Analysis

max time kernel: 178s
max time network: 201s
platform: windows10-2004_x64
resource: win10v2004-20231025-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2023, 20:52
Static task: static1 (1 signatures)

Behavioral task: behavioral1
  Sample: NEAS.b547586976bc491ff8025ac71bcaa090.exe
  Resource: win7-20231020-en
  7 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: NEAS.b547586976bc491ff8025ac71bcaa090.exe
  Resource: win10v2004-20231025-en
  5 signatures, 150 seconds
General

Target: NEAS.b547586976bc491ff8025ac71bcaa090.exe
Size: 52KB
MD5: b547586976bc491ff8025ac71bcaa090
SHA1: 896b7d98d71a2ea8420bf6945bb6b976c0c0dc2b
SHA256: b5325824cef550474b4e5247ad95c4aea20113373f7600b4779c16584f19e018
SHA512: ecf23752001f5401c69a884ed9d9d47d25468666c471ce95895480815e0c52efd817fc8184743a531566af7935d5090c3191bb33ea655a8c17e543af8d7f57fc
SSDEEP: 1536:cIx1524GHBz5SmvZELflO4nf/bWTrfRVqMAdKZ:X152d+mxELflOCbWLqMRZ
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cknbkpif.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fakfglhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dffmogji.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikjmcc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Plijbblh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Acqgojmb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eclmlpfl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iddlccfp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eenflbll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jafaem32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iajkohmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oocdme32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhmejf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aaiqcnhg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdaonmdd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lbpmbipk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pchcdbck.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nejpckgc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhhlog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Plndma32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmjpod32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbhgoh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckpamabg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agndidce.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjbddh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbiphhhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phcogice.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dnjdigpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ihaidhgf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfaqafjl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pljalipc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kflink32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cggpfa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfodpbpl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ehaieh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ggilbb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Apbnbali.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ijpepcfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hnblmnfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Olqofjhn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Diffabgj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iacbbh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pndhhnda.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Falmabki.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlmiagbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hpeejfjm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qamago32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iabglnco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Khlinedh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjkigojc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfgopnbo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmcnap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ihdaoajd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cimckcoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eagahnob.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjgenjhe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Miofcked.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dnqcfjae.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgjeppkp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fcibchgq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifglmlol.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opcqgh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lelcbmcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Opbean32.exe
Executes dropped EXE (64 IoCs)

pid | Process
3820 | Opbean32.exe
3392 | Pimfpc32.exe
2428 | Ppgomnai.exe
4532 | Pfagighf.exe
3676 | Pmkofa32.exe
2836 | Pbhgoh32.exe
1488 | Pmmlla32.exe
5000 | Pcgdhkem.exe
1112 | Pakdbp32.exe
3816 | Pciqnk32.exe
1352 | Pfhmjf32.exe
364 | Qamago32.exe
4152 | Qfjjpf32.exe
5076 | Qcnjijoe.exe
4856 | Qikbaaml.exe
2760 | Acqgojmb.exe
1612 | Aimogakj.exe
3548 | Acccdj32.exe
4428 | Amkhmoap.exe
3856 | Ajohfcpj.exe
2076 | Aaiqcnhg.exe
1484 | Ajaelc32.exe
864 | Adjjeieh.exe
3380 | Bigbmpco.exe
2620 | Bboffejp.exe
3924 | Bbaclegm.exe
3436 | Bpedeiff.exe
1408 | Bphqji32.exe
2420 | Bmladm32.exe
1416 | Ckpamabg.exe
3360 | Cajjjk32.exe
4192 | Cgfbbb32.exe
1980 | Cmpjoloh.exe
3760 | Cgiohbfi.exe
1400 | Cmbgdl32.exe
1428 | Ccppmc32.exe
3944 | Dcibca32.exe
2740 | Dickplko.exe
4808 | Ddhomdje.exe
2252 | Dnqcfjae.exe
3088 | Ddklbd32.exe
2384 | Dncpkjoc.exe
2940 | Dpalgenf.exe
3276 | Ekgqennl.exe
3564 | Ecbeip32.exe
224 | Enhifi32.exe
2796 | Ecdbop32.exe
3352 | Enjfli32.exe
3660 | Ephbhd32.exe
2288 | Ekngemhd.exe
1180 | Enlcahgh.exe
720 | Edfknb32.exe
2424 | Ejccgi32.exe
5068 | Hkmlnimb.exe
2408 | Hbfdjc32.exe
3416 | Heepfn32.exe
1160 | Hjaioe32.exe
4480 | Ielfgmnj.exe
4100 | Ilfodgeg.exe
4348 | Iabglnco.exe
2036 | Igmoih32.exe
3208 | Infhebbh.exe
4128 | Iaedanal.exe
1292 | Iholohii.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Bpodilpi.dll | Jknfnbmi.exe
File opened for modification | C:\Windows\SysWOW64\Jnfcbg32.exe | Jkggfl32.exe
File opened for modification | C:\Windows\SysWOW64\Fakfglhm.exe | Fjanjb32.exe
File opened for modification | C:\Windows\SysWOW64\Neoink32.exe | Nkieab32.exe
File created | C:\Windows\SysWOW64\Pfbmnf32.exe | Pohdamqh.exe
File created | C:\Windows\SysWOW64\Cjmnoo32.dll | Pgphggpe.exe
File created | C:\Windows\SysWOW64\Gijcclkf.dll | Endnohdp.exe
File opened for modification | C:\Windows\SysWOW64\Oehldi32.exe | Oiakpheo.exe
File created | C:\Windows\SysWOW64\Klapgq32.exe | Jeekeg32.exe
File created | C:\Windows\SysWOW64\Mimphakb.exe | Mbchkg32.exe
File created | C:\Windows\SysWOW64\Mokhmm32.dll | Noehlgol.exe
File opened for modification | C:\Windows\SysWOW64\Mbpdkabl.exe | Mjiljdaj.exe
File opened for modification | C:\Windows\SysWOW64\Enlcahgh.exe | Ekngemhd.exe
File opened for modification | C:\Windows\SysWOW64\Felbmqpl.exe | Falmabki.exe
File created | C:\Windows\SysWOW64\Ipomlcnc.dll | Lilbdcfe.exe
File opened for modification | C:\Windows\SysWOW64\Pndhhnda.exe | Jgjeppkp.exe
File opened for modification | C:\Windows\SysWOW64\Mjiljdaj.exe | Mhjpnibf.exe
File opened for modification | C:\Windows\SysWOW64\Bcpdidol.exe | Blflmj32.exe
File opened for modification | C:\Windows\SysWOW64\Pohnhdog.exe | Pljalipc.exe
File opened for modification | C:\Windows\SysWOW64\Hkpgooim.exe | Hahcfi32.exe
File created | C:\Windows\SysWOW64\Bbaclegm.exe | Bboffejp.exe
File opened for modification | C:\Windows\SysWOW64\Ghdoae32.exe | Fpjjkh32.exe
File created | C:\Windows\SysWOW64\Bdbhbf32.dll | Fnhppa32.exe
File opened for modification | C:\Windows\SysWOW64\Mimphakb.exe | Mbchkg32.exe
File created | C:\Windows\SysWOW64\Gpjmbhch.dll | Lkchpoka.exe
File created | C:\Windows\SysWOW64\Ilfodgeg.exe | Ielfgmnj.exe
File created | C:\Windows\SysWOW64\Babgcniq.dll | Lefdld32.exe
File opened for modification | C:\Windows\SysWOW64\Lebalokn.exe | Lagekp32.exe
File created | C:\Windows\SysWOW64\Hgeiao32.exe | Dnjmoqmk.exe
File opened for modification | C:\Windows\SysWOW64\Cgfbbb32.exe | Cajjjk32.exe
File opened for modification | C:\Windows\SysWOW64\Hkmlnimb.exe | Ejccgi32.exe
File created | C:\Windows\SysWOW64\Lbgongoo.dll | Ehomph32.exe
File opened for modification | C:\Windows\SysWOW64\Bpmobi32.exe | Blabakle.exe
File opened for modification | C:\Windows\SysWOW64\Emikpeig.exe | Elhnhm32.exe
File created | C:\Windows\SysWOW64\Fmiaimki.exe | Fhmiqfma.exe
File created | C:\Windows\SysWOW64\Ecdbop32.exe | Enhifi32.exe
File created | C:\Windows\SysWOW64\Oookbega.exe | Olqofjhn.exe
File created | C:\Windows\SysWOW64\Linojbdc.exe | Ldccid32.exe
File created | C:\Windows\SysWOW64\Lboklcod.dll | Mimphakb.exe
File opened for modification | C:\Windows\SysWOW64\Plcdbghi.exe | Pjehflie.exe
File opened for modification | C:\Windows\SysWOW64\Omldnfkj.exe | Qoecol32.exe
File opened for modification | C:\Windows\SysWOW64\Nfnafpni.exe | Ebapednb.exe
File opened for modification | C:\Windows\SysWOW64\Dncpkjoc.exe | Ddklbd32.exe
File created | C:\Windows\SysWOW64\Cjofambd.exe | Ccendc32.exe
File created | C:\Windows\SysWOW64\Obddmc32.dll | Gdclcmba.exe
File created | C:\Windows\SysWOW64\Hbcbcc32.dll | Hjdcfp32.exe
File created | C:\Windows\SysWOW64\Gmqgjl32.exe | Ghdoae32.exe
File created | C:\Windows\SysWOW64\Fdaiegkj.dll | Hknkiokp.exe
File opened for modification | C:\Windows\SysWOW64\Pimkkfka.exe | Poggnnkk.exe
File created | C:\Windows\SysWOW64\Jnblgj32.dll | Cmbgdl32.exe
File created | C:\Windows\SysWOW64\Jhnmjk32.dll | Fnkdpgnh.exe
File created | C:\Windows\SysWOW64\Ehkbbn32.dll | Mbkmngfn.exe
File opened for modification | C:\Windows\SysWOW64\Ohiefdhd.exe | Oejijiip.exe
File created | C:\Windows\SysWOW64\Qjijgead.exe | Qemoff32.exe
File created | C:\Windows\SysWOW64\Dnjdigpf.exe | Dklhmlac.exe
File created | C:\Windows\SysWOW64\Dohnnkjk.dll | Acqgojmb.exe
File created | C:\Windows\SysWOW64\Epgobe32.dll | Iaokdn32.exe
File created | C:\Windows\SysWOW64\Mdcodl32.dll | Nojagf32.exe
File opened for modification | C:\Windows\SysWOW64\Oookbega.exe | Olqofjhn.exe
File opened for modification | C:\Windows\SysWOW64\Iddlccfp.exe | Ihnkobpl.exe
File created | C:\Windows\SysWOW64\Ielfgmnj.exe | Hjaioe32.exe
File created | C:\Windows\SysWOW64\Iabglnco.exe | Ilfodgeg.exe
File opened for modification | C:\Windows\SysWOW64\Joahop32.exe | Jlblcdpf.exe
File created | C:\Windows\SysWOW64\Lbhoolef.dll | Ggpbcaei.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekqnpnc.dll" | Lbpmbipk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nkieab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obhmcdfq.dll" | Dnqcfjae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Emlgedge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ifglmlol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlijc32.dll" | Hdhlhd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkagaa32.dll" | Ooqqmoac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cmpjoloh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pgphggpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kleiid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ohkbldfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Poggnnkk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdilmf.dll" | Cgiohbfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohnnkjk.dll" | Acqgojmb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Plejoode.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnomkf32.dll" | Noaoagca.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ocamcc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ehcfkhel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjaofnii.dll" | Bpedeiff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pedfeccm.dll" | Ddhomdje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ponfed32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pjehflie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fkihgb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foolmeif.dll" | Dcibca32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kpdbhn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehoegjcf.dll" | Ohiefdhd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ddfikaeq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kdalim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pakdbp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Emikpeig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghbke32.dll" | Kadnfkji.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fphneijl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijicm32.dll" | Kfmmajed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iffcgoka.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hgghdp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npfcfghe.dll" | Dnondf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Omhicj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnkibcle.dll" | Opbean32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhaofb32.dll" | Cqpdof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofgogm32.dll" | Haeino32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fpimgjbm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Knefnkla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgccdbdj.dll" | Kleajegi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beijfp32.dll" | Koceep32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eglkmh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qmlmjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igioikpj.dll" | Cgecpa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eglkmh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lagekp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kleajegi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhdneppe.dll" | Pfbmnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ielfgmnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hejono32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impppk32.dll" | Nmommn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hagqiofj.dll" | Ggilbb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ihbdja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pencqe32.dll" | Pmmlla32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kijjldkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kgenlldo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pcjioknl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bloflk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Falmabki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gccccb32.dll" | Jkcpia32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bloflk32.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 2736 wrote to memory of 3820 | 2736 | NEAS.b547586976bc491ff8025ac71bcaa090.exe | 88
PID 2736 wrote to memory of 3820 | 2736 | NEAS.b547586976bc491ff8025ac71bcaa090.exe | 88
PID 2736 wrote to memory of 3820 | 2736 | NEAS.b547586976bc491ff8025ac71bcaa090.exe | 88
PID 3820 wrote to memory of 3392 | 3820 | Opbean32.exe | 90
PID 3820 wrote to memory of 3392 | 3820 | Opbean32.exe | 90
PID 3820 wrote to memory of 3392 | 3820 | Opbean32.exe | 90
PID 3392 wrote to memory of 2428 | 3392 | Pimfpc32.exe | 91
PID 3392 wrote to memory of 2428 | 3392 | Pimfpc32.exe | 91
PID 3392 wrote to memory of 2428 | 3392 | Pimfpc32.exe | 91
PID 2428 wrote to memory of 4532 | 2428 | Ppgomnai.exe | 92
PID 2428 wrote to memory of 4532 | 2428 | Ppgomnai.exe | 92
PID 2428 wrote to memory of 4532 | 2428 | Ppgomnai.exe | 92
PID 4532 wrote to memory of 3676 | 4532 | Pfagighf.exe | 93
PID 4532 wrote to memory of 3676 | 4532 | Pfagighf.exe | 93
PID 4532 wrote to memory of 3676 | 4532 | Pfagighf.exe | 93
PID 3676 wrote to memory of 2836 | 3676 | Pmkofa32.exe | 94
PID 3676 wrote to memory of 2836 | 3676 | Pmkofa32.exe | 94
PID 3676 wrote to memory of 2836 | 3676 | Pmkofa32.exe | 94
PID 2836 wrote to memory of 1488 | 2836 | Pbhgoh32.exe | 95
PID 2836 wrote to memory of 1488 | 2836 | Pbhgoh32.exe | 95
PID 2836 wrote to memory of 1488 | 2836 | Pbhgoh32.exe | 95
PID 1488 wrote to memory of 5000 | 1488 | Pmmlla32.exe | 96
PID 1488 wrote to memory of 5000 | 1488 | Pmmlla32.exe | 96
PID 1488 wrote to memory of 5000 | 1488 | Pmmlla32.exe | 96
PID 5000 wrote to memory of 1112 | 5000 | Pcgdhkem.exe | 97
PID 5000 wrote to memory of 1112 | 5000 | Pcgdhkem.exe | 97
PID 5000 wrote to memory of 1112 | 5000 | Pcgdhkem.exe | 97
PID 1112 wrote to memory of 3816 | 1112 | Pakdbp32.exe | 99
PID 1112 wrote to memory of 3816 | 1112 | Pakdbp32.exe | 99
PID 1112 wrote to memory of 3816 | 1112 | Pakdbp32.exe | 99
PID 3816 wrote to memory of 1352 | 3816 | Pciqnk32.exe | 100
PID 3816 wrote to memory of 1352 | 3816 | Pciqnk32.exe | 100
PID 3816 wrote to memory of 1352 | 3816 | Pciqnk32.exe | 100
PID 1352 wrote to memory of 364 | 1352 | Pfhmjf32.exe | 101
PID 1352 wrote to memory of 364 | 1352 | Pfhmjf32.exe | 101
PID 1352 wrote to memory of 364 | 1352 | Pfhmjf32.exe | 101
PID 364 wrote to memory of 4152 | 364 | Qamago32.exe | 102
PID 364 wrote to memory of 4152 | 364 | Qamago32.exe | 102
PID 364 wrote to memory of 4152 | 364 | Qamago32.exe | 102
PID 4152 wrote to memory of 5076 | 4152 | Qfjjpf32.exe | 103
PID 4152 wrote to memory of 5076 | 4152 | Qfjjpf32.exe | 103
PID 4152 wrote to memory of 5076 | 4152 | Qfjjpf32.exe | 103
PID 5076 wrote to memory of 4856 | 5076 | Qcnjijoe.exe | 104
PID 5076 wrote to memory of 4856 | 5076 | Qcnjijoe.exe | 104
PID 5076 wrote to memory of 4856 | 5076 | Qcnjijoe.exe | 104
PID 4856 wrote to memory of 2760 | 4856 | Qikbaaml.exe | 106
PID 4856 wrote to memory of 2760 | 4856 | Qikbaaml.exe | 106
PID 4856 wrote to memory of 2760 | 4856 | Qikbaaml.exe | 106
PID 2760 wrote to memory of 1612 | 2760 | Acqgojmb.exe | 107
PID 2760 wrote to memory of 1612 | 2760 | Acqgojmb.exe | 107
PID 2760 wrote to memory of 1612 | 2760 | Acqgojmb.exe | 107
PID 1612 wrote to memory of 3548 | 1612 | Aimogakj.exe | 108
PID 1612 wrote to memory of 3548 | 1612 | Aimogakj.exe | 108
PID 1612 wrote to memory of 3548 | 1612 | Aimogakj.exe | 108
PID 3548 wrote to memory of 4428 | 3548 | Acccdj32.exe | 109
PID 3548 wrote to memory of 4428 | 3548 | Acccdj32.exe | 109
PID 3548 wrote to memory of 4428 | 3548 | Acccdj32.exe | 109
PID 4428 wrote to memory of 3856 | 4428 | Amkhmoap.exe | 110
PID 4428 wrote to memory of 3856 | 4428 | Amkhmoap.exe | 110
PID 4428 wrote to memory of 3856 | 4428 | Amkhmoap.exe | 110
PID 3856 wrote to memory of 2076 | 3856 | Ajohfcpj.exe | 111
PID 3856 wrote to memory of 2076 | 3856 | Ajohfcpj.exe | 111
PID 3856 wrote to memory of 2076 | 3856 | Ajohfcpj.exe | 111
PID 2076 wrote to memory of 1484 | 2076 | Aaiqcnhg.exe | 112
Processes
1. C:\Users\Admin\AppData\Local\Temp\NEAS.b547586976bc491ff8025ac71bcaa090.exe (PID 2736)
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.b547586976bc491ff8025ac71bcaa090.exe"
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Opbean32.exe (PID 3820)
   Command line: C:\Windows\system32\Opbean32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Pimfpc32.exe (PID 3392)
   Command line: C:\Windows\system32\Pimfpc32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Ppgomnai.exe (PID 2428)
   Command line: C:\Windows\system32\Ppgomnai.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Pfagighf.exe (PID 4532)
   Command line: C:\Windows\system32\Pfagighf.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Pmkofa32.exe (PID 3676)
   Command line: C:\Windows\system32\Pmkofa32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Pbhgoh32.exe (PID 2836)
   Command line: C:\Windows\system32\Pbhgoh32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Pmmlla32.exe (PID 1488)
   Command line: C:\Windows\system32\Pmmlla32.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Pcgdhkem.exe (PID 5000)
   Command line: C:\Windows\system32\Pcgdhkem.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Pakdbp32.exe (PID 1112)
   Command line: C:\Windows\system32\Pakdbp32.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Pciqnk32.exe (PID 3816)
   Command line: C:\Windows\system32\Pciqnk32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Pfhmjf32.exe (PID 1352)
   Command line: C:\Windows\system32\Pfhmjf32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Qamago32.exe (PID 364)
   Command line: C:\Windows\system32\Qamago32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Qfjjpf32.exe (PID 4152)
   Command line: C:\Windows\system32\Qfjjpf32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Qcnjijoe.exe (PID 5076)
   Command line: C:\Windows\system32\Qcnjijoe.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Qikbaaml.exe (PID 4856)
   Command line: C:\Windows\system32\Qikbaaml.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Acqgojmb.exe (PID 2760)
   Command line: C:\Windows\system32\Acqgojmb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Aimogakj.exe (PID 1612)
   Command line: C:\Windows\system32\Aimogakj.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Acccdj32.exe (PID 3548)
   Command line: C:\Windows\system32\Acccdj32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Amkhmoap.exe (PID 4428)
   Command line: C:\Windows\system32\Amkhmoap.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Ajohfcpj.exe (PID 3856)
   Command line: C:\Windows\system32\Ajohfcpj.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Aaiqcnhg.exe (PID 2076)
   Command line: C:\Windows\system32\Aaiqcnhg.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Ajaelc32.exe (PID 1484)
   Command line: C:\Windows\system32\Ajaelc32.exe
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Adjjeieh.exe (PID 864)
   Command line: C:\Windows\system32\Adjjeieh.exe
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Bigbmpco.exe (PID 3380)
   Command line: C:\Windows\system32\Bigbmpco.exe
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Bboffejp.exe (PID 2620)
   Command line: C:\Windows\system32\Bboffejp.exe
   - Executes dropped EXE
   - Drops file in System32 directory
27. C:\Windows\SysWOW64\Bbaclegm.exe (PID 3924)
   Command line: C:\Windows\system32\Bbaclegm.exe
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Bpedeiff.exe (PID 3436)
   Command line: C:\Windows\system32\Bpedeiff.exe
   - Executes dropped EXE
   - Modifies registry class
29. C:\Windows\SysWOW64\Bphqji32.exe (PID 1408)
   Command line: C:\Windows\system32\Bphqji32.exe
   - Executes dropped EXE
30. C:\Windows\SysWOW64\Bmladm32.exe (PID 2420)
   Command line: C:\Windows\system32\Bmladm32.exe
   - Executes dropped EXE
31. C:\Windows\SysWOW64\Ckpamabg.exe (PID 1416)
   Command line: C:\Windows\system32\Ckpamabg.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
32. C:\Windows\SysWOW64\Cajjjk32.exe (PID 3360)
   Command line: C:\Windows\system32\Cajjjk32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
33. C:\Windows\SysWOW64\Cgfbbb32.exe (PID 4192)
   Command line: C:\Windows\system32\Cgfbbb32.exe
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Cmpjoloh.exe (PID 1980)
   Command line: C:\Windows\system32\Cmpjoloh.exe
   - Executes dropped EXE
   - Modifies registry class
35. C:\Windows\SysWOW64\Cgiohbfi.exe (PID 3760)
   Command line: C:\Windows\system32\Cgiohbfi.exe
   - Executes dropped EXE
   - Modifies registry class
36. C:\Windows\SysWOW64\Cmbgdl32.exe (PID 1400)
   Command line: C:\Windows\system32\Cmbgdl32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
37. C:\Windows\SysWOW64\Ccppmc32.exe (PID 1428)
   Command line: C:\Windows\system32\Ccppmc32.exe
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Dcibca32.exe (PID 3944)
   Command line: C:\Windows\system32\Dcibca32.exe
   - Executes dropped EXE
   - Modifies registry class
39. C:\Windows\SysWOW64\Dickplko.exe (PID 2740)
   Command line: C:\Windows\system32\Dickplko.exe
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Ddhomdje.exe (PID 4808)
   Command line: C:\Windows\system32\Ddhomdje.exe
   - Executes dropped EXE
   - Modifies registry class
41. C:\Windows\SysWOW64\Dnqcfjae.exe (PID 2252)
   Command line: C:\Windows\system32\Dnqcfjae.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
42. C:\Windows\SysWOW64\Ddklbd32.exe (PID 3088)
   Command line: C:\Windows\system32\Ddklbd32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
43. C:\Windows\SysWOW64\Dncpkjoc.exe (PID 2384)
   Command line: C:\Windows\system32\Dncpkjoc.exe
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Dpalgenf.exe (PID 2940)
   Command line: C:\Windows\system32\Dpalgenf.exe
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Ekgqennl.exe (PID 3276)
   Command line: C:\Windows\system32\Ekgqennl.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Ecbeip32.exe (PID 3564)
   Command line: C:\Windows\system32\Ecbeip32.exe
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Enhifi32.exe (PID 224)
   Command line: C:\Windows\system32\Enhifi32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
48. C:\Windows\SysWOW64\Ecdbop32.exe (PID 2796)
   Command line: C:\Windows\system32\Ecdbop32.exe
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Enjfli32.exe (PID 3352)
   Command line: C:\Windows\system32\Enjfli32.exe
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Ephbhd32.exe (PID 3660)
   Command line: C:\Windows\system32\Ephbhd32.exe
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Ekngemhd.exe (PID 2288)
   Command line: C:\Windows\system32\Ekngemhd.exe
   - Executes dropped EXE
   - Drops file in System32 directory
52. C:\Windows\SysWOW64\Enlcahgh.exe (PID 1180)
   Command line: C:\Windows\system32\Enlcahgh.exe
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Edfknb32.exe (PID 720)
   Command line: C:\Windows\system32\Edfknb32.exe
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Ejccgi32.exe (PID 2424)
   Command line: C:\Windows\system32\Ejccgi32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
55. C:\Windows\SysWOW64\Hkmlnimb.exe (PID 5068)
   Command line: C:\Windows\system32\Hkmlnimb.exe
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Hbfdjc32.exe (PID 2408)
   Command line: C:\Windows\system32\Hbfdjc32.exe
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Heepfn32.exe (PID 3416)
   Command line: C:\Windows\system32\Heepfn32.exe
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Hjaioe32.exe (PID 1160)
   Command line: C:\Windows\system32\Hjaioe32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
59. C:\Windows\SysWOW64\Ielfgmnj.exe (PID 4480)
   Command line: C:\Windows\system32\Ielfgmnj.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
60. C:\Windows\SysWOW64\Ilfodgeg.exe (PID 4100)
   Command line: C:\Windows\system32\Ilfodgeg.exe
   - Executes dropped EXE
   - Drops file in System32 directory
61. C:\Windows\SysWOW64\Iabglnco.exe (PID 4348)
   Command line: C:\Windows\system32\Iabglnco.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Igmoih32.exe (PID 2036)
   Command line: C:\Windows\system32\Igmoih32.exe
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Infhebbh.exe (PID 3208)
   Command line: C:\Windows\system32\Infhebbh.exe
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Iaedanal.exe (PID 4128)
   Command line: C:\Windows\system32\Iaedanal.exe
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Iholohii.exe (PID 1292)
   Command line: C:\Windows\system32\Iholohii.exe
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Ibdplaho.exe (PID 2240)
   Command line: C:\Windows\system32\Ibdplaho.exe
67. C:\Windows\SysWOW64\Iecmhlhb.exe (PID 1752)
   Command line: C:\Windows\system32\Iecmhlhb.exe
68. C:\Windows\SysWOW64\Ihaidhgf.exe (PID 4196)
   Command line: C:\Windows\system32\Ihaidhgf.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
69. C:\Windows\SysWOW64\Ijpepcfj.exe (PID 5132)
   Command line: C:\Windows\system32\Ijpepcfj.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
70. C:\Windows\SysWOW64\Ibgmaqfl.exe (PID 5176)
   Command line: C:\Windows\system32\Ibgmaqfl.exe
71. C:\Windows\SysWOW64\Ieeimlep.exe (PID 5300)
   Command line: C:\Windows\system32\Ieeimlep.exe
72. C:\Windows\SysWOW64\Jgjeppkp.exe (PID 5356)
   Command line: C:\Windows\system32\Jgjeppkp.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
73. C:\Windows\SysWOW64\Pndhhnda.exe (PID 5440)
   Command line: C:\Windows\system32\Pndhhnda.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
74. C:\Windows\SysWOW64\Ginenk32.exe (PID 5504)
   Command line: C:\Windows\system32\Ginenk32.exe
75. C:\Windows\SysWOW64\Ngklppei.exe (PID 5568)
   Command line: C:\Windows\system32\Ngklppei.exe
76. C:\Windows\SysWOW64\Dnkbcp32.exe (PID 5644)
   Command line: C:\Windows\system32\Dnkbcp32.exe
77. C:\Windows\SysWOW64\Kjlmbnof.exe (PID 5736)
   Command line: C:\Windows\system32\Kjlmbnof.exe
78. C:\Windows\SysWOW64\Plejoode.exe (PID 5800)
   Command line: C:\Windows\system32\Plejoode.exe
   - Modifies registry class
79. C:\Windows\SysWOW64\Pcaoahio.exe (PID 5848)
   Command line: C:\Windows\system32\Pcaoahio.exe
80. C:\Windows\SysWOW64\Pkigbfja.exe (PID 5896)
   Command line: C:\Windows\system32\Pkigbfja.exe
81. C:\Windows\SysWOW64\Ppepkmhi.exe (PID 5936)
   Command line: C:\Windows\system32\Ppepkmhi.exe
82. C:\Windows\SysWOW64\Pgphggpe.exe (PID 5980)
   Command line: C:\Windows\system32\Pgphggpe.exe
   - Drops file in System32 directory
   - Modifies registry class
83. C:\Windows\SysWOW64\Pindcboi.exe (PID 6032)
   Command line: C:\Windows\system32\Pindcboi.exe
84. C:\Windows\SysWOW64\Pdchakoo.exe (PID 6092)
   Command line: C:\Windows\system32\Pdchakoo.exe
85. C:\Windows\SysWOW64\Pgbdmfnc.exe (PID 6132)
   Command line: C:\Windows\system32\Pgbdmfnc.exe
86. C:\Windows\SysWOW64\Qmlmjq32.exe (PID 5184)
   Command line: C:\Windows\system32\Qmlmjq32.exe
   - Modifies registry class
87. C:\Windows\SysWOW64\Qpjifl32.exe (PID 1328)
   Command line: C:\Windows\system32\Qpjifl32.exe
88. C:\Windows\SysWOW64\Qgdabflp.exe (PID 5292)
   Command line: C:\Windows\system32\Qgdabflp.exe
89. C:\Windows\SysWOW64\Qibmoa32.exe (PID 3216)
   Command line: C:\Windows\system32\Qibmoa32.exe
90. C:\Windows\SysWOW64\Qdhalj32.exe (PID 2948)
   Command line: C:\Windows\system32\Qdhalj32.exe
91. C:\Windows\SysWOW64\Aiejda32.exe (PID 4832)
   Command line: C:\Windows\system32\Aiejda32.exe
92. C:\Windows\SysWOW64\Alcfpm32.exe (PID 5324)
   Command line: C:\Windows\system32\Alcfpm32.exe
93. C:\Windows\SysWOW64\Adjnaj32.exe (PID 4296)
   Command line: C:\Windows\system32\Adjnaj32.exe
94. C:\Windows\SysWOW64\Alfcflfb.exe (PID 4064)
   Command line: C:\Windows\system32\Alfcflfb.exe
95. C:\Windows\SysWOW64\Admkgifd.exe (PID 4252)
   Command line: C:\Windows\system32\Admkgifd.exe
96. C:\Windows\SysWOW64\Aneppo32.exe (PID 3872)
   Command line: C:\Windows\system32\Aneppo32.exe
97. C:\Windows\SysWOW64\Apcllk32.exe (PID 4488)
   Command line: C:\Windows\system32\Apcllk32.exe
98. C:\Windows\SysWOW64\Agndidce.exe (PID 724)
   Command line: C:\Windows\system32\Agndidce.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
99. C:\Windows\SysWOW64\Aljmal32.exe (PID 3560)
   Command line: C:\Windows\system32\Aljmal32.exe
100. C:\Windows\SysWOW64\Apfhajjf.exe (PID 3864)
   Command line: C:\Windows\system32\Apfhajjf.exe
101. C:\Windows\SysWOW64\Agpqnd32.exe (PID 4948)
   Command line: C:\Windows\system32\Agpqnd32.exe
102. C:\Windows\SysWOW64\Akkmocjl.exe (PID 3336)
   Command line: C:\Windows\system32\Akkmocjl.exe
103. C:\Windows\SysWOW64\Addahh32.exe (PID 4764)
   Command line: C:\Windows\system32\Addahh32.exe
104. C:\Windows\SysWOW64\Bgbmdd32.exe (PID 4428)
   Command line: C:\Windows\system32\Bgbmdd32.exe
105. C:\Windows\SysWOW64\Bnlfqngm.exe (PID 2836)
   Command line: C:\Windows\system32\Bnlfqngm.exe
106. C:\Windows\SysWOW64\Bloflk32.exe (PID 540)
   Command line: C:\Windows\system32\Bloflk32.exe
   - Modifies registry class
107. C:\Windows\SysWOW64\Bgdjicmn.exe (PID 4328)
   Command line: C:\Windows\system32\Bgdjicmn.exe
108. C:\Windows\SysWOW64\Blabakle.exe (PID 1372)
   Command line: C:\Windows\system32\Blabakle.exe
   - Drops file in System32 directory
109. C:\Windows\SysWOW64\Bpmobi32.exe (PID 5596)
   Command line: C:\Windows\system32\Bpmobi32.exe
110. C:\Windows\SysWOW64\Bgggockk.exe (PID 1852)
   Command line: C:\Windows\system32\Bgggockk.exe
111. C:\Windows\SysWOW64\Bdkghg32.exe (PID 2740)
   Command line: C:\Windows\system32\Bdkghg32.exe
112. C:\Windows\SysWOW64\Bkepeaaa.exe (PID 4848)
   Command line: C:\Windows\system32\Bkepeaaa.exe
113. C:\Windows\SysWOW64\Blflmj32.exe (PID 3112)
   Command line: C:\Windows\system32\Blflmj32.exe
   - Drops file in System32 directory
114. C:\Windows\SysWOW64\Bcpdidol.exe (PID 1272)
   Command line: C:\Windows\system32\Bcpdidol.exe
115. C:\Windows\SysWOW64\Bnehgmob.exe (PID 1748)
   Command line: C:\Windows\system32\Bnehgmob.exe
116. C:\Windows\SysWOW64\Bqdechnf.exe (PID 720)
   Command line: C:\Windows\system32\Bqdechnf.exe
117. C:\Windows\SysWOW64\Ckiipa32.exe (PID 4616)
   Command line: C:\Windows\system32\Ckiipa32.exe
118. C:\Windows\SysWOW64\Cmkehicj.exe (PID 1776)
   Command line: C:\Windows\system32\Cmkehicj.exe
119. C:\Windows\SysWOW64\Ccendc32.exe (PID 2016)
   Command line: C:\Windows\system32\Ccendc32.exe
   - Drops file in System32 directory
120. C:\Windows\SysWOW64\Cjofambd.exe (PID 1872)
   Command line: C:\Windows\system32\Cjofambd.exe
121. C:\Windows\SysWOW64\Cmmbmiag.exe (PID 2240)
   Command line: C:\Windows\system32\Cmmbmiag.exe
122. C:\Windows\SysWOW64\Cknbkpif.exe (PID 5656)
   Command line: C:\Windows\system32\Cknbkpif.exe
   - Adds autorun key to be loaded by Explorer.exe on startup