Analysis
-
max time kernel
168s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
16/11/2023, 21:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.ddca609b7e3584c11a306c2d8efa8a70.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.ddca609b7e3584c11a306c2d8efa8a70.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.ddca609b7e3584c11a306c2d8efa8a70.exe
-
Size
128KB
-
MD5
ddca609b7e3584c11a306c2d8efa8a70
-
SHA1
49e5203a261e9371446ef91f1a9d7717398114df
-
SHA256
9b42c3ca878739d5e1260e0a2b426f85ecb98814acb2fddc0eb9b1644645bcd4
-
SHA512
4d661533dad188f1212a9f3630770dae12ec45a239a86e82a710ed55b376b33daed0a04ec1cda5a966aefaa1b514780f6d38aac8767ad63ccc0845dfc842ce13
-
SSDEEP
3072:ccAIr14XY80OBTmSDuneIxUEdmjRrz3TIUV4BKi:bA414X70c/ueIGEdGTBI
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qemoff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cgpcklpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehekjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Doqpkq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimphakb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmbbaq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njghkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjocbhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iebfmfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jeneidji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ogfccchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pljalipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pahppihl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgnleiid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnffjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocmchdmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jncfmgfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nobdlqnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ogmidbal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgieipmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jaekkfcm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phkmoc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cddemi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cahffmel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhmgdo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moobkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohboeenl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjhaeklb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okjnhpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qfjjpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcembe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emdjjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpgqik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meadgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Einmaaqb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgiaemic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gkoplk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eilfldoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igoeoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpdnaci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgocgjgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihgnfnjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chbncg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgjnpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gjkbnfha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hebcao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ienlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmbpeiaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qqcjnell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cppfgnlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaceghcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogcfncjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciqnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcnnllcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgebnc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cenaaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikagpcof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pqbdclak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggakn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahfmpnql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbdgec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Behiec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Elojej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffjdjmpf.exe -
Executes dropped EXE 64 IoCs
pid Process 3552 Ahfmpnql.exe 1604 Aopemh32.exe 952 Bkibgh32.exe 3228 Bdagpnbk.exe 4912 Bddcenpi.exe 4444 Cdpcal32.exe 1376 Coegoe32.exe 2816 Cklhcfle.exe 1300 Dpiplm32.exe 1136 Dkndie32.exe 1296 Dpkmal32.exe 3844 Doojec32.exe 3360 Gghdaa32.exe 664 Ieagmcmq.exe 3700 Ljpaqmgb.exe 4304 Nbbeml32.exe 4380 Nofefp32.exe 2004 Nmjfodne.exe 4264 Ocdnln32.exe 1492 Ommceclc.exe 4480 Ofegni32.exe 4696 Omopjcjp.exe 1888 Ofjqihnn.exe 1916 Opbean32.exe 3152 Oflmnh32.exe 4908 Pqbala32.exe 2748 Padnaq32.exe 4028 Pfagighf.exe 4224 Pjoppf32.exe 1524 Paihlpfi.exe 752 Pmphaaln.exe 4620 Pciqnk32.exe 5112 Pmbegqjk.exe 2268 Qfjjpf32.exe 3980 Qiiflaoo.exe 4216 Qfmfefni.exe 1380 Amfobp32.exe 4508 Ccppmc32.exe 1088 Cdolgfbp.exe 4300 Cpfmlghd.exe 860 Dkbgjo32.exe 2992 Dpopbepi.exe 3108 Dncpkjoc.exe 1928 Eaaiahei.exe 4548 Ecbeip32.exe 568 Eaceghcg.exe 116 Ekljpm32.exe 4232 Eddnic32.exe 984 Enlcahgh.exe 3892 Ecikjoep.exe 228 Enopghee.exe 2480 Edihdb32.exe 700 Fkcpql32.exe 4764 Fgiaemic.exe 4544 Fncibg32.exe 3964 Fdmaoahm.exe 3584 Fjjjgh32.exe 2252 Fqdbdbna.exe 4408 Fjmfmh32.exe 1448 Fdbkja32.exe 1732 Fjocbhbo.exe 1080 Fqikob32.exe 4520 Gkoplk32.exe 4840 Gbhhieao.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cbnbhfde.exe Cnbfgh32.exe File created C:\Windows\SysWOW64\Deagoa32.exe Dngobghg.exe File opened for modification C:\Windows\SysWOW64\Ebeapc32.exe Epgdch32.exe File created C:\Windows\SysWOW64\Ecgidn32.dll Bomknp32.exe File created C:\Windows\SysWOW64\Gfmmle32.dll Ebplhp32.exe File created C:\Windows\SysWOW64\Pjalbh32.dll Ejabgcdp.exe File opened for modification C:\Windows\SysWOW64\Halmaiog.exe Hjedpkne.exe File created C:\Windows\SysWOW64\Kgaljo32.dll Hdppaidl.exe File created C:\Windows\SysWOW64\Cbnepf32.dll Idieob32.exe File opened for modification C:\Windows\SysWOW64\Hbiakf32.exe Gfbpfedp.exe File opened for modification C:\Windows\SysWOW64\Cenaaf32.exe Cndidlfb.exe File created C:\Windows\SysWOW64\Lfkmhe32.dll Nbadmege.exe File created C:\Windows\SysWOW64\Cppfgnlj.exe Bgeabloo.exe File opened for modification C:\Windows\SysWOW64\Nobdlqnc.exe Njghkb32.exe File opened for modification C:\Windows\SysWOW64\Ekljpm32.exe Eaceghcg.exe File created C:\Windows\SysWOW64\Ifoijonj.exe Ienlbf32.exe File opened for modification C:\Windows\SysWOW64\Qiiflaoo.exe Qfjjpf32.exe File opened for modification C:\Windows\SysWOW64\Ifihckmi.exe Ikcdfbmc.exe File created C:\Windows\SysWOW64\Ogfccchd.exe Ogcfncjf.exe File opened for modification C:\Windows\SysWOW64\Pfdbknda.exe Pphjbgfj.exe File opened for modification C:\Windows\SysWOW64\Pgihppgo.exe Poaqocgl.exe File created C:\Windows\SysWOW64\Bgodho32.dll Hglaookl.exe File created C:\Windows\SysWOW64\Eimlgnij.exe Ebcdjc32.exe File opened for modification C:\Windows\SysWOW64\Ehnpmkbg.exe Ebagdddp.exe File opened for modification C:\Windows\SysWOW64\Cpgqik32.exe Ciioaa32.exe File created C:\Windows\SysWOW64\Ogmkmjhc.dll Pgcpdn32.exe File opened for modification C:\Windows\SysWOW64\Bbeobhlp.exe Beaohcmf.exe File opened for modification C:\Windows\SysWOW64\Jnmglk32.exe Icgbob32.exe File created C:\Windows\SysWOW64\Hiemgadg.dll Jimeelkc.exe File opened for modification C:\Windows\SysWOW64\Jpffgp32.exe Jkkjfa32.exe File created C:\Windows\SysWOW64\Gijedm32.exe Ggkiha32.exe File created C:\Windows\SysWOW64\Pakleh32.exe Pchljlpo.exe File opened for modification C:\Windows\SysWOW64\Fjjjgh32.exe Fdmaoahm.exe File created C:\Windows\SysWOW64\Olopjikl.dll Qgalelin.exe File created C:\Windows\SysWOW64\Llelkhhc.dll Hkkhjj32.exe File opened for modification C:\Windows\SysWOW64\Lhfmmp32.exe Jeekeg32.exe File created C:\Windows\SysWOW64\Ljccfoqj.dll Eiobbgcl.exe File opened for modification C:\Windows\SysWOW64\Jeekeg32.exe Jkmgladi.exe File created C:\Windows\SysWOW64\Phqbaj32.exe Pcdjic32.exe File opened for modification C:\Windows\SysWOW64\Einmaaqb.exe Dpehikja.exe File created C:\Windows\SysWOW64\Lijoklol.dll Ajpqhdkl.exe File opened for modification C:\Windows\SysWOW64\Flboch32.exe Fgffka32.exe File created C:\Windows\SysWOW64\Cnpibh32.exe Cpklql32.exe File created C:\Windows\SysWOW64\Dendok32.exe Ciefek32.exe File opened for modification C:\Windows\SysWOW64\Pcgdcome.exe Ocldhqgb.exe File created C:\Windows\SysWOW64\Pegqmbch.exe Pbhdafdd.exe File opened for modification C:\Windows\SysWOW64\Pchljlpo.exe Polpim32.exe File created C:\Windows\SysWOW64\Cohddjgl.dll Pfagighf.exe File created C:\Windows\SysWOW64\Qqdqilph.exe Qnfdlpqd.exe File created C:\Windows\SysWOW64\Ibhjkk32.dll Jbfhne32.exe File created C:\Windows\SysWOW64\Ccefbg32.dll Ddklnh32.exe File created C:\Windows\SysWOW64\Ehopck32.dll Cpjmok32.exe File opened for modification C:\Windows\SysWOW64\Cfgace32.exe Cnpibh32.exe File created C:\Windows\SysWOW64\Nekfnbbc.dll Dngobghg.exe File created C:\Windows\SysWOW64\Bnlfqngm.exe Bjqjpp32.exe File created C:\Windows\SysWOW64\Gmfilfep.exe Gflapl32.exe File opened for modification C:\Windows\SysWOW64\Pbhdafdd.exe Pnmhqh32.exe File opened for modification C:\Windows\SysWOW64\Njdlfbgm.exe Niconj32.exe File created C:\Windows\SysWOW64\Cclbeepo.dll Plijbblh.exe File opened for modification C:\Windows\SysWOW64\Kmeiie32.exe Khhaanop.exe File opened for modification C:\Windows\SysWOW64\Pcagjndj.exe Pengna32.exe File created C:\Windows\SysWOW64\Mimoii32.dll Nboggf32.exe File created C:\Windows\SysWOW64\Ffbhnh32.dll Dcjnikhc.exe File created C:\Windows\SysWOW64\Pkebekgo.exe Papnhbgi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8860 2468 Process not Found 1200 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckcaap32.dll" Pomgcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nbbeml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gkhbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Knkcmild.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebagdddp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bonjnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hkaedk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pphjbgfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iggakn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fckaeioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bldcodde.dll" Ehbihj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pengna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichcim32.dll" Afhoaahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noncij32.dll" Deokhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkgqdb32.dll" Qemoff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckclfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kenognbk.dll" Diopep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifihckmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jecoog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gmcdolbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkagnii.dll" Nknolaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oflmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gfgjbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Noeaaqlq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Paaidf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ddklnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ifihckmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gjkbnfha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pmpmnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dehkbkip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gackgo32.dll" Aebhaede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ellliaek.dll" Elojej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hbppaopp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfogohpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gobicbgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cndidlfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Halmaiog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombonc32.dll" Noeaaqlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdifbc32.dll" Cibagpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkkhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ihpgda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlhidg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Daaiml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iecmcpoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbpihlbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hahnld32.dll" Cfljnejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljccfoqj.dll" Eiobbgcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gobicbgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gflapl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pomgcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhcgba32.dll" Magnbnea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldibcl32.dll" Jknocljn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpci32.dll" Chjaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dcjnikhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Likage32.dll" Ofjqihnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fcdbmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oenljoji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjalbh32.dll" Ejabgcdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ogfccchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdjpphi.dll" Heepfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gflcnanp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bnehgmob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Phkmoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckidoc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 740 wrote to memory of 3552 740 NEAS.ddca609b7e3584c11a306c2d8efa8a70.exe 86 PID 740 wrote to memory of 3552 740 NEAS.ddca609b7e3584c11a306c2d8efa8a70.exe 86 PID 740 wrote to memory of 3552 740 NEAS.ddca609b7e3584c11a306c2d8efa8a70.exe 86 PID 3552 wrote to memory of 1604 3552 Ahfmpnql.exe 88 PID 3552 wrote to memory of 1604 3552 Ahfmpnql.exe 88 PID 3552 wrote to memory of 1604 3552 Ahfmpnql.exe 88 PID 1604 wrote to memory of 952 1604 Aopemh32.exe 89 PID 1604 wrote to memory of 952 1604 Aopemh32.exe 89 PID 1604 wrote to memory of 952 1604 Aopemh32.exe 89 PID 952 wrote to memory of 3228 952 Bkibgh32.exe 90 PID 952 wrote to memory of 3228 952 Bkibgh32.exe 90 PID 952 wrote to memory of 3228 952 Bkibgh32.exe 90 PID 3228 wrote to memory of 4912 3228 Bdagpnbk.exe 92 PID 3228 wrote to memory of 4912 3228 Bdagpnbk.exe 92 PID 3228 wrote to memory of 4912 3228 Bdagpnbk.exe 92 PID 4912 wrote to memory of 4444 4912 Bddcenpi.exe 93 PID 4912 wrote to memory of 4444 4912 Bddcenpi.exe 93 PID 4912 wrote to memory of 4444 4912 Bddcenpi.exe 93 PID 4444 wrote to memory of 1376 4444 Cdpcal32.exe 94 PID 4444 wrote to memory of 1376 4444 Cdpcal32.exe 94 PID 4444 wrote to memory of 1376 4444 Cdpcal32.exe 94 PID 1376 wrote to memory of 2816 1376 Coegoe32.exe 95 PID 1376 wrote to memory of 2816 1376 Coegoe32.exe 95 PID 1376 wrote to memory of 2816 1376 Coegoe32.exe 95 PID 2816 wrote to memory of 1300 2816 Cklhcfle.exe 96 PID 2816 wrote to memory of 1300 2816 Cklhcfle.exe 96 PID 2816 wrote to memory of 1300 2816 Cklhcfle.exe 96 PID 1300 wrote to memory of 1136 1300 Dpiplm32.exe 97 PID 1300 wrote to memory of 1136 1300 Dpiplm32.exe 97 PID 1300 wrote to memory of 1136 1300 Dpiplm32.exe 97 PID 1136 wrote to memory of 1296 1136 Dkndie32.exe 98 PID 1136 wrote to memory of 1296 1136 Dkndie32.exe 98 PID 1136 wrote to memory of 1296 1136 Dkndie32.exe 98 PID 1296 wrote to memory of 3844 1296 Dpkmal32.exe 99 PID 1296 wrote to memory of 3844 1296 Dpkmal32.exe 99 PID 1296 wrote to memory of 3844 1296 Dpkmal32.exe 99 PID 3844 wrote to memory of 3360 3844 Doojec32.exe 100 PID 3844 wrote to memory of 3360 3844 Doojec32.exe 100 PID 3844 wrote to memory of 3360 3844 Doojec32.exe 100 PID 3360 wrote to memory of 664 3360 Gghdaa32.exe 101 PID 3360 wrote to memory of 664 3360 Gghdaa32.exe 101 PID 3360 wrote to memory of 664 3360 Gghdaa32.exe 101 PID 664 wrote to memory of 3700 664 Ieagmcmq.exe 102 PID 664 wrote to memory of 3700 664 Ieagmcmq.exe 102 PID 664 wrote to memory of 3700 664 Ieagmcmq.exe 102 PID 3700 wrote to memory of 4304 3700 Ljpaqmgb.exe 104 PID 3700 wrote to memory of 4304 3700 Ljpaqmgb.exe 104 PID 3700 wrote to memory of 4304 3700 Ljpaqmgb.exe 104 PID 4304 wrote to memory of 4380 4304 Nbbeml32.exe 105 PID 4304 wrote to memory of 4380 4304 Nbbeml32.exe 105 PID 4304 wrote to memory of 4380 4304 Nbbeml32.exe 105 PID 4380 wrote to memory of 2004 4380 Nofefp32.exe 106 PID 4380 wrote to memory of 2004 4380 Nofefp32.exe 106 PID 4380 wrote to memory of 2004 4380 Nofefp32.exe 106 PID 2004 wrote to memory of 4264 2004 Nmjfodne.exe 107 PID 2004 wrote to memory of 4264 2004 Nmjfodne.exe 107 PID 2004 wrote to memory of 4264 2004 Nmjfodne.exe 107 PID 4264 wrote to memory of 1492 4264 Ocdnln32.exe 108 PID 4264 wrote to memory of 1492 4264 Ocdnln32.exe 108 PID 4264 wrote to memory of 1492 4264 Ocdnln32.exe 108 PID 1492 wrote to memory of 4480 1492 Ommceclc.exe 109 PID 1492 wrote to memory of 4480 1492 Ommceclc.exe 109 PID 1492 wrote to memory of 4480 1492 Ommceclc.exe 109 PID 4480 wrote to memory of 4696 4480 Ofegni32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.ddca609b7e3584c11a306c2d8efa8a70.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.ddca609b7e3584c11a306c2d8efa8a70.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\SysWOW64\Ahfmpnql.exeC:\Windows\system32\Ahfmpnql.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\SysWOW64\Aopemh32.exeC:\Windows\system32\Aopemh32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Bkibgh32.exeC:\Windows\system32\Bkibgh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Bdagpnbk.exeC:\Windows\system32\Bdagpnbk.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\SysWOW64\Bddcenpi.exeC:\Windows\system32\Bddcenpi.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Cdpcal32.exeC:\Windows\system32\Cdpcal32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\Coegoe32.exeC:\Windows\system32\Coegoe32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Cklhcfle.exeC:\Windows\system32\Cklhcfle.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Dpiplm32.exeC:\Windows\system32\Dpiplm32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Dkndie32.exeC:\Windows\system32\Dkndie32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Dpkmal32.exeC:\Windows\system32\Dpkmal32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Doojec32.exeC:\Windows\system32\Doojec32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\Gghdaa32.exeC:\Windows\system32\Gghdaa32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\SysWOW64\Ieagmcmq.exeC:\Windows\system32\Ieagmcmq.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Ljpaqmgb.exeC:\Windows\system32\Ljpaqmgb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\Nbbeml32.exeC:\Windows\system32\Nbbeml32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\SysWOW64\Nofefp32.exeC:\Windows\system32\Nofefp32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\Nmjfodne.exeC:\Windows\system32\Nmjfodne.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Ocdnln32.exeC:\Windows\system32\Ocdnln32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\Ommceclc.exeC:\Windows\system32\Ommceclc.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Ofegni32.exeC:\Windows\system32\Ofegni32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Omopjcjp.exeC:\Windows\system32\Omopjcjp.exe23⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Ofjqihnn.exeC:\Windows\system32\Ofjqihnn.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:1888 -
C:\Windows\SysWOW64\Opbean32.exeC:\Windows\system32\Opbean32.exe25⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Oflmnh32.exeC:\Windows\system32\Oflmnh32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:3152 -
C:\Windows\SysWOW64\Pqbala32.exeC:\Windows\system32\Pqbala32.exe27⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Padnaq32.exeC:\Windows\system32\Padnaq32.exe28⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Pfagighf.exeC:\Windows\system32\Pfagighf.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4028 -
C:\Windows\SysWOW64\Pjoppf32.exeC:\Windows\system32\Pjoppf32.exe30⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Paihlpfi.exeC:\Windows\system32\Paihlpfi.exe31⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Pmphaaln.exeC:\Windows\system32\Pmphaaln.exe32⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Pciqnk32.exeC:\Windows\system32\Pciqnk32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Pmbegqjk.exeC:\Windows\system32\Pmbegqjk.exe34⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Qfjjpf32.exeC:\Windows\system32\Qfjjpf32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Qiiflaoo.exeC:\Windows\system32\Qiiflaoo.exe36⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Qfmfefni.exeC:\Windows\system32\Qfmfefni.exe37⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Amfobp32.exeC:\Windows\system32\Amfobp32.exe38⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Ccppmc32.exeC:\Windows\system32\Ccppmc32.exe39⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Cdolgfbp.exeC:\Windows\system32\Cdolgfbp.exe40⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Cpfmlghd.exeC:\Windows\system32\Cpfmlghd.exe41⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Dkbgjo32.exeC:\Windows\system32\Dkbgjo32.exe42⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Dpopbepi.exeC:\Windows\system32\Dpopbepi.exe43⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Dncpkjoc.exeC:\Windows\system32\Dncpkjoc.exe44⤵
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Eaaiahei.exeC:\Windows\system32\Eaaiahei.exe45⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Ecbeip32.exeC:\Windows\system32\Ecbeip32.exe46⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Eaceghcg.exeC:\Windows\system32\Eaceghcg.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:568 -
C:\Windows\SysWOW64\Ekljpm32.exeC:\Windows\system32\Ekljpm32.exe48⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Eddnic32.exeC:\Windows\system32\Eddnic32.exe49⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Enlcahgh.exeC:\Windows\system32\Enlcahgh.exe50⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Ecikjoep.exeC:\Windows\system32\Ecikjoep.exe51⤵
- Executes dropped EXE
PID:3892 -
C:\Windows\SysWOW64\Enopghee.exeC:\Windows\system32\Enopghee.exe52⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Edihdb32.exeC:\Windows\system32\Edihdb32.exe53⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Fkcpql32.exeC:\Windows\system32\Fkcpql32.exe54⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Fgiaemic.exeC:\Windows\system32\Fgiaemic.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Fncibg32.exeC:\Windows\system32\Fncibg32.exe56⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Fdmaoahm.exeC:\Windows\system32\Fdmaoahm.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3964 -
C:\Windows\SysWOW64\Fjjjgh32.exeC:\Windows\system32\Fjjjgh32.exe58⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Fqdbdbna.exeC:\Windows\system32\Fqdbdbna.exe59⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Fjmfmh32.exeC:\Windows\system32\Fjmfmh32.exe60⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Fdbkja32.exeC:\Windows\system32\Fdbkja32.exe61⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Fjocbhbo.exeC:\Windows\system32\Fjocbhbo.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Fqikob32.exeC:\Windows\system32\Fqikob32.exe63⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Gkoplk32.exeC:\Windows\system32\Gkoplk32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Gbhhieao.exeC:\Windows\system32\Gbhhieao.exe65⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Ggepalof.exeC:\Windows\system32\Ggepalof.exe66⤵PID:4324
-
C:\Windows\SysWOW64\Gkalbj32.exeC:\Windows\system32\Gkalbj32.exe67⤵PID:4220
-
C:\Windows\SysWOW64\Gjficg32.exeC:\Windows\system32\Gjficg32.exe68⤵PID:4040
-
C:\Windows\SysWOW64\Gnaecedp.exeC:\Windows\system32\Gnaecedp.exe69⤵PID:5064
-
C:\Windows\SysWOW64\Gcnnllcg.exeC:\Windows\system32\Gcnnllcg.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4080 -
C:\Windows\SysWOW64\Gkefmjcj.exeC:\Windows\system32\Gkefmjcj.exe71⤵PID:2616
-
C:\Windows\SysWOW64\Gqbneq32.exeC:\Windows\system32\Gqbneq32.exe72⤵PID:5136
-
C:\Windows\SysWOW64\Gkhbbi32.exeC:\Windows\system32\Gkhbbi32.exe73⤵
- Modifies registry class
PID:5180 -
C:\Windows\SysWOW64\Gjkbnfha.exeC:\Windows\system32\Gjkbnfha.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5244 -
C:\Windows\SysWOW64\Hqdkkp32.exeC:\Windows\system32\Hqdkkp32.exe75⤵PID:5300
-
C:\Windows\SysWOW64\Hepgkohh.exeC:\Windows\system32\Hepgkohh.exe76⤵PID:5352
-
C:\Windows\SysWOW64\Hgocgjgk.exeC:\Windows\system32\Hgocgjgk.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5404 -
C:\Windows\SysWOW64\Hbdgec32.exeC:\Windows\system32\Hbdgec32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5444 -
C:\Windows\SysWOW64\Hebcao32.exeC:\Windows\system32\Hebcao32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5484 -
C:\Windows\SysWOW64\Hjolie32.exeC:\Windows\system32\Hjolie32.exe80⤵PID:5528
-
C:\Windows\SysWOW64\Heepfn32.exeC:\Windows\system32\Heepfn32.exe81⤵
- Modifies registry class
PID:5624 -
C:\Windows\SysWOW64\Odljjo32.exeC:\Windows\system32\Odljjo32.exe82⤵PID:5720
-
C:\Windows\SysWOW64\Bifkcioc.exeC:\Windows\system32\Bifkcioc.exe83⤵PID:5788
-
C:\Windows\SysWOW64\Cefoni32.exeC:\Windows\system32\Cefoni32.exe84⤵PID:5832
-
C:\Windows\SysWOW64\Dpgbgpbe.exeC:\Windows\system32\Dpgbgpbe.exe85⤵PID:5896
-
C:\Windows\SysWOW64\Didqkeeq.exeC:\Windows\system32\Didqkeeq.exe86⤵PID:5944
-
C:\Windows\SysWOW64\Eennefib.exeC:\Windows\system32\Eennefib.exe87⤵PID:5984
-
C:\Windows\SysWOW64\Elhfbp32.exeC:\Windows\system32\Elhfbp32.exe88⤵PID:6024
-
C:\Windows\SysWOW64\Eilfldoi.exeC:\Windows\system32\Eilfldoi.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6064 -
C:\Windows\SysWOW64\Epeohn32.exeC:\Windows\system32\Epeohn32.exe90⤵PID:6108
-
C:\Windows\SysWOW64\Egpgehnb.exeC:\Windows\system32\Egpgehnb.exe91⤵PID:1820
-
C:\Windows\SysWOW64\Ellpmolj.exeC:\Windows\system32\Ellpmolj.exe92⤵PID:5240
-
C:\Windows\SysWOW64\Ecfhji32.exeC:\Windows\system32\Ecfhji32.exe93⤵PID:5344
-
C:\Windows\SysWOW64\Eippgckc.exeC:\Windows\system32\Eippgckc.exe94⤵PID:5468
-
C:\Windows\SysWOW64\Epjhcnbp.exeC:\Windows\system32\Epjhcnbp.exe95⤵PID:5540
-
C:\Windows\SysWOW64\Ecidpiad.exeC:\Windows\system32\Ecidpiad.exe96⤵PID:2516
-
C:\Windows\SysWOW64\Eegqldqg.exeC:\Windows\system32\Eegqldqg.exe97⤵PID:2080
-
C:\Windows\SysWOW64\Flaiho32.exeC:\Windows\system32\Flaiho32.exe98⤵PID:1112
-
C:\Windows\SysWOW64\Fckaeioa.exeC:\Windows\system32\Fckaeioa.exe99⤵
- Modifies registry class
PID:4268 -
C:\Windows\SysWOW64\Fckaeioa.exeC:\Windows\system32\Fckaeioa.exe100⤵PID:5572
-
C:\Windows\SysWOW64\Flcfnn32.exeC:\Windows\system32\Flcfnn32.exe101⤵PID:5652
-
C:\Windows\SysWOW64\Fcmnkh32.exeC:\Windows\system32\Fcmnkh32.exe102⤵PID:5688
-
C:\Windows\SysWOW64\Flfbcndo.exeC:\Windows\system32\Flfbcndo.exe103⤵PID:5708
-
C:\Windows\SysWOW64\Fjjcmbci.exeC:\Windows\system32\Fjjcmbci.exe104⤵PID:5772
-
C:\Windows\SysWOW64\Fpckjlje.exeC:\Windows\system32\Fpckjlje.exe105⤵PID:5812
-
C:\Windows\SysWOW64\Fjlpbb32.exeC:\Windows\system32\Fjlpbb32.exe106⤵PID:5884
-
C:\Windows\SysWOW64\Fcddkggf.exeC:\Windows\system32\Fcddkggf.exe107⤵PID:5916
-
C:\Windows\SysWOW64\Ffcpgcfj.exeC:\Windows\system32\Ffcpgcfj.exe108⤵PID:5968
-
C:\Windows\SysWOW64\Gcgqag32.exeC:\Windows\system32\Gcgqag32.exe109⤵PID:6060
-
C:\Windows\SysWOW64\Gfemmb32.exeC:\Windows\system32\Gfemmb32.exe110⤵PID:6116
-
C:\Windows\SysWOW64\Gfgjbb32.exeC:\Windows\system32\Gfgjbb32.exe111⤵
- Modifies registry class
PID:5228 -
C:\Windows\SysWOW64\Gmdoel32.exeC:\Windows\system32\Gmdoel32.exe112⤵PID:5428
-
C:\Windows\SysWOW64\Gflcnanp.exeC:\Windows\system32\Gflcnanp.exe113⤵
- Modifies registry class
PID:5576 -
C:\Windows\SysWOW64\Gqagkjne.exeC:\Windows\system32\Gqagkjne.exe114⤵PID:3300
-
C:\Windows\SysWOW64\Gdmcki32.exeC:\Windows\system32\Gdmcki32.exe115⤵PID:5608
-
C:\Windows\SysWOW64\Hjjldpdf.exeC:\Windows\system32\Hjjldpdf.exe116⤵PID:5672
-
C:\Windows\SysWOW64\Hmhhpkcj.exeC:\Windows\system32\Hmhhpkcj.exe117⤵PID:5764
-
C:\Windows\SysWOW64\Hdppaidl.exeC:\Windows\system32\Hdppaidl.exe118⤵
- Drops file in System32 directory
PID:5820 -
C:\Windows\SysWOW64\Hjlhipbc.exeC:\Windows\system32\Hjlhipbc.exe119⤵PID:5924
-
C:\Windows\SysWOW64\Hqfqfj32.exeC:\Windows\system32\Hqfqfj32.exe120⤵PID:6052
-
C:\Windows\SysWOW64\Hcembe32.exeC:\Windows\system32\Hcembe32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5164
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-