Analysis
max time kernel: 165s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
submitted: 16/11/2023, 22:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.2605cbc1fff03ec84e3fcee086ccc0f0.exe
Resource
win7-20231025-en
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.2605cbc1fff03ec84e3fcee086ccc0f0.exe
Resource
win10v2004-20231023-en
6 signatures
150 seconds
General
Target: NEAS.2605cbc1fff03ec84e3fcee086ccc0f0.exe
Size: 465KB
MD5: 2605cbc1fff03ec84e3fcee086ccc0f0
SHA1: 2ed47af68f7d3184d07bc1225be5b1efbb6115ed
SHA256: 2652a46dd950b2901cb9945f4415ce6880fc4cc031eea9bf6994ecec454704db
SHA512: 276a4a11d4d8964d0d71d6b82a2150a0eb1a1f2a4c8999f929c3ef57a7e3aeb25b220b252925a6cbeff942b340e263ecaebb623fc12a4623a8e70ec2929aea81
SSDEEP: 6144:P3jKK0tzu3njPX9ZAkvntd4ljd3rKzwN8Jlljd3njPX9ZAk3fs:rJ0ojP9ZtVkjpKXjtjP9Zt0
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 2 IoCs
pid   pid_target  Process       procid_target
3984  560         WerFault.exe  556
7044  560         WerFault.exe  556
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[1] C:\Users\Admin\AppData\Local\Temp\NEAS.2605cbc1fff03ec84e3fcee086ccc0f0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.2605cbc1fff03ec84e3fcee086ccc0f0.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1464
[2] C:\Windows\SysWOW64\Lmcldhfp.exe
    Command line: C:\Windows\system32\Lmcldhfp.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2572
[3] C:\Windows\SysWOW64\Opjponbf.exe
    Command line: C:\Windows\system32\Opjponbf.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2312
[4] C:\Windows\SysWOW64\Omnqhbap.exe
    Command line: C:\Windows\system32\Omnqhbap.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 436
[5] C:\Windows\SysWOW64\Offeahhp.exe
    Command line: C:\Windows\system32\Offeahhp.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2648
[6] C:\Windows\SysWOW64\Plhgdn32.exe
    Command line: C:\Windows\system32\Plhgdn32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4760
[7] C:\Windows\SysWOW64\Qdhalj32.exe
    Command line: C:\Windows\system32\Qdhalj32.exe
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3476
[8] C:\Windows\SysWOW64\Ccbaoc32.exe
    Command line: C:\Windows\system32\Ccbaoc32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2552
[9] C:\Windows\SysWOW64\Enigjh32.exe
    Command line: C:\Windows\system32\Enigjh32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3964
[10] C:\Windows\SysWOW64\Gjpaffhl.exe
    Command line: C:\Windows\system32\Gjpaffhl.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1028
[11] C:\Windows\SysWOW64\Glajeiml.exe
    Command line: C:\Windows\system32\Glajeiml.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4272
[12] C:\Windows\SysWOW64\Hmecba32.exe
    Command line: C:\Windows\system32\Hmecba32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 4836
[13] C:\Windows\SysWOW64\Iejgelej.exe
    Command line: C:\Windows\system32\Iejgelej.exe
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3640
[14] C:\Windows\SysWOW64\Ilglgfjd.exe
    Command line: C:\Windows\system32\Ilglgfjd.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 3856
[15] C:\Windows\SysWOW64\Khpcid32.exe
    Command line: C:\Windows\system32\Khpcid32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4768
[16] C:\Windows\SysWOW64\Kbkdgj32.exe
    Command line: C:\Windows\system32\Kbkdgj32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4008
[17] C:\Windows\SysWOW64\Lnfngj32.exe
    Command line: C:\Windows\system32\Lnfngj32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2832
[18] C:\Windows\SysWOW64\Micheb32.exe
    Command line: C:\Windows\system32\Micheb32.exe
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4620
[19] C:\Windows\SysWOW64\Nnlqig32.exe
    Command line: C:\Windows\system32\Nnlqig32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4324
[20] C:\Windows\SysWOW64\Nfgbec32.exe
    Command line: C:\Windows\system32\Nfgbec32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 1536
[21] C:\Windows\SysWOW64\Ofjokc32.exe
    Command line: C:\Windows\system32\Ofjokc32.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3088
[22] C:\Windows\SysWOW64\Onjmjegg.exe
    Command line: C:\Windows\system32\Onjmjegg.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4648
[23] C:\Windows\SysWOW64\Opkfjgmh.exe
    Command line: C:\Windows\system32\Opkfjgmh.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Pbahgbfc.exeC:\Windows\system32\Pbahgbfc.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Acaanp32.exeC:\Windows\system32\Acaanp32.exe25⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Blqlgdhi.exeC:\Windows\system32\Blqlgdhi.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:780 -
C:\Windows\SysWOW64\Clhbhc32.exeC:\Windows\system32\Clhbhc32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3432 -
C:\Windows\SysWOW64\Dofgklcb.exeC:\Windows\system32\Dofgklcb.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:3952 -
C:\Windows\SysWOW64\Fnhppa32.exeC:\Windows\system32\Fnhppa32.exe29⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Gfodpbpl.exeC:\Windows\system32\Gfodpbpl.exe30⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Gjmmfq32.exeC:\Windows\system32\Gjmmfq32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Hmginjki.exeC:\Windows\system32\Hmginjki.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1176 -
C:\Windows\SysWOW64\Jdajabdc.exeC:\Windows\system32\Jdajabdc.exe33⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Jahgpf32.exeC:\Windows\system32\Jahgpf32.exe34⤵
- Executes dropped EXE
PID:4156 -
C:\Windows\SysWOW64\Jkplilgk.exeC:\Windows\system32\Jkplilgk.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4224 -
C:\Windows\SysWOW64\Jpmdabfb.exeC:\Windows\system32\Jpmdabfb.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1120 -
C:\Windows\SysWOW64\Kkgbjkac.exeC:\Windows\system32\Kkgbjkac.exe37⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Kgpodk32.exeC:\Windows\system32\Kgpodk32.exe38⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Loecgfjf.exeC:\Windows\system32\Loecgfjf.exe39⤵
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Mqkijnkp.exeC:\Windows\system32\Mqkijnkp.exe40⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Nejkfj32.exeC:\Windows\system32\Nejkfj32.exe41⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Onbpop32.exeC:\Windows\system32\Onbpop32.exe42⤵
- Executes dropped EXE
PID:420 -
C:\Windows\SysWOW64\Oiojmgcb.exeC:\Windows\system32\Oiojmgcb.exe43⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Palkgi32.exeC:\Windows\system32\Palkgi32.exe44⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Phhpic32.exeC:\Windows\system32\Phhpic32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Pihmcflg.exeC:\Windows\system32\Pihmcflg.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Pngbam32.exeC:\Windows\system32\Pngbam32.exe47⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Apndloif.exeC:\Windows\system32\Apndloif.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Aikbpckb.exeC:\Windows\system32\Aikbpckb.exe49⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Abcgii32.exeC:\Windows\system32\Abcgii32.exe50⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Bimoecio.exeC:\Windows\system32\Bimoecio.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Chnlbndj.exeC:\Windows\system32\Chnlbndj.exe52⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Chbenm32.exeC:\Windows\system32\Chbenm32.exe53⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Didnmp32.exeC:\Windows\system32\Didnmp32.exe54⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Eokjke32.exeC:\Windows\system32\Eokjke32.exe55⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Efgono32.exeC:\Windows\system32\Efgono32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Ecphbckp.exeC:\Windows\system32\Ecphbckp.exe57⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Gmclgghc.exeC:\Windows\system32\Gmclgghc.exe58⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Hppedpkf.exeC:\Windows\system32\Hppedpkf.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:3264 -
C:\Windows\SysWOW64\Ijmobhdd.exeC:\Windows\system32\Ijmobhdd.exe60⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Idljll32.exeC:\Windows\system32\Idljll32.exe61⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Ipckqnja.exeC:\Windows\system32\Ipckqnja.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Jbccbi32.exeC:\Windows\system32\Jbccbi32.exe63⤵
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\Jdembk32.exeC:\Windows\system32\Jdembk32.exe64⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Kpagbk32.exeC:\Windows\system32\Kpagbk32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Libnapmg.exeC:\Windows\system32\Libnapmg.exe66⤵PID:5080
-
C:\Windows\SysWOW64\Lckbje32.exeC:\Windows\system32\Lckbje32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2420 -
C:\Windows\SysWOW64\Lcbikd32.exeC:\Windows\system32\Lcbikd32.exe68⤵PID:4460
-
C:\Windows\SysWOW64\Mcgbfcij.exeC:\Windows\system32\Mcgbfcij.exe69⤵PID:2308
-
C:\Windows\SysWOW64\Ncpelbap.exeC:\Windows\system32\Ncpelbap.exe70⤵
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Njacikbd.exeC:\Windows\system32\Njacikbd.exe71⤵
- Drops file in System32 directory
PID:3096 -
C:\Windows\SysWOW64\Obmeeh32.exeC:\Windows\system32\Obmeeh32.exe72⤵PID:784
-
C:\Windows\SysWOW64\Obdkfg32.exeC:\Windows\system32\Obdkfg32.exe73⤵PID:2656
-
C:\Windows\SysWOW64\Okloomoj.exeC:\Windows\system32\Okloomoj.exe74⤵PID:4816
-
C:\Windows\SysWOW64\Pclnon32.exeC:\Windows\system32\Pclnon32.exe75⤵PID:3960
-
C:\Windows\SysWOW64\Pbpjbe32.exeC:\Windows\system32\Pbpjbe32.exe76⤵PID:4784
-
C:\Windows\SysWOW64\Pkhokkel.exeC:\Windows\system32\Pkhokkel.exe77⤵
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\Qjmllgjd.exeC:\Windows\system32\Qjmllgjd.exe78⤵PID:3604
-
C:\Windows\SysWOW64\Abfqbdhd.exeC:\Windows\system32\Abfqbdhd.exe79⤵
- Drops file in System32 directory
PID:4016 -
C:\Windows\SysWOW64\Bbbpnc32.exeC:\Windows\system32\Bbbpnc32.exe80⤵PID:3048
-
C:\Windows\SysWOW64\Baocpnmf.exeC:\Windows\system32\Baocpnmf.exe81⤵PID:4020
-
C:\Windows\SysWOW64\Chmehhpn.exeC:\Windows\system32\Chmehhpn.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1396 -
C:\Windows\SysWOW64\Cbcieqpd.exeC:\Windows\system32\Cbcieqpd.exe83⤵PID:3928
-
C:\Windows\SysWOW64\Coijja32.exeC:\Windows\system32\Coijja32.exe84⤵PID:3108
-
C:\Windows\SysWOW64\Chbncg32.exeC:\Windows\system32\Chbncg32.exe85⤵PID:3684
-
C:\Windows\SysWOW64\Dkedjbgg.exeC:\Windows\system32\Dkedjbgg.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Dejhgkgm.exeC:\Windows\system32\Dejhgkgm.exe87⤵PID:2100
-
C:\Windows\SysWOW64\Eedkniob.exeC:\Windows\system32\Eedkniob.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5164 -
C:\Windows\SysWOW64\Fllplajo.exeC:\Windows\system32\Fllplajo.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5276 -
C:\Windows\SysWOW64\Fffqjfom.exeC:\Windows\system32\Fffqjfom.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:5320 -
C:\Windows\SysWOW64\Fooecl32.exeC:\Windows\system32\Fooecl32.exe91⤵PID:5368
-
C:\Windows\SysWOW64\Gdnjabab.exeC:\Windows\system32\Gdnjabab.exe92⤵PID:5416
-
C:\Windows\SysWOW64\Gmjlmo32.exeC:\Windows\system32\Gmjlmo32.exe93⤵
- Modifies registry class
PID:5460 -
C:\Windows\SysWOW64\Gfbpfedp.exeC:\Windows\system32\Gfbpfedp.exe94⤵PID:5508
-
C:\Windows\SysWOW64\Hicihp32.exeC:\Windows\system32\Hicihp32.exe95⤵PID:5600
-
C:\Windows\SysWOW64\Immaimnj.exeC:\Windows\system32\Immaimnj.exe96⤵PID:5668
-
C:\Windows\SysWOW64\Imakdl32.exeC:\Windows\system32\Imakdl32.exe97⤵
- Modifies registry class
PID:5708 -
C:\Windows\SysWOW64\Ifjoma32.exeC:\Windows\system32\Ifjoma32.exe98⤵
- Modifies registry class
PID:5760 -
C:\Windows\SysWOW64\Jeolonem.exeC:\Windows\system32\Jeolonem.exe99⤵
- Modifies registry class
PID:5824 -
C:\Windows\SysWOW64\Jbjciano.exeC:\Windows\system32\Jbjciano.exe100⤵PID:5896
-
C:\Windows\SysWOW64\Kpbmme32.exeC:\Windows\system32\Kpbmme32.exe101⤵PID:5940
-
C:\Windows\SysWOW64\Kikafjoc.exeC:\Windows\system32\Kikafjoc.exe102⤵PID:5980
-
C:\Windows\SysWOW64\Kpeibdfp.exeC:\Windows\system32\Kpeibdfp.exe103⤵PID:6024
-
C:\Windows\SysWOW64\Keabkkdg.exeC:\Windows\system32\Keabkkdg.exe104⤵PID:6072
-
C:\Windows\SysWOW64\Lpjcnd32.exeC:\Windows\system32\Lpjcnd32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6116 -
C:\Windows\SysWOW64\Lbjlpo32.exeC:\Windows\system32\Lbjlpo32.exe106⤵PID:5160
-
C:\Windows\SysWOW64\Lgmnqmam.exeC:\Windows\system32\Lgmnqmam.exe107⤵
- Drops file in System32 directory
PID:5204 -
C:\Windows\SysWOW64\Mccofn32.exeC:\Windows\system32\Mccofn32.exe108⤵
- Modifies registry class
PID:5360 -
C:\Windows\SysWOW64\Meiabh32.exeC:\Windows\system32\Meiabh32.exe109⤵PID:5504
-
C:\Windows\SysWOW64\Onekeb32.exeC:\Windows\system32\Onekeb32.exe110⤵
- Drops file in System32 directory
PID:5536 -
C:\Windows\SysWOW64\Pmangnmg.exeC:\Windows\system32\Pmangnmg.exe111⤵PID:5660
-
C:\Windows\SysWOW64\Pggbdgmm.exeC:\Windows\system32\Pggbdgmm.exe112⤵PID:5736
-
C:\Windows\SysWOW64\Qgnief32.exeC:\Windows\system32\Qgnief32.exe113⤵PID:5820
-
C:\Windows\SysWOW64\Amdddkma.exeC:\Windows\system32\Amdddkma.exe114⤵PID:5872
-
C:\Windows\SysWOW64\Afmhma32.exeC:\Windows\system32\Afmhma32.exe115⤵PID:5928
-
C:\Windows\SysWOW64\Benijhla.exeC:\Windows\system32\Benijhla.exe116⤵
- Modifies registry class
PID:6068 -
C:\Windows\SysWOW64\Beeokgei.exeC:\Windows\system32\Beeokgei.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6112 -
C:\Windows\SysWOW64\Beglqgcf.exeC:\Windows\system32\Beglqgcf.exe118⤵PID:5140
-
C:\Windows\SysWOW64\Bhehmbbj.exeC:\Windows\system32\Bhehmbbj.exe119⤵PID:5184
-
C:\Windows\SysWOW64\Cmdmki32.exeC:\Windows\system32\Cmdmki32.exe120⤵PID:2624
-
C:\Windows\SysWOW64\Cjkjjmlf.exeC:\Windows\system32\Cjkjjmlf.exe121⤵PID:5380
-
C:\Windows\SysWOW64\Ceckleii.exeC:\Windows\system32\Ceckleii.exe122⤵PID:5572