Analysis
-
max time kernel
141s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
21/10/2023, 21:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.b501b4c63d024ba813b3f5260338ae80.exe
Resource
win7-20231020-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.b501b4c63d024ba813b3f5260338ae80.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.b501b4c63d024ba813b3f5260338ae80.exe
-
Size
172KB
-
MD5
b501b4c63d024ba813b3f5260338ae80
-
SHA1
5f1535d79e7f5a2f499de32a11925222ec0b15b0
-
SHA256
ae9efae9be3747dbc7db64cffb88265102a2f8bb5250e62b885559140b68d273
-
SHA512
72ef68bac293b1899d7802b4195cf3277989f27ba006623372ecd03d5243fb71772076db6ab8c70f1e4e63ccb74d06c56cfa46a8223464664a880a23bccaa74d
-
SSDEEP
3072:UswG4WVTnPxgu+tAcrbFAJc+RsUi1aVDkOvhJjvJ:zwGPP8rtMsQB
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clciod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cklpml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmpdmfff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chjjde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liblfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdfgmnpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npiiafpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nianjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nickoldp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faonqiod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pndalkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adekhkng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Panpgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchadifq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eefdgeig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgmnpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekjgpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aompambg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeiecfga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lilomj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pigklmqc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nickoldp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgfjjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbojdmcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmdkkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlgcncli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npechhgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdfjnkne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhdjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcbjon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojakdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbkaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjnkac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbghhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckiiiine.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ephhmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pifakj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Appfggjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Codbqonk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgnjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqennbbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lomidgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehgmiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehiiop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpkdca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppnmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cedpbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fblpnepn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bheaiekc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biccfalm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nahfkigd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afcghbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qajfmbna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbfhjfdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdfhdfgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmgokcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgphke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipimic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfjgopop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkhnmfle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fagqed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmoqfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbooen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Docopbaf.exe -
Executes dropped EXE 64 IoCs
pid Process 1528 Fncmmmma.exe 2120 Ffqofohj.exe 2804 Gmmdiind.exe 2728 Gnpmfqap.exe 2576 Gbnflo32.exe 2548 Gnefapmj.exe 2128 Hafock32.exe 524 Hdfhdfgl.exe 1476 Hmaick32.exe 2900 Hfjnla32.exe 2004 Hpbbdfik.exe 1040 Ilicig32.exe 1384 Ieagbm32.exe 1804 Ioilkblq.exe 1764 Imoilo32.exe 2648 Ionefb32.exe 2924 Ihfjognl.exe 2444 Iaonhm32.exe 2236 Jjjclobg.exe 1776 Jpdkii32.exe 2848 Jeadap32.exe 1772 Joihjfnl.exe 1516 Jjomgo32.exe 1964 Jolepe32.exe 2920 Jhdihkcj.exe 2156 Jcjnfdbp.exe 1480 Kbokgpgg.exe 2468 Knekla32.exe 2024 Kjllab32.exe 2136 Kqfdnljm.exe 1604 Kfeikcfa.exe 1932 Kcijeg32.exe 2840 Ljfogake.exe 2788 Liklhmom.exe 2756 Lnhdqdnd.exe 2996 Leammn32.exe 2724 Lahmbo32.exe 2556 Nkegeg32.exe 2628 Ogqaehak.exe 1036 Opifnm32.exe 528 Ogcnkgoh.exe 1048 Opkccm32.exe 2876 Opnpimdf.exe 2880 Oifdbb32.exe 1860 Oaaifdhb.exe 1612 Oihqgbhd.exe 1828 Peoalc32.exe 2652 Pohfehdi.exe 108 Pddnnp32.exe 1712 Pojbkh32.exe 2944 Phbgcnig.exe 3060 Pnopldgn.exe 1720 Pclhdl32.exe 3008 Pnalad32.exe 2296 Pqphnp32.exe 1916 Qoeeolig.exe 692 Qqdbiopj.exe 1460 Abfnpg32.exe 1972 Amkbnp32.exe 1740 Aibcba32.exe 2168 Anolkh32.exe 2316 Aeidgbaf.exe 1196 Aapemc32.exe 1288 Agjmim32.exe -
Loads dropped DLL 64 IoCs
pid Process 2492 NEAS.b501b4c63d024ba813b3f5260338ae80.exe 2492 NEAS.b501b4c63d024ba813b3f5260338ae80.exe 1528 Fncmmmma.exe 1528 Fncmmmma.exe 2120 Ffqofohj.exe 2120 Ffqofohj.exe 2804 Gmmdiind.exe 2804 Gmmdiind.exe 2728 Gnpmfqap.exe 2728 Gnpmfqap.exe 2576 Gbnflo32.exe 2576 Gbnflo32.exe 2548 Gnefapmj.exe 2548 Gnefapmj.exe 2128 Hafock32.exe 2128 Hafock32.exe 524 Hdfhdfgl.exe 524 Hdfhdfgl.exe 1476 Hmaick32.exe 1476 Hmaick32.exe 2900 Hfjnla32.exe 2900 Hfjnla32.exe 2004 Hpbbdfik.exe 2004 Hpbbdfik.exe 1040 Ilicig32.exe 1040 Ilicig32.exe 1384 Ieagbm32.exe 1384 Ieagbm32.exe 1804 Ioilkblq.exe 1804 Ioilkblq.exe 1764 Imoilo32.exe 1764 Imoilo32.exe 2648 Ionefb32.exe 2648 Ionefb32.exe 2924 Ihfjognl.exe 2924 Ihfjognl.exe 2444 Iaonhm32.exe 2444 Iaonhm32.exe 2236 Jjjclobg.exe 2236 Jjjclobg.exe 1776 Jpdkii32.exe 1776 Jpdkii32.exe 2848 Jeadap32.exe 2848 Jeadap32.exe 1772 Joihjfnl.exe 1772 Joihjfnl.exe 1516 Jjomgo32.exe 1516 Jjomgo32.exe 1964 Jolepe32.exe 1964 Jolepe32.exe 2920 Jhdihkcj.exe 2920 Jhdihkcj.exe 2156 Jcjnfdbp.exe 2156 Jcjnfdbp.exe 1480 Kbokgpgg.exe 1480 Kbokgpgg.exe 2468 Knekla32.exe 2468 Knekla32.exe 2024 Kjllab32.exe 2024 Kjllab32.exe 2136 Kqfdnljm.exe 2136 Kqfdnljm.exe 1604 Kfeikcfa.exe 1604 Kfeikcfa.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ahdkhp32.exe Anngkg32.exe File opened for modification C:\Windows\SysWOW64\Adekhkng.exe Ankckagj.exe File opened for modification C:\Windows\SysWOW64\Kfeikcfa.exe Kqfdnljm.exe File opened for modification C:\Windows\SysWOW64\Lahmbo32.exe Leammn32.exe File created C:\Windows\SysWOW64\Hngpchih.dll Cffljlpc.exe File created C:\Windows\SysWOW64\Anbmbi32.exe Ahedjb32.exe File created C:\Windows\SysWOW64\Nhdjdk32.exe Niaihojk.exe File created C:\Windows\SysWOW64\Amaiklki.exe Qhdabemb.exe File opened for modification C:\Windows\SysWOW64\Mlgiiaij.exe Mfmqmgbm.exe File created C:\Windows\SysWOW64\Fkjjjgij.dll Codbqonk.exe File created C:\Windows\SysWOW64\Lbpolb32.exe Lkffohon.exe File opened for modification C:\Windows\SysWOW64\Mdkcgk32.exe Mookod32.exe File created C:\Windows\SysWOW64\Qpjchicb.exe Pipklo32.exe File created C:\Windows\SysWOW64\Peoalc32.exe Oihqgbhd.exe File created C:\Windows\SysWOW64\Fajplnhf.dll Anolkh32.exe File created C:\Windows\SysWOW64\Gimkklpe.dll Pnimpcke.exe File opened for modification C:\Windows\SysWOW64\Mkelcenm.exe Mdkcgk32.exe File created C:\Windows\SysWOW64\Bpbokj32.exe Bonenbgj.exe File created C:\Windows\SysWOW64\Heljgd32.dll Ckijdm32.exe File opened for modification C:\Windows\SysWOW64\Kbokgpgg.exe Jcjnfdbp.exe File created C:\Windows\SysWOW64\Oeajjfgn.dll Ekjgpm32.exe File created C:\Windows\SysWOW64\Mplfpn32.dll Fnipkkdl.exe File created C:\Windows\SysWOW64\Cqleifna.exe Cnnimkom.exe File created C:\Windows\SysWOW64\Ahancp32.exe Aoijjjcl.exe File created C:\Windows\SysWOW64\Ehncceog.dll Bgddam32.exe File opened for modification C:\Windows\SysWOW64\Cbfhjfdk.exe Cklpml32.exe File created C:\Windows\SysWOW64\Lecjaf32.dll Ceanmc32.exe File created C:\Windows\SysWOW64\Eiocbd32.exe Eahkag32.exe File created C:\Windows\SysWOW64\Glhkoaij.dll Bgqqcd32.exe File created C:\Windows\SysWOW64\Fkllaj32.dll Bidlgdlk.exe File opened for modification C:\Windows\SysWOW64\Dbafjlaa.exe Dlgnmb32.exe File created C:\Windows\SysWOW64\Mcodqkbi.exe Jnmiag32.exe File created C:\Windows\SysWOW64\Neikpfdc.dll Malmllfb.exe File opened for modification C:\Windows\SysWOW64\Bpbokj32.exe Bonenbgj.exe File created C:\Windows\SysWOW64\Kamedlhf.dll Ilicig32.exe File created C:\Windows\SysWOW64\Fgjdgifj.dll Bheaiekc.exe File opened for modification C:\Windows\SysWOW64\Ipecndab.exe Igioiacg.exe File created C:\Windows\SysWOW64\Ngafdepl.exe Njmejaqb.exe File created C:\Windows\SysWOW64\Lgfjoqnd.dll Akejdp32.exe File opened for modification C:\Windows\SysWOW64\Bigimdjh.exe Bbmapj32.exe File created C:\Windows\SysWOW64\Pahbckfe.dll Efdmohmm.exe File opened for modification C:\Windows\SysWOW64\Fjbdmbmb.exe Fmnccn32.exe File opened for modification C:\Windows\SysWOW64\Pohfehdi.exe Peoalc32.exe File created C:\Windows\SysWOW64\Nakikpin.exe Nkaane32.exe File created C:\Windows\SysWOW64\Pgodcich.exe Peqhgmdd.exe File created C:\Windows\SysWOW64\Kehglhah.dll Dgfpni32.exe File opened for modification C:\Windows\SysWOW64\Gnmdfi32.exe Ggbljogc.exe File opened for modification C:\Windows\SysWOW64\Dcnchg32.exe Dmdkkm32.exe File created C:\Windows\SysWOW64\Bodgdaah.dll Dpgcip32.exe File created C:\Windows\SysWOW64\Mqpfnk32.dll Pkojoghl.exe File created C:\Windows\SysWOW64\Ajipkb32.exe Qaqlbmbn.exe File opened for modification C:\Windows\SysWOW64\Peaibajp.exe Pmjaadjm.exe File created C:\Windows\SysWOW64\Dglmdppi.dll Chmlfj32.exe File opened for modification C:\Windows\SysWOW64\Nkjdcp32.exe Edjlgq32.exe File opened for modification C:\Windows\SysWOW64\Chqoipkk.exe Cohkpj32.exe File created C:\Windows\SysWOW64\Diibag32.exe Dbojdmcd.exe File created C:\Windows\SysWOW64\Gpblmp32.dll Mcodqkbi.exe File created C:\Windows\SysWOW64\Anfdhfiq.dll Bldpiifb.exe File opened for modification C:\Windows\SysWOW64\Cenmfbml.exe Ckiiiine.exe File created C:\Windows\SysWOW64\Bedpgc32.dll Dqobnf32.exe File opened for modification C:\Windows\SysWOW64\Degqka32.exe Dnmhogjo.exe File created C:\Windows\SysWOW64\Bcobdgoj.exe Bfkakbpp.exe File created C:\Windows\SysWOW64\Obilip32.exe Oiahpkdj.exe File created C:\Windows\SysWOW64\Adkbiook.dll Pligbekc.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laknfmgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phelnhnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihfjognl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bphkjefo.dll" Liblfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lljkif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdnipekj.dll" Pkfghh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npiiafpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceanmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qigebglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Codbqonk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipecndab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dieiap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqfdem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffbnkppp.dll" Bepjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbmapj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emlhfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fianpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djgfgkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhocnhce.dll" Odmgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcakbjpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgcpkldh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhcdgfop.dll" Pjhaec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pojbkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgqcjlhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpaem32.dll" Ngoinfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkfghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekjqfj32.dll" Jbooen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamnbhdj.dll" Bfpmog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chhpgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cenmfbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpmeojbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhpnlnon.dll" Flpkll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgohna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflomd32.dll" Fdbhge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pahemgbf.dll" Pjchjcmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apapcnaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmggm32.dll" Jhikhefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmiqhhnn.dll" Mliibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eleobngo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noojdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnfpjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeiakl32.dll" Bglghdbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djflcfqi.dll" Eelinm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddiibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nijcgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkelcenm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnkmkbpj.dll" Nkaane32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihgmjcla.dll" Pkihpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlilhb32.dll" Ckiiiine.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npngng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lahmbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdedde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idpademd.dll" Ijmdql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbhkmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pndalkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjeace32.dll" Khjkiikl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heljgd32.dll" Ckijdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idebfofe.dll" Fmegncpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piipgfbo.dll" Dncdqcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kejahn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlmobpjk.dll" Ghmohcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igioiacg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obdjjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cohkpj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2492 wrote to memory of 1528 2492 NEAS.b501b4c63d024ba813b3f5260338ae80.exe 28 PID 2492 wrote to memory of 1528 2492 NEAS.b501b4c63d024ba813b3f5260338ae80.exe 28 PID 2492 wrote to memory of 1528 2492 NEAS.b501b4c63d024ba813b3f5260338ae80.exe 28 PID 2492 wrote to memory of 1528 2492 NEAS.b501b4c63d024ba813b3f5260338ae80.exe 28 PID 1528 wrote to memory of 2120 1528 Fncmmmma.exe 29 PID 1528 wrote to memory of 2120 1528 Fncmmmma.exe 29 PID 1528 wrote to memory of 2120 1528 Fncmmmma.exe 29 PID 1528 wrote to memory of 2120 1528 Fncmmmma.exe 29 PID 2120 wrote to memory of 2804 2120 Ffqofohj.exe 30 PID 2120 wrote to memory of 2804 2120 Ffqofohj.exe 30 PID 2120 wrote to memory of 2804 2120 Ffqofohj.exe 30 PID 2120 wrote to memory of 2804 2120 Ffqofohj.exe 30 PID 2804 wrote to memory of 2728 2804 Gmmdiind.exe 31 PID 2804 wrote to memory of 2728 2804 Gmmdiind.exe 31 PID 2804 wrote to memory of 2728 2804 Gmmdiind.exe 31 PID 2804 wrote to memory of 2728 2804 Gmmdiind.exe 31 PID 2728 wrote to memory of 2576 2728 Gnpmfqap.exe 32 PID 2728 wrote to memory of 2576 2728 Gnpmfqap.exe 32 PID 2728 wrote to memory of 2576 2728 Gnpmfqap.exe 32 PID 2728 wrote to memory of 2576 2728 Gnpmfqap.exe 32 PID 2576 wrote to memory of 2548 2576 Gbnflo32.exe 33 PID 2576 wrote to memory of 2548 2576 Gbnflo32.exe 33 PID 2576 wrote to memory of 2548 2576 Gbnflo32.exe 33 PID 2576 wrote to memory of 2548 2576 Gbnflo32.exe 33 PID 2548 wrote to memory of 2128 2548 Gnefapmj.exe 34 PID 2548 wrote to memory of 2128 2548 Gnefapmj.exe 34 PID 2548 wrote to memory of 2128 2548 Gnefapmj.exe 34 PID 2548 wrote to memory of 2128 2548 Gnefapmj.exe 34 PID 2128 wrote to memory of 524 2128 Hafock32.exe 35 PID 2128 wrote to memory of 524 2128 Hafock32.exe 35 PID 2128 wrote to memory of 524 2128 Hafock32.exe 35 PID 2128 wrote to memory of 524 2128 Hafock32.exe 35 PID 524 wrote to memory of 1476 524 Hdfhdfgl.exe 36 PID 524 wrote to memory of 1476 524 Hdfhdfgl.exe 36 PID 524 wrote to memory of 1476 524 Hdfhdfgl.exe 36 PID 524 wrote to memory of 1476 524 Hdfhdfgl.exe 36 PID 1476 wrote to memory of 2900 1476 Hmaick32.exe 37 PID 1476 wrote to memory of 2900 1476 Hmaick32.exe 37 PID 1476 wrote to memory of 2900 1476 Hmaick32.exe 37 PID 1476 wrote to memory of 2900 1476 Hmaick32.exe 37 PID 2900 wrote to memory of 2004 2900 Hfjnla32.exe 38 PID 2900 wrote to memory of 2004 2900 Hfjnla32.exe 38 PID 2900 wrote to memory of 2004 2900 Hfjnla32.exe 38 PID 2900 wrote to memory of 2004 2900 Hfjnla32.exe 38 PID 2004 wrote to memory of 1040 2004 Hpbbdfik.exe 39 PID 2004 wrote to memory of 1040 2004 Hpbbdfik.exe 39 PID 2004 wrote to memory of 1040 2004 Hpbbdfik.exe 39 PID 2004 wrote to memory of 1040 2004 Hpbbdfik.exe 39 PID 1040 wrote to memory of 1384 1040 Ilicig32.exe 40 PID 1040 wrote to memory of 1384 1040 Ilicig32.exe 40 PID 1040 wrote to memory of 1384 1040 Ilicig32.exe 40 PID 1040 wrote to memory of 1384 1040 Ilicig32.exe 40 PID 1384 wrote to memory of 1804 1384 Ieagbm32.exe 41 PID 1384 wrote to memory of 1804 1384 Ieagbm32.exe 41 PID 1384 wrote to memory of 1804 1384 Ieagbm32.exe 41 PID 1384 wrote to memory of 1804 1384 Ieagbm32.exe 41 PID 1804 wrote to memory of 1764 1804 Ioilkblq.exe 42 PID 1804 wrote to memory of 1764 1804 Ioilkblq.exe 42 PID 1804 wrote to memory of 1764 1804 Ioilkblq.exe 42 PID 1804 wrote to memory of 1764 1804 Ioilkblq.exe 42 PID 1764 wrote to memory of 2648 1764 Imoilo32.exe 43 PID 1764 wrote to memory of 2648 1764 Imoilo32.exe 43 PID 1764 wrote to memory of 2648 1764 Imoilo32.exe 43 PID 1764 wrote to memory of 2648 1764 Imoilo32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.b501b4c63d024ba813b3f5260338ae80.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.b501b4c63d024ba813b3f5260338ae80.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Ffqofohj.exeC:\Windows\system32\Ffqofohj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Gmmdiind.exeC:\Windows\system32\Gmmdiind.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Gnpmfqap.exeC:\Windows\system32\Gnpmfqap.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Gbnflo32.exeC:\Windows\system32\Gbnflo32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Gnefapmj.exeC:\Windows\system32\Gnefapmj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Hafock32.exeC:\Windows\system32\Hafock32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Hdfhdfgl.exeC:\Windows\system32\Hdfhdfgl.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\SysWOW64\Hmaick32.exeC:\Windows\system32\Hmaick32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Hfjnla32.exeC:\Windows\system32\Hfjnla32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Hpbbdfik.exeC:\Windows\system32\Hpbbdfik.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Ilicig32.exeC:\Windows\system32\Ilicig32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Ieagbm32.exeC:\Windows\system32\Ieagbm32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Ioilkblq.exeC:\Windows\system32\Ioilkblq.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Imoilo32.exeC:\Windows\system32\Imoilo32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Ionefb32.exeC:\Windows\system32\Ionefb32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Ihfjognl.exeC:\Windows\system32\Ihfjognl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Iaonhm32.exeC:\Windows\system32\Iaonhm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Jjjclobg.exeC:\Windows\system32\Jjjclobg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2236 -
C:\Windows\SysWOW64\Jpdkii32.exeC:\Windows\system32\Jpdkii32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Joihjfnl.exeC:\Windows\system32\Joihjfnl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\Jjomgo32.exeC:\Windows\system32\Jjomgo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Jolepe32.exeC:\Windows\system32\Jolepe32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Jhdihkcj.exeC:\Windows\system32\Jhdihkcj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2920 -
C:\Windows\SysWOW64\Jcjnfdbp.exeC:\Windows\system32\Jcjnfdbp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Kbokgpgg.exeC:\Windows\system32\Kbokgpgg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Kjllab32.exeC:\Windows\system32\Kjllab32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2024 -
C:\Windows\SysWOW64\Kqfdnljm.exeC:\Windows\system32\Kqfdnljm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Kfeikcfa.exeC:\Windows\system32\Kfeikcfa.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe33⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Ljfogake.exeC:\Windows\system32\Ljfogake.exe34⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe35⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Lnhdqdnd.exeC:\Windows\system32\Lnhdqdnd.exe36⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Leammn32.exeC:\Windows\system32\Leammn32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Lahmbo32.exeC:\Windows\system32\Lahmbo32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Nkegeg32.exeC:\Windows\system32\Nkegeg32.exe39⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Ogqaehak.exeC:\Windows\system32\Ogqaehak.exe40⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe41⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe42⤵
- Executes dropped EXE
PID:528 -
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe43⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe44⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe45⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe46⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Peoalc32.exeC:\Windows\system32\Peoalc32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe49⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Pddnnp32.exeC:\Windows\system32\Pddnnp32.exe50⤵
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Phbgcnig.exeC:\Windows\system32\Phbgcnig.exe52⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe53⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe54⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Pnalad32.exeC:\Windows\system32\Pnalad32.exe55⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Pqphnp32.exeC:\Windows\system32\Pqphnp32.exe56⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Qoeeolig.exeC:\Windows\system32\Qoeeolig.exe57⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Qqdbiopj.exeC:\Windows\system32\Qqdbiopj.exe58⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe59⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Amkbnp32.exeC:\Windows\system32\Amkbnp32.exe60⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Aibcba32.exeC:\Windows\system32\Aibcba32.exe61⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe63⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Aapemc32.exeC:\Windows\system32\Aapemc32.exe64⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe65⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Aennba32.exeC:\Windows\system32\Aennba32.exe66⤵PID:1680
-
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe67⤵PID:2360
-
C:\Windows\SysWOW64\Bepjha32.exeC:\Windows\system32\Bepjha32.exe68⤵
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe69⤵PID:2772
-
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe70⤵
- Modifies registry class
PID:1272 -
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe71⤵PID:2292
-
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe72⤵
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Bigimdjh.exeC:\Windows\system32\Bigimdjh.exe74⤵PID:472
-
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe75⤵PID:1156
-
C:\Windows\SysWOW64\Chlfnp32.exeC:\Windows\system32\Chlfnp32.exe76⤵PID:2916
-
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe77⤵PID:1336
-
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Chqoipkk.exeC:\Windows\system32\Chqoipkk.exe79⤵PID:1044
-
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2172 -
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe81⤵
- Drops file in System32 directory
PID:1020 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe82⤵PID:2984
-
C:\Windows\SysWOW64\Cmbalfem.exeC:\Windows\system32\Cmbalfem.exe83⤵PID:2056
-
C:\Windows\SysWOW64\Dbojdmcd.exeC:\Windows\system32\Dbojdmcd.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe85⤵PID:1344
-
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe86⤵
- Drops file in System32 directory
PID:700 -
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe87⤵PID:1052
-
C:\Windows\SysWOW64\Dikogf32.exeC:\Windows\system32\Dikogf32.exe88⤵PID:776
-
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe89⤵PID:2308
-
C:\Windows\SysWOW64\Dcccpl32.exeC:\Windows\system32\Dcccpl32.exe90⤵PID:2412
-
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe91⤵
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Daipqhdg.exeC:\Windows\system32\Daipqhdg.exe92⤵PID:888
-
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe93⤵PID:1600
-
C:\Windows\SysWOW64\Dchmkkkj.exeC:\Windows\system32\Dchmkkkj.exe94⤵PID:2228
-
C:\Windows\SysWOW64\Ddiibc32.exeC:\Windows\system32\Ddiibc32.exe95⤵
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Enbnkigh.exeC:\Windows\system32\Enbnkigh.exe96⤵PID:2708
-
C:\Windows\SysWOW64\Eeielfhk.exeC:\Windows\system32\Eeielfhk.exe97⤵PID:1224
-
C:\Windows\SysWOW64\Ekfndmfb.exeC:\Windows\system32\Ekfndmfb.exe98⤵PID:2600
-
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe100⤵PID:2424
-
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe101⤵PID:1640
-
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe102⤵PID:752
-
C:\Windows\SysWOW64\Eqjmncna.exeC:\Windows\system32\Eqjmncna.exe103⤵PID:1844
-
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe104⤵PID:2912
-
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe105⤵PID:1812
-
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe106⤵PID:320
-
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe107⤵PID:2992
-
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe108⤵
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe109⤵PID:2084
-
C:\Windows\SysWOW64\Fgohna32.exeC:\Windows\system32\Fgohna32.exe110⤵
- Modifies registry class
PID:824 -
C:\Windows\SysWOW64\Fnipkkdl.exeC:\Windows\system32\Fnipkkdl.exe111⤵
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe112⤵
- Modifies registry class
PID:1396 -
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe113⤵PID:2676
-
C:\Windows\SysWOW64\Qoeamo32.exeC:\Windows\system32\Qoeamo32.exe114⤵PID:2160
-
C:\Windows\SysWOW64\Dgnjqe32.exeC:\Windows\system32\Dgnjqe32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:908 -
C:\Windows\SysWOW64\Jnmiag32.exeC:\Windows\system32\Jnmiag32.exe116⤵
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Mcodqkbi.exeC:\Windows\system32\Mcodqkbi.exe117⤵
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Mfmqmgbm.exeC:\Windows\system32\Mfmqmgbm.exe118⤵
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Mlgiiaij.exeC:\Windows\system32\Mlgiiaij.exe119⤵PID:2972
-
C:\Windows\SysWOW64\Mcaafk32.exeC:\Windows\system32\Mcaafk32.exe120⤵PID:3068
-
C:\Windows\SysWOW64\Mfpmbf32.exeC:\Windows\system32\Mfpmbf32.exe121⤵PID:2848
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-