Analysis

Max time kernel: 159s
Max time network: 166s
Platform: windows10-2004_x64
Resource: win10v2004-20230915-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 14-10-2023 19:10

Static task: static1
  1 signature

Behavioral task: behavioral1
  Sample: NEAS.ba26e068e8393444da42ccafa9f36840.exe
  Resource: win7-20230831-en (windows7-x64)
  7 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: NEAS.ba26e068e8393444da42ccafa9f36840.exe
  Resource: win10v2004-20230915-en (windows10-2004-x64)
  6 signatures, 150 seconds

General

Target: NEAS.ba26e068e8393444da42ccafa9f36840.exe
Size: 90KB
MD5: ba26e068e8393444da42ccafa9f36840
SHA1: 0ee668a6e0cb1f0a09f03bb4407c06fac4879775
SHA256: 64e52967af3e5aa9440f9e755706a9eb290383ec31ce078e3c9190b897ecc3c4
SHA512: 0af3aeba5f4a1ae12829b3db5541663e35f4f4f1fea03dfa2e595a3624024561792077e03926228603d190cdf0b57d1aff0a57c1b90da2ba6c9129044e3a6ca0
SSDEEP: 1536:VPj2gZoHxe3AaDAL5pM+cVWPcDhd3JvS87HWu38knESl4rHgpPbGB8u/Ub0VkVNK:4guxSAn5FvcTJvtZ3/ESEIbGB8u/Ub05
Score: 10/10
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmdqai32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bffkcp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jhgneqha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ekaaio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Idfhibdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jpgmaf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhjcdimf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lankloml.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhhlog32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knpeii32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aemqdk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jocnem32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Licfgmpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hlblmd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpoljg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahbacq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iajkohmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aacjofkp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejaklmpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ngehoqdn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pabhpm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kphmbjhi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hkkhjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mpghel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lpcedbjp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lnjgpgkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pmkopgep.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qpnegbpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nlhbja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Accnco32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emhdeoel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pfmdbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mjdkeaij.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qidljhia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Enomic32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chphhn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nfhfbedd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hoonjjgk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Licfgmpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mndapl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qopbjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mckefmai.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afghgkdl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkcfbj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iikmlnae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iolfmcbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ijolhg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpaiadel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jnfcbg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gbabblkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dohkhq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pkaijl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hoonjjgk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oiihkncb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dbndoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cnahmo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Filicodb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nppfimnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pmmelo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hahcfi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlhkqngo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gqhknd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ekoddodi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gmkbgf32.exe
Executes dropped EXE (64 IoCs)

pid | Process
4436 | Bkpfjb32.exe
5024 | Dqbadf32.exe
4132 | Embdofop.exe
400 | Eljknl32.exe
2512 | Flcndk32.exe
5028 | Glompi32.exe
1868 | Hlfcqh32.exe
4672 | Hhpaki32.exe
3160 | Iolfmcbb.exe
4564 | Ioeicajh.exe
756 | Klloichl.exe
1712 | Lfimmhkg.exe
4716 | Mkadam32.exe
2200 | Mkhkblii.exe
1164 | Nppfnige.exe
2848 | Ofadlbhj.exe
5076 | Ofcaab32.exe
3340 | Pmpfcl32.exe
3612 | Pfoamp32.exe
1840 | Abjkmqni.exe
1340 | Aifpoj32.exe
4460 | Aemqdk32.exe
3416 | Accnco32.exe
2780 | Bgfpdmho.exe
2168 | Cfpfqiha.exe
4788 | Djeegf32.exe
4400 | Dmjgdq32.exe
2760 | Enomic32.exe
1464 | Emhdeoel.exe
3452 | Fakfglhm.exe
3764 | Fpbpmhjb.exe
3712 | Gmpcmkaa.exe
3964 | Hjfplo32.exe
552 | Iajkohmj.exe
1872 | Kkioojpp.exe
2724 | Mhbakk32.exe
4908 | Nbbldp32.exe
2716 | Nkojheoe.exe
3876 | Ooalibaf.exe
2260 | Ogajid32.exe
1524 | Picchg32.exe
3752 | Phmjdbpo.exe
4240 | Qbggmk32.exe
4448 | Aacjofkp.exe
2912 | Biolkc32.exe
3016 | Biaiqb32.exe
3776 | Baojkdqb.exe
4624 | Cbofdg32.exe
1384 | Cohdoh32.exe
3324 | Chphhn32.exe
4028 | Chebcmna.exe
4488 | Dljqjjnp.exe
1552 | Ejegdngb.exe
3192 | Ehlakjig.exe
4360 | Ffekom32.exe
4744 | Gijmlh32.exe
4652 | Gmhfbf32.exe
3024 | Gmkbgf32.exe
1832 | Gqhknd32.exe
4120 | Hcidoo32.exe
5088 | Hameic32.exe
1920 | Hjeiai32.exe
2948 | Hbcklkee.exe
1592 | Hmioicek.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Ijolhg32.exe | Hbegakcb.exe
File created | C:\Windows\SysWOW64\Knoghk32.dll | Jijhom32.exe
File opened for modification | C:\Windows\SysWOW64\Kgfdfbhj.exe | Jnkchmdl.exe
File opened for modification | C:\Windows\SysWOW64\Objphn32.exe | Noijmp32.exe
File created | C:\Windows\SysWOW64\Kgiibnib.exe | Knpeii32.exe
File created | C:\Windows\SysWOW64\Fbcldbpf.dll | Nppfnige.exe
File created | C:\Windows\SysWOW64\Bgfpdmho.exe | Accnco32.exe
File opened for modification | C:\Windows\SysWOW64\Hkkhjj32.exe | Hoonjjgk.exe
File opened for modification | C:\Windows\SysWOW64\Mgimmkgp.exe | Mlciobhj.exe
File opened for modification | C:\Windows\SysWOW64\Fdopkhfk.exe | Ffkpadga.exe
File opened for modification | C:\Windows\SysWOW64\Dbndoa32.exe | Dbikdbnd.exe
File created | C:\Windows\SysWOW64\Mkjmodoi.dll | Biaiqb32.exe
File opened for modification | C:\Windows\SysWOW64\Oqbagd32.exe | Nbjhph32.exe
File created | C:\Windows\SysWOW64\Kipkaj32.exe | Kmijliej.exe
File created | C:\Windows\SysWOW64\Cecdiafb.dll | Dbikdbnd.exe
File created | C:\Windows\SysWOW64\Foapkfco.exe | Fqpomo32.exe
File created | C:\Windows\SysWOW64\Pplhab32.exe | Pfcchmlq.exe
File created | C:\Windows\SysWOW64\Nbjhph32.exe | Ndfgfd32.exe
File opened for modification | C:\Windows\SysWOW64\Qnihlf32.exe | Qaegcb32.exe
File created | C:\Windows\SysWOW64\Diclff32.exe | Dnmhim32.exe
File created | C:\Windows\SysWOW64\Ipihiaqa.exe | Iecclhak.exe
File created | C:\Windows\SysWOW64\Jfoihalp.exe | Jijhom32.exe
File opened for modification | C:\Windows\SysWOW64\Olhlaoea.exe | Odmgmmhf.exe
File created | C:\Windows\SysWOW64\Ommeifdo.dll | Fmnkdm32.exe
File created | C:\Windows\SysWOW64\Bdlijc32.dll | Hajpli32.exe
File created | C:\Windows\SysWOW64\Fdbiad32.dll | Nhhlog32.exe
File created | C:\Windows\SysWOW64\Ekkloi32.dll | Mlqjlmjp.exe
File opened for modification | C:\Windows\SysWOW64\Ooalibaf.exe | Nkojheoe.exe
File created | C:\Windows\SysWOW64\Hkmlgeje.dll | Oepipo32.exe
File created | C:\Windows\SysWOW64\Oofacdaj.exe | Oiihkncb.exe
File opened for modification | C:\Windows\SysWOW64\Djfckenm.exe | Dannbogl.exe
File created | C:\Windows\SysWOW64\Iimcgg32.exe | Hlblmd32.exe
File created | C:\Windows\SysWOW64\Accnco32.exe | Aemqdk32.exe
File opened for modification | C:\Windows\SysWOW64\Occkhp32.exe | Ojjfpjjj.exe
File created | C:\Windows\SysWOW64\Bbemdb32.exe | Bdcmfkde.exe
File created | C:\Windows\SysWOW64\Gpnfak32.exe | Gfeahffl.exe
File created | C:\Windows\SysWOW64\Dhpfffan.dll | Hmioicek.exe
File created | C:\Windows\SysWOW64\Dbjjok32.dll | Aalndaml.exe
File created | C:\Windows\SysWOW64\Kifodcej.exe | Koajfk32.exe
File opened for modification | C:\Windows\SysWOW64\Afjlgafe.exe | Anmjmojl.exe
File opened for modification | C:\Windows\SysWOW64\Knoonphp.exe | Kcgnkgkl.exe
File created | C:\Windows\SysWOW64\Lehaad32.exe | Llpmhodc.exe
File created | C:\Windows\SysWOW64\Fgijikcd.dll | Lebalokn.exe
File opened for modification | C:\Windows\SysWOW64\Naaqhlmg.exe | Nhhlog32.exe
File opened for modification | C:\Windows\SysWOW64\Flinddpj.exe | Ffmelmbc.exe
File created | C:\Windows\SysWOW64\Blmihnln.dll | Hgcfcg32.exe
File created | C:\Windows\SysWOW64\Poeink32.dll | Bfedhihl.exe
File opened for modification | C:\Windows\SysWOW64\Meogbcel.exe | Lhkghofb.exe
File opened for modification | C:\Windows\SysWOW64\Afelal32.exe | Pjgellfb.exe
File opened for modification | C:\Windows\SysWOW64\Bmomecoi.exe | Bfedhihl.exe
File created | C:\Windows\SysWOW64\Kcgnkgkl.exe | Jjoibadl.exe
File created | C:\Windows\SysWOW64\Elphbe32.dll | Fepehm32.exe
File opened for modification | C:\Windows\SysWOW64\Iecclhak.exe | Iimcgg32.exe
File created | C:\Windows\SysWOW64\Cikmbf32.dll | Kipkaj32.exe
File created | C:\Windows\SysWOW64\Lnlloj32.exe | Liocgc32.exe
File created | C:\Windows\SysWOW64\Mmgmnl32.dll | Dohkhq32.exe
File created | C:\Windows\SysWOW64\Bbgalejf.dll | Qbggmk32.exe
File created | C:\Windows\SysWOW64\Mndapl32.exe | Mqpqghgn.exe
File created | C:\Windows\SysWOW64\Fpbpmhjb.exe | Fakfglhm.exe
File created | C:\Windows\SysWOW64\Eimpgo32.dll | Mhbakk32.exe
File created | C:\Windows\SysWOW64\Aokken32.dll | Afjlgafe.exe
File opened for modification | C:\Windows\SysWOW64\Cbbnim32.exe | Cdnmphag.exe
File created | C:\Windows\SysWOW64\Bqkcgq32.dll | Nppfimnm.exe
File opened for modification | C:\Windows\SysWOW64\Flcndk32.exe | Eljknl32.exe
Program crash (2 IoCs)

pid | pid_target | Process | procid_target
1348 | 4808 | WerFault.exe | 564
4068 | 4808 | WerFault.exe | 564
Modifies registry class (64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nkojheoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmkfnp32.dll" | Pjffkhpl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nloikqnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Igfkpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpdoj32.dll" | Lblakh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmpgi32.dll" | Gpbplkhh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pnfiia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kclagpia.dll" | Pjjfnlho.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bjdkcd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ekaaio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pceihj32.dll" | Ombcdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndajcnag.dll" | Gmkbgf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Afmhma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cmdmki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nolbfo32.dll" | Oeffip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bfedhihl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Biolkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bbbpnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jnkchmdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Liocgc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lhkghofb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ckaolcol.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iikmlnae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmpkc32.dll" | Gmpcmkaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dohkhq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pfmdbd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pabhpm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Apjkmgjm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcjaam32.dll" | Dhgogojd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbcfm32.dll" | Fqpomo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bjdkcd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nhpijldj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ahdgnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijoiimg.dll" | Mbdiecbp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Eljknl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Abjkmqni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npjpooea.dll" | Kphmbjhi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jpgmaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kgfdfbhj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Meogbcel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmlgjo32.dll" | Mpghel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Biadoeib.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gkianp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hajpli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jnaighhk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jplkig32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Njcnafpe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jocnem32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mjdkeaij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnfgdnn.dll" | Pmmelo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jnaighhk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekejap32.dll" | Nophfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhjdbg32.dll" | Ekoddodi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibdffcmj.dll" | Kcepfj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pplhab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gkianp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhejhkma.dll" | Fldeie32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bekdmnio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fpdckm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdckahg.dll" | Mkhkblii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bindmcbj.dll" | Hcidoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mnochl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kmijliej.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hphglf32.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 3008 wrote to memory of 4436 | 3008 | NEAS.ba26e068e8393444da42ccafa9f36840.exe | 88
PID 3008 wrote to memory of 4436 | 3008 | NEAS.ba26e068e8393444da42ccafa9f36840.exe | 88
PID 3008 wrote to memory of 4436 | 3008 | NEAS.ba26e068e8393444da42ccafa9f36840.exe | 88
PID 4436 wrote to memory of 5024 | 4436 | Bkpfjb32.exe | 89
PID 4436 wrote to memory of 5024 | 4436 | Bkpfjb32.exe | 89
PID 4436 wrote to memory of 5024 | 4436 | Bkpfjb32.exe | 89
PID 5024 wrote to memory of 4132 | 5024 | Dqbadf32.exe | 90
PID 5024 wrote to memory of 4132 | 5024 | Dqbadf32.exe | 90
PID 5024 wrote to memory of 4132 | 5024 | Dqbadf32.exe | 90
PID 4132 wrote to memory of 400 | 4132 | Embdofop.exe | 91
PID 4132 wrote to memory of 400 | 4132 | Embdofop.exe | 91
PID 4132 wrote to memory of 400 | 4132 | Embdofop.exe | 91
PID 400 wrote to memory of 2512 | 400 | Eljknl32.exe | 92
PID 400 wrote to memory of 2512 | 400 | Eljknl32.exe | 92
PID 400 wrote to memory of 2512 | 400 | Eljknl32.exe | 92
PID 2512 wrote to memory of 5028 | 2512 | Flcndk32.exe | 93
PID 2512 wrote to memory of 5028 | 2512 | Flcndk32.exe | 93
PID 2512 wrote to memory of 5028 | 2512 | Flcndk32.exe | 93
PID 5028 wrote to memory of 1868 | 5028 | Glompi32.exe | 94
PID 5028 wrote to memory of 1868 | 5028 | Glompi32.exe | 94
PID 5028 wrote to memory of 1868 | 5028 | Glompi32.exe | 94
PID 1868 wrote to memory of 4672 | 1868 | Hlfcqh32.exe | 95
PID 1868 wrote to memory of 4672 | 1868 | Hlfcqh32.exe | 95
PID 1868 wrote to memory of 4672 | 1868 | Hlfcqh32.exe | 95
PID 4672 wrote to memory of 3160 | 4672 | Hhpaki32.exe | 96
PID 4672 wrote to memory of 3160 | 4672 | Hhpaki32.exe | 96
PID 4672 wrote to memory of 3160 | 4672 | Hhpaki32.exe | 96
PID 3160 wrote to memory of 4564 | 3160 | Iolfmcbb.exe | 97
PID 3160 wrote to memory of 4564 | 3160 | Iolfmcbb.exe | 97
PID 3160 wrote to memory of 4564 | 3160 | Iolfmcbb.exe | 97
PID 4564 wrote to memory of 756 | 4564 | Ioeicajh.exe | 98
PID 4564 wrote to memory of 756 | 4564 | Ioeicajh.exe | 98
PID 4564 wrote to memory of 756 | 4564 | Ioeicajh.exe | 98
PID 756 wrote to memory of 1712 | 756 | Klloichl.exe | 99
PID 756 wrote to memory of 1712 | 756 | Klloichl.exe | 99
PID 756 wrote to memory of 1712 | 756 | Klloichl.exe | 99
PID 1712 wrote to memory of 4716 | 1712 | Lfimmhkg.exe | 101
PID 1712 wrote to memory of 4716 | 1712 | Lfimmhkg.exe | 101
PID 1712 wrote to memory of 4716 | 1712 | Lfimmhkg.exe | 101
PID 4716 wrote to memory of 2200 | 4716 | Mkadam32.exe | 102
PID 4716 wrote to memory of 2200 | 4716 | Mkadam32.exe | 102
PID 4716 wrote to memory of 2200 | 4716 | Mkadam32.exe | 102
PID 2200 wrote to memory of 1164 | 2200 | Mkhkblii.exe | 103
PID 2200 wrote to memory of 1164 | 2200 | Mkhkblii.exe | 103
PID 2200 wrote to memory of 1164 | 2200 | Mkhkblii.exe | 103
PID 1164 wrote to memory of 2848 | 1164 | Nppfnige.exe | 104
PID 1164 wrote to memory of 2848 | 1164 | Nppfnige.exe | 104
PID 1164 wrote to memory of 2848 | 1164 | Nppfnige.exe | 104
PID 2848 wrote to memory of 5076 | 2848 | Ofadlbhj.exe | 105
PID 2848 wrote to memory of 5076 | 2848 | Ofadlbhj.exe | 105
PID 2848 wrote to memory of 5076 | 2848 | Ofadlbhj.exe | 105
PID 5076 wrote to memory of 3340 | 5076 | Ofcaab32.exe | 106
PID 5076 wrote to memory of 3340 | 5076 | Ofcaab32.exe | 106
PID 5076 wrote to memory of 3340 | 5076 | Ofcaab32.exe | 106
PID 3340 wrote to memory of 3612 | 3340 | Pmpfcl32.exe | 107
PID 3340 wrote to memory of 3612 | 3340 | Pmpfcl32.exe | 107
PID 3340 wrote to memory of 3612 | 3340 | Pmpfcl32.exe | 107
PID 3612 wrote to memory of 1840 | 3612 | Pfoamp32.exe | 108
PID 3612 wrote to memory of 1840 | 3612 | Pfoamp32.exe | 108
PID 3612 wrote to memory of 1840 | 3612 | Pfoamp32.exe | 108
PID 1840 wrote to memory of 1340 | 1840 | Abjkmqni.exe | 109
PID 1840 wrote to memory of 1340 | 1840 | Abjkmqni.exe | 109
PID 1840 wrote to memory of 1340 | 1840 | Abjkmqni.exe | 109
PID 1340 wrote to memory of 4460 | 1340 | Aifpoj32.exe | 110
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.ba26e068e8393444da42ccafa9f36840.exe (depth 1, PID 3008), command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.ba26e068e8393444da42ccafa9f36840.exe"
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Bkpfjb32.exe (depth 2, PID 4436), command line: C:\Windows\system32\Bkpfjb32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Dqbadf32.exe (depth 3, PID 5024), command line: C:\Windows\system32\Dqbadf32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Embdofop.exe (depth 4, PID 4132), command line: C:\Windows\system32\Embdofop.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Eljknl32.exe (depth 5, PID 400), command line: C:\Windows\system32\Eljknl32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Flcndk32.exe (depth 6, PID 2512), command line: C:\Windows\system32\Flcndk32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Glompi32.exe (depth 7, PID 5028), command line: C:\Windows\system32\Glompi32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Hlfcqh32.exe (depth 8, PID 1868), command line: C:\Windows\system32\Hlfcqh32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Hhpaki32.exe (depth 9, PID 4672), command line: C:\Windows\system32\Hhpaki32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Iolfmcbb.exe (depth 10, PID 3160), command line: C:\Windows\system32\Iolfmcbb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ioeicajh.exe (depth 11, PID 4564), command line: C:\Windows\system32\Ioeicajh.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Klloichl.exe (depth 12, PID 756), command line: C:\Windows\system32\Klloichl.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lfimmhkg.exe (depth 13, PID 1712), command line: C:\Windows\system32\Lfimmhkg.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Mkadam32.exe (depth 14, PID 4716), command line: C:\Windows\system32\Mkadam32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Mkhkblii.exe (depth 15, PID 2200), command line: C:\Windows\system32\Mkhkblii.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nppfnige.exe (depth 16, PID 1164), command line: C:\Windows\system32\Nppfnige.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ofadlbhj.exe (depth 17, PID 2848), command line: C:\Windows\system32\Ofadlbhj.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ofcaab32.exe (depth 18, PID 5076), command line: C:\Windows\system32\Ofcaab32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Pmpfcl32.exe (depth 19, PID 3340), command line: C:\Windows\system32\Pmpfcl32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Pfoamp32.exe (depth 20, PID 3612), command line: C:\Windows\system32\Pfoamp32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Abjkmqni.exe (depth 21, PID 1840), command line: C:\Windows\system32\Abjkmqni.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Aifpoj32.exe (depth 22, PID 1340), command line: C:\Windows\system32\Aifpoj32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Aemqdk32.exe (depth 23, PID 4460), command line: C:\Windows\system32\Aemqdk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Accnco32.exe (depth 24, PID 3416), command line: C:\Windows\system32\Accnco32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Bgfpdmho.exe (depth 25, PID 2780), command line: C:\Windows\system32\Bgfpdmho.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Cfpfqiha.exe (depth 26, PID 2168), command line: C:\Windows\system32\Cfpfqiha.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Djeegf32.exe (depth 27, PID 4788), command line: C:\Windows\system32\Djeegf32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Dmjgdq32.exe (depth 28, PID 4400), command line: C:\Windows\system32\Dmjgdq32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Enomic32.exe (depth 29, PID 2760), command line: C:\Windows\system32\Enomic32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Emhdeoel.exe (depth 30, PID 1464), command line: C:\Windows\system32\Emhdeoel.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Fakfglhm.exe (depth 31, PID 3452), command line: C:\Windows\system32\Fakfglhm.exe
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Fpbpmhjb.exe (depth 32, PID 3764), command line: C:\Windows\system32\Fpbpmhjb.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Gmpcmkaa.exe (depth 33, PID 3712), command line: C:\Windows\system32\Gmpcmkaa.exe
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Hjfplo32.exe (depth 34, PID 3964), command line: C:\Windows\system32\Hjfplo32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Iajkohmj.exe (depth 35, PID 552), command line: C:\Windows\system32\Iajkohmj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Kkioojpp.exe (depth 36, PID 1872), command line: C:\Windows\system32\Kkioojpp.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Mhbakk32.exe (depth 37, PID 2724), command line: C:\Windows\system32\Mhbakk32.exe
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Nbbldp32.exe (depth 38, PID 4908), command line: C:\Windows\system32\Nbbldp32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Nkojheoe.exe (depth 39, PID 2716), command line: C:\Windows\system32\Nkojheoe.exe
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Ooalibaf.exe (depth 40, PID 3876), command line: C:\Windows\system32\Ooalibaf.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Ogajid32.exe (depth 41, PID 2260), command line: C:\Windows\system32\Ogajid32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Picchg32.exe (depth 42, PID 1524), command line: C:\Windows\system32\Picchg32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Phmjdbpo.exe (depth 43, PID 3752), command line: C:\Windows\system32\Phmjdbpo.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Qbggmk32.exe (depth 44, PID 4240), command line: C:\Windows\system32\Qbggmk32.exe
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Aacjofkp.exe (depth 45, PID 4448), command line: C:\Windows\system32\Aacjofkp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Biolkc32.exe (depth 46, PID 2912), command line: C:\Windows\system32\Biolkc32.exe
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Biaiqb32.exe (depth 47, PID 3016), command line: C:\Windows\system32\Biaiqb32.exe
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Baojkdqb.exe (depth 48, PID 3776), command line: C:\Windows\system32\Baojkdqb.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Cbofdg32.exe (depth 49, PID 4624), command line: C:\Windows\system32\Cbofdg32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Cohdoh32.exe (depth 50, PID 1384), command line: C:\Windows\system32\Cohdoh32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Chphhn32.exe (depth 51, PID 3324), command line: C:\Windows\system32\Chphhn32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Chebcmna.exe (depth 52, PID 4028), command line: C:\Windows\system32\Chebcmna.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Dljqjjnp.exe (depth 53, PID 4488), command line: C:\Windows\system32\Dljqjjnp.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Ejegdngb.exe (depth 54, PID 1552), command line: C:\Windows\system32\Ejegdngb.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Ehlakjig.exe (depth 55, PID 3192), command line: C:\Windows\system32\Ehlakjig.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Ffekom32.exe (depth 56, PID 4360), command line: C:\Windows\system32\Ffekom32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Gijmlh32.exe (depth 57, PID 4744), command line: C:\Windows\system32\Gijmlh32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Gmhfbf32.exe (depth 58, PID 4652), command line: C:\Windows\system32\Gmhfbf32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Gmkbgf32.exe (depth 59, PID 3024), command line: C:\Windows\system32\Gmkbgf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Gqhknd32.exe (depth 60, PID 1832), command line: C:\Windows\system32\Gqhknd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Hcidoo32.exe (depth 61, PID 4120), command line: C:\Windows\system32\Hcidoo32.exe
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Hameic32.exe (depth 62, PID 5088), command line: C:\Windows\system32\Hameic32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Hjeiai32.exe (depth 63, PID 1920), command line: C:\Windows\system32\Hjeiai32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Hbcklkee.exe (depth 64, PID 2948), command line: C:\Windows\system32\Hbcklkee.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Hmioicek.exe (depth 65, PID 1592), command line: C:\Windows\system32\Hmioicek.exe
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Hbegakcb.exe (depth 66, PID 4664), command line: C:\Windows\system32\Hbegakcb.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Ijolhg32.exe (depth 67, PID 3800), command line: C:\Windows\system32\Ijolhg32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Icgqqmib.exe (depth 68, PID 2208), command line: C:\Windows\system32\Icgqqmib.exe
C:\Windows\SysWOW64\Iidiidgj.exe (depth 69, PID 4756), command line: C:\Windows\system32\Iidiidgj.exe
C:\Windows\SysWOW64\Ipnaen32.exe (depth 70, PID 2248), command line: C:\Windows\system32\Ipnaen32.exe
C:\Windows\SysWOW64\Ijcecgnl.exe (depth 71, PID 1660), command line: C:\Windows\system32\Ijcecgnl.exe
C:\Windows\SysWOW64\Iiibdc32.exe (depth 72, PID 1392), command line: C:\Windows\system32\Iiibdc32.exe
C:\Windows\SysWOW64\Jmgkja32.exe (depth 73, PID 3368), command line: C:\Windows\system32\Jmgkja32.exe
C:\Windows\SysWOW64\Jmihpa32.exe (depth 74, PID 3676), command line: C:\Windows\system32\Jmihpa32.exe
C:\Windows\SysWOW64\Jplmglbf.exe (depth 75, PID 2504), command line: C:\Windows\system32\Jplmglbf.exe
C:\Windows\SysWOW64\Kapclned.exe (depth 76, PID 2820), command line: C:\Windows\system32\Kapclned.exe
C:\Windows\SysWOW64\Kabpan32.exe (depth 77, PID 4196), command line: C:\Windows\system32\Kabpan32.exe
C:\Windows\SysWOW64\Kphmbjhi.exe (depth 78, PID 8), command line: C:\Windows\system32\Kphmbjhi.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
C:\Windows\SysWOW64\Kmlmlo32.exe (depth 79, PID 1080), command line: C:\Windows\system32\Kmlmlo32.exe
C:\Windows\SysWOW64\Mknjgajl.exe (depth 80, PID 3428), command line: C:\Windows\system32\Mknjgajl.exe
C:\Windows\SysWOW64\Mnochl32.exe (depth 81, PID 376), command line: C:\Windows\system32\Mnochl32.exe
- Modifies registry class
C:\Windows\SysWOW64\Mcklac32.exe (depth 82, PID 260), command line: C:\Windows\system32\Mcklac32.exe
C:\Windows\SysWOW64\Mpoljg32.exe (depth 83, PID 1484), command line: C:\Windows\system32\Mpoljg32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Mjhqcmjo.exe (depth 84, PID 1856), command line: C:\Windows\system32\Mjhqcmjo.exe
C:\Windows\SysWOW64\Ncpelbap.exe (depth 85, PID 4472), command line: C:\Windows\system32\Ncpelbap.exe
C:\Windows\SysWOW64\Nneiikqe.exe (depth 86, PID 4380), command line: C:\Windows\system32\Nneiikqe.exe
C:\Windows\SysWOW64\Nbfoeiei.exe (depth 87, PID 4556), command line: C:\Windows\system32\Nbfoeiei.exe
C:\Windows\SysWOW64\Njacikbd.exe (depth 88, PID 1264), command line: C:\Windows\system32\Njacikbd.exe
C:\Windows\SysWOW64\Ndfgfd32.exe (depth 89, PID 3692), command line: C:\Windows\system32\Ndfgfd32.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Nbjhph32.exe (depth 90, PID 3840), command line: C:\Windows\system32\Nbjhph32.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Oqbagd32.exe (depth 91, PID 2632), command line: C:\Windows\system32\Oqbagd32.exe
C:\Windows\SysWOW64\Ojjfpjjj.exe (depth 92, PID 3860), command line: C:\Windows\system32\Ojjfpjjj.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Occkhp32.exe (depth 93, PID 4424), command line: C:\Windows\system32\Occkhp32.exe
C:\Windows\SysWOW64\Pbfglg32.exe (depth 94, PID 4812), command line: C:\Windows\system32\Pbfglg32.exe
C:\Windows\SysWOW64\Pkaijl32.exe (depth 95, PID 2440), command line: C:\Windows\system32\Pkaijl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Pjffkhpl.exe (depth 96, PID 1984), command line: C:\Windows\system32\Pjffkhpl.exe
- Modifies registry class
C:\Windows\SysWOW64\Qaegcb32.exe (depth 97, PID 1908), command line: C:\Windows\system32\Qaegcb32.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Qnihlf32.exe (depth 98, PID 728), command line: C:\Windows\system32\Qnihlf32.exe
C:\Windows\SysWOW64\Qlmhfj32.exe (depth 99, PID 5040), command line: C:\Windows\system32\Qlmhfj32.exe
C:\Windows\SysWOW64\Agcikk32.exe (depth 100, PID 2420), command line: C:\Windows\system32\Agcikk32.exe
C:\Windows\SysWOW64\Aalndaml.exe (depth 101, PID 2676), command line: C:\Windows\system32\Aalndaml.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Bbbpnc32.exe (depth 102, PID 3888), command line: C:\Windows\system32\Bbbpnc32.exe
- Modifies registry class
C:\Windows\SysWOW64\Bdcmfkde.exe (depth 103, PID 5012), command line: C:\Windows\system32\Bdcmfkde.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Bbemdb32.exe (depth 104, PID 2108), command line: C:\Windows\system32\Bbemdb32.exe
C:\Windows\SysWOW64\Balfko32.exe (depth 105, PID 4760), command line: C:\Windows\system32\Balfko32.exe
C:\Windows\SysWOW64\Bjdkcd32.exe (depth 106, PID 4044), command line: C:\Windows\system32\Bjdkcd32.exe
- Modifies registry class
C:\Windows\SysWOW64\Chhkmh32.exe (depth 107, PID 2120), command line: C:\Windows\system32\Chhkmh32.exe
C:\Windows\SysWOW64\Dkedjbgg.exe (depth 108, PID 2340), command line: C:\Windows\system32\Dkedjbgg.exe
C:\Windows\SysWOW64\Gfpcpefb.exe (depth 109, PID 1972), command line: C:\Windows\system32\Gfpcpefb.exe
C:\Windows\SysWOW64\Hoonjjgk.exe (depth 110, PID 1048), command line: C:\Windows\system32\Hoonjjgk.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Hkkhjj32.exe (depth 111, PID 5132), command line: C:\Windows\system32\Hkkhjj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Imjddmpl.exe (depth 112, PID 5188), command line: C:\Windows\system32\Imjddmpl.exe
C:\Windows\SysWOW64\Iejcco32.exe (depth 113, PID 5232), command line: C:\Windows\system32\Iejcco32.exe
C:\Windows\SysWOW64\Iempingp.exe (depth 114, PID 5272), command line: C:\Windows\system32\Iempingp.exe
C:\Windows\SysWOW64\Jpbdfgge.exe (depth 115, PID 5316), command line: C:\Windows\system32\Jpbdfgge.exe
C:\Windows\SysWOW64\Jijhom32.exe (depth 116, PID 5360), command line: C:\Windows\system32\Jijhom32.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Jfoihalp.exe (depth 117, PID 5408), command line: C:\Windows\system32\Jfoihalp.exe
C:\Windows\SysWOW64\Jpgmaf32.exe (depth 118, PID 5448), command line: C:\Windows\system32\Jpgmaf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
C:\Windows\SysWOW64\Jefbomoe.exe (depth 119, PID 5500), command line: C:\Windows\system32\Jefbomoe.exe
C:\Windows\SysWOW64\Jfeoip32.exe (depth 120, PID 5544), command line: C:\Windows\system32\Jfeoip32.exe
C:\Windows\SysWOW64\Kpncbemh.exe (depth 121, PID 5588), command line: C:\Windows\system32\Kpncbemh.exe
C:\Windows\SysWOW64\Kmdqai32.exe (depth 122, PID 5632), command line: C:\Windows\system32\Kmdqai32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
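The two pieces of evidence in this section, the WriteProcessMemory records and the process tree, describe the same thing from two sides: each dropped executable in SysWOW64 creates the next one. The script below is an added example, not part of the sandbox report or of the sample itself. It parses the raw export form of both (the process line shape `<image path><command line><depth>⤵` followed by signature tags and a `PID:` line is assumed from how this export reads), rebuilds the parent/child lineage from the depth markers, confirms each edge against an actual parent-to-child write, and flags the dropped payloads. The sample input is a short excerpt copied from this report; the eight-character name heuristic (`Klloichl.exe`, `Mkadam32.exe`, ...) is my own observation from this tree, not a published signature.

```python
import re
from collections import defaultdict

# Constructed sample: four consecutive entries copied from the report above, kept in
# the raw export form (image path, command line and depth marker fused on one line).
PROCESS_TREE = r"""
C:\Windows\SysWOW64\Klloichl.exeC:\Windows\system32\Klloichl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756
C:\Windows\SysWOW64\Lfimmhkg.exeC:\Windows\system32\Lfimmhkg.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712
C:\Windows\SysWOW64\Mkadam32.exeC:\Windows\system32\Mkadam32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716
C:\Windows\SysWOW64\Mkhkblii.exeC:\Windows\system32\Mkhkblii.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2200
"""
# The matching WriteProcessMemory records from the same excerpt (one record per write).
WRITE_LOG = " ".join(
    ["PID 756 wrote to memory of 1712 756 Klloichl.exe 99"]
    + ["PID 1712 wrote to memory of 4716 1712 Lfimmhkg.exe 101"] * 3
    + ["PID 4716 wrote to memory of 2200 4716 Mkadam32.exe 102"] * 3)

# Raw process line: <image>.exe<command line><depth>⤵ with an optional inline PID.
ENTRY_RE = re.compile(
    r'^(?P<image>[A-Z]:\\.+?\.exe)(?P<cmd>"?[A-Z]:\\.+?)(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?$')
PID_RE = re.compile(r'^PID:(\d+)')
# "PID <parent> wrote to memory of <child> <parent> <parent image> <seq>"; the
# backreference requires the parent pid to repeat, which screens out mangled records.
WRITE_RE = re.compile(r'PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)')
# Assumed heuristic: name shape of the dropped executables seen in this report.
DROPPED_NAME_RE = re.compile(r'^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.exe$')


def parse_process_tree(text):
    """Turn the raw export into ordered dicts of pid, image, cmd, depth and tags."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = {"image": m["image"], "cmd": m["cmd"].strip('"'),
                       "depth": int(m["depth"]), "pid": None, "tags": []}
            entries.append(current)
            if m["pid"]:                       # deeper entries carry the PID inline
                current["pid"] = int(m["pid"])
                current = None
            continue
        if current is None:
            continue
        pm = PID_RE.match(line)
        if pm:                                 # the PID line closes the entry
            current["pid"] = int(pm.group(1))
            current = None
        elif line.startswith("- "):            # signature tag attached to the entry
            current["tags"].append(line[2:].strip())
    return entries


def parse_write_log(text):
    """Count WriteProcessMemory records per (parent pid, child pid) pair."""
    writes = defaultdict(int)
    for parent, child, _image, _seq in WRITE_RE.findall(text):
        writes[(int(parent), int(child))] += 1
    return dict(writes)


def lineage_from_depth(entries):
    """pid -> parent pid. The export is a pre-order listing, so the parent of a
    depth-d entry is the most recent entry seen at depth d-1 (None at the root)."""
    latest, parents = {}, {}
    for e in entries:
        parent = latest.get(e["depth"] - 1)
        parents[e["pid"]] = parent["pid"] if parent else None
        latest[e["depth"]] = e
    return parents


def reconcile(entries, writes):
    """Split depth-derived edges into those backed by a parent-to-child write and
    those that are not; an unconfirmed edge means tree and write log disagree."""
    confirmed, unconfirmed = [], []
    for child, parent in lineage_from_depth(entries).items():
        if parent is not None:
            (confirmed if (parent, child) in writes else unconfirmed).append((parent, child))
    return confirmed, unconfirmed


def lineage_chain(entries):
    """Walk from the deepest entry back to the root: [(pid, image name), ...]."""
    parents = lineage_from_depth(entries)
    by_pid = {e["pid"]: e for e in entries}
    pid, chain = max(entries, key=lambda e: e["depth"])["pid"], []
    while pid is not None:
        chain.append((pid, by_pid[pid]["image"].rsplit("\\", 1)[-1]))
        pid = parents.get(pid)
    return chain[::-1]


def flag_dropped_payloads(entries):
    """Entries that fit this sample's dropper pattern: a SysWOW64 image reached through
    a system32 command line (WOW64 file-system redirection, i.e. a 32-bit parent on a
    64-bit host), the observed name shape, and the 'Executes dropped EXE' tag."""
    flagged = []
    for e in entries:
        name = e["image"].rsplit("\\", 1)[-1]
        redirected = (e["image"].lower().startswith("c:\\windows\\syswow64\\")
                      and e["cmd"].lower().startswith("c:\\windows\\system32\\"))
        if redirected and DROPPED_NAME_RE.match(name) and "Executes dropped EXE" in e["tags"]:
            flagged.append((e["pid"], e["image"]))
    return flagged


if __name__ == "__main__":
    entries = parse_process_tree(PROCESS_TREE)
    print(" -> ".join(f"{pid} {name}" for pid, name in lineage_chain(entries)))
    confirmed, unconfirmed = reconcile(entries, parse_write_log(WRITE_LOG))
    print(f"edges confirmed by a write: {len(confirmed)}, unconfirmed: {len(unconfirmed)}")
    for pid, image in flag_dropped_payloads(entries):
        print(f"dropped payload: PID {pid} {image}")
```

On the excerpt every depth-derived edge is backed by a write record (three per child for the fully logged ones, one for 756 to 1712 because the log is cut at the start of this section), which is what a strictly linear chain of droppers looks like: each process creates exactly one child and is never written to by anything but its parent. The system32-in-command-line versus SysWOW64-on-disk pairing is WOW64 redirection, consistent with the x86 tag on an x64 host. To use it on the full report, feed the whole process section and the whole write table to the two parsers; an unconfirmed edge, or a write into a pid that is not the parent's own child, is the place to look for injection rather than plain process creation.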