Analysis
-
max time kernel
173s -
max time network
179s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
14-10-2023 19:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.c23402ad4d902e1315bf2312f66e5a00.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.c23402ad4d902e1315bf2312f66e5a00.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.c23402ad4d902e1315bf2312f66e5a00.exe
-
Size
49KB
-
MD5
c23402ad4d902e1315bf2312f66e5a00
-
SHA1
0cd163902d295fbfb1825d573a37bf314a271d77
-
SHA256
42335fd78b2122dc8f74498c942a1bbb8097e5641e9eef32c70d50f7983b4295
-
SHA512
16a17d5259284f03a268f70745934b045067d990445dc245c42b5f4ee753d62fd8389e19d8bd422467a3356ad55e3532b873d13f311f2764a9eaf996905e0bfe
-
SSDEEP
768:E4h+4hKKHaCLN39FWp8A4j4jzj0CPvCUX5Aomgij4utK/1H5O2Xdnh:E4Fh/LN39FWp8A4j4jzjXCyeomZ8IQt
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhimhobl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpbjfjci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Illfdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feimadoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goadfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klekfinp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfbaalbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hihibbjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljdkll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dendok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eofgpikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nadleilm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfpcoefj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmkdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cklhcfle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlhlleeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcfnqccd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcfbkpab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fipkjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncmhko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hccomh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phonha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieknpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiqjke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbldphde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfbped32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inhmqlmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfglfdkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diafqi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjgcgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgcqlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giahndcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phonha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agcdnjcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffclcgfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gknkkmmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amqhbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anffje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omcjep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ennqfenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebejem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foqdem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Femigg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlmchoan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflbkcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fecadghc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdldn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iomoenej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lokdnjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnmopk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipgkjlmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glgjlm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eecphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfiddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbbhka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klhnfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ennqfenp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcngpjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpcecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cocacl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onhhmpoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akhaipei.exe -
Executes dropped EXE 64 IoCs
pid Process 1072 Fdccbl32.exe 1948 Fipkjb32.exe 3744 Fpjcgm32.exe 3456 Ffclcgfn.exe 1472 Flqdlnde.exe 2852 Fffhifdk.exe 552 Gpqjglii.exe 4816 Gjfnedho.exe 4672 Glgjlm32.exe 2140 Gfmojenc.exe 2052 Gmggfp32.exe 3324 Gkkgpc32.exe 3096 Malpia32.exe 2012 Omcjep32.exe 1688 Pmaffnce.exe 1088 Phigif32.exe 4132 Qmepam32.exe 3060 Qlgpod32.exe 3144 Qoelkp32.exe 1656 Qdbdcg32.exe 2192 Aogiap32.exe 1108 Addaif32.exe 2800 Aknifq32.exe 2496 Aednci32.exe 3396 Akqfkp32.exe 3340 Aajohjon.exe 3568 Akccap32.exe 3948 Aamknj32.exe 3792 Aoalgn32.exe 4412 Alelqb32.exe 456 Bdpaeehj.exe 4184 Bepmoh32.exe 1052 Bohbhmfm.exe 4324 Bhpfqcln.exe 2620 Bnmoijje.exe 1840 Blnoga32.exe 1704 Bakgoh32.exe 4768 Bdickcpo.exe 4352 Cnahdi32.exe 1272 Cdlqqcnl.exe 2316 Coadnlnb.exe 3308 Cfkmkf32.exe 872 Cocacl32.exe 1364 Cfnjpfcl.exe 2732 Cnindhpg.exe 1376 Cdbfab32.exe 720 Cbfgkffn.exe 984 Chqogq32.exe 1496 Dnmhpg32.exe 1860 Dkahilkl.exe 5036 Dfglfdkb.exe 1976 Dkceokii.exe 3900 Ddligq32.exe 3804 Dkfadkgf.exe 2132 Dbpjaeoc.exe 4144 Dijbno32.exe 5060 Dngjff32.exe 2180 Deqcbpld.exe 1504 Eofgpikj.exe 4032 Eecphp32.exe 2760 Enkdaepb.exe 4348 Emmdom32.exe 2304 Ennqfenp.exe 4172 Epmmqheb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Icinkkcp.dll Dnmhpg32.exe File created C:\Windows\SysWOW64\Ifaohg32.dll Amcehdod.exe File created C:\Windows\SysWOW64\Chdialdl.exe Bnoddcef.exe File created C:\Windows\SysWOW64\Giahndcf.exe Gahcgg32.exe File opened for modification C:\Windows\SysWOW64\Gmggfp32.exe Gfmojenc.exe File created C:\Windows\SysWOW64\Coadnlnb.exe Cdlqqcnl.exe File opened for modification C:\Windows\SysWOW64\Phcgcqab.exe Paiogf32.exe File opened for modification C:\Windows\SysWOW64\Cdpcal32.exe Cocjiehd.exe File created C:\Windows\SysWOW64\Cbjeeion.dll Eangjkkd.exe File created C:\Windows\SysWOW64\Kmoiki32.dll Jbieebha.exe File created C:\Windows\SysWOW64\Qmepam32.exe Phigif32.exe File created C:\Windows\SysWOW64\Dicdcemd.dll Npbceggm.exe File created C:\Windows\SysWOW64\Ofmdio32.exe Ocohmc32.exe File created C:\Windows\SysWOW64\Gaagdbfm.dll Ocohmc32.exe File created C:\Windows\SysWOW64\Faoiogei.dll Ljdkll32.exe File created C:\Windows\SysWOW64\Gdngihbo.dll Akhaipei.exe File created C:\Windows\SysWOW64\Fogmlp32.dll Hbjoeojc.exe File opened for modification C:\Windows\SysWOW64\Ddnobj32.exe Dgjoif32.exe File opened for modification C:\Windows\SysWOW64\Fofilp32.exe Filapfbo.exe File created C:\Windows\SysWOW64\Diadam32.dll Lojmcdgl.exe File created C:\Windows\SysWOW64\Iqgjmg32.exe Inhmqlmj.exe File created C:\Windows\SysWOW64\Phhjdncl.dll Lcdjba32.exe File opened for modification C:\Windows\SysWOW64\Lbqdmodg.exe Lkflpe32.exe File opened for modification C:\Windows\SysWOW64\Aednci32.exe Aknifq32.exe File opened for modification C:\Windows\SysWOW64\Ogcnmc32.exe Onkidm32.exe File created C:\Windows\SysWOW64\Hcmhel32.dll Ibgdlg32.exe File opened for modification C:\Windows\SysWOW64\Klekfinp.exe Kifojnol.exe File opened for modification C:\Windows\SysWOW64\Jgjeppkp.exe Japmcfcc.exe File created C:\Windows\SysWOW64\Kmmedi32.exe Kbgafqla.exe File created C:\Windows\SysWOW64\Lfbped32.exe Loighj32.exe File created C:\Windows\SysWOW64\Foclgq32.exe Fijdjfdb.exe File created C:\Windows\SysWOW64\Ganldgib.exe Gpmomo32.exe File opened for modification C:\Windows\SysWOW64\Hlkfbocp.exe Gngeik32.exe File created C:\Windows\SysWOW64\Keecjl32.dll Kcfnqccd.exe File created C:\Windows\SysWOW64\Ombnni32.dll Lfbped32.exe File created C:\Windows\SysWOW64\Ajdggc32.dll Hbgkei32.exe File created C:\Windows\SysWOW64\Kpccmhdg.exe Klekfinp.exe File opened for modification C:\Windows\SysWOW64\Hcofbifb.exe Gaoihfoo.exe File created C:\Windows\SysWOW64\Dbqpfg32.dll Jngbjd32.exe File created C:\Windows\SysWOW64\Bcjfln32.dll Mgnlkfal.exe File opened for modification C:\Windows\SysWOW64\Llmbqdfb.exe Ljleil32.exe File created C:\Windows\SysWOW64\Omcjep32.exe Malpia32.exe File created C:\Windows\SysWOW64\Cghane32.dll Cfkmkf32.exe File created C:\Windows\SysWOW64\Hefnkkkj.exe Gojiiafp.exe File created C:\Windows\SysWOW64\Kgffoo32.dll Iplkpa32.exe File created C:\Windows\SysWOW64\Hihibbjo.exe Hnbeeiji.exe File created C:\Windows\SysWOW64\Khnhommq.dll Jojdlfeo.exe File created C:\Windows\SysWOW64\Fffhifdk.exe Flqdlnde.exe File opened for modification C:\Windows\SysWOW64\Dkceokii.exe Dfglfdkb.exe File opened for modification C:\Windows\SysWOW64\Japmcfcc.exe Jclljaei.exe File created C:\Windows\SysWOW64\Ddnobj32.exe Dgjoif32.exe File opened for modification C:\Windows\SysWOW64\Fhkecb32.exe Femigg32.exe File created C:\Windows\SysWOW64\Mfeccm32.exe Mcggga32.exe File created C:\Windows\SysWOW64\Lahoec32.dll Bkphhgfc.exe File created C:\Windows\SysWOW64\Econlc32.dll Afboah32.exe File created C:\Windows\SysWOW64\Enfckp32.exe Ddnobj32.exe File opened for modification C:\Windows\SysWOW64\Mlhqcgnk.exe Ljdkll32.exe File created C:\Windows\SysWOW64\Jgjeppkp.exe Japmcfcc.exe File opened for modification C:\Windows\SysWOW64\Eeomfioh.exe Enedio32.exe File created C:\Windows\SysWOW64\Lbhppocd.dll Mcggga32.exe File created C:\Windows\SysWOW64\Dahcld32.dll Iomoenej.exe File opened for modification C:\Windows\SysWOW64\Bnoddcef.exe Bkphhgfc.exe File created C:\Windows\SysWOW64\Pkffgpdd.dll Kedlip32.exe File created C:\Windows\SysWOW64\Jfjakgpa.exe Goadfa32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6116 1100 WerFault.exe 488 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkfadkgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iipfmggc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lopmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkkcfa32.dll" Eeailhme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkdeofjc.dll" Iqgjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glpdjpbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcflch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqafhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjpeo32.dll" Mjcngpjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmnmmb.dll" Ahfmpnql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cklhcfle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jinboekc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnmmboed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpaqbf32.dll" Hiacacpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahkpm32.dll" Ihdldn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lljdai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gammbfqa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcdjba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icinkkcp.dll" Dnmhpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hefnkkkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbjoeojc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeocna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elckbhbj.dll" Lhcali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfpcoefj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nncccnol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iogopi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loighj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmlbfbpg.dll" Feimadoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpqfid32.dll" Gpolbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Halhfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnebjidl.dll" Lljdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdccbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fklenm32.dll" Omcjep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglmfnhm.dll" Alelqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogakfe32.dll" Phcgcqab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Conanfli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpqiega.dll" Mcdeeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blgmmd32.dll" Ljephmgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbpchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdihjbp.dll" Ipbaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjaaljm.dll" Jllhpkfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbkbkbfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joobdfei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdbfab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Filclgic.dll" Glipgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiqjke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpmmfbfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddligq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahfmpnql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjqfnh32.dll" Dilmeida.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnooce32.dll" Jkomhhae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hepoddcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikdcj32.dll" Gkkgpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Malpia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfgipd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgpamjnb.dll" Ggmmlamj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Diafqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgofgjn.dll" Aajohjon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnhmnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnoddcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dojqjdbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Filapfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbcih32.dll" Ifmqfm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4024 wrote to memory of 1072 4024 NEAS.c23402ad4d902e1315bf2312f66e5a00.exe 83 PID 4024 wrote to memory of 1072 4024 NEAS.c23402ad4d902e1315bf2312f66e5a00.exe 83 PID 4024 wrote to memory of 1072 4024 NEAS.c23402ad4d902e1315bf2312f66e5a00.exe 83 PID 1072 wrote to memory of 1948 1072 Fdccbl32.exe 84 PID 1072 wrote to memory of 1948 1072 Fdccbl32.exe 84 PID 1072 wrote to memory of 1948 1072 Fdccbl32.exe 84 PID 1948 wrote to memory of 3744 1948 Fipkjb32.exe 85 PID 1948 wrote to memory of 3744 1948 Fipkjb32.exe 85 PID 1948 wrote to memory of 3744 1948 Fipkjb32.exe 85 PID 3744 wrote to memory of 3456 3744 Fpjcgm32.exe 86 PID 3744 wrote to memory of 3456 3744 Fpjcgm32.exe 86 PID 3744 wrote to memory of 3456 3744 Fpjcgm32.exe 86 PID 3456 wrote to memory of 1472 3456 Ffclcgfn.exe 87 PID 3456 wrote to memory of 1472 3456 Ffclcgfn.exe 87 PID 3456 wrote to memory of 1472 3456 Ffclcgfn.exe 87 PID 1472 wrote to memory of 2852 1472 Flqdlnde.exe 89 PID 1472 wrote to memory of 2852 1472 Flqdlnde.exe 89 PID 1472 wrote to memory of 2852 1472 Flqdlnde.exe 89 PID 2852 wrote to memory of 552 2852 Fffhifdk.exe 90 PID 2852 wrote to memory of 552 2852 Fffhifdk.exe 90 PID 2852 wrote to memory of 552 2852 Fffhifdk.exe 90 PID 552 wrote to memory of 4816 552 Gpqjglii.exe 91 PID 552 wrote to memory of 4816 552 Gpqjglii.exe 91 PID 552 wrote to memory of 4816 552 Gpqjglii.exe 91 PID 4816 wrote to memory of 4672 4816 Gjfnedho.exe 92 PID 4816 wrote to memory of 4672 4816 Gjfnedho.exe 92 PID 4816 wrote to memory of 4672 4816 Gjfnedho.exe 92 PID 4672 wrote to memory of 2140 4672 Glgjlm32.exe 93 PID 4672 wrote to memory of 2140 4672 Glgjlm32.exe 93 PID 4672 wrote to memory of 2140 4672 Glgjlm32.exe 93 PID 2140 wrote to memory of 2052 2140 Gfmojenc.exe 94 PID 2140 wrote to memory of 2052 2140 Gfmojenc.exe 94 PID 2140 wrote to memory of 2052 2140 Gfmojenc.exe 94 PID 2052 wrote to memory of 3324 2052 Gmggfp32.exe 96 PID 2052 wrote to memory of 3324 2052 Gmggfp32.exe 96 PID 2052 wrote to memory of 3324 2052 Gmggfp32.exe 96 PID 3324 wrote to memory of 3096 3324 Gkkgpc32.exe 98 PID 3324 wrote to memory of 3096 3324 Gkkgpc32.exe 98 PID 3324 wrote to memory of 3096 3324 Gkkgpc32.exe 98 PID 3096 wrote to memory of 2012 3096 Malpia32.exe 99 PID 3096 wrote to memory of 2012 3096 Malpia32.exe 99 PID 3096 wrote to memory of 2012 3096 Malpia32.exe 99 PID 2012 wrote to memory of 1688 2012 Omcjep32.exe 101 PID 2012 wrote to memory of 1688 2012 Omcjep32.exe 101 PID 2012 wrote to memory of 1688 2012 Omcjep32.exe 101 PID 1688 wrote to memory of 1088 1688 Pmaffnce.exe 102 PID 1688 wrote to memory of 1088 1688 Pmaffnce.exe 102 PID 1688 wrote to memory of 1088 1688 Pmaffnce.exe 102 PID 1088 wrote to memory of 4132 1088 Phigif32.exe 104 PID 1088 wrote to memory of 4132 1088 Phigif32.exe 104 PID 1088 wrote to memory of 4132 1088 Phigif32.exe 104 PID 4132 wrote to memory of 3060 4132 Qmepam32.exe 105 PID 4132 wrote to memory of 3060 4132 Qmepam32.exe 105 PID 4132 wrote to memory of 3060 4132 Qmepam32.exe 105 PID 3060 wrote to memory of 3144 3060 Qlgpod32.exe 106 PID 3060 wrote to memory of 3144 3060 Qlgpod32.exe 106 PID 3060 wrote to memory of 3144 3060 Qlgpod32.exe 106 PID 3144 wrote to memory of 1656 3144 Qoelkp32.exe 107 PID 3144 wrote to memory of 1656 3144 Qoelkp32.exe 107 PID 3144 wrote to memory of 1656 3144 Qoelkp32.exe 107 PID 1656 wrote to memory of 2192 1656 Qdbdcg32.exe 108 PID 1656 wrote to memory of 2192 1656 Qdbdcg32.exe 108 PID 1656 wrote to memory of 2192 1656 Qdbdcg32.exe 108 PID 2192 wrote to memory of 1108 2192 Aogiap32.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c23402ad4d902e1315bf2312f66e5a00.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.c23402ad4d902e1315bf2312f66e5a00.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Fdccbl32.exeC:\Windows\system32\Fdccbl32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Fipkjb32.exeC:\Windows\system32\Fipkjb32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Fpjcgm32.exeC:\Windows\system32\Fpjcgm32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Windows\SysWOW64\Ffclcgfn.exeC:\Windows\system32\Ffclcgfn.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Gjfnedho.exeC:\Windows\system32\Gjfnedho.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\Gfmojenc.exeC:\Windows\system32\Gfmojenc.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Gkkgpc32.exeC:\Windows\system32\Gkkgpc32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\SysWOW64\Malpia32.exeC:\Windows\system32\Malpia32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Omcjep32.exeC:\Windows\system32\Omcjep32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Pmaffnce.exeC:\Windows\system32\Pmaffnce.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Phigif32.exeC:\Windows\system32\Phigif32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Qmepam32.exeC:\Windows\system32\Qmepam32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132 -
C:\Windows\SysWOW64\Qlgpod32.exeC:\Windows\system32\Qlgpod32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Qoelkp32.exeC:\Windows\system32\Qoelkp32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\Qdbdcg32.exeC:\Windows\system32\Qdbdcg32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Aogiap32.exeC:\Windows\system32\Aogiap32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Addaif32.exeC:\Windows\system32\Addaif32.exe23⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Aknifq32.exeC:\Windows\system32\Aknifq32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Aednci32.exeC:\Windows\system32\Aednci32.exe25⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Akqfkp32.exeC:\Windows\system32\Akqfkp32.exe26⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Aajohjon.exeC:\Windows\system32\Aajohjon.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3340 -
C:\Windows\SysWOW64\Akccap32.exeC:\Windows\system32\Akccap32.exe28⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Aamknj32.exeC:\Windows\system32\Aamknj32.exe29⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Aoalgn32.exeC:\Windows\system32\Aoalgn32.exe30⤵
- Executes dropped EXE
PID:3792 -
C:\Windows\SysWOW64\Alelqb32.exeC:\Windows\system32\Alelqb32.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:4412 -
C:\Windows\SysWOW64\Bdpaeehj.exeC:\Windows\system32\Bdpaeehj.exe32⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Bepmoh32.exeC:\Windows\system32\Bepmoh32.exe33⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Bohbhmfm.exeC:\Windows\system32\Bohbhmfm.exe34⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Bhpfqcln.exeC:\Windows\system32\Bhpfqcln.exe35⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Bnmoijje.exeC:\Windows\system32\Bnmoijje.exe36⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Blnoga32.exeC:\Windows\system32\Blnoga32.exe37⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Bakgoh32.exeC:\Windows\system32\Bakgoh32.exe38⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Bdickcpo.exeC:\Windows\system32\Bdickcpo.exe39⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Cnahdi32.exeC:\Windows\system32\Cnahdi32.exe40⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Cdlqqcnl.exeC:\Windows\system32\Cdlqqcnl.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\Coadnlnb.exeC:\Windows\system32\Coadnlnb.exe42⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Cfkmkf32.exeC:\Windows\system32\Cfkmkf32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3308 -
C:\Windows\SysWOW64\Cocacl32.exeC:\Windows\system32\Cocacl32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Cfnjpfcl.exeC:\Windows\system32\Cfnjpfcl.exe45⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Cnindhpg.exeC:\Windows\system32\Cnindhpg.exe46⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Cdbfab32.exeC:\Windows\system32\Cdbfab32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1376 -
C:\Windows\SysWOW64\Cbfgkffn.exeC:\Windows\system32\Cbfgkffn.exe48⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Chqogq32.exeC:\Windows\system32\Chqogq32.exe49⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Dnmhpg32.exeC:\Windows\system32\Dnmhpg32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Dkahilkl.exeC:\Windows\system32\Dkahilkl.exe51⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Dfglfdkb.exeC:\Windows\system32\Dfglfdkb.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5036 -
C:\Windows\SysWOW64\Dkceokii.exeC:\Windows\system32\Dkceokii.exe53⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Ddligq32.exeC:\Windows\system32\Ddligq32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:3900 -
C:\Windows\SysWOW64\Dkfadkgf.exeC:\Windows\system32\Dkfadkgf.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:3804 -
C:\Windows\SysWOW64\Dbpjaeoc.exeC:\Windows\system32\Dbpjaeoc.exe56⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Dijbno32.exeC:\Windows\system32\Dijbno32.exe57⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Dngjff32.exeC:\Windows\system32\Dngjff32.exe58⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Deqcbpld.exeC:\Windows\system32\Deqcbpld.exe59⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Eofgpikj.exeC:\Windows\system32\Eofgpikj.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Eecphp32.exeC:\Windows\system32\Eecphp32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Enkdaepb.exeC:\Windows\system32\Enkdaepb.exe62⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Emmdom32.exeC:\Windows\system32\Emmdom32.exe63⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Ennqfenp.exeC:\Windows\system32\Ennqfenp.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Epmmqheb.exeC:\Windows\system32\Epmmqheb.exe65⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Enbjad32.exeC:\Windows\system32\Enbjad32.exe66⤵PID:4892
-
C:\Windows\SysWOW64\Fmcjpl32.exeC:\Windows\system32\Fmcjpl32.exe67⤵PID:4848
-
C:\Windows\SysWOW64\Fbpchb32.exeC:\Windows\system32\Fbpchb32.exe68⤵
- Modifies registry class
PID:4296 -
C:\Windows\SysWOW64\Fngcmcfe.exeC:\Windows\system32\Fngcmcfe.exe69⤵PID:1240
-
C:\Windows\SysWOW64\Fimhjl32.exeC:\Windows\system32\Fimhjl32.exe70⤵PID:2100
-
C:\Windows\SysWOW64\Gnepna32.exeC:\Windows\system32\Gnepna32.exe71⤵PID:3932
-
C:\Windows\SysWOW64\Glipgf32.exeC:\Windows\system32\Glipgf32.exe72⤵
- Modifies registry class
PID:4956 -
C:\Windows\SysWOW64\Gmimai32.exeC:\Windows\system32\Gmimai32.exe73⤵PID:4792
-
C:\Windows\SysWOW64\Gojiiafp.exeC:\Windows\system32\Gojiiafp.exe74⤵
- Drops file in System32 directory
PID:4736 -
C:\Windows\SysWOW64\Hefnkkkj.exeC:\Windows\system32\Hefnkkkj.exe75⤵
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Hbjoeojc.exeC:\Windows\system32\Hbjoeojc.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:4120 -
C:\Windows\SysWOW64\Hoclopne.exeC:\Windows\system32\Hoclopne.exe77⤵PID:1304
-
C:\Windows\SysWOW64\Ifmqfm32.exeC:\Windows\system32\Ifmqfm32.exe78⤵
- Modifies registry class
PID:4964 -
C:\Windows\SysWOW64\Iikmbh32.exeC:\Windows\system32\Iikmbh32.exe79⤵PID:1600
-
C:\Windows\SysWOW64\Ifomll32.exeC:\Windows\system32\Ifomll32.exe80⤵PID:836
-
C:\Windows\SysWOW64\Illfdc32.exeC:\Windows\system32\Illfdc32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1352 -
C:\Windows\SysWOW64\Iipfmggc.exeC:\Windows\system32\Iipfmggc.exe82⤵
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Iomoenej.exeC:\Windows\system32\Iomoenej.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Iibccgep.exeC:\Windows\system32\Iibccgep.exe84⤵PID:3440
-
C:\Windows\SysWOW64\Iplkpa32.exeC:\Windows\system32\Iplkpa32.exe85⤵
- Drops file in System32 directory
PID:4764 -
C:\Windows\SysWOW64\Impliekg.exeC:\Windows\system32\Impliekg.exe86⤵PID:1136
-
C:\Windows\SysWOW64\Ipoheakj.exeC:\Windows\system32\Ipoheakj.exe87⤵PID:2932
-
C:\Windows\SysWOW64\Jekqmhia.exeC:\Windows\system32\Jekqmhia.exe88⤵PID:3748
-
C:\Windows\SysWOW64\Jleijb32.exeC:\Windows\system32\Jleijb32.exe89⤵PID:5160
-
C:\Windows\SysWOW64\Jcoaglhk.exeC:\Windows\system32\Jcoaglhk.exe90⤵PID:5200
-
C:\Windows\SysWOW64\Jpcapp32.exeC:\Windows\system32\Jpcapp32.exe91⤵PID:5244
-
C:\Windows\SysWOW64\Jngbjd32.exeC:\Windows\system32\Jngbjd32.exe92⤵
- Drops file in System32 directory
PID:5284 -
C:\Windows\SysWOW64\Jpenfp32.exeC:\Windows\system32\Jpenfp32.exe93⤵PID:5328
-
C:\Windows\SysWOW64\Jinboekc.exeC:\Windows\system32\Jinboekc.exe94⤵
- Modifies registry class
PID:5376 -
C:\Windows\SysWOW64\Jokkgl32.exeC:\Windows\system32\Jokkgl32.exe95⤵PID:5420
-
C:\Windows\SysWOW64\Jedccfqg.exeC:\Windows\system32\Jedccfqg.exe96⤵PID:5472
-
C:\Windows\SysWOW64\Kpjgaoqm.exeC:\Windows\system32\Kpjgaoqm.exe97⤵PID:5516
-
C:\Windows\SysWOW64\Kgdpni32.exeC:\Windows\system32\Kgdpni32.exe98⤵PID:5560
-
C:\Windows\SysWOW64\Klahfp32.exeC:\Windows\system32\Klahfp32.exe99⤵PID:5604
-
C:\Windows\SysWOW64\Kjeiodek.exeC:\Windows\system32\Kjeiodek.exe100⤵PID:5652
-
C:\Windows\SysWOW64\Klhnfo32.exeC:\Windows\system32\Klhnfo32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5696 -
C:\Windows\SysWOW64\Kfpcoefj.exeC:\Windows\system32\Kfpcoefj.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5740 -
C:\Windows\SysWOW64\Loighj32.exeC:\Windows\system32\Loighj32.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:5784 -
C:\Windows\SysWOW64\Lfbped32.exeC:\Windows\system32\Lfbped32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5828 -
C:\Windows\SysWOW64\Lokdnjkg.exeC:\Windows\system32\Lokdnjkg.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5872 -
C:\Windows\SysWOW64\Lqkqhm32.exeC:\Windows\system32\Lqkqhm32.exe106⤵PID:5920
-
C:\Windows\SysWOW64\Lfgipd32.exeC:\Windows\system32\Lfgipd32.exe107⤵
- Modifies registry class
PID:5960 -
C:\Windows\SysWOW64\Lopmii32.exeC:\Windows\system32\Lopmii32.exe108⤵
- Modifies registry class
PID:6004 -
C:\Windows\SysWOW64\Ljeafb32.exeC:\Windows\system32\Ljeafb32.exe109⤵PID:6044
-
C:\Windows\SysWOW64\Lobjni32.exeC:\Windows\system32\Lobjni32.exe110⤵PID:6088
-
C:\Windows\SysWOW64\Lflbkcll.exeC:\Windows\system32\Lflbkcll.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6132 -
C:\Windows\SysWOW64\Mqafhl32.exeC:\Windows\system32\Mqafhl32.exe112⤵
- Modifies registry class
PID:5152 -
C:\Windows\SysWOW64\Mfnoqc32.exeC:\Windows\system32\Mfnoqc32.exe113⤵PID:5228
-
C:\Windows\SysWOW64\Mmhgmmbf.exeC:\Windows\system32\Mmhgmmbf.exe114⤵PID:5316
-
C:\Windows\SysWOW64\Mgnlkfal.exeC:\Windows\system32\Mgnlkfal.exe115⤵
- Drops file in System32 directory
PID:5388 -
C:\Windows\SysWOW64\Mmkdcm32.exeC:\Windows\system32\Mmkdcm32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5440 -
C:\Windows\SysWOW64\Mcelpggq.exeC:\Windows\system32\Mcelpggq.exe117⤵PID:5528
-
C:\Windows\SysWOW64\Mfchlbfd.exeC:\Windows\system32\Mfchlbfd.exe118⤵PID:2740
-
C:\Windows\SysWOW64\Mmmqhl32.exeC:\Windows\system32\Mmmqhl32.exe119⤵PID:3800
-
C:\Windows\SysWOW64\Mcgiefen.exeC:\Windows\system32\Mcgiefen.exe120⤵PID:5616
-
C:\Windows\SysWOW64\Mnmmboed.exeC:\Windows\system32\Mnmmboed.exe121⤵
- Modifies registry class
PID:5688
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-