Analysis
max time kernel: 169s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-11-2023 23:21
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: NEAS.0daefddef28fa4123c1b9cced1798970.exe
  Resource: win7-20231023-en (windows7-x64)
  6 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: NEAS.0daefddef28fa4123c1b9cced1798970.exe
  Resource: win10v2004-20231023-en (windows10-2004-x64)
  5 signatures, 150 seconds
General
Target: NEAS.0daefddef28fa4123c1b9cced1798970.exe
Size: 319KB
MD5: 0daefddef28fa4123c1b9cced1798970
SHA1: 35ed1e6bfbda8f9ba222140b7e7b080c430dd9de
SHA256: 98e2df3c367a63ee18c4f263684ca032d99b7cfbef0ca310102cc8b58377d87f
SHA512: 34e357f4c35d27c3b62a8cdaa0cf16be5f7b0dca6ccb902b8059593ac9d9f6b23f19659b476189e535ae7f7deba004b87c7f30ae05cb5763a951185f70340488
SSDEEP: 6144:VchHwlHlp4PlXj4IyqrQ///NR5fLYG3eujPQ///NR5f:VchS7YxxC/NcZ7/N
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olfgcj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lbhojo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Npcokpln.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cabofaaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nflkkf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Apeagd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfnqdale.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dojqcjgi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aeemop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Paaaeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kadfhk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cfnqdale.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cionbnmf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmjheaad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cflkihbd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecipeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qjfmda32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Adfgne32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pigfdcoc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nelmik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jlikdq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nckkoe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdikpjeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bhehmbbj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Degdgd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qemhlp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lkmcgnmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmiqfoie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bpkllo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmhggbgd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ppgeqijb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfojmn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lkiiee32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hbbacobm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajohpifg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohgokknb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aqmldddb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cpifoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eghanoih.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mknjgajl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qjjhla32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fibocnnj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aimhfqmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hipdpbgf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpjjgl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idjdqc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nelmik32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhephfpi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipgbngfp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Baephacf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcaiif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cpplpgnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ojefjd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Anogbohj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Icfediio.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Doojni32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pdkolm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkhofold.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbqlkdio.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odbgbb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hfiffd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjlpcbqo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogcnfheb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abcgdm32.exe
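What this signature means: each value under the ShellServiceObjectDelayLoad (SSODL) key names a COM class, and explorer.exe instantiates every listed class when the shell starts, loading whatever DLL that class's InProcServer32 value points at. This sample writes `Web Event Logger = {79FEACFF-FFCE-815E-A900-316290B5B738}` into SSODL and, as the "Modifies registry class" rows below show, registers that CLSID's InProcServer32 as a dropped DLL under C:\Windows\SysWow64 with ThreadingModel "Apartment". Note that everything lands under WOW6432Node, the 32-bit registry view, because the sample is a 32-bit process on an x64 VM; the 64-bit explorer.exe reads the native view, so check both views before concluding whether the entry actually fires on a given host. The script below is an added triage aid, not part of this report or of the sandbox's tooling: it enumerates SSODL in both views, resolves each CLSID to its DLL in the matching Classes view, and flags entries whose DLL is missing, unsigned or not Microsoft-signed. The rule that only a validly Microsoft-signed DLL earns an "OK" verdict, and the output fields, are my assumptions.

```powershell
# Added triage script (not from the sandbox report). Enumerates ShellServiceObjectDelayLoad (SSODL)
# in both registry views, resolves each CLSID to its InProcServer32 DLL in the matching view, and
# flags entries whose DLL is missing, unsigned, or not signed by Microsoft.
# Assumption: on a clean host every SSODL entry resolves to a validly Microsoft-signed DLL.

$SsodlViews = @(
    @{ View  = 'native'
       Ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ View  = 'WOW6432Node'
       Ssodl = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
       Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)

function Resolve-InProcServer {
    param([string]$ClsidRoot, [string]$Clsid)
    $key = Join-Path $ClsidRoot "$Clsid\InProcServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $props = Get-ItemProperty -LiteralPath $key
    # The unnamed default value holds the DLL path; ThreadingModel sits beside it ("Apartment" in this report).
    [pscustomobject]@{
        Dll            = [Environment]::ExpandEnvironmentVariables([string]$props.'(default)')
        ThreadingModel = $props.ThreadingModel
    }
}

function Get-SsodlFindings {
    foreach ($entry in $SsodlViews) {
        if (-not (Test-Path -LiteralPath $entry.Ssodl)) { continue }
        $item = Get-Item -LiteralPath $entry.Ssodl
        foreach ($name in $item.GetValueNames()) {
            $clsid  = [string]$item.GetValue($name)
            $server = Resolve-InProcServer -ClsidRoot $entry.Clsid -Clsid $clsid
            $signer = $null
            if (-not $server) {
                $verdict = 'CLSID has no InProcServer32 in this view'
            } elseif ([string]::IsNullOrEmpty($server.Dll) -or -not (Test-Path -LiteralPath $server.Dll)) {
                $verdict = 'DLL missing on disk'
            } else {
                $sig    = Get-AuthenticodeSignature -FilePath $server.Dll
                $signer = $sig.SignerCertificate.Subject
                if ($sig.Status -ne 'Valid')                          { $verdict = "signature $($sig.Status)" }
                elseif ($signer -notmatch 'O=Microsoft Corporation') { $verdict = 'not Microsoft-signed' }
                else                                                  { $verdict = 'OK' }
            }
            [pscustomobject]@{
                View      = $entry.View
                Name      = $name
                Clsid     = $clsid
                Dll       = $server.Dll
                Threading = $server.ThreadingModel
                Signer    = $signer
                Verdict   = $verdict
            }
        }
    }
}

Get-SsodlFindings | Format-Table -AutoSize
```

Run it from a 64-bit PowerShell so that both `HKLM:\SOFTWARE` and `HKLM:\SOFTWARE\WOW6432Node` are visible without redirection. Against the behaviour in this report, the expected hit is a `WOW6432Node` row named `Web Event Logger` whose DLL is an eight-letter name in `C:\Windows\SysWow64` with no valid signature; a legitimate Microsoft entry resolves to a signed DLL and reports `OK`.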
Executes dropped EXE (64 IoCs)
pid | Process
888 | Dgmpkg32.exe
1496 | Hipdpbgf.exe
1800 | Jkajnh32.exe
4896 | Jjefao32.exe
2872 | Kofheeoq.exe
2632 | Kkdoje32.exe
4920 | Lkiiee32.exe
3088 | Npgjbabk.exe
4980 | Oljkcpnb.exe
3664 | Dnhncjom.exe
4292 | Ghohdk32.exe
3140 | Incpdodg.exe
1124 | Inflio32.exe
2164 | Jedjkkmo.exe
2644 | Kdpmmf32.exe
112 | Meepoc32.exe
4276 | Mmaakpfd.exe
4004 | Nnpjdfpb.exe
4876 | Olfgcj32.exe
2688 | Ofadlbhj.exe
4532 | Pmbcik32.exe
980 | Alelkf32.exe
2408 | Apeagd32.exe
2740 | Bllble32.exe
2176 | Benjkijd.exe
4644 | Cgmfel32.exe
2924 | Cjbhbf32.exe
4852 | Dcpffk32.exe
3488 | Dcdpakii.exe
2416 | Enomic32.exe
2492 | Ejennd32.exe
3676 | Ecpomiok.exe
496 | Fnmjkahi.exe
4468 | Fppchile.exe
524 | Fmdcamko.exe
3172 | Gmimll32.exe
2240 | Hjimaole.exe
4148 | Hdaajd32.exe
1528 | Idjdqc32.exe
4400 | Lnfgmc32.exe
2308 | Mhpeelnd.exe
2664 | Nnkioq32.exe
4032 | Oapllk32.exe
3740 | Abcgii32.exe
4716 | Fcdbmb32.exe
1136 | Hfoflj32.exe
4340 | Jpegfm32.exe
1772 | Jbhmnhcm.exe
3512 | Jdjfmjhm.exe
4484 | Kmgdaokh.exe
3996 | Kgphje32.exe
3936 | Kmiqfoie.exe
2140 | Libnapmg.exe
3288 | Ldhbnhlm.exe
3060 | Ldjodh32.exe
400 | Lkdgqbag.exe
2168 | Maefnk32.exe
5000 | Mknjgajl.exe
2936 | Naaejj32.exe
3776 | Nbjhph32.exe
3560 | Odbgbb32.exe
700 | Pcjaio32.exe
1496 | Aeemop32.exe
1060 | Balfko32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Fbkblb32.exe | Fibncmpg.exe
File created | C:\Windows\SysWOW64\Mamcddhg.exe | Ljbnpbkl.exe
File opened for modification | C:\Windows\SysWOW64\Fnllqh32.exe | Ephlgc32.exe
File opened for modification | C:\Windows\SysWOW64\Maefnk32.exe | Lkdgqbag.exe
File created | C:\Windows\SysWOW64\Acjnfh32.dll | Aeemop32.exe
File created | C:\Windows\SysWOW64\Hodgdijp.dll | Bjlpcbqo.exe
File created | C:\Windows\SysWOW64\Ggnolcfa.dll | Ekjdnj32.exe
File opened for modification | C:\Windows\SysWOW64\Haceil32.exe | Gelddk32.exe
File created | C:\Windows\SysWOW64\Defcbiec.dll | Cpifoh32.exe
File created | C:\Windows\SysWOW64\Cpplpgnk.exe | Cefogo32.exe
File created | C:\Windows\SysWOW64\Aaakfokk.dll | Mkbmbn32.exe
File created | C:\Windows\SysWOW64\Pnqlfh32.dll | Naaejj32.exe
File created | C:\Windows\SysWOW64\Gfgfmp32.dll | Degdgd32.exe
File created | C:\Windows\SysWOW64\Ocmfjf32.dll | Cflkihbd.exe
File created | C:\Windows\SysWOW64\Ofjqbndk.exe | Omalii32.exe
File created | C:\Windows\SysWOW64\Oomeenke.exe | Ofdpmi32.exe
File opened for modification | C:\Windows\SysWOW64\Aimhfqmk.exe | Amfhao32.exe
File created | C:\Windows\SysWOW64\Lacioppf.dll | Pcjaio32.exe
File created | C:\Windows\SysWOW64\Iokmgk32.dll | Feoomd32.exe
File created | C:\Windows\SysWOW64\Ofqnlplf.exe | Njjmgo32.exe
File opened for modification | C:\Windows\SysWOW64\Hblkddmn.exe | Holfhfij.exe
File created | C:\Windows\SysWOW64\Bkogmaid.dll | Haceil32.exe
File created | C:\Windows\SysWOW64\Bakmbcka.exe | Bdgmio32.exe
File created | C:\Windows\SysWOW64\Aekeif32.dll | Mgkjmnme.exe
File created | C:\Windows\SysWOW64\Fmfnig32.exe | Fifhmi32.exe
File opened for modification | C:\Windows\SysWOW64\Kdigkjpl.exe | Jdodekhg.exe
File created | C:\Windows\SysWOW64\Hblkddmn.exe | Holfhfij.exe
File created | C:\Windows\SysWOW64\Mfkcec32.dll | Hfoflj32.exe
File created | C:\Windows\SysWOW64\Gepbbmjj.dll | Cjcmognb.exe
File opened for modification | C:\Windows\SysWOW64\Fbkblb32.exe | Fibncmpg.exe
File opened for modification | C:\Windows\SysWOW64\Kolakkii.exe | Kedlbf32.exe
File created | C:\Windows\SysWOW64\Ajhboj32.exe | Aapnfe32.exe
File created | C:\Windows\SysWOW64\Dgmpkg32.exe | NEAS.0daefddef28fa4123c1b9cced1798970.exe
File created | C:\Windows\SysWOW64\Doikfb32.dll | Meepoc32.exe
File created | C:\Windows\SysWOW64\Nnkioq32.exe | Mhpeelnd.exe
File created | C:\Windows\SysWOW64\Mgingoog.exe | Mehapf32.exe
File opened for modification | C:\Windows\SysWOW64\Bikdgn32.exe | Bbqlkdio.exe
File created | C:\Windows\SysWOW64\Jgbgcf32.dll | Oemcac32.exe
File opened for modification | C:\Windows\SysWOW64\Dcpffk32.exe | Cjbhbf32.exe
File opened for modification | C:\Windows\SysWOW64\Mhldlnko.exe | Mcolcgmh.exe
File created | C:\Windows\SysWOW64\Nmofmk32.exe | Nfenpafc.exe
File created | C:\Windows\SysWOW64\Geifpj32.dll | Inmplh32.exe
File opened for modification | C:\Windows\SysWOW64\Nmacbk32.exe | Nciojeem.exe
File created | C:\Windows\SysWOW64\Oicccj32.exe | Obgoaq32.exe
File created | C:\Windows\SysWOW64\Hpbglkge.dll | Baephacf.exe
File created | C:\Windows\SysWOW64\Igehen32.dll | Piaijbgi.exe
File opened for modification | C:\Windows\SysWOW64\Lkiiee32.exe | Kkdoje32.exe
File opened for modification | C:\Windows\SysWOW64\Fnmjkahi.exe | Ecpomiok.exe
File created | C:\Windows\SysWOW64\Npljkdlo.dll | Mhpeelnd.exe
File created | C:\Windows\SysWOW64\Qpmnml32.exe | Qfeicffb.exe
File opened for modification | C:\Windows\SysWOW64\Koajfk32.exe | Klpaep32.exe
File created | C:\Windows\SysWOW64\Oaalfihk.dll | Lcocmi32.exe
File created | C:\Windows\SysWOW64\Bmbngd32.exe | Bakmbcka.exe
File opened for modification | C:\Windows\SysWOW64\Ohbfonpm.exe | Oahnbc32.exe
File created | C:\Windows\SysWOW64\Kpncbemh.exe | Jpgmaf32.exe
File opened for modification | C:\Windows\SysWOW64\Jocepc32.exe | Iedjfodg.exe
File opened for modification | C:\Windows\SysWOW64\Mjeaph32.exe | Lnnakg32.exe
File created | C:\Windows\SysWOW64\Hdaajd32.exe | Hjimaole.exe
File opened for modification | C:\Windows\SysWOW64\Gfgnnedj.exe | Gicndaep.exe
File created | C:\Windows\SysWOW64\Qdldlp32.dll | Adbdml32.exe
File created | C:\Windows\SysWOW64\Cknqppmi.dll | Kfgpblda.exe
File created | C:\Windows\SysWOW64\Ljenkd32.dll | Ddkbfp32.exe
File opened for modification | C:\Windows\SysWOW64\Klpaep32.exe | Kolakkii.exe
File created | C:\Windows\SysWOW64\Mmgoohbo.exe | Mgkjmnme.exe
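Every path in this list is under C:\Windows\SysWOW64, and every dropped name is eight characters before the extension: either eight letters (Mamcddhg.exe, Hodgdijp.dll) or six letters followed by "32" (Fbkblb32.exe, Acjnfh32.dll), the same shape as genuine system binaries such as kernel32.dll or advapi32.dll. Pairs such as `File created ... Fbkblb32.exe Fibncmpg.exe` followed by `File opened for modification ... Fbkblb32.exe Fibncmpg.exe` show each link writing the next executable in the chain, and the .dll entries are the COM servers registered in the "Modifies registry class" section. The script below is an added hunt, not from the report or the sandbox: it lists files in SysWOW64 and System32 that match that naming scheme, were created inside an assumed 30-day window, and do not carry a valid Microsoft signature. The pattern and the window are drawn from this report's IoC list, not from a family signature, and because the name pattern also matches legitimate files the signature and creation-time filters do the real work.

```powershell
# Added hunting script (not from the sandbox report). Lists binaries in the system directories whose
# names follow the eight-letter / six-letters-plus-"32" scheme seen in this report's dropped files and
# that are NOT validly signed by Microsoft. The pattern also matches legitimate files such as
# kernel32.dll, so the signature check and the creation-time window do the filtering.
# Assumptions: $NewerThanDays is an arbitrary triage window; Microsoft is identified by the signer subject.

function Find-SuspectSystemBinaries {
    param(
        [string[]]$Directories = @("$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32"),
        [int]$NewerThanDays = 30
    )
    $namePattern = '^(?:[a-z]{8}|[a-z]{6}32)\.(?:exe|dll)$'   # -match is case-insensitive by default
    $cutoffUtc   = (Get-Date).ToUniversalTime().AddDays(-$NewerThanDays)

    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $namePattern -and $_.CreationTimeUtc -gt $cutoffUtc } |
            ForEach-Object {
                $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = $sig.SignerCertificate.Subject
                # Skip files that carry a valid Microsoft signature; everything else is worth a look.
                if ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation') { return }
                [pscustomobject]@{
                    Path       = $_.FullName
                    CreatedUtc = $_.CreationTimeUtc
                    SizeKB     = [math]::Round($_.Length / 1KB)
                    SigStatus  = $sig.Status
                    Signer     = $signer
                    SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

Find-SuspectSystemBinaries | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize
```

Two caveats when reading the output: Microsoft files that are catalog-signed rather than Authenticode-embedded can report `NotSigned` on PowerShell builds that do not consult the catalog, so compare any hit against a known-clean machine of the same Windows build before acting on it; and the SHA256 column is there to pivot across hosts, since a chain like this one writes a fresh binary at every link and a single hash will not cover the set.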
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kifodcej.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bpedoold.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pbnngi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Glgckl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfahlfko.dll" | Bgkijp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjalbh32.dll" | Edjgpi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Libnapmg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ibkpmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gelddk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacmbj32.dll" | Bmbngd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bkhkfhnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conhfaeh.dll" | Hjimaole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohoibjmh.dll" | Pmoabn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nemcca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deihhbnd.dll" | Gnblgani.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fcmndncl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ghohdk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mcaiif32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mhjhfnma.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Meknhh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mlnijmhc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qdjgbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aocbgkic.dll" | Kmiqfoie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aojbdqid.dll" | Bopefnnf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cmhmmmgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfofee32.dll" | Gloecbaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mgingoog.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ndcoeq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nliakd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hdhemn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlcnoajl.dll" | Ejennd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjdghj32.dll" | Ppeikjle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aajggjap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oomeenke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cpplpgnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjfakoad.dll" | Ndmghqpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lnfgmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obhnaa32.dll" | Ipgbngfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdfhedpo.dll" | Aajggjap.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aapnfe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aiabap32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | NEAS.0daefddef28fa4123c1b9cced1798970.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmpgi32.dll" | Hbchnfei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfhkolhc.dll" | Amibklml.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fbkblb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcapgfnb.dll" | Nfiaajob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pigfdcoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lecgdgmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlcnnhjo.dll" | Npjelo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igehen32.dll" | Piaijbgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhhfk32.dll" | Mmgoohbo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Edplapnf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Adbdml32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fibocnnj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lgephccp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mcdeof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pifjfofk.dll" | Bkkhlhlj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icfgmmbo.dll" | Bifkloeq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hiefmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdldlp32.dll" | Adbdml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iemdep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pnkbdqpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fndpfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beoeco32.dll" | Pkhofold.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4912 wrote to memory of 888 | 4912 | NEAS.0daefddef28fa4123c1b9cced1798970.exe | 94
PID 4912 wrote to memory of 888 | 4912 | NEAS.0daefddef28fa4123c1b9cced1798970.exe | 94
PID 4912 wrote to memory of 888 | 4912 | NEAS.0daefddef28fa4123c1b9cced1798970.exe | 94
PID 888 wrote to memory of 1496 | 888 | Dgmpkg32.exe | 95
PID 888 wrote to memory of 1496 | 888 | Dgmpkg32.exe | 95
PID 888 wrote to memory of 1496 | 888 | Dgmpkg32.exe | 95
PID 1496 wrote to memory of 1800 | 1496 | Hipdpbgf.exe | 96
PID 1496 wrote to memory of 1800 | 1496 | Hipdpbgf.exe | 96
PID 1496 wrote to memory of 1800 | 1496 | Hipdpbgf.exe | 96
PID 1800 wrote to memory of 4896 | 1800 | Jkajnh32.exe | 97
PID 1800 wrote to memory of 4896 | 1800 | Jkajnh32.exe | 97
PID 1800 wrote to memory of 4896 | 1800 | Jkajnh32.exe | 97
PID 4896 wrote to memory of 2872 | 4896 | Jjefao32.exe | 98
PID 4896 wrote to memory of 2872 | 4896 | Jjefao32.exe | 98
PID 4896 wrote to memory of 2872 | 4896 | Jjefao32.exe | 98
PID 2872 wrote to memory of 2632 | 2872 | Kofheeoq.exe | 99
PID 2872 wrote to memory of 2632 | 2872 | Kofheeoq.exe | 99
PID 2872 wrote to memory of 2632 | 2872 | Kofheeoq.exe | 99
PID 2632 wrote to memory of 4920 | 2632 | Kkdoje32.exe | 100
PID 2632 wrote to memory of 4920 | 2632 | Kkdoje32.exe | 100
PID 2632 wrote to memory of 4920 | 2632 | Kkdoje32.exe | 100
PID 4920 wrote to memory of 3088 | 4920 | Lkiiee32.exe | 101
PID 4920 wrote to memory of 3088 | 4920 | Lkiiee32.exe | 101
PID 4920 wrote to memory of 3088 | 4920 | Lkiiee32.exe | 101
PID 3088 wrote to memory of 4980 | 3088 | Npgjbabk.exe | 103
PID 3088 wrote to memory of 4980 | 3088 | Npgjbabk.exe | 103
PID 3088 wrote to memory of 4980 | 3088 | Npgjbabk.exe | 103
PID 4980 wrote to memory of 3664 | 4980 | Oljkcpnb.exe | 105
PID 4980 wrote to memory of 3664 | 4980 | Oljkcpnb.exe | 105
PID 4980 wrote to memory of 3664 | 4980 | Oljkcpnb.exe | 105
PID 3664 wrote to memory of 4292 | 3664 | Dnhncjom.exe | 106
PID 3664 wrote to memory of 4292 | 3664 | Dnhncjom.exe | 106
PID 3664 wrote to memory of 4292 | 3664 | Dnhncjom.exe | 106
PID 4292 wrote to memory of 3140 | 4292 | Ghohdk32.exe | 107
PID 4292 wrote to memory of 3140 | 4292 | Ghohdk32.exe | 107
PID 4292 wrote to memory of 3140 | 4292 | Ghohdk32.exe | 107
PID 3140 wrote to memory of 1124 | 3140 | Incpdodg.exe | 108
PID 3140 wrote to memory of 1124 | 3140 | Incpdodg.exe | 108
PID 3140 wrote to memory of 1124 | 3140 | Incpdodg.exe | 108
PID 1124 wrote to memory of 2164 | 1124 | Inflio32.exe | 109
PID 1124 wrote to memory of 2164 | 1124 | Inflio32.exe | 109
PID 1124 wrote to memory of 2164 | 1124 | Inflio32.exe | 109
PID 2164 wrote to memory of 2644 | 2164 | Jedjkkmo.exe | 110
PID 2164 wrote to memory of 2644 | 2164 | Jedjkkmo.exe | 110
PID 2164 wrote to memory of 2644 | 2164 | Jedjkkmo.exe | 110
PID 2644 wrote to memory of 112 | 2644 | Kdpmmf32.exe | 111
PID 2644 wrote to memory of 112 | 2644 | Kdpmmf32.exe | 111
PID 2644 wrote to memory of 112 | 2644 | Kdpmmf32.exe | 111
PID 112 wrote to memory of 4276 | 112 | Meepoc32.exe | 112
PID 112 wrote to memory of 4276 | 112 | Meepoc32.exe | 112
PID 112 wrote to memory of 4276 | 112 | Meepoc32.exe | 112
PID 4276 wrote to memory of 4004 | 4276 | Mmaakpfd.exe | 113
PID 4276 wrote to memory of 4004 | 4276 | Mmaakpfd.exe | 113
PID 4276 wrote to memory of 4004 | 4276 | Mmaakpfd.exe | 113
PID 4004 wrote to memory of 4876 | 4004 | Nnpjdfpb.exe | 114
PID 4004 wrote to memory of 4876 | 4004 | Nnpjdfpb.exe | 114
PID 4004 wrote to memory of 4876 | 4004 | Nnpjdfpb.exe | 114
PID 4876 wrote to memory of 2688 | 4876 | Olfgcj32.exe | 115
PID 4876 wrote to memory of 2688 | 4876 | Olfgcj32.exe | 115
PID 4876 wrote to memory of 2688 | 4876 | Olfgcj32.exe | 115
PID 2688 wrote to memory of 4532 | 2688 | Ofadlbhj.exe | 116
PID 2688 wrote to memory of 4532 | 2688 | Ofadlbhj.exe | 116
PID 2688 wrote to memory of 4532 | 2688 | Ofadlbhj.exe | 116
PID 4532 wrote to memory of 980 | 4532 | Pmbcik32.exe | 117
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.0daefddef28fa4123c1b9cced1798970.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.0daefddef28fa4123c1b9cced1798970.exe"; tree depth 1; PID 4912)
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Dgmpkg32.exe (command line: C:\Windows\system32\Dgmpkg32.exe; tree depth 2; PID 888)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Hipdpbgf.exe (command line: C:\Windows\system32\Hipdpbgf.exe; tree depth 3; PID 1496)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Jkajnh32.exe (command line: C:\Windows\system32\Jkajnh32.exe; tree depth 4; PID 1800)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Jjefao32.exe (command line: C:\Windows\system32\Jjefao32.exe; tree depth 5; PID 4896)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kofheeoq.exe (command line: C:\Windows\system32\Kofheeoq.exe; tree depth 6; PID 2872)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kkdoje32.exe (command line: C:\Windows\system32\Kkdoje32.exe; tree depth 7; PID 2632)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lkiiee32.exe (command line: C:\Windows\system32\Lkiiee32.exe; tree depth 8; PID 4920)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Npgjbabk.exe (command line: C:\Windows\system32\Npgjbabk.exe; tree depth 9; PID 3088)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Oljkcpnb.exe (command line: C:\Windows\system32\Oljkcpnb.exe; tree depth 10; PID 4980)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Dnhncjom.exe (command line: C:\Windows\system32\Dnhncjom.exe; tree depth 11; PID 3664)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ghohdk32.exe (command line: C:\Windows\system32\Ghohdk32.exe; tree depth 12; PID 4292)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Incpdodg.exe (command line: C:\Windows\system32\Incpdodg.exe; tree depth 13; PID 3140)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Inflio32.exe (command line: C:\Windows\system32\Inflio32.exe; tree depth 14; PID 1124)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Jedjkkmo.exe (command line: C:\Windows\system32\Jedjkkmo.exe; tree depth 15; PID 2164)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kdpmmf32.exe (command line: C:\Windows\system32\Kdpmmf32.exe; tree depth 16; PID 2644)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Meepoc32.exe (command line: C:\Windows\system32\Meepoc32.exe; tree depth 17; PID 112)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Mmaakpfd.exe (command line: C:\Windows\system32\Mmaakpfd.exe; tree depth 18; PID 4276)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nnpjdfpb.exe (command line: C:\Windows\system32\Nnpjdfpb.exe; tree depth 19; PID 4004)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Olfgcj32.exe (command line: C:\Windows\system32\Olfgcj32.exe; tree depth 20; PID 4876)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ofadlbhj.exe (command line: C:\Windows\system32\Ofadlbhj.exe; tree depth 21; PID 2688)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Pmbcik32.exe (command line: C:\Windows\system32\Pmbcik32.exe; tree depth 22; PID 4532)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Alelkf32.exe (command line: C:\Windows\system32\Alelkf32.exe; tree depth 23; PID 980)
- Executes dropped EXE
C:\Windows\SysWOW64\Apeagd32.exe (command line: C:\Windows\system32\Apeagd32.exe; tree depth 24; PID 2408)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Bllble32.exe (command line: C:\Windows\system32\Bllble32.exe; tree depth 25; PID 2740)
- Executes dropped EXE
C:\Windows\SysWOW64\Benjkijd.exe (command line: C:\Windows\system32\Benjkijd.exe; tree depth 26; PID 2176)
- Executes dropped EXE
C:\Windows\SysWOW64\Cgmfel32.exe (command line: C:\Windows\system32\Cgmfel32.exe; tree depth 27; PID 4644)
- Executes dropped EXE
C:\Windows\SysWOW64\Cjbhbf32.exe (command line: C:\Windows\system32\Cjbhbf32.exe; tree depth 28; PID 2924)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Dcpffk32.exe (command line: C:\Windows\system32\Dcpffk32.exe; tree depth 29; PID 4852)
- Executes dropped EXE
C:\Windows\SysWOW64\Dcdpakii.exe (command line: C:\Windows\system32\Dcdpakii.exe; tree depth 30; PID 3488)
- Executes dropped EXE
C:\Windows\SysWOW64\Enomic32.exe (command line: C:\Windows\system32\Enomic32.exe; tree depth 31; PID 2416)
- Executes dropped EXE
C:\Windows\SysWOW64\Ejennd32.exe (command line: C:\Windows\system32\Ejennd32.exe; tree depth 32; PID 2492)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Ecpomiok.exe (command line: C:\Windows\system32\Ecpomiok.exe; tree depth 33; PID 3676)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Fnmjkahi.exe (command line: C:\Windows\system32\Fnmjkahi.exe; tree depth 34; PID 496)
- Executes dropped EXE
C:\Windows\SysWOW64\Fppchile.exe (command line: C:\Windows\system32\Fppchile.exe; tree depth 35; PID 4468)
- Executes dropped EXE
C:\Windows\SysWOW64\Fmdcamko.exe (command line: C:\Windows\system32\Fmdcamko.exe; tree depth 36; PID 524)
- Executes dropped EXE
C:\Windows\SysWOW64\Gmimll32.exe (command line: C:\Windows\system32\Gmimll32.exe; tree depth 37; PID 3172)
- Executes dropped EXE
C:\Windows\SysWOW64\Hjimaole.exe (command line: C:\Windows\system32\Hjimaole.exe; tree depth 38; PID 2240)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Hdaajd32.exe (command line: C:\Windows\system32\Hdaajd32.exe; tree depth 39; PID 4148)
- Executes dropped EXE
C:\Windows\SysWOW64\Idjdqc32.exe (command line: C:\Windows\system32\Idjdqc32.exe; tree depth 40; PID 1528)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Lnfgmc32.exe (command line: C:\Windows\system32\Lnfgmc32.exe; tree depth 41; PID 4400)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Mhpeelnd.exe (command line: C:\Windows\system32\Mhpeelnd.exe; tree depth 42; PID 2308)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Nnkioq32.exe (command line: C:\Windows\system32\Nnkioq32.exe; tree depth 43; PID 2664)
- Executes dropped EXE
C:\Windows\SysWOW64\Oapllk32.exe (command line: C:\Windows\system32\Oapllk32.exe; tree depth 44; PID 4032)
- Executes dropped EXE
C:\Windows\SysWOW64\Abcgii32.exe (command line: C:\Windows\system32\Abcgii32.exe; tree depth 45; PID 3740)
- Executes dropped EXE
C:\Windows\SysWOW64\Fcdbmb32.exe (command line: C:\Windows\system32\Fcdbmb32.exe; tree depth 46; PID 4716)
- Executes dropped EXE
C:\Windows\SysWOW64\Hfoflj32.exe (command line: C:\Windows\system32\Hfoflj32.exe; tree depth 47; PID 1136)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Jpegfm32.exe (command line: C:\Windows\system32\Jpegfm32.exe; tree depth 48; PID 4340)
- Executes dropped EXE
C:\Windows\SysWOW64\Jbhmnhcm.exe (command line: C:\Windows\system32\Jbhmnhcm.exe; tree depth 49; PID 1772)
- Executes dropped EXE
C:\Windows\SysWOW64\Jdjfmjhm.exe (command line: C:\Windows\system32\Jdjfmjhm.exe; tree depth 50; PID 3512)
- Executes dropped EXE
C:\Windows\SysWOW64\Kmgdaokh.exe (command line: C:\Windows\system32\Kmgdaokh.exe; tree depth 51; PID 4484)
- Executes dropped EXE
C:\Windows\SysWOW64\Kgphje32.exe (command line: C:\Windows\system32\Kgphje32.exe; tree depth 52; PID 3996)
- Executes dropped EXE
C:\Windows\SysWOW64\Kmiqfoie.exe (command line: C:\Windows\system32\Kmiqfoie.exe; tree depth 53; PID 3936)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Libnapmg.exe (command line: C:\Windows\system32\Libnapmg.exe; tree depth 54; PID 2140)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Ldhbnhlm.exe (command line: C:\Windows\system32\Ldhbnhlm.exe; tree depth 55; PID 3288)
- Executes dropped EXE
C:\Windows\SysWOW64\Ldjodh32.exe (command line: C:\Windows\system32\Ldjodh32.exe; tree depth 56; PID 3060)
- Executes dropped EXE
C:\Windows\SysWOW64\Lkdgqbag.exe (command line: C:\Windows\system32\Lkdgqbag.exe; tree depth 57; PID 400)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Maefnk32.exe (command line: C:\Windows\system32\Maefnk32.exe; tree depth 58; PID 2168)
- Executes dropped EXE
C:\Windows\SysWOW64\Mknjgajl.exe (command line: C:\Windows\system32\Mknjgajl.exe; tree depth 59; PID 5000)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Naaejj32.exe (command line: C:\Windows\system32\Naaejj32.exe; tree depth 60; PID 2936)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Nbjhph32.exe (command line: C:\Windows\system32\Nbjhph32.exe; tree depth 61; PID 3776)
- Executes dropped EXE
C:\Windows\SysWOW64\Odbgbb32.exe (command line: C:\Windows\system32\Odbgbb32.exe; tree depth 62; PID 3560)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Pcjaio32.exe (command line: C:\Windows\system32\Pcjaio32.exe; tree depth 63; PID 700)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Aeemop32.exe (command line: C:\Windows\system32\Aeemop32.exe; tree depth 64; PID 1496)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Balfko32.exe (command line: C:\Windows\system32\Balfko32.exe; tree depth 65; PID 1060)
- Executes dropped EXE
C:\Windows\SysWOW64\Dacebkko.exe (command line: C:\Windows\system32\Dacebkko.exe; tree depth 66; PID 4880)
C:\Windows\SysWOW64\Eceoanpo.exe (command line: C:\Windows\system32\Eceoanpo.exe; tree depth 67; PID 3100)
C:\Windows\SysWOW64\Fhljpcfk.exe (command line: C:\Windows\system32\Fhljpcfk.exe; tree depth 68; PID 4328)
C:\Windows\SysWOW64\Fdgdpdgj.exe (command line: C:\Windows\system32\Fdgdpdgj.exe; tree depth 69; PID 1892)
C:\Windows\SysWOW64\Gbpnegbo.exe (command line: C:\Windows\system32\Gbpnegbo.exe; tree depth 70; PID 212)
C:\Windows\SysWOW64\Glebbpbd.exe (command line: C:\Windows\system32\Glebbpbd.exe; tree depth 71; PID 1876)
C:\Windows\SysWOW64\Gdcdlb32.exe (command line: C:\Windows\system32\Gdcdlb32.exe; tree depth 72; PID 4272)
C:\Windows\SysWOW64\Hiefmp32.exe (command line: C:\Windows\system32\Hiefmp32.exe; tree depth 73; PID 4288)
- Modifies registry class
C:\Windows\SysWOW64\Hfiffd32.exe (command line: C:\Windows\system32\Hfiffd32.exe; tree depth 74; PID 5096)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Ifefbbdj.exe (command line: C:\Windows\system32\Ifefbbdj.exe; tree depth 75; PID 3064)
C:\Windows\SysWOW64\Jmfdpkeo.exe (command line: C:\Windows\system32\Jmfdpkeo.exe; tree depth 76; PID 2828)
C:\Windows\SysWOW64\Jpgmaf32.exe (command line: C:\Windows\system32\Jpgmaf32.exe; tree depth 77; PID 4976)
- Drops file in System32 directory
C:\Windows\SysWOW64\Kpncbemh.exe (command line: C:\Windows\system32\Kpncbemh.exe; tree depth 78; PID 1800)
C:\Windows\SysWOW64\Kmfmfigl.exe (command line: C:\Windows\system32\Kmfmfigl.exe; tree depth 79; PID 880)
C:\Windows\SysWOW64\Lbhojo32.exe (command line: C:\Windows\system32\Lbhojo32.exe; tree depth 80; PID 1888)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Mpebjb32.exe (command line: C:\Windows\system32\Mpebjb32.exe; tree depth 81; PID 5152)
C:\Windows\SysWOW64\Meknhh32.exe (command line: C:\Windows\system32\Meknhh32.exe; tree depth 82; PID 5196)
- Modifies registry class
C:\Windows\SysWOW64\Nenjng32.exe (command line: C:\Windows\system32\Nenjng32.exe; tree depth 83; PID 5244)
C:\Windows\SysWOW64\Npcokpln.exe (command line: C:\Windows\system32\Npcokpln.exe; tree depth 84; PID 5288)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Ngmggj32.exe (command line: C:\Windows\system32\Ngmggj32.exe; tree depth 85; PID 5332)
C:\Windows\SysWOW64\Npjelo32.exe (command line: C:\Windows\system32\Npjelo32.exe; tree depth 86; PID 5372)
- Modifies registry class
C:\Windows\SysWOW64\Ojcidelf.exe (command line: C:\Windows\system32\Ojcidelf.exe; tree depth 87; PID 5420)
C:\Windows\SysWOW64\Opmaaodc.exe (command line: C:\Windows\system32\Opmaaodc.exe; tree depth 88; PID 5452)
C:\Windows\SysWOW64\Ojefjd32.exe (command line: C:\Windows\system32\Ojefjd32.exe; tree depth 89; PID 5524)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Odaphl32.exe (command line: C:\Windows\system32\Odaphl32.exe; tree depth 90; PID 5560)
C:\Windows\SysWOW64\Pfcmpdjp.exe (command line: C:\Windows\system32\Pfcmpdjp.exe; tree depth 91; PID 5612)
C:\Windows\SysWOW64\Pgbijg32.exe (command line: C:\Windows\system32\Pgbijg32.exe; tree depth 92; PID 5660)
C:\Windows\SysWOW64\Pmoabn32.exe (command line: C:\Windows\system32\Pmoabn32.exe; tree depth 93; PID 5712)
- Modifies registry class
C:\Windows\SysWOW64\Pcncjh32.exe (command line: C:\Windows\system32\Pcncjh32.exe; tree depth 94; PID 5768)
C:\Windows\SysWOW64\Qjjhla32.exe (command line: C:\Windows\system32\Qjjhla32.exe; tree depth 95; PID 5832)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Ammnclcj.exe (command line: C:\Windows\system32\Ammnclcj.exe; tree depth 96; PID 5884)
C:\Windows\SysWOW64\Ageofe32.exe (command line: C:\Windows\system32\Ageofe32.exe; tree depth 97; PID 5924)
C:\Windows\SysWOW64\Anogbohj.exe (command line: C:\Windows\system32\Anogbohj.exe; tree depth 98; PID 5976)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Bnhjinpo.exe (command line: C:\Windows\system32\Bnhjinpo.exe; tree depth 99; PID 6024)
C:\Windows\SysWOW64\Bcebadof.exe (command line: C:\Windows\system32\Bcebadof.exe; tree depth 100; PID 6080)
C:\Windows\SysWOW64\Bhehmbbj.exe (command line: C:\Windows\system32\Bhehmbbj.exe; tree depth 101; PID 6132)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Celelf32.exe (command line: C:\Windows\system32\Celelf32.exe; tree depth 102; PID 5184)
C:\Windows\SysWOW64\Ddhhnana.exe (command line: C:\Windows\system32\Ddhhnana.exe; tree depth 103; PID 3424)
C:\Windows\SysWOW64\Degdgd32.exe (command line: C:\Windows\system32\Degdgd32.exe; tree depth 104; PID 1524)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Ikokkc32.exe (command line: C:\Windows\system32\Ikokkc32.exe; tree depth 105; PID 5600)
C:\Windows\SysWOW64\Inmggo32.exe (command line: C:\Windows\system32\Inmggo32.exe; tree depth 106; PID 5644)
C:\Windows\SysWOW64\Ibkpmm32.exe (command line: C:\Windows\system32\Ibkpmm32.exe; tree depth 107; PID 5708)
- Modifies registry class
C:\Windows\SysWOW64\Ikcdfbmc.exe (command line: C:\Windows\system32\Ikcdfbmc.exe; tree depth 108; PID 5792)
C:\Windows\SysWOW64\Ifihckmi.exe (command line: C:\Windows\system32\Ifihckmi.exe; tree depth 109; PID 5920)
C:\Windows\SysWOW64\Klfjbpmn.exe (command line: C:\Windows\system32\Klfjbpmn.exe; tree depth 110; PID 2688)
C:\Windows\SysWOW64\Kijjldkh.exe (command line: C:\Windows\system32\Kijjldkh.exe; tree depth 111; PID 1400)
C:\Windows\SysWOW64\Medqmb32.exe (command line: C:\Windows\system32\Medqmb32.exe; tree depth 112; PID 6112)
C:\Windows\SysWOW64\Mlnijmhc.exe (command line: C:\Windows\system32\Mlnijmhc.exe; tree depth 113; PID 3536)
- Modifies registry class
C:\Windows\SysWOW64\Mbhafgpp.exe (command line: C:\Windows\system32\Mbhafgpp.exe; tree depth 114; PID 5192)
C:\Windows\SysWOW64\Mhdjonng.exe (command line: C:\Windows\system32\Mhdjonng.exe; tree depth 115; PID 2676)
C:\Windows\SysWOW64\Mpnnek32.exe (command line: C:\Windows\system32\Mpnnek32.exe; tree depth 116; PID 4508)
C:\Windows\SysWOW64\Nemcca32.exe (command line: C:\Windows\system32\Nemcca32.exe; tree depth 117; PID 2400)
- Modifies registry class
C:\Windows\SysWOW64\Nlglpkpi.exe (command line: C:\Windows\system32\Nlglpkpi.exe; tree depth 118; PID 2416)
C:\Windows\SysWOW64\Nlihek32.exe (command line: C:\Windows\system32\Nlihek32.exe; tree depth 119; PID 4732)
C:\Windows\SysWOW64\Ohgokknb.exe (command line: C:\Windows\system32\Ohgokknb.exe; tree depth 120; PID 5568)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Aqmldddb.exe (command line: C:\Windows\system32\Aqmldddb.exe; tree depth 121; PID 5764)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Bpkllo32.exe (command line: C:\Windows\system32\Bpkllo32.exe; tree depth 122; PID 5864)
- Adds autorun key to be loaded by Explorer.exe on startup