Analysis
-
max time kernel
166s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
01/11/2023, 14:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.a28b3c987523a78c2f2445710c965160.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.a28b3c987523a78c2f2445710c965160.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.a28b3c987523a78c2f2445710c965160.exe
-
Size
78KB
-
MD5
a28b3c987523a78c2f2445710c965160
-
SHA1
ccf20dcd6e5be27ccfea853e57d73126d34c69a4
-
SHA256
7539a3f5d280178b626e743681e4df7861c2bba500a9e36f9e5601a0375bea4a
-
SHA512
544fcb7c0ed4e1d85d876a5ea759f631e377c8433196629adaeb82dac68a0c3147e171830dcc1307bd227e05922f01585c65a11eadb29e030bcad5a2d55d7046
-
SSDEEP
1536:Aw05+9njKt1YB67LAODsVjC7HRiMjQdo89TLiVcN+zL20gJi1ie:q2m+UDsVjCDjeiVcgzL20WKt
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngpcmj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Menpgmap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlbkjf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdpdd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlphnbfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdnqgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onifpodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mncmck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iggakn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gahcgg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaimko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpbfbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmaikcmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnlgekkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfchehla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdhmjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpajdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ileflmpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcokah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iioicn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neebkkgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abnnnjfh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiglen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nljopa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdoegcfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpegeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemephgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpeclq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iehkpmgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agbkfood.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcmie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oldjlm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhkbnbhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpgdjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgeogb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icjengld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kolakkii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qciqga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phnoac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cocjbkna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blbabnbk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lekeajmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpihmmdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoglbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekpmljin.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogjmnomi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbjlbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeopnmoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqgiel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbahgbfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad NEAS.a28b3c987523a78c2f2445710c965160.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbfjljhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cckkmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlpgiebo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkkjfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkmkfncf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbofmmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnofkdno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckladcoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqkeoama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhjknljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhlamhkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blkkaohc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkhbnm32.exe -
Executes dropped EXE 64 IoCs
pid Process 2440 Gdgdeppb.exe 3028 Iajmmm32.exe 5076 Kdhbpf32.exe 2640 Lcjldk32.exe 2020 Ndidna32.exe 1764 Nbdkhe32.exe 4104 Okfbgiij.exe 4496 Pcpgmf32.exe 5056 Peempn32.exe 1456 Qcncodki.exe 4488 Aeffgkkp.exe 3948 Apngjd32.exe 1408 Bcpika32.exe 4376 Cplckbmc.exe 4680 Dbhlikpf.exe 2132 Elhfbp32.exe 3588 Fdogjk32.exe 2320 Gckjlf32.exe 4400 Hqfqfj32.exe 3444 Hmbkfjko.exe 844 Icgbob32.exe 5068 Jcoioabf.exe 2312 Kfdklllb.exe 2856 Khfdlnab.exe 4176 Lmjcdd32.exe 3912 Mmhofbma.exe 2896 Najagp32.exe 2872 Nncoaq32.exe 1272 Oeopnmoa.exe 4716 Ononmo32.exe 3548 Pdpmkhjl.exe 1004 Pnhacn32.exe 4852 Pgeogb32.exe 1928 Adqeaf32.exe 3740 Bkadoo32.exe 3312 Bflagg32.exe 4216 Cpklql32.exe 4472 Cfjnhe32.exe 4296 Cbqonf32.exe 804 Didjqoae.exe 3456 Eoekde32.exe 2408 Elilmi32.exe 736 Foakpc32.exe 4464 Gohapb32.exe 1120 Gpodkdll.exe 2232 Hhobjf32.exe 1500 Hgpbhmna.exe 1372 Hgdlcm32.exe 448 Icminm32.exe 1188 Iiokacgp.exe 2484 Jokpcmmj.exe 1308 Jopiom32.exe 2092 Jcpojk32.exe 4300 Kppbejka.exe 2548 Lglcag32.exe 3596 Lmiljn32.exe 1956 Lcealh32.exe 628 Mhefhf32.exe 1204 Oggllnkl.exe 4212 Paaidf32.exe 3672 Ppffec32.exe 1192 Agnkck32.exe 812 Bbpolb32.exe 4012 Cegnol32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ajoagadf.exe Adbiojfo.exe File created C:\Windows\SysWOW64\Icgbob32.exe Hmbkfjko.exe File opened for modification C:\Windows\SysWOW64\Mmhofbma.exe Lmjcdd32.exe File created C:\Windows\SysWOW64\Dcalgbgh.dll Pgeogb32.exe File created C:\Windows\SysWOW64\Hhfplejl.exe Hnnlcpcl.exe File created C:\Windows\SysWOW64\Elilmi32.exe Eoekde32.exe File created C:\Windows\SysWOW64\Jfdinf32.exe Jmkdeaee.exe File created C:\Windows\SysWOW64\Noijmp32.exe Nimbdi32.exe File created C:\Windows\SysWOW64\Knipik32.exe Khpgmqpp.exe File created C:\Windows\SysWOW64\Khdiln32.dll Elbhde32.exe File created C:\Windows\SysWOW64\Cjggaooi.dll Eaonccme.exe File opened for modification C:\Windows\SysWOW64\Kfnkeh32.exe Klifhpjk.exe File created C:\Windows\SysWOW64\Hnbbpd32.dll Llbinnbq.exe File created C:\Windows\SysWOW64\Gmcdolbn.exe Ghflgedf.exe File opened for modification C:\Windows\SysWOW64\Hmbkfjko.exe Hqfqfj32.exe File created C:\Windows\SysWOW64\Igjhce32.dll Iiokacgp.exe File opened for modification C:\Windows\SysWOW64\Opdpih32.exe Nldjnk32.exe File created C:\Windows\SysWOW64\Noajcphe.dll Ijgjpaao.exe File opened for modification C:\Windows\SysWOW64\Ehocjo32.exe Emjomf32.exe File opened for modification C:\Windows\SysWOW64\Kgdpgo32.exe Jgoflpal.exe File created C:\Windows\SysWOW64\Limdkpgg.dll Jjopmh32.exe File created C:\Windows\SysWOW64\Cfdefo32.dll Ileflmpb.exe File created C:\Windows\SysWOW64\Ghcplhoe.dll Bglpjb32.exe File created C:\Windows\SysWOW64\Cdabmcdi.exe Cndidlfb.exe File created C:\Windows\SysWOW64\Ncfqehop.dll Icgbob32.exe File created C:\Windows\SysWOW64\Glkkop32.exe Eacaej32.exe File opened for modification C:\Windows\SysWOW64\Hoglbc32.exe Gdheol32.exe File created C:\Windows\SysWOW64\Hnlgekkc.exe Hhoomd32.exe File created C:\Windows\SysWOW64\Cdfpdc32.exe Bdagidhi.exe File opened for modification C:\Windows\SysWOW64\Mhbakk32.exe Lgibjj32.exe File created C:\Windows\SysWOW64\Ipabdl32.dll Ldjodh32.exe File opened for modification C:\Windows\SysWOW64\Ipjocgdm.exe Hbhbie32.exe File created C:\Windows\SysWOW64\Annbli32.dll Kifhkkci.exe File opened for modification C:\Windows\SysWOW64\Cggnhlml.exe Cmaikcmf.exe File created C:\Windows\SysWOW64\Jjlgpgbf.dll Eiaobjia.exe File created C:\Windows\SysWOW64\Oigcebdh.dll Bflagg32.exe File created C:\Windows\SysWOW64\Dccioa32.dll Qbddmejf.exe File opened for modification C:\Windows\SysWOW64\Hmoehojj.exe Hbiakf32.exe File opened for modification C:\Windows\SysWOW64\Djcoko32.exe Dpmknf32.exe File created C:\Windows\SysWOW64\Gohhik32.exe Gdcdlb32.exe File created C:\Windows\SysWOW64\Idfcibho.dll Kfnkeh32.exe File created C:\Windows\SysWOW64\Apohdjda.dll Lechfeoi.exe File opened for modification C:\Windows\SysWOW64\Hnlgekkc.exe Hhoomd32.exe File opened for modification C:\Windows\SysWOW64\Mnanpfdo.exe Lgdinmod.exe File created C:\Windows\SysWOW64\Ngpcmj32.exe Nljopa32.exe File created C:\Windows\SysWOW64\Amcmie32.exe Ackiqpce.exe File created C:\Windows\SysWOW64\Mogpol32.dll Dcjnikhc.exe File created C:\Windows\SysWOW64\Enhpje32.exe Egnhnkmj.exe File opened for modification C:\Windows\SysWOW64\Oggllnkl.exe Mhefhf32.exe File created C:\Windows\SysWOW64\Likndk32.dll Najagp32.exe File created C:\Windows\SysWOW64\Kmiajk32.dll Cocjbkna.exe File created C:\Windows\SysWOW64\Eoagdi32.exe Dnmaog32.exe File opened for modification C:\Windows\SysWOW64\Fgenoj32.exe Eqkfapoe.exe File created C:\Windows\SysWOW64\Ipmjkh32.exe Iehfno32.exe File created C:\Windows\SysWOW64\Calcbp32.dll Qmhdhm32.exe File created C:\Windows\SysWOW64\Kenmbb32.dll Lqndahiq.exe File created C:\Windows\SysWOW64\Amjjjp32.dll Qcbmegol.exe File created C:\Windows\SysWOW64\Ekdanmkl.dll Pckpja32.exe File opened for modification C:\Windows\SysWOW64\Cioifm32.exe Ccbanfko.exe File created C:\Windows\SysWOW64\Nkeodibl.dll Enhpje32.exe File created C:\Windows\SysWOW64\Aeflknmj.dll Jokpcmmj.exe File created C:\Windows\SysWOW64\Ndajcnag.dll Gjocaj32.exe File created C:\Windows\SysWOW64\Kncmepjq.dll Pdifhkni.exe File created C:\Windows\SysWOW64\Gbpnedga.dll Fdogjk32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgiiclkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oncopcqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omdaai32.dll" Cfaddg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhnlapbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebimqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojaldgoc.dll" Jgmjfpco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbpolb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncihbaie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohdpkpcl.dll" Ogmidbal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdmmlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnodmijd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Heegjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efqigigj.dll" Cpklql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hknmgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oefamoma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnlgekkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqihjbod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkahba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knipik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqjfniad.dll" Oiihkncb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dndnjllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llofqn32.dll" Khdedapj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iehfno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmfcfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpilcnoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpeclq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmhdhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogmidbal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qifiph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gicgjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akdbojmi.dll" Mallojmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipmjkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phqbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehomph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqmdhonl.dll" Jghpkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncifdlii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgdlcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckafp32.dll" Pacfdila.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgkfhngo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmjkhghe.dll" Bbpolb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emknmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oceepj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoagdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbpmbldi.dll" Jlphnbfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcikhace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqdhecgn.dll" Mcnhfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llhnpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fihecici.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbhbie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elidlmdb.dll" Ehndhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mighqkfg.dll" Jlkaahjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnjked32.dll" Npcokpln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omkmcpgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agpqnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhkqe32.dll" Bdcmfkde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggappk32.dll" Acilkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llhnpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnndl32.dll" Kfdklllb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkdaij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlfod32.dll" Cdabmcdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afnafloe.dll" Kamjmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejdhcjpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioclnblj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajeigke.dll" Dhjknljl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2524 wrote to memory of 2440 2524 NEAS.a28b3c987523a78c2f2445710c965160.exe 92 PID 2524 wrote to memory of 2440 2524 NEAS.a28b3c987523a78c2f2445710c965160.exe 92 PID 2524 wrote to memory of 2440 2524 NEAS.a28b3c987523a78c2f2445710c965160.exe 92 PID 2440 wrote to memory of 3028 2440 Gdgdeppb.exe 93 PID 2440 wrote to memory of 3028 2440 Gdgdeppb.exe 93 PID 2440 wrote to memory of 3028 2440 Gdgdeppb.exe 93 PID 3028 wrote to memory of 5076 3028 Iajmmm32.exe 94 PID 3028 wrote to memory of 5076 3028 Iajmmm32.exe 94 PID 3028 wrote to memory of 5076 3028 Iajmmm32.exe 94 PID 5076 wrote to memory of 2640 5076 Kdhbpf32.exe 95 PID 5076 wrote to memory of 2640 5076 Kdhbpf32.exe 95 PID 5076 wrote to memory of 2640 5076 Kdhbpf32.exe 95 PID 2640 wrote to memory of 2020 2640 Lcjldk32.exe 96 PID 2640 wrote to memory of 2020 2640 Lcjldk32.exe 96 PID 2640 wrote to memory of 2020 2640 Lcjldk32.exe 96 PID 2020 wrote to memory of 1764 2020 Ndidna32.exe 97 PID 2020 wrote to memory of 1764 2020 Ndidna32.exe 97 PID 2020 wrote to memory of 1764 2020 Ndidna32.exe 97 PID 1764 wrote to memory of 4104 1764 Nbdkhe32.exe 98 PID 1764 wrote to memory of 4104 1764 Nbdkhe32.exe 98 PID 1764 wrote to memory of 4104 1764 Nbdkhe32.exe 98 PID 4104 wrote to memory of 4496 4104 Okfbgiij.exe 99 PID 4104 wrote to memory of 4496 4104 Okfbgiij.exe 99 PID 4104 wrote to memory of 4496 4104 Okfbgiij.exe 99 PID 4496 wrote to memory of 5056 4496 Pcpgmf32.exe 100 PID 4496 wrote to memory of 5056 4496 Pcpgmf32.exe 100 PID 4496 wrote to memory of 5056 4496 Pcpgmf32.exe 100 PID 5056 wrote to memory of 1456 5056 Peempn32.exe 101 PID 5056 wrote to memory of 1456 5056 Peempn32.exe 101 PID 5056 wrote to memory of 1456 5056 Peempn32.exe 101 PID 1456 wrote to memory of 4488 1456 Qcncodki.exe 102 PID 1456 wrote to memory of 4488 1456 Qcncodki.exe 102 PID 1456 wrote to memory of 4488 1456 Qcncodki.exe 102 PID 4488 wrote to memory of 3948 4488 Aeffgkkp.exe 103 PID 4488 wrote to memory of 3948 4488 Aeffgkkp.exe 103 PID 4488 wrote to memory of 3948 4488 Aeffgkkp.exe 103 PID 3948 wrote to memory of 1408 3948 Apngjd32.exe 104 PID 3948 wrote to memory of 1408 3948 Apngjd32.exe 104 PID 3948 wrote to memory of 1408 3948 Apngjd32.exe 104 PID 1408 wrote to memory of 4376 1408 Bcpika32.exe 105 PID 1408 wrote to memory of 4376 1408 Bcpika32.exe 105 PID 1408 wrote to memory of 4376 1408 Bcpika32.exe 105 PID 4376 wrote to memory of 4680 4376 Cplckbmc.exe 106 PID 4376 wrote to memory of 4680 4376 Cplckbmc.exe 106 PID 4376 wrote to memory of 4680 4376 Cplckbmc.exe 106 PID 4680 wrote to memory of 2132 4680 Dbhlikpf.exe 107 PID 4680 wrote to memory of 2132 4680 Dbhlikpf.exe 107 PID 4680 wrote to memory of 2132 4680 Dbhlikpf.exe 107 PID 2132 wrote to memory of 3588 2132 Elhfbp32.exe 108 PID 2132 wrote to memory of 3588 2132 Elhfbp32.exe 108 PID 2132 wrote to memory of 3588 2132 Elhfbp32.exe 108 PID 3588 wrote to memory of 2320 3588 Fdogjk32.exe 109 PID 3588 wrote to memory of 2320 3588 Fdogjk32.exe 109 PID 3588 wrote to memory of 2320 3588 Fdogjk32.exe 109 PID 2320 wrote to memory of 4400 2320 Gckjlf32.exe 110 PID 2320 wrote to memory of 4400 2320 Gckjlf32.exe 110 PID 2320 wrote to memory of 4400 2320 Gckjlf32.exe 110 PID 4400 wrote to memory of 3444 4400 Hqfqfj32.exe 111 PID 4400 wrote to memory of 3444 4400 Hqfqfj32.exe 111 PID 4400 wrote to memory of 3444 4400 Hqfqfj32.exe 111 PID 3444 wrote to memory of 844 3444 Hmbkfjko.exe 112 PID 3444 wrote to memory of 844 3444 Hmbkfjko.exe 112 PID 3444 wrote to memory of 844 3444 Hmbkfjko.exe 112 PID 844 wrote to memory of 5068 844 Icgbob32.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.a28b3c987523a78c2f2445710c965160.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.a28b3c987523a78c2f2445710c965160.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Gdgdeppb.exeC:\Windows\system32\Gdgdeppb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Iajmmm32.exeC:\Windows\system32\Iajmmm32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Kdhbpf32.exeC:\Windows\system32\Kdhbpf32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Lcjldk32.exeC:\Windows\system32\Lcjldk32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Ndidna32.exeC:\Windows\system32\Ndidna32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Nbdkhe32.exeC:\Windows\system32\Nbdkhe32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Okfbgiij.exeC:\Windows\system32\Okfbgiij.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\Pcpgmf32.exeC:\Windows\system32\Pcpgmf32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\Peempn32.exeC:\Windows\system32\Peempn32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Qcncodki.exeC:\Windows\system32\Qcncodki.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Aeffgkkp.exeC:\Windows\system32\Aeffgkkp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Apngjd32.exeC:\Windows\system32\Apngjd32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Bcpika32.exeC:\Windows\system32\Bcpika32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Cplckbmc.exeC:\Windows\system32\Cplckbmc.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Dbhlikpf.exeC:\Windows\system32\Dbhlikpf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Elhfbp32.exeC:\Windows\system32\Elhfbp32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Fdogjk32.exeC:\Windows\system32\Fdogjk32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\Gckjlf32.exeC:\Windows\system32\Gckjlf32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Hqfqfj32.exeC:\Windows\system32\Hqfqfj32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Hmbkfjko.exeC:\Windows\system32\Hmbkfjko.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\Icgbob32.exeC:\Windows\system32\Icgbob32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\Jcoioabf.exeC:\Windows\system32\Jcoioabf.exe23⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Kfdklllb.exeC:\Windows\system32\Kfdklllb.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Khfdlnab.exeC:\Windows\system32\Khfdlnab.exe25⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Lmjcdd32.exeC:\Windows\system32\Lmjcdd32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4176 -
C:\Windows\SysWOW64\Mmhofbma.exeC:\Windows\system32\Mmhofbma.exe27⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Najagp32.exeC:\Windows\system32\Najagp32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Nncoaq32.exeC:\Windows\system32\Nncoaq32.exe29⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Oeopnmoa.exeC:\Windows\system32\Oeopnmoa.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Ononmo32.exeC:\Windows\system32\Ononmo32.exe31⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Pdpmkhjl.exeC:\Windows\system32\Pdpmkhjl.exe32⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Pnhacn32.exeC:\Windows\system32\Pnhacn32.exe33⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Pgeogb32.exeC:\Windows\system32\Pgeogb32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4852 -
C:\Windows\SysWOW64\Adqeaf32.exeC:\Windows\system32\Adqeaf32.exe35⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Bkadoo32.exeC:\Windows\system32\Bkadoo32.exe36⤵
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Bflagg32.exeC:\Windows\system32\Bflagg32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3312 -
C:\Windows\SysWOW64\Cpklql32.exeC:\Windows\system32\Cpklql32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:4216 -
C:\Windows\SysWOW64\Cfjnhe32.exeC:\Windows\system32\Cfjnhe32.exe39⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Cbqonf32.exeC:\Windows\system32\Cbqonf32.exe40⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Didjqoae.exeC:\Windows\system32\Didjqoae.exe41⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Eoekde32.exeC:\Windows\system32\Eoekde32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3456 -
C:\Windows\SysWOW64\Elilmi32.exeC:\Windows\system32\Elilmi32.exe43⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Foakpc32.exeC:\Windows\system32\Foakpc32.exe44⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Gohapb32.exeC:\Windows\system32\Gohapb32.exe45⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Gpodkdll.exeC:\Windows\system32\Gpodkdll.exe46⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Hhobjf32.exeC:\Windows\system32\Hhobjf32.exe47⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Hgpbhmna.exeC:\Windows\system32\Hgpbhmna.exe48⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Hgdlcm32.exeC:\Windows\system32\Hgdlcm32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Icminm32.exeC:\Windows\system32\Icminm32.exe50⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Iiokacgp.exeC:\Windows\system32\Iiokacgp.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1188 -
C:\Windows\SysWOW64\Jokpcmmj.exeC:\Windows\system32\Jokpcmmj.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Jopiom32.exeC:\Windows\system32\Jopiom32.exe53⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Jcpojk32.exeC:\Windows\system32\Jcpojk32.exe54⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Kppbejka.exeC:\Windows\system32\Kppbejka.exe55⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Lglcag32.exeC:\Windows\system32\Lglcag32.exe56⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Lmiljn32.exeC:\Windows\system32\Lmiljn32.exe57⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Lcealh32.exeC:\Windows\system32\Lcealh32.exe58⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Mhefhf32.exeC:\Windows\system32\Mhefhf32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:628 -
C:\Windows\SysWOW64\Oggllnkl.exeC:\Windows\system32\Oggllnkl.exe60⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Paaidf32.exeC:\Windows\system32\Paaidf32.exe61⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Ppffec32.exeC:\Windows\system32\Ppffec32.exe62⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Agnkck32.exeC:\Windows\system32\Agnkck32.exe63⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Bbpolb32.exeC:\Windows\system32\Bbpolb32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:812 -
C:\Windows\SysWOW64\Cegnol32.exeC:\Windows\system32\Cegnol32.exe65⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Cejjdlap.exeC:\Windows\system32\Cejjdlap.exe66⤵PID:1564
-
C:\Windows\SysWOW64\Dgomaf32.exeC:\Windows\system32\Dgomaf32.exe67⤵PID:2860
-
C:\Windows\SysWOW64\Dajnol32.exeC:\Windows\system32\Dajnol32.exe68⤵PID:4288
-
C:\Windows\SysWOW64\Elfhmc32.exeC:\Windows\system32\Elfhmc32.exe69⤵PID:4752
-
C:\Windows\SysWOW64\Eacaej32.exeC:\Windows\system32\Eacaej32.exe70⤵
- Drops file in System32 directory
PID:4592 -
C:\Windows\SysWOW64\Glkkop32.exeC:\Windows\system32\Glkkop32.exe71⤵PID:3296
-
C:\Windows\SysWOW64\Gahcgg32.exeC:\Windows\system32\Gahcgg32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2272 -
C:\Windows\SysWOW64\Hakidd32.exeC:\Windows\system32\Hakidd32.exe73⤵PID:4224
-
C:\Windows\SysWOW64\Icjengld.exeC:\Windows\system32\Icjengld.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4736 -
C:\Windows\SysWOW64\Ilcjgm32.exeC:\Windows\system32\Ilcjgm32.exe75⤵PID:4820
-
C:\Windows\SysWOW64\Ijgjpaao.exeC:\Windows\system32\Ijgjpaao.exe76⤵
- Drops file in System32 directory
PID:5116 -
C:\Windows\SysWOW64\Ileflmpb.exeC:\Windows\system32\Ileflmpb.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:220 -
C:\Windows\SysWOW64\Ijkdkq32.exeC:\Windows\system32\Ijkdkq32.exe78⤵PID:3208
-
C:\Windows\SysWOW64\Pkigbfja.exeC:\Windows\system32\Pkigbfja.exe79⤵PID:5132
-
C:\Windows\SysWOW64\Agpqnd32.exeC:\Windows\system32\Agpqnd32.exe80⤵
- Modifies registry class
PID:5324 -
C:\Windows\SysWOW64\Bglpjb32.exeC:\Windows\system32\Bglpjb32.exe81⤵
- Drops file in System32 directory
PID:5384 -
C:\Windows\SysWOW64\Dcqmpa32.exeC:\Windows\system32\Dcqmpa32.exe82⤵PID:5428
-
C:\Windows\SysWOW64\Ecjpfp32.exeC:\Windows\system32\Ecjpfp32.exe83⤵PID:5472
-
C:\Windows\SysWOW64\Ejdhcjpl.exeC:\Windows\system32\Ejdhcjpl.exe84⤵
- Modifies registry class
PID:5516 -
C:\Windows\SysWOW64\Enfjdh32.exeC:\Windows\system32\Enfjdh32.exe85⤵PID:5564
-
C:\Windows\SysWOW64\Flmhclod.exeC:\Windows\system32\Flmhclod.exe86⤵PID:5608
-
C:\Windows\SysWOW64\Fmndkd32.exeC:\Windows\system32\Fmndkd32.exe87⤵PID:5652
-
C:\Windows\SysWOW64\Faqflb32.exeC:\Windows\system32\Faqflb32.exe88⤵PID:5696
-
C:\Windows\SysWOW64\Gdheol32.exeC:\Windows\system32\Gdheol32.exe89⤵
- Drops file in System32 directory
PID:5736 -
C:\Windows\SysWOW64\Hoglbc32.exeC:\Windows\system32\Hoglbc32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5772 -
C:\Windows\SysWOW64\Hknmgd32.exeC:\Windows\system32\Hknmgd32.exe91⤵
- Modifies registry class
PID:5848 -
C:\Windows\SysWOW64\Iehkpmgl.exeC:\Windows\system32\Iehkpmgl.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5888 -
C:\Windows\SysWOW64\Ioclnblj.exeC:\Windows\system32\Ioclnblj.exe93⤵
- Modifies registry class
PID:5932 -
C:\Windows\SysWOW64\Jakkplbc.exeC:\Windows\system32\Jakkplbc.exe94⤵PID:5972
-
C:\Windows\SysWOW64\Jkcpia32.exeC:\Windows\system32\Jkcpia32.exe95⤵PID:6012
-
C:\Windows\SysWOW64\Jkeloa32.exeC:\Windows\system32\Jkeloa32.exe96⤵PID:6056
-
C:\Windows\SysWOW64\Jdnqgg32.exeC:\Windows\system32\Jdnqgg32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6100 -
C:\Windows\SysWOW64\Kleiid32.exeC:\Windows\system32\Kleiid32.exe98⤵PID:2948
-
C:\Windows\SysWOW64\Kbfjljhf.exeC:\Windows\system32\Kbfjljhf.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3196 -
C:\Windows\SysWOW64\Kdeghfhj.exeC:\Windows\system32\Kdeghfhj.exe100⤵PID:5192
-
C:\Windows\SysWOW64\Locnlmoe.exeC:\Windows\system32\Locnlmoe.exe101⤵PID:3308
-
C:\Windows\SysWOW64\Lkmkfncf.exeC:\Windows\system32\Lkmkfncf.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4864 -
C:\Windows\SysWOW64\Mmcnap32.exeC:\Windows\system32\Mmcnap32.exe103⤵PID:5400
-
C:\Windows\SysWOW64\Mmfjfp32.exeC:\Windows\system32\Mmfjfp32.exe104⤵PID:5456
-
C:\Windows\SysWOW64\Nldjnk32.exeC:\Windows\system32\Nldjnk32.exe105⤵
- Drops file in System32 directory
PID:5528 -
C:\Windows\SysWOW64\Opdpih32.exeC:\Windows\system32\Opdpih32.exe106⤵PID:5576
-
C:\Windows\SysWOW64\Ofnhfbjl.exeC:\Windows\system32\Ofnhfbjl.exe107⤵PID:5640
-
C:\Windows\SysWOW64\Oefamoma.exeC:\Windows\system32\Oefamoma.exe108⤵
- Modifies registry class
PID:5704 -
C:\Windows\SysWOW64\Pbahgbfc.exeC:\Windows\system32\Pbahgbfc.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5788 -
C:\Windows\SysWOW64\Gcgndf32.exeC:\Windows\system32\Gcgndf32.exe110⤵PID:5928
-
C:\Windows\SysWOW64\Imeeohoi.exeC:\Windows\system32\Imeeohoi.exe111⤵PID:5948
-
C:\Windows\SysWOW64\Jhocgqjj.exeC:\Windows\system32\Jhocgqjj.exe112⤵PID:1020
-
C:\Windows\SysWOW64\Jgiiclkl.exeC:\Windows\system32\Jgiiclkl.exe113⤵
- Modifies registry class
PID:4856 -
C:\Windows\SysWOW64\Lamjbc32.exeC:\Windows\system32\Lamjbc32.exe114⤵PID:1624
-
C:\Windows\SysWOW64\Lgibjj32.exeC:\Windows\system32\Lgibjj32.exe115⤵
- Drops file in System32 directory
PID:5240 -
C:\Windows\SysWOW64\Mhbakk32.exeC:\Windows\system32\Mhbakk32.exe116⤵PID:5268
-
C:\Windows\SysWOW64\Nnfpcada.exeC:\Windows\system32\Nnfpcada.exe117⤵PID:5180
-
C:\Windows\SysWOW64\Nofmndkd.exeC:\Windows\system32\Nofmndkd.exe118⤵PID:5076
-
C:\Windows\SysWOW64\Nqgiel32.exeC:\Windows\system32\Nqgiel32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4332 -
C:\Windows\SysWOW64\Neebkkgi.exeC:\Windows\system32\Neebkkgi.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2856 -
C:\Windows\SysWOW64\Nojfic32.exeC:\Windows\system32\Nojfic32.exe121⤵PID:5504
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-