Analysis
-
max time kernel
187s -
max time network
185s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
14/10/2023, 18:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.a27b4dc6482a9dad8188cd8c6ce3a0f0.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.a27b4dc6482a9dad8188cd8c6ce3a0f0.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.a27b4dc6482a9dad8188cd8c6ce3a0f0.exe
-
Size
340KB
-
MD5
a27b4dc6482a9dad8188cd8c6ce3a0f0
-
SHA1
489002071090bc5a8fee8d459f28c1269557f997
-
SHA256
9724759af2036ed13747a4f507da86a7754d21a8fad19d0510e82c7ec49651c3
-
SHA512
31a2b02dbf725e19b2035bb0c773260b4411536e9157a572882d63f796464710152726eabc55504671bd52041b3ee1abc9caf992fe6798edd5ad2df8a151bdba
-
SSDEEP
6144:xZ5zpEsxTNb3/fc/UmKyIxLDXXoq9FJZCUmKyIxLjh:xZE0I32XXf9Do3i
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agdcpkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmjkka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdodekhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjhpccnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmedmj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdoacabq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmgjee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idfhibdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmhial32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpeclq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipdfheal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Linmlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkghqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhoomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inhgaipf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kglcmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfqgjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfgopnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjaqih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdpmmf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlolpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkdlkope.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkghqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlihek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqfokblg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mogcihaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbcjhobg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nobdlqnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndmpddfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkaljpmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poajdlcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojomcopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agkqiobl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnaighhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljpideje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjbopcip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlhidg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbbdcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eoagdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gokbgpeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nalgbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dplebmbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apaadpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmkfoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikhghi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdoacabq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Conanfli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aefcif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgkdkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkdlkope.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjaqih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpjfdcb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llofnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Effffd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkkndp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhijjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pokjnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qofjjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccmgbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogcnmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eohmkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkqebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbddpclj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkmdoi32.exe -
Executes dropped EXE 64 IoCs
pid Process 4984 Jiiicf32.exe 4364 Jgmjmjnb.exe 5116 Jebfng32.exe 1416 Jokkgl32.exe 3224 Jlolpq32.exe 5024 Kpmdfonj.exe 1760 Keimof32.exe 2128 Kgiiiidd.exe 1656 Kodnmkap.exe 788 Kngkqbgl.exe 4744 Lfbped32.exe 1164 Lcgpni32.exe 1064 Lomqcjie.exe 2864 Lopmii32.exe 408 Lobjni32.exe 4736 Mogcihaj.exe 3764 Moipoh32.exe 4104 Mokmdh32.exe 1584 Mnmmboed.exe 400 Mjcngpjh.exe 3184 Nfjola32.exe 2172 Npbceggm.exe 2788 Npepkf32.exe 1112 Nmipdk32.exe 4256 Njmqnobn.exe 3664 Ojomcopk.exe 2980 Ogcnmc32.exe 1992 Ogekbb32.exe 4668 Oclkgccf.exe 4032 Opclldhj.exe 2996 Omgmeigd.exe 3016 Phfcipoo.exe 3624 Qhhpop32.exe 1140 Qdoacabq.exe 984 Qodeajbg.exe 4796 Ahmjjoig.exe 4712 Aaenbd32.exe 4564 Amlogfel.exe 1820 Agdcpkll.exe 792 Adhdjpjf.exe 4596 Akblfj32.exe 2752 Apodoq32.exe 1500 Agimkk32.exe 3888 Apaadpng.exe 3564 Bknlbhhe.exe 2840 Bahdob32.exe 2764 Bnoddcef.exe 4316 Cdimqm32.exe 4252 Conanfli.exe 5052 Cdkifmjq.exe 4304 Coqncejg.exe 1672 Caageq32.exe 4100 Ckjknfnh.exe 1136 Cacckp32.exe 3792 Cogddd32.exe 4964 Dgcihgaj.exe 412 Ddgibkpc.exe 4548 Dndgfpbo.exe 796 Dhikci32.exe 4704 Enfckp32.exe 4416 Edplhjhi.exe 1660 Eoepebho.exe 1588 Edbiniff.exe 4060 Eohmkb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kjdjhgdb.exe Kibmqond.exe File opened for modification C:\Windows\SysWOW64\Kbpkdd32.exe Kgjggkqi.exe File created C:\Windows\SysWOW64\Dckajh32.dll Lobjni32.exe File created C:\Windows\SysWOW64\Ajlngk32.exe Qofjjb32.exe File created C:\Windows\SysWOW64\Flbfhigk.dll Cmhial32.exe File created C:\Windows\SysWOW64\Ikickgnf.exe Idoknmfj.exe File opened for modification C:\Windows\SysWOW64\Jdhndlno.exe Innfgb32.exe File opened for modification C:\Windows\SysWOW64\Aebjokda.exe Agkqiobl.exe File created C:\Windows\SysWOW64\Jhgneqha.exe Jnaighhk.exe File opened for modification C:\Windows\SysWOW64\Llofnh32.exe Laiaqp32.exe File created C:\Windows\SysWOW64\Kmfhelke.exe Kjafha32.exe File created C:\Windows\SysWOW64\Gpjmbhch.dll Kkaljpmd.exe File created C:\Windows\SysWOW64\Dplebmbl.exe Dfcqjg32.exe File opened for modification C:\Windows\SysWOW64\Pmhkflnj.exe Jacpcl32.exe File opened for modification C:\Windows\SysWOW64\Menpgmap.exe Mndhkc32.exe File created C:\Windows\SysWOW64\Magnbnea.exe Mlkejgfj.exe File created C:\Windows\SysWOW64\Akfiji32.dll Mjcngpjh.exe File opened for modification C:\Windows\SysWOW64\Omgmeigd.exe Opclldhj.exe File created C:\Windows\SysWOW64\Lbbjhini.exe Lfkich32.exe File created C:\Windows\SysWOW64\Qlhnng32.exe Qodmdb32.exe File created C:\Windows\SysWOW64\Nochannh.dll Bqfokblg.exe File created C:\Windows\SysWOW64\Jokkgl32.exe Jebfng32.exe File opened for modification C:\Windows\SysWOW64\Mogcihaj.exe Lobjni32.exe File created C:\Windows\SysWOW64\Qjefmq32.dll Qjijgead.exe File created C:\Windows\SysWOW64\Noldbk32.dll Nkdlkope.exe File opened for modification C:\Windows\SysWOW64\Ppffec32.exe Pkinmlnm.exe File created C:\Windows\SysWOW64\Oaomij32.exe Ohfhqd32.exe File created C:\Windows\SysWOW64\Khfchg32.dll Fmiaimki.exe File created C:\Windows\SysWOW64\Mlflog32.exe Lelcbmcc.exe File created C:\Windows\SysWOW64\Agcbng32.dll Ebocpd32.exe File created C:\Windows\SysWOW64\Qfeckiie.dll Pcbdcf32.exe File opened for modification C:\Windows\SysWOW64\Dfhjefhf.exe Dpnbhl32.exe File created C:\Windows\SysWOW64\Mnbnchlb.exe Micheb32.exe File created C:\Windows\SysWOW64\Lpbojlfd.exe Lfeaegdi.exe File created C:\Windows\SysWOW64\Dedeij32.dll Magnbnea.exe File created C:\Windows\SysWOW64\Iiicin32.dll Dgeegled.exe File opened for modification C:\Windows\SysWOW64\Adhdjpjf.exe Agdcpkll.exe File opened for modification C:\Windows\SysWOW64\Fgoakc32.exe Fbbicl32.exe File created C:\Windows\SysWOW64\Dabhmo32.exe Dhjcdimf.exe File created C:\Windows\SysWOW64\Flbfjl32.dll Ogcnmc32.exe File created C:\Windows\SysWOW64\Qodeajbg.exe Qdoacabq.exe File created C:\Windows\SysWOW64\Jacpcl32.exe Ihaidhgf.exe File opened for modification C:\Windows\SysWOW64\Jjmcghjj.exe Jdpkoalc.exe File created C:\Windows\SysWOW64\Mndhkc32.exe Mlflog32.exe File created C:\Windows\SysWOW64\Bbbkmebo.exe Blecdn32.exe File opened for modification C:\Windows\SysWOW64\Edplhjhi.exe Enfckp32.exe File opened for modification C:\Windows\SysWOW64\Fbbicl32.exe Fgmdec32.exe File created C:\Windows\SysWOW64\Ehoegjcf.dll Oldagc32.exe File created C:\Windows\SysWOW64\Gkfnnjnl.exe Gdleap32.exe File opened for modification C:\Windows\SysWOW64\Gdobgp32.exe Glgjfb32.exe File opened for modification C:\Windows\SysWOW64\Eqdpaa32.exe Enfceefi.exe File created C:\Windows\SysWOW64\Nmedmj32.exe Nkghqo32.exe File opened for modification C:\Windows\SysWOW64\Oioahn32.exe Opdpih32.exe File created C:\Windows\SysWOW64\Jefgak32.exe Jknfnbmi.exe File opened for modification C:\Windows\SysWOW64\Bcpblo32.exe Aflabj32.exe File created C:\Windows\SysWOW64\Fpdmob32.dll Fdcjfg32.exe File created C:\Windows\SysWOW64\Dnclpelo.dll Jjjgbhlm.exe File opened for modification C:\Windows\SysWOW64\Mnknkbdk.exe Miofcked.exe File opened for modification C:\Windows\SysWOW64\Conanfli.exe Cdimqm32.exe File created C:\Windows\SysWOW64\Hhfpbpdo.exe Halhfe32.exe File created C:\Windows\SysWOW64\Bliioqol.dll Qmkfoj32.exe File created C:\Windows\SysWOW64\Bcmqin32.exe Bpodmb32.exe File opened for modification C:\Windows\SysWOW64\Ikickgnf.exe Idoknmfj.exe File created C:\Windows\SysWOW64\Ddgibkpc.exe Dgcihgaj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3068 1340 WerFault.exe 508 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdjpff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amkkai32.dll" Hkpgooim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcepdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbpoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmejc32.dll" Ddgibkpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnbdlkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioljaael.dll" Fgpilc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abjllocj.dll" Hdkimdnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inmplh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbkkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkkheak.dll" Kmfhelke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kleiid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efhcld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjdjhgdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Licfgmpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlkejgfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Moipoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmiaimki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcjioknl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgdedj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeegfibg.dll" Dhikci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cggqjn32.dll" Fmehnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oboicmhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfpdfnd.dll" Fbplml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfpcgaqk.dll" Mlnijmhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Heohinog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blqlgdhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apjmealg.dll" Eainnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keaaicgb.dll" Idfhibdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccbolagk.dll" Gbbajjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dlnlak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnpice32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmdogpmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnbkeclf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Naaqhlmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adhdjpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enfckp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njmqnobn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahhiog32.dll" Qlhnng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpjkbcbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pndggkbm.dll" Gpeclq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfclf32.dll" Jjmcghjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgcafl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjbopcip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igpdph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node NEAS.a27b4dc6482a9dad8188cd8c6ce3a0f0.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phfcipoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afdkme32.dll" Mlkejgfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikickgnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igpdph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaehfp32.dll" Ijngkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbkekk32.dll" Kbpkdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdfpfdap.dll" Kojkeogp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlbnhkqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qicnip32.dll" Lnbkeclf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmnmqdee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klambq32.dll" Fbmohmoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aocafeff.dll" Ndmpddfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blqlgdhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdcif32.dll" Dhlhcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mldlmdcd.dll" Laiaqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oefpoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjefmq32.dll" Qjijgead.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndhgie32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4852 wrote to memory of 4984 4852 NEAS.a27b4dc6482a9dad8188cd8c6ce3a0f0.exe 85 PID 4852 wrote to memory of 4984 4852 NEAS.a27b4dc6482a9dad8188cd8c6ce3a0f0.exe 85 PID 4852 wrote to memory of 4984 4852 NEAS.a27b4dc6482a9dad8188cd8c6ce3a0f0.exe 85 PID 4984 wrote to memory of 4364 4984 Jiiicf32.exe 86 PID 4984 wrote to memory of 4364 4984 Jiiicf32.exe 86 PID 4984 wrote to memory of 4364 4984 Jiiicf32.exe 86 PID 4364 wrote to memory of 5116 4364 Jgmjmjnb.exe 87 PID 4364 wrote to memory of 5116 4364 Jgmjmjnb.exe 87 PID 4364 wrote to memory of 5116 4364 Jgmjmjnb.exe 87 PID 5116 wrote to memory of 1416 5116 Jebfng32.exe 88 PID 5116 wrote to memory of 1416 5116 Jebfng32.exe 88 PID 5116 wrote to memory of 1416 5116 Jebfng32.exe 88 PID 1416 wrote to memory of 3224 1416 Jokkgl32.exe 89 PID 1416 wrote to memory of 3224 1416 Jokkgl32.exe 89 PID 1416 wrote to memory of 3224 1416 Jokkgl32.exe 89 PID 3224 wrote to memory of 5024 3224 Jlolpq32.exe 90 PID 3224 wrote to memory of 5024 3224 Jlolpq32.exe 90 PID 3224 wrote to memory of 5024 3224 Jlolpq32.exe 90 PID 5024 wrote to memory of 1760 5024 Kpmdfonj.exe 91 PID 5024 wrote to memory of 1760 5024 Kpmdfonj.exe 91 PID 5024 wrote to memory of 1760 5024 Kpmdfonj.exe 91 PID 1760 wrote to memory of 2128 1760 Keimof32.exe 92 PID 1760 wrote to memory of 2128 1760 Keimof32.exe 92 PID 1760 wrote to memory of 2128 1760 Keimof32.exe 92 PID 2128 wrote to memory of 1656 2128 Kgiiiidd.exe 93 PID 2128 wrote to memory of 1656 2128 Kgiiiidd.exe 93 PID 2128 wrote to memory of 1656 2128 Kgiiiidd.exe 93 PID 1656 wrote to memory of 788 1656 Kodnmkap.exe 94 PID 1656 wrote to memory of 788 1656 Kodnmkap.exe 94 PID 1656 wrote to memory of 788 1656 Kodnmkap.exe 94 PID 788 wrote to memory of 4744 788 Kngkqbgl.exe 95 PID 788 wrote to memory of 4744 788 Kngkqbgl.exe 95 PID 788 wrote to memory of 4744 788 Kngkqbgl.exe 95 PID 4744 wrote to memory of 1164 4744 Lfbped32.exe 96 PID 4744 wrote to memory of 1164 4744 Lfbped32.exe 96 PID 4744 wrote to memory of 1164 4744 Lfbped32.exe 96 PID 1164 wrote to memory of 1064 1164 Lcgpni32.exe 97 PID 1164 wrote to memory of 1064 1164 Lcgpni32.exe 97 PID 1164 wrote to memory of 1064 1164 Lcgpni32.exe 97 PID 1064 wrote to memory of 2864 1064 Lomqcjie.exe 98 PID 1064 wrote to memory of 2864 1064 Lomqcjie.exe 98 PID 1064 wrote to memory of 2864 1064 Lomqcjie.exe 98 PID 2864 wrote to memory of 408 2864 Lopmii32.exe 99 PID 2864 wrote to memory of 408 2864 Lopmii32.exe 99 PID 2864 wrote to memory of 408 2864 Lopmii32.exe 99 PID 408 wrote to memory of 4736 408 Lobjni32.exe 100 PID 408 wrote to memory of 4736 408 Lobjni32.exe 100 PID 408 wrote to memory of 4736 408 Lobjni32.exe 100 PID 4736 wrote to memory of 3764 4736 Mogcihaj.exe 101 PID 4736 wrote to memory of 3764 4736 Mogcihaj.exe 101 PID 4736 wrote to memory of 3764 4736 Mogcihaj.exe 101 PID 3764 wrote to memory of 4104 3764 Moipoh32.exe 102 PID 3764 wrote to memory of 4104 3764 Moipoh32.exe 102 PID 3764 wrote to memory of 4104 3764 Moipoh32.exe 102 PID 4104 wrote to memory of 1584 4104 Mokmdh32.exe 103 PID 4104 wrote to memory of 1584 4104 Mokmdh32.exe 103 PID 4104 wrote to memory of 1584 4104 Mokmdh32.exe 103 PID 1584 wrote to memory of 400 1584 Mnmmboed.exe 104 PID 1584 wrote to memory of 400 1584 Mnmmboed.exe 104 PID 1584 wrote to memory of 400 1584 Mnmmboed.exe 104 PID 400 wrote to memory of 3184 400 Mjcngpjh.exe 105 PID 400 wrote to memory of 3184 400 Mjcngpjh.exe 105 PID 400 wrote to memory of 3184 400 Mjcngpjh.exe 105 PID 3184 wrote to memory of 2172 3184 Nfjola32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.a27b4dc6482a9dad8188cd8c6ce3a0f0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.a27b4dc6482a9dad8188cd8c6ce3a0f0.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Jiiicf32.exeC:\Windows\system32\Jiiicf32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Jgmjmjnb.exeC:\Windows\system32\Jgmjmjnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\Jebfng32.exeC:\Windows\system32\Jebfng32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\Jokkgl32.exeC:\Windows\system32\Jokkgl32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Jlolpq32.exeC:\Windows\system32\Jlolpq32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Kpmdfonj.exeC:\Windows\system32\Kpmdfonj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Keimof32.exeC:\Windows\system32\Keimof32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Kgiiiidd.exeC:\Windows\system32\Kgiiiidd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Kodnmkap.exeC:\Windows\system32\Kodnmkap.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Kngkqbgl.exeC:\Windows\system32\Kngkqbgl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\Lfbped32.exeC:\Windows\system32\Lfbped32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Lcgpni32.exeC:\Windows\system32\Lcgpni32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Lomqcjie.exeC:\Windows\system32\Lomqcjie.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Lopmii32.exeC:\Windows\system32\Lopmii32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Lobjni32.exeC:\Windows\system32\Lobjni32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\SysWOW64\Mogcihaj.exeC:\Windows\system32\Mogcihaj.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\SysWOW64\Moipoh32.exeC:\Windows\system32\Moipoh32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\SysWOW64\Mokmdh32.exeC:\Windows\system32\Mokmdh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\Mnmmboed.exeC:\Windows\system32\Mnmmboed.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Mjcngpjh.exeC:\Windows\system32\Mjcngpjh.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Nfjola32.exeC:\Windows\system32\Nfjola32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\Npbceggm.exeC:\Windows\system32\Npbceggm.exe23⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Npepkf32.exeC:\Windows\system32\Npepkf32.exe24⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Nmipdk32.exeC:\Windows\system32\Nmipdk32.exe25⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Njmqnobn.exeC:\Windows\system32\Njmqnobn.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:4256 -
C:\Windows\SysWOW64\Ojomcopk.exeC:\Windows\system32\Ojomcopk.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Ogcnmc32.exeC:\Windows\system32\Ogcnmc32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Ogekbb32.exeC:\Windows\system32\Ogekbb32.exe29⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Oclkgccf.exeC:\Windows\system32\Oclkgccf.exe30⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Opclldhj.exeC:\Windows\system32\Opclldhj.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4032 -
C:\Windows\SysWOW64\Omgmeigd.exeC:\Windows\system32\Omgmeigd.exe32⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Phfcipoo.exeC:\Windows\system32\Phfcipoo.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Qhhpop32.exeC:\Windows\system32\Qhhpop32.exe34⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Qdoacabq.exeC:\Windows\system32\Qdoacabq.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1140 -
C:\Windows\SysWOW64\Qodeajbg.exeC:\Windows\system32\Qodeajbg.exe36⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Ahmjjoig.exeC:\Windows\system32\Ahmjjoig.exe37⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Aaenbd32.exeC:\Windows\system32\Aaenbd32.exe38⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Amlogfel.exeC:\Windows\system32\Amlogfel.exe39⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Agdcpkll.exeC:\Windows\system32\Agdcpkll.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Adhdjpjf.exeC:\Windows\system32\Adhdjpjf.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:792 -
C:\Windows\SysWOW64\Akblfj32.exeC:\Windows\system32\Akblfj32.exe42⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Apodoq32.exeC:\Windows\system32\Apodoq32.exe43⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Agimkk32.exeC:\Windows\system32\Agimkk32.exe44⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Apaadpng.exeC:\Windows\system32\Apaadpng.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Bknlbhhe.exeC:\Windows\system32\Bknlbhhe.exe46⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Bahdob32.exeC:\Windows\system32\Bahdob32.exe47⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Bnoddcef.exeC:\Windows\system32\Bnoddcef.exe48⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Cdimqm32.exeC:\Windows\system32\Cdimqm32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4316 -
C:\Windows\SysWOW64\Conanfli.exeC:\Windows\system32\Conanfli.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Cdkifmjq.exeC:\Windows\system32\Cdkifmjq.exe51⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Coqncejg.exeC:\Windows\system32\Coqncejg.exe52⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Caageq32.exeC:\Windows\system32\Caageq32.exe53⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Ckjknfnh.exeC:\Windows\system32\Ckjknfnh.exe54⤵
- Executes dropped EXE
PID:4100 -
C:\Windows\SysWOW64\Cacckp32.exeC:\Windows\system32\Cacckp32.exe55⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Cogddd32.exeC:\Windows\system32\Cogddd32.exe56⤵
- Executes dropped EXE
PID:3792 -
C:\Windows\SysWOW64\Dgcihgaj.exeC:\Windows\system32\Dgcihgaj.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4964 -
C:\Windows\SysWOW64\Ddgibkpc.exeC:\Windows\system32\Ddgibkpc.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:412 -
C:\Windows\SysWOW64\Dndgfpbo.exeC:\Windows\system32\Dndgfpbo.exe59⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Dhikci32.exeC:\Windows\system32\Dhikci32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:796 -
C:\Windows\SysWOW64\Enfckp32.exeC:\Windows\system32\Enfckp32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4704 -
C:\Windows\SysWOW64\Edplhjhi.exeC:\Windows\system32\Edplhjhi.exe62⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Eoepebho.exeC:\Windows\system32\Eoepebho.exe63⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Edbiniff.exeC:\Windows\system32\Edbiniff.exe64⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Eohmkb32.exeC:\Windows\system32\Eohmkb32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Edeeci32.exeC:\Windows\system32\Edeeci32.exe66⤵PID:4288
-
C:\Windows\SysWOW64\Ekonpckp.exeC:\Windows\system32\Ekonpckp.exe67⤵PID:4440
-
C:\Windows\SysWOW64\Eqlfhjig.exeC:\Windows\system32\Eqlfhjig.exe68⤵PID:1876
-
C:\Windows\SysWOW64\Ekajec32.exeC:\Windows\system32\Ekajec32.exe69⤵PID:752
-
C:\Windows\SysWOW64\Eqncnj32.exeC:\Windows\system32\Eqncnj32.exe70⤵PID:3540
-
C:\Windows\SysWOW64\Ekcgkb32.exeC:\Windows\system32\Ekcgkb32.exe71⤵PID:4908
-
C:\Windows\SysWOW64\Fbmohmoh.exeC:\Windows\system32\Fbmohmoh.exe72⤵
- Modifies registry class
PID:4516 -
C:\Windows\SysWOW64\Fkfcqb32.exeC:\Windows\system32\Fkfcqb32.exe73⤵PID:1028
-
C:\Windows\SysWOW64\Fbplml32.exeC:\Windows\system32\Fbplml32.exe74⤵
- Modifies registry class
PID:4640 -
C:\Windows\SysWOW64\Fgmdec32.exeC:\Windows\system32\Fgmdec32.exe75⤵
- Drops file in System32 directory
PID:1256 -
C:\Windows\SysWOW64\Fbbicl32.exeC:\Windows\system32\Fbbicl32.exe76⤵
- Drops file in System32 directory
PID:4940 -
C:\Windows\SysWOW64\Fgoakc32.exeC:\Windows\system32\Fgoakc32.exe77⤵PID:3948
-
C:\Windows\SysWOW64\Fqgedh32.exeC:\Windows\system32\Fqgedh32.exe78⤵PID:2372
-
C:\Windows\SysWOW64\Fganqbgg.exeC:\Windows\system32\Fganqbgg.exe79⤵PID:916
-
C:\Windows\SysWOW64\Fnkfmm32.exeC:\Windows\system32\Fnkfmm32.exe80⤵PID:3708
-
C:\Windows\SysWOW64\Feenjgfq.exeC:\Windows\system32\Feenjgfq.exe81⤵PID:4204
-
C:\Windows\SysWOW64\Gokbgpeg.exeC:\Windows\system32\Gokbgpeg.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1624 -
C:\Windows\SysWOW64\Galoohke.exeC:\Windows\system32\Galoohke.exe83⤵PID:2748
-
C:\Windows\SysWOW64\Ggkqgaol.exeC:\Windows\system32\Ggkqgaol.exe84⤵PID:5132
-
C:\Windows\SysWOW64\Gacepg32.exeC:\Windows\system32\Gacepg32.exe85⤵PID:5184
-
C:\Windows\SysWOW64\Ggmmlamj.exeC:\Windows\system32\Ggmmlamj.exe86⤵PID:5228
-
C:\Windows\SysWOW64\Gbbajjlp.exeC:\Windows\system32\Gbbajjlp.exe87⤵
- Modifies registry class
PID:5280 -
C:\Windows\SysWOW64\Ghojbq32.exeC:\Windows\system32\Ghojbq32.exe88⤵PID:5324
-
C:\Windows\SysWOW64\Hnibokbd.exeC:\Windows\system32\Hnibokbd.exe89⤵PID:5368
-
C:\Windows\SysWOW64\Hahokfag.exeC:\Windows\system32\Hahokfag.exe90⤵PID:5412
-
C:\Windows\SysWOW64\Hpioin32.exeC:\Windows\system32\Hpioin32.exe91⤵PID:5456
-
C:\Windows\SysWOW64\Hajkqfoe.exeC:\Windows\system32\Hajkqfoe.exe92⤵PID:5500
-
C:\Windows\SysWOW64\Hpkknmgd.exeC:\Windows\system32\Hpkknmgd.exe93⤵PID:5544
-
C:\Windows\SysWOW64\Halhfe32.exeC:\Windows\system32\Halhfe32.exe94⤵
- Drops file in System32 directory
PID:5588 -
C:\Windows\SysWOW64\Hhfpbpdo.exeC:\Windows\system32\Hhfpbpdo.exe95⤵PID:5632
-
C:\Windows\SysWOW64\Hbldphde.exeC:\Windows\system32\Hbldphde.exe96⤵PID:5728
-
C:\Windows\SysWOW64\Ihaidhgf.exeC:\Windows\system32\Ihaidhgf.exe97⤵
- Drops file in System32 directory
PID:5780 -
C:\Windows\SysWOW64\Jacpcl32.exeC:\Windows\system32\Jacpcl32.exe98⤵
- Drops file in System32 directory
PID:5844 -
C:\Windows\SysWOW64\Pmhkflnj.exeC:\Windows\system32\Pmhkflnj.exe99⤵PID:5888
-
C:\Windows\SysWOW64\Pcbdcf32.exeC:\Windows\system32\Pcbdcf32.exe100⤵
- Drops file in System32 directory
PID:5952 -
C:\Windows\SysWOW64\Cmgjee32.exeC:\Windows\system32\Cmgjee32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6024 -
C:\Windows\SysWOW64\Ijjekn32.exeC:\Windows\system32\Ijjekn32.exe102⤵PID:6076
-
C:\Windows\SysWOW64\Dlnlak32.exeC:\Windows\system32\Dlnlak32.exe103⤵
- Modifies registry class
PID:5160 -
C:\Windows\SysWOW64\Ijngkf32.exeC:\Windows\system32\Ijngkf32.exe104⤵
- Modifies registry class
PID:5380 -
C:\Windows\SysWOW64\Lccdghmc.exeC:\Windows\system32\Lccdghmc.exe105⤵PID:5660
-
C:\Windows\SysWOW64\Nfdfoala.exeC:\Windows\system32\Nfdfoala.exe106⤵PID:5740
-
C:\Windows\SysWOW64\Nmnnlk32.exeC:\Windows\system32\Nmnnlk32.exe107⤵PID:5788
-
C:\Windows\SysWOW64\Ndhgie32.exeC:\Windows\system32\Ndhgie32.exe108⤵
- Modifies registry class
PID:5856 -
C:\Windows\SysWOW64\Nffceq32.exeC:\Windows\system32\Nffceq32.exe109⤵PID:4352
-
C:\Windows\SysWOW64\Nieoal32.exeC:\Windows\system32\Nieoal32.exe110⤵PID:5996
-
C:\Windows\SysWOW64\Nalgbi32.exeC:\Windows\system32\Nalgbi32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6040 -
C:\Windows\SysWOW64\Nhfoocaa.exeC:\Windows\system32\Nhfoocaa.exe112⤵PID:1988
-
C:\Windows\SysWOW64\Nkdlkope.exeC:\Windows\system32\Nkdlkope.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1264 -
C:\Windows\SysWOW64\Ndmpddfe.exeC:\Windows\system32\Ndmpddfe.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Nkghqo32.exeC:\Windows\system32\Nkghqo32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4620 -
C:\Windows\SysWOW64\Nmedmj32.exeC:\Windows\system32\Nmedmj32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3936 -
C:\Windows\SysWOW64\Pkinmlnm.exeC:\Windows\system32\Pkinmlnm.exe117⤵
- Drops file in System32 directory
PID:5140 -
C:\Windows\SysWOW64\Ppffec32.exeC:\Windows\system32\Ppffec32.exe118⤵PID:2732
-
C:\Windows\SysWOW64\Pklkbl32.exeC:\Windows\system32\Pklkbl32.exe119⤵PID:5004
-
C:\Windows\SysWOW64\Icmbcg32.exeC:\Windows\system32\Icmbcg32.exe120⤵PID:2524
-
C:\Windows\SysWOW64\Ijgjpaao.exeC:\Windows\system32\Ijgjpaao.exe121⤵PID:5248
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-