Analysis
-
max time kernel
100s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
28-10-2023 20:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.b2659929bfba48164bc8a958a0e08510.exe
Resource
win7-20231025-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.b2659929bfba48164bc8a958a0e08510.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.b2659929bfba48164bc8a958a0e08510.exe
-
Size
75KB
-
MD5
b2659929bfba48164bc8a958a0e08510
-
SHA1
9a703c541ff360275d006f3661b963ba08312838
-
SHA256
fd336b4e95a5932d164d8061ae209f66b03457227ca5c338c445c591cc8580a0
-
SHA512
55e4c13532a3ab9d4259c4015c442a53e902ab4f426dbd50dc7ba22e820ef45f173e583b562406e4cebe92eec10cf3314c178240ff1212903994a9742933babe
-
SSDEEP
1536:niZIlAKFh5+Oi5hUi4mkPZ5ihN7Sqj1cgCe8uvQGYQzlV:SIlzz565hUTmk6/tjugCe8uvQa
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Camddhoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pafcofcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahinbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eejcki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iencmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgcooaah.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fplnogmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad NEAS.b2659929bfba48164bc8a958a0e08510.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgfmeg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odfcjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eangjkkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pocdba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fplnogmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npadcfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkgaglpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgcooaah.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckoifgmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flfkkhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqmojd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljffccjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahkkhnpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bochmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggjjlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akfdcq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Homcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqhphq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jggapj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmhccpci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pncanhaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Addhbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjfbjdnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnokjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijhhenhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akfdcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dagajlal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnnlk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dheibpje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiahnnph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhhdnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfojdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjhfif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgokdomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijgakgej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkdlkope.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pecellgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phaahggp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfefdpfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iedbcebd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfdfoala.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dooaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcfcmnce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijlkfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfcmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eppjfgcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ledepn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmbkfjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfnnmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjdfgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjfjee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkaobnio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oonlfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oflmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cihjeq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gccmaack.exe -
Executes dropped EXE 64 IoCs
pid Process 4836 Lggldm32.exe 3656 Lqpamb32.exe 1184 Lndagg32.exe 1400 Mcqjon32.exe 4040 Maggnali.exe 2932 Mjokgg32.exe 4828 Mchppmij.exe 5084 Malpia32.exe 2844 Mjdebfnd.exe 4316 Manmoq32.exe 4576 Njfagf32.exe 1236 Ngjbaj32.exe 1772 Nmgjia32.exe 2000 Njkkbehl.exe 3908 Nlkgmh32.exe 860 Nagpeo32.exe 3528 Nlmdbh32.exe 920 Oeehkn32.exe 4784 Onnmdcjm.exe 3748 Oeheqm32.exe 1640 Omcjep32.exe 2368 Ohhnbhok.exe 3884 Oobfob32.exe 3976 Oodcdb32.exe 464 Oeokal32.exe 3828 Okkdic32.exe 1860 Paelfmaf.exe 744 Pecellgl.exe 4372 Phaahggp.exe 4052 Pmoiqneg.exe 4396 Plpjoe32.exe 1112 Pkegpb32.exe 1852 Paoollik.exe 3176 Pldcjeia.exe 4076 Qaalblgi.exe 2808 Qkipkani.exe 4336 Qhmqdemc.exe 1156 Amjillkj.exe 2988 Alkijdci.exe 3520 Aednci32.exe 1556 Aolblopj.exe 32 Akccap32.exe 4320 Aamknj32.exe 2856 Aoalgn32.exe 4248 Bochmn32.exe 1364 Bemqih32.exe 4572 Bkjiao32.exe 408 Badanigc.exe 3756 Bhnikc32.exe 4804 Bebjdgmj.exe 2088 Bojomm32.exe 4356 Bahkih32.exe 1768 Bkaobnio.exe 5000 Bheplb32.exe 3504 Camddhoi.exe 4592 Chglab32.exe 3436 Cndeii32.exe 1736 Cdnmfclj.exe 2496 Cocacl32.exe 2232 Cfnjpfcl.exe 2408 Clgbmp32.exe 2296 Cnindhpg.exe 828 Cdbfab32.exe 3872 Cohkokgj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pjaleemj.exe Pcgdhkem.exe File created C:\Windows\SysWOW64\Apjhleik.dll Dlnlak32.exe File opened for modification C:\Windows\SysWOW64\Ckoifgmb.exe Ceeaim32.exe File opened for modification C:\Windows\SysWOW64\Dnghhqdk.exe Dlhlleeh.exe File created C:\Windows\SysWOW64\Nlkgmh32.exe Njkkbehl.exe File created C:\Windows\SysWOW64\Ppadmq32.dll Okkdic32.exe File created C:\Windows\SysWOW64\Npmknd32.dll Ibegfglj.exe File created C:\Windows\SysWOW64\Aqpika32.exe Qnamofdf.exe File created C:\Windows\SysWOW64\Nhoped32.dll Padnaq32.exe File opened for modification C:\Windows\SysWOW64\Hgapmj32.exe Hqghqpnl.exe File created C:\Windows\SysWOW64\Ggdbmoho.exe Gomkkagl.exe File created C:\Windows\SysWOW64\Mpedgghj.exe Miklkm32.exe File created C:\Windows\SysWOW64\Amjillkj.exe Qhmqdemc.exe File opened for modification C:\Windows\SysWOW64\Cndeii32.exe Chglab32.exe File opened for modification C:\Windows\SysWOW64\Dnmhpg32.exe Cdecgbfa.exe File created C:\Windows\SysWOW64\Mpqklh32.exe Mankaked.exe File opened for modification C:\Windows\SysWOW64\Nhcbidcd.exe Nplkhf32.exe File opened for modification C:\Windows\SysWOW64\Jlgoek32.exe Jemfhacc.exe File created C:\Windows\SysWOW64\Gcdnbiac.dll Ohbfeh32.exe File opened for modification C:\Windows\SysWOW64\Gebimmco.exe Gccmaack.exe File created C:\Windows\SysWOW64\Jcnbekok.exe Jqofippg.exe File created C:\Windows\SysWOW64\Jhclcf32.dll Mdodbf32.exe File created C:\Windows\SysWOW64\Pldcjeia.exe Paoollik.exe File created C:\Windows\SysWOW64\Eeddfe32.exe Ephlnn32.exe File created C:\Windows\SysWOW64\Geceqfal.dll Hfamia32.exe File opened for modification C:\Windows\SysWOW64\Ggccllai.exe Apjdikqd.exe File created C:\Windows\SysWOW64\Icncngca.dll Hnokjm32.exe File opened for modification C:\Windows\SysWOW64\Cblebgfh.exe Cehdib32.exe File created C:\Windows\SysWOW64\Dijgjpip.exe Cnebmgjj.exe File created C:\Windows\SysWOW64\Pkedbmab.exe Phfhfa32.exe File created C:\Windows\SysWOW64\Kgiamm32.dll Ophjdehd.exe File created C:\Windows\SysWOW64\Akopoi32.exe Ahpdcn32.exe File created C:\Windows\SysWOW64\Hbknebqi.exe Hkaeih32.exe File created C:\Windows\SysWOW64\Ijjekn32.exe Icqmncof.exe File opened for modification C:\Windows\SysWOW64\Cnindhpg.exe Clgbmp32.exe File created C:\Windows\SysWOW64\Hgapmj32.exe Hqghqpnl.exe File created C:\Windows\SysWOW64\Ononmo32.exe Ohbfeh32.exe File created C:\Windows\SysWOW64\Hcfcmnce.exe Hphfac32.exe File opened for modification C:\Windows\SysWOW64\Jifabb32.exe Jfgefg32.exe File created C:\Windows\SysWOW64\Bpncbp32.dll Lfcmhc32.exe File created C:\Windows\SysWOW64\Bhcdcbcl.dll Cnboma32.exe File created C:\Windows\SysWOW64\Mohjdmko.dll Mcqjon32.exe File created C:\Windows\SysWOW64\Dpnbmi32.exe Didjqoae.exe File created C:\Windows\SysWOW64\Mgmjad32.dll Pdofpb32.exe File created C:\Windows\SysWOW64\Bnbmqjjo.exe Biedhclh.exe File created C:\Windows\SysWOW64\Pgpobmca.exe Ppffec32.exe File opened for modification C:\Windows\SysWOW64\Gdiakp32.exe Gjcmngnj.exe File created C:\Windows\SysWOW64\Bhmoha32.dll Enllgbcl.exe File created C:\Windows\SysWOW64\Hnpnedno.dll Aohfdnil.exe File created C:\Windows\SysWOW64\Kebkgjkg.dll Nqcejcha.exe File opened for modification C:\Windows\SysWOW64\Ijjekn32.exe Icqmncof.exe File created C:\Windows\SysWOW64\Lhjicplp.dll Pddokabk.exe File created C:\Windows\SysWOW64\Omjnhiiq.exe Okkalnjm.exe File opened for modification C:\Windows\SysWOW64\Camddhoi.exe Bheplb32.exe File opened for modification C:\Windows\SysWOW64\Kcoccc32.exe Kpqggh32.exe File opened for modification C:\Windows\SysWOW64\Acccdj32.exe Qclmck32.exe File created C:\Windows\SysWOW64\Lggldm32.exe NEAS.b2659929bfba48164bc8a958a0e08510.exe File opened for modification C:\Windows\SysWOW64\Lfcmhc32.exe Lagepl32.exe File opened for modification C:\Windows\SysWOW64\Eikpan32.exe Ebagdddp.exe File created C:\Windows\SysWOW64\Plphjbim.dll Hfbbdj32.exe File opened for modification C:\Windows\SysWOW64\Pdofpb32.exe Pkgaglpp.exe File opened for modification C:\Windows\SysWOW64\Objkmkjj.exe Oqhoeb32.exe File opened for modification C:\Windows\SysWOW64\Gddqejni.exe Glmhdm32.exe File created C:\Windows\SysWOW64\Dabmnd32.dll Ceeaim32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10652 10600 WerFault.exe 668 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijlkfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgkaip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goahpc32.dll" Bjkcqdje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfbfjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkhjpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iebfmfdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npjnbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kidben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnmaeif.dll" Bnbmqjjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmhhbnla.dll" Bndjfjhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebdkl32.dll" Bgokdomj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcehejic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oodcdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaajhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcmfnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmfaf32.dll" Jpdbjleo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdjmdkgg.dll" Dhfcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Manmoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmnfcojj.dll" Fgfmeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbddah32.dll" Fpeaeedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Minipm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gggfme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkjpdog.dll" Dblnid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahdjej32.dll" Limpiomm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cejjdlap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbhncfq.dll" Dnghhqdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eangjkkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Minipm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qolmplcl.dll" Oickbjmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbccec32.dll" Bndblcdq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqghqpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hejjanpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgfmeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpdnjd32.dll" Aijeme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjfif32.dll" Cehdib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcfcmnce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnkbcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbceobam.dll" Njkkbehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdecgbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoideh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhmoha32.dll" Enllgbcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paalgkbb.dll" Gddqejni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Didjqoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elilmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njfagf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmgjia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhphpicg.dll" Kpnjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbdgkjib.dll" Pbapom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbdmdlie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfaqcclf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnokmj32.dll" Lhcali32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhpdkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpkehi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeddfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfqgkgc.dll" Hljnkdnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jemfhacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfemoei.dll" Efopjbjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnpnedno.dll" Aohfdnil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgnhmg32.dll" Bkhjpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eimlgnij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balenlhn.dll" Omcjep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngcglo32.dll" Jlgoek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopoighe.dll" Gjcfcakn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gflcnanp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1748 wrote to memory of 4836 1748 NEAS.b2659929bfba48164bc8a958a0e08510.exe 88 PID 1748 wrote to memory of 4836 1748 NEAS.b2659929bfba48164bc8a958a0e08510.exe 88 PID 1748 wrote to memory of 4836 1748 NEAS.b2659929bfba48164bc8a958a0e08510.exe 88 PID 4836 wrote to memory of 3656 4836 Lggldm32.exe 89 PID 4836 wrote to memory of 3656 4836 Lggldm32.exe 89 PID 4836 wrote to memory of 3656 4836 Lggldm32.exe 89 PID 3656 wrote to memory of 1184 3656 Lqpamb32.exe 90 PID 3656 wrote to memory of 1184 3656 Lqpamb32.exe 90 PID 3656 wrote to memory of 1184 3656 Lqpamb32.exe 90 PID 1184 wrote to memory of 1400 1184 Lndagg32.exe 91 PID 1184 wrote to memory of 1400 1184 Lndagg32.exe 91 PID 1184 wrote to memory of 1400 1184 Lndagg32.exe 91 PID 1400 wrote to memory of 4040 1400 Mcqjon32.exe 92 PID 1400 wrote to memory of 4040 1400 Mcqjon32.exe 92 PID 1400 wrote to memory of 4040 1400 Mcqjon32.exe 92 PID 4040 wrote to memory of 2932 4040 Maggnali.exe 94 PID 4040 wrote to memory of 2932 4040 Maggnali.exe 94 PID 4040 wrote to memory of 2932 4040 Maggnali.exe 94 PID 2932 wrote to memory of 4828 2932 Mjokgg32.exe 95 PID 2932 wrote to memory of 4828 2932 Mjokgg32.exe 95 PID 2932 wrote to memory of 4828 2932 Mjokgg32.exe 95 PID 4828 wrote to memory of 5084 4828 Mchppmij.exe 96 PID 4828 wrote to memory of 5084 4828 Mchppmij.exe 96 PID 4828 wrote to memory of 5084 4828 Mchppmij.exe 96 PID 5084 wrote to memory of 2844 5084 Malpia32.exe 97 PID 5084 wrote to memory of 2844 5084 Malpia32.exe 97 PID 5084 wrote to memory of 2844 5084 Malpia32.exe 97 PID 2844 wrote to memory of 4316 2844 Mjdebfnd.exe 98 PID 2844 wrote to memory of 4316 2844 Mjdebfnd.exe 98 PID 2844 wrote to memory of 4316 2844 Mjdebfnd.exe 98 PID 4316 wrote to memory of 4576 4316 Manmoq32.exe 99 PID 4316 wrote to memory of 4576 4316 Manmoq32.exe 99 PID 4316 wrote to memory of 4576 4316 Manmoq32.exe 99 PID 4576 wrote to memory of 1236 4576 Njfagf32.exe 100 PID 4576 wrote to memory of 1236 4576 Njfagf32.exe 100 PID 4576 wrote to memory of 1236 4576 Njfagf32.exe 100 PID 1236 wrote to memory of 1772 1236 Ngjbaj32.exe 101 PID 1236 wrote to memory of 1772 1236 Ngjbaj32.exe 101 PID 1236 wrote to memory of 1772 1236 Ngjbaj32.exe 101 PID 1772 wrote to memory of 2000 1772 Nmgjia32.exe 102 PID 1772 wrote to memory of 2000 1772 Nmgjia32.exe 102 PID 1772 wrote to memory of 2000 1772 Nmgjia32.exe 102 PID 2000 wrote to memory of 3908 2000 Njkkbehl.exe 103 PID 2000 wrote to memory of 3908 2000 Njkkbehl.exe 103 PID 2000 wrote to memory of 3908 2000 Njkkbehl.exe 103 PID 3908 wrote to memory of 860 3908 Nlkgmh32.exe 105 PID 3908 wrote to memory of 860 3908 Nlkgmh32.exe 105 PID 3908 wrote to memory of 860 3908 Nlkgmh32.exe 105 PID 860 wrote to memory of 3528 860 Nagpeo32.exe 106 PID 860 wrote to memory of 3528 860 Nagpeo32.exe 106 PID 860 wrote to memory of 3528 860 Nagpeo32.exe 106 PID 3528 wrote to memory of 920 3528 Nlmdbh32.exe 107 PID 3528 wrote to memory of 920 3528 Nlmdbh32.exe 107 PID 3528 wrote to memory of 920 3528 Nlmdbh32.exe 107 PID 920 wrote to memory of 4784 920 Oeehkn32.exe 108 PID 920 wrote to memory of 4784 920 Oeehkn32.exe 108 PID 920 wrote to memory of 4784 920 Oeehkn32.exe 108 PID 4784 wrote to memory of 3748 4784 Onnmdcjm.exe 109 PID 4784 wrote to memory of 3748 4784 Onnmdcjm.exe 109 PID 4784 wrote to memory of 3748 4784 Onnmdcjm.exe 109 PID 3748 wrote to memory of 1640 3748 Oeheqm32.exe 110 PID 3748 wrote to memory of 1640 3748 Oeheqm32.exe 110 PID 3748 wrote to memory of 1640 3748 Oeheqm32.exe 110 PID 1640 wrote to memory of 2368 1640 Omcjep32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.b2659929bfba48164bc8a958a0e08510.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.b2659929bfba48164bc8a958a0e08510.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Lggldm32.exeC:\Windows\system32\Lggldm32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Lqpamb32.exeC:\Windows\system32\Lqpamb32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Lndagg32.exeC:\Windows\system32\Lndagg32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Mcqjon32.exeC:\Windows\system32\Mcqjon32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Maggnali.exeC:\Windows\system32\Maggnali.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\Mjokgg32.exeC:\Windows\system32\Mjokgg32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Mchppmij.exeC:\Windows\system32\Mchppmij.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Malpia32.exeC:\Windows\system32\Malpia32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Manmoq32.exeC:\Windows\system32\Manmoq32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\SysWOW64\Njfagf32.exeC:\Windows\system32\Njfagf32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\Ngjbaj32.exeC:\Windows\system32\Ngjbaj32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Nmgjia32.exeC:\Windows\system32\Nmgjia32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Njkkbehl.exeC:\Windows\system32\Njkkbehl.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Nlkgmh32.exeC:\Windows\system32\Nlkgmh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\SysWOW64\Nagpeo32.exeC:\Windows\system32\Nagpeo32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Nlmdbh32.exeC:\Windows\system32\Nlmdbh32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Oeehkn32.exeC:\Windows\system32\Oeehkn32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\Onnmdcjm.exeC:\Windows\system32\Onnmdcjm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Oeheqm32.exeC:\Windows\system32\Oeheqm32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\Omcjep32.exeC:\Windows\system32\Omcjep32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Ohhnbhok.exeC:\Windows\system32\Ohhnbhok.exe23⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Oobfob32.exeC:\Windows\system32\Oobfob32.exe24⤵
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\Oodcdb32.exeC:\Windows\system32\Oodcdb32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:3976 -
C:\Windows\SysWOW64\Oeokal32.exeC:\Windows\system32\Oeokal32.exe26⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Okkdic32.exeC:\Windows\system32\Okkdic32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3828 -
C:\Windows\SysWOW64\Paelfmaf.exeC:\Windows\system32\Paelfmaf.exe28⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Pecellgl.exeC:\Windows\system32\Pecellgl.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Phaahggp.exeC:\Windows\system32\Phaahggp.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Pmoiqneg.exeC:\Windows\system32\Pmoiqneg.exe31⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Plpjoe32.exeC:\Windows\system32\Plpjoe32.exe32⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Pkegpb32.exeC:\Windows\system32\Pkegpb32.exe33⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Paoollik.exeC:\Windows\system32\Paoollik.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1852 -
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe35⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Qaalblgi.exeC:\Windows\system32\Qaalblgi.exe36⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Qkipkani.exeC:\Windows\system32\Qkipkani.exe37⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Qhmqdemc.exeC:\Windows\system32\Qhmqdemc.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4336 -
C:\Windows\SysWOW64\Amjillkj.exeC:\Windows\system32\Amjillkj.exe39⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Alkijdci.exeC:\Windows\system32\Alkijdci.exe40⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Aednci32.exeC:\Windows\system32\Aednci32.exe41⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Aolblopj.exeC:\Windows\system32\Aolblopj.exe42⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Akccap32.exeC:\Windows\system32\Akccap32.exe43⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Aamknj32.exeC:\Windows\system32\Aamknj32.exe44⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Aoalgn32.exeC:\Windows\system32\Aoalgn32.exe45⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Bemqih32.exeC:\Windows\system32\Bemqih32.exe47⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Bkjiao32.exeC:\Windows\system32\Bkjiao32.exe48⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Badanigc.exeC:\Windows\system32\Badanigc.exe49⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Bhnikc32.exeC:\Windows\system32\Bhnikc32.exe50⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Bebjdgmj.exeC:\Windows\system32\Bebjdgmj.exe51⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Bojomm32.exeC:\Windows\system32\Bojomm32.exe52⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Bahkih32.exeC:\Windows\system32\Bahkih32.exe53⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Bkaobnio.exeC:\Windows\system32\Bkaobnio.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Bheplb32.exeC:\Windows\system32\Bheplb32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5000 -
C:\Windows\SysWOW64\Camddhoi.exeC:\Windows\system32\Camddhoi.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Chglab32.exeC:\Windows\system32\Chglab32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4592 -
C:\Windows\SysWOW64\Cndeii32.exeC:\Windows\system32\Cndeii32.exe58⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Cdnmfclj.exeC:\Windows\system32\Cdnmfclj.exe59⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Cocacl32.exeC:\Windows\system32\Cocacl32.exe60⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Cfnjpfcl.exeC:\Windows\system32\Cfnjpfcl.exe61⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Clgbmp32.exeC:\Windows\system32\Clgbmp32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Cnindhpg.exeC:\Windows\system32\Cnindhpg.exe63⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Cdbfab32.exeC:\Windows\system32\Cdbfab32.exe64⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Cohkokgj.exeC:\Windows\system32\Cohkokgj.exe65⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Cdecgbfa.exeC:\Windows\system32\Cdecgbfa.exe66⤵
- Drops file in System32 directory
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Dnmhpg32.exeC:\Windows\system32\Dnmhpg32.exe67⤵PID:1708
-
C:\Windows\SysWOW64\Dfdpad32.exeC:\Windows\system32\Dfdpad32.exe68⤵PID:4332
-
C:\Windows\SysWOW64\Dmohno32.exeC:\Windows\system32\Dmohno32.exe69⤵PID:3672
-
C:\Windows\SysWOW64\Dbkqfe32.exeC:\Windows\system32\Dbkqfe32.exe70⤵PID:1656
-
C:\Windows\SysWOW64\Dheibpje.exeC:\Windows\system32\Dheibpje.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1212 -
C:\Windows\SysWOW64\Dooaoj32.exeC:\Windows\system32\Dooaoj32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5112 -
C:\Windows\SysWOW64\Ddligq32.exeC:\Windows\system32\Ddligq32.exe73⤵PID:3228
-
C:\Windows\SysWOW64\Dflfac32.exeC:\Windows\system32\Dflfac32.exe74⤵PID:1892
-
C:\Windows\SysWOW64\Dmennnni.exeC:\Windows\system32\Dmennnni.exe75⤵PID:4064
-
C:\Windows\SysWOW64\Dbbffdlq.exeC:\Windows\system32\Dbbffdlq.exe76⤵PID:3164
-
C:\Windows\SysWOW64\Eoideh32.exeC:\Windows\system32\Eoideh32.exe77⤵
- Modifies registry class
PID:220 -
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3032 -
C:\Windows\SysWOW64\Ekodjiol.exeC:\Windows\system32\Ekodjiol.exe79⤵PID:2028
-
C:\Windows\SysWOW64\Efeihb32.exeC:\Windows\system32\Efeihb32.exe80⤵PID:4088
-
C:\Windows\SysWOW64\Emoadlfo.exeC:\Windows\system32\Emoadlfo.exe81⤵PID:5052
-
C:\Windows\SysWOW64\Epmmqheb.exeC:\Windows\system32\Epmmqheb.exe82⤵PID:4736
-
C:\Windows\SysWOW64\Efgemb32.exeC:\Windows\system32\Efgemb32.exe83⤵PID:2244
-
C:\Windows\SysWOW64\Emanjldl.exeC:\Windows\system32\Emanjldl.exe84⤵PID:4892
-
C:\Windows\SysWOW64\Eppjfgcp.exeC:\Windows\system32\Eppjfgcp.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3940 -
C:\Windows\SysWOW64\Felbnn32.exeC:\Windows\system32\Felbnn32.exe86⤵PID:1028
-
C:\Windows\SysWOW64\Flfkkhid.exeC:\Windows\system32\Flfkkhid.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4984 -
C:\Windows\SysWOW64\Ppahmb32.exeC:\Windows\system32\Ppahmb32.exe88⤵PID:3808
-
C:\Windows\SysWOW64\Glfmgp32.exeC:\Windows\system32\Glfmgp32.exe89⤵PID:4896
-
C:\Windows\SysWOW64\Ibegfglj.exeC:\Windows\system32\Ibegfglj.exe90⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Jldbpl32.exeC:\Windows\system32\Jldbpl32.exe91⤵PID:5048
-
C:\Windows\SysWOW64\Jocnlg32.exeC:\Windows\system32\Jocnlg32.exe92⤵PID:1484
-
C:\Windows\SysWOW64\Jaajhb32.exeC:\Windows\system32\Jaajhb32.exe93⤵
- Modifies registry class
PID:5108 -
C:\Windows\SysWOW64\Jemfhacc.exeC:\Windows\system32\Jemfhacc.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Jlgoek32.exeC:\Windows\system32\Jlgoek32.exe95⤵
- Modifies registry class
PID:5136 -
C:\Windows\SysWOW64\Joekag32.exeC:\Windows\system32\Joekag32.exe96⤵PID:5180
-
C:\Windows\SysWOW64\Jikoopij.exeC:\Windows\system32\Jikoopij.exe97⤵PID:5224
-
C:\Windows\SysWOW64\Jpegkj32.exeC:\Windows\system32\Jpegkj32.exe98⤵PID:5268
-
C:\Windows\SysWOW64\Jbccge32.exeC:\Windows\system32\Jbccge32.exe99⤵PID:5312
-
C:\Windows\SysWOW64\Jeapcq32.exeC:\Windows\system32\Jeapcq32.exe100⤵PID:5356
-
C:\Windows\SysWOW64\Jllhpkfk.exeC:\Windows\system32\Jllhpkfk.exe101⤵PID:5400
-
C:\Windows\SysWOW64\Jojdlfeo.exeC:\Windows\system32\Jojdlfeo.exe102⤵PID:5444
-
C:\Windows\SysWOW64\Jahqiaeb.exeC:\Windows\system32\Jahqiaeb.exe103⤵PID:5488
-
C:\Windows\SysWOW64\Kamjda32.exeC:\Windows\system32\Kamjda32.exe104⤵PID:5532
-
C:\Windows\SysWOW64\Kidben32.exeC:\Windows\system32\Kidben32.exe105⤵
- Modifies registry class
PID:5576 -
C:\Windows\SysWOW64\Kpnjah32.exeC:\Windows\system32\Kpnjah32.exe106⤵
- Modifies registry class
PID:5620 -
C:\Windows\SysWOW64\Kcmfnd32.exeC:\Windows\system32\Kcmfnd32.exe107⤵
- Modifies registry class
PID:5664 -
C:\Windows\SysWOW64\Khiofk32.exeC:\Windows\system32\Khiofk32.exe108⤵PID:5704
-
C:\Windows\SysWOW64\Kpqggh32.exeC:\Windows\system32\Kpqggh32.exe109⤵
- Drops file in System32 directory
PID:5748 -
C:\Windows\SysWOW64\Kcoccc32.exeC:\Windows\system32\Kcoccc32.exe110⤵PID:5796
-
C:\Windows\SysWOW64\Khlklj32.exeC:\Windows\system32\Khlklj32.exe111⤵PID:5840
-
C:\Windows\SysWOW64\Laiipofp.exeC:\Windows\system32\Laiipofp.exe112⤵PID:5884
-
C:\Windows\SysWOW64\Ledepn32.exeC:\Windows\system32\Ledepn32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5928 -
C:\Windows\SysWOW64\Lhcali32.exeC:\Windows\system32\Lhcali32.exe114⤵
- Modifies registry class
PID:5972 -
C:\Windows\SysWOW64\Nblolm32.exeC:\Windows\system32\Nblolm32.exe115⤵PID:6012
-
C:\Windows\SysWOW64\Nhegig32.exeC:\Windows\system32\Nhegig32.exe116⤵PID:6048
-
C:\Windows\SysWOW64\Nqmojd32.exeC:\Windows\system32\Nqmojd32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6100 -
C:\Windows\SysWOW64\Nbnlaldg.exeC:\Windows\system32\Nbnlaldg.exe118⤵PID:4744
-
C:\Windows\SysWOW64\Njedbjej.exeC:\Windows\system32\Njedbjej.exe119⤵PID:5188
-
C:\Windows\SysWOW64\Nhhdnf32.exeC:\Windows\system32\Nhhdnf32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5264 -
C:\Windows\SysWOW64\Nqoloc32.exeC:\Windows\system32\Nqoloc32.exe121⤵PID:5320
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-