Analysis
max time kernel: 138s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
submitted: 01/11/2023, 04:13

Static task: static1 (1 signatures)

Behavioral task: behavioral1
  Sample: NEAS.7c193499e4386137656a9dc59cc1bc90.exe
  Resource: win7-20231023-en
  7 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: NEAS.7c193499e4386137656a9dc59cc1bc90.exe
  Resource: win10v2004-20231023-en
  6 signatures, 150 seconds

General
Target: NEAS.7c193499e4386137656a9dc59cc1bc90.exe
Size: 100KB
MD5: 7c193499e4386137656a9dc59cc1bc90
SHA1: d4c949b502290ddfda1835b5ac4ceeb2521dfeec
SHA256: 029e76e268f05b11954b7b36498a2ce5812736daa7f5ddc70c3d97f22d297ad2
SHA512: 61f7e27901389102c6cb0d160f8cecca361e82c0585d8f3d9a98118d8e107373c4e0c52596caceaf57ff4e4f71dce6042cd828cd1763646ec0b9f537cfff5732
SSDEEP: 1536:YlT4IY5BtlBVuqkQfK+qRs49Ooeo3NJKg8FgblQQa3+om13XRzT:YBBYdlBoq7K+2FxNJ/egb3a3+X13XRzT
Score: 10/10
Malware Config
Signatures
-
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (1 IoCs)
  pid: 7108, pid_target: 2044, Process: WerFault.exe, procid_target: 675
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
Process tree (the leading number is the nesting depth; each process is the child of the one listed before it):

1. C:\Users\Admin\AppData\Local\Temp\NEAS.7c193499e4386137656a9dc59cc1bc90.exe (PID 2828)
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.7c193499e4386137656a9dc59cc1bc90.exe"
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Qkfkng32.exe (PID 2572)
   Command line: C:\Windows\system32\Qkfkng32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Cmpcdfll.exe (PID 4772)
   Command line: C:\Windows\system32\Cmpcdfll.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Eiijfd32.exe (PID 3048)
   Command line: C:\Windows\system32\Eiijfd32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ecfhji32.exe (PID 4556)
   Command line: C:\Windows\system32\Ecfhji32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Fjgfgbek.exe (PID 2580)
   Command line: C:\Windows\system32\Fjgfgbek.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Hfnpca32.exe (PID 2612)
   Command line: C:\Windows\system32\Hfnpca32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Hjoeoo32.exe (PID 4340)
   Command line: C:\Windows\system32\Hjoeoo32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Imdgljil.exe (PID 2044)
   Command line: C:\Windows\system32\Imdgljil.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Iglhob32.exe (PID 3164)
   Command line: C:\Windows\system32\Iglhob32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Iqdmghnp.exe (PID 4420)
   Command line: C:\Windows\system32\Iqdmghnp.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Iebfmfdg.exe (PID 3588)
   Command line: C:\Windows\system32\Iebfmfdg.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Jcjodbgl.exe (PID 3488)
   Command line: C:\Windows\system32\Jcjodbgl.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Jndmlj32.exe (PID 3840)
   Command line: C:\Windows\system32\Jndmlj32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Kagbdenk.exe (PID 3612)
   Command line: C:\Windows\system32\Kagbdenk.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Kallod32.exe (PID 4232)
   Command line: C:\Windows\system32\Kallod32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Lennpb32.exe (PID 2268)
   Command line: C:\Windows\system32\Lennpb32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Ljncnhhk.exe (PID 4664)
   Command line: C:\Windows\system32\Ljncnhhk.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Leedqa32.exe (PID 952)
   Command line: C:\Windows\system32\Leedqa32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Mackfa32.exe (PID 2920)
   Command line: C:\Windows\system32\Mackfa32.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Namnmp32.exe (PID 4632)
   Command line: C:\Windows\system32\Namnmp32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Nncoaq32.exe (PID 3572)
   Command line: C:\Windows\system32\Nncoaq32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Nemchn32.exe (PID 2856)
   Command line: C:\Windows\system32\Nemchn32.exe
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Oakjnnap.exe (PID 4808)
   Command line: C:\Windows\system32\Oakjnnap.exe
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Pfkpiled.exe (PID 2656)
   Command line: C:\Windows\system32\Pfkpiled.exe
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Pbapom32.exe (PID 2136)
   Command line: C:\Windows\system32\Pbapom32.exe
   - Executes dropped EXE
27. C:\Windows\SysWOW64\Pnmjomlg.exe (PID 3424)
   Command line: C:\Windows\system32\Pnmjomlg.exe
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Agjhbbob.exe (PID 364)
   Command line: C:\Windows\system32\Agjhbbob.exe
   - Executes dropped EXE
29. C:\Windows\SysWOW64\Aokcjngj.exe (PID 4992)
   Command line: C:\Windows\system32\Aokcjngj.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
30. C:\Windows\SysWOW64\Beaohcmf.exe (PID 3968)
   Command line: C:\Windows\system32\Beaohcmf.exe
   - Executes dropped EXE
   - Modifies registry class
31. C:\Windows\SysWOW64\Cihjeq32.exe (PID 2712)
   Command line: C:\Windows\system32\Cihjeq32.exe
   - Executes dropped EXE
32. C:\Windows\SysWOW64\Diopep32.exe (PID 2488)
   Command line: C:\Windows\system32\Diopep32.exe
   - Executes dropped EXE
33. C:\Windows\SysWOW64\Ehkcgkdj.exe (PID 4360)
   Command line: C:\Windows\system32\Ehkcgkdj.exe
   - Executes dropped EXE
   - Modifies registry class
34. C:\Windows\SysWOW64\Flghognq.exe (PID 740)
   Command line: C:\Windows\system32\Flghognq.exe
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Gccmaack.exe (PID 2508)
   Command line: C:\Windows\system32\Gccmaack.exe
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Gjghdj32.exe (PID 3952)
   Command line: C:\Windows\system32\Gjghdj32.exe
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Hgdlcm32.exe (PID 3152)
   Command line: C:\Windows\system32\Hgdlcm32.exe
   - Executes dropped EXE
   - Modifies registry class
38. C:\Windows\SysWOW64\Ijgakgej.exe (PID 2368)
   Command line: C:\Windows\system32\Ijgakgej.exe
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Ihmnldib.exe (PID 2096)
   Command line: C:\Windows\system32\Ihmnldib.exe
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Jmmcgbnf.exe (PID 1480)
   Command line: C:\Windows\system32\Jmmcgbnf.exe
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Jgedjjki.exe (PID 4932)
   Command line: C:\Windows\system32\Jgedjjki.exe
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Jmamba32.exe (PID 3396)
   Command line: C:\Windows\system32\Jmamba32.exe
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Jggapj32.exe (PID 4104)
   Command line: C:\Windows\system32\Jggapj32.exe
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Jqofippg.exe (PID 3108)
   Command line: C:\Windows\system32\Jqofippg.exe
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Kjlcmdbb.exe (PID 2500)
   Command line: C:\Windows\system32\Kjlcmdbb.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Kjopbd32.exe (PID 4252)
   Command line: C:\Windows\system32\Kjopbd32.exe
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Kifjip32.exe (PID 1088)
   Command line: C:\Windows\system32\Kifjip32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Liifnp32.exe (PID 4912)
   Command line: C:\Windows\system32\Liifnp32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
49. C:\Windows\SysWOW64\Limpiomm.exe (PID 4260)
   Command line: C:\Windows\system32\Limpiomm.exe
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Mdlgmgdh.exe (PID 544)
   Command line: C:\Windows\system32\Mdlgmgdh.exe
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Mapgfk32.exe (PID 3560)
   Command line: C:\Windows\system32\Mapgfk32.exe
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Nfaijand.exe (PID 3980)
   Command line: C:\Windows\system32\Nfaijand.exe
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Ndhgie32.exe (PID 3188)
   Command line: C:\Windows\system32\Ndhgie32.exe
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Npcaie32.exe (PID 4224)
   Command line: C:\Windows\system32\Npcaie32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Omgabj32.exe (PID 4052)
   Command line: C:\Windows\system32\Omgabj32.exe
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Ogbbqo32.exe (PID 5052)
   Command line: C:\Windows\system32\Ogbbqo32.exe
   - Executes dropped EXE
   - Modifies registry class
57. C:\Windows\SysWOW64\Opmcod32.exe (PID 3628)
   Command line: C:\Windows\system32\Opmcod32.exe
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Opopdd32.exe (PID 3360)
   Command line: C:\Windows\system32\Opopdd32.exe
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Paaidf32.exe (PID 3972)
   Command line: C:\Windows\system32\Paaidf32.exe
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Pafcofcg.exe (PID 2956)
   Command line: C:\Windows\system32\Pafcofcg.exe
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Qajlje32.exe (PID 3892)
   Command line: C:\Windows\system32\Qajlje32.exe
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Ahkkhnpg.exe (PID 3876)
   Command line: C:\Windows\system32\Ahkkhnpg.exe
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Aqfolqna.exe (PID 4456)
   Command line: C:\Windows\system32\Aqfolqna.exe
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Bdlncn32.exe (PID 2444)
   Command line: C:\Windows\system32\Bdlncn32.exe
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Ckafkfkp.exe (PID 1800)
   Command line: C:\Windows\system32\Ckafkfkp.exe
   - Executes dropped EXE
   - Modifies registry class
66. C:\Windows\SysWOW64\Cejjdlap.exe (PID 4276)
   Command line: C:\Windows\system32\Cejjdlap.exe
67. C:\Windows\SysWOW64\Capkim32.exe (PID 1608)
   Command line: C:\Windows\system32\Capkim32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
68. C:\Windows\SysWOW64\Dabhomea.exe (PID 4904)
   Command line: C:\Windows\system32\Dabhomea.exe
69. C:\Windows\SysWOW64\Djmima32.exe (PID 768)
   Command line: C:\Windows\system32\Djmima32.exe
70. C:\Windows\SysWOW64\Dgaiffii.exe (PID 3080)
   Command line: C:\Windows\system32\Dgaiffii.exe
   - Modifies registry class
71. C:\Windows\SysWOW64\Dlobmd32.exe (PID 2972)
   Command line: C:\Windows\system32\Dlobmd32.exe
72. C:\Windows\SysWOW64\Eelpqi32.exe (PID 1904)
   Command line: C:\Windows\system32\Eelpqi32.exe
73. C:\Windows\SysWOW64\Eliecc32.exe (PID 4860)
   Command line: C:\Windows\system32\Eliecc32.exe
74. C:\Windows\SysWOW64\Ebbmpmnb.exe (PID 3896)
   Command line: C:\Windows\system32\Ebbmpmnb.exe
   - Drops file in System32 directory
75. C:\Windows\SysWOW64\Fkbkoo32.exe (PID 4816)
   Command line: C:\Windows\system32\Fkbkoo32.exe
   - Modifies registry class
76. C:\Windows\SysWOW64\Fhflhcfa.exe (PID 2652)
   Command line: C:\Windows\system32\Fhflhcfa.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
77. C:\Windows\SysWOW64\Flddoa32.exe (PID 2156)
   Command line: C:\Windows\system32\Flddoa32.exe
78. C:\Windows\SysWOW64\Faamghko.exe (PID 3088)
   Command line: C:\Windows\system32\Faamghko.exe
79. C:\Windows\SysWOW64\Flgadake.exe (PID 484)
   Command line: C:\Windows\system32\Flgadake.exe
   - Modifies registry class
80. C:\Windows\SysWOW64\Gklnem32.exe (PID 4656)
   Command line: C:\Windows\system32\Gklnem32.exe
81. C:\Windows\SysWOW64\Gimoce32.exe (PID 440)
   Command line: C:\Windows\system32\Gimoce32.exe
82. C:\Windows\SysWOW64\Gbecljnl.exe (PID 1740)
   Command line: C:\Windows\system32\Gbecljnl.exe
83. C:\Windows\SysWOW64\Ghbkdald.exe (PID 888)
   Command line: C:\Windows\system32\Ghbkdald.exe
84. C:\Windows\SysWOW64\Giahndcf.exe (PID 2424)
   Command line: C:\Windows\system32\Giahndcf.exe
85. C:\Windows\SysWOW64\Gkcdfl32.exe (PID 4548)
   Command line: C:\Windows\system32\Gkcdfl32.exe
86. C:\Windows\SysWOW64\Gclimi32.exe (PID 2028)
   Command line: C:\Windows\system32\Gclimi32.exe
87. C:\Windows\SysWOW64\Hhiaepfl.exe (PID 4408)
   Command line: C:\Windows\system32\Hhiaepfl.exe
88. C:\Windows\SysWOW64\Hhlnjpdi.exe (PID 5132)
   Command line: C:\Windows\system32\Hhlnjpdi.exe
89. C:\Windows\SysWOW64\Hoefgj32.exe (PID 5176)
   Command line: C:\Windows\system32\Hoefgj32.exe
90. C:\Windows\SysWOW64\Hklglk32.exe (PID 5220)
   Command line: C:\Windows\system32\Hklglk32.exe
91. C:\Windows\SysWOW64\Iibaeb32.exe (PID 5260)
   Command line: C:\Windows\system32\Iibaeb32.exe
92. C:\Windows\SysWOW64\Iooimi32.exe (PID 5308)
   Command line: C:\Windows\system32\Iooimi32.exe
   - Drops file in System32 directory
93. C:\Windows\SysWOW64\Ilgcblnp.exe (PID 5352)
   Command line: C:\Windows\system32\Ilgcblnp.exe
94. C:\Windows\SysWOW64\Jjgcgo32.exe (PID 5396)
   Command line: C:\Windows\system32\Jjgcgo32.exe
95. C:\Windows\SysWOW64\Kkofofbb.exe (PID 5440)
   Command line: C:\Windows\system32\Kkofofbb.exe
96. C:\Windows\SysWOW64\Kkabefqp.exe (PID 5484)
   Command line: C:\Windows\system32\Kkabefqp.exe
97. C:\Windows\SysWOW64\Kfggbope.exe (PID 5532)
   Command line: C:\Windows\system32\Kfggbope.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
98. C:\Windows\SysWOW64\Lihpdj32.exe (PID 5580)
   Command line: C:\Windows\system32\Lihpdj32.exe
99. C:\Windows\SysWOW64\Lijlii32.exe (PID 5624)
   Command line: C:\Windows\system32\Lijlii32.exe
100. C:\Windows\SysWOW64\Lpdefc32.exe (PID 5664)
   Command line: C:\Windows\system32\Lpdefc32.exe
101. C:\Windows\SysWOW64\Lfnmcnjn.exe (PID 5708)
   Command line: C:\Windows\system32\Lfnmcnjn.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
102. C:\Windows\SysWOW64\Lkkekdhe.exe (PID 5752)
   Command line: C:\Windows\system32\Lkkekdhe.exe
103. C:\Windows\SysWOW64\Lfqjhmhk.exe (PID 5796)
   Command line: C:\Windows\system32\Lfqjhmhk.exe
104. C:\Windows\SysWOW64\Lmkbeg32.exe (PID 5832)
   Command line: C:\Windows\system32\Lmkbeg32.exe
105. C:\Windows\SysWOW64\Lbgjmnno.exe (PID 5880)
   Command line: C:\Windows\system32\Lbgjmnno.exe
106. C:\Windows\SysWOW64\Llpofd32.exe (PID 5932)
   Command line: C:\Windows\system32\Llpofd32.exe
107. C:\Windows\SysWOW64\Mjehok32.exe (PID 5976)
   Command line: C:\Windows\system32\Mjehok32.exe
   - Drops file in System32 directory
108. C:\Windows\SysWOW64\Mlgegcng.exe (PID 6020)
   Command line: C:\Windows\system32\Mlgegcng.exe
109. C:\Windows\SysWOW64\Nlphmafm.exe (PID 6056)
   Command line: C:\Windows\system32\Nlphmafm.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
110. C:\Windows\SysWOW64\Nffljjfc.exe (PID 6104)
   Command line: C:\Windows\system32\Nffljjfc.exe
111. C:\Windows\SysWOW64\Nmpdgdmp.exe (PID 2400)
   Command line: C:\Windows\system32\Nmpdgdmp.exe
   - Modifies registry class
112. C:\Windows\SysWOW64\Nfhipj32.exe (PID 5200)
   Command line: C:\Windows\system32\Nfhipj32.exe
113. C:\Windows\SysWOW64\Ndliin32.exe (PID 5252)
   Command line: C:\Windows\system32\Ndliin32.exe
   - Modifies registry class
114. C:\Windows\SysWOW64\Njfafhjf.exe (PID 5344)
   Command line: C:\Windows\system32\Njfafhjf.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
115. C:\Windows\SysWOW64\Oinkmdml.exe (PID 5380)
   Command line: C:\Windows\system32\Oinkmdml.exe
   - Modifies registry class
116. C:\Windows\SysWOW64\Odcojm32.exe (PID 5448)
   Command line: C:\Windows\system32\Odcojm32.exe
117. C:\Windows\SysWOW64\Omkdcccb.exe (PID 5520)
   Command line: C:\Windows\system32\Omkdcccb.exe
118. C:\Windows\SysWOW64\Okodlgbl.exe (PID 5592)
   Command line: C:\Windows\system32\Okodlgbl.exe
   - Drops file in System32 directory
119. C:\Windows\SysWOW64\Pmpmnb32.exe (PID 5764)
   Command line: C:\Windows\system32\Pmpmnb32.exe
120. C:\Windows\SysWOW64\Anqfepaj.exe (PID 5840)
   Command line: C:\Windows\system32\Anqfepaj.exe
121. C:\Windows\SysWOW64\Bdkghg32.exe (PID 5892)
   Command line: C:\Windows\system32\Bdkghg32.exe
122. C:\Windows\SysWOW64\Bkepeaaa.exe (PID 5912)
   Command line: C:\Windows\system32\Bkepeaaa.exe