Analysis
-
max time kernel
116s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
14-10-2023 12:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.0f77b55bdfb348769d63b6f899e9bf10_JC.exe
Resource
win7-20230831-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.0f77b55bdfb348769d63b6f899e9bf10_JC.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.0f77b55bdfb348769d63b6f899e9bf10_JC.exe
-
Size
272KB
-
MD5
0f77b55bdfb348769d63b6f899e9bf10
-
SHA1
a97138fec0c3348802ae4c30bf17f23e69309c8c
-
SHA256
6b77725179ef9f0c11b5aacb087401e86f39a5a9a677fbee3555747e7527856a
-
SHA512
8ae9024db0f2189cb9850bb5201b2a51bf14752e665efe22a9cfbfd8d0ebef06632d43548012e60c0977f7d1c6ce0cfe1a9e8bd46f44edba0713c1368fc711e9
-
SSDEEP
6144:kb9XKByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6Mxv5R:kx6ByvNv54B9f01ZmHByvNv5
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlialb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfgjcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khkbcopl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjnjjlog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iojgkbib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jhijjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajbmmcii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkbomgde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knlbipjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iefnjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qojeabie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mojhphij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpmgph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgngkmkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjnmib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkbomgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Meepne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpfkna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ikagpcof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgkeep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjfngi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlflog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njdeklca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qemhlp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejfeij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gamjea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgjggkqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffjignde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdafg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbfjljhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gofkckoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gamjea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fajnoabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odooqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eljcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eiobbgcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kddpnpdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpkbohhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aqijdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ighhed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jqhaolli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbpacmbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnlcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kifcnjpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbneij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Poaqocgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjejdglp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjdjhgdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkghqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hllcfnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mnggnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkllghoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ikjapden.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjdjhgdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmjdaoni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Babmjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfogohpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgngkmkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkomgkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgfojd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epkpdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkfnnjnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdnkhoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nameql32.exe -
Executes dropped EXE 64 IoCs
pid Process 2820 Mphamg32.exe 976 Nkghqo32.exe 1992 Oiqomj32.exe 2800 Onqdhh32.exe 2044 Pkgaglpp.exe 3880 Pacfjfej.exe 2840 Pphckb32.exe 3160 Pnlcdg32.exe 4624 Qkcackeb.exe 4324 Ahgamo32.exe 1484 Bnoiqd32.exe 3332 Bjfjee32.exe 3276 Bhgjcmfi.exe 3984 Bndblcdq.exe 584 Cebdcmhh.exe 1812 Ciefek32.exe 1292 Cgjcfgoa.exe 1444 Dnghhqdk.exe 2540 Djbbhafj.exe 3948 Eangjkkd.exe 4128 Eeomfioh.exe 4196 Eiobbgcl.exe 3736 Falcli32.exe 3288 Flbhia32.exe 3760 Gogjflhf.exe 4144 Ghbkdald.exe 2120 Gehice32.exe 4772 Gkeakl32.exe 4180 Hcabhido.exe 2460 Hllcfnhm.exe 2440 Ikejbjip.exe 4544 Ileflmpb.exe 2524 Ikmpcicg.exe 2988 Jhqqlmba.exe 4252 Jhjcbljf.exe 3632 Kofheeoq.exe 2244 Kmjinjnj.exe 5004 Kjnihnmd.exe 1320 Kcfnqccd.exe 4444 Kkabefqp.exe 1016 Kifcnjpi.exe 4148 Lbnggpfj.exe 3352 Lobhqdec.exe 4912 Lpdefc32.exe 3036 Lmkbeg32.exe 2368 Ljoboloa.exe 2672 Mpkkgbmi.exe 4336 Mldhacpj.exe 3516 Mihikgod.exe 2836 Mpbaga32.exe 4044 Mlialb32.exe 3256 Nfabok32.exe 1276 Nmmgae32.exe 3860 Npnqcpmc.exe 4552 Nmbamdkm.exe 2148 Ofooqinh.exe 4716 Ojmgggdo.exe 2640 Plcmiofg.exe 2372 Pmbjcb32.exe 4368 Ppccemjk.exe 1736 Pkkdhe32.exe 3848 Adjnaj32.exe 3268 Admkgifd.exe 2976 Ajjcoqdl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Popbqhhf.dll Agglld32.exe File created C:\Windows\SysWOW64\Nbnmmaoj.dll Hnodkjhq.exe File created C:\Windows\SysWOW64\Ghbkdald.exe Gogjflhf.exe File opened for modification C:\Windows\SysWOW64\Fokbbcmo.exe Fjnjjlog.exe File created C:\Windows\SysWOW64\Lobogqeq.dll Jklpakam.exe File created C:\Windows\SysWOW64\Enigek32.exe Eodjdocj.exe File created C:\Windows\SysWOW64\Qipjokik.exe Qojeabie.exe File created C:\Windows\SysWOW64\Cfdbblqn.dll Fjnjjlog.exe File created C:\Windows\SysWOW64\Ekhjgoga.exe Echkgnnl.exe File opened for modification C:\Windows\SysWOW64\Gacjkjgb.exe Gneaelqk.exe File created C:\Windows\SysWOW64\Gdphod32.dll Jnfcbg32.exe File created C:\Windows\SysWOW64\Bnblognf.dll Djjemlhf.exe File opened for modification C:\Windows\SysWOW64\Ncgkma32.exe Ncenga32.exe File created C:\Windows\SysWOW64\Aoleqi32.dll Fcanmlea.exe File opened for modification C:\Windows\SysWOW64\Ddmaia32.exe Dmcilgco.exe File created C:\Windows\SysWOW64\Ndajcnag.dll Gfcgpkhk.exe File created C:\Windows\SysWOW64\Ighhed32.exe Ikagpcof.exe File created C:\Windows\SysWOW64\Ndcoeq32.exe Nnfgmjfb.exe File opened for modification C:\Windows\SysWOW64\Bdmpljlj.exe Bhfogiff.exe File created C:\Windows\SysWOW64\Glhabiom.dll Ighhed32.exe File created C:\Windows\SysWOW64\Pknqhh32.exe Peahpa32.exe File created C:\Windows\SysWOW64\Aljldk32.dll Onqdhh32.exe File created C:\Windows\SysWOW64\Fkgeam32.dll Pacfjfej.exe File created C:\Windows\SysWOW64\Fokbbcmo.exe Fjnjjlog.exe File opened for modification C:\Windows\SysWOW64\Iohjebkd.exe Ihnbih32.exe File opened for modification C:\Windows\SysWOW64\Inmplh32.exe Ijlkqj32.exe File created C:\Windows\SysWOW64\Jjfngi32.exe Ibjibg32.exe File opened for modification C:\Windows\SysWOW64\Dblgja32.exe Dkbomgde.exe File opened for modification C:\Windows\SysWOW64\Ndcoeq32.exe Nnfgmjfb.exe File opened for modification C:\Windows\SysWOW64\Qbhnga32.exe Qipjokik.exe File created C:\Windows\SysWOW64\Kipibaoi.dll Ojhijjll.exe File created C:\Windows\SysWOW64\Qebpipij.exe Qnihlf32.exe File created C:\Windows\SysWOW64\Dchnan32.dll Donlkjng.exe File opened for modification C:\Windows\SysWOW64\Cpbbln32.exe Cjejdglp.exe File created C:\Windows\SysWOW64\Pecefa32.exe Pknqhh32.exe File opened for modification C:\Windows\SysWOW64\Jdgjgh32.exe Jojboa32.exe File opened for modification C:\Windows\SysWOW64\Eqopqh32.exe Dfbebpdq.exe File created C:\Windows\SysWOW64\Qbapebjm.dll Bbemdb32.exe File opened for modification C:\Windows\SysWOW64\Jncfmgfi.exe Jhgneqha.exe File created C:\Windows\SysWOW64\Pkgaglpp.exe Onqdhh32.exe File created C:\Windows\SysWOW64\Amcpkpmh.dll Nliakd32.exe File created C:\Windows\SysWOW64\Jcihcbcl.dll Eangjkkd.exe File created C:\Windows\SysWOW64\Cfpfqiha.exe Bjielh32.exe File created C:\Windows\SysWOW64\Cjjlep32.exe Cbphncfo.exe File created C:\Windows\SysWOW64\Fnacfp32.exe Fclohg32.exe File created C:\Windows\SysWOW64\Pbmnlf32.exe Pghiomqi.exe File created C:\Windows\SysWOW64\Idebniil.exe Iohjebkd.exe File created C:\Windows\SysWOW64\Illiee32.dll Jhgneqha.exe File opened for modification C:\Windows\SysWOW64\Oopjchnh.exe Odjeepna.exe File created C:\Windows\SysWOW64\Mnggnh32.exe Mbpfig32.exe File created C:\Windows\SysWOW64\Paifqemd.dll Aonokdce.exe File opened for modification C:\Windows\SysWOW64\Epmmjnkp.exe Ebimqi32.exe File created C:\Windows\SysWOW64\Dafkoa32.dll Jklihbol.exe File created C:\Windows\SysWOW64\Ofocia32.dll Qojeabie.exe File created C:\Windows\SysWOW64\Ohfpng32.dll Ageofe32.exe File opened for modification C:\Windows\SysWOW64\Lklbnb32.exe Ljmfdp32.exe File opened for modification C:\Windows\SysWOW64\Glkdejcd.exe Glhgojef.exe File created C:\Windows\SysWOW64\Ljmfdp32.exe Lcbngeqo.exe File opened for modification C:\Windows\SysWOW64\Gechnpid.exe Glkdejcd.exe File opened for modification C:\Windows\SysWOW64\Khpcid32.exe Kbfjljhf.exe File created C:\Windows\SysWOW64\Glgediop.dll Cpfkna32.exe File created C:\Windows\SysWOW64\Ndpafe32.exe Ncpelbap.exe File created C:\Windows\SysWOW64\Elncjc32.exe Eceoanpo.exe File opened for modification C:\Windows\SysWOW64\Mhbmin32.exe Mojhphij.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8544 9136 Process not Found 1148 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cflofl32.dll" Njdeklca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nnfgmjfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oefamoma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipfkga32.dll" Eceoanpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkdbik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccbqnakn.dll" Gamjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcfeablh.dll" Igkkdigp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fagjolao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lgglnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadjbbmp.dll" Ebimqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ngpcmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gekckpgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgdee32.dll" Hkhdjdgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bjaqih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfjgjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mihikgod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmamo32.dll" Kklkej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Igneng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fodobp32.dll" Fmbflm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Glgjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eehnnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gloecbaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jngjmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ahjoljqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cebdcmhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mldhacpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjdjhgdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gjebbfni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmefomdo.dll" Pnlcdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eplgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qkcackeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knhbflbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mphamg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lkchpoka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kghjakbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Deokhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfhjefhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oleiga32.dll" Cofemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Glgjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopkoobi.dll" Dnghhqdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fnacfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ipjoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiilph32.dll" Ceihffad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gpmgph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iemdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecopk32.dll" Qmnbej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iefnjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfddoq32.dll" Oefamoma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ijlkqj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lmeapbpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjfngi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbpkdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcdqnmmm.dll" Flbhia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcccjf32.dll" Eckfaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpanmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fckhnaab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hnagkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pebfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aomipkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofocia32.dll" Qojeabie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qlmhfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hnagkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajbmmcii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Flbhia32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3784 wrote to memory of 2820 3784 NEAS.0f77b55bdfb348769d63b6f899e9bf10_JC.exe 89 PID 3784 wrote to memory of 2820 3784 NEAS.0f77b55bdfb348769d63b6f899e9bf10_JC.exe 89 PID 3784 wrote to memory of 2820 3784 NEAS.0f77b55bdfb348769d63b6f899e9bf10_JC.exe 89 PID 2820 wrote to memory of 976 2820 Mphamg32.exe 91 PID 2820 wrote to memory of 976 2820 Mphamg32.exe 91 PID 2820 wrote to memory of 976 2820 Mphamg32.exe 91 PID 976 wrote to memory of 1992 976 Nkghqo32.exe 92 PID 976 wrote to memory of 1992 976 Nkghqo32.exe 92 PID 976 wrote to memory of 1992 976 Nkghqo32.exe 92 PID 1992 wrote to memory of 2800 1992 Oiqomj32.exe 93 PID 1992 wrote to memory of 2800 1992 Oiqomj32.exe 93 PID 1992 wrote to memory of 2800 1992 Oiqomj32.exe 93 PID 2800 wrote to memory of 2044 2800 Onqdhh32.exe 94 PID 2800 wrote to memory of 2044 2800 Onqdhh32.exe 94 PID 2800 wrote to memory of 2044 2800 Onqdhh32.exe 94 PID 2044 wrote to memory of 3880 2044 Pkgaglpp.exe 95 PID 2044 wrote to memory of 3880 2044 Pkgaglpp.exe 95 PID 2044 wrote to memory of 3880 2044 Pkgaglpp.exe 95 PID 3880 wrote to memory of 2840 3880 Pacfjfej.exe 96 PID 3880 wrote to memory of 2840 3880 Pacfjfej.exe 96 PID 3880 wrote to memory of 2840 3880 Pacfjfej.exe 96 PID 2840 wrote to memory of 3160 2840 Pphckb32.exe 97 PID 2840 wrote to memory of 3160 2840 Pphckb32.exe 97 PID 2840 wrote to memory of 3160 2840 Pphckb32.exe 97 PID 3160 wrote to memory of 4624 3160 Pnlcdg32.exe 98 PID 3160 wrote to memory of 4624 3160 Pnlcdg32.exe 98 PID 3160 wrote to memory of 4624 3160 Pnlcdg32.exe 98 PID 4624 wrote to memory of 4324 4624 Qkcackeb.exe 99 PID 4624 wrote to memory of 4324 4624 Qkcackeb.exe 99 PID 4624 wrote to memory of 4324 4624 Qkcackeb.exe 99 PID 4324 wrote to memory of 1484 4324 Ahgamo32.exe 100 PID 4324 wrote to memory of 1484 4324 Ahgamo32.exe 100 PID 4324 wrote to memory of 1484 4324 Ahgamo32.exe 100 PID 1484 wrote to memory of 3332 1484 Bnoiqd32.exe 101 PID 1484 wrote to memory of 3332 1484 Bnoiqd32.exe 101 PID 1484 wrote to memory of 3332 1484 Bnoiqd32.exe 101 PID 3332 wrote to memory of 3276 3332 Bjfjee32.exe 102 PID 3332 wrote to memory of 3276 3332 Bjfjee32.exe 102 PID 3332 wrote to memory of 3276 3332 Bjfjee32.exe 102 PID 3276 wrote to memory of 3984 3276 Bhgjcmfi.exe 103 PID 3276 wrote to memory of 3984 3276 Bhgjcmfi.exe 103 PID 3276 wrote to memory of 3984 3276 Bhgjcmfi.exe 103 PID 3984 wrote to memory of 584 3984 Bndblcdq.exe 104 PID 3984 wrote to memory of 584 3984 Bndblcdq.exe 104 PID 3984 wrote to memory of 584 3984 Bndblcdq.exe 104 PID 584 wrote to memory of 1812 584 Cebdcmhh.exe 105 PID 584 wrote to memory of 1812 584 Cebdcmhh.exe 105 PID 584 wrote to memory of 1812 584 Cebdcmhh.exe 105 PID 1812 wrote to memory of 1292 1812 Ciefek32.exe 106 PID 1812 wrote to memory of 1292 1812 Ciefek32.exe 106 PID 1812 wrote to memory of 1292 1812 Ciefek32.exe 106 PID 1292 wrote to memory of 1444 1292 Cgjcfgoa.exe 107 PID 1292 wrote to memory of 1444 1292 Cgjcfgoa.exe 107 PID 1292 wrote to memory of 1444 1292 Cgjcfgoa.exe 107 PID 1444 wrote to memory of 2540 1444 Dnghhqdk.exe 108 PID 1444 wrote to memory of 2540 1444 Dnghhqdk.exe 108 PID 1444 wrote to memory of 2540 1444 Dnghhqdk.exe 108 PID 2540 wrote to memory of 3948 2540 Djbbhafj.exe 109 PID 2540 wrote to memory of 3948 2540 Djbbhafj.exe 109 PID 2540 wrote to memory of 3948 2540 Djbbhafj.exe 109 PID 3948 wrote to memory of 4128 3948 Eangjkkd.exe 110 PID 3948 wrote to memory of 4128 3948 Eangjkkd.exe 110 PID 3948 wrote to memory of 4128 3948 Eangjkkd.exe 110 PID 4128 wrote to memory of 4196 4128 Eeomfioh.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.0f77b55bdfb348769d63b6f899e9bf10_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.0f77b55bdfb348769d63b6f899e9bf10_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\Mphamg32.exeC:\Windows\system32\Mphamg32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Nkghqo32.exeC:\Windows\system32\Nkghqo32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Oiqomj32.exeC:\Windows\system32\Oiqomj32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Onqdhh32.exeC:\Windows\system32\Onqdhh32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Pkgaglpp.exeC:\Windows\system32\Pkgaglpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Pacfjfej.exeC:\Windows\system32\Pacfjfej.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Windows\SysWOW64\Pphckb32.exeC:\Windows\system32\Pphckb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Pnlcdg32.exeC:\Windows\system32\Pnlcdg32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Qkcackeb.exeC:\Windows\system32\Qkcackeb.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\Ahgamo32.exeC:\Windows\system32\Ahgamo32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\Bnoiqd32.exeC:\Windows\system32\Bnoiqd32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Bjfjee32.exeC:\Windows\system32\Bjfjee32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\Bhgjcmfi.exeC:\Windows\system32\Bhgjcmfi.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Bndblcdq.exeC:\Windows\system32\Bndblcdq.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\SysWOW64\Cebdcmhh.exeC:\Windows\system32\Cebdcmhh.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Ciefek32.exeC:\Windows\system32\Ciefek32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Cgjcfgoa.exeC:\Windows\system32\Cgjcfgoa.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Dnghhqdk.exeC:\Windows\system32\Dnghhqdk.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Djbbhafj.exeC:\Windows\system32\Djbbhafj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Eangjkkd.exeC:\Windows\system32\Eangjkkd.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Eeomfioh.exeC:\Windows\system32\Eeomfioh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Eiobbgcl.exeC:\Windows\system32\Eiobbgcl.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\Falcli32.exeC:\Windows\system32\Falcli32.exe24⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Flbhia32.exeC:\Windows\system32\Flbhia32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:3288 -
C:\Windows\SysWOW64\Gogjflhf.exeC:\Windows\system32\Gogjflhf.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3760 -
C:\Windows\SysWOW64\Ghbkdald.exeC:\Windows\system32\Ghbkdald.exe27⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Gehice32.exeC:\Windows\system32\Gehice32.exe28⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Gkeakl32.exeC:\Windows\system32\Gkeakl32.exe29⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Hcabhido.exeC:\Windows\system32\Hcabhido.exe30⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Hllcfnhm.exeC:\Windows\system32\Hllcfnhm.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Ikejbjip.exeC:\Windows\system32\Ikejbjip.exe32⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Ileflmpb.exeC:\Windows\system32\Ileflmpb.exe33⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Ikmpcicg.exeC:\Windows\system32\Ikmpcicg.exe34⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Jhqqlmba.exeC:\Windows\system32\Jhqqlmba.exe35⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Jhjcbljf.exeC:\Windows\system32\Jhjcbljf.exe36⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Kofheeoq.exeC:\Windows\system32\Kofheeoq.exe37⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Kmjinjnj.exeC:\Windows\system32\Kmjinjnj.exe38⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Kjnihnmd.exeC:\Windows\system32\Kjnihnmd.exe39⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Kcfnqccd.exeC:\Windows\system32\Kcfnqccd.exe40⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Kkabefqp.exeC:\Windows\system32\Kkabefqp.exe41⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Kifcnjpi.exeC:\Windows\system32\Kifcnjpi.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Lbnggpfj.exeC:\Windows\system32\Lbnggpfj.exe43⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Lobhqdec.exeC:\Windows\system32\Lobhqdec.exe44⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Lpdefc32.exeC:\Windows\system32\Lpdefc32.exe45⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Lmkbeg32.exeC:\Windows\system32\Lmkbeg32.exe46⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Ljoboloa.exeC:\Windows\system32\Ljoboloa.exe47⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Mpkkgbmi.exeC:\Windows\system32\Mpkkgbmi.exe48⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Mldhacpj.exeC:\Windows\system32\Mldhacpj.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:4336 -
C:\Windows\SysWOW64\Mihikgod.exeC:\Windows\system32\Mihikgod.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3516 -
C:\Windows\SysWOW64\Mpbaga32.exeC:\Windows\system32\Mpbaga32.exe51⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Mlialb32.exeC:\Windows\system32\Mlialb32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Nfabok32.exeC:\Windows\system32\Nfabok32.exe53⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Nmmgae32.exeC:\Windows\system32\Nmmgae32.exe54⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Npnqcpmc.exeC:\Windows\system32\Npnqcpmc.exe55⤵
- Executes dropped EXE
PID:3860 -
C:\Windows\SysWOW64\Nmbamdkm.exeC:\Windows\system32\Nmbamdkm.exe56⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Ofooqinh.exeC:\Windows\system32\Ofooqinh.exe57⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Ojmgggdo.exeC:\Windows\system32\Ojmgggdo.exe58⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Plcmiofg.exeC:\Windows\system32\Plcmiofg.exe59⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Pmbjcb32.exeC:\Windows\system32\Pmbjcb32.exe60⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Ppccemjk.exeC:\Windows\system32\Ppccemjk.exe61⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Pkkdhe32.exeC:\Windows\system32\Pkkdhe32.exe62⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Adjnaj32.exeC:\Windows\system32\Adjnaj32.exe63⤵
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Admkgifd.exeC:\Windows\system32\Admkgifd.exe64⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Ajjcoqdl.exeC:\Windows\system32\Ajjcoqdl.exe65⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Angleokb.exeC:\Windows\system32\Angleokb.exe66⤵PID:3856
-
C:\Windows\SysWOW64\Almifk32.exeC:\Windows\system32\Almifk32.exe67⤵PID:1896
-
C:\Windows\SysWOW64\Bknidbhi.exeC:\Windows\system32\Bknidbhi.exe68⤵PID:4244
-
C:\Windows\SysWOW64\Bdfnmhnj.exeC:\Windows\system32\Bdfnmhnj.exe69⤵PID:4380
-
C:\Windows\SysWOW64\Bckknd32.exeC:\Windows\system32\Bckknd32.exe70⤵PID:1340
-
C:\Windows\SysWOW64\Bldogjib.exeC:\Windows\system32\Bldogjib.exe71⤵PID:5000
-
C:\Windows\SysWOW64\Bkglkapo.exeC:\Windows\system32\Bkglkapo.exe72⤵PID:568
-
C:\Windows\SysWOW64\Cddjofbj.exeC:\Windows\system32\Cddjofbj.exe73⤵PID:4692
-
C:\Windows\SysWOW64\Cqkkcghn.exeC:\Windows\system32\Cqkkcghn.exe74⤵PID:4204
-
C:\Windows\SysWOW64\Cnokmkfh.exeC:\Windows\system32\Cnokmkfh.exe75⤵PID:1720
-
C:\Windows\SysWOW64\Ccldebeo.exeC:\Windows\system32\Ccldebeo.exe76⤵PID:4928
-
C:\Windows\SysWOW64\Ddkpoelb.exeC:\Windows\system32\Ddkpoelb.exe77⤵PID:5084
-
C:\Windows\SysWOW64\Dqbadf32.exeC:\Windows\system32\Dqbadf32.exe78⤵PID:3868
-
C:\Windows\SysWOW64\Djjemlhf.exeC:\Windows\system32\Djjemlhf.exe79⤵
- Drops file in System32 directory
PID:4904 -
C:\Windows\SysWOW64\Dmknog32.exeC:\Windows\system32\Dmknog32.exe80⤵PID:4300
-
C:\Windows\SysWOW64\Debfpd32.exeC:\Windows\system32\Debfpd32.exe81⤵PID:4540
-
C:\Windows\SysWOW64\Dgcoaock.exeC:\Windows\system32\Dgcoaock.exe82⤵PID:3388
-
C:\Windows\SysWOW64\Eanqpdgi.exeC:\Windows\system32\Eanqpdgi.exe83⤵PID:4476
-
C:\Windows\SysWOW64\Ejfeij32.exeC:\Windows\system32\Ejfeij32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3652 -
C:\Windows\SysWOW64\Ekeacmel.exeC:\Windows\system32\Ekeacmel.exe85⤵PID:4260
-
C:\Windows\SysWOW64\Ecafgo32.exeC:\Windows\system32\Ecafgo32.exe86⤵PID:4200
-
C:\Windows\SysWOW64\Eepbabjj.exeC:\Windows\system32\Eepbabjj.exe87⤵PID:3740
-
C:\Windows\SysWOW64\Fnmqegle.exeC:\Windows\system32\Fnmqegle.exe88⤵PID:3896
-
C:\Windows\SysWOW64\Fmbnfcam.exeC:\Windows\system32\Fmbnfcam.exe89⤵PID:2436
-
C:\Windows\SysWOW64\Flcndk32.exeC:\Windows\system32\Flcndk32.exe90⤵PID:1188
-
C:\Windows\SysWOW64\Fndgfffm.exeC:\Windows\system32\Fndgfffm.exe91⤵PID:456
-
C:\Windows\SysWOW64\Glhgojef.exeC:\Windows\system32\Glhgojef.exe92⤵
- Drops file in System32 directory
PID:3748 -
C:\Windows\SysWOW64\Glkdejcd.exeC:\Windows\system32\Glkdejcd.exe93⤵
- Drops file in System32 directory
PID:4528 -
C:\Windows\SysWOW64\Gechnpid.exeC:\Windows\system32\Gechnpid.exe94⤵PID:5132
-
C:\Windows\SysWOW64\Gajibq32.exeC:\Windows\system32\Gajibq32.exe95⤵PID:5176
-
C:\Windows\SysWOW64\Heohinog.exeC:\Windows\system32\Heohinog.exe96⤵PID:5224
-
C:\Windows\SysWOW64\Haeino32.exeC:\Windows\system32\Haeino32.exe97⤵PID:5268
-
C:\Windows\SysWOW64\Iefnjm32.exeC:\Windows\system32\Iefnjm32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5304 -
C:\Windows\SysWOW64\Ikbfbdgf.exeC:\Windows\system32\Ikbfbdgf.exe99⤵PID:5356
-
C:\Windows\SysWOW64\Iaokdn32.exeC:\Windows\system32\Iaokdn32.exe100⤵PID:5400
-
C:\Windows\SysWOW64\Iemdkl32.exeC:\Windows\system32\Iemdkl32.exe101⤵
- Modifies registry class
PID:5440 -
C:\Windows\SysWOW64\Ilglgfjd.exeC:\Windows\system32\Ilglgfjd.exe102⤵PID:5480
-
C:\Windows\SysWOW64\Jklihbol.exeC:\Windows\system32\Jklihbol.exe103⤵
- Drops file in System32 directory
PID:5520 -
C:\Windows\SysWOW64\Jddnah32.exeC:\Windows\system32\Jddnah32.exe104⤵PID:5560
-
C:\Windows\SysWOW64\Jojboa32.exeC:\Windows\system32\Jojboa32.exe105⤵
- Drops file in System32 directory
PID:5600 -
C:\Windows\SysWOW64\Jdgjgh32.exeC:\Windows\system32\Jdgjgh32.exe106⤵PID:5640
-
C:\Windows\SysWOW64\Jnoopm32.exeC:\Windows\system32\Jnoopm32.exe107⤵PID:5680
-
C:\Windows\SysWOW64\Jookjpam.exeC:\Windows\system32\Jookjpam.exe108⤵PID:5720
-
C:\Windows\SysWOW64\Joahop32.exeC:\Windows\system32\Joahop32.exe109⤵PID:5760
-
C:\Windows\SysWOW64\Jdnqgg32.exeC:\Windows\system32\Jdnqgg32.exe110⤵PID:5800
-
C:\Windows\SysWOW64\Knhbflbp.exeC:\Windows\system32\Knhbflbp.exe111⤵
- Modifies registry class
PID:5832 -
C:\Windows\SysWOW64\Khnfce32.exeC:\Windows\system32\Khnfce32.exe112⤵PID:5880
-
C:\Windows\SysWOW64\Kbfjljhf.exeC:\Windows\system32\Kbfjljhf.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5920 -
C:\Windows\SysWOW64\Khpcid32.exeC:\Windows\system32\Khpcid32.exe114⤵PID:5960
-
C:\Windows\SysWOW64\Kojkeogp.exeC:\Windows\system32\Kojkeogp.exe115⤵PID:6004
-
C:\Windows\SysWOW64\Kfdcbiol.exeC:\Windows\system32\Kfdcbiol.exe116⤵PID:6052
-
C:\Windows\SysWOW64\Kkaljpmd.exeC:\Windows\system32\Kkaljpmd.exe117⤵PID:6096
-
C:\Windows\SysWOW64\Kbkdgj32.exeC:\Windows\system32\Kbkdgj32.exe118⤵PID:6140
-
C:\Windows\SysWOW64\Lkchpoka.exeC:\Windows\system32\Lkchpoka.exe119⤵
- Modifies registry class
PID:5184 -
C:\Windows\SysWOW64\Lbpmbipk.exeC:\Windows\system32\Lbpmbipk.exe120⤵PID:5256
-
C:\Windows\SysWOW64\Lmeapbpa.exeC:\Windows\system32\Lmeapbpa.exe121⤵
- Modifies registry class
PID:5280
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-