Analysis
max time kernel: 36s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/11/2023, 17:07
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: NEAS.e25592189e2c64bff811fcd69aa47939.exe
  Resource: win7-20231025-en
  6 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: NEAS.e25592189e2c64bff811fcd69aa47939.exe
  Resource: win10v2004-20231023-en
  6 signatures, 150 seconds
General
Target: NEAS.e25592189e2c64bff811fcd69aa47939.exe
Size: 242KB
MD5: e25592189e2c64bff811fcd69aa47939
SHA1: e47ee6fd5b2418264f2a55975489629e63c387c4
SHA256: ec852660ac8d75100a0b97a99b15e4c833ac962f675e2571d5fea2d810832ace
SHA512: 38c10cf8e5f2cad8a4452a085503e39259c6f08fc0498d669c2ad20ed94daf175882f0df412ce4e38013f5283c93baf6c3355082bad3f77d30e8a53d272a038c
SSDEEP: 3072:UqbwIJOmj5ApMrV6V8ZLB6V16VKcWmjRrzKbKcWmjRrzK8VHkdYaM88KC:1wIJOm9ASrV66LB6X62UyHEYa0
Score: 10/10
Malware Config: none shown
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
All 64 entries touch the same key, HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (a 32-bit process writing HKLM\SOFTWARE is redirected to WOW6432Node, which is why the sample's writes land there). The entries are grouped by operation; the process listed is the dropped executable that performed it.

Set value (str)  ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"  (31 IoCs), by:
  Jinboekc.exe, Mfqlfb32.exe, Amqhbe32.exe, Ljdkll32.exe, Fqdbdbna.exe, Bpbpecen.exe, Gbnoiqdq.exe, Cacckp32.exe, Iajdgcab.exe, Khlinedh.exe, Opclldhj.exe, Pnmopk32.exe, Ehlhih32.exe, Nmmqgo32.exe, Iipfmggc.exe, Pokanf32.exe, Ocdnln32.exe, Ieidhh32.exe, Jekjcaef.exe, Ndpjnq32.exe, Fgijkgeh.exe, Cocjiehd.exe, Mbgeqmjp.exe, Fjjjgh32.exe, Cajjjk32.exe, Beippj32.exe, Fbgihaji.exe, Gmimai32.exe, Dnmaea32.exe, Kmegkp32.exe, Bmeandma.exe

Key created  ShellServiceObjectDelayLoad  (33 IoCs), by:
  Cdimqm32.exe, Process not Found, Cbaehl32.exe, Jinboekc.exe, Mfchlbfd.exe, Cpogkhnl.exe, Fpcdji32.exe, Lckboblp.exe, Geqlhp32.exe, Hepgkohh.exe, Mhldbh32.exe, Pcpnhl32.exe, Fjoadbbc.exe, Kodnmkap.exe, Cnjdpaki.exe, Pdqcenmg.exe, Pokanf32.exe, Fndpmndl.exe, Ojqcnhkl.exe, Iagqgn32.exe, Fbgihaji.exe, Nceefd32.exe, Jhnojl32.exe, Gbpnjdkg.exe, Ibpgqa32.exe, Epaemojk.exe, Cdkifmjq.exe, Cdpcal32.exe, Oikjkc32.exe, Kpiqfima.exe, Kcapicdj.exe, Oiagde32.exe, Inmggo32.exe
Executes dropped EXE (64 IoCs)
pid  Process (four per line)
2328 Fbgihaji.exe | 1776 Gnqfcbnj.exe | 4900 Gbnoiqdq.exe | 228 Gmimai32.exe
404 Holfoqcm.exe | 4200 Hffken32.exe | 1648 Hbohpn32.exe | 784 Ibcaknbi.exe
4292 Iipfmggc.exe | 1880 Imnocf32.exe | 2156 Ieidhh32.exe | 892 Jekqmhia.exe
4540 Jcoaglhk.exe | 4312 Jngbjd32.exe | 3744 Jinboekc.exe | 4336 Jcfggkac.exe
4056 Jnlkedai.exe | 5076 Klahfp32.exe | 436 Kncaec32.exe | 2500 Kodnmkap.exe
1116 Kpcjgnhb.exe | 4280 Kngkqbgl.exe | 820 Llmhaold.exe | 2824 Llodgnja.exe
2088 Lqmmmmph.exe | 2100 Lcnfohmi.exe | 1316 Mfnoqc32.exe | 2432 Mfqlfb32.exe
4684 Mfchlbfd.exe | 4680 Mokmdh32.exe | 1468 Mgeakekd.exe | 3328 Npbceggm.exe
4844 Nncccnol.exe | 3520 Nfohgqlg.exe | 3756 Njmqnobn.exe | 900 Nceefd32.exe
4356 Ompfej32.exe | 4920 Ojdgnn32.exe | 4284 Oclkgccf.exe | 4368 Opclldhj.exe
3968 Ondljl32.exe | 2284 Pmiikh32.exe | 216 Pjmjdm32.exe | 4536 Pjpfjl32.exe
896 Pnmopk32.exe | 3136 Pjdpelnc.exe | 2168 Ppahmb32.exe | 1680 Qmeigg32.exe
4108 Qjiipk32.exe | 1464 Aogbfi32.exe | 4696 Adcjop32.exe | 2836 Apjkcadp.exe
4084 Amnlme32.exe | 1184 Amqhbe32.exe | 2884 Akdilipp.exe | 2704 Bdmmeo32.exe
2188 Bmeandma.exe | 2740 Bkibgh32.exe | 4288 Bhmbqm32.exe | 4240 Bnlhncgi.exe
1588 Bgelgi32.exe | 1412 Cdimqm32.exe | 3896 Cdkifmjq.exe | 2244 Cpbjkn32.exe
Drops file in System32 directory (64 IoCs)
All paths are under C:\Windows\SysWOW64\ (the 32-bit sample's view of System32).
description                  | ioc          | Process
File created                 | Enkmfolf.exe | Edbiniff.exe
File created                 | Gicgpelg.exe | Gbiockdj.exe
File created                 | Pcgdhkem.exe | Piapkbeg.exe
File opened for modification | Eljchpnl.exe | Eiijfd32.exe
File created                 | Hclkag32.dll | Gbnhoj32.exe
File opened for modification | Ocnabm32.exe | Ojemig32.exe
File opened for modification | Pmphaaln.exe | Pcgdhkem.exe
File created                 | Fgiaemic.exe | Famhmfkl.exe
File opened for modification | Mdnebc32.exe | Lamlphoo.exe
File created                 | Apimodmh.exe | Abemep32.exe
File created                 | Llodgnja.exe | Llmhaold.exe
File opened for modification | Gacepg32.exe | Gihpkd32.exe
File created                 | Hpceplkl.dll | Hnbeeiji.exe
File opened for modification | Pcbkml32.exe | Pcpnhl32.exe
File created                 | Lqmmmmph.exe | Llodgnja.exe
File opened for modification | Ehlhih32.exe | Enfckp32.exe
File opened for modification | Aaiqcnhg.exe | Apeknk32.exe
File created                 | Ejccgi32.exe | Edfknb32.exe
File opened for modification | Gnaecedp.exe | Gclafmej.exe
File created                 | Pneall32.dll | Pnmopk32.exe
File opened for modification | Dqbcbkab.exe | Dgjoif32.exe
File created                 | Hpkknmgd.exe | Heegad32.exe
File opened for modification | Eiijfd32.exe | Epaemojk.exe
File created                 | Nkgdfb32.dll | Opclldhj.exe
File created                 | Qidpon32.dll | Nbphglbe.exe
File opened for modification | Jlanpfkj.exe | Jaljbmkd.exe
File opened for modification | Hepgkohh.exe | Gbpnjdkg.exe
File created                 | Mnpkiqbe.dll | Jlanpfkj.exe
File created                 | Jdaaqg32.dll | Khlinedh.exe
File created                 | Bemlhj32.exe | Inmggo32.exe
File opened for modification | Egcaod32.exe | Enkmfolf.exe
File opened for modification | Nbbeml32.exe | Nmfmde32.exe
File opened for modification | Bbdpad32.exe | Bdocph32.exe
File created                 | Gnqfcbnj.exe | Fbgihaji.exe
File created                 | Adcjop32.exe | Aogbfi32.exe
File created                 | Fqkiecpd.dll | Abemep32.exe
File opened for modification | Cdimqm32.exe | Bgelgi32.exe
File opened for modification | Hnlodjpa.exe | Hioflcbj.exe
File created                 | Amoknh32.exe | Locnlmoe.exe
File created                 | Cdkifmjq.exe | Cdimqm32.exe
File created                 | Aanfno32.dll | Iajdgcab.exe
File created                 | Kplqhmfl.dll | Edfknb32.exe
File opened for modification | Mfnoqc32.exe | Lcnfohmi.exe
File created                 | Fhmeii32.dll | Fpcdji32.exe
File created                 | Okolfj32.exe | Oohkai32.exe
File created                 | Ikgbdnie.dll | Ibcaknbi.exe
File created                 | Hegmlnbp.exe | Hjaioe32.exe
File created                 | Abemep32.exe | Alkeifga.exe
File created                 | Pjmjdm32.exe | Pmiikh32.exe
File created                 | Akdilipp.exe | Amqhbe32.exe
File created                 | Famhmfkl.exe | Fclhpo32.exe
File created                 | Fneoma32.exe | Fcpkph32.exe
File created                 | Ajhapb32.dll | Njbgmjgl.exe
File created                 | Kbeibo32.exe | Jjgkab32.exe
File opened for modification | Hioflcbj.exe | Hpfbcn32.exe
File created                 | Flfbcndo.exe | Fgijkgeh.exe
File created                 | Hnbeeiji.exe | Hejqldci.exe
File created                 | Icembg32.dll | Egnajocq.exe
File created                 | Mkhpmopi.dll | Fqdbdbna.exe
File created                 | Mdpagc32.exe | Mkgmoncl.exe
File opened for modification | Apjkcadp.exe | Adcjop32.exe
File created                 | Nbphglbe.exe | Nfihbk32.exe
File opened for modification | Oiagde32.exe | Ocdnln32.exe
File opened for modification | Dgjoif32.exe | Damfao32.exe
Program crash (1 IoC)
pid: 8544, pid_target: 8536, Process: Process not Found, procid_target: 1408
Modifies registry class (64 IoCs)
All 64 entries are under HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, the COM class that the ShellServiceObjectDelayLoad value above points at. Grouped by operation; the process listed is the dropped executable that performed it.

Key created  InProcServer32  (23 IoCs), by:
  Dnonkq32.exe, Hoiihcde.exe, Kncaec32.exe, Kpqggh32.exe, Dhbebj32.exe, Moacbe32.exe, Hioflcbj.exe, Gclafmej.exe, Fohfbpgi.exe, Ibcaknbi.exe, Kpiqfima.exe, Cdkifmjq.exe, Ilkoim32.exe, Ojdgnn32.exe, Gdknpp32.exe, Dbhlikpf.exe, Okailj32.exe, Hnlodjpa.exe, Dnngpj32.exe, Bpemkcck.exe, Edbiniff.exe, Abpcicpi.exe, Beippj32.exe

Set value (str)  InProcServer32\ThreadingModel = "Apartment"  (21 IoCs), by:
  Dnonkq32.exe, Hpkknmgd.exe, Process not Found, Ockdmmoj.exe, Ncbafoge.exe, Gbiockdj.exe, Janghmia.exe, Adcjop32.exe, Fpcdji32.exe, Pjdpelnc.exe, Bdocph32.exe, Jjgkab32.exe, Egcaod32.exe, Ejccgi32.exe, Idhgkcln.exe, Nceefd32.exe, Hejjanpm.exe, Hejqldci.exe, Oikjkc32.exe, Pjpfjl32.exe, Kabcopmg.exe

Set value (str)  InProcServer32\(default) = path of a dropped DLL  (20 IoCs; each process points the class at a different DLL):
  C:\Windows\SysWow64\Kngmnjok.dll | Qfjjpf32.exe
  C:\Windows\SysWow64\Efehkimj.dll | Dnngpj32.exe
  C:\Windows\SysWow64\Fbbnhl32.dll | Ilhkigcd.exe
  C:\Windows\SysWow64\Bfdkqcmb.dll | Klmnkdal.exe
  C:\Windows\SysWow64\Cfmidc32.dll | Lajmmc32.exe
  C:\Windows\SysWow64\Gpmenm32.dll | Ilkoim32.exe
  C:\Windows\SysWow64\Bhkacq32.dll | Ejjaqk32.exe
  C:\Windows\SysWow64\Lapmnano.dll | Hkjohi32.exe
  C:\Windows\SysWow64\Iheocj32.dll | Pcbkml32.exe
  C:\Windows\SysWow64\Gajlgpic.dll | Fjjjgh32.exe
  C:\Windows\SysWow64\Flbldfbp.dll | Gkefmjcj.exe
  C:\Windows\SysWow64\Eknanh32.dll | Nfknmd32.exe
  C:\Windows\SysWow64\Foniaq32.dll | Kcapicdj.exe
  C:\Windows\SysWow64\Hobbfhjl.dll | Loacdc32.exe
  C:\Windows\SysWow64\Ghfedh32.dll | Fndpmndl.exe
  C:\Windows\SysWow64\Gimngjie.dll | Eqlfhjig.exe
  C:\Windows\SysWow64\Jfhmgagf.dll | Enhpao32.exe
  C:\Windows\SysWow64\Lfcjfjoi.dll | Process not Found
  C:\Windows\SysWow64\Olieecnn.dll | Jngbjd32.exe
  C:\Windows\SysWow64\Gcqpalio.dll | Hjdedepg.exe
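The two registry signatures above describe a single persistence mechanism: the "Web Event Logger" value under ShellServiceObjectDelayLoad names a CLSID, and that CLSID's InProcServer32 default value names a dropped DLL in SysWow64 (with ThreadingModel = Apartment), so the shell instantiates the DLL as a COM object when it starts. The script below is an added example for hunting that shape on a live host; it is not part of the tria.ge report. It assumes an elevated PowerShell session, checks both the native and WOW6432Node registry views (the sample's writes were redirected to the latter), resolves every SSODL value to its server DLL, and flags the value name and CLSID recorded in this report plus any server DLL that is missing, unsigned, or outside System32/SysWOW64.

```powershell
# Added example (not from the tria.ge report): hunt ShellServiceObjectDelayLoad persistence.
# Run elevated. The value name and CLSID below are the ones recorded in this report.
$reportName  = 'Web Event Logger'
$reportClsid = '{79FEACFF-FFCE-815E-A900-316290B5B738}'

# A 32-bit writer on 64-bit Windows is redirected to WOW6432Node, so inspect both views.
$ssodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
)

function Resolve-InProcServer {
    param([string]$Clsid)
    # Return the DLL from the first InProcServer32 default value found, or $null.
    foreach ($root in $clsidRoots) {
        $key = Join-Path $root ($Clsid + '\InProcServer32')
        if (Test-Path -LiteralPath $key) {
            $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

function Get-SsodlFindings {
    foreach ($key in $ssodlKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not registry values
            $clsid   = [string]$prop.Value
            $dll     = Resolve-InProcServer $clsid
            $reasons = @()
            if ($prop.Name -eq $reportName) { $reasons += 'value name matches report' }
            if ($clsid -eq $reportClsid)    { $reasons += 'CLSID matches report' }
            if (-not $dll) {
                $reasons += 'CLSID has no InProcServer32'
            } elseif (-not (Test-Path -LiteralPath $dll)) {
                $reasons += 'server DLL missing on disk'
            } else {
                # Legitimate SSODL servers are Microsoft-signed and live in System32/SysWOW64.
                $sig = Get-AuthenticodeSignature -FilePath $dll
                if ($sig.Status -ne 'Valid') { $reasons += "server DLL signature: $($sig.Status)" }
                if ($dll -notmatch '^[A-Z]:\\Windows\\(System32|SysWOW64)\\[^\\]+\.dll$') {
                    $reasons += 'server DLL outside System32/SysWOW64'
                }
            }
            [pscustomobject]@{
                SsodlKey = $key
                Name     = $prop.Name
                CLSID    = $clsid
                Server   = $dll
                Suspect  = ($reasons.Count -gt 0)
                Why      = ($reasons -join '; ')
            }
        }
    }
}

Get-SsodlFindings | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap
```

On a clean Windows 10 host the only rows are Microsoft-signed shell objects and Suspect is False for all of them. Treat a hit as a triage lead: the dropped DLL names in this report are random per run, so match on the mechanism (an SSODL value resolving to an unsigned DLL), not on a specific file name.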
Suspicious use of WriteProcessMemory (64 IoCs)
Every parent-to-child write was logged three times; the pairs are collapsed here to one line each, in the order logged. Each dropped executable writes into the next one it spawns.
pid   Process                                    -> target pid   procid_target
4080  NEAS.e25592189e2c64bff811fcd69aa47939.exe  -> 2328         88
2328  Fbgihaji.exe                               -> 1776         89
1776  Gnqfcbnj.exe                               -> 4900         90
4900  Gbnoiqdq.exe                               -> 228          91
228   Gmimai32.exe                               -> 404          93
404   Holfoqcm.exe                               -> 4200         94
4200  Hffken32.exe                               -> 1648         96
1648  Hbohpn32.exe                               -> 784          97
784   Ibcaknbi.exe                               -> 4292         98
4292  Iipfmggc.exe                               -> 1880         99
1880  Imnocf32.exe                               -> 2156         100
2156  Ieidhh32.exe                               -> 892          101
892   Jekqmhia.exe                               -> 4540         102
4540  Jcoaglhk.exe                               -> 4312         103
4312  Jngbjd32.exe                               -> 3744         105
3744  Jinboekc.exe                               -> 4336         106
4336  Jcfggkac.exe                               -> 4056         107
4056  Jnlkedai.exe                               -> 5076         108
5076  Klahfp32.exe                               -> 436          109
436   Kncaec32.exe                               -> 2500         110
2500  Kodnmkap.exe                               -> 1116         111
1116  Kpcjgnhb.exe                               -> 4280         112   (listed once)
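The WriteProcessMemory table and the "Executes dropped EXE" list together show a linear chain: each eight-letter executable in SysWOW64 is unsigned, was written by its predecessor, and starts the next one. The script below is an added example, not part of the tria.ge report, that looks for that shape among running processes. It assumes that every executable shipped in SysWOW64 on a healthy host carries a valid Microsoft (embedded or catalog) Authenticode signature, so an unsigned SysWOW64 image whose parent is also an unsigned SysWOW64 image is worth a look. It starts only from leaf processes so each chain is reported once, keeps the first non-matching ancestor as the likely dropper, and stops climbing when a "parent" was created after its child, which is the PID-reuse case.

```powershell
# Added example (not from the tria.ge report): find chains of unsigned SysWOW64 executables
# spawning one another, the shape recorded in this sandbox run. Run elevated so every
# process exposes its ExecutablePath.
$procs = Get-CimInstance -ClassName Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CreationDate
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$sigCache = @{}
function Test-UnsignedSysWow64Exe {
    param($Proc)
    $path = $Proc.ExecutablePath
    if (-not $path) { return $false }
    if ($path -notmatch '^[A-Z]:\\Windows\\SysWOW64\\[^\\]+\.exe$') { return $false }
    if (-not $sigCache.ContainsKey($path)) {
        # Cache per image: the same binary can back many processes.
        $sigCache[$path] = (Get-AuthenticodeSignature -FilePath $path).Status
    }
    return ($sigCache[$path] -ne 'Valid')
}

function Get-SuspectChains {
    $matchingPids = @($procs | Where-Object { Test-UnsignedSysWow64Exe $_ } |
                       ForEach-Object { [int]$_.ProcessId })
    $parentPids   = @($procs | Where-Object { [int]$_.ProcessId -in $matchingPids } |
                       ForEach-Object { [int]$_.ParentProcessId })
    foreach ($p in $procs) {
        $pid_ = [int]$p.ProcessId
        if ($pid_ -notin $matchingPids) { continue }
        if ($pid_ -in $parentPids)      { continue }   # not a leaf; its child will report the chain
        $chain = @($p)
        $cur   = $p
        while ($byPid.ContainsKey([int]$cur.ParentProcessId)) {
            $parent = $byPid[[int]$cur.ParentProcessId]
            if ($parent.ProcessId -eq $cur.ProcessId) { break }
            # A parent created after its child is a reused PID, not the real parent.
            if ($parent.CreationDate -and $cur.CreationDate -and
                $parent.CreationDate -gt $cur.CreationDate) { break }
            $chain += $parent
            if (-not (Test-UnsignedSysWow64Exe $parent)) { break }   # keep the likely dropper, then stop
            $cur = $parent
        }
        $links = @($chain | Where-Object { Test-UnsignedSysWow64Exe $_ }).Count
        if ($links -ge 2) {
            $ordered = $chain[($chain.Count - 1)..0]   # root first
            [pscustomobject]@{
                Links = $links
                Chain = ($ordered | ForEach-Object { "$($_.ProcessId):$($_.Name)" }) -join ' -> '
            }
        }
    }
}

Get-SuspectChains | Sort-Object Links -Descending | Format-Table -AutoSize -Wrap
```

Because the sample's executables are short-lived and each one exits after starting the next, a live snapshot may catch only the tail of the chain; the same logic applied to Sysmon process-creation events (parent image, image, signature) sees the whole sequence. Expect noise on hosts where third-party 32-bit software installs unsigned helpers into SysWOW64; the signature check is a triage filter, not a verdict.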
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.e25592189e2c64bff811fcd69aa47939.exe "C:\Users\Admin\AppData\Local\Temp\NEAS.e25592189e2c64bff811fcd69aa47939.exe" 1⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- C:\Windows\SysWOW64\Fbgihaji.exe C:\Windows\system32\Fbgihaji.exe 2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2328
- C:\Windows\SysWOW64\Gnqfcbnj.exe C:\Windows\system32\Gnqfcbnj.exe 3⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1776
- C:\Windows\SysWOW64\Gbnoiqdq.exe C:\Windows\system32\Gbnoiqdq.exe 4⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4900
- C:\Windows\SysWOW64\Gmimai32.exe C:\Windows\system32\Gmimai32.exe 5⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:228
- C:\Windows\SysWOW64\Holfoqcm.exe C:\Windows\system32\Holfoqcm.exe 6⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:404
- C:\Windows\SysWOW64\Hffken32.exe C:\Windows\system32\Hffken32.exe 7⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4200
- C:\Windows\SysWOW64\Hbohpn32.exe C:\Windows\system32\Hbohpn32.exe 8⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1648
- C:\Windows\SysWOW64\Ibcaknbi.exe C:\Windows\system32\Ibcaknbi.exe 9⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:784
- C:\Windows\SysWOW64\Iipfmggc.exe C:\Windows\system32\Iipfmggc.exe 10⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4292
- C:\Windows\SysWOW64\Imnocf32.exe C:\Windows\system32\Imnocf32.exe 11⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1880
- C:\Windows\SysWOW64\Ieidhh32.exe C:\Windows\system32\Ieidhh32.exe 12⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2156
- C:\Windows\SysWOW64\Jekqmhia.exe C:\Windows\system32\Jekqmhia.exe 13⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:892
- C:\Windows\SysWOW64\Jcoaglhk.exe C:\Windows\system32\Jcoaglhk.exe 14⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4540
- C:\Windows\SysWOW64\Jngbjd32.exe C:\Windows\system32\Jngbjd32.exe 15⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4312
- C:\Windows\SysWOW64\Jinboekc.exe C:\Windows\system32\Jinboekc.exe 16⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3744
- C:\Windows\SysWOW64\Jcfggkac.exe C:\Windows\system32\Jcfggkac.exe 17⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4336
- C:\Windows\SysWOW64\Jnlkedai.exe C:\Windows\system32\Jnlkedai.exe 18⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4056
- C:\Windows\SysWOW64\Klahfp32.exe C:\Windows\system32\Klahfp32.exe 19⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5076
- C:\Windows\SysWOW64\Kncaec32.exe C:\Windows\system32\Kncaec32.exe 20⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:436
- C:\Windows\SysWOW64\Kodnmkap.exe C:\Windows\system32\Kodnmkap.exe 21⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2500
- C:\Windows\SysWOW64\Kpcjgnhb.exe C:\Windows\system32\Kpcjgnhb.exe 22⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1116
- C:\Windows\SysWOW64\Kngkqbgl.exe C:\Windows\system32\Kngkqbgl.exe 23⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\SysWOW64\Llmhaold.exe C:\Windows\system32\Llmhaold.exe 24⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:820
- C:\Windows\SysWOW64\Llodgnja.exe C:\Windows\system32\Llodgnja.exe 25⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2824
- C:\Windows\SysWOW64\Lqmmmmph.exe C:\Windows\system32\Lqmmmmph.exe 26⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\SysWOW64\Lcnfohmi.exe C:\Windows\system32\Lcnfohmi.exe 27⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2100
- C:\Windows\SysWOW64\Mfnoqc32.exe C:\Windows\system32\Mfnoqc32.exe 28⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\SysWOW64\Mfqlfb32.exe C:\Windows\system32\Mfqlfb32.exe 29⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:2432
- C:\Windows\SysWOW64\Mfchlbfd.exe C:\Windows\system32\Mfchlbfd.exe 30⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:4684
- C:\Windows\SysWOW64\Mokmdh32.exe C:\Windows\system32\Mokmdh32.exe 31⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\SysWOW64\Mgeakekd.exe C:\Windows\system32\Mgeakekd.exe 32⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\SysWOW64\Npbceggm.exe C:\Windows\system32\Npbceggm.exe 33⤵
  - Executes dropped EXE
  PID:3328
- C:\Windows\SysWOW64\Pmpmnb32.exe C:\Windows\system32\Pmpmnb32.exe 22⤵ PID:6648
- C:\Windows\SysWOW64\Pkdngf32.exe C:\Windows\system32\Pkdngf32.exe 23⤵ PID:7568
- C:\Windows\SysWOW64\Pkfjmfld.exe C:\Windows\system32\Pkfjmfld.exe 24⤵ PID:5736
- C:\Windows\SysWOW64\Pljcjn32.exe C:\Windows\system32\Pljcjn32.exe 25⤵ PID:7788
- C:\Windows\SysWOW64\Pgbdmfnc.exe C:\Windows\system32\Pgbdmfnc.exe 26⤵ PID:7468
- C:\Windows\SysWOW64\Qciebg32.exe C:\Windows\system32\Qciebg32.exe 27⤵ PID:7904
- C:\Windows\SysWOW64\Akgcdc32.exe C:\Windows\system32\Akgcdc32.exe 28⤵ PID:4904
- C:\Windows\SysWOW64\Apcllk32.exe C:\Windows\system32\Apcllk32.exe 29⤵ PID:7596
- C:\Windows\SysWOW64\Akkmocjl.exe C:\Windows\system32\Akkmocjl.exe 30⤵ PID:5812
- C:\Windows\SysWOW64\Addahh32.exe C:\Windows\system32\Addahh32.exe 31⤵ PID:7632
- C:\Windows\SysWOW64\Bpmobi32.exe C:\Windows\system32\Bpmobi32.exe 32⤵ PID:6820
- C:\Windows\SysWOW64\Bdkghg32.exe C:\Windows\system32\Bdkghg32.exe 33⤵ PID:5352
- C:\Windows\SysWOW64\Bnclamqe.exe C:\Windows\system32\Bnclamqe.exe 34⤵ PID:2088
- C:\Windows\SysWOW64\Cmkehicj.exe C:\Windows\system32\Cmkehicj.exe 35⤵ PID:6860
- C:\Windows\SysWOW64\Cddjofbj.exe C:\Windows\system32\Cddjofbj.exe 36⤵ PID:8188
- C:\Windows\SysWOW64\Cqkkcghn.exe C:\Windows\system32\Cqkkcghn.exe 37⤵ PID:6360
- C:\Windows\SysWOW64\Cnokmkfh.exe C:\Windows\system32\Cnokmkfh.exe 38⤵ PID:8148
- C:\Windows\SysWOW64\Dkehlo32.exe C:\Windows\system32\Dkehlo32.exe 39⤵ PID:7404
- C:\Windows\SysWOW64\Dgliapic.exe C:\Windows\system32\Dgliapic.exe 40⤵ PID:9264
- C:\Windows\SysWOW64\Debfpd32.exe C:\Windows\system32\Debfpd32.exe 41⤵ PID:6288
- C:\Windows\SysWOW64\Dnkkij32.exe C:\Windows\system32\Dnkkij32.exe 42⤵ PID:5632
- C:\Windows\SysWOW64\Enoddi32.exe C:\Windows\system32\Enoddi32.exe 43⤵ PID:8032
- C:\Windows\SysWOW64\Emgnje32.exe C:\Windows\system32\Emgnje32.exe 44⤵ PID:464
- C:\Windows\SysWOW64\Emikpeig.exe C:\Windows\system32\Emikpeig.exe 45⤵ PID:6744
- C:\Windows\SysWOW64\Emlgedge.exe C:\Windows\system32\Emlgedge.exe 46⤵ PID:440
- C:\Windows\SysWOW64\Fjphoi32.exe C:\Windows\system32\Fjphoi32.exe 47⤵ PID:1880
- C:\Windows\SysWOW64\Fchlhnlo.exe C:\Windows\system32\Fchlhnlo.exe 48⤵ PID:5228
- C:\Windows\SysWOW64\Fmpaqd32.exe C:\Windows\system32\Fmpaqd32.exe 49⤵ PID:3976
- C:\Windows\SysWOW64\Fhfenmbe.exe C:\Windows\system32\Fhfenmbe.exe 50⤵ PID:7240
- C:\Windows\SysWOW64\Fnpmkg32.exe C:\Windows\system32\Fnpmkg32.exe 51⤵ PID:5720
- C:\Windows\SysWOW64\Flcndk32.exe C:\Windows\system32\Flcndk32.exe 52⤵ PID:7860
- C:\Windows\SysWOW64\Felbmqpl.exe C:\Windows\system32\Felbmqpl.exe 53⤵ PID:4652
- C:\Windows\SysWOW64\Geqlhp32.exe C:\Windows\system32\Geqlhp32.exe 54⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:6512
- C:\Windows\SysWOW64\Gajibq32.exe C:\Windows\system32\Gajibq32.exe 55⤵ PID:2280
- C:\Windows\SysWOW64\Gdkbdllj.exe C:\Windows\system32\Gdkbdllj.exe 56⤵ PID:8000
- C:\Windows\SysWOW64\Haobnpkc.exe C:\Windows\system32\Haobnpkc.exe 57⤵ PID:5308
- C:\Windows\SysWOW64\Hmhphqoe.exe C:\Windows\system32\Hmhphqoe.exe 58⤵ PID:7660
- C:\Windows\SysWOW64\Hklpaeno.exe C:\Windows\system32\Hklpaeno.exe 59⤵ PID:5432
- C:\Windows\SysWOW64\Hoiihcde.exe C:\Windows\system32\Hoiihcde.exe 60⤵
  - Modifies registry class
  PID:7748
- C:\Windows\SysWOW64\Hhbnqi32.exe C:\Windows\system32\Hhbnqi32.exe 61⤵ PID:8480
- C:\Windows\SysWOW64\Ihdjfhhc.exe C:\Windows\system32\Ihdjfhhc.exe 62⤵ PID:5404
- C:\Windows\SysWOW64\Incpdodg.exe C:\Windows\system32\Incpdodg.exe 63⤵ PID:7232
- C:\Windows\SysWOW64\Inflio32.exe C:\Windows\system32\Inflio32.exe 64⤵ PID:8708
- C:\Windows\SysWOW64\Ihkpgg32.exe C:\Windows\system32\Ihkpgg32.exe 65⤵ PID:5420
- C:\Windows\SysWOW64\Ieoapl32.exe C:\Windows\system32\Ieoapl32.exe 66⤵ PID:7436
- C:\Windows\SysWOW64\Jliimf32.exe C:\Windows\system32\Jliimf32.exe 67⤵ PID:8440
- C:\Windows\SysWOW64\Jafaem32.exe C:\Windows\system32\Jafaem32.exe 68⤵ PID:8848
- C:\Windows\SysWOW64\Jlkfbe32.exe C:\Windows\system32\Jlkfbe32.exe 69⤵ PID:6752
- C:\Windows\SysWOW64\Jahnkl32.exe C:\Windows\system32\Jahnkl32.exe 70⤵ PID:8944
- C:\Windows\SysWOW64\Jnoopm32.exe C:\Windows\system32\Jnoopm32.exe 71⤵ PID:9048
- C:\Windows\SysWOW64\Jlponebi.exe C:\Windows\system32\Jlponebi.exe 72⤵ PID:9052
- C:\Windows\SysWOW64\Jehcfj32.exe C:\Windows\system32\Jehcfj32.exe 73⤵ PID:8648
- C:\Windows\SysWOW64\Khlinedh.exe C:\Windows\system32\Khlinedh.exe 74⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID:8712
- C:\Windows\SysWOW64\Klibdcjo.exe C:\Windows\system32\Klibdcjo.exe 75⤵ PID:6072
- C:\Windows\SysWOW64\Kbfjljhf.exe C:\Windows\system32\Kbfjljhf.exe 76⤵ PID:7940
- C:\Windows\SysWOW64\Kkooep32.exe C:\Windows\system32\Kkooep32.exe 77⤵ PID:7484
- C:\Windows\SysWOW64\Kfdcbiol.exe C:\Windows\system32\Kfdcbiol.exe 78⤵ PID:7996
- C:\Windows\SysWOW64\Klnkoc32.exe C:\Windows\system32\Klnkoc32.exe 79⤵ PID:6592
- C:\Windows\SysWOW64\Kbkdgj32.exe C:\Windows\system32\Kbkdgj32.exe 80⤵ PID:8040
- C:\Windows\SysWOW64\Lkchpoka.exe C:\Windows\system32\Lkchpoka.exe 81⤵ PID:2756
- C:\Windows\SysWOW64\Lhgiic32.exe C:\Windows\system32\Lhgiic32.exe 82⤵ PID:7704
- C:\Windows\SysWOW64\Lfkich32.exe C:\Windows\system32\Lfkich32.exe 83⤵ PID:7896
- C:\Windows\SysWOW64\Locnlmoe.exe C:\Windows\system32\Locnlmoe.exe 84⤵
  - Drops file in System32 directory
  PID:8344
- C:\Windows\SysWOW64\Ldqfddml.exe C:\Windows\system32\Ldqfddml.exe 85⤵ PID:8020
- C:\Windows\SysWOW64\Lnikmjdm.exe C:\Windows\system32\Lnikmjdm.exe 86⤵ PID:8496
- C:\Windows\SysWOW64\Lkmkfncf.exe C:\Windows\system32\Lkmkfncf.exe 87⤵ PID:8536
- C:\Windows\SysWOW64\Miqlpbap.exe C:\Windows\system32\Miqlpbap.exe 88⤵ PID:7100
- C:\Windows\SysWOW64\Mnndhi32.exe C:\Windows\system32\Mnndhi32.exe 89⤵ PID:8184
- C:\Windows\SysWOW64\Micheb32.exe C:\Windows\system32\Micheb32.exe 90⤵ PID:2148
- C:\Windows\SysWOW64\Momqblgj.exe C:\Windows\system32\Momqblgj.exe 91⤵ PID:5520
- C:\Windows\SysWOW64\Mieeka32.exe C:\Windows\system32\Mieeka32.exe 92⤵ PID:7440
- C:\Windows\SysWOW64\Mfiedfmd.exe C:\Windows\system32\Mfiedfmd.exe 93⤵ PID:7576
- C:\Windows\SysWOW64\Mijofaje.exe C:\Windows\system32\Mijofaje.exe 94⤵ PID:8268
- C:\Windows\SysWOW64\Nilkkq32.exe C:\Windows\system32\Nilkkq32.exe 95⤵ PID:9140
- C:\Windows\SysWOW64\Nbepdfnc.exe C:\Windows\system32\Nbepdfnc.exe 96⤵ PID:9248
- C:\Windows\SysWOW64\Nlmdml32.exe C:\Windows\system32\Nlmdml32.exe 97⤵ PID:432
- C:\Windows\SysWOW64\Nmmqgo32.exe C:\Windows\system32\Nmmqgo32.exe 98⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:3232
- C:\Windows\SysWOW64\Nehekq32.exe C:\Windows\system32\Nehekq32.exe 99⤵ PID:8
- C:\Windows\SysWOW64\Nejbaqgo.exe C:\Windows\system32\Nejbaqgo.exe 100⤵ PID:8656
- C:\Windows\SysWOW64\Nppfnige.exe C:\Windows\system32\Nppfnige.exe 101⤵ PID:3660
- C:\Windows\SysWOW64\Oemofpel.exe C:\Windows\system32\Oemofpel.exe 102⤵ PID:9572
- C:\Windows\SysWOW64\Opdpih32.exe C:\Windows\system32\Opdpih32.exe 103⤵ PID:8892
- C:\Windows\SysWOW64\Oeahap32.exe C:\Windows\system32\Oeahap32.exe 104⤵ PID:8976
- C:\Windows\SysWOW64\Omkmhlpf.exe C:\Windows\system32\Omkmhlpf.exe 105⤵ PID:7628
- C:\Windows\SysWOW64\Olpjii32.exe C:\Windows\system32\Olpjii32.exe 106⤵ PID:7148
- C:\Windows\SysWOW64\Pidjcm32.exe C:\Windows\system32\Pidjcm32.exe 107⤵ PID:8364
- C:\Windows\SysWOW64\Pblolb32.exe C:\Windows\system32\Pblolb32.exe 108⤵ PID:1160
- C:\Windows\SysWOW64\Pmbcik32.exe C:\Windows\system32\Pmbcik32.exe 109⤵ PID:5960
- C:\Windows\SysWOW64\Pemhmn32.exe C:\Windows\system32\Pemhmn32.exe 110⤵ PID:9024
- C:\Windows\SysWOW64\Pbcelacq.exe C:\Windows\system32\Pbcelacq.exe 111⤵ PID:4356
- C:\Windows\SysWOW64\Pmiijjcf.exe C:\Windows\system32\Pmiijjcf.exe 112⤵ PID:5348
- C:\Windows\SysWOW64\Qojeabie.exe C:\Windows\system32\Qojeabie.exe 113⤵ PID:9044
- C:\Windows\SysWOW64\Qbhnga32.exe C:\Windows\system32\Qbhnga32.exe 114⤵ PID:6428
- C:\Windows\SysWOW64\Qibfdkgh.exe C:\Windows\system32\Qibfdkgh.exe 115⤵ PID:8772
- C:\Windows\SysWOW64\Aoalba32.exe C:\Windows\system32\Aoalba32.exe 116⤵ PID:3020
- C:\Windows\SysWOW64\Aekdolkj.exe C:\Windows\system32\Aekdolkj.exe 117⤵ PID:8348
- C:\Windows\SysWOW64\Abodhpic.exe C:\Windows\system32\Abodhpic.exe 118⤵ PID:8524
- C:\Windows\SysWOW64\Agmmnnpj.exe C:\Windows\system32\Agmmnnpj.exe 119⤵ PID:7960
- C:\Windows\SysWOW64\Aljefena.exe C:\Windows\system32\Aljefena.exe 120⤵ PID:7076
- C:\Windows\SysWOW64\Aebjokda.exe C:\Windows\system32\Aebjokda.exe 121⤵ PID:7316
- C:\Windows\SysWOW64\Bmlofhca.exe C:\Windows\system32\Bmlofhca.exe 122⤵ PID:8260