Analysis
max time kernel
178s -
max time network
192s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
submitted
01/11/2023, 14:17
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
NEAS.b1293148607a053c852d0aaa2bcdc770.exe
Resource
win7-20231020-en
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.b1293148607a053c852d0aaa2bcdc770.exe
Resource
win10v2004-20231023-en
5 signatures
150 seconds
General
Target
NEAS.b1293148607a053c852d0aaa2bcdc770.exe
Size
383KB
MD5
b1293148607a053c852d0aaa2bcdc770
SHA1
c98fb0fe6c26de199381a85c3105604b81133cc3
SHA256
65eca1a9107e9f8c2fa82d1f828c729ec4b98df36d93d71e8336c4dbe89a6d70
SHA512
a450bb4aebf578818dee298fefdbdc9c8b9aa1a2075fd137e27339294f1eca5269636f45cebf7a7ca28db6249c65e9bf11fa11203967bd8a243843c9b7276b0c
SSDEEP
6144:WaX08zyP15rrDyDF8/C5w0Os3BMm+LN3K3UYA5ADwr2n1SJS0oTEUF7q3QC:WaRzyPbrrDyD+uOrm+LN3K3VA5ADwr26
Score
10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs — the entries below register a CLSID under ShellServiceObjectDelayLoad, a list of COM objects Explorer loads at startup; the InProcServer32 entries in the "Modifies registry class" section map that same CLSID to DLLs under SysWow64, which is what makes the dropped DLLs persist.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfgkfadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okmpjpfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pebfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbiamd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkcehaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Holfhfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhijcohe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adfnhlfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aficoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aealea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfoclflo.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Illmho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipjocgdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Locgljca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnopqnjc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjapamfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ongpeejj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgnipi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkopgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alqjiohm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmkgdgej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdcldmbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abgjdeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event 
Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mikepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pimkkfka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmfkac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njpjap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nklbfaae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chiipg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcbcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liikiccg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pifghmae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aegidp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klpjji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mohbcamn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 
Lhogkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beeofk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mojhphij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Combgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecdbhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jknocljn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imklncch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fclmkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dphikllo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lapeci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmejlcoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihkpgg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmfhbm32.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dacmjpgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omlldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Manaegon.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgiibnib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnnakg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gggmqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmkeoqgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mikepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knefnkla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnkgakpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iccpgofm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbecnipp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aobieq32.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdfpdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mohingqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmjlehpl.exe -
Executes dropped EXE 64 IoCs
pid Process 4420 Mikepg32.exe 4124 Qciebg32.exe 1160 Emdaee32.exe 5092 Fmejlcoj.exe 4852 Gokmfe32.exe 4676 Ikpjmd32.exe 4376 Iefnjm32.exe 2092 Ihkpgg32.exe 4872 Jnmbjnlm.exe 1020 Jekpljgg.exe 1368 Khnfce32.exe 2508 Knmkak32.exe 632 Kbkdgj32.exe 4600 Lmhnea32.exe 4952 Mejijcea.exe 4032 Npkmcj32.exe 2752 Ongpeejj.exe 3388 Pifghmae.exe 3888 Pbahgbfc.exe 4964 Acaanp32.exe 4480 Bgdcom32.exe 4456 Dncnnd32.exe 4832 Djnhne32.exe 2872 Eqmjen32.exe 1092 Ggjgofkd.exe 1708 Gjkqpa32.exe 4240 Gffkpa32.exe 2412 Gpnoigpe.exe 4652 Hfmqapcl.exe 416 Hphbpehj.exe 5028 Ijpcbn32.exe 4388 Ipaeedpp.exe 2320 Jphkfc32.exe 1940 Jknocljn.exe 4072 Jncapf32.exe 736 Khplnn32.exe 3856 Kgeiokao.exe 3108 Mndcnafd.exe 3960 Ngodlgka.exe 4132 Nnpcjplf.exe 4972 Obphenpj.exe 1804 Paennh32.exe 4464 Qniogl32.exe 2900 Qbggmk32.exe 3820 Apkhfo32.exe 1140 Apndloif.exe 2336 Aejmdegn.exe 2408 Abnnnjfh.exe 4500 Bbecnipp.exe 4084 Boldcj32.exe 1552 Bekfkc32.exe 1392 Cpedckdl.exe 4716 Clnanlhn.exe 3628 Dhjknljl.exe 4076 Fmoclg32.exe 4772 Gpioca32.exe 4724 Gcggjp32.exe 4496 Hfhqkk32.exe 2836 Imklncch.exe 216 Kdlcbjfj.exe 1048 Pgcpdn32.exe 4556 Agcikk32.exe 4564 Abimhd32.exe 1316 Aegidp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Miabik32.exe Majjgmco.exe File created C:\Windows\SysWOW64\Nnmmleja.exe Mogccnfg.exe File created C:\Windows\SysWOW64\Cpcahb32.dll Lhkghofb.exe File opened for modification C:\Windows\SysWOW64\Dpcppm32.exe Cgklggic.exe File opened for modification C:\Windows\SysWOW64\Ocbdni32.exe Ocknmjcf.exe File created C:\Windows\SysWOW64\Bmocmggl.dll Iefgln32.exe File created C:\Windows\SysWOW64\Jlclnhho.exe Iefgln32.exe File opened for modification C:\Windows\SysWOW64\Mohbcamn.exe Meonklfm.exe File opened for modification C:\Windows\SysWOW64\Pgnipi32.exe Pocdlg32.exe File opened for modification C:\Windows\SysWOW64\Amgefl32.exe Akiijq32.exe File opened for modification C:\Windows\SysWOW64\Ckealm32.exe Cdfpdc32.exe File created C:\Windows\SysWOW64\Gcedcl32.dll Epokojbg.exe File created C:\Windows\SysWOW64\Hgmcpdqc.dll Fpejec32.exe File created C:\Windows\SysWOW64\Lnnakg32.exe Ljloii32.exe File opened for modification C:\Windows\SysWOW64\Bfedhihl.exe Agiagn32.exe File created C:\Windows\SysWOW64\Pgkmhn32.dll Kicdke32.exe File created C:\Windows\SysWOW64\Lhbcmqog.dll Illmho32.exe File opened for modification C:\Windows\SysWOW64\Pebfen32.exe Oiihkncb.exe File opened for modification C:\Windows\SysWOW64\Glbakchp.exe Gffhbljh.exe File opened for modification C:\Windows\SysWOW64\Fjjjanla.exe Fgiqocoq.exe File created C:\Windows\SysWOW64\Gidmfhlj.dll Qniogl32.exe File created C:\Windows\SysWOW64\Pojccmii.exe Pimkkfka.exe File opened for modification C:\Windows\SysWOW64\Bpcgionf.exe Biiole32.exe File created C:\Windows\SysWOW64\Ddkbfp32.exe Dnajjfjo.exe File created C:\Windows\SysWOW64\Njjmgo32.exe Nodijffl.exe File opened for modification C:\Windows\SysWOW64\Hmkeoqgd.exe Hnehndbl.exe File opened for modification C:\Windows\SysWOW64\Hcpcqkbf.exe Gmconaml.exe File opened for modification C:\Windows\SysWOW64\Fachob32.exe Fgncaj32.exe File opened for modification C:\Windows\SysWOW64\Fdbdkn32.exe Fachob32.exe File created 
C:\Windows\SysWOW64\Bjlpcbqo.exe Alqjiohm.exe File created C:\Windows\SysWOW64\Bllpffkg.dll Mhjhfnma.exe File opened for modification C:\Windows\SysWOW64\Iniddhfc.exe Iccpgofm.exe File created C:\Windows\SysWOW64\Ijilbdnp.dll Fjhaml32.exe File created C:\Windows\SysWOW64\Dnajjfjo.exe Dhdaao32.exe File opened for modification C:\Windows\SysWOW64\Kpnjknni.exe Kcjjajop.exe File created C:\Windows\SysWOW64\Jkednp32.dll Hchqlqpj.exe File created C:\Windows\SysWOW64\Onbbaboi.dll Gcddemmd.exe File opened for modification C:\Windows\SysWOW64\Ikpjmd32.exe Gokmfe32.exe File opened for modification C:\Windows\SysWOW64\Knofif32.exe Jqihjbod.exe File created C:\Windows\SysWOW64\Ckealm32.exe Cdfpdc32.exe File created C:\Windows\SysWOW64\Fbcblo32.dll Pfoahd32.exe File created C:\Windows\SysWOW64\Pjjihggb.dll Abnnnjfh.exe File opened for modification C:\Windows\SysWOW64\Mjpbkc32.exe Mniafbfn.exe File opened for modification C:\Windows\SysWOW64\Afddge32.exe Qekbaf32.exe File created C:\Windows\SysWOW64\Mflbdibj.exe Mqojlbcb.exe File created C:\Windows\SysWOW64\Fegqejfe.exe Fdfdmbpf.exe File created C:\Windows\SysWOW64\Addiiq32.dll Pmlekq32.exe File created C:\Windows\SysWOW64\Bpomoc32.exe Beeofk32.exe File created C:\Windows\SysWOW64\Kllpihkg.dll Npkmcj32.exe File created C:\Windows\SysWOW64\Lnadkmhj.exe Lgglnb32.exe File opened for modification C:\Windows\SysWOW64\Biiole32.exe Bpqjcp32.exe File opened for modification C:\Windows\SysWOW64\Abgjdeai.exe Afqipdle.exe File opened for modification C:\Windows\SysWOW64\Knmplopo.exe Keekci32.exe File created C:\Windows\SysWOW64\Pcbjln32.dll Keghiigl.exe File opened for modification C:\Windows\SysWOW64\Ganppk32.exe Gkbkna32.exe File created C:\Windows\SysWOW64\Ipdfheal.exe Hhbkccji.exe File created C:\Windows\SysWOW64\Omlldc32.exe Ofbcgifh.exe File created C:\Windows\SysWOW64\Nophma32.dll Amhlpb32.exe File opened for modification C:\Windows\SysWOW64\Anaofa32.exe Ahdgnj32.exe File opened for modification C:\Windows\SysWOW64\Qcfmgkgo.exe 
Pmlekq32.exe File created C:\Windows\SysWOW64\Gpnoigpe.exe Gffkpa32.exe File created C:\Windows\SysWOW64\Jlocei32.dll Hbpgle32.exe File created C:\Windows\SysWOW64\Qjakpc32.dll Bfedhihl.exe File created C:\Windows\SysWOW64\Andqia32.exe Pbfjcalp.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beeofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijpcbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knefnkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kinnei32.dll" Ocbdni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjcfmfpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkkfj32.dll" Leabincm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gglnjknn.dll" Eennoknp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eojcao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afhoaahg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhfacp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdlcbjfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdfhedpo.dll" Apmhbf32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idngkghj.dll" Cadllq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoobnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfldap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddehmba.dll" Ndnnbgcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocbdni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmaja32.dll" Pojccmii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgphc32.dll" Eeodjeha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgiqocoq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apndloif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aegidp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lelcbmcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbpfckie.dll" Gpnfak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = 
"Apartment" Lnnakg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emkhonph.dll" Nnafgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnmdboi.dll" Bmliem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnkhcjbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhbkkipn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbeffcei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lapeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nncokfha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acemfcjn.dll" Ijpcbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjofcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkkabeng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpcahb32.dll" Lhkghofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaeadj32.dll" Bkhkfhnl.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfelpi32.dll" Enhipo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkmaicl.dll" Bblcpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjcfmfpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkgmmjgh.dll" Iefnjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bopgdcnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kngcdkjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibmjdgdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjdqapec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pimkkfka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjofcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pifghmae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qekbaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckmeag32.exe 
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdfdmbpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjhaok32.dll" Onekqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkclkhn.dll" Leoedn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iefnjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mndcnafd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkflbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gffhbljh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkkofn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Objnfe32.dll" Nodijffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opneig32.dll" Chhndcjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlnqfanb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abgbjpga.dll" Nncokfha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ 
= "C:\\Windows\\SysWow64\\Bpodilpi.dll" Ihkpgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidmfhlj.dll" Qniogl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4416 wrote to memory of 4420 4416 NEAS.b1293148607a053c852d0aaa2bcdc770.exe 94 PID 4416 wrote to memory of 4420 4416 NEAS.b1293148607a053c852d0aaa2bcdc770.exe 94 PID 4416 wrote to memory of 4420 4416 NEAS.b1293148607a053c852d0aaa2bcdc770.exe 94 PID 4420 wrote to memory of 4124 4420 Mikepg32.exe 95 PID 4420 wrote to memory of 4124 4420 Mikepg32.exe 95 PID 4420 wrote to memory of 4124 4420 Mikepg32.exe 95 PID 4124 wrote to memory of 1160 4124 Qciebg32.exe 96 PID 4124 wrote to memory of 1160 4124 Qciebg32.exe 96 PID 4124 wrote to memory of 1160 4124 Qciebg32.exe 96 PID 1160 wrote to memory of 5092 1160 Emdaee32.exe 97 PID 1160 wrote to memory of 5092 1160 Emdaee32.exe 97 PID 1160 wrote to memory of 5092 1160 Emdaee32.exe 97 PID 5092 wrote to memory of 4852 5092 Fmejlcoj.exe 98 PID 5092 wrote to memory of 4852 5092 Fmejlcoj.exe 98 PID 5092 wrote to memory of 4852 5092 Fmejlcoj.exe 98 PID 4852 wrote to memory of 4676 4852 Gokmfe32.exe 99 PID 4852 wrote to memory of 4676 4852 Gokmfe32.exe 99 PID 4852 wrote to memory of 4676 4852 Gokmfe32.exe 99 PID 4676 wrote to memory of 4376 4676 Ikpjmd32.exe 100 PID 4676 wrote to memory of 4376 4676 Ikpjmd32.exe 100 PID 4676 wrote to memory of 4376 4676 Ikpjmd32.exe 100 PID 4376 wrote to memory of 2092 4376 Iefnjm32.exe 101 PID 4376 wrote to memory of 2092 4376 Iefnjm32.exe 101 PID 4376 wrote to memory of 2092 4376 Iefnjm32.exe 101 PID 2092 wrote to memory of 4872 2092 Ihkpgg32.exe 102 PID 2092 wrote to memory of 4872 2092 Ihkpgg32.exe 102 PID 2092 wrote to memory of 4872 2092 Ihkpgg32.exe 102 PID 4872 wrote to memory of 1020 4872 Jnmbjnlm.exe 103 PID 4872 wrote to memory of 1020 4872 Jnmbjnlm.exe 103 PID 4872 wrote to memory of 1020 4872 Jnmbjnlm.exe 103 PID 1020 wrote to memory of 1368 1020 Jekpljgg.exe 104 PID 1020 wrote to memory of 1368 1020 Jekpljgg.exe 104 PID 1020 wrote to memory of 1368 1020 Jekpljgg.exe 104 PID 1368 wrote to memory of 2508 1368 Khnfce32.exe 105 PID 1368 wrote to 
memory of 2508 1368 Khnfce32.exe 105 PID 1368 wrote to memory of 2508 1368 Khnfce32.exe 105 PID 2508 wrote to memory of 632 2508 Knmkak32.exe 106 PID 2508 wrote to memory of 632 2508 Knmkak32.exe 106 PID 2508 wrote to memory of 632 2508 Knmkak32.exe 106 PID 632 wrote to memory of 4600 632 Kbkdgj32.exe 107 PID 632 wrote to memory of 4600 632 Kbkdgj32.exe 107 PID 632 wrote to memory of 4600 632 Kbkdgj32.exe 107 PID 4600 wrote to memory of 4952 4600 Lmhnea32.exe 108 PID 4600 wrote to memory of 4952 4600 Lmhnea32.exe 108 PID 4600 wrote to memory of 4952 4600 Lmhnea32.exe 108 PID 4952 wrote to memory of 4032 4952 Mejijcea.exe 109 PID 4952 wrote to memory of 4032 4952 Mejijcea.exe 109 PID 4952 wrote to memory of 4032 4952 Mejijcea.exe 109 PID 4032 wrote to memory of 2752 4032 Npkmcj32.exe 110 PID 4032 wrote to memory of 2752 4032 Npkmcj32.exe 110 PID 4032 wrote to memory of 2752 4032 Npkmcj32.exe 110 PID 2752 wrote to memory of 3388 2752 Ongpeejj.exe 111 PID 2752 wrote to memory of 3388 2752 Ongpeejj.exe 111 PID 2752 wrote to memory of 3388 2752 Ongpeejj.exe 111 PID 3388 wrote to memory of 3888 3388 Pifghmae.exe 112 PID 3388 wrote to memory of 3888 3388 Pifghmae.exe 112 PID 3388 wrote to memory of 3888 3388 Pifghmae.exe 112 PID 3888 wrote to memory of 4964 3888 Pbahgbfc.exe 113 PID 3888 wrote to memory of 4964 3888 Pbahgbfc.exe 113 PID 3888 wrote to memory of 4964 3888 Pbahgbfc.exe 113 PID 4964 wrote to memory of 4480 4964 Acaanp32.exe 115 PID 4964 wrote to memory of 4480 4964 Acaanp32.exe 115 PID 4964 wrote to memory of 4480 4964 Acaanp32.exe 115 PID 4480 wrote to memory of 4456 4480 Bgdcom32.exe 116
Processes
Path: C:\Users\Admin\AppData\Local\Temp\NEAS.b1293148607a053c852d0aaa2bcdc770.exe | Cmdline: "C:\Users\Admin\AppData\Local\Temp\NEAS.b1293148607a053c852d0aaa2bcdc770.exe" | Depth: 1
- Suspicious use of WriteProcessMemory
PID:4416 -
Path: C:\Windows\SysWOW64\Mikepg32.exe | Cmdline: C:\Windows\system32\Mikepg32.exe | Depth: 2 (the system32 path in the command line is resolved to SysWOW64 for this 32-bit process on the x64 host)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
Path: C:\Windows\SysWOW64\Qciebg32.exe | Cmdline: C:\Windows\system32\Qciebg32.exe | Depth: 3
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
Path: C:\Windows\SysWOW64\Emdaee32.exe | Cmdline: C:\Windows\system32\Emdaee32.exe | Depth: 4
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
Path: C:\Windows\SysWOW64\Fmejlcoj.exe | Cmdline: C:\Windows\system32\Fmejlcoj.exe | Depth: 5
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
Path: C:\Windows\SysWOW64\Gokmfe32.exe | Cmdline: C:\Windows\system32\Gokmfe32.exe | Depth: 6
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4852 -
Path: C:\Windows\SysWOW64\Ikpjmd32.exe | Cmdline: C:\Windows\system32\Ikpjmd32.exe | Depth: 7
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
Path: C:\Windows\SysWOW64\Iefnjm32.exe | Cmdline: C:\Windows\system32\Iefnjm32.exe | Depth: 8
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Ihkpgg32.exeC:\Windows\system32\Ihkpgg32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Jnmbjnlm.exeC:\Windows\system32\Jnmbjnlm.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\Jekpljgg.exeC:\Windows\system32\Jekpljgg.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Khnfce32.exeC:\Windows\system32\Khnfce32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Knmkak32.exeC:\Windows\system32\Knmkak32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Kbkdgj32.exeC:\Windows\system32\Kbkdgj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Lmhnea32.exeC:\Windows\system32\Lmhnea32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Mejijcea.exeC:\Windows\system32\Mejijcea.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Npkmcj32.exeC:\Windows\system32\Npkmcj32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Ongpeejj.exeC:\Windows\system32\Ongpeejj.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Pifghmae.exeC:\Windows\system32\Pifghmae.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3388 -
C:\Windows\SysWOW64\Pbahgbfc.exeC:\Windows\system32\Pbahgbfc.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\SysWOW64\Acaanp32.exeC:\Windows\system32\Acaanp32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\Bgdcom32.exeC:\Windows\system32\Bgdcom32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Dncnnd32.exeC:\Windows\system32\Dncnnd32.exe23⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Djnhne32.exeC:\Windows\system32\Djnhne32.exe24⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Eqmjen32.exeC:\Windows\system32\Eqmjen32.exe25⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Ggjgofkd.exeC:\Windows\system32\Ggjgofkd.exe26⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Gjkqpa32.exeC:\Windows\system32\Gjkqpa32.exe27⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Gffkpa32.exeC:\Windows\system32\Gffkpa32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4240 -
C:\Windows\SysWOW64\Gpnoigpe.exeC:\Windows\system32\Gpnoigpe.exe29⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Hfmqapcl.exeC:\Windows\system32\Hfmqapcl.exe30⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Hphbpehj.exeC:\Windows\system32\Hphbpehj.exe31⤵
- Executes dropped EXE
PID:416 -
C:\Windows\SysWOW64\Ijpcbn32.exeC:\Windows\system32\Ijpcbn32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:5028 -
C:\Windows\SysWOW64\Ipaeedpp.exeC:\Windows\system32\Ipaeedpp.exe33⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Jphkfc32.exeC:\Windows\system32\Jphkfc32.exe34⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Jknocljn.exeC:\Windows\system32\Jknocljn.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Jncapf32.exeC:\Windows\system32\Jncapf32.exe36⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Khplnn32.exeC:\Windows\system32\Khplnn32.exe37⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Kgeiokao.exeC:\Windows\system32\Kgeiokao.exe38⤵
- Executes dropped EXE
PID:3856 -
C:\Windows\SysWOW64\Mndcnafd.exeC:\Windows\system32\Mndcnafd.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:3108 -
C:\Windows\SysWOW64\Ngodlgka.exeC:\Windows\system32\Ngodlgka.exe40⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Nnpcjplf.exeC:\Windows\system32\Nnpcjplf.exe41⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Obphenpj.exeC:\Windows\system32\Obphenpj.exe42⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Paennh32.exeC:\Windows\system32\Paennh32.exe43⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Qniogl32.exeC:\Windows\system32\Qniogl32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4464 -
C:\Windows\SysWOW64\Qbggmk32.exeC:\Windows\system32\Qbggmk32.exe45⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Apkhfo32.exeC:\Windows\system32\Apkhfo32.exe46⤵
- Executes dropped EXE
PID:3820 -
C:\Windows\SysWOW64\Apndloif.exeC:\Windows\system32\Apndloif.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Aejmdegn.exeC:\Windows\system32\Aejmdegn.exe48⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Abnnnjfh.exeC:\Windows\system32\Abnnnjfh.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Bbecnipp.exeC:\Windows\system32\Bbecnipp.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Boldcj32.exeC:\Windows\system32\Boldcj32.exe51⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Bekfkc32.exeC:\Windows\system32\Bekfkc32.exe52⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Cpedckdl.exeC:\Windows\system32\Cpedckdl.exe53⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Clnanlhn.exeC:\Windows\system32\Clnanlhn.exe54⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Dhjknljl.exeC:\Windows\system32\Dhjknljl.exe55⤵
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Fmoclg32.exeC:\Windows\system32\Fmoclg32.exe56⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Gpioca32.exeC:\Windows\system32\Gpioca32.exe57⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Gcggjp32.exeC:\Windows\system32\Gcggjp32.exe58⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Hfhqkk32.exeC:\Windows\system32\Hfhqkk32.exe59⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Imklncch.exeC:\Windows\system32\Imklncch.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Kdlcbjfj.exeC:\Windows\system32\Kdlcbjfj.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:216 -
C:\Windows\SysWOW64\Pgcpdn32.exeC:\Windows\system32\Pgcpdn32.exe62⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Agcikk32.exeC:\Windows\system32\Agcikk32.exe63⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Abimhd32.exeC:\Windows\system32\Abimhd32.exe64⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Aegidp32.exeC:\Windows\system32\Aegidp32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Aenpeoom.exeC:\Windows\system32\Aenpeoom.exe66⤵PID:4540
-
C:\Windows\SysWOW64\Bagmpoco.exeC:\Windows\system32\Bagmpoco.exe67⤵PID:3756
-
C:\Windows\SysWOW64\Bopgdcnc.exeC:\Windows\system32\Bopgdcnc.exe68⤵
- Modifies registry class
PID:4508 -
C:\Windows\SysWOW64\Cldgmgml.exeC:\Windows\system32\Cldgmgml.exe69⤵PID:4992
-
C:\Windows\SysWOW64\Ckidoc32.exeC:\Windows\system32\Ckidoc32.exe70⤵PID:840
-
C:\Windows\SysWOW64\Cbqlpabf.exeC:\Windows\system32\Cbqlpabf.exe71⤵PID:4512
-
C:\Windows\SysWOW64\Cdaigi32.exeC:\Windows\system32\Cdaigi32.exe72⤵PID:388
-
C:\Windows\SysWOW64\Ceaealoh.exeC:\Windows\system32\Ceaealoh.exe73⤵PID:4312
-
C:\Windows\SysWOW64\Dampal32.exeC:\Windows\system32\Dampal32.exe74⤵PID:2232
-
C:\Windows\SysWOW64\Dememj32.exeC:\Windows\system32\Dememj32.exe75⤵PID:3396
-
C:\Windows\SysWOW64\Dkjmea32.exeC:\Windows\system32\Dkjmea32.exe76⤵PID:516
-
C:\Windows\SysWOW64\Deoabj32.exeC:\Windows\system32\Deoabj32.exe77⤵PID:3768
-
C:\Windows\SysWOW64\Dafbhkhl.exeC:\Windows\system32\Dafbhkhl.exe78⤵PID:4416
-
C:\Windows\SysWOW64\Eojcao32.exeC:\Windows\system32\Eojcao32.exe79⤵
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Eolpfo32.exeC:\Windows\system32\Eolpfo32.exe80⤵PID:4700
-
C:\Windows\SysWOW64\Ecjhmm32.exeC:\Windows\system32\Ecjhmm32.exe81⤵PID:1028
-
C:\Windows\SysWOW64\Fkopgn32.exeC:\Windows\system32\Fkopgn32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:448 -
C:\Windows\SysWOW64\Gfkjef32.exeC:\Windows\system32\Gfkjef32.exe83⤵PID:1556
-
C:\Windows\SysWOW64\Hbpgle32.exeC:\Windows\system32\Hbpgle32.exe84⤵
- Drops file in System32 directory
PID:1896 -
C:\Windows\SysWOW64\Ibgmldnd.exeC:\Windows\system32\Ibgmldnd.exe85⤵PID:2432
-
C:\Windows\SysWOW64\Jpijgf32.exeC:\Windows\system32\Jpijgf32.exe86⤵PID:3864
-
C:\Windows\SysWOW64\Jfcbcp32.exeC:\Windows\system32\Jfcbcp32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2924 -
C:\Windows\SysWOW64\Kfhkop32.exeC:\Windows\system32\Kfhkop32.exe88⤵PID:2724
-
C:\Windows\SysWOW64\Kikafjoc.exeC:\Windows\system32\Kikafjoc.exe89⤵PID:4340
-
C:\Windows\SysWOW64\Kdqecc32.exeC:\Windows\system32\Kdqecc32.exe90⤵PID:3200
-
C:\Windows\SysWOW64\Kpgfhddn.exeC:\Windows\system32\Kpgfhddn.exe91⤵PID:1428
-
C:\Windows\SysWOW64\Kedoqkbe.exeC:\Windows\system32\Kedoqkbe.exe92⤵PID:2092
-
C:\Windows\SysWOW64\Llemnd32.exeC:\Windows\system32\Llemnd32.exe93⤵PID:4064
-
C:\Windows\SysWOW64\Lgkakm32.exeC:\Windows\system32\Lgkakm32.exe94⤵PID:4900
-
C:\Windows\SysWOW64\Mljficpd.exeC:\Windows\system32\Mljficpd.exe95⤵PID:4736
-
C:\Windows\SysWOW64\Mgokflpj.exeC:\Windows\system32\Mgokflpj.exe96⤵PID:3748
-
C:\Windows\SysWOW64\Mlnpdc32.exeC:\Windows\system32\Mlnpdc32.exe97⤵PID:3440
-
C:\Windows\SysWOW64\Mchhamcl.exeC:\Windows\system32\Mchhamcl.exe98⤵PID:4520
-
C:\Windows\SysWOW64\Nenjng32.exeC:\Windows\system32\Nenjng32.exe99⤵PID:5092
-
C:\Windows\SysWOW64\Nloikqnl.exeC:\Windows\system32\Nloikqnl.exe100⤵PID:3576
-
C:\Windows\SysWOW64\Ojcidelf.exeC:\Windows\system32\Ojcidelf.exe101⤵PID:224
-
C:\Windows\SysWOW64\Ocknmjcf.exeC:\Windows\system32\Ocknmjcf.exe102⤵
- Drops file in System32 directory
PID:4292 -
C:\Windows\SysWOW64\Ocbdni32.exeC:\Windows\system32\Ocbdni32.exe103⤵
- Modifies registry class
PID:3596 -
C:\Windows\SysWOW64\Ojllkcdk.exeC:\Windows\system32\Ojllkcdk.exe104⤵PID:2132
-
C:\Windows\SysWOW64\Pmmelo32.exeC:\Windows\system32\Pmmelo32.exe105⤵PID:5036
-
C:\Windows\SysWOW64\Pmfhbm32.exeC:\Windows\system32\Pmfhbm32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4228 -
C:\Windows\SysWOW64\Afhoaahg.exeC:\Windows\system32\Afhoaahg.exe107⤵
- Modifies registry class
PID:3388 -
C:\Windows\SysWOW64\Ceckleii.exeC:\Windows\system32\Ceckleii.exe108⤵PID:5160
-
C:\Windows\SysWOW64\Dffdjmme.exeC:\Windows\system32\Dffdjmme.exe109⤵PID:5200
-
C:\Windows\SysWOW64\Dhfacp32.exeC:\Windows\system32\Dhfacp32.exe110⤵
- Modifies registry class
PID:5244 -
C:\Windows\SysWOW64\Dmcilgco.exeC:\Windows\system32\Dmcilgco.exe111⤵PID:5284
-
C:\Windows\SysWOW64\Dhhnipbe.exeC:\Windows\system32\Dhhnipbe.exe112⤵PID:5332
-
C:\Windows\SysWOW64\Daqbbe32.exeC:\Windows\system32\Daqbbe32.exe113⤵PID:5380
-
C:\Windows\SysWOW64\Ehdmenhh.exeC:\Windows\system32\Ehdmenhh.exe114⤵PID:5440
-
C:\Windows\SysWOW64\Eehnnb32.exeC:\Windows\system32\Eehnnb32.exe115⤵PID:5540
-
C:\Windows\SysWOW64\Egkgljkm.exeC:\Windows\system32\Egkgljkm.exe116⤵PID:5576
-
C:\Windows\SysWOW64\Fdpgen32.exeC:\Windows\system32\Fdpgen32.exe117⤵PID:5620
-
C:\Windows\SysWOW64\Fgncaj32.exeC:\Windows\system32\Fgncaj32.exe118⤵
- Drops file in System32 directory
PID:5660 -
C:\Windows\SysWOW64\Fachob32.exeC:\Windows\system32\Fachob32.exe119⤵
- Drops file in System32 directory
PID:5704 -
C:\Windows\SysWOW64\Fdbdkn32.exeC:\Windows\system32\Fdbdkn32.exe120⤵PID:5768
-
C:\Windows\SysWOW64\Gekckpgl.exeC:\Windows\system32\Gekckpgl.exe121⤵PID:5828
-
C:\Windows\SysWOW64\Gnfhob32.exeC:\Windows\system32\Gnfhob32.exe122⤵PID:5876