Analysis
-
max time kernel
128s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2023 03:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.a1a7fa063e063f440a275e5d2d819b00.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.a1a7fa063e063f440a275e5d2d819b00.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.a1a7fa063e063f440a275e5d2d819b00.exe
-
Size
111KB
-
MD5
a1a7fa063e063f440a275e5d2d819b00
-
SHA1
a025000dc9afdf7a22734b3c469da907b850e162
-
SHA256
53631ac1a88a109981daf6fd23437ebf58d6967f9db17a78bba38c0cac858b3e
-
SHA512
738ac93524939bf03bf80e73ec04be97876d4de16e35aea4ca0345d659d617f2197da518f295dfbedd98446ff36eda9967bceda9bc70ecbefae5784e051de448
-
SSDEEP
3072:QLxycf02JAaYE6+S2YN7ltLeLE9pui6yYPaI7Dehib:Sycf02pYautSapui6yYPaIGcb
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmhbqbae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dlghoa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqkgbcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibhkfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjpfjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Keifdpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nfnamjhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpecbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngjbaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akccap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbeejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Leabphmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkbjjbda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hbohpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnlecmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmidnm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gggmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jacpcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdickcpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaplqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ehlhih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ggmmlamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qclmck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckbncapd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mnmdme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Akccap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfiddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbkfbcpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnqcfjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgeihiac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljaoeini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gncchb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbeejp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehbnigjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jlbejloe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddfbgelh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcjhkdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgipcogp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eicedn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hbhboolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qmanljfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkohchko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Khihld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eokqkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emanjldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekajec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilfennic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjffpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fqfojblo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkcmjlio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fipkjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iggjga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohmhmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iinjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fqgedh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnalmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqnjgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bapgdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojigdcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phaahggp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhenj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodjjimm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmaamn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjknfnh.exe -
Executes dropped EXE 64 IoCs
pid Process 2984 Coknoaic.exe 1996 Dmoohe32.exe 5004 Dpnkdq32.exe 4708 Difpmfna.exe 4572 Dpphjp32.exe 3676 Dfjpfj32.exe 2900 Dlghoa32.exe 4884 Dmfeidbe.exe 1496 Dbcmakpl.exe 1184 Dimenegi.exe 1372 Ebejfk32.exe 4340 Elnoopdj.exe 4836 Efccmidp.exe 2400 Elpkep32.exe 3600 Ebjcajjd.exe 3976 Emphocjj.exe 2024 Eppqqn32.exe 1908 Efjimhnh.exe 640 Elgaeolp.exe 1560 Fikbocki.exe 1696 Fdqfll32.exe 760 Fmikeaap.exe 984 Fdccbl32.exe 3188 Fipkjb32.exe 1540 Fdepgkgj.exe 324 Fmndpq32.exe 432 Fffhifdk.exe 3612 Gpqjglii.exe 4280 Gmdjapgb.exe 1648 Gmggfp32.exe 3972 Gpecbk32.exe 3668 Gingkqkd.exe 4108 Gdcliikj.exe 4800 Gipdap32.exe 2568 Hpjmnjqn.exe 3168 Hgdejd32.exe 4312 Hmnmgnoh.exe 2744 Hdhedh32.exe 4056 Hkbmqb32.exe 4856 Hlcjhkdp.exe 4816 Hcmbee32.exe 4888 Hpabni32.exe 4452 Hiiggoaf.exe 4732 Hpcodihc.exe 840 Hgmgqc32.exe 1616 Idahjg32.exe 3920 Injmcmej.exe 1816 Icfekc32.exe 1360 Iknmla32.exe 4336 Idfaefkd.exe 2924 Igdnabjh.exe 436 Innfnl32.exe 4812 Ipmbjgpi.exe 992 Iggjga32.exe 4692 Ikdcmpnl.exe 1256 Jlfpdh32.exe 2300 Jcphab32.exe 3484 Jnelok32.exe 2936 Jcbdgb32.exe 3436 Jnhidk32.exe 2812 Jdaaaeqg.exe 4148 Jklinohd.exe 928 Jlmfeg32.exe 3216 Jgbjbp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gpecbk32.exe Gmggfp32.exe File created C:\Windows\SysWOW64\Oibqpk32.dll Ndflak32.exe File opened for modification C:\Windows\SysWOW64\Lnldla32.exe Lfeljd32.exe File created C:\Windows\SysWOW64\Mmihfl32.dll Conanfli.exe File created C:\Windows\SysWOW64\Hecjke32.exe Giljfddl.exe File created C:\Windows\SysWOW64\Kofmfi32.dll Ogcnmc32.exe File created C:\Windows\SysWOW64\Dnqcfjae.exe Dpmcmf32.exe File created C:\Windows\SysWOW64\Enemaimp.exe Egkddo32.exe File created C:\Windows\SysWOW64\Kmkbfeab.exe Kjmfjj32.exe File created C:\Windows\SysWOW64\Pddhbipj.exe Omjpeo32.exe File created C:\Windows\SysWOW64\Mbbiec32.dll Akccap32.exe File created C:\Windows\SysWOW64\Pijmiq32.dll Kodnmkap.exe File opened for modification C:\Windows\SysWOW64\Fipkjb32.exe Fdccbl32.exe File created C:\Windows\SysWOW64\Kngkqbgl.exe Kfpcoefj.exe File created C:\Windows\SysWOW64\Ojfcdnjc.exe Oclkgccf.exe File created C:\Windows\SysWOW64\Aaenbd32.exe Qodeajbg.exe File opened for modification C:\Windows\SysWOW64\Bfkbfd32.exe Bpqjjjjl.exe File opened for modification C:\Windows\SysWOW64\Qkfkng32.exe Qelcamcj.exe File opened for modification C:\Windows\SysWOW64\Kgiiiidd.exe Koaagkcb.exe File opened for modification C:\Windows\SysWOW64\Ogjdmbil.exe Oaplqh32.exe File created C:\Windows\SysWOW64\Ehlhih32.exe Dqbcbkab.exe File created C:\Windows\SysWOW64\Bcoaln32.dll Eklajcmc.exe File created C:\Windows\SysWOW64\Hagapc32.dll Gcqjal32.exe File created C:\Windows\SysWOW64\Jnlbojee.exe Jgbjbp32.exe File created C:\Windows\SysWOW64\Npdhdlin.dll Eqgmmk32.exe File created C:\Windows\SysWOW64\Kakmna32.exe Klndfj32.exe File created C:\Windows\SysWOW64\Niojoeel.exe Ncbafoge.exe File opened for modification C:\Windows\SysWOW64\Gingkqkd.exe Gpecbk32.exe File created C:\Windows\SysWOW64\Pbhafkok.dll Nqbpojnp.exe File opened for modification C:\Windows\SysWOW64\Pplobcpp.exe Pjpfjl32.exe File opened for modification C:\Windows\SysWOW64\Nfnamjhk.exe Nfldgk32.exe File opened for modification C:\Windows\SysWOW64\Gbhhieao.exe Gjaphgpl.exe File created C:\Windows\SysWOW64\Lcgagm32.dll Gbbkocid.exe File created C:\Windows\SysWOW64\Kpdejagg.dll Nheqnpjk.exe File opened for modification C:\Windows\SysWOW64\Kegpifod.exe Jcfggkac.exe File created C:\Windows\SysWOW64\Bkibgh32.exe Baannc32.exe File opened for modification C:\Windows\SysWOW64\Kakmna32.exe Klndfj32.exe File created C:\Windows\SysWOW64\Hhoneioi.dll Jcphab32.exe File created C:\Windows\SysWOW64\Onlche32.dll Nabfjpak.exe File created C:\Windows\SysWOW64\Leabba32.dll Iknmla32.exe File created C:\Windows\SysWOW64\Nbalhp32.dll Bddjpd32.exe File opened for modification C:\Windows\SysWOW64\Deqcbpld.exe Dodjjimm.exe File opened for modification C:\Windows\SysWOW64\Mofmobmo.exe Mpapnfhg.exe File created C:\Windows\SysWOW64\Iheocj32.dll Pmhbqbae.exe File created C:\Windows\SysWOW64\Iophfi32.dll Gbeejp32.exe File opened for modification C:\Windows\SysWOW64\Dkkaiphj.exe Ccdihbgg.exe File created C:\Windows\SysWOW64\Eemeqinf.dll Dgdncplk.exe File created C:\Windows\SysWOW64\Jlanpfkj.exe Jehfcl32.exe File opened for modification C:\Windows\SysWOW64\Piceflpi.exe Pbimjb32.exe File created C:\Windows\SysWOW64\Mkhapk32.exe Lenicahg.exe File opened for modification C:\Windows\SysWOW64\Akqfkp32.exe Adfnofpd.exe File created C:\Windows\SysWOW64\Kigcfhbi.dll Hpchib32.exe File created C:\Windows\SysWOW64\Lljoca32.dll Ckidcpjl.exe File opened for modification C:\Windows\SysWOW64\Mkocol32.exe Mhpgca32.exe File opened for modification C:\Windows\SysWOW64\Conanfli.exe Cdimqm32.exe File opened for modification C:\Windows\SysWOW64\Qjffpe32.exe Qclmck32.exe File opened for modification C:\Windows\SysWOW64\Bfolacnc.exe Bpedeiff.exe File created C:\Windows\SysWOW64\Dcmlbk32.dll Moalil32.exe File created C:\Windows\SysWOW64\Bbikhdcm.dll Pnfiplog.exe File opened for modification C:\Windows\SysWOW64\Afhfaddk.exe Apnndj32.exe File created C:\Windows\SysWOW64\Mkbdql32.dll Ocknbglo.exe File opened for modification C:\Windows\SysWOW64\Pkoemhao.exe Peempn32.exe File created C:\Windows\SysWOW64\Hlkjom32.dll Qppkhfec.exe File created C:\Windows\SysWOW64\Ipmbjgpi.exe Innfnl32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lenicahg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jleijb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eklajcmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naagioah.dll" Nbnlaldg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jejechjg.dll" Fikbocki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ememkjeq.dll" Knooej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njmhhefi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plopnh32.dll" Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcckiibj.dll" Afcmfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kefjdppe.dll" Mohbjkgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Epmmqheb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmcjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Glkmmefl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojdgnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Khabke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" NEAS.a1a7fa063e063f440a275e5d2d819b00.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keoaokpd.dll" Haaaaeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Egbken32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ecikjoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjkdkibk.dll" Hchqbkkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Blgifbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkdoio32.dll" Iibccgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcgiefen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Halhfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agecdgmk.dll" Dahfkimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjfkgg32.dll" Jnnnfalp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jcanll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpfmlghd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpnkdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mmnhcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdabnm32.dll" Odjeljhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmcpd32.dll" Poimpapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fbgihaji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ibhkfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aeopfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpjmnjqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbiec32.dll" Akccap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eofgpikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lpgmhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nkcmjlio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkbjjbda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iophfi32.dll" Gbeejp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fboecfii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebdcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Igfclkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ljnlecmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hgmgqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Haaaaeim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Niojoeel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dijbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifmqfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ooibkpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpjkgoka.dll" Klgqabib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nmcpoedn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfkafocc.dll" Injmcmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lnohlgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmcnoekk.dll" Iidphgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipbmd32.dll" Nfldgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ijpepcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpkdfd32.dll" Ojhiogdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ookhfigk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Olanmgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Copdgb32.dll" Poliea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpmcbhlp.dll" Qmhlgmmm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3120 wrote to memory of 2984 3120 NEAS.a1a7fa063e063f440a275e5d2d819b00.exe 86 PID 3120 wrote to memory of 2984 3120 NEAS.a1a7fa063e063f440a275e5d2d819b00.exe 86 PID 3120 wrote to memory of 2984 3120 NEAS.a1a7fa063e063f440a275e5d2d819b00.exe 86 PID 2984 wrote to memory of 1996 2984 Coknoaic.exe 87 PID 2984 wrote to memory of 1996 2984 Coknoaic.exe 87 PID 2984 wrote to memory of 1996 2984 Coknoaic.exe 87 PID 1996 wrote to memory of 5004 1996 Dmoohe32.exe 88 PID 1996 wrote to memory of 5004 1996 Dmoohe32.exe 88 PID 1996 wrote to memory of 5004 1996 Dmoohe32.exe 88 PID 5004 wrote to memory of 4708 5004 Dpnkdq32.exe 89 PID 5004 wrote to memory of 4708 5004 Dpnkdq32.exe 89 PID 5004 wrote to memory of 4708 5004 Dpnkdq32.exe 89 PID 4708 wrote to memory of 4572 4708 Difpmfna.exe 90 PID 4708 wrote to memory of 4572 4708 Difpmfna.exe 90 PID 4708 wrote to memory of 4572 4708 Difpmfna.exe 90 PID 4572 wrote to memory of 3676 4572 Dpphjp32.exe 91 PID 4572 wrote to memory of 3676 4572 Dpphjp32.exe 91 PID 4572 wrote to memory of 3676 4572 Dpphjp32.exe 91 PID 3676 wrote to memory of 2900 3676 Dfjpfj32.exe 92 PID 3676 wrote to memory of 2900 3676 Dfjpfj32.exe 92 PID 3676 wrote to memory of 2900 3676 Dfjpfj32.exe 92 PID 2900 wrote to memory of 4884 2900 Dlghoa32.exe 93 PID 2900 wrote to memory of 4884 2900 Dlghoa32.exe 93 PID 2900 wrote to memory of 4884 2900 Dlghoa32.exe 93 PID 4884 wrote to memory of 1496 4884 Dmfeidbe.exe 94 PID 4884 wrote to memory of 1496 4884 Dmfeidbe.exe 94 PID 4884 wrote to memory of 1496 4884 Dmfeidbe.exe 94 PID 1496 wrote to memory of 1184 1496 Dbcmakpl.exe 95 PID 1496 wrote to memory of 1184 1496 Dbcmakpl.exe 95 PID 1496 wrote to memory of 1184 1496 Dbcmakpl.exe 95 PID 1184 wrote to memory of 1372 1184 Dimenegi.exe 96 PID 1184 wrote to memory of 1372 1184 Dimenegi.exe 96 PID 1184 wrote to memory of 1372 1184 Dimenegi.exe 96 PID 1372 wrote to memory of 4340 1372 Ebejfk32.exe 97 PID 1372 wrote to memory of 4340 1372 Ebejfk32.exe 97 PID 1372 wrote to memory of 4340 1372 Ebejfk32.exe 97 PID 4340 wrote to memory of 4836 4340 Elnoopdj.exe 98 PID 4340 wrote to memory of 4836 4340 Elnoopdj.exe 98 PID 4340 wrote to memory of 4836 4340 Elnoopdj.exe 98 PID 4836 wrote to memory of 2400 4836 Efccmidp.exe 99 PID 4836 wrote to memory of 2400 4836 Efccmidp.exe 99 PID 4836 wrote to memory of 2400 4836 Efccmidp.exe 99 PID 2400 wrote to memory of 3600 2400 Elpkep32.exe 100 PID 2400 wrote to memory of 3600 2400 Elpkep32.exe 100 PID 2400 wrote to memory of 3600 2400 Elpkep32.exe 100 PID 3600 wrote to memory of 3976 3600 Ebjcajjd.exe 101 PID 3600 wrote to memory of 3976 3600 Ebjcajjd.exe 101 PID 3600 wrote to memory of 3976 3600 Ebjcajjd.exe 101 PID 3976 wrote to memory of 2024 3976 Emphocjj.exe 102 PID 3976 wrote to memory of 2024 3976 Emphocjj.exe 102 PID 3976 wrote to memory of 2024 3976 Emphocjj.exe 102 PID 2024 wrote to memory of 1908 2024 Eppqqn32.exe 103 PID 2024 wrote to memory of 1908 2024 Eppqqn32.exe 103 PID 2024 wrote to memory of 1908 2024 Eppqqn32.exe 103 PID 1908 wrote to memory of 640 1908 Efjimhnh.exe 104 PID 1908 wrote to memory of 640 1908 Efjimhnh.exe 104 PID 1908 wrote to memory of 640 1908 Efjimhnh.exe 104 PID 640 wrote to memory of 1560 640 Elgaeolp.exe 105 PID 640 wrote to memory of 1560 640 Elgaeolp.exe 105 PID 640 wrote to memory of 1560 640 Elgaeolp.exe 105 PID 1560 wrote to memory of 1696 1560 Fikbocki.exe 106 PID 1560 wrote to memory of 1696 1560 Fikbocki.exe 106 PID 1560 wrote to memory of 1696 1560 Fikbocki.exe 106 PID 1696 wrote to memory of 760 1696 Fdqfll32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.a1a7fa063e063f440a275e5d2d819b00.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.a1a7fa063e063f440a275e5d2d819b00.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\SysWOW64\Coknoaic.exeC:\Windows\system32\Coknoaic.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Dpnkdq32.exeC:\Windows\system32\Dpnkdq32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Dlghoa32.exeC:\Windows\system32\Dlghoa32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Dmfeidbe.exeC:\Windows\system32\Dmfeidbe.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Dbcmakpl.exeC:\Windows\system32\Dbcmakpl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Dimenegi.exeC:\Windows\system32\Dimenegi.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Ebejfk32.exeC:\Windows\system32\Ebejfk32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Elnoopdj.exeC:\Windows\system32\Elnoopdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\SysWOW64\Efccmidp.exeC:\Windows\system32\Efccmidp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Elpkep32.exeC:\Windows\system32\Elpkep32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Ebjcajjd.exeC:\Windows\system32\Ebjcajjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Efjimhnh.exeC:\Windows\system32\Efjimhnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Elgaeolp.exeC:\Windows\system32\Elgaeolp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Fikbocki.exeC:\Windows\system32\Fikbocki.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Fdqfll32.exeC:\Windows\system32\Fdqfll32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe23⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Fdccbl32.exeC:\Windows\system32\Fdccbl32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:984 -
C:\Windows\SysWOW64\Fipkjb32.exeC:\Windows\system32\Fipkjb32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3188 -
C:\Windows\SysWOW64\Fdepgkgj.exeC:\Windows\system32\Fdepgkgj.exe26⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Fmndpq32.exeC:\Windows\system32\Fmndpq32.exe27⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe28⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe29⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Gmdjapgb.exeC:\Windows\system32\Gmdjapgb.exe30⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Gpecbk32.exeC:\Windows\system32\Gpecbk32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3972 -
C:\Windows\SysWOW64\Gingkqkd.exeC:\Windows\system32\Gingkqkd.exe33⤵
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Gdcliikj.exeC:\Windows\system32\Gdcliikj.exe34⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Gipdap32.exeC:\Windows\system32\Gipdap32.exe35⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe37⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Hmnmgnoh.exeC:\Windows\system32\Hmnmgnoh.exe38⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe39⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Hkbmqb32.exeC:\Windows\system32\Hkbmqb32.exe40⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Hlcjhkdp.exeC:\Windows\system32\Hlcjhkdp.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Hcmbee32.exeC:\Windows\system32\Hcmbee32.exe42⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Hpabni32.exeC:\Windows\system32\Hpabni32.exe43⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Hiiggoaf.exeC:\Windows\system32\Hiiggoaf.exe44⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe45⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Hgmgqc32.exeC:\Windows\system32\Hgmgqc32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe47⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Injmcmej.exeC:\Windows\system32\Injmcmej.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:3920 -
C:\Windows\SysWOW64\Icfekc32.exeC:\Windows\system32\Icfekc32.exe49⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Iknmla32.exeC:\Windows\system32\Iknmla32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Idfaefkd.exeC:\Windows\system32\Idfaefkd.exe51⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Igdnabjh.exeC:\Windows\system32\Igdnabjh.exe52⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Innfnl32.exeC:\Windows\system32\Innfnl32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:436 -
C:\Windows\SysWOW64\Ipmbjgpi.exeC:\Windows\system32\Ipmbjgpi.exe54⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Iggjga32.exeC:\Windows\system32\Iggjga32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Ikdcmpnl.exeC:\Windows\system32\Ikdcmpnl.exe56⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Jlfpdh32.exeC:\Windows\system32\Jlfpdh32.exe57⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Jcphab32.exeC:\Windows\system32\Jcphab32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Jnelok32.exeC:\Windows\system32\Jnelok32.exe59⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Jcbdgb32.exeC:\Windows\system32\Jcbdgb32.exe60⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Jnhidk32.exeC:\Windows\system32\Jnhidk32.exe61⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Jdaaaeqg.exeC:\Windows\system32\Jdaaaeqg.exe62⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Jklinohd.exeC:\Windows\system32\Jklinohd.exe63⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Jlmfeg32.exeC:\Windows\system32\Jlmfeg32.exe64⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Jgbjbp32.exeC:\Windows\system32\Jgbjbp32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3216 -
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe66⤵PID:2032
-
C:\Windows\SysWOW64\Jdfjld32.exeC:\Windows\system32\Jdfjld32.exe67⤵PID:4376
-
C:\Windows\SysWOW64\Kkpbin32.exeC:\Windows\system32\Kkpbin32.exe68⤵PID:4152
-
C:\Windows\SysWOW64\Knooej32.exeC:\Windows\system32\Knooej32.exe69⤵
- Modifies registry class
PID:3292 -
C:\Windows\SysWOW64\Kqmkae32.exeC:\Windows\system32\Kqmkae32.exe70⤵PID:3572
-
C:\Windows\SysWOW64\Kkconn32.exeC:\Windows\system32\Kkconn32.exe71⤵PID:4776
-
C:\Windows\SysWOW64\Kmdlffhj.exeC:\Windows\system32\Kmdlffhj.exe72⤵PID:4488
-
C:\Windows\SysWOW64\Kdkdgchl.exeC:\Windows\system32\Kdkdgchl.exe73⤵PID:3996
-
C:\Windows\SysWOW64\Kgipcogp.exeC:\Windows\system32\Kgipcogp.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4648 -
C:\Windows\SysWOW64\Kjhloj32.exeC:\Windows\system32\Kjhloj32.exe75⤵PID:228
-
C:\Windows\SysWOW64\Kmfhkf32.exeC:\Windows\system32\Kmfhkf32.exe76⤵PID:4140
-
C:\Windows\SysWOW64\Kglmio32.exeC:\Windows\system32\Kglmio32.exe77⤵PID:4300
-
C:\Windows\SysWOW64\Knfeeimj.exeC:\Windows\system32\Knfeeimj.exe78⤵PID:4772
-
C:\Windows\SysWOW64\Kqdaadln.exeC:\Windows\system32\Kqdaadln.exe79⤵PID:5164
-
C:\Windows\SysWOW64\Kgninn32.exeC:\Windows\system32\Kgninn32.exe80⤵PID:5220
-
C:\Windows\SysWOW64\Kjmfjj32.exeC:\Windows\system32\Kjmfjj32.exe81⤵
- Drops file in System32 directory
PID:5268 -
C:\Windows\SysWOW64\Kmkbfeab.exeC:\Windows\system32\Kmkbfeab.exe82⤵PID:5324
-
C:\Windows\SysWOW64\Kcejco32.exeC:\Windows\system32\Kcejco32.exe83⤵PID:5372
-
C:\Windows\SysWOW64\Ljobpiql.exeC:\Windows\system32\Ljobpiql.exe84⤵PID:5432
-
C:\Windows\SysWOW64\Lmmolepp.exeC:\Windows\system32\Lmmolepp.exe85⤵PID:5476
-
C:\Windows\SysWOW64\Lcggio32.exeC:\Windows\system32\Lcggio32.exe86⤵PID:5520
-
C:\Windows\SysWOW64\Ljaoeini.exeC:\Windows\system32\Ljaoeini.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5564 -
C:\Windows\SysWOW64\Lqkgbcff.exeC:\Windows\system32\Lqkgbcff.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5604 -
C:\Windows\SysWOW64\Lcjcnoej.exeC:\Windows\system32\Lcjcnoej.exe89⤵PID:5648
-
C:\Windows\SysWOW64\Lkalplel.exeC:\Windows\system32\Lkalplel.exe90⤵PID:5692
-
C:\Windows\SysWOW64\Lnohlgep.exeC:\Windows\system32\Lnohlgep.exe91⤵
- Modifies registry class
PID:5740 -
C:\Windows\SysWOW64\Ldipha32.exeC:\Windows\system32\Ldipha32.exe92⤵PID:5804
-
C:\Windows\SysWOW64\Lggldm32.exeC:\Windows\system32\Lggldm32.exe93⤵PID:5856
-
C:\Windows\SysWOW64\Lnadagbm.exeC:\Windows\system32\Lnadagbm.exe94⤵PID:5904
-
C:\Windows\SysWOW64\Lqpamb32.exeC:\Windows\system32\Lqpamb32.exe95⤵PID:5972
-
C:\Windows\SysWOW64\Lcnmin32.exeC:\Windows\system32\Lcnmin32.exe96⤵PID:6024
-
C:\Windows\SysWOW64\Lmgabcge.exeC:\Windows\system32\Lmgabcge.exe97⤵PID:6080
-
C:\Windows\SysWOW64\Lenicahg.exeC:\Windows\system32\Lenicahg.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:6124 -
C:\Windows\SysWOW64\Mkhapk32.exeC:\Windows\system32\Mkhapk32.exe99⤵PID:3524
-
C:\Windows\SysWOW64\Madjhb32.exeC:\Windows\system32\Madjhb32.exe100⤵PID:5240
-
C:\Windows\SysWOW64\Mkjnfkma.exeC:\Windows\system32\Mkjnfkma.exe101⤵PID:5344
-
C:\Windows\SysWOW64\Mmkkmc32.exeC:\Windows\system32\Mmkkmc32.exe102⤵PID:5416
-
C:\Windows\SysWOW64\Mgaokl32.exeC:\Windows\system32\Mgaokl32.exe103⤵PID:5504
-
C:\Windows\SysWOW64\Mmnhcb32.exeC:\Windows\system32\Mmnhcb32.exe104⤵
- Modifies registry class
PID:5572 -
C:\Windows\SysWOW64\Mkohaj32.exeC:\Windows\system32\Mkohaj32.exe105⤵PID:5680
-
C:\Windows\SysWOW64\Mnmdme32.exeC:\Windows\system32\Mnmdme32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5728 -
C:\Windows\SysWOW64\Megljppl.exeC:\Windows\system32\Megljppl.exe107⤵PID:5848
-
C:\Windows\SysWOW64\Mkadfj32.exeC:\Windows\system32\Mkadfj32.exe108⤵PID:5980
-
C:\Windows\SysWOW64\Ngjbaj32.exeC:\Windows\system32\Ngjbaj32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6060 -
C:\Windows\SysWOW64\Nndjndbh.exeC:\Windows\system32\Nndjndbh.exe110⤵PID:4156
-
C:\Windows\SysWOW64\Nabfjpak.exeC:\Windows\system32\Nabfjpak.exe111⤵
- Drops file in System32 directory
PID:5276 -
C:\Windows\SysWOW64\Nhmofj32.exeC:\Windows\system32\Nhmofj32.exe112⤵PID:5420
-
C:\Windows\SysWOW64\Nnfgcd32.exeC:\Windows\system32\Nnfgcd32.exe113⤵PID:5528
-
C:\Windows\SysWOW64\Nccokk32.exeC:\Windows\system32\Nccokk32.exe114⤵PID:5636
-
C:\Windows\SysWOW64\Njmhhefi.exeC:\Windows\system32\Njmhhefi.exe115⤵
- Modifies registry class
PID:5768 -
C:\Windows\SysWOW64\Nagpeo32.exeC:\Windows\system32\Nagpeo32.exe116⤵PID:5992
-
C:\Windows\SysWOW64\Ndflak32.exeC:\Windows\system32\Ndflak32.exe117⤵
- Drops file in System32 directory
PID:5156 -
C:\Windows\SysWOW64\Nnkpnclp.exeC:\Windows\system32\Nnkpnclp.exe118⤵PID:5440
-
C:\Windows\SysWOW64\Najmjokc.exeC:\Windows\system32\Najmjokc.exe119⤵PID:5512
-
C:\Windows\SysWOW64\Ohcegi32.exeC:\Windows\system32\Ohcegi32.exe120⤵PID:5724
-
C:\Windows\SysWOW64\Omqmop32.exeC:\Windows\system32\Omqmop32.exe121⤵PID:6076
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-