Analysis
  max time kernel: 157s
  max time network: 174s
  platform: windows10-2004_x64
  resource: win10v2004-20231020-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 21/10/2023, 21:29
Static task
  static1: 1 signature
Behavioral task
  behavioral1
  Sample: NEAS.b501b4c63d024ba813b3f5260338ae80.exe
  Resource: win7-20231020-en
  6 signatures, 150 seconds
Behavioral task
  behavioral2
  Sample: NEAS.b501b4c63d024ba813b3f5260338ae80.exe
  Resource: win10v2004-20231020-en
  6 signatures, 150 seconds
General
  Target: NEAS.b501b4c63d024ba813b3f5260338ae80.exe
  Size: 172KB
  MD5: b501b4c63d024ba813b3f5260338ae80
  SHA1: 5f1535d79e7f5a2f499de32a11925222ec0b15b0
  SHA256: ae9efae9be3747dbc7db64cffb88265102a2f8bb5250e62b885559140b68d273
  SHA512: 72ef68bac293b1899d7802b4195cf3277989f27ba006623372ecd03d5243fb71772076db6ab8c70f1e4e63ccb74d06c56cfa46a8223464664a880a23bccaa74d
  SSDEEP: 3072:UswG4WVTnPxgu+tAcrbFAJc+RsUi1aVDkOvhJjvJ:zwGPP8rtMsQB
Score: 10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
In the rows below, SSODL stands for \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (the report spells the key "Software" on key-creation rows and "SOFTWARE" on value-set rows; registry paths are case-insensitive).
description | ioc | Process
Key created | SSODL | Nfjofg32.exe
Key created | SSODL | Hnbnjc32.exe
Key created | SSODL | Hejono32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjejdglp.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fgbfbc32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gdafgefe.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nijeoikf.exe
Key created | SSODL | Emmkci32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjcfeola.exe
Key created | SSODL | Gagebknp.exe
Key created | SSODL | Cklffq32.exe
Key created | SSODL | Oolgbpei.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ccbanfko.exe
Key created | SSODL | Dkkaiphj.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Enaaiifb.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Idjdqc32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kqpoja32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Peobeh32.exe
Key created | SSODL | Pmiidnko.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Afnljenh.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dkehlo32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fnkdpgnh.exe
Key created | SSODL | Jookjpam.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bipcei32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Acnefoac.exe
Key created | SSODL | Injcginc.exe
Key created | SSODL | Acmchj32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fhhaclqc.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjbhbf32.exe
Key created | SSODL | Eeimqc32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnnmogae.exe
Key created | SSODL | Kacgld32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Malgmm32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Difpflco.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iebnqofj.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jmnomk32.exe
Key created | SSODL | Hnpaec32.exe
Key created | SSODL | Oalpigkb.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cgbfka32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dnekcd32.exe
Key created | SSODL | Bfchcijo.exe
Key created | SSODL | Mlkejgfj.exe
Key created | SSODL | Bfedhihl.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cmedjl32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bhqmdoef.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abmhbplf.exe
Key created | SSODL | Afgame32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fjjnblhi.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qdflaa32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fnhppa32.exe
Key created | SSODL | Mdibplaf.exe
Key created | SSODL | Djegekil.exe
Key created | SSODL | Fklcgk32.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mhdbdgjl.exe
Key created | SSODL | Hpdlajfe.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hpgigj32.exe
Key created | SSODL | Gdclcmba.exe
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Blhpjnbe.exe
Key created | SSODL | Bicogo32.exe
Key created | SSODL | Qbngeadf.exe
Key created | SSODL | Oknnanhj.exe
Key created | SSODL | Pddokabk.exe
Key created | SSODL | Bjicnbba.exe
Key created | SSODL | Dfefeq32.exe
Executes dropped EXE (64 IoCs)
pid | Process
2744 | Cmnnimak.exe
2672 | Cbkfbcpb.exe
4380 | Ckbncapd.exe
3480 | Cpogkhnl.exe
1356 | Ckdkhq32.exe
3748 | Cpacqg32.exe
3528 | Cmedjl32.exe
3408 | Ckidcpjl.exe
4808 | Cdaile32.exe
1700 | Dkkaiphj.exe
644 | Ddcebe32.exe
4076 | Ddfbgelh.exe
3948 | Djegekil.exe
3888 | Dcnlnaom.exe
4472 | Ddmhhd32.exe
1796 | Ejjaqk32.exe
4080 | Egnajocq.exe
3640 | Eaceghcg.exe
1108 | Eafbmgad.exe
3048 | Ecgodpgb.exe
3792 | Ecikjoep.exe
1792 | Eajlhg32.exe
820 | Fkcpql32.exe
4140 | Fcneeo32.exe
2532 | Fqbeoc32.exe
4868 | Fjjjgh32.exe
1476 | Fkjfakng.exe
3264 | Fklcgk32.exe
768 | Hebcao32.exe
4352 | Haidfpki.exe
3836 | Hgcmbj32.exe
2148 | Hbiapb32.exe
4532 | Hkaeih32.exe
1852 | Hnpaec32.exe
3776 | Hnbnjc32.exe
1940 | Icogcjde.exe
1936 | Pmoagk32.exe
4020 | Pcijce32.exe
1424 | Qejfkmem.exe
2564 | Qkdohg32.exe
2528 | Qbngeadf.exe
4588 | Qkfkng32.exe
880 | Qcncodki.exe
4316 | Aijlgkjq.exe
3376 | Hcgjhega.exe
3360 | Mgpcohcb.exe
2288 | Hcaibo32.exe
2092 | Mphamg32.exe
2052 | Odaiodbp.exe
4296 | Ogpfko32.exe
4424 | Ophjdehd.exe
3240 | Oknnanhj.exe
2732 | Opjgidfa.exe
4992 | Odhppclh.exe
2228 | Oalpigkb.exe
1628 | Pgkegn32.exe
3440 | Pjlnhi32.exe
3728 | Pdbbfadn.exe
432 | Pklkbl32.exe
4620 | Pddokabk.exe
3704 | Pjahchpb.exe
3976 | Qdflaa32.exe
4556 | Qdihfq32.exe
1272 | Agnkck32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Acmqdh32.dll | Dfhjefhf.exe
File opened for modification | C:\Windows\SysWOW64\Fmiaimki.exe | Fhmiqfma.exe
File created | C:\Windows\SysWOW64\Bmbmffan.dll | Oapljmgm.exe
File opened for modification | C:\Windows\SysWOW64\Hbiapb32.exe | Hgcmbj32.exe
File opened for modification | C:\Windows\SysWOW64\Incpdodg.exe | Ilbclg32.exe
File opened for modification | C:\Windows\SysWOW64\Lncjgddf.exe | Lgibjj32.exe
File created | C:\Windows\SysWOW64\Magnbnea.exe | Mlkejgfj.exe
File created | C:\Windows\SysWOW64\Ipkmbe32.dll | Aakelfhg.exe
File opened for modification | C:\Windows\SysWOW64\Ecpmod32.exe | Elienf32.exe
File opened for modification | C:\Windows\SysWOW64\Ipbhch32.exe | Imdlgm32.exe
File created | C:\Windows\SysWOW64\Qejfkmem.exe | Pcijce32.exe
File created | C:\Windows\SysWOW64\Hnpcna32.dll | Bfchcijo.exe
File created | C:\Windows\SysWOW64\Laqhao32.exe | Lankloml.exe
File opened for modification | C:\Windows\SysWOW64\Nijeoikf.exe | Nkieab32.exe
File opened for modification | C:\Windows\SysWOW64\Jghpkq32.exe | Jlclnhho.exe
File created | C:\Windows\SysWOW64\Bbjfjepf.exe | Bpkjnjqc.exe
File opened for modification | C:\Windows\SysWOW64\Cgpcklpd.exe | Cjlbag32.exe
File created | C:\Windows\SysWOW64\Afjemkbi.exe | Acilkp32.exe
File created | C:\Windows\SysWOW64\Cpholohh.dll | Dgcmdj32.exe
File created | C:\Windows\SysWOW64\Oecego32.exe | Obeikc32.exe
File opened for modification | C:\Windows\SysWOW64\Pfhklabb.exe | Poqckdap.exe
File created | C:\Windows\SysWOW64\Fmehnn32.exe | Fkflbb32.exe
File created | C:\Windows\SysWOW64\Eelbhc32.dll | Pcjioknl.exe
File created | C:\Windows\SysWOW64\Fhchhm32.exe | Faiplcmk.exe
File opened for modification | C:\Windows\SysWOW64\Obafim32.exe | Oihapg32.exe
File opened for modification | C:\Windows\SysWOW64\Pojccmii.exe | Plijbblh.exe
File opened for modification | C:\Windows\SysWOW64\Lqfgfclm.exe | Lngkjhmi.exe
File created | C:\Windows\SysWOW64\Idhdieal.dll | Onhmhc32.exe
File created | C:\Windows\SysWOW64\Jghnge32.dll | Nbepdfnc.exe
File opened for modification | C:\Windows\SysWOW64\Ifipmo32.exe | Idjdqc32.exe
File opened for modification | C:\Windows\SysWOW64\Mbpdkabl.exe | Mlflog32.exe
File created | C:\Windows\SysWOW64\Gccbgclj.dll | Plijbblh.exe
File created | C:\Windows\SysWOW64\Eckhkgmf.dll | Qhlkbaho.exe
File opened for modification | C:\Windows\SysWOW64\Ofcale32.exe | Oafido32.exe
File opened for modification | C:\Windows\SysWOW64\Oeoklp32.exe | Olfgcj32.exe
File opened for modification | C:\Windows\SysWOW64\Acilkp32.exe | Feocoaai.exe
File opened for modification | C:\Windows\SysWOW64\Kiggln32.exe | Kqpoja32.exe
File created | C:\Windows\SysWOW64\Fmfnig32.exe | Fikbhiaf.exe
File created | C:\Windows\SysWOW64\Hdedfgcg.dll | Ipbhch32.exe
File opened for modification | C:\Windows\SysWOW64\Npbcollj.exe | Nnafgd32.exe
File created | C:\Windows\SysWOW64\Aoonpe32.dll | Agnkck32.exe
File created | C:\Windows\SysWOW64\Jkidkeeb.dll | Mnpami32.exe
File created | C:\Windows\SysWOW64\Hiimpa32.dll | Cokgonmp.exe
File created | C:\Windows\SysWOW64\Dgjpce32.dll | Dobnpm32.exe
File created | C:\Windows\SysWOW64\Dmglmpkn.exe | Ddngdj32.exe
File created | C:\Windows\SysWOW64\Bjgpqila.dll | Hifcqo32.exe
File created | C:\Windows\SysWOW64\Opgloh32.exe | Oimdbnip.exe
File created | C:\Windows\SysWOW64\Fnhppa32.exe | Egnhcgeb.exe
File created | C:\Windows\SysWOW64\Ipffjg32.dll | Onapnbhi.exe
File opened for modification | C:\Windows\SysWOW64\Maealn32.exe | Mjkipdpg.exe
File created | C:\Windows\SysWOW64\Hnboao32.dll | Afgame32.exe
File opened for modification | C:\Windows\SysWOW64\Lngkjhmi.exe | Lgmbmn32.exe
File opened for modification | C:\Windows\SysWOW64\Acmchj32.exe | Alfkgm32.exe
File created | C:\Windows\SysWOW64\Flpbbbdk.dll | Egnajocq.exe
File created | C:\Windows\SysWOW64\Necphcfk.dll | Miofcked.exe
File created | C:\Windows\SysWOW64\Majjgmco.exe | Mjpbkc32.exe
File opened for modification | C:\Windows\SysWOW64\Bmfjodgc.exe | Aflabj32.exe
File created | C:\Windows\SysWOW64\Qhjakc32.dll | Iemdep32.exe
File opened for modification | C:\Windows\SysWOW64\Pfnccg32.exe | Pdljce32.exe
File created | C:\Windows\SysWOW64\Hhcecm32.dll | Cgpcklpd.exe
File created | C:\Windows\SysWOW64\Olomcacj.dll | Lgibjj32.exe
File opened for modification | C:\Windows\SysWOW64\Feocoaai.exe | Bjokno32.exe
File opened for modification | C:\Windows\SysWOW64\Hfhgdc32.exe | Hoaocf32.exe
File created | C:\Windows\SysWOW64\Ikpndppf.dll | Ddfbgelh.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
6900 | 4512 | WerFault.exe | 820
Modifies registry class (64 IoCs)
In the rows below, CLSID_IPS stands for \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32; "CLSID_IPS\ =" is the key's default value, quoted exactly as the report prints it (backslashes doubled).
description | ioc | Process
Key created | CLSID_IPS | Hfhgdc32.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Fgekcecd.dll" | Bjcfeola.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Ccaagm32.dll" | Cgbfka32.exe
Set value (str) | CLSID_IPS\ThreadingModel = "Apartment" | Impldi32.exe
Set value (str) | CLSID_IPS\ThreadingModel = "Apartment" | Ndphpk32.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Qccnll32.dll" | Kiggln32.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Qmmekboo.dll" | Jghpkq32.exe
Key created | CLSID_IPS | Amjalo32.exe
Key created | CLSID_IPS | Ddnmeejo.exe
Set value (str) | CLSID_IPS\ThreadingModel = "Apartment" | Lnfngj32.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Egoqkpqo.dll" | Mnggnh32.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Lbkekk32.dll" | Kbpkdd32.exe
Set value (str) | CLSID_IPS\ThreadingModel = "Apartment" | Difpflco.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Paohbmke.dll" | Lkchpoka.exe
Key created | CLSID_IPS | Mdibplaf.exe
Key created | CLSID_IPS | Fpejec32.exe
Key created | CLSID_IPS | Amanfpkl.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Ghjdclhp.dll" | Hndibn32.exe
Set value (str) | CLSID_IPS\ThreadingModel = "Apartment" | Kkioojpp.exe
Set value (str) | CLSID_IPS\ThreadingModel = "Apartment" | Ekdolcbm.exe
Key created | CLSID_IPS | Ldiiio32.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Mbhpjd32.dll" | Kghjakbl.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Egnqbobf.dll" | Eimegk32.exe
Key created | CLSID_IPS | Dcglfjgf.exe
Set value (str) | CLSID_IPS\ThreadingModel = "Apartment" | Hfekoc32.exe
Key created | CLSID_IPS | Aihoka32.exe
Set value (str) | CLSID_IPS\ThreadingModel = "Apartment" | Hnbnjc32.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Djinjg32.dll" | Haefqjeo.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Pplehage.dll" | Melfpb32.exe
Key created | CLSID_IPS | Effffd32.exe
Set value (str) | CLSID_IPS\ThreadingModel = "Apartment" | Imofip32.exe
Set value (str) | CLSID_IPS\ThreadingModel = "Apartment" | Hhegjdag.exe
Set value (str) | CLSID_IPS\ThreadingModel = "Apartment" | Hjdcfp32.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Bnpfnp32.dll" | Kgpodk32.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Ofqiil32.dll" | Bimkde32.exe
Key created | CLSID_IPS | Eangimij.exe
Set value (str) | CLSID_IPS\ThreadingModel = "Apartment" | Mhdbdgjl.exe
Set value (str) | CLSID_IPS\ThreadingModel = "Apartment" | Poomom32.exe
Key created | CLSID_IPS | Illfmi32.exe
Key created | CLSID_IPS | Cmhmmmgb.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Mbandfpf.dll" | Obcled32.exe
Key created | CLSID_IPS | Ifipmo32.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Lnfmno32.dll" | Dfgcjpdk.exe
Key created | CLSID_IPS | Geohdago.exe
Set value (str) | CLSID_IPS\ThreadingModel = "Apartment" | Hmpclnof.exe
Key created | CLSID_IPS | Kbpkdd32.exe
Set value (str) | CLSID_IPS\ThreadingModel = "Apartment" | Jookdcie.exe
Key created | CLSID_IPS | Nnojad32.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Jeoiagbk.dll" | Falmabki.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Ekficilg.dll" | Dqajjp32.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Acemfcjn.dll" | Ifipmo32.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Ibchnb32.dll" | Kdfmcobk.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Jbhjfk32.dll" | Lkjhfh32.exe
Set value (str) | CLSID_IPS\ThreadingModel = "Apartment" | Bbjfjepf.exe
Set value (str) | CLSID_IPS\ThreadingModel = "Apartment" | Fcneeo32.exe
Key created | CLSID_IPS | Eobffk32.exe
Key created | CLSID_IPS | Acilkp32.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Kmoihc32.dll" | Peobeh32.exe
Key created | CLSID_IPS | Kphkee32.exe
Set value (str) | CLSID_IPS\ThreadingModel = "Apartment" | Dcnlnaom.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Kodeje32.dll" | Obeikc32.exe
Set value (str) | CLSID_IPS\ThreadingModel = "Apartment" | Poqckdap.exe
Set value (str) | CLSID_IPS\ = "C:\\Windows\\SysWow64\\Egflpjbk.dll" | Mbpdkabl.exe
Key created | CLSID_IPS | Kghjakbl.exe
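The "Adds autorun key" and "Modifies registry class" signatures above are two halves of one persistence mechanism: CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} is registered as an in-process COM server whose InProcServer32 default value points at a dropped DLL under SysWow64 (a different DLL name on each generation), and the same CLSID is listed under ShellServiceObjectDelayLoad, the key Explorer walks at logon to load shell service objects. Every write lands under WOW6432Node, so the sample ran as a 32-bit process and registry redirection put both keys in the 32-bit view; on a 64-bit host the 64-bit Explorer reads the native view, so an entry present only under WOW6432Node does not by itself prove the hook fires, and a hunt should cover both views and compare against a baseline captured from a clean host. The following is an added example, not part of the Triage report or of the sample: it joins the two halves over constructed Sysmon-style registry events (Event ID 13 shape: EventType, TargetObject, Details, Image) whose paths and image names are copied from the tables above, plus one constructed benign Run-key event as noise. The function names, the event-dict layout, the (Default) spelling of the default value and the baseline parameter are this example's own.

```python
"""Correlate ShellServiceObjectDelayLoad (SSODL) entries with the COM server
they resolve to, over Sysmon-style registry 'SetValue' events.

Added example modelled on the Triage report; not the report's or the sample's code.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Sysmon writes registry paths as HKLM\...; sandbox reports use \REGISTRY\MACHINE\...
# Both are accepted. The optional WOW6432Node segment tells us which view was written.
SSODL_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(?P<wow>WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion"
    r"\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+)$", re.I)
INPROC_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Classes\\(?P<wow>WOW6432Node\\)?CLSID\\(?P<clsid>\{[0-9A-F-]+\})"
    r"\\InProcServer32\\(?:\(Default\))?$", re.I)   # default value: '(Default)' (Sysmon) or empty name


def normalize(target: str) -> str:
    """Map the native REGISTRY-MACHINE prefix onto the HKLM prefix Sysmon uses."""
    return re.sub(r"^\\REGISTRY\\MACHINE\\", "HKLM\\\\", target, flags=re.I)


@dataclass
class Finding:
    value_name: str            # SSODL value name, e.g. "Web Event Logger"
    clsid: str                 # CLSID the SSODL value points at (upper-cased)
    ssodl_view: str            # "native" (64-bit view) or "WOW6432Node" (32-bit view)
    dll: Optional[str]         # InProcServer32 default value for that CLSID in the same view
    ssodl_writer: str          # image that wrote the SSODL value
    dll_writer: Optional[str]  # image that wrote the InProcServer32 default value


def find_ssodl_persistence(events: Iterable[dict], baseline=frozenset()) -> List[Finding]:
    """Return one Finding per SSODL value not in `baseline` (a set of (name, CLSID) pairs)."""
    ssodl = {}    # (view, value_name) -> (clsid, writer image)
    servers = {}  # (view, clsid) -> (dll path, writer image)
    for ev in events:
        if ev.get("EventType") != "SetValue":
            continue
        target = normalize(ev["TargetObject"])
        details = ev["Details"].strip().strip('"')   # reports quote string values
        m = SSODL_RE.match(target)
        if m:
            view = "WOW6432Node" if m["wow"] else "native"
            ssodl[(view, m["name"])] = (details.upper(), ev["Image"])
            continue
        m = INPROC_RE.match(target)
        if m:
            view = "WOW6432Node" if m["wow"] else "native"
            servers[(view, m["clsid"].upper())] = (details, ev["Image"])
    findings = []
    for (view, name), (clsid, writer) in ssodl.items():
        if (name, clsid) in baseline:
            continue
        dll, dll_writer = servers.get((view, clsid), (None, None))
        findings.append(Finding(name, clsid, view, dll, writer, dll_writer))
    return findings


def describe(f: Finding) -> str:
    where = "32-bit (WOW6432Node) view" if f.ssodl_view == "WOW6432Node" else "native 64-bit view"
    target = f.dll if f.dll else "no InProcServer32 default value seen in the same view"
    return f"SSODL '{f.value_name}' -> {f.clsid} -> {target} [{where}; set by {f.ssodl_writer}]"


# Constructed events. Paths and image names are copied from the report's IoC tables;
# the Run-key event is invented benign noise to show it is ignored.
SAMPLE_EVENTS = [
    {"EventType": "CreateKey", "Image": r"C:\Windows\SysWOW64\Nfjofg32.exe", "Details": "",
     "TargetObject": r"\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"},
    {"EventType": "SetValue", "Image": r"C:\Windows\SysWOW64\Cjejdglp.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger",
     "Details": '"{79FEACFF-FFCE-815E-A900-316290B5B738}"'},
    {"EventType": "SetValue", "Image": r"C:\Windows\SysWOW64\Impldi32.exe", "Details": "Apartment",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel"},
    {"EventType": "SetValue", "Image": r"C:\Windows\SysWOW64\Bjcfeola.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\(Default)",
     "Details": r"C:\Windows\SysWow64\Fgekcecd.dll"},
    {"EventType": "SetValue", "Image": r"C:\Program Files\Example\example.exe",   # constructed noise
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example",
     "Details": r"C:\Program Files\Example\example.exe"},
]

if __name__ == "__main__":
    for finding in find_ssodl_persistence(SAMPLE_EVENTS):
        print(describe(finding))
```

The join is keyed on the registry view as well as the CLSID, so a CLSID registered only in the 32-bit view is not matched against a 64-bit SSODL entry; feed the same function both views from a live host (or a Sysmon stream) and pass your clean-host baseline to suppress legitimate shell service objects.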
Suspicious use of WriteProcessMemory (64 IoCs)
writer PID | target PID | Process | procid_target
3192 | 2744 | NEAS.b501b4c63d024ba813b3f5260338ae80.exe | 88
3192 | 2744 | NEAS.b501b4c63d024ba813b3f5260338ae80.exe | 88
3192 | 2744 | NEAS.b501b4c63d024ba813b3f5260338ae80.exe | 88
2744 | 2672 | Cmnnimak.exe | 89
2744 | 2672 | Cmnnimak.exe | 89
2744 | 2672 | Cmnnimak.exe | 89
2672 | 4380 | Cbkfbcpb.exe | 90
2672 | 4380 | Cbkfbcpb.exe | 90
2672 | 4380 | Cbkfbcpb.exe | 90
4380 | 3480 | Ckbncapd.exe | 92
4380 | 3480 | Ckbncapd.exe | 92
4380 | 3480 | Ckbncapd.exe | 92
3480 | 1356 | Cpogkhnl.exe | 93
3480 | 1356 | Cpogkhnl.exe | 93
3480 | 1356 | Cpogkhnl.exe | 93
1356 | 3748 | Ckdkhq32.exe | 94
1356 | 3748 | Ckdkhq32.exe | 94
1356 | 3748 | Ckdkhq32.exe | 94
3748 | 3528 | Cpacqg32.exe | 95
3748 | 3528 | Cpacqg32.exe | 95
3748 | 3528 | Cpacqg32.exe | 95
3528 | 3408 | Cmedjl32.exe | 96
3528 | 3408 | Cmedjl32.exe | 96
3528 | 3408 | Cmedjl32.exe | 96
3408 | 4808 | Ckidcpjl.exe | 97
3408 | 4808 | Ckidcpjl.exe | 97
3408 | 4808 | Ckidcpjl.exe | 97
4808 | 1700 | Cdaile32.exe | 98
4808 | 1700 | Cdaile32.exe | 98
4808 | 1700 | Cdaile32.exe | 98
1700 | 644 | Dkkaiphj.exe | 99
1700 | 644 | Dkkaiphj.exe | 99
1700 | 644 | Dkkaiphj.exe | 99
644 | 4076 | Ddcebe32.exe | 100
644 | 4076 | Ddcebe32.exe | 100
644 | 4076 | Ddcebe32.exe | 100
4076 | 3948 | Ddfbgelh.exe | 101
4076 | 3948 | Ddfbgelh.exe | 101
4076 | 3948 | Ddfbgelh.exe | 101
3948 | 3888 | Djegekil.exe | 102
3948 | 3888 | Djegekil.exe | 102
3948 | 3888 | Djegekil.exe | 102
3888 | 4472 | Dcnlnaom.exe | 103
3888 | 4472 | Dcnlnaom.exe | 103
3888 | 4472 | Dcnlnaom.exe | 103
4472 | 1796 | Ddmhhd32.exe | 104
4472 | 1796 | Ddmhhd32.exe | 104
4472 | 1796 | Ddmhhd32.exe | 104
1796 | 4080 | Ejjaqk32.exe | 105
1796 | 4080 | Ejjaqk32.exe | 105
1796 | 4080 | Ejjaqk32.exe | 105
4080 | 3640 | Egnajocq.exe | 106
4080 | 3640 | Egnajocq.exe | 106
4080 | 3640 | Egnajocq.exe | 106
3640 | 1108 | Eaceghcg.exe | 107
3640 | 1108 | Eaceghcg.exe | 107
3640 | 1108 | Eaceghcg.exe | 107
1108 | 3048 | Eafbmgad.exe | 108
1108 | 3048 | Eafbmgad.exe | 108
1108 | 3048 | Eafbmgad.exe | 108
3048 | 3792 | Ecgodpgb.exe | 109
3048 | 3792 | Ecgodpgb.exe | 109
3048 | 3792 | Ecgodpgb.exe | 109
3792 | 1792 | Ecikjoep.exe | 110
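Read together, the WriteProcessMemory rows above are a single line of descent: the target PID of each row is the process the writer has just spawned, and that child is the writer of the next row. Each hop appears three times, which is consistent with a parent setting up a newly created 32-bit child rather than with injection into an unrelated process; the signal is not the API itself but that every child is a freshly dropped binary in C:\Windows\SysWOW64 (see "Drops file in System32 directory" and "Executes dropped EXE"), launched under a C:\Windows\system32 command line that WOW64 file-system redirection resolves into SysWOW64. The following is an added example, not part of the Triage report: it rebuilds the chain from constructed ProcessCreate and FileCreate records, flags hops whose image was written by an earlier process in the chain, and marks the redirection. The PIDs, images and command lines of the first four processes come from this report; the root's parent PID (0) and which process wrote each file are assumptions, since the report lists only 64 of the drops.

```python
"""Rebuild a drop-and-execute process chain from ProcessCreate and FileCreate
records. Added example modelled on the Triage report; not the report's own code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str      # resolved image path, as the sandbox process tree reports it
    cmdline: str    # command line as the parent passed it


@dataclass
class Hop:
    parent: Proc
    child: Proc
    dropped_by: Optional[int]   # pid that created child.image, if a FileCreate was seen
    redirected: bool            # cmdline names System32 but the image resolved under SysWOW64


def build_chain(procs: List[Proc], file_creates: List[Tuple[int, str]], root_pid: int) -> List[Hop]:
    """Walk the process tree from root_pid; each Hop is emitted after its parent's Hop."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    children: Dict[int, List[Proc]] = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    creator: Dict[str, int] = {}
    for pid, path in file_creates:
        creator.setdefault(path.lower(), pid)       # first writer of a path wins
    hops: List[Hop] = []
    stack, seen = [root_pid], set()
    while stack:
        pid = stack.pop()
        if pid in seen or pid not in by_pid:
            continue
        seen.add(pid)
        for child in children.get(pid, []):
            redirected = ("\\system32\\" in child.cmdline.lower()
                          and "\\syswow64\\" in child.image.lower())
            hops.append(Hop(by_pid[pid], child, creator.get(child.image.lower()), redirected))
            stack.append(child.pid)
    return hops


def chain_depth(hops: List[Hop], root_pid: int) -> int:
    """Depth of the deepest process (root = 1); relies on parent-before-child order."""
    depth = {root_pid: 1}
    for h in hops:
        depth[h.child.pid] = depth[h.parent.pid] + 1
    return max(depth.values())


def drop_and_execute(hops: List[Hop]) -> List[Hop]:
    """Hops whose child image was written to disk by a process seen in the records."""
    return [h for h in hops if h.dropped_by is not None]


# Constructed records. PIDs, images and command lines of these four processes are
# from the report; ppid 0 for the root and the file-write attribution are assumed.
SAMPLE_PROCS = [
    Proc(3192, 0, r"C:\Users\Admin\AppData\Local\Temp\NEAS.b501b4c63d024ba813b3f5260338ae80.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\NEAS.b501b4c63d024ba813b3f5260338ae80.exe"'),
    Proc(2744, 3192, r"C:\Windows\SysWOW64\Cmnnimak.exe", r"C:\Windows\system32\Cmnnimak.exe"),
    Proc(2672, 2744, r"C:\Windows\SysWOW64\Cbkfbcpb.exe", r"C:\Windows\system32\Cbkfbcpb.exe"),
    Proc(4380, 2672, r"C:\Windows\SysWOW64\Ckbncapd.exe", r"C:\Windows\system32\Ckbncapd.exe"),
]
SAMPLE_FILE_CREATES = [
    (3192, r"C:\Windows\SysWOW64\Cmnnimak.exe"),   # assumed: the sample drops its first stage
    (2744, r"C:\Windows\SysWOW64\Cbkfbcpb.exe"),   # assumed
    # no FileCreate for Ckbncapd.exe: that hop stays unflagged for lack of evidence
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_PROCS, SAMPLE_FILE_CREATES, 3192)
    print(f"chain depth: {chain_depth(chain, 3192)}")
    for h in drop_and_execute(chain):
        print(f"{h.parent.pid} -> {h.child.pid} {h.child.image} "
              f"(written by pid {h.dropped_by}; system32->SysWOW64 redirection: {h.redirected})")
```

On a real host the same three functions take Sysmon Event ID 1 (ProcessCreate) and 11 (FileCreate) records; a chain where every hop is flagged and the depth keeps growing across reboots is the shape this report shows.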
Processes
Each entry gives the nesting level in the process tree, the image path, the command line, the PID, and the signatures triggered by that process.
- [1] C:\Users\Admin\AppData\Local\Temp\NEAS.b501b4c63d024ba813b3f5260338ae80.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.b501b4c63d024ba813b3f5260338ae80.exe"), PID 3192
  Signatures: Suspicious use of WriteProcessMemory
- [2] C:\Windows\SysWOW64\Cmnnimak.exe (command line: C:\Windows\system32\Cmnnimak.exe), PID 2744
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [3] C:\Windows\SysWOW64\Cbkfbcpb.exe (command line: C:\Windows\system32\Cbkfbcpb.exe), PID 2672
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [4] C:\Windows\SysWOW64\Ckbncapd.exe (command line: C:\Windows\system32\Ckbncapd.exe), PID 4380
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [5] C:\Windows\SysWOW64\Cpogkhnl.exe (command line: C:\Windows\system32\Cpogkhnl.exe), PID 3480
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [6] C:\Windows\SysWOW64\Ckdkhq32.exe (command line: C:\Windows\system32\Ckdkhq32.exe), PID 1356
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [7] C:\Windows\SysWOW64\Cpacqg32.exe (command line: C:\Windows\system32\Cpacqg32.exe), PID 3748
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [8] C:\Windows\SysWOW64\Cmedjl32.exe (command line: C:\Windows\system32\Cmedjl32.exe), PID 3528
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
- [9] C:\Windows\SysWOW64\Ckidcpjl.exe (command line: C:\Windows\system32\Ckidcpjl.exe), PID 3408
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [10] C:\Windows\SysWOW64\Cdaile32.exe (command line: C:\Windows\system32\Cdaile32.exe), PID 4808
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [11] C:\Windows\SysWOW64\Dkkaiphj.exe (command line: C:\Windows\system32\Dkkaiphj.exe), PID 1700
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
- [12] C:\Windows\SysWOW64\Ddcebe32.exe (command line: C:\Windows\system32\Ddcebe32.exe), PID 644
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [13] C:\Windows\SysWOW64\Ddfbgelh.exe (command line: C:\Windows\system32\Ddfbgelh.exe), PID 4076
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- [14] C:\Windows\SysWOW64\Djegekil.exe (command line: C:\Windows\system32\Djegekil.exe), PID 3948
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
- [15] C:\Windows\SysWOW64\Dcnlnaom.exe (command line: C:\Windows\system32\Dcnlnaom.exe), PID 3888
  Signatures: Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
- [16] C:\Windows\SysWOW64\Ddmhhd32.exe (command line: C:\Windows\system32\Ddmhhd32.exe), PID 4472
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [17] C:\Windows\SysWOW64\Ejjaqk32.exe (command line: C:\Windows\system32\Ejjaqk32.exe), PID 1796
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [18] C:\Windows\SysWOW64\Egnajocq.exe (command line: C:\Windows\system32\Egnajocq.exe), PID 4080
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- [19] C:\Windows\SysWOW64\Eaceghcg.exe (command line: C:\Windows\system32\Eaceghcg.exe), PID 3640
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [20] C:\Windows\SysWOW64\Eafbmgad.exe (command line: C:\Windows\system32\Eafbmgad.exe), PID 1108
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [21] C:\Windows\SysWOW64\Ecgodpgb.exe (command line: C:\Windows\system32\Ecgodpgb.exe), PID 3048
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [22] C:\Windows\SysWOW64\Ecikjoep.exe (command line: C:\Windows\system32\Ecikjoep.exe), PID 3792
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [23] C:\Windows\SysWOW64\Eajlhg32.exe (command line: C:\Windows\system32\Eajlhg32.exe), PID 1792
  Signatures: Executes dropped EXE
- [24] C:\Windows\SysWOW64\Fkcpql32.exe (command line: C:\Windows\system32\Fkcpql32.exe), PID 820
  Signatures: Executes dropped EXE
- [25] C:\Windows\SysWOW64\Fcneeo32.exe (command line: C:\Windows\system32\Fcneeo32.exe), PID 4140
  Signatures: Executes dropped EXE; Modifies registry class
- [26] C:\Windows\SysWOW64\Fqbeoc32.exe (command line: C:\Windows\system32\Fqbeoc32.exe), PID 2532
  Signatures: Executes dropped EXE
- [27] C:\Windows\SysWOW64\Fjjjgh32.exe (command line: C:\Windows\system32\Fjjjgh32.exe), PID 4868
  Signatures: Executes dropped EXE
- [28] C:\Windows\SysWOW64\Fkjfakng.exe (command line: C:\Windows\system32\Fkjfakng.exe), PID 1476
  Signatures: Executes dropped EXE
- [29] C:\Windows\SysWOW64\Fklcgk32.exe (command line: C:\Windows\system32\Fklcgk32.exe), PID 3264
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- [30] C:\Windows\SysWOW64\Hebcao32.exe (command line: C:\Windows\system32\Hebcao32.exe), PID 768
  Signatures: Executes dropped EXE
- [31] C:\Windows\SysWOW64\Haidfpki.exe (command line: C:\Windows\system32\Haidfpki.exe), PID 4352
  Signatures: Executes dropped EXE
- [32] C:\Windows\SysWOW64\Hgcmbj32.exe (command line: C:\Windows\system32\Hgcmbj32.exe), PID 3836
  Signatures: Executes dropped EXE; Drops file in System32 directory
- [33] C:\Windows\SysWOW64\Hbiapb32.exe (command line: C:\Windows\system32\Hbiapb32.exe), PID 2148
  Signatures: Executes dropped EXE
- [34] C:\Windows\SysWOW64\Hkaeih32.exe (command line: C:\Windows\system32\Hkaeih32.exe), PID 4532
  Signatures: Executes dropped EXE
- [35] C:\Windows\SysWOW64\Hnpaec32.exe (command line: C:\Windows\system32\Hnpaec32.exe), PID 1852
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- [36] C:\Windows\SysWOW64\Hnbnjc32.exe (command line: C:\Windows\system32\Hnbnjc32.exe), PID 3776
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
- [37] C:\Windows\SysWOW64\Icogcjde.exe (command line: C:\Windows\system32\Icogcjde.exe), PID 1940
  Signatures: Executes dropped EXE
- [38] C:\Windows\SysWOW64\Pmoagk32.exe (command line: C:\Windows\system32\Pmoagk32.exe), PID 1936
  Signatures: Executes dropped EXE
- [39] C:\Windows\SysWOW64\Pcijce32.exe (command line: C:\Windows\system32\Pcijce32.exe), PID 4020
  Signatures: Executes dropped EXE; Drops file in System32 directory
- [40] C:\Windows\SysWOW64\Qejfkmem.exe (command line: C:\Windows\system32\Qejfkmem.exe), PID 1424
  Signatures: Executes dropped EXE
- [41] C:\Windows\SysWOW64\Qkdohg32.exe (command line: C:\Windows\system32\Qkdohg32.exe), PID 2564
  Signatures: Executes dropped EXE
- [42] C:\Windows\SysWOW64\Qbngeadf.exe (command line: C:\Windows\system32\Qbngeadf.exe), PID 2528
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- [43] C:\Windows\SysWOW64\Qkfkng32.exe (command line: C:\Windows\system32\Qkfkng32.exe), PID 4588
  Signatures: Executes dropped EXE
- [44] C:\Windows\SysWOW64\Qcncodki.exe (command line: C:\Windows\system32\Qcncodki.exe), PID 880
  Signatures: Executes dropped EXE
- [45] C:\Windows\SysWOW64\Aijlgkjq.exe (command line: C:\Windows\system32\Aijlgkjq.exe), PID 4316
  Signatures: Executes dropped EXE
- [46] C:\Windows\SysWOW64\Hcgjhega.exe (command line: C:\Windows\system32\Hcgjhega.exe), PID 3376
  Signatures: Executes dropped EXE
- [47] C:\Windows\SysWOW64\Mgpcohcb.exe (command line: C:\Windows\system32\Mgpcohcb.exe), PID 3360
  Signatures: Executes dropped EXE
- [48] C:\Windows\SysWOW64\Hcaibo32.exe (command line: C:\Windows\system32\Hcaibo32.exe), PID 2288
  Signatures: Executes dropped EXE
- [49] C:\Windows\SysWOW64\Mphamg32.exe (command line: C:\Windows\system32\Mphamg32.exe), PID 2092
  Signatures: Executes dropped EXE
- [50] C:\Windows\SysWOW64\Odaiodbp.exe (command line: C:\Windows\system32\Odaiodbp.exe), PID 2052
  Signatures: Executes dropped EXE
- [51] C:\Windows\SysWOW64\Ogpfko32.exe (command line: C:\Windows\system32\Ogpfko32.exe), PID 4296
  Signatures: Executes dropped EXE
- [52] C:\Windows\SysWOW64\Ophjdehd.exe (command line: C:\Windows\system32\Ophjdehd.exe), PID 4424
  Signatures: Executes dropped EXE
- [53] C:\Windows\SysWOW64\Oknnanhj.exe (command line: C:\Windows\system32\Oknnanhj.exe), PID 3240
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- [54] C:\Windows\SysWOW64\Opjgidfa.exe (command line: C:\Windows\system32\Opjgidfa.exe), PID 2732
  Signatures: Executes dropped EXE
- [55] C:\Windows\SysWOW64\Odhppclh.exe (command line: C:\Windows\system32\Odhppclh.exe), PID 4992
  Signatures: Executes dropped EXE
- [56] C:\Windows\SysWOW64\Oalpigkb.exe (command line: C:\Windows\system32\Oalpigkb.exe), PID 2228
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- [57] C:\Windows\SysWOW64\Pgkegn32.exe (command line: C:\Windows\system32\Pgkegn32.exe), PID 1628
  Signatures: Executes dropped EXE
- [58] C:\Windows\SysWOW64\Pnenchoc.exe (command line: C:\Windows\system32\Pnenchoc.exe), PID 1800
- [59] C:\Windows\SysWOW64\Pjlnhi32.exe (command line: C:\Windows\system32\Pjlnhi32.exe), PID 3440
  Signatures: Executes dropped EXE
- [60] C:\Windows\SysWOW64\Pdbbfadn.exe (command line: C:\Windows\system32\Pdbbfadn.exe), PID 3728
  Signatures: Executes dropped EXE
- [61] C:\Windows\SysWOW64\Pklkbl32.exe (command line: C:\Windows\system32\Pklkbl32.exe), PID 432
  Signatures: Executes dropped EXE
- [62] C:\Windows\SysWOW64\Pddokabk.exe (command line: C:\Windows\system32\Pddokabk.exe), PID 4620
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- [63] C:\Windows\SysWOW64\Pjahchpb.exe (command line: C:\Windows\system32\Pjahchpb.exe), PID 3704
  Signatures: Executes dropped EXE
- [64] C:\Windows\SysWOW64\Qdflaa32.exe (command line: C:\Windows\system32\Qdflaa32.exe), PID 3976
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- [65] C:\Windows\SysWOW64\Qdihfq32.exe (command line: C:\Windows\system32\Qdihfq32.exe), PID 4556
  Signatures: Executes dropped EXE
- [66] C:\Windows\SysWOW64\Agnkck32.exe (command line: C:\Windows\system32\Agnkck32.exe), PID 1272
  Signatures: Executes dropped EXE; Drops file in System32 directory
- [67] C:\Windows\SysWOW64\Bgbmdd32.exe (command line: C:\Windows\system32\Bgbmdd32.exe), PID 2392
- [68] C:\Windows\SysWOW64\Bjcfeola.exe (command line: C:\Windows\system32\Bjcfeola.exe), PID 4856
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
- [69] C:\Windows\SysWOW64\Bjjmfn32.exe (command line: C:\Windows\system32\Bjjmfn32.exe), PID 3732
- [70] C:\Windows\SysWOW64\Cnhell32.exe (command line: C:\Windows\system32\Cnhell32.exe), PID 4656
- [71] C:\Windows\SysWOW64\Cqfahh32.exe (command line: C:\Windows\system32\Cqfahh32.exe), PID 3264
- [72] C:\Windows\SysWOW64\Cklffq32.exe (command line: C:\Windows\system32\Cklffq32.exe), PID 3208
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup
- [73] C:\Windows\SysWOW64\Cnjbbl32.exe (command line: C:\Windows\system32\Cnjbbl32.exe), PID 3884
- [74] C:\Windows\SysWOW64\Cgbfka32.exe (command line: C:\Windows\system32\Cgbfka32.exe), PID 2068
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
- [75] C:\Windows\SysWOW64\Cmpoch32.exe (command line: C:\Windows\system32\Cmpoch32.exe), PID 1140
- [76] C:\Windows\SysWOW64\Ckqoapgd.exe (command line: C:\Windows\system32\Ckqoapgd.exe), PID 1012
- [77] C:\Windows\SysWOW64\Ccldebeo.exe (command line: C:\Windows\system32\Ccldebeo.exe), PID 2676
- [78] C:\Windows\SysWOW64\Cjflblll.exe (command line: C:\Windows\system32\Cjflblll.exe), PID 1292
- [79] C:\Windows\SysWOW64\Ddkpoelb.exe (command line: C:\Windows\system32\Ddkpoelb.exe), PID 3756
- [80] C:\Windows\SysWOW64\Dkehlo32.exe (command line: C:\Windows\system32\Dkehlo32.exe), PID 644
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup
- [81] C:\Windows\SysWOW64\Dncehk32.exe (command line: C:\Windows\system32\Dncehk32.exe), PID 2860
- [82] C:\Windows\SysWOW64\Ddnmeejo.exe (command line: C:\Windows\system32\Ddnmeejo.exe), PID 1216
  Signatures: Modifies registry class
- [83] C:\Windows\SysWOW64\Dgliapic.exe (command line: C:\Windows\system32\Dgliapic.exe), PID 820
- [84] C:\Windows\SysWOW64\Dmiaig32.exe (command line: C:\Windows\system32\Dmiaig32.exe), PID 2384
- [85] C:\Windows\SysWOW64\Dqdnjfpc.exe (command line: C:\Windows\system32\Dqdnjfpc.exe), PID 1464
- [86] C:\Windows\SysWOW64\Djmbbk32.exe (command line: C:\Windows\system32\Djmbbk32.exe), PID 924
- [87] C:\Windows\SysWOW64\Djoohk32.exe (command line: C:\Windows\system32\Djoohk32.exe), PID 1644
- [88] C:\Windows\SysWOW64\Dqigee32.exe (command line: C:\Windows\system32\Dqigee32.exe), PID 3552
- [89] C:\Windows\SysWOW64\Dkokbn32.exe (command line: C:\Windows\system32\Dkokbn32.exe), PID 1992
- [90] C:\Windows\SysWOW64\Dnmgni32.exe (command line: C:\Windows\system32\Dnmgni32.exe), PID 1596
- [91] C:\Windows\SysWOW64\Eegpkcbd.exe (command line: C:\Windows\system32\Eegpkcbd.exe), PID 464
- [92] C:\Windows\SysWOW64\Eeimqc32.exe (command line: C:\Windows\system32\Eeimqc32.exe), PID 3812
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup
- [93] C:\Windows\SysWOW64\Ekcemmgo.exe (command line: C:\Windows\system32\Ekcemmgo.exe), PID 1328
- [94] C:\Windows\SysWOW64\Enaaiifb.exe (command line: C:\Windows\system32\Enaaiifb.exe), PID 1340
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup
- [95] C:\Windows\SysWOW64\Flmhclod.exe (command line: C:\Windows\system32\Flmhclod.exe), PID 4268
- [96] C:\Windows\SysWOW64\Fnkdpgnh.exe (command line: C:\Windows\system32\Fnkdpgnh.exe), PID 944
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup
- [97] C:\Windows\SysWOW64\Faiplcmk.exe (command line: C:\Windows\system32\Faiplcmk.exe), PID 4472
  Signatures: Drops file in System32 directory
- [98] C:\Windows\SysWOW64\Fhchhm32.exe (command line: C:\Windows\system32\Fhchhm32.exe), PID 3408
- [99] C:\Windows\SysWOW64\Fjbddh32.exe (command line: C:\Windows\system32\Fjbddh32.exe), PID 3528
- [100] C:\Windows\SysWOW64\Falmabki.exe (command line: C:\Windows\system32\Falmabki.exe), PID 4480
  Signatures: Modifies registry class
- [101] C:\Windows\SysWOW64\Fhfenmbe.exe (command line: C:\Windows\system32\Fhfenmbe.exe), PID 4768
- [102] C:\Windows\SysWOW64\Fmbnfcam.exe (command line: C:\Windows\system32\Fmbnfcam.exe), PID 5092
- [103] C:\Windows\SysWOW64\Fejegaao.exe (command line: C:\Windows\system32\Fejegaao.exe), PID 656
- [104] C:\Windows\SysWOW64\Fhhaclqc.exe (command line: C:\Windows\system32\Fhhaclqc.exe), PID 4900
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup
- [105] C:\Windows\SysWOW64\Faqflb32.exe (command line: C:\Windows\system32\Faqflb32.exe), PID 3512
- [106] C:\Windows\SysWOW64\Fdobhm32.exe (command line: C:\Windows\system32\Fdobhm32.exe), PID 4948
- [107] C:\Windows\SysWOW64\Fjikeg32.exe (command line: C:\Windows\system32\Fjikeg32.exe), PID 2452
- [108] C:\Windows\SysWOW64\Genobp32.exe (command line: C:\Windows\system32\Genobp32.exe), PID 1240
- [109] C:\Windows\SysWOW64\Gjkgkg32.exe (command line: C:\Windows\system32\Gjkgkg32.exe), PID 5080
- [110] C:\Windows\SysWOW64\Gaepgacn.exe (command line: C:\Windows\system32\Gaepgacn.exe), PID 1792
- [111] C:\Windows\SysWOW64\Gdclcmba.exe (command line: C:\Windows\system32\Gdclcmba.exe), PID 2160
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup
- [112] C:\Windows\SysWOW64\Gjndpg32.exe (command line: C:\Windows\system32\Gjndpg32.exe), PID 1852
- [113] C:\Windows\SysWOW64\Gaglma32.exe (command line: C:\Windows\system32\Gaglma32.exe), PID 4544
- [114] C:\Windows\SysWOW64\Ghadjkhh.exe (command line: C:\Windows\system32\Ghadjkhh.exe), PID 4140
- [115] C:\Windows\SysWOW64\Ghdaokfe.exe (command line: C:\Windows\system32\Ghdaokfe.exe), PID 3764
- [116] C:\Windows\SysWOW64\Gkbnkfei.exe (command line: C:\Windows\system32\Gkbnkfei.exe), PID 3088
- [117] C:\Windows\SysWOW64\Gdkbdllj.exe (command line: C:\Windows\system32\Gdkbdllj.exe), PID 716
- [118] C:\Windows\SysWOW64\Glajeiml.exe (command line: C:\Windows\system32\Glajeiml.exe), PID 556
- [119] C:\Windows\SysWOW64\Hejono32.exe (command line: C:\Windows\system32\Hejono32.exe), PID 3640
  Signatures: Adds autorun key to be loaded by Explorer.exe on startup
- [120] C:\Windows\SysWOW64\Hdokok32.exe (command line: C:\Windows\system32\Hdokok32.exe), PID 1636
- [121] C:\Windows\SysWOW64\Hkiclepa.exe (command line: C:\Windows\system32\Hkiclepa.exe), PID 4920
- [122] C:\Windows\SysWOW64\Heohinog.exe (command line: C:\Windows\system32\Heohinog.exe), PID 2432