Analysis
-
max time kernel
142s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
11/10/2023, 18:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.e6d7185802d9f54cac77e7f7cdf71f23_JC.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.e6d7185802d9f54cac77e7f7cdf71f23_JC.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.e6d7185802d9f54cac77e7f7cdf71f23_JC.exe
-
Size
143KB
-
MD5
e6d7185802d9f54cac77e7f7cdf71f23
-
SHA1
0a2b723bcb3780f78568b7959e448fdec3d30d7e
-
SHA256
01e6092002f24b27e4819f21a5fc7955cdd3bad4694868bc6480ebc6bb714464
-
SHA512
aa0c5089ea2cee8d90bc6f47b308f935e0742f08c5b81417dc9db18e8b5af055aa38fb1f13cc4db9bbcf59d1eebd7b30b56334f6c24a57582c13667cdae18e2b
-
SSDEEP
1536:Asqx/E2YAb81VCQ4BJdCv4nBjbUQ5ziJE93isirBUBEVGBtVM2hZV03fca13y:Az/LQJ4BJdBBjb3N93bsGfhv0vt3y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekbiaigk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkdjph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiglgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkcjjhgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bimoecio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqhbgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfpdcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plkpmlfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eofgioah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alcofi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neafdjak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pacfdila.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcadcgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppmleagi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbpgle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deliaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jijaef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkhjim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbgibgpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhgjcmfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odqbdnod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dofpqfof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbpnjdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmoijcje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbgdef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnhphg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekmhnpfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecdkdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cofndo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmpcmkaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggnlhgkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pogpcghp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Philfgdh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oijgmokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aelcooap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdffkgpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpjfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gijmlh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjpek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifglmlol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgpplf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feofmf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdfgdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eedkniob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjiaak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijqmacpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aehghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icachjbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qifbll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbfeoohe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abflfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfmmajed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Achmjmnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpbdiehi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad NEAS.e6d7185802d9f54cac77e7f7cdf71f23_JC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhogamih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikihlmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgkakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oolgbpei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdicje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfalhgni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkglcfec.exe -
Executes dropped EXE 64 IoCs
pid Process 5112 Fdbkja32.exe 4720 Gbpnjdkg.exe 5012 Gnfooe32.exe 3764 Hqghqpnl.exe 4988 Halaloif.exe 4732 Hjfbjdnd.exe 5004 Icachjbb.exe 3944 Infhebbh.exe 224 Jbijgp32.exe 3840 Jdopjh32.exe 2156 Kbeibo32.exe 2864 Kaopoj32.exe 1004 Logicn32.exe 3420 Mcabej32.exe 1836 Nkapelka.exe 5040 Ndlacapp.exe 4152 Napameoi.exe 2232 Nkjckkcg.exe 1696 Ofijnbkb.exe 2168 Oflfdbip.exe 2612 Qifbll32.exe 3620 Acppddig.exe 2728 Bcicjbal.exe 1320 Bmddihfj.exe 1532 Bpgjpb32.exe 1944 Cmpcdfll.exe 4276 Cekhihig.exe 496 Dipgpf32.exe 4784 Dcmedk32.exe 3872 Ecdkdj32.exe 3848 Flfbcndo.exe 3584 Fnglcqio.exe 4764 Fgpplf32.exe 112 Gphddlfp.exe 5076 Gfgjbb32.exe 1040 Hnhdjn32.exe 2828 Hcgjhega.exe 4316 Hgebnc32.exe 1884 Ijmapm32.exe 4208 Icgbob32.exe 916 Jegohe32.exe 4604 Jgjeppkp.exe 4440 Jabiie32.exe 3064 Jmijnfgd.exe 3844 Kffhakjp.exe 2120 Kallod32.exe 1324 Lfpkhjae.exe 2912 Lhogamih.exe 1604 Mehafq32.exe 4628 Meljappg.exe 3116 Mmjlkb32.exe 1400 Nolekd32.exe 2992 Nhdicjfp.exe 4132 Nkjlqd32.exe 4700 Philfgdh.exe 1232 Pbfjjlgc.exe 4284 Qhghge32.exe 3260 Afkipi32.exe 1440 Akogio32.exe 4224 Afdkfh32.exe 852 Bejhhd32.exe 2256 Bkfmjnii.exe 4668 Bpfcelml.exe 4892 Ceehcc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cdfgdf32.exe Cnmoglij.exe File created C:\Windows\SysWOW64\Nohlijfb.dll Ihlechfj.exe File created C:\Windows\SysWOW64\Efpofi32.exe Eofgioah.exe File opened for modification C:\Windows\SysWOW64\Flmqem32.exe Ffqhmf32.exe File created C:\Windows\SysWOW64\Qbfbhnnh.dll Hlbcgj32.exe File opened for modification C:\Windows\SysWOW64\Ilnbch32.exe Iedjfodg.exe File opened for modification C:\Windows\SysWOW64\Nkjckkcg.exe Napameoi.exe File opened for modification C:\Windows\SysWOW64\Dcmedk32.exe Dipgpf32.exe File created C:\Windows\SysWOW64\Njanjn32.dll Ebagdddp.exe File opened for modification C:\Windows\SysWOW64\Bpgjpb32.exe Bmddihfj.exe File created C:\Windows\SysWOW64\Nkpbpp32.exe Mabdlk32.exe File opened for modification C:\Windows\SysWOW64\Pehnboko.exe Ponfed32.exe File created C:\Windows\SysWOW64\Ghnikdhc.dll Kjjinp32.exe File created C:\Windows\SysWOW64\Hbeece32.exe Hlkmfkli.exe File opened for modification C:\Windows\SysWOW64\Hcgjhega.exe Hnhdjn32.exe File created C:\Windows\SysWOW64\Gkglcfec.exe Gekckpgl.exe File opened for modification C:\Windows\SysWOW64\Eaddcnad.exe Bodfkpfg.exe File created C:\Windows\SysWOW64\Ogoane32.dll Ahpmckpn.exe File opened for modification C:\Windows\SysWOW64\Ljfodd32.exe Liecmlno.exe File opened for modification C:\Windows\SysWOW64\Halaloif.exe Hqghqpnl.exe File opened for modification C:\Windows\SysWOW64\Phhpic32.exe Pejdmh32.exe File created C:\Windows\SysWOW64\Hagqiofj.dll Ggilbb32.exe File opened for modification C:\Windows\SysWOW64\Cejaobel.exe Cehdib32.exe File opened for modification C:\Windows\SysWOW64\Mceccbpj.exe Mjmokmji.exe File created C:\Windows\SysWOW64\Fmcjiagf.exe Ekmhnpfl.exe File opened for modification C:\Windows\SysWOW64\Hdjbcnjo.exe Hmpjfdcb.exe File created C:\Windows\SysWOW64\Gfgnnedj.exe Gmmmoppl.exe File opened for modification C:\Windows\SysWOW64\Kfimhkbo.exe Knnhdied.exe File created C:\Windows\SysWOW64\Gmjlfbjj.dll Kcpjgo32.exe File created C:\Windows\SysWOW64\Cgecpa32.exe Cdfgdf32.exe File opened for modification C:\Windows\SysWOW64\Gdcdlb32.exe Gofkckoe.exe File opened for modification C:\Windows\SysWOW64\Pgdodq32.exe Ppjghgdg.exe File created C:\Windows\SysWOW64\Mjodff32.exe Mqafbaap.exe File opened for modification C:\Windows\SysWOW64\Cmflkl32.exe Cbphncfo.exe File created C:\Windows\SysWOW64\Ljpdiidf.dll Mnfnfl32.exe File created C:\Windows\SysWOW64\Kjnjip32.dll Lckicnei.exe File created C:\Windows\SysWOW64\Mopoei32.dll Ikfgeh32.exe File created C:\Windows\SysWOW64\Mnaacjha.dll Ingpgcmj.exe File created C:\Windows\SysWOW64\Glebbpbd.exe Gkffhmka.exe File created C:\Windows\SysWOW64\Dcijke32.dll Miabik32.exe File created C:\Windows\SysWOW64\Igmifkhp.dll Oolgbpei.exe File opened for modification C:\Windows\SysWOW64\Dnkkcmdb.exe Dmjole32.exe File opened for modification C:\Windows\SysWOW64\Iblfgc32.exe Imonol32.exe File created C:\Windows\SysWOW64\Mpjpdpob.dll Igmgji32.exe File opened for modification C:\Windows\SysWOW64\Mepfbflb.exe Mnfnfl32.exe File created C:\Windows\SysWOW64\Bnhegp32.exe Blbodh32.exe File created C:\Windows\SysWOW64\Oboakhmo.exe Ogjmnomi.exe File created C:\Windows\SysWOW64\Fklcbocl.exe Ffpjihee.exe File created C:\Windows\SysWOW64\Fdfoblfp.dll Ocamcc32.exe File created C:\Windows\SysWOW64\Qajhigcj.exe Qpikao32.exe File created C:\Windows\SysWOW64\Mpdkol32.exe Mhncnodp.exe File created C:\Windows\SysWOW64\Hblaqjod.dll Qjiaak32.exe File opened for modification C:\Windows\SysWOW64\Alpboida.exe Aefjbo32.exe File opened for modification C:\Windows\SysWOW64\Jcjgeb32.exe Jmnomk32.exe File created C:\Windows\SysWOW64\Fooqlnoa.dll Kaopoj32.exe File created C:\Windows\SysWOW64\Fmenlgog.dll Hcgjhega.exe File created C:\Windows\SysWOW64\Ifjoma32.exe Ippgqg32.exe File created C:\Windows\SysWOW64\Cpbcpboc.dll Ippgqg32.exe File created C:\Windows\SysWOW64\Bipdoedg.dll Meqmmm32.exe File created C:\Windows\SysWOW64\Gkkoeo32.dll Gikdep32.exe File opened for modification C:\Windows\SysWOW64\Pbcelacq.exe Pehnboko.exe File created C:\Windows\SysWOW64\Ogajid32.exe Opfedb32.exe File opened for modification C:\Windows\SysWOW64\Obgofmjb.exe Ogajid32.exe File created C:\Windows\SysWOW64\Ecnnqk32.dll Qhghge32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpfcelml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdflaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jponca32.dll" Cdicje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdiobd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kakednfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qigefl32.dll" Dofpqfof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckkilhjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdlgkm32.dll" Pgnblm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dabeamma.dll" Cgecpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkaijl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjdjo32.dll" Aolbedeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebldam32.dll" Ecdkdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmcdolbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hplimpdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pejdmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjcllilo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqhmbqlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkkoeh32.dll" Njaakf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odqbdnod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pimmil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llpmhodc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eedkniob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehmnind.dll" Ebjckppa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhbqalle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqochl32.dll" Bimoecio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kppimogj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phhpic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blmamh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moakbk32.dll" Ojkepmqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcpieamc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgdodq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akoqjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eabjkdcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogajid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbhbdoa.dll" Alcofi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanhgdgm.dll" Glebbpbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idfilp32.dll" Iifodmak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmknkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Celgjlpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Addahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbinda32.dll" Oiagcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okleqm32.dll" Eelpqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alpmdo32.dll" Anaofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eofgioah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kleajegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdjbcnjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hphfac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donklfgn.dll" Aklciimh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgmpkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloilnih.dll" Oelhljaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcdkdpih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kieaqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poodicio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bchgnoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amdddkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lagekp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efccfojn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkfanqmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oondhocf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imfill32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjgneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjfffd32.dll" Ljglnmdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ollgiplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejegdngb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2620 wrote to memory of 5112 2620 NEAS.e6d7185802d9f54cac77e7f7cdf71f23_JC.exe 88 PID 2620 wrote to memory of 5112 2620 NEAS.e6d7185802d9f54cac77e7f7cdf71f23_JC.exe 88 PID 2620 wrote to memory of 5112 2620 NEAS.e6d7185802d9f54cac77e7f7cdf71f23_JC.exe 88 PID 5112 wrote to memory of 4720 5112 Fdbkja32.exe 89 PID 5112 wrote to memory of 4720 5112 Fdbkja32.exe 89 PID 5112 wrote to memory of 4720 5112 Fdbkja32.exe 89 PID 4720 wrote to memory of 5012 4720 Gbpnjdkg.exe 90 PID 4720 wrote to memory of 5012 4720 Gbpnjdkg.exe 90 PID 4720 wrote to memory of 5012 4720 Gbpnjdkg.exe 90 PID 5012 wrote to memory of 3764 5012 Gnfooe32.exe 91 PID 5012 wrote to memory of 3764 5012 Gnfooe32.exe 91 PID 5012 wrote to memory of 3764 5012 Gnfooe32.exe 91 PID 3764 wrote to memory of 4988 3764 Hqghqpnl.exe 92 PID 3764 wrote to memory of 4988 3764 Hqghqpnl.exe 92 PID 3764 wrote to memory of 4988 3764 Hqghqpnl.exe 92 PID 4988 wrote to memory of 4732 4988 Halaloif.exe 93 PID 4988 wrote to memory of 4732 4988 Halaloif.exe 93 PID 4988 wrote to memory of 4732 4988 Halaloif.exe 93 PID 4732 wrote to memory of 5004 4732 Hjfbjdnd.exe 94 PID 4732 wrote to memory of 5004 4732 Hjfbjdnd.exe 94 PID 4732 wrote to memory of 5004 4732 Hjfbjdnd.exe 94 PID 5004 wrote to memory of 3944 5004 Icachjbb.exe 95 PID 5004 wrote to memory of 3944 5004 Icachjbb.exe 95 PID 5004 wrote to memory of 3944 5004 Icachjbb.exe 95 PID 3944 wrote to memory of 224 3944 Infhebbh.exe 96 PID 3944 wrote to memory of 224 3944 Infhebbh.exe 96 PID 3944 wrote to memory of 224 3944 Infhebbh.exe 96 PID 224 wrote to memory of 3840 224 Jbijgp32.exe 97 PID 224 wrote to memory of 3840 224 Jbijgp32.exe 97 PID 224 wrote to memory of 3840 224 Jbijgp32.exe 97 PID 3840 wrote to memory of 2156 3840 Jdopjh32.exe 98 PID 3840 wrote to memory of 2156 3840 Jdopjh32.exe 98 PID 3840 wrote to memory of 2156 3840 Jdopjh32.exe 98 PID 2156 wrote to memory of 2864 2156 Kbeibo32.exe 99 PID 2156 wrote to memory of 2864 2156 Kbeibo32.exe 99 PID 2156 wrote to memory of 2864 2156 Kbeibo32.exe 99 PID 2864 wrote to memory of 1004 2864 Kaopoj32.exe 100 PID 2864 wrote to memory of 1004 2864 Kaopoj32.exe 100 PID 2864 wrote to memory of 1004 2864 Kaopoj32.exe 100 PID 1004 wrote to memory of 3420 1004 Logicn32.exe 101 PID 1004 wrote to memory of 3420 1004 Logicn32.exe 101 PID 1004 wrote to memory of 3420 1004 Logicn32.exe 101 PID 3420 wrote to memory of 1836 3420 Mcabej32.exe 102 PID 3420 wrote to memory of 1836 3420 Mcabej32.exe 102 PID 3420 wrote to memory of 1836 3420 Mcabej32.exe 102 PID 1836 wrote to memory of 5040 1836 Nkapelka.exe 103 PID 1836 wrote to memory of 5040 1836 Nkapelka.exe 103 PID 1836 wrote to memory of 5040 1836 Nkapelka.exe 103 PID 5040 wrote to memory of 4152 5040 Ndlacapp.exe 104 PID 5040 wrote to memory of 4152 5040 Ndlacapp.exe 104 PID 5040 wrote to memory of 4152 5040 Ndlacapp.exe 104 PID 4152 wrote to memory of 2232 4152 Napameoi.exe 106 PID 4152 wrote to memory of 2232 4152 Napameoi.exe 106 PID 4152 wrote to memory of 2232 4152 Napameoi.exe 106 PID 2232 wrote to memory of 1696 2232 Nkjckkcg.exe 107 PID 2232 wrote to memory of 1696 2232 Nkjckkcg.exe 107 PID 2232 wrote to memory of 1696 2232 Nkjckkcg.exe 107 PID 1696 wrote to memory of 2168 1696 Ofijnbkb.exe 109 PID 1696 wrote to memory of 2168 1696 Ofijnbkb.exe 109 PID 1696 wrote to memory of 2168 1696 Ofijnbkb.exe 109 PID 2168 wrote to memory of 2612 2168 Oflfdbip.exe 110 PID 2168 wrote to memory of 2612 2168 Oflfdbip.exe 110 PID 2168 wrote to memory of 2612 2168 Oflfdbip.exe 110 PID 2612 wrote to memory of 3620 2612 Qifbll32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.e6d7185802d9f54cac77e7f7cdf71f23_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.e6d7185802d9f54cac77e7f7cdf71f23_JC.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Fdbkja32.exeC:\Windows\system32\Fdbkja32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\Gbpnjdkg.exeC:\Windows\system32\Gbpnjdkg.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\Gnfooe32.exeC:\Windows\system32\Gnfooe32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Hqghqpnl.exeC:\Windows\system32\Hqghqpnl.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\SysWOW64\Halaloif.exeC:\Windows\system32\Halaloif.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Hjfbjdnd.exeC:\Windows\system32\Hjfbjdnd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Icachjbb.exeC:\Windows\system32\Icachjbb.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Infhebbh.exeC:\Windows\system32\Infhebbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Jbijgp32.exeC:\Windows\system32\Jbijgp32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Jdopjh32.exeC:\Windows\system32\Jdopjh32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\SysWOW64\Kbeibo32.exeC:\Windows\system32\Kbeibo32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Kaopoj32.exeC:\Windows\system32\Kaopoj32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Logicn32.exeC:\Windows\system32\Logicn32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Mcabej32.exeC:\Windows\system32\Mcabej32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Windows\SysWOW64\Nkapelka.exeC:\Windows\system32\Nkapelka.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Ndlacapp.exeC:\Windows\system32\Ndlacapp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Napameoi.exeC:\Windows\system32\Napameoi.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\SysWOW64\Nkjckkcg.exeC:\Windows\system32\Nkjckkcg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Ofijnbkb.exeC:\Windows\system32\Ofijnbkb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Oflfdbip.exeC:\Windows\system32\Oflfdbip.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Qifbll32.exeC:\Windows\system32\Qifbll32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Acppddig.exeC:\Windows\system32\Acppddig.exe23⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Bcicjbal.exeC:\Windows\system32\Bcicjbal.exe24⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Bmddihfj.exeC:\Windows\system32\Bmddihfj.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\Bpgjpb32.exeC:\Windows\system32\Bpgjpb32.exe26⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Cmpcdfll.exeC:\Windows\system32\Cmpcdfll.exe27⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Cekhihig.exeC:\Windows\system32\Cekhihig.exe28⤵
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\Dipgpf32.exeC:\Windows\system32\Dipgpf32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:496 -
C:\Windows\SysWOW64\Dcmedk32.exeC:\Windows\system32\Dcmedk32.exe30⤵
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Ecdkdj32.exeC:\Windows\system32\Ecdkdj32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3872 -
C:\Windows\SysWOW64\Flfbcndo.exeC:\Windows\system32\Flfbcndo.exe32⤵
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Fnglcqio.exeC:\Windows\system32\Fnglcqio.exe33⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Fgpplf32.exeC:\Windows\system32\Fgpplf32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Gphddlfp.exeC:\Windows\system32\Gphddlfp.exe35⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Gfgjbb32.exeC:\Windows\system32\Gfgjbb32.exe36⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Hnhdjn32.exeC:\Windows\system32\Hnhdjn32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1040 -
C:\Windows\SysWOW64\Hcgjhega.exeC:\Windows\system32\Hcgjhega.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Hgebnc32.exeC:\Windows\system32\Hgebnc32.exe39⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Ijmapm32.exeC:\Windows\system32\Ijmapm32.exe40⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Icgbob32.exeC:\Windows\system32\Icgbob32.exe41⤵
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\Jegohe32.exeC:\Windows\system32\Jegohe32.exe42⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Jgjeppkp.exeC:\Windows\system32\Jgjeppkp.exe43⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Jabiie32.exeC:\Windows\system32\Jabiie32.exe44⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Jmijnfgd.exeC:\Windows\system32\Jmijnfgd.exe45⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Kffhakjp.exeC:\Windows\system32\Kffhakjp.exe46⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\Kallod32.exeC:\Windows\system32\Kallod32.exe47⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Lfpkhjae.exeC:\Windows\system32\Lfpkhjae.exe48⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Lhogamih.exeC:\Windows\system32\Lhogamih.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Mehafq32.exeC:\Windows\system32\Mehafq32.exe50⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Meljappg.exeC:\Windows\system32\Meljappg.exe51⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Mmjlkb32.exeC:\Windows\system32\Mmjlkb32.exe52⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Nolekd32.exeC:\Windows\system32\Nolekd32.exe53⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Nhdicjfp.exeC:\Windows\system32\Nhdicjfp.exe54⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Nkjlqd32.exeC:\Windows\system32\Nkjlqd32.exe55⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Philfgdh.exeC:\Windows\system32\Philfgdh.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Pbfjjlgc.exeC:\Windows\system32\Pbfjjlgc.exe57⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Qhghge32.exeC:\Windows\system32\Qhghge32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4284 -
C:\Windows\SysWOW64\Afkipi32.exeC:\Windows\system32\Afkipi32.exe59⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Akogio32.exeC:\Windows\system32\Akogio32.exe60⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Afdkfh32.exeC:\Windows\system32\Afdkfh32.exe61⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Bejhhd32.exeC:\Windows\system32\Bejhhd32.exe62⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Bkfmjnii.exeC:\Windows\system32\Bkfmjnii.exe63⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Bpfcelml.exeC:\Windows\system32\Bpfcelml.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:4668 -
C:\Windows\SysWOW64\Ceehcc32.exeC:\Windows\system32\Ceehcc32.exe65⤵
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Cehdib32.exeC:\Windows\system32\Cehdib32.exe66⤵
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Cejaobel.exeC:\Windows\system32\Cejaobel.exe67⤵PID:1744
-
C:\Windows\SysWOW64\Dlicflic.exeC:\Windows\system32\Dlicflic.exe68⤵PID:5024
-
C:\Windows\SysWOW64\Dhbqalle.exeC:\Windows\system32\Dhbqalle.exe69⤵
- Modifies registry class
PID:3380 -
C:\Windows\SysWOW64\Dbjade32.exeC:\Windows\system32\Dbjade32.exe70⤵PID:2504
-
C:\Windows\SysWOW64\Epbkhhel.exeC:\Windows\system32\Epbkhhel.exe71⤵PID:1756
-
C:\Windows\SysWOW64\Ebagdddp.exeC:\Windows\system32\Ebagdddp.exe72⤵
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Ehnpmkbg.exeC:\Windows\system32\Ehnpmkbg.exe73⤵PID:4360
-
C:\Windows\SysWOW64\Eeaqfo32.exeC:\Windows\system32\Eeaqfo32.exe74⤵PID:3548
-
C:\Windows\SysWOW64\Fplnogmb.exeC:\Windows\system32\Fplnogmb.exe75⤵PID:776
-
C:\Windows\SysWOW64\Fhllni32.exeC:\Windows\system32\Fhllni32.exe76⤵PID:4900
-
C:\Windows\SysWOW64\Fpcdof32.exeC:\Windows\system32\Fpcdof32.exe77⤵PID:4268
-
C:\Windows\SysWOW64\Fikihlmj.exeC:\Windows\system32\Fikihlmj.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4300 -
C:\Windows\SysWOW64\Gohapb32.exeC:\Windows\system32\Gohapb32.exe79⤵PID:4112
-
C:\Windows\SysWOW64\Gllajf32.exeC:\Windows\system32\Gllajf32.exe80⤵PID:2380
-
C:\Windows\SysWOW64\Googaaej.exeC:\Windows\system32\Googaaej.exe81⤵PID:4712
-
C:\Windows\SysWOW64\Hphfac32.exeC:\Windows\system32\Hphfac32.exe82⤵
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Ioppho32.exeC:\Windows\system32\Ioppho32.exe83⤵PID:3164
-
C:\Windows\SysWOW64\Icbbimih.exeC:\Windows\system32\Icbbimih.exe84⤵PID:4708
-
C:\Windows\SysWOW64\Jonlimkg.exeC:\Windows\system32\Jonlimkg.exe85⤵PID:2208
-
C:\Windows\SysWOW64\Jjjggede.exeC:\Windows\system32\Jjjggede.exe86⤵PID:2648
-
C:\Windows\SysWOW64\Kakednfj.exeC:\Windows\system32\Kakednfj.exe87⤵
- Modifies registry class
PID:5000 -
C:\Windows\SysWOW64\Kgemahmg.exeC:\Windows\system32\Kgemahmg.exe88⤵PID:3196
-
C:\Windows\SysWOW64\Lfaqcclf.exeC:\Windows\system32\Lfaqcclf.exe89⤵PID:1988
-
C:\Windows\SysWOW64\Lmneemaq.exeC:\Windows\system32\Lmneemaq.exe90⤵PID:1228
-
C:\Windows\SysWOW64\Mhjpceko.exeC:\Windows\system32\Mhjpceko.exe91⤵PID:4456
-
C:\Windows\SysWOW64\Mabdlk32.exeC:\Windows\system32\Mabdlk32.exe92⤵
- Drops file in System32 directory
PID:4672 -
C:\Windows\SysWOW64\Nkpbpp32.exeC:\Windows\system32\Nkpbpp32.exe93⤵PID:4872
-
C:\Windows\SysWOW64\Nandhi32.exeC:\Windows\system32\Nandhi32.exe94⤵PID:1672
-
C:\Windows\SysWOW64\Naqqmieo.exeC:\Windows\system32\Naqqmieo.exe95⤵PID:1752
-
C:\Windows\SysWOW64\Opfnne32.exeC:\Windows\system32\Opfnne32.exe96⤵PID:5136
-
C:\Windows\SysWOW64\Oahgnh32.exeC:\Windows\system32\Oahgnh32.exe97⤵PID:5180
-
C:\Windows\SysWOW64\Okpkgm32.exeC:\Windows\system32\Okpkgm32.exe98⤵PID:5224
-
C:\Windows\SysWOW64\Odhppclh.exeC:\Windows\system32\Odhppclh.exe99⤵PID:5268
-
C:\Windows\SysWOW64\Ppdjpcng.exeC:\Windows\system32\Ppdjpcng.exe100⤵PID:5308
-
C:\Windows\SysWOW64\Pgnblm32.exeC:\Windows\system32\Pgnblm32.exe101⤵
- Modifies registry class
PID:5356 -
C:\Windows\SysWOW64\Qdflaa32.exeC:\Windows\system32\Qdflaa32.exe102⤵
- Modifies registry class
PID:5400 -
C:\Windows\SysWOW64\Qjeaog32.exeC:\Windows\system32\Qjeaog32.exe103⤵PID:5444
-
C:\Windows\SysWOW64\Aqfolqna.exeC:\Windows\system32\Aqfolqna.exe104⤵PID:5484
-
C:\Windows\SysWOW64\Aklciimh.exeC:\Windows\system32\Aklciimh.exe105⤵
- Modifies registry class
PID:5528 -
C:\Windows\SysWOW64\Abflfc32.exeC:\Windows\system32\Abflfc32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5584 -
C:\Windows\SysWOW64\Bkcjjhgp.exeC:\Windows\system32\Bkcjjhgp.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5624 -
C:\Windows\SysWOW64\Bbmbgb32.exeC:\Windows\system32\Bbmbgb32.exe108⤵PID:5668
-
C:\Windows\SysWOW64\Bhgjcmfi.exeC:\Windows\system32\Bhgjcmfi.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5716 -
C:\Windows\SysWOW64\Cqghcn32.exeC:\Windows\system32\Cqghcn32.exe110⤵PID:5752
-
C:\Windows\SysWOW64\Cnkilbni.exeC:\Windows\system32\Cnkilbni.exe111⤵PID:5804
-
C:\Windows\SysWOW64\Ckcbaf32.exeC:\Windows\system32\Ckcbaf32.exe112⤵PID:5848
-
C:\Windows\SysWOW64\Celgjlpn.exeC:\Windows\system32\Celgjlpn.exe113⤵
- Modifies registry class
PID:5892 -
C:\Windows\SysWOW64\Dndlba32.exeC:\Windows\system32\Dndlba32.exe114⤵PID:5932
-
C:\Windows\SysWOW64\Dendok32.exeC:\Windows\system32\Dendok32.exe115⤵PID:5980
-
C:\Windows\SysWOW64\Dgmpkg32.exeC:\Windows\system32\Dgmpkg32.exe116⤵
- Modifies registry class
PID:6024 -
C:\Windows\SysWOW64\Deqqek32.exeC:\Windows\system32\Deqqek32.exe117⤵PID:6068
-
C:\Windows\SysWOW64\Ejglcq32.exeC:\Windows\system32\Ejglcq32.exe118⤵PID:6104
-
C:\Windows\SysWOW64\Eelpqi32.exeC:\Windows\system32\Eelpqi32.exe119⤵
- Modifies registry class
PID:4160 -
C:\Windows\SysWOW64\Elfhmc32.exeC:\Windows\system32\Elfhmc32.exe120⤵PID:5200
-
C:\Windows\SysWOW64\Ficlmf32.exeC:\Windows\system32\Ficlmf32.exe121⤵PID:3052
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-