Analysis
max time kernel
54s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
submitted
17-11-2023 18:58
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
NEAS.2300c736f0002b3b0a436f542919bd70.exe
Resource
win7-20231020-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.2300c736f0002b3b0a436f542919bd70.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
Target
NEAS.2300c736f0002b3b0a436f542919bd70.exe
Size
1.0MB
MD5
2300c736f0002b3b0a436f542919bd70
SHA1
f31912d43e19be2ff430ace776df9baa2bd4f84b
SHA256
daa000eb64f3c8b333f37db4dced1c0a55e5c8b5be5b34f1687280b855b0db99
SHA512
9770ba1119d9d634ea222533fb1fabe9048f5a30858f1f6ae9c716e83b72a5c67bf3e0c8eed91f8feb087b9075e5767a52f9f93491da5e0140015f236e5ad7e4
SSDEEP
12288:POmTsqCCiqCioAiqCAOTsqCCiqC+qCCiqCaTsqCCiqC:POHCMUMACMgCM7CM
Score
10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup — 2 TTPs, 64 IoCs. Persistence note: the ShellServiceObjectDelayLoad value "Web Event Logger" is set to CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, the same CLSID whose InProcServer32 is pointed at dropped DLLs under C:\Windows\SysWow64 in the "Modifies registry class" section below; read together, the two registry changes form the persistence chain this signature reports.
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqaiga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkmqne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecjpfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opmaaodc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcembe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgpmffeh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflpmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkkekdhe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkdlkope.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onqdhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mclpbqal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qciebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = 
"{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdkcnklf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndejcemn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndhgie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fehplggn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfcfnm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcapbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdaqhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmfodn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jckeokan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbfjjlgc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alaaajmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqmlmiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web 
Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bohbackj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qppkhfec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgagll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndinck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goamlkpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmmmnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igabdekb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijigfaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkkekdhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jimeelkc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqbbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpdefc32.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbfjjlgc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfbbdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqnemp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eimelg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmknog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecoiapdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaegqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpbgnecp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmhphqoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dagajlal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcgcaq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nalgbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciiaogon.exe 
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbbgicnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciogobcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihheqd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Malnklgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiqomj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiigqdfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogifci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okmpqjad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmknog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdnkhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agikne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dodbkiho.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gomkkagl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igabdekb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecjpfp32.exe -
Executes dropped EXE — 64 IoCs
pid Process 4632 Okmpqjad.exe 4356 Okailj32.exe 4788 Pbbgicnd.exe 4952 Pkabbgol.exe 5088 Qppkhfec.exe 4840 Qpbgnecp.exe 2888 Afnlpohj.exe 712 Bmfqngcg.exe 1740 Cmmgof32.exe 1200 Cdjlap32.exe 1928 Ciiaogon.exe 808 Didqkeeq.exe 3172 Eepkkefp.exe 4512 Edcgnmml.exe 3528 Fnqebaog.exe 4224 Gfemmb32.exe 4264 Gcpcgfmi.exe 4024 Hcembe32.exe 1476 Hclccd32.exe 1440 Inkjfk32.exe 216 Jnapgjdo.exe 3060 Jjhalkjc.exe 2200 Kfkamk32.exe 3156 Lhmjlm32.exe 2216 Mgkjch32.exe 4400 Meadlo32.exe 2600 Nahdapae.exe 4068 Ndinck32.exe 1032 Nkjlqd32.exe 636 Ohgopgfj.exe 4340 Philfgdh.exe 1012 Pbfjjlgc.exe 2688 Qomghp32.exe 4988 Qghlmbae.exe 4384 Aoapcood.exe 1096 Aofjoo32.exe 5040 Bnppkj32.exe 2780 Bnbmqjjo.exe 3264 Bgkaip32.exe 4848 Beobcdoi.exe 4292 Biljib32.exe 720 Ciogobcm.exe 5064 Cnlpgibd.exe 1988 Cnnllhpa.exe 1732 Cnpibh32.exe 4000 Cppelkeb.exe 2128 Dlkplk32.exe 1340 Dhdmfljb.exe 1600 Dpnbmi32.exe 2256 Flekihpc.exe 4032 Fgmllpng.exe 2328 Gcfjfqah.exe 1392 Gomkkagl.exe 4912 Gcmpgpkp.exe 4220 Gledpe32.exe 3476 Hgmebnpd.exe 4768 Hfbbdj32.exe 2856 Hjpkjh32.exe 1240 Hladlc32.exe 4376 Ihheqd32.exe 4476 Iqaiga32.exe 1132 Icbbimih.exe 60 Icdoolge.exe 2764 Jjcqffkm.exe -
Drops file in System32 directory — 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hladlc32.exe Hjpkjh32.exe File created C:\Windows\SysWOW64\Hjlkfnim.dll Beobcdoi.exe File created C:\Windows\SysWOW64\Pgihanii.exe Onqdhh32.exe File created C:\Windows\SysWOW64\Bopfdc32.dll Pklkbl32.exe File created C:\Windows\SysWOW64\Djklgb32.exe Dabhomea.exe File created C:\Windows\SysWOW64\Enigjh32.exe Eaegqc32.exe File opened for modification C:\Windows\SysWOW64\Didqkeeq.exe Ciiaogon.exe File created C:\Windows\SysWOW64\Eepkkefp.exe Didqkeeq.exe File created C:\Windows\SysWOW64\Malnklgg.exe Lhammfci.exe File created C:\Windows\SysWOW64\Clbcll32.dll Hpgkeodo.exe File created C:\Windows\SysWOW64\Ijigfaol.exe Ihjjln32.exe File created C:\Windows\SysWOW64\Qgfidb32.dll Mgagll32.exe File opened for modification C:\Windows\SysWOW64\Ecoiapdj.exe Aancojgn.exe File created C:\Windows\SysWOW64\Gmjlak32.dll Kjamhd32.exe File created C:\Windows\SysWOW64\Cbpppcid.dll Lfodmdni.exe File created C:\Windows\SysWOW64\Omhnja32.dll Jhjcbljf.exe File created C:\Windows\SysWOW64\Bjfppe32.dll Mclpbqal.exe File created C:\Windows\SysWOW64\Eflmeb32.dll Cnnllhpa.exe File created C:\Windows\SysWOW64\Jdlbgl32.dll Gledpe32.exe File created C:\Windows\SysWOW64\Mcpooenf.dll Kmmmnp32.exe File created C:\Windows\SysWOW64\Mbfggf32.dll Ckoifgmb.exe File created C:\Windows\SysWOW64\Hpbjkgee.dll Hcembe32.exe File created C:\Windows\SysWOW64\Aeohij32.dll Aofjoo32.exe File opened for modification C:\Windows\SysWOW64\Gcmpgpkp.exe Gomkkagl.exe File created C:\Windows\SysWOW64\Ppffec32.exe Nllleapo.exe File created C:\Windows\SysWOW64\Gbcffk32.exe Fbqiak32.exe File created C:\Windows\SysWOW64\Lflpmn32.exe Jgpmffeh.exe File created C:\Windows\SysWOW64\Afnlpohj.exe Qpbgnecp.exe File created C:\Windows\SysWOW64\Philfgdh.exe Ohgopgfj.exe File created C:\Windows\SysWOW64\Fndjec32.dll Malnklgg.exe File created C:\Windows\SysWOW64\Pnlcdg32.exe Phpklp32.exe File created C:\Windows\SysWOW64\Pmceobnb.dll Mcnhfb32.exe File created 
C:\Windows\SysWOW64\Bpkbmi32.exe Aphegjhc.exe File created C:\Windows\SysWOW64\Hmlicp32.exe Opmaaodc.exe File created C:\Windows\SysWOW64\Baeaeo32.dll Hlmiagbo.exe File created C:\Windows\SysWOW64\Adkcem32.dll Biljib32.exe File created C:\Windows\SysWOW64\Hqkefo32.dll Hjpkjh32.exe File created C:\Windows\SysWOW64\Lhammfci.exe Lipmoo32.exe File opened for modification C:\Windows\SysWOW64\Onqdhh32.exe Oajccgmd.exe File created C:\Windows\SysWOW64\Fbqiak32.exe Faamghko.exe File created C:\Windows\SysWOW64\Eflmkg32.dll Okailj32.exe File created C:\Windows\SysWOW64\Pbphca32.dll Qppkhfec.exe File created C:\Windows\SysWOW64\Lefngbhd.dll Aljmal32.exe File created C:\Windows\SysWOW64\Boagkmab.dll Gdheol32.exe File opened for modification C:\Windows\SysWOW64\Fgmllpng.exe Flekihpc.exe File created C:\Windows\SysWOW64\Imobclfe.dll Koiejemn.exe File created C:\Windows\SysWOW64\Eonjpqid.dll Ppffec32.exe File created C:\Windows\SysWOW64\Bkefphem.exe Bqnemp32.exe File opened for modification C:\Windows\SysWOW64\Engaon32.exe Ebpqjmpd.exe File created C:\Windows\SysWOW64\Edeanh32.dll Mikepg32.exe File created C:\Windows\SysWOW64\Mipoje32.dll Bniacddk.exe File created C:\Windows\SysWOW64\Gcbnjh32.dll Lipmoo32.exe File opened for modification C:\Windows\SysWOW64\Pgkegn32.exe Pgihanii.exe File opened for modification C:\Windows\SysWOW64\Kaflio32.exe Kcbkpj32.exe File created C:\Windows\SysWOW64\Jgaifgon.dll Bdhkchlg.exe File created C:\Windows\SysWOW64\Lbcoid32.dll Ogifci32.exe File created C:\Windows\SysWOW64\Felbmqpl.exe Jcoapami.exe File opened for modification C:\Windows\SysWOW64\Hclccd32.exe Hcembe32.exe File opened for modification C:\Windows\SysWOW64\Meadlo32.exe Mgkjch32.exe File created C:\Windows\SysWOW64\Jojgkahb.dll Gbcffk32.exe File opened for modification C:\Windows\SysWOW64\Ihjjln32.exe Bfoebq32.exe File opened for modification C:\Windows\SysWOW64\Aqdbfa32.exe Aqbfaa32.exe File created C:\Windows\SysWOW64\Cbfema32.exe Kpjjhj32.exe File created 
C:\Windows\SysWOW64\Ckoifgmb.exe Cbfema32.exe -
Program crash — 1 IoC
pid: 6896 · pid_target: 8720 · Process: Process not Found · procid_target: 1160
Modifies registry class — 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gomkkagl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpnbmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iehkefih.dll" Kaflio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbgapco.dll" Lcpledob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkehlmll.dll" Ihjjln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khkbdfpg.dll" Jimeelkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgkjch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiopdhnf.dll" Bnbmqjjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmmmnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diafqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hohmmncd.dll" Jifemfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 
Eepkkefp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flekihpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmqqnelh.dll" Njhglelp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcgcaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jimeelkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiagoigj.dll" Cmmgof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qomghp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpnepk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnlcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcgmnddm.dll" Mgkjch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhgdahgp.dll" Nllleapo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbkbj32.dll" Hfbbdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkobdqqa.dll" Ckladcoa.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgkelj32.dll" Goamlkpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkofofbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agikne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjhalkjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnppkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdlbgl32.dll" Gledpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nalgbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flgaodbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hldgkiki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfcojl32.dll" Inkjfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjamhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbcffk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnochl32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnqebaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpbjkgee.dll" Hcembe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjamhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndhgie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icfhqeeg.dll" Onqdhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebfjp32.dll" Ojhnlh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjiloqjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbjgcnll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjfppe32.dll" Mclpbqal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpkbmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecoiapdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" NEAS.2300c736f0002b3b0a436f542919bd70.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgkjch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nibbklke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaejhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmhlijpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lflpmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofooqinh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkmqne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefngbhd.dll" Aljmal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icdoolge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Malnklgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Migcpneb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgihanii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pblcieig.dll" Gfemmb32.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaflio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbfema32.exe -
Suspicious use of WriteProcessMemory — 64 IoCs
description pid Process procid_target PID 4364 wrote to memory of 4632 4364 NEAS.2300c736f0002b3b0a436f542919bd70.exe 91 PID 4364 wrote to memory of 4632 4364 NEAS.2300c736f0002b3b0a436f542919bd70.exe 91 PID 4364 wrote to memory of 4632 4364 NEAS.2300c736f0002b3b0a436f542919bd70.exe 91 PID 4632 wrote to memory of 4356 4632 Okmpqjad.exe 92 PID 4632 wrote to memory of 4356 4632 Okmpqjad.exe 92 PID 4632 wrote to memory of 4356 4632 Okmpqjad.exe 92 PID 4356 wrote to memory of 4788 4356 Okailj32.exe 93 PID 4356 wrote to memory of 4788 4356 Okailj32.exe 93 PID 4356 wrote to memory of 4788 4356 Okailj32.exe 93 PID 4788 wrote to memory of 4952 4788 Pbbgicnd.exe 94 PID 4788 wrote to memory of 4952 4788 Pbbgicnd.exe 94 PID 4788 wrote to memory of 4952 4788 Pbbgicnd.exe 94 PID 4952 wrote to memory of 5088 4952 Pkabbgol.exe 95 PID 4952 wrote to memory of 5088 4952 Pkabbgol.exe 95 PID 4952 wrote to memory of 5088 4952 Pkabbgol.exe 95 PID 5088 wrote to memory of 4840 5088 Qppkhfec.exe 96 PID 5088 wrote to memory of 4840 5088 Qppkhfec.exe 96 PID 5088 wrote to memory of 4840 5088 Qppkhfec.exe 96 PID 4840 wrote to memory of 2888 4840 Qpbgnecp.exe 97 PID 4840 wrote to memory of 2888 4840 Qpbgnecp.exe 97 PID 4840 wrote to memory of 2888 4840 Qpbgnecp.exe 97 PID 2888 wrote to memory of 712 2888 Afnlpohj.exe 98 PID 2888 wrote to memory of 712 2888 Afnlpohj.exe 98 PID 2888 wrote to memory of 712 2888 Afnlpohj.exe 98 PID 712 wrote to memory of 1740 712 Bmfqngcg.exe 99 PID 712 wrote to memory of 1740 712 Bmfqngcg.exe 99 PID 712 wrote to memory of 1740 712 Bmfqngcg.exe 99 PID 1740 wrote to memory of 1200 1740 Cmmgof32.exe 100 PID 1740 wrote to memory of 1200 1740 Cmmgof32.exe 100 PID 1740 wrote to memory of 1200 1740 Cmmgof32.exe 100 PID 1200 wrote to memory of 1928 1200 Cdjlap32.exe 101 PID 1200 wrote to memory of 1928 1200 Cdjlap32.exe 101 PID 1200 wrote to memory of 1928 1200 Cdjlap32.exe 101 PID 1928 wrote to memory of 808 1928 Ciiaogon.exe 102 PID 1928 wrote to memory of 808 1928 
Ciiaogon.exe 102 PID 1928 wrote to memory of 808 1928 Ciiaogon.exe 102 PID 808 wrote to memory of 3172 808 Didqkeeq.exe 103 PID 808 wrote to memory of 3172 808 Didqkeeq.exe 103 PID 808 wrote to memory of 3172 808 Didqkeeq.exe 103 PID 3172 wrote to memory of 4512 3172 Eepkkefp.exe 104 PID 3172 wrote to memory of 4512 3172 Eepkkefp.exe 104 PID 3172 wrote to memory of 4512 3172 Eepkkefp.exe 104 PID 4512 wrote to memory of 3528 4512 Edcgnmml.exe 105 PID 4512 wrote to memory of 3528 4512 Edcgnmml.exe 105 PID 4512 wrote to memory of 3528 4512 Edcgnmml.exe 105 PID 3528 wrote to memory of 4224 3528 Fnqebaog.exe 106 PID 3528 wrote to memory of 4224 3528 Fnqebaog.exe 106 PID 3528 wrote to memory of 4224 3528 Fnqebaog.exe 106 PID 4224 wrote to memory of 4264 4224 Gfemmb32.exe 107 PID 4224 wrote to memory of 4264 4224 Gfemmb32.exe 107 PID 4224 wrote to memory of 4264 4224 Gfemmb32.exe 107 PID 4264 wrote to memory of 4024 4264 Gcpcgfmi.exe 108 PID 4264 wrote to memory of 4024 4264 Gcpcgfmi.exe 108 PID 4264 wrote to memory of 4024 4264 Gcpcgfmi.exe 108 PID 4024 wrote to memory of 1476 4024 Hcembe32.exe 109 PID 4024 wrote to memory of 1476 4024 Hcembe32.exe 109 PID 4024 wrote to memory of 1476 4024 Hcembe32.exe 109 PID 1476 wrote to memory of 1440 1476 Hclccd32.exe 110 PID 1476 wrote to memory of 1440 1476 Hclccd32.exe 110 PID 1476 wrote to memory of 1440 1476 Hclccd32.exe 110 PID 1440 wrote to memory of 216 1440 Inkjfk32.exe 112 PID 1440 wrote to memory of 216 1440 Inkjfk32.exe 112 PID 1440 wrote to memory of 216 1440 Inkjfk32.exe 112 PID 216 wrote to memory of 3060 216 Jnapgjdo.exe 111
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.2300c736f0002b3b0a436f542919bd70.exe — command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.2300c736f0002b3b0a436f542919bd70.exe" (tree level 1)
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\Okmpqjad.exe — command line: C:\Windows\system32\Okmpqjad.exe (tree level 2; the image path resolves under SysWOW64 although the command line names system32, consistent with a 32-bit child process subject to WOW64 file-system redirection)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Okailj32.exe — command line: C:\Windows\system32\Okailj32.exe (tree level 3)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Pbbgicnd.exe — command line: C:\Windows\system32\Pbbgicnd.exe (tree level 4)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\Pkabbgol.exe — command line: C:\Windows\system32\Pkabbgol.exe (tree level 5)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Qppkhfec.exe — command line: C:\Windows\system32\Qppkhfec.exe (tree level 6)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\Qpbgnecp.exe — command line: C:\Windows\system32\Qpbgnecp.exe (tree level 7)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Afnlpohj.exeC:\Windows\system32\Afnlpohj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Bmfqngcg.exeC:\Windows\system32\Bmfqngcg.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Windows\SysWOW64\Cmmgof32.exeC:\Windows\system32\Cmmgof32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Cdjlap32.exeC:\Windows\system32\Cdjlap32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Ciiaogon.exeC:\Windows\system32\Ciiaogon.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Didqkeeq.exeC:\Windows\system32\Didqkeeq.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Eepkkefp.exeC:\Windows\system32\Eepkkefp.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Edcgnmml.exeC:\Windows\system32\Edcgnmml.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Fnqebaog.exeC:\Windows\system32\Fnqebaog.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Gfemmb32.exeC:\Windows\system32\Gfemmb32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Windows\SysWOW64\Gcpcgfmi.exeC:\Windows\system32\Gcpcgfmi.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\Hcembe32.exeC:\Windows\system32\Hcembe32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Hclccd32.exeC:\Windows\system32\Hclccd32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Inkjfk32.exeC:\Windows\system32\Inkjfk32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Jnapgjdo.exeC:\Windows\system32\Jnapgjdo.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216
C:\Windows\SysWOW64\Kahqbgjp.exeC:\Windows\system32\Kahqbgjp.exe15⤵PID:5692
-
C:\Windows\SysWOW64\Kefiheqf.exeC:\Windows\system32\Kefiheqf.exe16⤵PID:7688
-
C:\Windows\SysWOW64\Klbnjo32.exeC:\Windows\system32\Klbnjo32.exe17⤵PID:8832
-
C:\Windows\SysWOW64\Kekbce32.exeC:\Windows\system32\Kekbce32.exe18⤵PID:7324
-
C:\Windows\SysWOW64\Locgljca.exeC:\Windows\system32\Locgljca.exe19⤵PID:3872
-
C:\Windows\SysWOW64\Liikiccg.exeC:\Windows\system32\Liikiccg.exe20⤵PID:5804
-
C:\Windows\SysWOW64\Lcapbi32.exeC:\Windows\system32\Lcapbi32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7328 -
C:\Windows\SysWOW64\Lljdkn32.exeC:\Windows\system32\Lljdkn32.exe22⤵PID:4912
-
C:\Windows\SysWOW64\Ljnddb32.exeC:\Windows\system32\Ljnddb32.exe23⤵PID:2572
-
C:\Windows\SysWOW64\Lcfimheb.exeC:\Windows\system32\Lcfimheb.exe24⤵PID:3796
-
C:\Windows\SysWOW64\Lpjjgl32.exeC:\Windows\system32\Lpjjgl32.exe25⤵PID:6288
-
C:\Windows\SysWOW64\Ljbnpbkl.exeC:\Windows\system32\Ljbnpbkl.exe26⤵PID:224
-
C:\Windows\SysWOW64\Mplfll32.exeC:\Windows\system32\Mplfll32.exe27⤵PID:7212
-
C:\Windows\SysWOW64\Mfiodc32.exeC:\Windows\system32\Mfiodc32.exe28⤵PID:3460
-
C:\Windows\SysWOW64\Mpocblpf.exeC:\Windows\system32\Mpocblpf.exe29⤵PID:8
-
C:\Windows\SysWOW64\Mhjhfnma.exeC:\Windows\system32\Mhjhfnma.exe30⤵PID:7444
-
C:\Windows\SysWOW64\Mbbloc32.exeC:\Windows\system32\Mbbloc32.exe31⤵PID:8036
-
C:\Windows\SysWOW64\Mcaiif32.exeC:\Windows\system32\Mcaiif32.exe32⤵PID:2212
-
C:\Windows\SysWOW64\Mhnaam32.exeC:\Windows\system32\Mhnaam32.exe33⤵PID:7768
-
C:\Windows\SysWOW64\Nokfcg32.exeC:\Windows\system32\Nokfcg32.exe34⤵PID:7924
-
C:\Windows\SysWOW64\Njbgfp32.exeC:\Windows\system32\Njbgfp32.exe35⤵PID:2196
-
C:\Windows\SysWOW64\Nfihkq32.exeC:\Windows\system32\Nfihkq32.exe36⤵PID:7500
-
C:\Windows\SysWOW64\Nodijffl.exeC:\Windows\system32\Nodijffl.exe37⤵PID:7388
-
C:\Windows\SysWOW64\Oilmckml.exeC:\Windows\system32\Oilmckml.exe38⤵PID:9208
-
C:\Windows\SysWOW64\Ojljmn32.exeC:\Windows\system32\Ojljmn32.exe39⤵PID:8592
-
C:\Windows\SysWOW64\Obgoaq32.exeC:\Windows\system32\Obgoaq32.exe40⤵PID:5108
-
C:\Windows\SysWOW64\Ookokeqd.exeC:\Windows\system32\Ookokeqd.exe41⤵PID:1476
-
C:\Windows\SysWOW64\Oicccj32.exeC:\Windows\system32\Oicccj32.exe42⤵PID:2980
-
C:\Windows\SysWOW64\Ocihqc32.exeC:\Windows\system32\Ocihqc32.exe43⤵PID:740
-
C:\Windows\SysWOW64\Pcnalbce.exeC:\Windows\system32\Pcnalbce.exe44⤵PID:8076
-
C:\Windows\SysWOW64\Paaaeg32.exeC:\Windows\system32\Paaaeg32.exe45⤵PID:8696
-
C:\Windows\SysWOW64\Pimfji32.exeC:\Windows\system32\Pimfji32.exe46⤵PID:2312
-
C:\Windows\SysWOW64\Pbekboej.exeC:\Windows\system32\Pbekboej.exe47⤵PID:7676
-
C:\Windows\SysWOW64\Paihffkf.exeC:\Windows\system32\Paihffkf.exe48⤵PID:5888
-
C:\Windows\SysWOW64\Qidljhia.exeC:\Windows\system32\Qidljhia.exe49⤵PID:8928
-
C:\Windows\SysWOW64\Qciqga32.exeC:\Windows\system32\Qciqga32.exe50⤵PID:4172
-
C:\Windows\SysWOW64\Abonimmp.exeC:\Windows\system32\Abonimmp.exe51⤵PID:7836
-
C:\Windows\SysWOW64\Amdbffme.exeC:\Windows\system32\Amdbffme.exe52⤵PID:8836
-
C:\Windows\SysWOW64\Afocdkac.exeC:\Windows\system32\Afocdkac.exe53⤵PID:2748
-
C:\Windows\SysWOW64\Amikae32.exeC:\Windows\system32\Amikae32.exe54⤵PID:8388
-
C:\Windows\SysWOW64\Aaiqmc32.exeC:\Windows\system32\Aaiqmc32.exe55⤵PID:2856
-
C:\Windows\SysWOW64\Bpnnnp32.exeC:\Windows\system32\Bpnnnp32.exe56⤵PID:7200
-
C:\Windows\SysWOW64\Bfkbpjgf.exeC:\Windows\system32\Bfkbpjgf.exe57⤵PID:9104
-
C:\Windows\SysWOW64\Bdocin32.exeC:\Windows\system32\Bdocin32.exe58⤵PID:764
-
C:\Windows\SysWOW64\Babccb32.exeC:\Windows\system32\Babccb32.exe59⤵PID:5004
-
C:\Windows\SysWOW64\Binhgd32.exeC:\Windows\system32\Binhgd32.exe60⤵PID:1092
-
C:\Windows\SysWOW64\Cipemdqa.exeC:\Windows\system32\Cipemdqa.exe61⤵PID:9132
-
C:\Windows\SysWOW64\Ckpagg32.exeC:\Windows\system32\Ckpagg32.exe62⤵PID:4764
-
C:\Windows\SysWOW64\Cpljonfl.exeC:\Windows\system32\Cpljonfl.exe63⤵PID:4540
-
C:\Windows\SysWOW64\Cmpjhbee.exeC:\Windows\system32\Cmpjhbee.exe64⤵PID:1032
-
C:\Windows\SysWOW64\Cgioah32.exeC:\Windows\system32\Cgioah32.exe65⤵PID:5036
-
C:\Windows\SysWOW64\Cmedca32.exeC:\Windows\system32\Cmedca32.exe66⤵PID:8488
-
C:\Windows\SysWOW64\Dildibfd.exeC:\Windows\system32\Dildibfd.exe67⤵PID:8372
-
C:\Windows\SysWOW64\Dcdiahme.exeC:\Windows\system32\Dcdiahme.exe68⤵PID:3696
-
C:\Windows\SysWOW64\Dnjmoqmk.exeC:\Windows\system32\Dnjmoqmk.exe69⤵PID:8384
-
C:\Windows\SysWOW64\Dknnhekd.exeC:\Windows\system32\Dknnhekd.exe70⤵PID:8324
-
C:\Windows\SysWOW64\Djckiapl.exeC:\Windows\system32\Djckiapl.exe71⤵PID:8524
-
C:\Windows\SysWOW64\Dggkbeof.exeC:\Windows\system32\Dggkbeof.exe72⤵PID:1120
-
C:\Windows\SysWOW64\Edklljnp.exeC:\Windows\system32\Edklljnp.exe73⤵PID:7800
-
C:\Windows\SysWOW64\Ejgddq32.exeC:\Windows\system32\Ejgddq32.exe74⤵PID:952
-
C:\Windows\SysWOW64\Egkdne32.exeC:\Windows\system32\Egkdne32.exe75⤵PID:1516
-
C:\Windows\SysWOW64\Ecbecfqe.exeC:\Windows\system32\Ecbecfqe.exe76⤵PID:2840
-
C:\Windows\SysWOW64\Ejojepfo.exeC:\Windows\system32\Ejojepfo.exe77⤵PID:3344
-
C:\Windows\SysWOW64\Ejagkodl.exeC:\Windows\system32\Ejagkodl.exe78⤵PID:7828
-
C:\Windows\SysWOW64\Fcikcekm.exeC:\Windows\system32\Fcikcekm.exe79⤵PID:5624
-
C:\Windows\SysWOW64\Fqmlmiif.exeC:\Windows\system32\Fqmlmiif.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2204 -
C:\Windows\SysWOW64\Fkbpjbil.exeC:\Windows\system32\Fkbpjbil.exe81⤵PID:5456
-
C:\Windows\SysWOW64\Fqbehh32.exeC:\Windows\system32\Fqbehh32.exe82⤵PID:9060
-
C:\Windows\SysWOW64\Fkjfkacd.exeC:\Windows\system32\Fkjfkacd.exe83⤵PID:7612
-
C:\Windows\SysWOW64\Ggqgpb32.exeC:\Windows\system32\Ggqgpb32.exe84⤵PID:5596
-
C:\Windows\SysWOW64\Gnjollpe.exeC:\Windows\system32\Gnjollpe.exe85⤵PID:8144
-
C:\Windows\SysWOW64\Gbkdhjdi.exeC:\Windows\system32\Gbkdhjdi.exe86⤵PID:7192
-
C:\Windows\SysWOW64\Gggmqa32.exeC:\Windows\system32\Gggmqa32.exe87⤵PID:5416
-
C:\Windows\SysWOW64\Geknje32.exeC:\Windows\system32\Geknje32.exe88⤵PID:8876
-
C:\Windows\SysWOW64\Hjhfbl32.exeC:\Windows\system32\Hjhfbl32.exe89⤵PID:7956
-
C:\Windows\SysWOW64\Hkhblo32.exeC:\Windows\system32\Hkhblo32.exe90⤵PID:1988
-
C:\Windows\SysWOW64\Hnhknj32.exeC:\Windows\system32\Hnhknj32.exe91⤵PID:8584
-
C:\Windows\SysWOW64\Haidpeaf.exeC:\Windows\system32\Haidpeaf.exe92⤵PID:7932
-
C:\Windows\SysWOW64\Inpaoi32.exeC:\Windows\system32\Inpaoi32.exe93⤵PID:1672
-
C:\Windows\SysWOW64\Icoglp32.exeC:\Windows\system32\Icoglp32.exe94⤵PID:6724
-
C:\Windows\SysWOW64\Iabgfdil.exeC:\Windows\system32\Iabgfdil.exe95⤵PID:8408
-
C:\Windows\SysWOW64\Iaedkcgi.exeC:\Windows\system32\Iaedkcgi.exe96⤵PID:4976
-
C:\Windows\SysWOW64\Jlmenl32.exeC:\Windows\system32\Jlmenl32.exe97⤵PID:5900
-
C:\Windows\SysWOW64\Jbijpfjf.exeC:\Windows\system32\Jbijpfjf.exe98⤵PID:8512
-
C:\Windows\SysWOW64\Jangaboo.exeC:\Windows\system32\Jangaboo.exe99⤵PID:5524
-
C:\Windows\SysWOW64\Jdopcmlp.exeC:\Windows\system32\Jdopcmlp.exe100⤵PID:220
-
C:\Windows\SysWOW64\Kbbmfdbl.exeC:\Windows\system32\Kbbmfdbl.exe101⤵PID:784
-
C:\Windows\SysWOW64\Kbeild32.exeC:\Windows\system32\Kbeild32.exe102⤵PID:7152
-
C:\Windows\SysWOW64\Kkpnqf32.exeC:\Windows\system32\Kkpnqf32.exe103⤵PID:5372
-
C:\Windows\SysWOW64\Khdojk32.exeC:\Windows\system32\Khdojk32.exe104⤵PID:8992
-
C:\Windows\SysWOW64\Kdkool32.exeC:\Windows\system32\Kdkool32.exe105⤵PID:5280
-
C:\Windows\SysWOW64\Lhihejhi.exeC:\Windows\system32\Lhihejhi.exe106⤵PID:4776
-
C:\Windows\SysWOW64\Laalnpoi.exeC:\Windows\system32\Laalnpoi.exe107⤵PID:7760
-
C:\Windows\SysWOW64\Lhkdkj32.exeC:\Windows\system32\Lhkdkj32.exe108⤵PID:1428
-
C:\Windows\SysWOW64\Lbqihb32.exeC:\Windows\system32\Lbqihb32.exe109⤵PID:7968
-
C:\Windows\SysWOW64\Llimqhll.exeC:\Windows\system32\Llimqhll.exe110⤵PID:4456
-
C:\Windows\SysWOW64\Laffio32.exeC:\Windows\system32\Laffio32.exe111⤵PID:8012
-
C:\Windows\SysWOW64\Lknjbdad.exeC:\Windows\system32\Lknjbdad.exe112⤵PID:4416
-
C:\Windows\SysWOW64\Lahboo32.exeC:\Windows\system32\Lahboo32.exe113⤵PID:8972
-
C:\Windows\SysWOW64\Lkqggdoa.exeC:\Windows\system32\Lkqggdoa.exe114⤵PID:2268
-
C:\Windows\SysWOW64\Mefkdm32.exeC:\Windows\system32\Mefkdm32.exe115⤵PID:5956
-
C:\Windows\SysWOW64\Mkccmd32.exeC:\Windows\system32\Mkccmd32.exe116⤵PID:6592
-
C:\Windows\SysWOW64\Mamljndl.exeC:\Windows\system32\Mamljndl.exe117⤵PID:4340
-
C:\Windows\SysWOW64\Mlbpggdb.exeC:\Windows\system32\Mlbpggdb.exe118⤵PID:7712
-
C:\Windows\SysWOW64\Maoionbi.exeC:\Windows\system32\Maoionbi.exe119⤵PID:9184
-
C:\Windows\SysWOW64\Mldmlf32.exeC:\Windows\system32\Mldmlf32.exe120⤵PID:5476
-
C:\Windows\SysWOW64\Memaelip.exeC:\Windows\system32\Memaelip.exe121⤵PID:8148
-
C:\Windows\SysWOW64\Moefna32.exeC:\Windows\system32\Moefna32.exe122⤵PID:6856