Analysis
- max time kernel: 166s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/11/2023, 16:49
Static task: static1 (1 signatures)
Behavioral task: behavioral1
- Sample: NEAS.ce71c1d1e2eef2e830730d536236e000.exe
- Resource: win7-20231020-en
- 7 signatures, 150 seconds
Behavioral task: behavioral2
- Sample: NEAS.ce71c1d1e2eef2e830730d536236e000.exe
- Resource: win10v2004-20231023-en
- 5 signatures, 150 seconds
General
- Target: NEAS.ce71c1d1e2eef2e830730d536236e000.exe
- Size: 64KB
- MD5: ce71c1d1e2eef2e830730d536236e000
- SHA1: 0ae921c611ca25ed22d1e49a9e19eb86cab69af5
- SHA256: 79340a62431cecad9f04d3cde5da18b7d4229325765707769a09bc73ea5af0c7
- SHA512: 2a24f92e83f1bff2ed47e3d0a2df27924218fdad5ecfdc99a0c821fdf9f5cdfbe89fd55ab497ff5317f51ca6d672f538074b900bf04ab0c6fd47774ce8ef3559
- SSDEEP: 768:aelbEbwfOJ8Gk/tHusyUn8hmc5aTP4O5sBX+ARbfUQ2p/1H5/Xdnh0Usb0DWBi:dblPyUnKmcoTP4CkVf92L3rDWBi
- Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eaenkj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gkmlilej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mjjkkghp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lppbdmig.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npkmcj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbkjcgaj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fekcfcnd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcklac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbeece32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjjkkghp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hfdfanoa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hijmjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oacdgdle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lfaqliad.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpmdabfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hekgppma.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lgblhmag.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbpdkabl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cakghn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hiljpi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hkhblo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngfcnfol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mjgneg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddkbfp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbenio32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pclnon32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Diccal32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lgdinmod.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjhjkk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omgabj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aeigilml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aeigilml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ikhghi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cdmfebnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Obidljll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fdiohnek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Janpglkc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Icmigc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jfjaemfo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcnqid32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lokdgpqe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Akblpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pppoeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lmaafcml.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iaodek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lgqfmcge.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mboqnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Blqlgdhi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llpmhodc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnajjfjo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgcoigfe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lggeej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfoahd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdmfebnk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihpgda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Maiaoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pedlpgqe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bojogb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdkipb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcjonh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ffjdjmpf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nimioo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ibhlmgdj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ommjipel.exe
Executes dropped EXE (64 IoCs)

pid | Process
3920 | Hhckeeam.exe
2660 | Jqbbno32.exe
2200 | Kgemahmg.exe
1312 | Lmneemaq.exe
3276 | Mjkiephp.exe
3828 | Omgabj32.exe
2132 | Oahgnh32.exe
4648 | Ppdjpcng.exe
1004 | Adbkmo32.exe
1496 | Bhbahm32.exe
4272 | Bgjjoi32.exe
1808 | Ceeaim32.exe
1012 | Cnboma32.exe
3024 | Dndlba32.exe
3632 | Eieplhlf.exe
2316 | Eaenkj32.exe
3360 | Fjpoio32.exe
1952 | Fbnmkk32.exe
568 | Gbhpajlj.exe
4420 | Haafnf32.exe
2596 | Hommhi32.exe
4292 | Ikhghi32.exe
2092 | Kkofofbb.exe
260 | Komoed32.exe
4376 | Kkdoje32.exe
2160 | Lkkekdhe.exe
4608 | Mboqnm32.exe
396 | Odcojm32.exe
5088 | Pkigbfja.exe
5104 | Pphlpl32.exe
1556 | Apobakpn.exe
2816 | Anjikoip.exe
2480 | Cklffq32.exe
2252 | Ekeacmel.exe
2140 | Ecafgo32.exe
4224 | Gaccbaeq.exe
4392 | Hldgkiki.exe
2880 | Imabnofj.exe
5004 | Iejgelej.exe
1536 | Jkeloa32.exe
4932 | Kdpmmf32.exe
1228 | Knphfklg.exe
1980 | Kdipce32.exe
4480 | Mkadam32.exe
3912 | Npkmcj32.exe
3788 | Omfcmm32.exe
4952 | Pppoeg32.exe
1888 | Plimpg32.exe
932 | Peaahmcd.exe
2264 | Aeigilml.exe
1628 | Begcjjql.exe
2620 | Blqlgdhi.exe
4520 | Cgbppknb.exe
4448 | Ejennd32.exe
1104 | Hfhgfaha.exe
1764 | Ipjoee32.exe
1240 | Iaqapggb.exe
1736 | Jphkfc32.exe
2924 | Jpmdabfb.exe
892 | Jkbhok32.exe
1500 | Jhfihp32.exe
1944 | Lggeej32.exe
4540 | Mddidm32.exe
3156 | Mkcjlf32.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Gefqdfdn.dll | Ipjoee32.exe
File created | C:\Windows\SysWOW64\Bciddihj.dll | Hdicbkci.exe
File created | C:\Windows\SysWOW64\Lnjnjn32.exe | Lgqfmcge.exe
File opened for modification | C:\Windows\SysWOW64\Hepgedme.exe | Hkhblo32.exe
File created | C:\Windows\SysWOW64\Aekpqihf.dll | Lmncgh32.exe
File opened for modification | C:\Windows\SysWOW64\Bfkkhdlk.exe | Alcfoo32.exe
File created | C:\Windows\SysWOW64\Ldbgealc.dll | Dnbadlnj.exe
File opened for modification | C:\Windows\SysWOW64\Gpimflqb.exe | Fmjqjqao.exe
File opened for modification | C:\Windows\SysWOW64\Henjoe32.exe | Gkeffoig.exe
File created | C:\Windows\SysWOW64\Ehcfdc32.dll | Cgbppknb.exe
File opened for modification | C:\Windows\SysWOW64\Jkbhok32.exe | Jpmdabfb.exe
File opened for modification | C:\Windows\SysWOW64\Dhidcffq.exe | Aloekjod.exe
File opened for modification | C:\Windows\SysWOW64\Aljcip32.exe | Aepklffh.exe
File opened for modification | C:\Windows\SysWOW64\Feddpj32.exe | Dcjhhq32.exe
File opened for modification | C:\Windows\SysWOW64\Janpglkc.exe | Jjcgjbdf.exe
File opened for modification | C:\Windows\SysWOW64\Icpemc32.exe | Icmigc32.exe
File created | C:\Windows\SysWOW64\Omgabj32.exe | Mjkiephp.exe
File created | C:\Windows\SysWOW64\Ejennd32.exe | Cgbppknb.exe
File created | C:\Windows\SysWOW64\Lfmbjg32.dll | Hfhgfaha.exe
File created | C:\Windows\SysWOW64\Ndoihadd.dll | Ckphamkp.exe
File created | C:\Windows\SysWOW64\Eoqbbkej.exe | Dfcqhi32.exe
File created | C:\Windows\SysWOW64\Kmeikl32.dll | Fmapag32.exe
File created | C:\Windows\SysWOW64\Liiiei32.dll | Mcklac32.exe
File created | C:\Windows\SysWOW64\Lmbhqj32.exe | Lgephccp.exe
File created | C:\Windows\SysWOW64\Foocegea.exe | Fdiohnek.exe
File created | C:\Windows\SysWOW64\Lgblhmag.exe | Lokdgpqe.exe
File created | C:\Windows\SysWOW64\Kkofofbb.exe | Ikhghi32.exe
File opened for modification | C:\Windows\SysWOW64\Iomcqa32.exe | Iiqooh32.exe
File opened for modification | C:\Windows\SysWOW64\Fdamph32.exe | Fmgecn32.exe
File created | C:\Windows\SysWOW64\Jjfngi32.exe | Idieob32.exe
File created | C:\Windows\SysWOW64\Milinkgf.exe | Mijlhl32.exe
File created | C:\Windows\SysWOW64\Hpicnh32.dll | Milinkgf.exe
File created | C:\Windows\SysWOW64\Chbcphph.exe | Bojogb32.exe
File created | C:\Windows\SysWOW64\Kimnnbaj.dll | Nmdgbamf.exe
File created | C:\Windows\SysWOW64\Fekcfcnd.exe | Foakii32.exe
File created | C:\Windows\SysWOW64\Kkdoje32.exe | Komoed32.exe
File opened for modification | C:\Windows\SysWOW64\Ehaieh32.exe | Eagahnob.exe
File created | C:\Windows\SysWOW64\Lehiadfj.dll | Aomipkic.exe
File created | C:\Windows\SysWOW64\Bklfqd32.exe | Bdbndjld.exe
File created | C:\Windows\SysWOW64\Gdojmcqa.dll | Dnhgcgbi.exe
File created | C:\Windows\SysWOW64\Enhambbn.dll | Opjgcjlo.exe
File created | C:\Windows\SysWOW64\Blnhgn32.exe | Ahnclp32.exe
File created | C:\Windows\SysWOW64\Padjnado.dll | Hbnjfefo.exe
File created | C:\Windows\SysWOW64\Iciflfcd.exe | Hpfdkiac.exe
File created | C:\Windows\SysWOW64\Cjcohn32.dll | Dpjofefp.exe
File opened for modification | C:\Windows\SysWOW64\Ngfcnfol.exe | Nplkal32.exe
File created | C:\Windows\SysWOW64\Hicpqh32.exe | Hnnlcpcl.exe
File opened for modification | C:\Windows\SysWOW64\Kgemahmg.exe | Jqbbno32.exe
File created | C:\Windows\SysWOW64\Ngedbp32.exe | Nnjbdj32.exe
File opened for modification | C:\Windows\SysWOW64\Ihpgda32.exe | Iafogggl.exe
File created | C:\Windows\SysWOW64\Keonml32.dll | Ohiefdhd.exe
File opened for modification | C:\Windows\SysWOW64\Lmkbpk32.exe | Lkjehbaa.exe
File created | C:\Windows\SysWOW64\Gmolbbcj.dll | Cnahmo32.exe
File opened for modification | C:\Windows\SysWOW64\Hiomppkc.exe | Hbeece32.exe
File created | C:\Windows\SysWOW64\Aagkaj32.exe | Amibklml.exe
File created | C:\Windows\SysWOW64\Ffpfcf32.dll | Lmneemaq.exe
File opened for modification | C:\Windows\SysWOW64\Mecjbl32.exe | Milinkgf.exe
File opened for modification | C:\Windows\SysWOW64\Apmhbf32.exe | Agdcja32.exe
File created | C:\Windows\SysWOW64\Mfgoomid.dll | Oinbqpfe.exe
File created | C:\Windows\SysWOW64\Ehgkdjkq.dll | Hnehndbl.exe
File opened for modification | C:\Windows\SysWOW64\Eaenkj32.exe | Eieplhlf.exe
File created | C:\Windows\SysWOW64\Hcblakmh.dll | Hpfdkiac.exe
File created | C:\Windows\SysWOW64\Eagahnob.exe | Dpehikja.exe
File created | C:\Windows\SysWOW64\Jnhphg32.exe | Jqpfccgo.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aohpek32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lnmkpm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bhpfjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmpgi32.dll" | Hlipal32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pmpoemef.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jlfhdk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Opfedb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpfob32.dll" | Pnjeqbkb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Okolppdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Janpglkc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mefmbbod.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bqhlpbjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Efkfkilj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ameipl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcblakmh.dll" | Hpfdkiac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mflgff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjapoec.dll" | Mbpdkabl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ahenip32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Biogieke.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dfjgjf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dgcgbp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gepmab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnbig32.dll" | Jfjaemfo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aepklffh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmolbbcj.dll" | Cnahmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kccgocfc.dll" | Nkhdgfen.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dlckik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohgepflm.dll" | Hbiakf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hmfkin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqqnqo32.dll" | Pmgcidqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Anjikoip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodlkdco.dll" | Lggeej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oaajoj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfobmgk.dll" | Blecdn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lddgghfo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dqkmkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jcniighd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jbkjcgaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hbbdad32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Alcfoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knnpieak.dll" | Gaqhdmmm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocoonp32.dll" | Hecjej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcneiljl.dll" | Iaodek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jnapqpjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pkbhfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oahgnh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mjbopcip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnple32.dll" | Dpnbhl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oookbega.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oepipo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndfpjh32.dll" | Ffgegh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hekgppma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acibmado.dll" | Pffghc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fdiohnek.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hecjej32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gegcaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abmcod32.dll" | Ceeaim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gjnnoldm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pdhpihbe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ibhlmgdj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dcigneeg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hhnbdl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jphkfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfnnap32.dll" | Ihpgda32.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 2740 wrote to memory of 3920 | 2740 | NEAS.ce71c1d1e2eef2e830730d536236e000.exe | 89
PID 2740 wrote to memory of 3920 | 2740 | NEAS.ce71c1d1e2eef2e830730d536236e000.exe | 89
PID 2740 wrote to memory of 3920 | 2740 | NEAS.ce71c1d1e2eef2e830730d536236e000.exe | 89
PID 3920 wrote to memory of 2660 | 3920 | Hhckeeam.exe | 90
PID 3920 wrote to memory of 2660 | 3920 | Hhckeeam.exe | 90
PID 3920 wrote to memory of 2660 | 3920 | Hhckeeam.exe | 90
PID 2660 wrote to memory of 2200 | 2660 | Jqbbno32.exe | 92
PID 2660 wrote to memory of 2200 | 2660 | Jqbbno32.exe | 92
PID 2660 wrote to memory of 2200 | 2660 | Jqbbno32.exe | 92
PID 2200 wrote to memory of 1312 | 2200 | Kgemahmg.exe | 94
PID 2200 wrote to memory of 1312 | 2200 | Kgemahmg.exe | 94
PID 2200 wrote to memory of 1312 | 2200 | Kgemahmg.exe | 94
PID 1312 wrote to memory of 3276 | 1312 | Lmneemaq.exe | 95
PID 1312 wrote to memory of 3276 | 1312 | Lmneemaq.exe | 95
PID 1312 wrote to memory of 3276 | 1312 | Lmneemaq.exe | 95
PID 3276 wrote to memory of 3828 | 3276 | Mjkiephp.exe | 96
PID 3276 wrote to memory of 3828 | 3276 | Mjkiephp.exe | 96
PID 3276 wrote to memory of 3828 | 3276 | Mjkiephp.exe | 96
PID 3828 wrote to memory of 2132 | 3828 | Omgabj32.exe | 97
PID 3828 wrote to memory of 2132 | 3828 | Omgabj32.exe | 97
PID 3828 wrote to memory of 2132 | 3828 | Omgabj32.exe | 97
PID 2132 wrote to memory of 4648 | 2132 | Oahgnh32.exe | 98
PID 2132 wrote to memory of 4648 | 2132 | Oahgnh32.exe | 98
PID 2132 wrote to memory of 4648 | 2132 | Oahgnh32.exe | 98
PID 4648 wrote to memory of 1004 | 4648 | Ppdjpcng.exe | 99
PID 4648 wrote to memory of 1004 | 4648 | Ppdjpcng.exe | 99
PID 4648 wrote to memory of 1004 | 4648 | Ppdjpcng.exe | 99
PID 1004 wrote to memory of 1496 | 1004 | Adbkmo32.exe | 100
PID 1004 wrote to memory of 1496 | 1004 | Adbkmo32.exe | 100
PID 1004 wrote to memory of 1496 | 1004 | Adbkmo32.exe | 100
PID 1496 wrote to memory of 4272 | 1496 | Bhbahm32.exe | 101
PID 1496 wrote to memory of 4272 | 1496 | Bhbahm32.exe | 101
PID 1496 wrote to memory of 4272 | 1496 | Bhbahm32.exe | 101
PID 4272 wrote to memory of 1808 | 4272 | Bgjjoi32.exe | 102
PID 4272 wrote to memory of 1808 | 4272 | Bgjjoi32.exe | 102
PID 4272 wrote to memory of 1808 | 4272 | Bgjjoi32.exe | 102
PID 1808 wrote to memory of 1012 | 1808 | Ceeaim32.exe | 103
PID 1808 wrote to memory of 1012 | 1808 | Ceeaim32.exe | 103
PID 1808 wrote to memory of 1012 | 1808 | Ceeaim32.exe | 103
PID 1012 wrote to memory of 3024 | 1012 | Cnboma32.exe | 104
PID 1012 wrote to memory of 3024 | 1012 | Cnboma32.exe | 104
PID 1012 wrote to memory of 3024 | 1012 | Cnboma32.exe | 104
PID 3024 wrote to memory of 3632 | 3024 | Dndlba32.exe | 105
PID 3024 wrote to memory of 3632 | 3024 | Dndlba32.exe | 105
PID 3024 wrote to memory of 3632 | 3024 | Dndlba32.exe | 105
PID 3632 wrote to memory of 2316 | 3632 | Eieplhlf.exe | 106
PID 3632 wrote to memory of 2316 | 3632 | Eieplhlf.exe | 106
PID 3632 wrote to memory of 2316 | 3632 | Eieplhlf.exe | 106
PID 2316 wrote to memory of 3360 | 2316 | Eaenkj32.exe | 107
PID 2316 wrote to memory of 3360 | 2316 | Eaenkj32.exe | 107
PID 2316 wrote to memory of 3360 | 2316 | Eaenkj32.exe | 107
PID 3360 wrote to memory of 1952 | 3360 | Fjpoio32.exe | 108
PID 3360 wrote to memory of 1952 | 3360 | Fjpoio32.exe | 108
PID 3360 wrote to memory of 1952 | 3360 | Fjpoio32.exe | 108
PID 1952 wrote to memory of 568 | 1952 | Fbnmkk32.exe | 109
PID 1952 wrote to memory of 568 | 1952 | Fbnmkk32.exe | 109
PID 1952 wrote to memory of 568 | 1952 | Fbnmkk32.exe | 109
PID 568 wrote to memory of 4420 | 568 | Gbhpajlj.exe | 110
PID 568 wrote to memory of 4420 | 568 | Gbhpajlj.exe | 110
PID 568 wrote to memory of 4420 | 568 | Gbhpajlj.exe | 110
PID 4420 wrote to memory of 2596 | 4420 | Haafnf32.exe | 111
PID 4420 wrote to memory of 2596 | 4420 | Haafnf32.exe | 111
PID 4420 wrote to memory of 2596 | 4420 | Haafnf32.exe | 111
PID 2596 wrote to memory of 4292 | 2596 | Hommhi32.exe | 112
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\NEAS.ce71c1d1e2eef2e830730d536236e000.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.ce71c1d1e2eef2e830730d536236e000.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2740

Depth 2: C:\Windows\SysWOW64\Hhckeeam.exe
  Command line: C:\Windows\system32\Hhckeeam.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3920

Depth 3: C:\Windows\SysWOW64\Jqbbno32.exe
  Command line: C:\Windows\system32\Jqbbno32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2660

Depth 4: C:\Windows\SysWOW64\Kgemahmg.exe
  Command line: C:\Windows\system32\Kgemahmg.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2200

Depth 5: C:\Windows\SysWOW64\Lmneemaq.exe
  Command line: C:\Windows\system32\Lmneemaq.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1312

Depth 6: C:\Windows\SysWOW64\Mjkiephp.exe
  Command line: C:\Windows\system32\Mjkiephp.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 3276

Depth 7: C:\Windows\SysWOW64\Omgabj32.exe
  Command line: C:\Windows\system32\Omgabj32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3828

Depth 8: C:\Windows\SysWOW64\Oahgnh32.exe
  Command line: C:\Windows\system32\Oahgnh32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2132

Depth 9: C:\Windows\SysWOW64\Ppdjpcng.exe
  Command line: C:\Windows\system32\Ppdjpcng.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4648

Depth 10: C:\Windows\SysWOW64\Adbkmo32.exe
  Command line: C:\Windows\system32\Adbkmo32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1004

Depth 11: C:\Windows\SysWOW64\Bhbahm32.exe
  Command line: C:\Windows\system32\Bhbahm32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1496

Depth 12: C:\Windows\SysWOW64\Bgjjoi32.exe
  Command line: C:\Windows\system32\Bgjjoi32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4272

Depth 13: C:\Windows\SysWOW64\Ceeaim32.exe
  Command line: C:\Windows\system32\Ceeaim32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1808

Depth 14: C:\Windows\SysWOW64\Cnboma32.exe
  Command line: C:\Windows\system32\Cnboma32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1012

Depth 15: C:\Windows\SysWOW64\Dndlba32.exe
  Command line: C:\Windows\system32\Dndlba32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3024

Depth 16: C:\Windows\SysWOW64\Eieplhlf.exe
  Command line: C:\Windows\system32\Eieplhlf.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 3632

Depth 17: C:\Windows\SysWOW64\Eaenkj32.exe
  Command line: C:\Windows\system32\Eaenkj32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2316

Depth 18: C:\Windows\SysWOW64\Fjpoio32.exe
  Command line: C:\Windows\system32\Fjpoio32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3360

Depth 19: C:\Windows\SysWOW64\Fbnmkk32.exe
  Command line: C:\Windows\system32\Fbnmkk32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1952

Depth 20: C:\Windows\SysWOW64\Gbhpajlj.exe
  Command line: C:\Windows\system32\Gbhpajlj.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 568

Depth 21: C:\Windows\SysWOW64\Haafnf32.exe
  Command line: C:\Windows\system32\Haafnf32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4420

Depth 22: C:\Windows\SysWOW64\Hommhi32.exe
  Command line: C:\Windows\system32\Hommhi32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2596

Depth 23: C:\Windows\SysWOW64\Ikhghi32.exe
  Command line: C:\Windows\system32\Ikhghi32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 4292

Depth 24: C:\Windows\SysWOW64\Kkofofbb.exe
  Command line: C:\Windows\system32\Kkofofbb.exe
  - Executes dropped EXE
  PID: 2092

Depth 25: C:\Windows\SysWOW64\Komoed32.exe
  Command line: C:\Windows\system32\Komoed32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
PID:260 -
C:\Windows\SysWOW64\Kkdoje32.exeC:\Windows\system32\Kkdoje32.exe26⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Lkkekdhe.exeC:\Windows\system32\Lkkekdhe.exe27⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Mboqnm32.exeC:\Windows\system32\Mboqnm32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Odcojm32.exeC:\Windows\system32\Odcojm32.exe29⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Pkigbfja.exeC:\Windows\system32\Pkigbfja.exe30⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Pphlpl32.exeC:\Windows\system32\Pphlpl32.exe31⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Apobakpn.exeC:\Windows\system32\Apobakpn.exe32⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Anjikoip.exeC:\Windows\system32\Anjikoip.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Cklffq32.exeC:\Windows\system32\Cklffq32.exe34⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Ekeacmel.exeC:\Windows\system32\Ekeacmel.exe35⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Ecafgo32.exeC:\Windows\system32\Ecafgo32.exe36⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Gaccbaeq.exeC:\Windows\system32\Gaccbaeq.exe37⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Hldgkiki.exeC:\Windows\system32\Hldgkiki.exe38⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Imabnofj.exeC:\Windows\system32\Imabnofj.exe39⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Iejgelej.exeC:\Windows\system32\Iejgelej.exe40⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Jkeloa32.exeC:\Windows\system32\Jkeloa32.exe41⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Kdpmmf32.exeC:\Windows\system32\Kdpmmf32.exe42⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Knphfklg.exeC:\Windows\system32\Knphfklg.exe43⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Kdipce32.exeC:\Windows\system32\Kdipce32.exe44⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Mkadam32.exeC:\Windows\system32\Mkadam32.exe45⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Npkmcj32.exeC:\Windows\system32\Npkmcj32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Omfcmm32.exeC:\Windows\system32\Omfcmm32.exe47⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Pppoeg32.exeC:\Windows\system32\Pppoeg32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Plimpg32.exeC:\Windows\system32\Plimpg32.exe49⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Peaahmcd.exeC:\Windows\system32\Peaahmcd.exe50⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Aeigilml.exeC:\Windows\system32\Aeigilml.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Begcjjql.exeC:\Windows\system32\Begcjjql.exe52⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Blqlgdhi.exeC:\Windows\system32\Blqlgdhi.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Cgbppknb.exeC:\Windows\system32\Cgbppknb.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4520 -
C:\Windows\SysWOW64\Ejennd32.exeC:\Windows\system32\Ejennd32.exe55⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Hfhgfaha.exeC:\Windows\system32\Hfhgfaha.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1104 -
C:\Windows\SysWOW64\Ipjoee32.exeC:\Windows\system32\Ipjoee32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Iaqapggb.exeC:\Windows\system32\Iaqapggb.exe58⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Jphkfc32.exeC:\Windows\system32\Jphkfc32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Jpmdabfb.exeC:\Windows\system32\Jpmdabfb.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Jkbhok32.exeC:\Windows\system32\Jkbhok32.exe61⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Jhfihp32.exeC:\Windows\system32\Jhfihp32.exe62⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Lggeej32.exeC:\Windows\system32\Lggeej32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Mddidm32.exeC:\Windows\system32\Mddidm32.exe64⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Mkcjlf32.exeC:\Windows\system32\Mkcjlf32.exe65⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Nkhdgfen.exeC:\Windows\system32\Nkhdgfen.exe66⤵
- Modifies registry class
PID:4572 -
C:\Windows\SysWOW64\Oendaipn.exeC:\Windows\system32\Oendaipn.exe67⤵PID:2196
-
C:\Windows\SysWOW64\Opfedb32.exeC:\Windows\system32\Opfedb32.exe68⤵
- Modifies registry class
PID:4412 -
C:\Windows\SysWOW64\Onkbenbi.exeC:\Windows\system32\Onkbenbi.exe69⤵PID:3356
-
C:\Windows\SysWOW64\Ppbepp32.exeC:\Windows\system32\Ppbepp32.exe70⤵PID:3520
-
C:\Windows\SysWOW64\Pacahhib.exeC:\Windows\system32\Pacahhib.exe71⤵PID:2228
-
C:\Windows\SysWOW64\Peajngoi.exeC:\Windows\system32\Peajngoi.exe72⤵PID:2776
-
C:\Windows\SysWOW64\Apbngn32.exeC:\Windows\system32\Apbngn32.exe73⤵PID:2200
-
C:\Windows\SysWOW64\Ahnclp32.exeC:\Windows\system32\Ahnclp32.exe74⤵
- Drops file in System32 directory
PID:4652 -
C:\Windows\SysWOW64\Blnhgn32.exeC:\Windows\system32\Blnhgn32.exe75⤵PID:1084
-
C:\Windows\SysWOW64\Befmpdmq.exeC:\Windows\system32\Befmpdmq.exe76⤵PID:3560
-
C:\Windows\SysWOW64\Cafpkc32.exeC:\Windows\system32\Cafpkc32.exe77⤵PID:2104
-
C:\Windows\SysWOW64\Clldhljp.exeC:\Windows\system32\Clldhljp.exe78⤵PID:2840
-
C:\Windows\SysWOW64\Cojqdhid.exeC:\Windows\system32\Cojqdhid.exe79⤵PID:4616
-
C:\Windows\SysWOW64\Cipebqij.exeC:\Windows\system32\Cipebqij.exe80⤵PID:3836
-
C:\Windows\SysWOW64\Cpjmok32.exeC:\Windows\system32\Cpjmok32.exe81⤵PID:1452
-
C:\Windows\SysWOW64\Didnmp32.exeC:\Windows\system32\Didnmp32.exe82⤵PID:1004
-
C:\Windows\SysWOW64\Dlckik32.exeC:\Windows\system32\Dlckik32.exe83⤵
- Modifies registry class
PID:4144 -
C:\Windows\SysWOW64\Dllmoj32.exeC:\Windows\system32\Dllmoj32.exe84⤵PID:1988
-
C:\Windows\SysWOW64\Eokjke32.exeC:\Windows\system32\Eokjke32.exe85⤵PID:3188
-
C:\Windows\SysWOW64\Efdbhpbn.exeC:\Windows\system32\Efdbhpbn.exe86⤵PID:4912
-
C:\Windows\SysWOW64\Elccpife.exeC:\Windows\system32\Elccpife.exe87⤵PID:4368
-
C:\Windows\SysWOW64\Fomohc32.exeC:\Windows\system32\Fomohc32.exe88⤵PID:4512
-
C:\Windows\SysWOW64\Fmapag32.exeC:\Windows\system32\Fmapag32.exe89⤵
- Drops file in System32 directory
PID:3612 -
C:\Windows\SysWOW64\Ffjdjmpf.exeC:\Windows\system32\Ffjdjmpf.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1484 -
C:\Windows\SysWOW64\Hidpbf32.exeC:\Windows\system32\Hidpbf32.exe91⤵PID:1976
-
C:\Windows\SysWOW64\Ifmcmg32.exeC:\Windows\system32\Ifmcmg32.exe92⤵PID:1496
-
C:\Windows\SysWOW64\Jmnakqcc.exeC:\Windows\system32\Jmnakqcc.exe93⤵PID:4988
-
C:\Windows\SysWOW64\Jbkjcgaj.exeC:\Windows\system32\Jbkjcgaj.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Kcdmifip.exeC:\Windows\system32\Kcdmifip.exe95⤵PID:1720
-
C:\Windows\SysWOW64\Kaemgn32.exeC:\Windows\system32\Kaemgn32.exe96⤵PID:5112
-
C:\Windows\SysWOW64\Lpcmoi32.exeC:\Windows\system32\Lpcmoi32.exe97⤵PID:3280
-
C:\Windows\SysWOW64\Mgpaqbcf.exeC:\Windows\system32\Mgpaqbcf.exe98⤵PID:4288
-
C:\Windows\SysWOW64\Mddbjg32.exeC:\Windows\system32\Mddbjg32.exe99⤵PID:4604
-
C:\Windows\SysWOW64\Mknjgajl.exeC:\Windows\system32\Mknjgajl.exe100⤵PID:4396
-
C:\Windows\SysWOW64\Mcklac32.exeC:\Windows\system32\Mcklac32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Nnjbdj32.exeC:\Windows\system32\Nnjbdj32.exe102⤵
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\Ngedbp32.exeC:\Windows\system32\Ngedbp32.exe103⤵PID:2396
-
C:\Windows\SysWOW64\Onceji32.exeC:\Windows\system32\Onceji32.exe104⤵PID:4764
-
C:\Windows\SysWOW64\Pkaijl32.exeC:\Windows\system32\Pkaijl32.exe105⤵PID:2136
-
C:\Windows\SysWOW64\Pclnon32.exeC:\Windows\system32\Pclnon32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1600 -
C:\Windows\SysWOW64\Pnaalghe.exeC:\Windows\system32\Pnaalghe.exe107⤵PID:5204
-
C:\Windows\SysWOW64\Aloekjod.exeC:\Windows\system32\Aloekjod.exe108⤵
- Drops file in System32 directory
PID:5352 -
C:\Windows\SysWOW64\Dhidcffq.exeC:\Windows\system32\Dhidcffq.exe109⤵PID:5420
-
C:\Windows\SysWOW64\Eaabci32.exeC:\Windows\system32\Eaabci32.exe110⤵PID:5508
-
C:\Windows\SysWOW64\Gkmlilej.exeC:\Windows\system32\Gkmlilej.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5552 -
C:\Windows\SysWOW64\Gmlhbo32.exeC:\Windows\system32\Gmlhbo32.exe112⤵PID:5604
-
C:\Windows\SysWOW64\Hbiakf32.exeC:\Windows\system32\Hbiakf32.exe113⤵
- Modifies registry class
PID:5648 -
C:\Windows\SysWOW64\Hbnjfefo.exeC:\Windows\system32\Hbnjfefo.exe114⤵
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\Hoakpi32.exeC:\Windows\system32\Hoakpi32.exe115⤵PID:5736
-
C:\Windows\SysWOW64\Hflclcle.exeC:\Windows\system32\Hflclcle.exe116⤵PID:5776
-
C:\Windows\SysWOW64\Hmfkin32.exeC:\Windows\system32\Hmfkin32.exe117⤵
- Modifies registry class
PID:5820 -
C:\Windows\SysWOW64\Hbbdad32.exeC:\Windows\system32\Hbbdad32.exe118⤵
- Modifies registry class
PID:5864 -
C:\Windows\SysWOW64\Hpfdkiac.exeC:\Windows\system32\Hpfdkiac.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:5924 -
C:\Windows\SysWOW64\Iciflfcd.exeC:\Windows\system32\Iciflfcd.exe120⤵PID:5964
-
C:\Windows\SysWOW64\Iifodmak.exeC:\Windows\system32\Iifodmak.exe121⤵PID:6012
-
C:\Windows\SysWOW64\Ippgqg32.exeC:\Windows\system32\Ippgqg32.exe122⤵PID:6064
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-