Analysis
-
max time kernel
116s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
01/11/2023, 14:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.d290d04a256cf459a4b550d5ad313eb0.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.d290d04a256cf459a4b550d5ad313eb0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.d290d04a256cf459a4b550d5ad313eb0.exe
-
Size
60KB
-
MD5
d290d04a256cf459a4b550d5ad313eb0
-
SHA1
9c9bdc5e8ac189e1c686348c020dba0d36f70b9f
-
SHA256
22bcb92ba962f09020e47f13b70aa09489a7367131b413482a6f96bd7555daee
-
SHA512
88c887e4298d5154d680413c79857ad9e55883fbb85717c23ef8545b0dcd80cc064dac1c0cf5f2c30a50268c791bc8bde11b0e4102e84f845fc0c4e98d939345
-
SSDEEP
1536:DI1+xwJ6N6I9dt5KlIn89r7770dqk9nBMB86l1r:sw2k6gk772nBMB86l1r
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecmebm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpoepa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkglcfec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biadoeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfeoijbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poelfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liekgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnoefg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fojenfeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajohfcpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkgeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpnncl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdabmcdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fafddb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejklfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpnde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhofnpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hladlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoglbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeopnmoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iempingp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edfdop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaqapggb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckladcoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klimbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbbdip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocdqcikl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfaikoad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keakqeal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ophbja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiclodaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfoihalp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnbeie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnaolm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lajfbmmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfnpacjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpjfgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaceghcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ignnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmjinjnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehgqed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efhjjcpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cggpfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cggpfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoenbkll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aclpkffa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmbbaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efdjqeni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpkbmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjlilndf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnikmjdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnoefg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfgfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpmifkgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbmaog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkjfloeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcjimnjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmhnea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fofigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpmlhoil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmfjodgc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkjbgooi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jncapf32.exe -
Executes dropped EXE 64 IoCs
pid Process 2836 Mjlalkmd.exe 4664 Ojemig32.exe 3760 Ajohfcpj.exe 928 Bkmeha32.exe 5052 Ccblbb32.exe 3972 Dphiaffa.exe 4636 Dpjfgf32.exe 3452 Ddhomdje.exe 1312 Dkedonpo.exe 3832 Eaceghcg.exe 4652 Fncibg32.exe 3588 Fklcgk32.exe 4772 Gkoplk32.exe 3900 Hqdkkp32.exe 3460 Hbfdjc32.exe 3608 Hjdedepg.exe 3356 Indkpcdk.exe 3776 Iaedanal.exe 3568 Jlanpfkj.exe 4392 Kajfdk32.exe 1212 Kblpcndd.exe 4692 Ldbefe32.exe 1360 Llngbabj.exe 2348 Mekdffee.exe 640 Medglemj.exe 3576 Ncmaai32.exe 2556 Odgqopeb.exe 2116 Podkmgop.exe 3792 Poidhg32.exe 4264 Qfgfpp32.exe 1260 Apgqie32.exe 2168 Alpnde32.exe 468 Bfhofnpp.exe 5028 Bldgoeog.exe 3940 Cmmgof32.exe 4268 Clbdpc32.exe 212 Cepadh32.exe 2352 Clijablo.exe 4880 Dpgbgpbe.exe 2892 Didqkeeq.exe 3272 Edoncm32.exe 2336 Fjgfgbek.exe 1744 Fpfholhc.exe 1504 Ggicbe32.exe 1180 Hjjldpdf.exe 472 Hfcinq32.exe 3144 Hdffah32.exe 376 Icnphd32.exe 1808 Janpnfee.exe 2796 Jnapgjdo.exe 3380 Jcaeea32.exe 2156 Khakqo32.exe 3008 Kmbmdeoj.exe 2232 Lmgfod32.exe 1812 Ldckan32.exe 3816 Loiong32.exe 4356 Lhdqml32.exe 3724 Mobbdf32.exe 1032 Mdagbl32.exe 4600 Nnabladg.exe 836 Nncoaq32.exe 1476 Oeopnmoa.exe 1456 Odgjdibf.exe 4824 Oeffnl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Onoknb32.dll Fkjfloeo.exe File opened for modification C:\Windows\SysWOW64\Mllcocna.exe Mpebjb32.exe File created C:\Windows\SysWOW64\Bkmeha32.exe Ajohfcpj.exe File opened for modification C:\Windows\SysWOW64\Bknidbhi.exe Aljmal32.exe File opened for modification C:\Windows\SysWOW64\Lffhpnhe.exe Kdcbic32.exe File created C:\Windows\SysWOW64\Bknidbhi.exe Aljmal32.exe File opened for modification C:\Windows\SysWOW64\Ifmcmg32.exe Ibojgikg.exe File created C:\Windows\SysWOW64\Glbapoqh.exe Gbjlgj32.exe File created C:\Windows\SysWOW64\Oammna32.dll Iidiidgj.exe File created C:\Windows\SysWOW64\Liekgo32.exe Lckbje32.exe File created C:\Windows\SysWOW64\Ldodop32.dll Hgjldfqj.exe File opened for modification C:\Windows\SysWOW64\Oecnmi32.exe Opfedb32.exe File created C:\Windows\SysWOW64\Odbblp32.dll Kflnpild.exe File created C:\Windows\SysWOW64\Jcaeea32.exe Jnapgjdo.exe File opened for modification C:\Windows\SysWOW64\Odnfonag.exe Njfafhjf.exe File opened for modification C:\Windows\SysWOW64\Mpnngh32.exe Ljoiibbm.exe File created C:\Windows\SysWOW64\Ncmoej32.dll Lmhnea32.exe File created C:\Windows\SysWOW64\Bdifbc32.dll Cibagpgg.exe File opened for modification C:\Windows\SysWOW64\Kicdke32.exe Jpkpbpko.exe File opened for modification C:\Windows\SysWOW64\Hqdkkp32.exe Gkoplk32.exe File created C:\Windows\SysWOW64\Eimlgnij.exe Efhjjcpo.exe File created C:\Windows\SysWOW64\Enjlboph.dll Ccajdmin.exe File created C:\Windows\SysWOW64\Ipfqak32.dll Mfgiof32.exe File created C:\Windows\SysWOW64\Fifdqhal.exe Fblldn32.exe File created C:\Windows\SysWOW64\Dgmfnkfn.dll Hbfdjc32.exe File opened for modification C:\Windows\SysWOW64\Ldiiio32.exe Kdfmcobk.exe File created C:\Windows\SysWOW64\Cdnchk32.dll Hfeoijbi.exe File created C:\Windows\SysWOW64\Fbbjeame.dll Clldhljp.exe File created C:\Windows\SysWOW64\Cndidlfb.exe Celelf32.exe File created C:\Windows\SysWOW64\Jnmbjnlm.exe Ilglgfjd.exe File opened for modification C:\Windows\SysWOW64\Bbemdb32.exe Bhohfj32.exe File created C:\Windows\SysWOW64\Lgnpeenp.dll Moobkh32.exe File created C:\Windows\SysWOW64\Lamgof32.dll Kajfdk32.exe File created C:\Windows\SysWOW64\Pjqgggni.dll Djgbmffn.exe File created C:\Windows\SysWOW64\Mpebjb32.exe Lpqioclc.exe File created C:\Windows\SysWOW64\Mkhelp32.dll Kifcnjpi.exe File created C:\Windows\SysWOW64\Mbjdnm32.dll Mchhamcl.exe File created C:\Windows\SysWOW64\Abgmacde.dll Mplhjabe.exe File created C:\Windows\SysWOW64\Aclpkffa.exe Ambgnl32.exe File created C:\Windows\SysWOW64\Ggicbe32.exe Fpfholhc.exe File opened for modification C:\Windows\SysWOW64\Biljib32.exe Bpomem32.exe File created C:\Windows\SysWOW64\Fndinf32.dll Amibqhed.exe File created C:\Windows\SysWOW64\Cgpcklpd.exe Cljomc32.exe File created C:\Windows\SysWOW64\Fhhaqgln.dll Jnapgjdo.exe File opened for modification C:\Windows\SysWOW64\Ljoiibbm.exe Lmfodn32.exe File opened for modification C:\Windows\SysWOW64\Mgidgakk.exe Mnlfclip.exe File created C:\Windows\SysWOW64\Pnoefg32.exe Pnmhqh32.exe File created C:\Windows\SysWOW64\Nmedfcdd.dll Bjbnndgl.exe File created C:\Windows\SysWOW64\Klimbf32.exe Kdnincal.exe File created C:\Windows\SysWOW64\Fachob32.exe Fneohd32.exe File created C:\Windows\SysWOW64\Lilphejh.dll Didqkeeq.exe File created C:\Windows\SysWOW64\Ngjdppnh.dll Aljmal32.exe File created C:\Windows\SysWOW64\Njfafhjf.exe Nbjpjl32.exe File created C:\Windows\SysWOW64\Jkfncejn.dll Ppmleagi.exe File opened for modification C:\Windows\SysWOW64\Hligqnjp.exe Hcabhido.exe File opened for modification C:\Windows\SysWOW64\Mfhpilbc.exe Lmmokgne.exe File created C:\Windows\SysWOW64\Ekhjgoga.exe Ecmebm32.exe File opened for modification C:\Windows\SysWOW64\Aedfdjdl.exe Qcbmegol.exe File opened for modification C:\Windows\SysWOW64\Jqofippg.exe Jfjakgpa.exe File opened for modification C:\Windows\SysWOW64\Qepccqlm.exe Qnfkgfdp.exe File created C:\Windows\SysWOW64\Jllimj32.dll Bjdkcd32.exe File created C:\Windows\SysWOW64\Foakpc32.exe Eimlgnij.exe File opened for modification C:\Windows\SysWOW64\Ijjnpg32.exe Icpecm32.exe File opened for modification C:\Windows\SysWOW64\Bmkjdj32.exe Bnfmcn32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebeaf32.dll" Poidhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aljmal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkflmfi.dll" Fdbked32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccajdmin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hligqnjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijgjpaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ippgqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmfaf32.dll" Jjhjae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmqpie32.dll" Njfafhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqdbbelf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifmcmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkglcfec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haeadi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfjmajbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjhaf32.dll" Nqdeefpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dacnkkem.dll" Jopiom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoilfidj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Indkpcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpbldapg.dll" Kplijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmmokgne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqbgcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpooc32.dll" Qnfkgfdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elncjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hheoci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbgkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlnjek32.dll" Hbkgfode.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmmgof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbelak32.dll" Cepadh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpedckdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kipalpoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geceqfal.dll" Hjjldpdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Accnco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfonfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akdfndpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnaolm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkgeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edngdafi.dll" Gcojoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldodop32.dll" Hgjldfqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbcaemdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiefmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmppmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpbfbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ackiqpce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhaqgln.dll" Jnapgjdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gibpcnbo.dll" Akmjdpac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfjgbapo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkfkod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdllhdco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onhhkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ambgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkjpklj.dll" Mfhpilbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aghdco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggappk32.dll" Ajcdhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mankaked.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaqjia32.dll" Kaaaak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbjmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aobieq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbmnh32.dll" Emkeho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oianmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcphj32.dll" Bedpjdoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifglb32.dll" Eimlgnij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnmbjnlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hejono32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpjod32.dll" Kcfiof32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1436 wrote to memory of 2836 1436 NEAS.d290d04a256cf459a4b550d5ad313eb0.exe 91 PID 1436 wrote to memory of 2836 1436 NEAS.d290d04a256cf459a4b550d5ad313eb0.exe 91 PID 1436 wrote to memory of 2836 1436 NEAS.d290d04a256cf459a4b550d5ad313eb0.exe 91 PID 2836 wrote to memory of 4664 2836 Mjlalkmd.exe 92 PID 2836 wrote to memory of 4664 2836 Mjlalkmd.exe 92 PID 2836 wrote to memory of 4664 2836 Mjlalkmd.exe 92 PID 4664 wrote to memory of 3760 4664 Ojemig32.exe 93 PID 4664 wrote to memory of 3760 4664 Ojemig32.exe 93 PID 4664 wrote to memory of 3760 4664 Ojemig32.exe 93 PID 3760 wrote to memory of 928 3760 Ajohfcpj.exe 94 PID 3760 wrote to memory of 928 3760 Ajohfcpj.exe 94 PID 3760 wrote to memory of 928 3760 Ajohfcpj.exe 94 PID 928 wrote to memory of 5052 928 Bkmeha32.exe 95 PID 928 wrote to memory of 5052 928 Bkmeha32.exe 95 PID 928 wrote to memory of 5052 928 Bkmeha32.exe 95 PID 5052 wrote to memory of 3972 5052 Ccblbb32.exe 96 PID 5052 wrote to memory of 3972 5052 Ccblbb32.exe 96 PID 5052 wrote to memory of 3972 5052 Ccblbb32.exe 96 PID 3972 wrote to memory of 4636 3972 Dphiaffa.exe 97 PID 3972 wrote to memory of 4636 3972 Dphiaffa.exe 97 PID 3972 wrote to memory of 4636 3972 Dphiaffa.exe 97 PID 4636 wrote to memory of 3452 4636 Dpjfgf32.exe 98 PID 4636 wrote to memory of 3452 4636 Dpjfgf32.exe 98 PID 4636 wrote to memory of 3452 4636 Dpjfgf32.exe 98 PID 3452 wrote to memory of 1312 3452 Ddhomdje.exe 99 PID 3452 wrote to memory of 1312 3452 Ddhomdje.exe 99 PID 3452 wrote to memory of 1312 3452 Ddhomdje.exe 99 PID 1312 wrote to memory of 3832 1312 Dkedonpo.exe 100 PID 1312 wrote to memory of 3832 1312 Dkedonpo.exe 100 PID 1312 wrote to memory of 3832 1312 Dkedonpo.exe 100 PID 3832 wrote to memory of 4652 3832 Eaceghcg.exe 101 PID 3832 wrote to memory of 4652 3832 Eaceghcg.exe 101 PID 3832 wrote to memory of 4652 3832 Eaceghcg.exe 101 PID 4652 wrote to memory of 3588 4652 Fncibg32.exe 102 PID 4652 wrote to memory of 3588 4652 Fncibg32.exe 102 PID 4652 wrote to memory of 3588 4652 Fncibg32.exe 102 PID 3588 wrote to memory of 4772 3588 Fklcgk32.exe 103 PID 3588 wrote to memory of 4772 3588 Fklcgk32.exe 103 PID 3588 wrote to memory of 4772 3588 Fklcgk32.exe 103 PID 4772 wrote to memory of 3900 4772 Gkoplk32.exe 104 PID 4772 wrote to memory of 3900 4772 Gkoplk32.exe 104 PID 4772 wrote to memory of 3900 4772 Gkoplk32.exe 104 PID 3900 wrote to memory of 3460 3900 Hqdkkp32.exe 105 PID 3900 wrote to memory of 3460 3900 Hqdkkp32.exe 105 PID 3900 wrote to memory of 3460 3900 Hqdkkp32.exe 105 PID 3460 wrote to memory of 3608 3460 Hbfdjc32.exe 106 PID 3460 wrote to memory of 3608 3460 Hbfdjc32.exe 106 PID 3460 wrote to memory of 3608 3460 Hbfdjc32.exe 106 PID 3608 wrote to memory of 3356 3608 Hjdedepg.exe 107 PID 3608 wrote to memory of 3356 3608 Hjdedepg.exe 107 PID 3608 wrote to memory of 3356 3608 Hjdedepg.exe 107 PID 3356 wrote to memory of 3776 3356 Indkpcdk.exe 108 PID 3356 wrote to memory of 3776 3356 Indkpcdk.exe 108 PID 3356 wrote to memory of 3776 3356 Indkpcdk.exe 108 PID 3776 wrote to memory of 3568 3776 Iaedanal.exe 109 PID 3776 wrote to memory of 3568 3776 Iaedanal.exe 109 PID 3776 wrote to memory of 3568 3776 Iaedanal.exe 109 PID 3568 wrote to memory of 4392 3568 Jlanpfkj.exe 110 PID 3568 wrote to memory of 4392 3568 Jlanpfkj.exe 110 PID 3568 wrote to memory of 4392 3568 Jlanpfkj.exe 110 PID 4392 wrote to memory of 1212 4392 Kajfdk32.exe 111 PID 4392 wrote to memory of 1212 4392 Kajfdk32.exe 111 PID 4392 wrote to memory of 1212 4392 Kajfdk32.exe 111 PID 1212 wrote to memory of 4692 1212 Kblpcndd.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.d290d04a256cf459a4b550d5ad313eb0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.d290d04a256cf459a4b550d5ad313eb0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Mjlalkmd.exeC:\Windows\system32\Mjlalkmd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Ojemig32.exeC:\Windows\system32\Ojemig32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\Ajohfcpj.exeC:\Windows\system32\Ajohfcpj.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Windows\SysWOW64\Bkmeha32.exeC:\Windows\system32\Bkmeha32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Ccblbb32.exeC:\Windows\system32\Ccblbb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Dphiaffa.exeC:\Windows\system32\Dphiaffa.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Dpjfgf32.exeC:\Windows\system32\Dpjfgf32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\Ddhomdje.exeC:\Windows\system32\Ddhomdje.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Dkedonpo.exeC:\Windows\system32\Dkedonpo.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Eaceghcg.exeC:\Windows\system32\Eaceghcg.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\SysWOW64\Fncibg32.exeC:\Windows\system32\Fncibg32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\Fklcgk32.exeC:\Windows\system32\Fklcgk32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\Gkoplk32.exeC:\Windows\system32\Gkoplk32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Hqdkkp32.exeC:\Windows\system32\Hqdkkp32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Windows\SysWOW64\Hbfdjc32.exeC:\Windows\system32\Hbfdjc32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\SysWOW64\Hjdedepg.exeC:\Windows\system32\Hjdedepg.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\Indkpcdk.exeC:\Windows\system32\Indkpcdk.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Iaedanal.exeC:\Windows\system32\Iaedanal.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Windows\SysWOW64\Jlanpfkj.exeC:\Windows\system32\Jlanpfkj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\SysWOW64\Kajfdk32.exeC:\Windows\system32\Kajfdk32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Windows\SysWOW64\Kblpcndd.exeC:\Windows\system32\Kblpcndd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Ldbefe32.exeC:\Windows\system32\Ldbefe32.exe23⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Llngbabj.exeC:\Windows\system32\Llngbabj.exe24⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Mekdffee.exeC:\Windows\system32\Mekdffee.exe25⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Medglemj.exeC:\Windows\system32\Medglemj.exe26⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Ncmaai32.exeC:\Windows\system32\Ncmaai32.exe27⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Odgqopeb.exeC:\Windows\system32\Odgqopeb.exe28⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Podkmgop.exeC:\Windows\system32\Podkmgop.exe29⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Poidhg32.exeC:\Windows\system32\Poidhg32.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:3792 -
C:\Windows\SysWOW64\Qfgfpp32.exeC:\Windows\system32\Qfgfpp32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Apgqie32.exeC:\Windows\system32\Apgqie32.exe32⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Alpnde32.exeC:\Windows\system32\Alpnde32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Bfhofnpp.exeC:\Windows\system32\Bfhofnpp.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Bldgoeog.exeC:\Windows\system32\Bldgoeog.exe35⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Cmmgof32.exeC:\Windows\system32\Cmmgof32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:3940 -
C:\Windows\SysWOW64\Clbdpc32.exeC:\Windows\system32\Clbdpc32.exe37⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Cepadh32.exeC:\Windows\system32\Cepadh32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:212 -
C:\Windows\SysWOW64\Clijablo.exeC:\Windows\system32\Clijablo.exe39⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Dpgbgpbe.exeC:\Windows\system32\Dpgbgpbe.exe40⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Didqkeeq.exeC:\Windows\system32\Didqkeeq.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Edoncm32.exeC:\Windows\system32\Edoncm32.exe42⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Fjgfgbek.exeC:\Windows\system32\Fjgfgbek.exe43⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Fpfholhc.exeC:\Windows\system32\Fpfholhc.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Ggicbe32.exeC:\Windows\system32\Ggicbe32.exe45⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Hjjldpdf.exeC:\Windows\system32\Hjjldpdf.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1180 -
C:\Windows\SysWOW64\Hfcinq32.exeC:\Windows\system32\Hfcinq32.exe47⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Hdffah32.exeC:\Windows\system32\Hdffah32.exe48⤵
- Executes dropped EXE
PID:3144 -
C:\Windows\SysWOW64\Icnphd32.exeC:\Windows\system32\Icnphd32.exe49⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Janpnfee.exeC:\Windows\system32\Janpnfee.exe50⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Jnapgjdo.exeC:\Windows\system32\Jnapgjdo.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Jcaeea32.exeC:\Windows\system32\Jcaeea32.exe52⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Khakqo32.exeC:\Windows\system32\Khakqo32.exe53⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Kmbmdeoj.exeC:\Windows\system32\Kmbmdeoj.exe54⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Lmgfod32.exeC:\Windows\system32\Lmgfod32.exe55⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Ldckan32.exeC:\Windows\system32\Ldckan32.exe56⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Loiong32.exeC:\Windows\system32\Loiong32.exe57⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Lhdqml32.exeC:\Windows\system32\Lhdqml32.exe58⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Mobbdf32.exeC:\Windows\system32\Mobbdf32.exe59⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Mdagbl32.exeC:\Windows\system32\Mdagbl32.exe60⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Nnabladg.exeC:\Windows\system32\Nnabladg.exe61⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Nncoaq32.exeC:\Windows\system32\Nncoaq32.exe62⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Oeopnmoa.exeC:\Windows\system32\Oeopnmoa.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Odgjdibf.exeC:\Windows\system32\Odgjdibf.exe64⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Oeffnl32.exeC:\Windows\system32\Oeffnl32.exe65⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Odkcpi32.exeC:\Windows\system32\Odkcpi32.exe66⤵PID:1448
-
C:\Windows\SysWOW64\Pdgckg32.exeC:\Windows\system32\Pdgckg32.exe67⤵PID:3392
-
C:\Windows\SysWOW64\Adnilfnl.exeC:\Windows\system32\Adnilfnl.exe68⤵PID:4900
-
C:\Windows\SysWOW64\Akmjdpac.exeC:\Windows\system32\Akmjdpac.exe69⤵
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Bejhhd32.exeC:\Windows\system32\Bejhhd32.exe70⤵PID:4332
-
C:\Windows\SysWOW64\Bpomem32.exeC:\Windows\system32\Bpomem32.exe71⤵
- Drops file in System32 directory
PID:1220 -
C:\Windows\SysWOW64\Biljib32.exeC:\Windows\system32\Biljib32.exe72⤵PID:4340
-
C:\Windows\SysWOW64\Cpmifkgd.exeC:\Windows\system32\Cpmifkgd.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3228 -
C:\Windows\SysWOW64\Cifmoa32.exeC:\Windows\system32\Cifmoa32.exe74⤵PID:5148
-
C:\Windows\SysWOW64\Donecfao.exeC:\Windows\system32\Donecfao.exe75⤵PID:5216
-
C:\Windows\SysWOW64\Efhjjcpo.exeC:\Windows\system32\Efhjjcpo.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5284 -
C:\Windows\SysWOW64\Eimlgnij.exeC:\Windows\system32\Eimlgnij.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:5328 -
C:\Windows\SysWOW64\Foakpc32.exeC:\Windows\system32\Foakpc32.exe78⤵PID:5372
-
C:\Windows\SysWOW64\Fempbm32.exeC:\Windows\system32\Fempbm32.exe79⤵PID:5420
-
C:\Windows\SysWOW64\Ggoiap32.exeC:\Windows\system32\Ggoiap32.exe80⤵PID:5564
-
C:\Windows\SysWOW64\Hohjgpmo.exeC:\Windows\system32\Hohjgpmo.exe81⤵PID:5612
-
C:\Windows\SysWOW64\Hllkqdli.exeC:\Windows\system32\Hllkqdli.exe82⤵PID:5652
-
C:\Windows\SysWOW64\Hfeoijbi.exeC:\Windows\system32\Hfeoijbi.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5704 -
C:\Windows\SysWOW64\Hgdlcm32.exeC:\Windows\system32\Hgdlcm32.exe84⤵PID:5744
-
C:\Windows\SysWOW64\Hladlc32.exeC:\Windows\system32\Hladlc32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5784 -
C:\Windows\SysWOW64\Icpecm32.exeC:\Windows\system32\Icpecm32.exe86⤵
- Drops file in System32 directory
PID:5824 -
C:\Windows\SysWOW64\Ijjnpg32.exeC:\Windows\system32\Ijjnpg32.exe87⤵PID:5868
-
C:\Windows\SysWOW64\Ignnjk32.exeC:\Windows\system32\Ignnjk32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5916 -
C:\Windows\SysWOW64\Jmmcgbnf.exeC:\Windows\system32\Jmmcgbnf.exe89⤵PID:5964
-
C:\Windows\SysWOW64\Jonlimkg.exeC:\Windows\system32\Jonlimkg.exe90⤵PID:6004
-
C:\Windows\SysWOW64\Jifabb32.exeC:\Windows\system32\Jifabb32.exe91⤵PID:6044
-
C:\Windows\SysWOW64\Jopiom32.exeC:\Windows\system32\Jopiom32.exe92⤵
- Modifies registry class
PID:6084 -
C:\Windows\SysWOW64\Jfjakgpa.exeC:\Windows\system32\Jfjakgpa.exe93⤵
- Drops file in System32 directory
PID:6120 -
C:\Windows\SysWOW64\Jqofippg.exeC:\Windows\system32\Jqofippg.exe94⤵PID:5192
-
C:\Windows\SysWOW64\Jjhjae32.exeC:\Windows\system32\Jjhjae32.exe95⤵
- Modifies registry class
PID:5248 -
C:\Windows\SysWOW64\Jjjggede.exeC:\Windows\system32\Jjjggede.exe96⤵PID:5304
-
C:\Windows\SysWOW64\Kpilekqj.exeC:\Windows\system32\Kpilekqj.exe97⤵PID:5428
-
C:\Windows\SysWOW64\Kplijk32.exeC:\Windows\system32\Kplijk32.exe98⤵
- Modifies registry class
PID:5504 -
C:\Windows\SysWOW64\Kgemahmg.exeC:\Windows\system32\Kgemahmg.exe99⤵PID:5544
-
C:\Windows\SysWOW64\Kanbjn32.exeC:\Windows\system32\Kanbjn32.exe100⤵PID:5576
-
C:\Windows\SysWOW64\Lmfodn32.exeC:\Windows\system32\Lmfodn32.exe101⤵
- Drops file in System32 directory
PID:5644 -
C:\Windows\SysWOW64\Ljoiibbm.exeC:\Windows\system32\Ljoiibbm.exe102⤵
- Drops file in System32 directory
PID:5712 -
C:\Windows\SysWOW64\Mpnngh32.exeC:\Windows\system32\Mpnngh32.exe103⤵PID:5780
-
C:\Windows\SysWOW64\Mankaked.exeC:\Windows\system32\Mankaked.exe104⤵
- Modifies registry class
PID:5816 -
C:\Windows\SysWOW64\Miipencp.exeC:\Windows\system32\Miipencp.exe105⤵PID:5924
-
C:\Windows\SysWOW64\Mpchbhjl.exeC:\Windows\system32\Mpchbhjl.exe106⤵PID:6000
-
C:\Windows\SysWOW64\Mjiloqjb.exeC:\Windows\system32\Mjiloqjb.exe107⤵PID:5204
-
C:\Windows\SysWOW64\Ogmiepcf.exeC:\Windows\system32\Ogmiepcf.exe108⤵PID:5380
-
C:\Windows\SysWOW64\Onngci32.exeC:\Windows\system32\Onngci32.exe109⤵PID:5536
-
C:\Windows\SysWOW64\Pahpee32.exeC:\Windows\system32\Pahpee32.exe110⤵PID:5632
-
C:\Windows\SysWOW64\Ahkkhnpg.exeC:\Windows\system32\Ahkkhnpg.exe111⤵PID:5756
-
C:\Windows\SysWOW64\Bkcjjhgp.exeC:\Windows\system32\Bkcjjhgp.exe112⤵PID:5904
-
C:\Windows\SysWOW64\Ckmmpg32.exeC:\Windows\system32\Ckmmpg32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6068 -
C:\Windows\SysWOW64\Cqiehnml.exeC:\Windows\system32\Cqiehnml.exe114⤵PID:6036
-
C:\Windows\SysWOW64\Cbiabq32.exeC:\Windows\system32\Cbiabq32.exe115⤵PID:2564
-
C:\Windows\SysWOW64\Capkim32.exeC:\Windows\system32\Capkim32.exe116⤵PID:5444
-
C:\Windows\SysWOW64\Dbbdip32.exeC:\Windows\system32\Dbbdip32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4816 -
C:\Windows\SysWOW64\Djpfbahm.exeC:\Windows\system32\Djpfbahm.exe118⤵PID:5668
-
C:\Windows\SysWOW64\Dnnoip32.exeC:\Windows\system32\Dnnoip32.exe119⤵PID:5804
-
C:\Windows\SysWOW64\Eoindndf.exeC:\Windows\system32\Eoindndf.exe120⤵PID:6116
-
C:\Windows\SysWOW64\Falcli32.exeC:\Windows\system32\Falcli32.exe121⤵PID:5864
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-