Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2024, 17:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e4cae8a64d7b42d128164f6cc4627d40_NEAS.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
e4cae8a64d7b42d128164f6cc4627d40_NEAS.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
e4cae8a64d7b42d128164f6cc4627d40_NEAS.exe
-
Size
1.4MB
-
MD5
e4cae8a64d7b42d128164f6cc4627d40
-
SHA1
6842f3c0b13529938a85029ae6ba81b15b341292
-
SHA256
3af1ac9fcebe6befef39847f54b318b94c123ffccadb7e584c3199c649588b83
-
SHA512
e2066e718309645c77e31c10f5a75228ff2e3af8c36d9bf6834c12f91f1abdea86183b5e963a7793d03a8466d1bd78cde0c7eea39bc7a1afa00493b5011b5a82
-
SSDEEP
12288:43vp6IveDVqvQqC8lMuqICAvUWLSKmaH1a/XWdZeBQTy:Eq5hZ6snARmaH1aUu
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpladg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lilanioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbgqio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeklkchg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbmhlihl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lepncd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpjlklok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fomonm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hibljoco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iihkpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfabnjjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjokdipf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmjocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Belebq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oagbbdnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcggpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpgdbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aegikj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olfobjbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Andqdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bclhhnca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncgkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nggqoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kacphh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfnjafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmficqpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boepel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Belebq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcfqfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daifnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kemhff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfhfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmbplc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhajlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfcpncdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjmhppqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijfboafl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iinlemia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jidbflcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpcmec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqkgpedc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcekkjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eamhodmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heapdjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeklkchg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kajfig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lalcng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onklabip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajkaii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjepaecb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipckgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agffge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfiafg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfcpncdk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iakaql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcbpab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgbefoji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjhqjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkgmcjld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdbhcck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcckif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agglboim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjhmgeao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipegmg32.exe -
Executes dropped EXE 64 IoCs
pid Process 4972 Okkjjnok.exe 3484 Oagbbdnb.exe 4292 Oajohd32.exe 2828 Ogdgencl.exe 2180 Onnoah32.exe 4588 Opmllk32.exe 2084 Paohccgj.exe 4520 Ppbegkmg.exe 3752 Peonoaln.exe 3112 Piockppb.exe 4180 Qpikgj32.exe 2740 Qamdda32.exe 1064 Apndbici.exe 436 Aaoaja32.exe 3492 Aaanpa32.exe 940 Abcgoc32.exe 2820 Apggihko.exe 3060 Bibigmpl.exe 1524 Bpladg32.exe 1984 Bbjmpb32.exe 540 Bpnnig32.exe 1092 Baojaoke.exe 4764 Bikkml32.exe 3252 Clihig32.exe 864 Chphoh32.exe 4872 Chbedh32.exe 3232 Cpjmee32.exe 3076 Clqnjf32.exe 1592 Dpacfd32.exe 2812 Dcopbp32.exe 4372 Dofpgqji.exe 4692 Dadlclim.exe 4228 Dpemacql.exe 112 Dphifcoi.exe 3656 Daifnk32.exe 3956 Dakbckbe.exe 3292 Ehekqe32.exe 4788 Eoocmoao.exe 2444 Ebnoikqb.exe 4612 Elccfc32.exe 4904 Eoapbo32.exe 3536 Ebploj32.exe 2468 Ejgdpg32.exe 860 Eleplc32.exe 1268 Eodlho32.exe 3124 Ebbidj32.exe 2928 Efneehef.exe 1548 Eqciba32.exe 2304 Ecbenm32.exe 4136 Ebeejijj.exe 3380 Ejlmkgkl.exe 2380 Emjjgbjp.exe 4792 Eoifcnid.exe 4076 Fbgbpihg.exe 3508 Fhajlc32.exe 1164 Fcgoilpj.exe 2440 Ffekegon.exe 3320 Ficgacna.exe 3212 Fqkocpod.exe 4000 Fomonm32.exe 2116 Fbllkh32.exe 1052 Fifdgblo.exe 100 Fqmlhpla.exe 4700 Fjepaecb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ngfkoo32.dll Aaoaja32.exe File created C:\Windows\SysWOW64\Hdgpjm32.dll Ipldfi32.exe File opened for modification C:\Windows\SysWOW64\Ibccic32.exe Ipegmg32.exe File created C:\Windows\SysWOW64\Nggqoj32.exe Ndidbn32.exe File opened for modification C:\Windows\SysWOW64\Ekjfcipa.exe Edpnfo32.exe File created C:\Windows\SysWOW64\Ijdeiaio.exe Ibmmhdhm.exe File created C:\Windows\SysWOW64\Fdcfcpdf.dll Eqciba32.exe File opened for modification C:\Windows\SysWOW64\Hikfip32.exe Hfljmdjc.exe File opened for modification C:\Windows\SysWOW64\Aldomc32.exe Anpncp32.exe File created C:\Windows\SysWOW64\Peonoaln.exe Ppbegkmg.exe File created C:\Windows\SysWOW64\Aaokiafg.dll Cpjmee32.exe File created C:\Windows\SysWOW64\Ipckgh32.exe Iapjlk32.exe File opened for modification C:\Windows\SysWOW64\Jfkoeppq.exe Jmbklj32.exe File created C:\Windows\SysWOW64\Mbpfgbfp.dll Agglboim.exe File created C:\Windows\SysWOW64\Aeklkchg.exe Amddjegd.exe File opened for modification C:\Windows\SysWOW64\Fifdgblo.exe Fbllkh32.exe File created C:\Windows\SysWOW64\Dnkdikig.dll Ldkojb32.exe File opened for modification C:\Windows\SysWOW64\Ojalgcnd.exe Ocgdji32.exe File created C:\Windows\SysWOW64\Paihpaak.dll Flnlhk32.exe File created C:\Windows\SysWOW64\Bjokdipf.exe Bcebhoii.exe File opened for modification C:\Windows\SysWOW64\Dmjocp32.exe Dfpgffpm.exe File created C:\Windows\SysWOW64\Onnoah32.exe Ogdgencl.exe File created C:\Windows\SysWOW64\Kjifpflk.dll Paohccgj.exe File created C:\Windows\SysWOW64\Kajfig32.exe Kibnhjgj.exe File created C:\Windows\SysWOW64\Bdolhc32.exe Bobcpmfc.exe File created C:\Windows\SysWOW64\Fljcmlfd.exe Edbklofb.exe File opened for modification C:\Windows\SysWOW64\Gmjlcj32.exe Gfpcgpae.exe File opened for modification C:\Windows\SysWOW64\Mgagbf32.exe Lphoelqn.exe File created C:\Windows\SysWOW64\Chagok32.exe Cmlcbbcj.exe File created C:\Windows\SysWOW64\Oagbbdnb.exe Okkjjnok.exe File created C:\Windows\SysWOW64\Eddfam32.dll Qpikgj32.exe File opened for modification C:\Windows\SysWOW64\Chphoh32.exe Clihig32.exe File created C:\Windows\SysWOW64\Gameonno.exe Gjclbc32.exe File opened for modification C:\Windows\SysWOW64\Jjmhppqd.exe Jbfpobpb.exe File created C:\Windows\SysWOW64\Ghiqbiae.dll Kpjjod32.exe File created C:\Windows\SysWOW64\Ogaceh32.exe Onholckc.exe File opened for modification C:\Windows\SysWOW64\Bmbplc32.exe Bcjlcn32.exe File created C:\Windows\SysWOW64\Bfhehdem.dll Clihig32.exe File created C:\Windows\SysWOW64\Cpjljp32.dll Jkdnpo32.exe File created C:\Windows\SysWOW64\Lgbnmm32.exe Lddbqa32.exe File opened for modification C:\Windows\SysWOW64\Mdiklqhm.exe Mpmokb32.exe File opened for modification C:\Windows\SysWOW64\Mdkhapfj.exe Mpolqa32.exe File created C:\Windows\SysWOW64\Pkfhoiaf.dll Ocnjidkf.exe File opened for modification C:\Windows\SysWOW64\Ajkaii32.exe Acqimo32.exe File opened for modification C:\Windows\SysWOW64\Ldaeka32.exe Laciofpa.exe File created C:\Windows\SysWOW64\Hcpclbfa.exe Hflcbngh.exe File created C:\Windows\SysWOW64\Cjkjpgfi.exe Cdabcm32.exe File created C:\Windows\SysWOW64\Lidmdfdo.dll Lpcmec32.exe File opened for modification C:\Windows\SysWOW64\Okhfjh32.exe Ncnadk32.exe File created C:\Windows\SysWOW64\Ijmanlfp.dll Fljcmlfd.exe File created C:\Windows\SysWOW64\Febgea32.exe Fcckif32.exe File opened for modification C:\Windows\SysWOW64\Hflcbngh.exe Hihbijhn.exe File created C:\Windows\SysWOW64\Ebjmif32.dll Dadlclim.exe File created C:\Windows\SysWOW64\Ipegmg32.exe Iabgaklg.exe File created C:\Windows\SysWOW64\Jmbklj32.exe Jkdnpo32.exe File created C:\Windows\SysWOW64\Qcldhk32.dll Mdkhapfj.exe File opened for modification C:\Windows\SysWOW64\Iihkpg32.exe Ildkgc32.exe File created C:\Windows\SysWOW64\Ecaobgnf.dll Mmlpoqpg.exe File created C:\Windows\SysWOW64\Pcppfaka.exe Pjhlml32.exe File created C:\Windows\SysWOW64\Bhicommo.dll Cndikf32.exe File opened for modification C:\Windows\SysWOW64\Oagbbdnb.exe Okkjjnok.exe File created C:\Windows\SysWOW64\Lghekack.dll Fobiilai.exe File created C:\Windows\SysWOW64\Gogbdl32.exe Gmhfhp32.exe File created C:\Windows\SysWOW64\Bgdnaigp.dll Hfcpncdk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11228 11144 WerFault.exe 514 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll" Nbkhfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdfbibnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll" Aeklkchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqciba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll" Jmbklj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdiklqhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdfbibnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Febgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihgjcg32.dll" Bpnnig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aacckjaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocalcppo.dll" Eolpmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll" Belebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bikkml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcekkjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll" Iiibkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdopod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kinemkko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkgmcjld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klimip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjjhbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll" Hboagf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jibeql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll" Jidbflcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpolqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmjhgem.dll" Pclneicb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhemmlhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjhcgd32.dll" Gmjlcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deagdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgikfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njkdbljm.dll" Eamhodmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmjlcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomaga32.dll" Lmgfda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olkhmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afmhck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afmhck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaoaja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bibigmpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imbaemhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkdnpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipknlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmiciaaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdifoehl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Delnin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daifnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofqcl32.dll" Fhajlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll" Hfljmdjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll" Iapjlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncgkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhqcam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmiflbel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifmcdblq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liggbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll" Nkjjij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panjjlqo.dll" Qbgqio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glhonj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdfonda.dll" Gdjjckag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmpcfdmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dofpgqji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnepih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcpebmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njcpee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqpgdfnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfaigm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1280 wrote to memory of 4972 1280 e4cae8a64d7b42d128164f6cc4627d40_NEAS.exe 82 PID 1280 wrote to memory of 4972 1280 e4cae8a64d7b42d128164f6cc4627d40_NEAS.exe 82 PID 1280 wrote to memory of 4972 1280 e4cae8a64d7b42d128164f6cc4627d40_NEAS.exe 82 PID 4972 wrote to memory of 3484 4972 Okkjjnok.exe 83 PID 4972 wrote to memory of 3484 4972 Okkjjnok.exe 83 PID 4972 wrote to memory of 3484 4972 Okkjjnok.exe 83 PID 3484 wrote to memory of 4292 3484 Oagbbdnb.exe 84 PID 3484 wrote to memory of 4292 3484 Oagbbdnb.exe 84 PID 3484 wrote to memory of 4292 3484 Oagbbdnb.exe 84 PID 4292 wrote to memory of 2828 4292 Oajohd32.exe 85 PID 4292 wrote to memory of 2828 4292 Oajohd32.exe 85 PID 4292 wrote to memory of 2828 4292 Oajohd32.exe 85 PID 2828 wrote to memory of 2180 2828 Ogdgencl.exe 86 PID 2828 wrote to memory of 2180 2828 Ogdgencl.exe 86 PID 2828 wrote to memory of 2180 2828 Ogdgencl.exe 86 PID 2180 wrote to memory of 4588 2180 Onnoah32.exe 87 PID 2180 wrote to memory of 4588 2180 Onnoah32.exe 87 PID 2180 wrote to memory of 4588 2180 Onnoah32.exe 87 PID 4588 wrote to memory of 2084 4588 Opmllk32.exe 91 PID 4588 wrote to memory of 2084 4588 Opmllk32.exe 91 PID 4588 wrote to memory of 2084 4588 Opmllk32.exe 91 PID 2084 wrote to memory of 4520 2084 Paohccgj.exe 92 PID 2084 wrote to memory of 4520 2084 Paohccgj.exe 92 PID 2084 wrote to memory of 4520 2084 Paohccgj.exe 92 PID 4520 wrote to memory of 3752 4520 Ppbegkmg.exe 93 PID 4520 wrote to memory of 3752 4520 Ppbegkmg.exe 93 PID 4520 wrote to memory of 3752 4520 Ppbegkmg.exe 93 PID 3752 wrote to memory of 3112 3752 Peonoaln.exe 94 PID 3752 wrote to memory of 3112 3752 Peonoaln.exe 94 PID 3752 wrote to memory of 3112 3752 Peonoaln.exe 94 PID 3112 wrote to memory of 4180 3112 Piockppb.exe 95 PID 3112 wrote to memory of 4180 3112 Piockppb.exe 95 PID 3112 wrote to memory of 4180 3112 Piockppb.exe 95 PID 4180 wrote to memory of 2740 4180 Qpikgj32.exe 96 PID 4180 wrote to memory of 2740 4180 Qpikgj32.exe 96 PID 4180 wrote to memory of 2740 4180 Qpikgj32.exe 96 PID 2740 wrote to memory of 1064 2740 Qamdda32.exe 97 PID 2740 wrote to memory of 1064 2740 Qamdda32.exe 97 PID 2740 wrote to memory of 1064 2740 Qamdda32.exe 97 PID 1064 wrote to memory of 436 1064 Apndbici.exe 98 PID 1064 wrote to memory of 436 1064 Apndbici.exe 98 PID 1064 wrote to memory of 436 1064 Apndbici.exe 98 PID 436 wrote to memory of 3492 436 Aaoaja32.exe 99 PID 436 wrote to memory of 3492 436 Aaoaja32.exe 99 PID 436 wrote to memory of 3492 436 Aaoaja32.exe 99 PID 3492 wrote to memory of 940 3492 Aaanpa32.exe 100 PID 3492 wrote to memory of 940 3492 Aaanpa32.exe 100 PID 3492 wrote to memory of 940 3492 Aaanpa32.exe 100 PID 940 wrote to memory of 2820 940 Abcgoc32.exe 101 PID 940 wrote to memory of 2820 940 Abcgoc32.exe 101 PID 940 wrote to memory of 2820 940 Abcgoc32.exe 101 PID 2820 wrote to memory of 3060 2820 Apggihko.exe 102 PID 2820 wrote to memory of 3060 2820 Apggihko.exe 102 PID 2820 wrote to memory of 3060 2820 Apggihko.exe 102 PID 3060 wrote to memory of 1524 3060 Bibigmpl.exe 103 PID 3060 wrote to memory of 1524 3060 Bibigmpl.exe 103 PID 3060 wrote to memory of 1524 3060 Bibigmpl.exe 103 PID 1524 wrote to memory of 1984 1524 Bpladg32.exe 104 PID 1524 wrote to memory of 1984 1524 Bpladg32.exe 104 PID 1524 wrote to memory of 1984 1524 Bpladg32.exe 104 PID 1984 wrote to memory of 540 1984 Bbjmpb32.exe 105 PID 1984 wrote to memory of 540 1984 Bbjmpb32.exe 105 PID 1984 wrote to memory of 540 1984 Bbjmpb32.exe 105 PID 540 wrote to memory of 1092 540 Bpnnig32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\e4cae8a64d7b42d128164f6cc4627d40_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\e4cae8a64d7b42d128164f6cc4627d40_NEAS.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Okkjjnok.exeC:\Windows\system32\Okkjjnok.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Oagbbdnb.exeC:\Windows\system32\Oagbbdnb.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Oajohd32.exeC:\Windows\system32\Oajohd32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\Ogdgencl.exeC:\Windows\system32\Ogdgencl.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Onnoah32.exeC:\Windows\system32\Onnoah32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Opmllk32.exeC:\Windows\system32\Opmllk32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Paohccgj.exeC:\Windows\system32\Paohccgj.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Ppbegkmg.exeC:\Windows\system32\Ppbegkmg.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\Peonoaln.exeC:\Windows\system32\Peonoaln.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Piockppb.exeC:\Windows\system32\Piockppb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Qpikgj32.exeC:\Windows\system32\Qpikgj32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\Qamdda32.exeC:\Windows\system32\Qamdda32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Apndbici.exeC:\Windows\system32\Apndbici.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Aaoaja32.exeC:\Windows\system32\Aaoaja32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\Aaanpa32.exeC:\Windows\system32\Aaanpa32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\SysWOW64\Abcgoc32.exeC:\Windows\system32\Abcgoc32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\Apggihko.exeC:\Windows\system32\Apggihko.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Bibigmpl.exeC:\Windows\system32\Bibigmpl.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Bpladg32.exeC:\Windows\system32\Bpladg32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Bbjmpb32.exeC:\Windows\system32\Bbjmpb32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Bpnnig32.exeC:\Windows\system32\Bpnnig32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Baojaoke.exeC:\Windows\system32\Baojaoke.exe23⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Bikkml32.exeC:\Windows\system32\Bikkml32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:4764 -
C:\Windows\SysWOW64\Clihig32.exeC:\Windows\system32\Clihig32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3252 -
C:\Windows\SysWOW64\Chphoh32.exeC:\Windows\system32\Chphoh32.exe26⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Chbedh32.exeC:\Windows\system32\Chbedh32.exe27⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Cpjmee32.exeC:\Windows\system32\Cpjmee32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3232 -
C:\Windows\SysWOW64\Clqnjf32.exeC:\Windows\system32\Clqnjf32.exe29⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Dpacfd32.exeC:\Windows\system32\Dpacfd32.exe30⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Dcopbp32.exeC:\Windows\system32\Dcopbp32.exe31⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Dofpgqji.exeC:\Windows\system32\Dofpgqji.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:4372 -
C:\Windows\SysWOW64\Dadlclim.exeC:\Windows\system32\Dadlclim.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4692 -
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe34⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Dphifcoi.exeC:\Windows\system32\Dphifcoi.exe35⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3656 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe37⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Ehekqe32.exeC:\Windows\system32\Ehekqe32.exe38⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe39⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe40⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Elccfc32.exeC:\Windows\system32\Elccfc32.exe41⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Eoapbo32.exeC:\Windows\system32\Eoapbo32.exe42⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe43⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Ejgdpg32.exeC:\Windows\system32\Ejgdpg32.exe44⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe45⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe46⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe47⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe48⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Ecbenm32.exeC:\Windows\system32\Ecbenm32.exe50⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Ebeejijj.exeC:\Windows\system32\Ebeejijj.exe51⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Ejlmkgkl.exeC:\Windows\system32\Ejlmkgkl.exe52⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Emjjgbjp.exeC:\Windows\system32\Emjjgbjp.exe53⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe54⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe55⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3508 -
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe57⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe58⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe59⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Fqkocpod.exeC:\Windows\system32\Fqkocpod.exe60⤵
- Executes dropped EXE
PID:3212 -
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Fbllkh32.exeC:\Windows\system32\Fbllkh32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe63⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe64⤵
- Executes dropped EXE
PID:100 -
C:\Windows\SysWOW64\Fjepaecb.exeC:\Windows\system32\Fjepaecb.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe66⤵PID:432
-
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe67⤵
- Drops file in System32 directory
PID:4876 -
C:\Windows\SysWOW64\Fbqefhpm.exeC:\Windows\system32\Fbqefhpm.exe68⤵PID:1036
-
C:\Windows\SysWOW64\Fjhmgeao.exeC:\Windows\system32\Fjhmgeao.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3244 -
C:\Windows\SysWOW64\Fmficqpc.exeC:\Windows\system32\Fmficqpc.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2868 -
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe71⤵PID:2160
-
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe72⤵PID:4908
-
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe73⤵PID:4256
-
C:\Windows\SysWOW64\Gmhfhp32.exeC:\Windows\system32\Gmhfhp32.exe74⤵
- Drops file in System32 directory
PID:4564 -
C:\Windows\SysWOW64\Gogbdl32.exeC:\Windows\system32\Gogbdl32.exe75⤵PID:4472
-
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe76⤵PID:1624
-
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe77⤵PID:3900
-
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe78⤵PID:3440
-
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3920 -
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe80⤵PID:3000
-
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe81⤵PID:4832
-
C:\Windows\SysWOW64\Gcggpj32.exeC:\Windows\system32\Gcggpj32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4816 -
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe83⤵PID:4628
-
C:\Windows\SysWOW64\Gqkhjn32.exeC:\Windows\system32\Gqkhjn32.exe84⤵PID:5004
-
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe85⤵PID:4220
-
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe86⤵
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe87⤵PID:8
-
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe88⤵
- Modifies registry class
PID:5144 -
C:\Windows\SysWOW64\Hjfihc32.exeC:\Windows\system32\Hjfihc32.exe89⤵PID:5188
-
C:\Windows\SysWOW64\Hmdedo32.exeC:\Windows\system32\Hmdedo32.exe90⤵PID:5232
-
C:\Windows\SysWOW64\Hcnnaikp.exeC:\Windows\system32\Hcnnaikp.exe91⤵PID:5276
-
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:5320 -
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe93⤵PID:5364
-
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe94⤵PID:5408
-
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe95⤵PID:5452
-
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe96⤵PID:5500
-
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe97⤵PID:5544
-
C:\Windows\SysWOW64\Hpgkkioa.exeC:\Windows\system32\Hpgkkioa.exe98⤵PID:5584
-
C:\Windows\SysWOW64\Hbeghene.exeC:\Windows\system32\Hbeghene.exe99⤵PID:5632
-
C:\Windows\SysWOW64\Hjmoibog.exeC:\Windows\system32\Hjmoibog.exe100⤵PID:5676
-
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe101⤵PID:5716
-
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe102⤵PID:5760
-
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe103⤵PID:5812
-
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5856 -
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5904 -
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe106⤵PID:5948
-
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe107⤵
- Drops file in System32 directory
PID:5996 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe108⤵PID:6036
-
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe109⤵PID:6084
-
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe110⤵PID:6124
-
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5180 -
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe112⤵PID:5228
-
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe113⤵
- Drops file in System32 directory
PID:5272 -
C:\Windows\SysWOW64\Ijdeiaio.exeC:\Windows\system32\Ijdeiaio.exe114⤵PID:5340
-
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe115⤵
- Modifies registry class
PID:5396 -
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe116⤵PID:5460
-
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe117⤵PID:5128
-
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5572 -
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe119⤵
- Modifies registry class
PID:5620 -
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:5696 -
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5756
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-