Analysis
-
max time kernel
109s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
14/10/2023, 19:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.d7a07fba4e883a3172210405488f7910.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.d7a07fba4e883a3172210405488f7910.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.d7a07fba4e883a3172210405488f7910.exe
-
Size
59KB
-
MD5
d7a07fba4e883a3172210405488f7910
-
SHA1
df3a170c6c806eadd003304b1b05923047cbeb9a
-
SHA256
d92b0a1f97c2be339b315267a13c1c6d5e76104f8f87e63b54a7f048c51f6b04
-
SHA512
a28d7e9e334026a661a1dc238948bd3d78aa1ef4d862ec142434b2317f75675825d495f2c5dea8d08610dfc3a7032ccbc6e09f4b42583b4c3d330b58893a691e
-
SSDEEP
768:QF/A8Oxi6XwLvexuHtj7dzeGGtvDx6NBrGnOn2aI2p/1H5w7XdnhfXaXdnh:QF/AdeH5RGzOhI2LK5O
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bffkcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjcmngnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aefcif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjpaheio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odfljp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhpaki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nifnao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaddpppa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkpnec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okjbimal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blonbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopgdcnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blieeglf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maehlqch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpccgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpibke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjpllgme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hejjmage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdiobd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgpgplej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cehlcikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjoeoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlifnphl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naqqmieo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iafgob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfhlpnfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nombnc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhofjbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eckogc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfjeej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dknnoofg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgjglg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofdhlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffdddg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpmcmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmejlcoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfaglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmjmnpmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgiiclkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebbinp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clknnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oloipmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amkabind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fofigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcijoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpmfklbq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnanadfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebifha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiphebml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekcplp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjocbhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmimll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnpibh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmejlcoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdkdbgpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enomic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khiofk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbefln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okcmingd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmidnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjpllgme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcpffk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoapldei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abkjnd32.exe -
Executes dropped EXE 64 IoCs
pid Process 3968 Adkqoohc.exe 4040 Boenhgdd.exe 4028 Bdfpkm32.exe 3692 Cpbjkn32.exe 2152 Dakikoom.exe 1996 Enhpao32.exe 968 Ebifmm32.exe 5016 Fkfcqb32.exe 784 Fofilp32.exe 1212 Giecfejd.exe 4036 Glfmgp32.exe 4328 Gbbajjlp.exe 4784 Hahokfag.exe 3784 Hhfpbpdo.exe 2088 Hhimhobl.exe 1492 Ipbaol32.exe 3584 Iiopca32.exe 2992 Jaonbc32.exe 4188 Jhnojl32.exe 4624 Khiofk32.exe 4972 Kcapicdj.exe 2856 Ljpaqmgb.exe 4512 Llqjbhdc.exe 4308 Mpapnfhg.exe 3384 Mbgeqmjp.exe 4472 Njedbjej.exe 4832 Ncbafoge.exe 4336 Ojcpdg32.exe 2232 Ojhiogdd.exe 3716 Pjoppf32.exe 3984 Qcnjijoe.exe 556 Afockelf.exe 2464 Ajaelc32.exe 1964 Bdocph32.exe 5104 Bmidnm32.exe 4640 Cgklmacf.exe 1592 Cmgqpkip.exe 3500 Dknnoofg.exe 1316 Dpmcmf32.exe 1808 Ekgqennl.exe 1556 Eddnic32.exe 1880 Fcneeo32.exe 1532 Fkgillpj.exe 3760 Fdpnda32.exe 4884 Fbdnne32.exe 4468 Fjocbhbo.exe 3116 Gjcmngnj.exe 3848 Gglfbkin.exe 220 Hccggl32.exe 2980 Heepfn32.exe 3888 Hbknebqi.exe 1256 Ilfodgeg.exe 4132 Ieqpbm32.exe 2368 Icfmci32.exe 408 Idhiii32.exe 4256 Jejbhk32.exe 4968 Jaqcnl32.exe 1864 Jbbmmo32.exe 4604 Kbgfhnhi.exe 4800 Kehojiej.exe 4052 Klddlckd.exe 652 Leoejh32.exe 3624 Lkqgno32.exe 1088 Lamlphoo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ncaklhdi.exe Nfiagd32.exe File created C:\Windows\SysWOW64\Aimhmkgn.exe Pmoagk32.exe File created C:\Windows\SysWOW64\Lnanadfi.exe Ldiiio32.exe File created C:\Windows\SysWOW64\Iqhfgqob.dll Cjpcel32.exe File opened for modification C:\Windows\SysWOW64\Nfiagd32.exe Nlqloo32.exe File created C:\Windows\SysWOW64\Plhllf32.dll Pnenchoc.exe File opened for modification C:\Windows\SysWOW64\Dbphcpog.exe Cbknhqbl.exe File opened for modification C:\Windows\SysWOW64\Dbjofp32.exe Dhdkig32.exe File created C:\Windows\SysWOW64\Bnkgomnl.exe Hlbcgj32.exe File created C:\Windows\SysWOW64\Lekjgafi.dll Bfhhho32.exe File created C:\Windows\SysWOW64\Bdfpkm32.exe Boenhgdd.exe File created C:\Windows\SysWOW64\Ilfodgeg.exe Hbknebqi.exe File created C:\Windows\SysWOW64\Icpecm32.exe Ifihdi32.exe File created C:\Windows\SysWOW64\Ppblkffp.exe Pemhmn32.exe File created C:\Windows\SysWOW64\Ekgbbi32.dll Acmfel32.exe File created C:\Windows\SysWOW64\Kdqecc32.exe Kdnincal.exe File created C:\Windows\SysWOW64\Jlkfbe32.exe Idpdfija.exe File created C:\Windows\SysWOW64\Odipjk32.dll Pijiif32.exe File created C:\Windows\SysWOW64\Gbhhlfgd.dll Boenhgdd.exe File created C:\Windows\SysWOW64\Ifcmmg32.dll Bdocph32.exe File opened for modification C:\Windows\SysWOW64\Poagma32.exe Okneldkf.exe File created C:\Windows\SysWOW64\Klgnnd32.dll Bihancje.exe File opened for modification C:\Windows\SysWOW64\Lflpmn32.exe Kbinlp32.exe File created C:\Windows\SysWOW64\Cnhell32.exe Bqdechnf.exe File created C:\Windows\SysWOW64\Elojej32.exe Ebifha32.exe File created C:\Windows\SysWOW64\Gfdhho32.dll Hckjjh32.exe File created C:\Windows\SysWOW64\Ppepkmhi.exe Pdlbpldg.exe File opened for modification C:\Windows\SysWOW64\Dncehk32.exe Cnahbk32.exe File created C:\Windows\SysWOW64\Occlngfm.dll Ecccmo32.exe File created C:\Windows\SysWOW64\Chebcmna.exe Cchikf32.exe File opened for modification C:\Windows\SysWOW64\Fqhbgf32.exe Fcdbmb32.exe File opened for modification C:\Windows\SysWOW64\Bdkbgj32.exe Blonbh32.exe File created C:\Windows\SysWOW64\Cmimlalm.dll Ghmbib32.exe File created C:\Windows\SysWOW64\Jookjpam.exe Jdiglgbg.exe File opened for modification C:\Windows\SysWOW64\Kkgbjkac.exe Kpanmb32.exe File created C:\Windows\SysWOW64\Booaii32.exe Bafgdfim.exe File created C:\Windows\SysWOW64\Kihgqfld.dll Giecfejd.exe File created C:\Windows\SysWOW64\Minipm32.exe Mhmmieil.exe File opened for modification C:\Windows\SysWOW64\Oecnmi32.exe Opfedb32.exe File opened for modification C:\Windows\SysWOW64\Cpcila32.exe Cemeoh32.exe File opened for modification C:\Windows\SysWOW64\Bqdechnf.exe Bglpjb32.exe File opened for modification C:\Windows\SysWOW64\Fjanjb32.exe Epgpajdp.exe File created C:\Windows\SysWOW64\Foqacehl.dll Gcqhcgqi.exe File opened for modification C:\Windows\SysWOW64\Nnfpcada.exe Mggolhaj.exe File opened for modification C:\Windows\SysWOW64\Cclhbcho.exe Bfhhho32.exe File opened for modification C:\Windows\SysWOW64\Dogfkpih.exe Ddbbngjb.exe File created C:\Windows\SysWOW64\Ganikk32.dll Ddbbngjb.exe File opened for modification C:\Windows\SysWOW64\Jaonbc32.exe Iiopca32.exe File created C:\Windows\SysWOW64\Fncbha32.exe Dlcmgqdd.exe File created C:\Windows\SysWOW64\Iplkje32.exe Haeadi32.exe File opened for modification C:\Windows\SysWOW64\Ebbinp32.exe Ejgdim32.exe File opened for modification C:\Windows\SysWOW64\Hpgkeodo.exe Hjjbmhfg.exe File created C:\Windows\SysWOW64\Jjklcf32.exe Iaiddajo.exe File opened for modification C:\Windows\SysWOW64\Nebdighb.exe Pkpmnh32.exe File created C:\Windows\SysWOW64\Macjbdpf.dll Pblhalfm.exe File created C:\Windows\SysWOW64\Hpgkeodo.exe Hjjbmhfg.exe File created C:\Windows\SysWOW64\Ojcpdg32.exe Ncbafoge.exe File created C:\Windows\SysWOW64\Fdpnda32.exe Fkgillpj.exe File created C:\Windows\SysWOW64\Nfeepdbg.exe Nfchjddj.exe File created C:\Windows\SysWOW64\Ieogkc32.dll Bchgnoai.exe File opened for modification C:\Windows\SysWOW64\Eonmkkmj.exe Ejaecdnc.exe File created C:\Windows\SysWOW64\Efolidno.exe Eflocepa.exe File created C:\Windows\SysWOW64\Dgpgplej.exe Dacohegc.exe File created C:\Windows\SysWOW64\Fjocbhbo.exe Fbdnne32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpanmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhofjbnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoapldei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icqmncof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oakojnlp.dll" Nfaijand.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbphcpog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddnmeejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacdlf32.dll" Inflio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldgkdbia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lekjgafi.dll" Bfhhho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qiilbk32.dll" Ceqngekl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jefbomoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpcila32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbdmdlie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbinlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmgenjm.dll" Mmahff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oghgbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obnlpnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahceqce.dll" Fofilp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbknebqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kongimkh.dll" Jejbhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elaciinf.dll" Ppblkffp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennofanf.dll" Mkangg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjklcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfjhdobb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpglmjoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmkbeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaeghn32.dll" Pemhmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcpffk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejcm32.dll" Ebifha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eefhcimp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kknjjmcp.dll" Kdnincal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ammnhilb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfcmhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aiimejap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opfedb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnaalghe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bglpjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flmhclod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmejlcoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oioahn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpfidh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njfaalao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgnnkfll.dll" Llgjcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cclhbcho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcneeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amkabind.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aiqkmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdiglgbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjpllgme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkfcqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmmpa32.dll" Hahokfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbgfhnhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcojaiah.dll" Omkdcccb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqhbgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiedaoip.dll" Alaaajmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlbcgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gglfbkin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hccggl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbefln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idpdfija.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmccncmj.dll" Nnfpcada.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljpaqmgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djmima32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4260 wrote to memory of 3968 4260 NEAS.d7a07fba4e883a3172210405488f7910.exe 84 PID 4260 wrote to memory of 3968 4260 NEAS.d7a07fba4e883a3172210405488f7910.exe 84 PID 4260 wrote to memory of 3968 4260 NEAS.d7a07fba4e883a3172210405488f7910.exe 84 PID 3968 wrote to memory of 4040 3968 Adkqoohc.exe 85 PID 3968 wrote to memory of 4040 3968 Adkqoohc.exe 85 PID 3968 wrote to memory of 4040 3968 Adkqoohc.exe 85 PID 4040 wrote to memory of 4028 4040 Boenhgdd.exe 86 PID 4040 wrote to memory of 4028 4040 Boenhgdd.exe 86 PID 4040 wrote to memory of 4028 4040 Boenhgdd.exe 86 PID 4028 wrote to memory of 3692 4028 Bdfpkm32.exe 87 PID 4028 wrote to memory of 3692 4028 Bdfpkm32.exe 87 PID 4028 wrote to memory of 3692 4028 Bdfpkm32.exe 87 PID 3692 wrote to memory of 2152 3692 Cpbjkn32.exe 88 PID 3692 wrote to memory of 2152 3692 Cpbjkn32.exe 88 PID 3692 wrote to memory of 2152 3692 Cpbjkn32.exe 88 PID 2152 wrote to memory of 1996 2152 Dakikoom.exe 89 PID 2152 wrote to memory of 1996 2152 Dakikoom.exe 89 PID 2152 wrote to memory of 1996 2152 Dakikoom.exe 89 PID 1996 wrote to memory of 968 1996 Enhpao32.exe 90 PID 1996 wrote to memory of 968 1996 Enhpao32.exe 90 PID 1996 wrote to memory of 968 1996 Enhpao32.exe 90 PID 968 wrote to memory of 5016 968 Ebifmm32.exe 91 PID 968 wrote to memory of 5016 968 Ebifmm32.exe 91 PID 968 wrote to memory of 5016 968 Ebifmm32.exe 91 PID 5016 wrote to memory of 784 5016 Fkfcqb32.exe 92 PID 5016 wrote to memory of 784 5016 Fkfcqb32.exe 92 PID 5016 wrote to memory of 784 5016 Fkfcqb32.exe 92 PID 784 wrote to memory of 1212 784 Fofilp32.exe 93 PID 784 wrote to memory of 1212 784 Fofilp32.exe 93 PID 784 wrote to memory of 1212 784 Fofilp32.exe 93 PID 1212 wrote to memory of 4036 1212 Giecfejd.exe 94 PID 1212 wrote to memory of 4036 1212 Giecfejd.exe 94 PID 1212 wrote to memory of 4036 1212 Giecfejd.exe 94 PID 4036 wrote to memory of 4328 4036 Glfmgp32.exe 95 PID 4036 wrote to memory of 4328 4036 Glfmgp32.exe 95 PID 4036 wrote to memory of 4328 4036 Glfmgp32.exe 95 PID 4328 wrote to memory of 4784 4328 Gbbajjlp.exe 96 PID 4328 wrote to memory of 4784 4328 Gbbajjlp.exe 96 PID 4328 wrote to memory of 4784 4328 Gbbajjlp.exe 96 PID 4784 wrote to memory of 3784 4784 Hahokfag.exe 97 PID 4784 wrote to memory of 3784 4784 Hahokfag.exe 97 PID 4784 wrote to memory of 3784 4784 Hahokfag.exe 97 PID 3784 wrote to memory of 2088 3784 Hhfpbpdo.exe 98 PID 3784 wrote to memory of 2088 3784 Hhfpbpdo.exe 98 PID 3784 wrote to memory of 2088 3784 Hhfpbpdo.exe 98 PID 2088 wrote to memory of 1492 2088 Hhimhobl.exe 99 PID 2088 wrote to memory of 1492 2088 Hhimhobl.exe 99 PID 2088 wrote to memory of 1492 2088 Hhimhobl.exe 99 PID 1492 wrote to memory of 3584 1492 Ipbaol32.exe 100 PID 1492 wrote to memory of 3584 1492 Ipbaol32.exe 100 PID 1492 wrote to memory of 3584 1492 Ipbaol32.exe 100 PID 3584 wrote to memory of 2992 3584 Iiopca32.exe 101 PID 3584 wrote to memory of 2992 3584 Iiopca32.exe 101 PID 3584 wrote to memory of 2992 3584 Iiopca32.exe 101 PID 2992 wrote to memory of 4188 2992 Jaonbc32.exe 102 PID 2992 wrote to memory of 4188 2992 Jaonbc32.exe 102 PID 2992 wrote to memory of 4188 2992 Jaonbc32.exe 102 PID 4188 wrote to memory of 4624 4188 Jhnojl32.exe 103 PID 4188 wrote to memory of 4624 4188 Jhnojl32.exe 103 PID 4188 wrote to memory of 4624 4188 Jhnojl32.exe 103 PID 4624 wrote to memory of 4972 4624 Khiofk32.exe 104 PID 4624 wrote to memory of 4972 4624 Khiofk32.exe 104 PID 4624 wrote to memory of 4972 4624 Khiofk32.exe 104 PID 4972 wrote to memory of 2856 4972 Kcapicdj.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.d7a07fba4e883a3172210405488f7910.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.d7a07fba4e883a3172210405488f7910.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Adkqoohc.exeC:\Windows\system32\Adkqoohc.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Boenhgdd.exeC:\Windows\system32\Boenhgdd.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\Bdfpkm32.exeC:\Windows\system32\Bdfpkm32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\Cpbjkn32.exeC:\Windows\system32\Cpbjkn32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Dakikoom.exeC:\Windows\system32\Dakikoom.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Enhpao32.exeC:\Windows\system32\Enhpao32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Ebifmm32.exeC:\Windows\system32\Ebifmm32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\Fkfcqb32.exeC:\Windows\system32\Fkfcqb32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Fofilp32.exeC:\Windows\system32\Fofilp32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\Giecfejd.exeC:\Windows\system32\Giecfejd.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Glfmgp32.exeC:\Windows\system32\Glfmgp32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Gbbajjlp.exeC:\Windows\system32\Gbbajjlp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\Hahokfag.exeC:\Windows\system32\Hahokfag.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Hhfpbpdo.exeC:\Windows\system32\Hhfpbpdo.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\Hhimhobl.exeC:\Windows\system32\Hhimhobl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Ipbaol32.exeC:\Windows\system32\Ipbaol32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Iiopca32.exeC:\Windows\system32\Iiopca32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Windows\SysWOW64\Jaonbc32.exeC:\Windows\system32\Jaonbc32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Jhnojl32.exeC:\Windows\system32\Jhnojl32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\SysWOW64\Khiofk32.exeC:\Windows\system32\Khiofk32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\Kcapicdj.exeC:\Windows\system32\Kcapicdj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Ljpaqmgb.exeC:\Windows\system32\Ljpaqmgb.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Llqjbhdc.exeC:\Windows\system32\Llqjbhdc.exe24⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Mpapnfhg.exeC:\Windows\system32\Mpapnfhg.exe25⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Mbgeqmjp.exeC:\Windows\system32\Mbgeqmjp.exe26⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Njedbjej.exeC:\Windows\system32\Njedbjej.exe27⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Ncbafoge.exeC:\Windows\system32\Ncbafoge.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4832 -
C:\Windows\SysWOW64\Ojcpdg32.exeC:\Windows\system32\Ojcpdg32.exe29⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Ojhiogdd.exeC:\Windows\system32\Ojhiogdd.exe30⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Pjoppf32.exeC:\Windows\system32\Pjoppf32.exe31⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Qcnjijoe.exeC:\Windows\system32\Qcnjijoe.exe32⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Afockelf.exeC:\Windows\system32\Afockelf.exe33⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Ajaelc32.exeC:\Windows\system32\Ajaelc32.exe34⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Bdocph32.exeC:\Windows\system32\Bdocph32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Bmidnm32.exeC:\Windows\system32\Bmidnm32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Cancekeo.exeC:\Windows\system32\Cancekeo.exe37⤵PID:3900
-
C:\Windows\SysWOW64\Cgklmacf.exeC:\Windows\system32\Cgklmacf.exe38⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Cmgqpkip.exeC:\Windows\system32\Cmgqpkip.exe39⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Dknnoofg.exeC:\Windows\system32\Dknnoofg.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Dpmcmf32.exeC:\Windows\system32\Dpmcmf32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Ekgqennl.exeC:\Windows\system32\Ekgqennl.exe42⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Eddnic32.exeC:\Windows\system32\Eddnic32.exe43⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Fcneeo32.exeC:\Windows\system32\Fcneeo32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1880 -
C:\Windows\SysWOW64\Fkgillpj.exeC:\Windows\system32\Fkgillpj.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Fdpnda32.exeC:\Windows\system32\Fdpnda32.exe46⤵
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\Fbdnne32.exeC:\Windows\system32\Fbdnne32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4884 -
C:\Windows\SysWOW64\Fjocbhbo.exeC:\Windows\system32\Fjocbhbo.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Gjcmngnj.exeC:\Windows\system32\Gjcmngnj.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Gglfbkin.exeC:\Windows\system32\Gglfbkin.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3848 -
C:\Windows\SysWOW64\Hccggl32.exeC:\Windows\system32\Hccggl32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:220 -
C:\Windows\SysWOW64\Heepfn32.exeC:\Windows\system32\Heepfn32.exe52⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Hbknebqi.exeC:\Windows\system32\Hbknebqi.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3888 -
C:\Windows\SysWOW64\Ilfodgeg.exeC:\Windows\system32\Ilfodgeg.exe54⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Ieqpbm32.exeC:\Windows\system32\Ieqpbm32.exe55⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Icfmci32.exeC:\Windows\system32\Icfmci32.exe56⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Idhiii32.exeC:\Windows\system32\Idhiii32.exe57⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Jejbhk32.exeC:\Windows\system32\Jejbhk32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:4256 -
C:\Windows\SysWOW64\Jaqcnl32.exeC:\Windows\system32\Jaqcnl32.exe59⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Jbbmmo32.exeC:\Windows\system32\Jbbmmo32.exe60⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Kbgfhnhi.exeC:\Windows\system32\Kbgfhnhi.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:4604 -
C:\Windows\SysWOW64\Kehojiej.exeC:\Windows\system32\Kehojiej.exe62⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Klddlckd.exeC:\Windows\system32\Klddlckd.exe63⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Leoejh32.exeC:\Windows\system32\Leoejh32.exe64⤵
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Lkqgno32.exeC:\Windows\system32\Lkqgno32.exe65⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Lamlphoo.exeC:\Windows\system32\Lamlphoo.exe66⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Mlifnphl.exeC:\Windows\system32\Mlifnphl.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:820 -
C:\Windows\SysWOW64\Mebkge32.exeC:\Windows\system32\Mebkge32.exe68⤵PID:3540
-
C:\Windows\SysWOW64\Nkapelka.exeC:\Windows\system32\Nkapelka.exe69⤵PID:1544
-
C:\Windows\SysWOW64\Nlqloo32.exeC:\Windows\system32\Nlqloo32.exe70⤵
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Nfiagd32.exeC:\Windows\system32\Nfiagd32.exe71⤵
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Ncaklhdi.exeC:\Windows\system32\Ncaklhdi.exe72⤵PID:1600
-
C:\Windows\SysWOW64\Oloipmfd.exeC:\Windows\system32\Oloipmfd.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4312 -
C:\Windows\SysWOW64\Pdqcenmg.exeC:\Windows\system32\Pdqcenmg.exe74⤵PID:3948
-
C:\Windows\SysWOW64\Pmoagk32.exeC:\Windows\system32\Pmoagk32.exe75⤵
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Aimhmkgn.exeC:\Windows\system32\Aimhmkgn.exe76⤵PID:440
-
C:\Windows\SysWOW64\Abemep32.exeC:\Windows\system32\Abemep32.exe77⤵PID:3176
-
C:\Windows\SysWOW64\Amkabind.exeC:\Windows\system32\Amkabind.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4488 -
C:\Windows\SysWOW64\Ammnhilb.exeC:\Windows\system32\Ammnhilb.exe79⤵
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Apngjd32.exeC:\Windows\system32\Apngjd32.exe80⤵PID:1776
-
C:\Windows\SysWOW64\Bliajd32.exeC:\Windows\system32\Bliajd32.exe81⤵PID:5072
-
C:\Windows\SysWOW64\Bbefln32.exeC:\Windows\system32\Bbefln32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4168 -
C:\Windows\SysWOW64\Cdgolq32.exeC:\Windows\system32\Cdgolq32.exe83⤵PID:2640
-
C:\Windows\SysWOW64\Cehlcikj.exeC:\Windows\system32\Cehlcikj.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3044 -
C:\Windows\SysWOW64\Cemeoh32.exeC:\Windows\system32\Cemeoh32.exe85⤵
- Drops file in System32 directory
PID:3856 -
C:\Windows\SysWOW64\Cpcila32.exeC:\Windows\system32\Cpcila32.exe86⤵
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Dlcmgqdd.exeC:\Windows\system32\Dlcmgqdd.exe87⤵
- Drops file in System32 directory
PID:3944 -
C:\Windows\SysWOW64\Fncbha32.exeC:\Windows\system32\Fncbha32.exe88⤵PID:2864
-
C:\Windows\SysWOW64\Fnglcqio.exeC:\Windows\system32\Fnglcqio.exe89⤵PID:2648
-
C:\Windows\SysWOW64\Fgpplf32.exeC:\Windows\system32\Fgpplf32.exe90⤵PID:1756
-
C:\Windows\SysWOW64\Gnlenp32.exeC:\Windows\system32\Gnlenp32.exe91⤵PID:4584
-
C:\Windows\SysWOW64\Gdkffi32.exeC:\Windows\system32\Gdkffi32.exe92⤵PID:4444
-
C:\Windows\SysWOW64\Hjoeoo32.exeC:\Windows\system32\Hjoeoo32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:916 -
C:\Windows\SysWOW64\Icqmncof.exeC:\Windows\system32\Icqmncof.exe94⤵
- Modifies registry class
PID:4628 -
C:\Windows\SysWOW64\Jfhlpnfp.exeC:\Windows\system32\Jfhlpnfp.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1844 -
C:\Windows\SysWOW64\Lmqiec32.exeC:\Windows\system32\Lmqiec32.exe96⤵PID:1620
-
C:\Windows\SysWOW64\Mginniij.exeC:\Windows\system32\Mginniij.exe97⤵PID:5040
-
C:\Windows\SysWOW64\Maoakaip.exeC:\Windows\system32\Maoakaip.exe98⤵PID:1516
-
C:\Windows\SysWOW64\Mhhjhlqm.exeC:\Windows\system32\Mhhjhlqm.exe99⤵PID:4076
-
C:\Windows\SysWOW64\Maehlqch.exeC:\Windows\system32\Maehlqch.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1812 -
C:\Windows\SysWOW64\Mgbpdgap.exeC:\Windows\system32\Mgbpdgap.exe101⤵PID:3320
-
C:\Windows\SysWOW64\Nejgbn32.exeC:\Windows\system32\Nejgbn32.exe102⤵PID:2364
-
C:\Windows\SysWOW64\Ngnppfgb.exeC:\Windows\system32\Ngnppfgb.exe103⤵PID:3496
-
C:\Windows\SysWOW64\Oogdfc32.exeC:\Windows\system32\Oogdfc32.exe104⤵PID:3260
-
C:\Windows\SysWOW64\Okneldkf.exeC:\Windows\system32\Okneldkf.exe105⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Poagma32.exeC:\Windows\system32\Poagma32.exe106⤵PID:2580
-
C:\Windows\SysWOW64\Pbdmdlie.exeC:\Windows\system32\Pbdmdlie.exe107⤵
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Qbmpjkqk.exeC:\Windows\system32\Qbmpjkqk.exe108⤵PID:4796
-
C:\Windows\SysWOW64\Aiqkmd32.exeC:\Windows\system32\Aiqkmd32.exe109⤵
- Modifies registry class
PID:3464 -
C:\Windows\SysWOW64\Bkdqdokk.exeC:\Windows\system32\Bkdqdokk.exe110⤵PID:3732
-
C:\Windows\SysWOW64\Bihancje.exeC:\Windows\system32\Bihancje.exe111⤵
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Beobcdoi.exeC:\Windows\system32\Beobcdoi.exe112⤵PID:856
-
C:\Windows\SysWOW64\Cnpibh32.exeC:\Windows\system32\Cnpibh32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2836 -
C:\Windows\SysWOW64\Cnebmgjj.exeC:\Windows\system32\Cnebmgjj.exe114⤵PID:5052
-
C:\Windows\SysWOW64\Deagoa32.exeC:\Windows\system32\Deagoa32.exe115⤵PID:3932
-
C:\Windows\SysWOW64\Dpglmjoj.exeC:\Windows\system32\Dpglmjoj.exe116⤵
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Efopjbjg.exeC:\Windows\system32\Efopjbjg.exe117⤵PID:1816
-
C:\Windows\SysWOW64\Fhefmjlp.exeC:\Windows\system32\Fhefmjlp.exe118⤵PID:4204
-
C:\Windows\SysWOW64\Fpnkdfko.exeC:\Windows\system32\Fpnkdfko.exe119⤵PID:1728
-
C:\Windows\SysWOW64\Flghognq.exeC:\Windows\system32\Flghognq.exe120⤵PID:3968
-
C:\Windows\SysWOW64\Ggoiap32.exeC:\Windows\system32\Ggoiap32.exe121⤵PID:1016
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-