:\Windows\system32\Fnkdpgnh.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\Flodilma.exe (PID 392) | command line: C:\Windows\system32\Flodilma.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[13] C:\Windows\SysWOW64\Fjdajhbi.exe (PID 4224) | command line: C:\Windows\system32\Fjdajhbi.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[14] C:\Windows\SysWOW64\Glkdejcd.exe (PID 4264) | command line: C:\Windows\system32\Glkdejcd.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[15] C:\Windows\SysWOW64\Gehbio32.exe (PID 3992) | command line: C:\Windows\system32\Gehbio32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[16] C:\Windows\SysWOW64\Hejono32.exe (PID 3416) | command line: C:\Windows\system32\Hejono32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[17] C:\Windows\SysWOW64\Hmjmnpmb.exe (PID 3184) | command line: C:\Windows\system32\Hmjmnpmb.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[18] C:\Windows\SysWOW64\Kadnfkji.exe (PID 4868) | command line: C:\Windows\system32\Kadnfkji.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[19] C:\Windows\SysWOW64\Lnikmjdm.exe (PID 1220) | command line: C:\Windows\system32\Lnikmjdm.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[20] C:\Windows\SysWOW64\Mnggnh32.exe (PID 4480) | command line: C:\Windows\system32\Mnggnh32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
[21] C:\Windows\SysWOW64\Nlbnhkqo.exe (PID 860) | command line: C:\Windows\system32\Nlbnhkqo.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[22] C:\Windows\SysWOW64\Obqopddf.exe (PID 4940) | command line: C:\Windows\system32\Obqopddf.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[23] C:\Windows\SysWOW64\Ponfed32.exe (PID 1480) | command line: C:\Windows\system32\Ponfed32.exe
- Executes dropped EXE
[24] C:\Windows\SysWOW64\Qojeabie.exe (PID 4152) | command line: C:\Windows\system32\Qojeabie.exe
- Executes dropped EXE
[25] C:\Windows\SysWOW64\Aemqdk32.exe (PID 2864) | command line: C:\Windows\system32\Aemqdk32.exe
- Executes dropped EXE
[26] C:\Windows\SysWOW64\Accnco32.exe (PID 1896) | command line: C:\Windows\system32\Accnco32.exe
- Executes dropped EXE
[27] C:\Windows\SysWOW64\Amibqhed.exe (PID 2860) | command line: C:\Windows\system32\Amibqhed.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[28] C:\Windows\SysWOW64\Blchmdff.exe (PID 2132) | command line: C:\Windows\system32\Blchmdff.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[29] C:\Windows\SysWOW64\Cokgonmp.exe (PID 1556) | command line: C:\Windows\system32\Cokgonmp.exe
- Executes dropped EXE
[30] C:\Windows\SysWOW64\Eopjakkg.exe (PID 3168) | command line: C:\Windows\system32\Eopjakkg.exe
- Executes dropped EXE
[31] C:\Windows\SysWOW64\Eqdpfm32.exe (PID 2060) | command line: C:\Windows\system32\Eqdpfm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[32] C:\Windows\SysWOW64\Fceihh32.exe (PID 3996) | command line: C:\Windows\system32\Fceihh32.exe
- Executes dropped EXE
- Drops file in System32 directory
[33] C:\Windows\SysWOW64\Gfaaebnj.exe (PID 892) | command line: C:\Windows\system32\Gfaaebnj.exe
- Executes dropped EXE
[34] C:\Windows\SysWOW64\Hjdcfp32.exe (PID 924) | command line: C:\Windows\system32\Hjdcfp32.exe
- Executes dropped EXE
- Modifies registry class
[35] C:\Windows\SysWOW64\Idhgkcln.exe (PID 2384) | command line: C:\Windows\system32\Idhgkcln.exe
- Executes dropped EXE
[36] C:\Windows\SysWOW64\Jggmnmmo.exe (PID 548) | command line: C:\Windows\system32\Jggmnmmo.exe
- Executes dropped EXE
[37] C:\Windows\SysWOW64\Jhfihp32.exe (PID 2128) | command line: C:\Windows\system32\Jhfihp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[38] C:\Windows\SysWOW64\Kafcadej.exe (PID 1340) | command line: C:\Windows\system32\Kafcadej.exe
- Executes dropped EXE
- Drops file in System32 directory
[39] C:\Windows\SysWOW64\Lggeej32.exe (PID 732) | command line: C:\Windows\system32\Lggeej32.exe
- Executes dropped EXE
[40] C:\Windows\SysWOW64\Lglopjkg.exe (PID 2596) | command line: C:\Windows\system32\Lglopjkg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[41] C:\Windows\SysWOW64\Nqdlpmce.exe (PID 224) | command line: C:\Windows\system32\Nqdlpmce.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[42] C:\Windows\SysWOW64\Nnkioq32.exe (PID 3064) | command line: C:\Windows\system32\Nnkioq32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[43] C:\Windows\SysWOW64\Oaeegjeb.exe (PID 1140) | command line: C:\Windows\system32\Oaeegjeb.exe
- Executes dropped EXE
[44] C:\Windows\SysWOW64\Oeekbhif.exe (PID 1840) | command line: C:\Windows\system32\Oeekbhif.exe
- Executes dropped EXE
[45] C:\Windows\SysWOW64\Piepnfnj.exe (PID 1396) | command line: C:\Windows\system32\Piepnfnj.exe
- Executes dropped EXE
[46] C:\Windows\SysWOW64\Pihmcflg.exe (PID 3960) | command line: C:\Windows\system32\Pihmcflg.exe
- Executes dropped EXE
[47] C:\Windows\SysWOW64\Pijiif32.exe (PID 3804) | command line: C:\Windows\system32\Pijiif32.exe
- Executes dropped EXE
- Modifies registry class
[48] C:\Windows\SysWOW64\Pngbam32.exe (PID 212) | command line: C:\Windows\system32\Pngbam32.exe
- Executes dropped EXE
[49] C:\Windows\SysWOW64\Qnlkllcf.exe (PID 4084) | command line: C:\Windows\system32\Qnlkllcf.exe
- Executes dropped EXE
- Drops file in System32 directory
[50] C:\Windows\SysWOW64\Aemjjeek.exe (PID 1496) | command line: C:\Windows\system32\Aemjjeek.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
[51] C:\Windows\SysWOW64\Bpggbm32.exe (PID 2560) | command line: C:\Windows\system32\Bpggbm32.exe
- Executes dropped EXE
[52] C:\Windows\SysWOW64\Bammeebe.exe (PID 4976) | command line: C:\Windows\system32\Bammeebe.exe
- Executes dropped EXE
[53] C:\Windows\SysWOW64\Bekfkc32.exe (PID 4904) | command line: C:\Windows\system32\Bekfkc32.exe
- Executes dropped EXE
[54] C:\Windows\SysWOW64\Cebllbcc.exe (PID 4000) | command line: C:\Windows\system32\Cebllbcc.exe
- Executes dropped EXE
[55] C:\Windows\SysWOW64\Cpgqik32.exe (PID 3560) | command line: C:\Windows\system32\Cpgqik32.exe
- Executes dropped EXE
[56] C:\Windows\SysWOW64\Didnmp32.exe (PID 2836) | command line: C:\Windows\system32\Didnmp32.exe
- Executes dropped EXE
[57] C:\Windows\SysWOW64\Dekobaki.exe (PID 3244) | command line: C:\Windows\system32\Dekobaki.exe
- Executes dropped EXE
[58] C:\Windows\SysWOW64\Dcopke32.exe (PID 2464) | command line: C:\Windows\system32\Dcopke32.exe
- Executes dropped EXE
[59] C:\Windows\SysWOW64\Djkdnool.exe (PID 756) | command line: C:\Windows\system32\Djkdnool.exe
- Executes dropped EXE
[60] C:\Windows\SysWOW64\Dcdifdem.exe (PID 2340) | command line: C:\Windows\system32\Dcdifdem.exe
- Executes dropped EXE
[61] C:\Windows\SysWOW64\Elojej32.exe (PID 3340) | command line: C:\Windows\system32\Elojej32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[62] C:\Windows\SysWOW64\Ejegdngb.exe (PID 1392) | command line: C:\Windows\system32\Ejegdngb.exe
- Executes dropped EXE
- Drops file in System32 directory
[63] C:\Windows\SysWOW64\Eoapldei.exe (PID 4068) | command line: C:\Windows\system32\Eoapldei.exe
- Executes dropped EXE
- Drops file in System32 directory
[64] C:\Windows\SysWOW64\Fbeeco32.exe (PID 2216) | command line: C:\Windows\system32\Fbeeco32.exe
- Executes dropped EXE
[65] C:\Windows\SysWOW64\Fmjjqhpn.exe (PID 3504) | command line: C:\Windows\system32\Fmjjqhpn.exe
- Executes dropped EXE
[66] C:\Windows\SysWOW64\Gcpaiq32.exe (PID 4444) | command line: C:\Windows\system32\Gcpaiq32.exe
- Modifies registry class
[67] C:\Windows\SysWOW64\Gmhfbf32.exe (PID 1984) | command line: C:\Windows\system32\Gmhfbf32.exe
- Drops file in System32 directory
[68] C:\Windows\SysWOW64\Gcbnopkj.exe (PID 4992) | command line: C:\Windows\system32\Gcbnopkj.exe
[69] C:\Windows\SysWOW64\Gjlfkj32.exe (PID 2196) | command line: C:\Windows\system32\Gjlfkj32.exe
[70] C:\Windows\SysWOW64\Giacmggo.exe (PID 3356) | command line: C:\Windows\system32\Giacmggo.exe
[71] C:\Windows\SysWOW64\Gfedfk32.exe (PID 2980) | command line: C:\Windows\system32\Gfedfk32.exe
[72] C:\Windows\SysWOW64\Hcidoo32.exe (PID 2688) | command line: C:\Windows\system32\Hcidoo32.exe
[73] C:\Windows\SysWOW64\Hjcllilo.exe (PID 1096) | command line: C:\Windows\system32\Hjcllilo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
[74] C:\Windows\SysWOW64\Hbanfk32.exe (PID 4012) | command line: C:\Windows\system32\Hbanfk32.exe
[75] C:\Windows\SysWOW64\Hmfbcd32.exe (PID 3852) | command line: C:\Windows\system32\Hmfbcd32.exe
[76] C:\Windows\SysWOW64\Ipihkobl.exe (PID 4388) | command line: C:\Windows\system32\Ipihkobl.exe
[77] C:\Windows\SysWOW64\Impeib32.exe (PID 4452) | command line: C:\Windows\system32\Impeib32.exe
- Drops file in System32 directory
- Modifies registry class
[78] C:\Windows\SysWOW64\Iiffoc32.exe (PID 992) | command line: C:\Windows\system32\Iiffoc32.exe
- Drops file in System32 directory
[79] C:\Windows\SysWOW64\Jdqcglqh.exe (PID 4768) | command line: C:\Windows\system32\Jdqcglqh.exe
- Drops file in System32 directory
[80] C:\Windows\SysWOW64\Jinloboo.exe (PID 748) | command line: C:\Windows\system32\Jinloboo.exe
[81] C:\Windows\SysWOW64\Jdcplkoe.exe (PID 2888) | command line: C:\Windows\system32\Jdcplkoe.exe
[82] C:\Windows\SysWOW64\Jbkjcgaj.exe (PID 2776) | command line: C:\Windows\system32\Jbkjcgaj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
[83] C:\Windows\SysWOW64\Jidbpa32.exe (PID 4800) | command line: C:\Windows\system32\Jidbpa32.exe
[84] C:\Windows\SysWOW64\Kabpan32.exe (PID 4496) | command line: C:\Windows\system32\Kabpan32.exe
[85] C:\Windows\SysWOW64\Mdaedgdb.exe (PID 5144) | command line: C:\Windows\system32\Mdaedgdb.exe
[86] C:\Windows\SysWOW64\Mpkbohhd.exe (PID 5192) | command line: C:\Windows\system32\Mpkbohhd.exe
[87] C:\Windows\SysWOW64\Ndpafe32.exe (PID 5232) | command line: C:\Windows\system32\Ndpafe32.exe
[88] C:\Windows\SysWOW64\Nnjbdj32.exe (PID 5272) | command line: C:\Windows\system32\Nnjbdj32.exe
- Drops file in System32 directory
[89] C:\Windows\SysWOW64\Ngbgmpcq.exe (PID 5316) | command line: C:\Windows\system32\Ngbgmpcq.exe
- Drops file in System32 directory
[90] C:\Windows\SysWOW64\Oggqho32.exe (PID 5356) | command line: C:\Windows\system32\Oggqho32.exe
[91] C:\Windows\SysWOW64\Obdkfg32.exe (PID 5396) | command line: C:\Windows\system32\Obdkfg32.exe
[92] C:\Windows\SysWOW64\Ocegnoog.exe (PID 5436) | command line: C:\Windows\system32\Ocegnoog.exe
[93] C:\Windows\SysWOW64\Onklkhnn.exe (PID 5480) | command line: C:\Windows\system32\Onklkhnn.exe
[94] C:\Windows\SysWOW64\Pghiomqi.exe (PID 5520) | command line: C:\Windows\system32\Pghiomqi.exe
[95] C:\Windows\SysWOW64\Qbbggeli.exe (PID 5560) | command line: C:\Windows\system32\Qbbggeli.exe
- Modifies registry class
[96] C:\Windows\SysWOW64\Qcccom32.exe (PID 5604) | command line: C:\Windows\system32\Qcccom32.exe
[97] C:\Windows\SysWOW64\Aeemop32.exe (PID 5644) | command line: C:\Windows\system32\Aeemop32.exe
[98] C:\Windows\SysWOW64\Ahhbfkbf.exe (PID 5684) | command line: C:\Windows\system32\Ahhbfkbf.exe
[99] C:\Windows\SysWOW64\Aaqgop32.exe (PID 5724) | command line: C:\Windows\system32\Aaqgop32.exe
- Drops file in System32 directory
- Modifies registry class
[100] C:\Windows\SysWOW64\Alfkli32.exe (PID 5764) | command line: C:\Windows\system32\Alfkli32.exe
[101] C:\Windows\SysWOW64\Ckidoc32.exe (PID 5844) | command line: C:\Windows\system32\Ckidoc32.exe
[102] C:\Windows\SysWOW64\Daolgl32.exe (PID 5896) | command line: C:\Windows\system32\Daolgl32.exe
[103] C:\Windows\SysWOW64\Dkjmea32.exe (PID 5956) | command line: C:\Windows\system32\Dkjmea32.exe
[104] C:\Windows\SysWOW64\Dogfkpih.exe (PID 6000) | command line: C:\Windows\system32\Dogfkpih.exe
[105] C:\Windows\SysWOW64\Ehbgjenf.exe (PID 6036) | command line: C:\Windows\system32\Ehbgjenf.exe
[106] C:\Windows\SysWOW64\Echkgnnl.exe (PID 6088) | command line: C:\Windows\system32\Echkgnnl.exe
- Modifies registry class
[107] C:\Windows\SysWOW64\Fcckcl32.exe (PID 5132) | command line: C:\Windows\system32\Fcckcl32.exe
- Modifies registry class
[108] C:\Windows\SysWOW64\Goconkah.exe (PID 5224) | command line: C:\Windows\system32\Goconkah.exe
[109] C:\Windows\SysWOW64\Heapmp32.exe (PID 5296) | command line: C:\Windows\system32\Heapmp32.exe
[110] C:\Windows\SysWOW64\Jbqpbbfi.exe (PID 5364) | command line: C:\Windows\system32\Jbqpbbfi.exe
- Modifies registry class
[111] C:\Windows\SysWOW64\Jmpgfjmd.exe (PID 5420) | command line: C:\Windows\system32\Jmpgfjmd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
[112] C:\Windows\SysWOW64\Kdiobd32.exe (PID 5488) | command line: C:\Windows\system32\Kdiobd32.exe
- Modifies registry class
[113] C:\Windows\SysWOW64\Klimbf32.exe (PID 5556) | command line: C:\Windows\system32\Klimbf32.exe
[114] C:\Windows\SysWOW64\Lfckjnjh.exe (PID 5636) | command line: C:\Windows\system32\Lfckjnjh.exe
[115] C:\Windows\SysWOW64\Llemnd32.exe (PID 5692) | command line: C:\Windows\system32\Llemnd32.exe
[116] C:\Windows\SysWOW64\Lgkakm32.exe (PID 1732) | command line: C:\Windows\system32\Lgkakm32.exe
[117] C:\Windows\SysWOW64\Lmdihgkl.exe (PID 5836) | command line: C:\Windows\system32\Lmdihgkl.exe
[118] C:\Windows\SysWOW64\Mmgfmg32.exe (PID 5880) | command line: C:\Windows\system32\Mmgfmg32.exe
[119] C:\Windows\SysWOW64\Mplhjabe.exe (PID 5944) | command line: C:\Windows\system32\Mplhjabe.exe
[120] C:\Windows\SysWOW64\Mnpice32.exe (PID 5104) | command line: C:\Windows\system32\Mnpice32.exe
[121] C:\Windows\SysWOW64\Mcmall32.exe (PID 5988) | command line: C:\Windows\system32\Mcmall32.exe
[122] C:\Windows\SysWOW64\Meknhh32.exe (PID 712) | command line: C:\Windows\system32\Meknhh32.exe