Analysis
-
max time kernel
108s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
14/10/2023, 12:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.0fda5059b10d6e1cc5cc4467607a62d0_JC.exe
Resource
win7-20230831-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.0fda5059b10d6e1cc5cc4467607a62d0_JC.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.0fda5059b10d6e1cc5cc4467607a62d0_JC.exe
-
Size
416KB
-
MD5
0fda5059b10d6e1cc5cc4467607a62d0
-
SHA1
320025077ff1e5dc3a660fb92c6b4e3b05af1b1b
-
SHA256
e06e2c5a07b0db4d2e3127788e111b447ea1a76ea95f1060d9d8b175748ab5b9
-
SHA512
7ca6821046fcc2e7a17815cd01cc222c4fc71173f9e284c14befbdb0856e63d7ba53202f03b05b49543f1a4f71408829ba01d472d1aac7220c03fe611cac9d43
-
SSDEEP
12288:QXR/DYTEYJ07kE0KoFtw2gu9RxrBIUbPLwH96/I0lOZ0vbqFB:QdYwYJ07kE0KoFtw2gu9RxrBIUbPLwHh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfalhgni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bagmpoco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfgopnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cndidlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocopncke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpemkcck.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maaoaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggoaje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjqgpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikbhiaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oflfdbip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfjchn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eciilj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bblcfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gamjea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmbkfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cekhihig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmbiackg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngifef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ampkil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eemgkpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qgllpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhdeinhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldblon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcagjndj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlefgphj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nlnbqjjq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkklbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbhlikpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdfcla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjhqcmjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpilekqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dgnolj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghgjlaln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dehnpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhmmieil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebnocpfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmolbene.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dolinf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Agkgceeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eciilj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mglhgg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjepkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbkagfba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kifcnjpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekeacmel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niiaae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biklho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebpqjmpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Onaieifh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmpgfjmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qhofjbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfilfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhkghofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nedjdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfilfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjjaci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhndil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbocng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Heochp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nigjifgc.exe -
Executes dropped EXE 64 IoCs
pid Process 2808 Oophlo32.exe 1340 Omfekbdh.exe 3308 Piapkbeg.exe 1412 Qbonoghb.exe 4516 Qpbnhl32.exe 3064 Abfdpfaj.exe 1640 Ajaelc32.exe 3328 Biklho32.exe 460 Bipecnkd.exe 3936 Cdmoafdb.exe 1200 Dkkaiphj.exe 752 Dgbanq32.exe 3360 Fggdpnkf.exe 2444 Fglnkm32.exe 3128 Fqikob32.exe 3540 Gggmgk32.exe 4564 Gnfooe32.exe 4048 Hjolie32.exe 4560 Hnmeodjc.exe 5064 Hannao32.exe 3832 Ilfodgeg.exe 1400 Ieqpbm32.exe 1840 Inkaqb32.exe 2572 Jehfcl32.exe 4016 Jlkafdco.exe 1596 Kefbdjgm.exe 4192 Khfkfedn.exe 3544 Kocphojh.exe 3612 Klgqabib.exe 3972 Ledoegkm.exe 3404 Lehhqg32.exe 4760 Mkepineo.exe 2556 Mepnaf32.exe 1664 Nkapelka.exe 2228 Nlqloo32.exe 5008 Odgqopeb.exe 3000 Oflfdbip.exe 2636 Pkklbh32.exe 4232 Pmjhlklg.exe 3640 Piceflpi.exe 3392 Qcncodki.exe 4568 Abgjkpll.exe 1104 Aehbmk32.exe 856 Bblcfo32.exe 1088 Bmddihfj.exe 4756 Bpemkcck.exe 1060 Cpifeb32.exe 2828 Clpgkcdj.exe 4888 Cekhihig.exe 444 Dedkogqm.exe 2896 Dbhlikpf.exe 4724 Dmbiackg.exe 1692 Ecoaijio.exe 2588 Eepkkefp.exe 3884 Elolco32.exe 3656 Ffnglc32.exe 4300 Fdogjk32.exe 1304 Gqkajk32.exe 4340 Gqokekph.exe 4152 Gflcnanp.exe 5096 Hcbpme32.exe 4004 Hmkeekag.exe 3728 Hjoeoo32.exe 1704 Hcgjhega.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fgiabhkn.dll Bnppkj32.exe File opened for modification C:\Windows\SysWOW64\Hcfcmnce.exe Hpcmfchg.exe File opened for modification C:\Windows\SysWOW64\Jmnheggo.exe Jdfcla32.exe File created C:\Windows\SysWOW64\Hqphkjmi.dll Klddgfbl.exe File created C:\Windows\SysWOW64\Hepanfbj.dll Anjngp32.exe File created C:\Windows\SysWOW64\Fecmjq32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Aihfjd32.exe Abnnnjfh.exe File created C:\Windows\SysWOW64\Iafgob32.exe Hikfbeod.exe File created C:\Windows\SysWOW64\Ogoibgad.dll Kpccgk32.exe File created C:\Windows\SysWOW64\Occnjp32.dll Hcimei32.exe File created C:\Windows\SysWOW64\Odhman32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hkaoiemi.exe Hojndd32.exe File created C:\Windows\SysWOW64\Fodobp32.dll Fnofpqff.exe File opened for modification C:\Windows\SysWOW64\Bjdkcd32.exe Balfko32.exe File created C:\Windows\SysWOW64\Kmnnnj32.dll Nigjifgc.exe File opened for modification C:\Windows\SysWOW64\Odmgmmhf.exe Oflfoepg.exe File created C:\Windows\SysWOW64\Mikepg32.exe Mcnmhpoj.exe File created C:\Windows\SysWOW64\Qgdabflp.exe Pgbdmfnc.exe File created C:\Windows\SysWOW64\Nqdfipld.dll Egnhcgeb.exe File opened for modification C:\Windows\SysWOW64\Nojfic32.exe Niqnli32.exe File created C:\Windows\SysWOW64\Moccao32.dll Ahfmka32.exe File created C:\Windows\SysWOW64\Fofigd32.exe Ejiqom32.exe File created C:\Windows\SysWOW64\Pempol32.dll Ghgjlaln.exe File opened for modification C:\Windows\SysWOW64\Pcgmiiii.exe Pmmelo32.exe File opened for modification C:\Windows\SysWOW64\Moobkh32.exe Mhdjonng.exe File created C:\Windows\SysWOW64\Ifmldo32.exe Inagpm32.exe File created C:\Windows\SysWOW64\Milgmknm.dll Icdoolge.exe File opened for modification C:\Windows\SysWOW64\Nfabok32.exe Mjjbjjdd.exe File created C:\Windows\SysWOW64\Nojfic32.exe Niqnli32.exe File opened for modification C:\Windows\SysWOW64\Hojndd32.exe Gddigk32.exe File created C:\Windows\SysWOW64\Obdbqm32.exe Okkidceh.exe File created C:\Windows\SysWOW64\Ehqabj32.dll Ebifha32.exe File created C:\Windows\SysWOW64\Jeaidn32.exe Process not Found File created C:\Windows\SysWOW64\Pfdbknda.exe Pokjnd32.exe File opened for modification C:\Windows\SysWOW64\Gjojkpdp.exe Gmkibl32.exe File opened for modification C:\Windows\SysWOW64\Jjhonfjg.exe Idnfal32.exe File created C:\Windows\SysWOW64\Qkhlkj32.dll Process not Found File created C:\Windows\SysWOW64\Bhdbaihi.exe Process not Found File created C:\Windows\SysWOW64\Bjdkcd32.exe Balfko32.exe File created C:\Windows\SysWOW64\Labcdffd.dll Dhdkig32.exe File created C:\Windows\SysWOW64\Cclhbcho.exe Bmbpeiaa.exe File created C:\Windows\SysWOW64\Donlkjng.exe Dajlafon.exe File created C:\Windows\SysWOW64\Objhpiqa.dll Ionbcb32.exe File opened for modification C:\Windows\SysWOW64\Jinloboo.exe Jpegfm32.exe File created C:\Windows\SysWOW64\Abngccbl.exe Ahhbfkbf.exe File created C:\Windows\SysWOW64\Qkpdbm32.dll Eamhhjbd.exe File created C:\Windows\SysWOW64\Ildkpiqo.exe Iciflfcd.exe File created C:\Windows\SysWOW64\Dendok32.exe Ckafkfkp.exe File created C:\Windows\SysWOW64\Qmjpdddo.dll Bleebc32.exe File created C:\Windows\SysWOW64\Jllimj32.dll Cbqlpabf.exe File created C:\Windows\SysWOW64\Qnhjcg32.dll Donceaac.exe File created C:\Windows\SysWOW64\Jpgmaf32.exe Jeaidn32.exe File opened for modification C:\Windows\SysWOW64\Knpmcl32.exe Kgfdfbhj.exe File created C:\Windows\SysWOW64\Lgglmb32.dll Aaldngqg.exe File created C:\Windows\SysWOW64\Ljkgpamj.dll Pbpjbe32.exe File created C:\Windows\SysWOW64\Ocopncke.exe Process not Found File created C:\Windows\SysWOW64\Piapkbeg.exe Omfekbdh.exe File created C:\Windows\SysWOW64\Cmmbmhdc.dll Hcfcmnce.exe File created C:\Windows\SysWOW64\Hkggfe32.exe Hmcfma32.exe File created C:\Windows\SysWOW64\Kbocng32.exe Kmbkfp32.exe File opened for modification C:\Windows\SysWOW64\Kmdqai32.exe Process not Found File created C:\Windows\SysWOW64\Pqmjhm32.exe Pcijoh32.exe File opened for modification C:\Windows\SysWOW64\Jiageecb.exe Jbgoik32.exe File opened for modification C:\Windows\SysWOW64\Pfdbpjmi.exe Pkonbamc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8096 7084 Process not Found 1388 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nnlhod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nboggf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpifeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Maaoaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bkdqdokk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hfjmajbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Baocpnmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kieaqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lnepbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mknjgajl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qqfmnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mimphakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkggfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lbpmbipk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moccao32.dll" Ahfmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nagcnpqi.dll" Fjqgpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfeibf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lqdcio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qbonoghb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll" Cdmoafdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjbah32.dll" Khfkfedn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghhgh32.dll" Cemndbci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcqcpof.dll" Nboggf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcmeff32.dll" Ehpmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljmka32.dll" Hpcmfchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gakahfoj.dll" Nbepdfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeoeaq32.dll" Dpphcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbbhcm.dll" Clqncl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qqdqilph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cclhbcho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bnppkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbbjg32.dll" Ajodef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djeopjhd.dll" Bkhceh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cpcnhbjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jdfcla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeado32.dll" Gbenjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clopal32.dll" Jfeoip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ollgiplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bleebc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ddbbngjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ijjekn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Golcak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jfeoip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gamjea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jhbfgflc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfbebpdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mkbcbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehgqed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Abgjkpll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacjdgkj.dll" Migcpneb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjldieop.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oqdgan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ehpmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edcfpa32.dll" Gojnfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcfocb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eoneah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmekbhdn.dll" Ngifef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mikiin32.dll" Lbpmbipk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mgceqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ogjdheqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dlgddkpc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2420 wrote to memory of 2808 2420 NEAS.0fda5059b10d6e1cc5cc4467607a62d0_JC.exe 88 PID 2420 wrote to memory of 2808 2420 NEAS.0fda5059b10d6e1cc5cc4467607a62d0_JC.exe 88 PID 2420 wrote to memory of 2808 2420 NEAS.0fda5059b10d6e1cc5cc4467607a62d0_JC.exe 88 PID 2808 wrote to memory of 1340 2808 Oophlo32.exe 89 PID 2808 wrote to memory of 1340 2808 Oophlo32.exe 89 PID 2808 wrote to memory of 1340 2808 Oophlo32.exe 89 PID 1340 wrote to memory of 3308 1340 Omfekbdh.exe 90 PID 1340 wrote to memory of 3308 1340 Omfekbdh.exe 90 PID 1340 wrote to memory of 3308 1340 Omfekbdh.exe 90 PID 3308 wrote to memory of 1412 3308 Piapkbeg.exe 91 PID 3308 wrote to memory of 1412 3308 Piapkbeg.exe 91 PID 3308 wrote to memory of 1412 3308 Piapkbeg.exe 91 PID 1412 wrote to memory of 4516 1412 Qbonoghb.exe 92 PID 1412 wrote to memory of 4516 1412 Qbonoghb.exe 92 PID 1412 wrote to memory of 4516 1412 Qbonoghb.exe 92 PID 4516 wrote to memory of 3064 4516 Qpbnhl32.exe 93 PID 4516 wrote to memory of 3064 4516 Qpbnhl32.exe 93 PID 4516 wrote to memory of 3064 4516 Qpbnhl32.exe 93 PID 3064 wrote to memory of 1640 3064 Abfdpfaj.exe 94 PID 3064 wrote to memory of 1640 3064 Abfdpfaj.exe 94 PID 3064 wrote to memory of 1640 3064 Abfdpfaj.exe 94 PID 1640 wrote to memory of 3328 1640 Ajaelc32.exe 95 PID 1640 wrote to memory of 3328 1640 Ajaelc32.exe 95 PID 1640 wrote to memory of 3328 1640 Ajaelc32.exe 95 PID 3328 wrote to memory of 460 3328 Biklho32.exe 96 PID 3328 wrote to memory of 460 3328 Biklho32.exe 96 PID 3328 wrote to memory of 460 3328 Biklho32.exe 96 PID 460 wrote to memory of 3936 460 Bipecnkd.exe 97 PID 460 wrote to memory of 3936 460 Bipecnkd.exe 97 PID 460 wrote to memory of 3936 460 Bipecnkd.exe 97 PID 3936 wrote to memory of 1200 3936 Cdmoafdb.exe 98 PID 3936 wrote to memory of 1200 3936 Cdmoafdb.exe 98 PID 3936 wrote to memory of 1200 3936 Cdmoafdb.exe 98 PID 1200 wrote to memory of 752 1200 Dkkaiphj.exe 99 PID 1200 wrote to memory of 752 1200 Dkkaiphj.exe 99 PID 1200 wrote to memory of 752 1200 Dkkaiphj.exe 99 PID 752 wrote to memory of 3360 752 Dgbanq32.exe 100 PID 752 wrote to memory of 3360 752 Dgbanq32.exe 100 PID 752 wrote to memory of 3360 752 Dgbanq32.exe 100 PID 3360 wrote to memory of 2444 3360 Fggdpnkf.exe 101 PID 3360 wrote to memory of 2444 3360 Fggdpnkf.exe 101 PID 3360 wrote to memory of 2444 3360 Fggdpnkf.exe 101 PID 2444 wrote to memory of 3128 2444 Fglnkm32.exe 102 PID 2444 wrote to memory of 3128 2444 Fglnkm32.exe 102 PID 2444 wrote to memory of 3128 2444 Fglnkm32.exe 102 PID 3128 wrote to memory of 3540 3128 Fqikob32.exe 103 PID 3128 wrote to memory of 3540 3128 Fqikob32.exe 103 PID 3128 wrote to memory of 3540 3128 Fqikob32.exe 103 PID 3540 wrote to memory of 4564 3540 Gggmgk32.exe 104 PID 3540 wrote to memory of 4564 3540 Gggmgk32.exe 104 PID 3540 wrote to memory of 4564 3540 Gggmgk32.exe 104 PID 4564 wrote to memory of 4048 4564 Gnfooe32.exe 105 PID 4564 wrote to memory of 4048 4564 Gnfooe32.exe 105 PID 4564 wrote to memory of 4048 4564 Gnfooe32.exe 105 PID 4048 wrote to memory of 4560 4048 Hjolie32.exe 106 PID 4048 wrote to memory of 4560 4048 Hjolie32.exe 106 PID 4048 wrote to memory of 4560 4048 Hjolie32.exe 106 PID 4560 wrote to memory of 5064 4560 Hnmeodjc.exe 107 PID 4560 wrote to memory of 5064 4560 Hnmeodjc.exe 107 PID 4560 wrote to memory of 5064 4560 Hnmeodjc.exe 107 PID 5064 wrote to memory of 3832 5064 Hannao32.exe 108 PID 5064 wrote to memory of 3832 5064 Hannao32.exe 108 PID 5064 wrote to memory of 3832 5064 Hannao32.exe 108 PID 3832 wrote to memory of 1400 3832 Ilfodgeg.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.0fda5059b10d6e1cc5cc4467607a62d0_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.0fda5059b10d6e1cc5cc4467607a62d0_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Oophlo32.exeC:\Windows\system32\Oophlo32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Omfekbdh.exeC:\Windows\system32\Omfekbdh.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\Piapkbeg.exeC:\Windows\system32\Piapkbeg.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\Qbonoghb.exeC:\Windows\system32\Qbonoghb.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Qpbnhl32.exeC:\Windows\system32\Qpbnhl32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Abfdpfaj.exeC:\Windows\system32\Abfdpfaj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Ajaelc32.exeC:\Windows\system32\Ajaelc32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Biklho32.exeC:\Windows\system32\Biklho32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\SysWOW64\Bipecnkd.exeC:\Windows\system32\Bipecnkd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\SysWOW64\Cdmoafdb.exeC:\Windows\system32\Cdmoafdb.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Dkkaiphj.exeC:\Windows\system32\Dkkaiphj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Dgbanq32.exeC:\Windows\system32\Dgbanq32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\Fggdpnkf.exeC:\Windows\system32\Fggdpnkf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\SysWOW64\Fglnkm32.exeC:\Windows\system32\Fglnkm32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Fqikob32.exeC:\Windows\system32\Fqikob32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\SysWOW64\Gggmgk32.exeC:\Windows\system32\Gggmgk32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Gnfooe32.exeC:\Windows\system32\Gnfooe32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Hjolie32.exeC:\Windows\system32\Hjolie32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Hnmeodjc.exeC:\Windows\system32\Hnmeodjc.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Hannao32.exeC:\Windows\system32\Hannao32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\Ilfodgeg.exeC:\Windows\system32\Ilfodgeg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\SysWOW64\Ieqpbm32.exeC:\Windows\system32\Ieqpbm32.exe23⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Inkaqb32.exeC:\Windows\system32\Inkaqb32.exe24⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Jehfcl32.exeC:\Windows\system32\Jehfcl32.exe25⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Jdopjh32.exeC:\Windows\system32\Jdopjh32.exe26⤵PID:4860
-
C:\Windows\SysWOW64\Jlkafdco.exeC:\Windows\system32\Jlkafdco.exe27⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Kefbdjgm.exeC:\Windows\system32\Kefbdjgm.exe28⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Khfkfedn.exeC:\Windows\system32\Khfkfedn.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4192 -
C:\Windows\SysWOW64\Kocphojh.exeC:\Windows\system32\Kocphojh.exe30⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Klgqabib.exeC:\Windows\system32\Klgqabib.exe31⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Ledoegkm.exeC:\Windows\system32\Ledoegkm.exe32⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Lehhqg32.exeC:\Windows\system32\Lehhqg32.exe33⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Mkepineo.exeC:\Windows\system32\Mkepineo.exe34⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Mepnaf32.exeC:\Windows\system32\Mepnaf32.exe35⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Nkapelka.exeC:\Windows\system32\Nkapelka.exe36⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Nlqloo32.exeC:\Windows\system32\Nlqloo32.exe37⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Odgqopeb.exeC:\Windows\system32\Odgqopeb.exe38⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Oflfdbip.exeC:\Windows\system32\Oflfdbip.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Pkklbh32.exeC:\Windows\system32\Pkklbh32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Pmjhlklg.exeC:\Windows\system32\Pmjhlklg.exe41⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Piceflpi.exeC:\Windows\system32\Piceflpi.exe42⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Qcncodki.exeC:\Windows\system32\Qcncodki.exe43⤵
- Executes dropped EXE
PID:3392 -
C:\Windows\SysWOW64\Abgjkpll.exeC:\Windows\system32\Abgjkpll.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4568 -
C:\Windows\SysWOW64\Aehbmk32.exeC:\Windows\system32\Aehbmk32.exe45⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Bblcfo32.exeC:\Windows\system32\Bblcfo32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Bmddihfj.exeC:\Windows\system32\Bmddihfj.exe47⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Bpemkcck.exeC:\Windows\system32\Bpemkcck.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Cpifeb32.exeC:\Windows\system32\Cpifeb32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1060 -
C:\Windows\SysWOW64\Clpgkcdj.exeC:\Windows\system32\Clpgkcdj.exe50⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Cekhihig.exeC:\Windows\system32\Cekhihig.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Dedkogqm.exeC:\Windows\system32\Dedkogqm.exe52⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Dbhlikpf.exeC:\Windows\system32\Dbhlikpf.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Dmbiackg.exeC:\Windows\system32\Dmbiackg.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Ecoaijio.exeC:\Windows\system32\Ecoaijio.exe55⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Eepkkefp.exeC:\Windows\system32\Eepkkefp.exe56⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Elolco32.exeC:\Windows\system32\Elolco32.exe57⤵
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\Ffnglc32.exeC:\Windows\system32\Ffnglc32.exe58⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Fdogjk32.exeC:\Windows\system32\Fdogjk32.exe59⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Gqkajk32.exeC:\Windows\system32\Gqkajk32.exe60⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Gqokekph.exeC:\Windows\system32\Gqokekph.exe61⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Gflcnanp.exeC:\Windows\system32\Gflcnanp.exe62⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Hcbpme32.exeC:\Windows\system32\Hcbpme32.exe63⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Hmkeekag.exeC:\Windows\system32\Hmkeekag.exe64⤵
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Hjoeoo32.exeC:\Windows\system32\Hjoeoo32.exe65⤵
- Executes dropped EXE
PID:3728 -
C:\Windows\SysWOW64\Hcgjhega.exeC:\Windows\system32\Hcgjhega.exe66⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Hmbkfjko.exeC:\Windows\system32\Hmbkfjko.exe67⤵PID:4780
-
C:\Windows\SysWOW64\Iggocbke.exeC:\Windows\system32\Iggocbke.exe68⤵PID:4796
-
C:\Windows\SysWOW64\Inagpm32.exeC:\Windows\system32\Inagpm32.exe69⤵
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Ifmldo32.exeC:\Windows\system32\Ifmldo32.exe70⤵PID:2552
-
C:\Windows\SysWOW64\Ienlbf32.exeC:\Windows\system32\Ienlbf32.exe71⤵PID:2080
-
C:\Windows\SysWOW64\Ijjekn32.exeC:\Windows\system32\Ijjekn32.exe72⤵
- Modifies registry class
PID:3660 -
C:\Windows\SysWOW64\Igneda32.exeC:\Windows\system32\Igneda32.exe73⤵PID:820
-
C:\Windows\SysWOW64\Imknli32.exeC:\Windows\system32\Imknli32.exe74⤵PID:3280
-
C:\Windows\SysWOW64\Igqbiacj.exeC:\Windows\system32\Igqbiacj.exe75⤵PID:1212
-
C:\Windows\SysWOW64\Iaifbg32.exeC:\Windows\system32\Iaifbg32.exe76⤵PID:1880
-
C:\Windows\SysWOW64\Jjakkmpk.exeC:\Windows\system32\Jjakkmpk.exe77⤵PID:3252
-
C:\Windows\SysWOW64\Jakchf32.exeC:\Windows\system32\Jakchf32.exe78⤵PID:3348
-
C:\Windows\SysWOW64\Kfidgk32.exeC:\Windows\system32\Kfidgk32.exe79⤵PID:4320
-
C:\Windows\SysWOW64\Kejeebpl.exeC:\Windows\system32\Kejeebpl.exe80⤵PID:1496
-
C:\Windows\SysWOW64\Kjfmminc.exeC:\Windows\system32\Kjfmminc.exe81⤵PID:3220
-
C:\Windows\SysWOW64\Lacbpccn.exeC:\Windows\system32\Lacbpccn.exe82⤵PID:5012
-
C:\Windows\SysWOW64\Ldckan32.exeC:\Windows\system32\Ldckan32.exe83⤵PID:5168
-
C:\Windows\SysWOW64\Lhadgmge.exeC:\Windows\system32\Lhadgmge.exe84⤵PID:5212
-
C:\Windows\SysWOW64\Loniiflo.exeC:\Windows\system32\Loniiflo.exe85⤵PID:5256
-
C:\Windows\SysWOW64\Mkdiog32.exeC:\Windows\system32\Mkdiog32.exe86⤵PID:5300
-
C:\Windows\SysWOW64\Maaoaa32.exeC:\Windows\system32\Maaoaa32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5344 -
C:\Windows\SysWOW64\Mhmcck32.exeC:\Windows\system32\Mhmcck32.exe88⤵PID:5388
-
C:\Windows\SysWOW64\Necqbo32.exeC:\Windows\system32\Necqbo32.exe89⤵PID:5432
-
C:\Windows\SysWOW64\Nkbfpeec.exeC:\Windows\system32\Nkbfpeec.exe90⤵PID:5476
-
C:\Windows\SysWOW64\Ngifef32.exeC:\Windows\system32\Ngifef32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5524 -
C:\Windows\SysWOW64\Nockkcjg.exeC:\Windows\system32\Nockkcjg.exe92⤵PID:5568
-
C:\Windows\SysWOW64\Nemchn32.exeC:\Windows\system32\Nemchn32.exe93⤵PID:5612
-
C:\Windows\SysWOW64\Oeopnmoa.exeC:\Windows\system32\Oeopnmoa.exe94⤵PID:5656
-
C:\Windows\SysWOW64\Ogefqeaj.exeC:\Windows\system32\Ogefqeaj.exe95⤵PID:5700
-
C:\Windows\SysWOW64\Oggbfdog.exeC:\Windows\system32\Oggbfdog.exe96⤵PID:5744
-
C:\Windows\SysWOW64\Pgllad32.exeC:\Windows\system32\Pgllad32.exe97⤵PID:5784
-
C:\Windows\SysWOW64\Pnfdnnbo.exeC:\Windows\system32\Pnfdnnbo.exe98⤵PID:5832
-
C:\Windows\SysWOW64\Pfpidk32.exeC:\Windows\system32\Pfpidk32.exe99⤵PID:5876
-
C:\Windows\SysWOW64\Pkonbamc.exeC:\Windows\system32\Pkonbamc.exe100⤵
- Drops file in System32 directory
PID:5920 -
C:\Windows\SysWOW64\Pfdbpjmi.exeC:\Windows\system32\Pfdbpjmi.exe101⤵PID:5972
-
C:\Windows\SysWOW64\Agjhbbob.exeC:\Windows\system32\Agjhbbob.exe102⤵PID:6008
-
C:\Windows\SysWOW64\Andqol32.exeC:\Windows\system32\Andqol32.exe103⤵PID:6060
-
C:\Windows\SysWOW64\Abbiej32.exeC:\Windows\system32\Abbiej32.exe104⤵PID:6108
-
C:\Windows\SysWOW64\Bichcc32.exeC:\Windows\system32\Bichcc32.exe105⤵PID:1772
-
C:\Windows\SysWOW64\Bnppkj32.exeC:\Windows\system32\Bnppkj32.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:5176 -
C:\Windows\SysWOW64\Bkdqdokk.exeC:\Windows\system32\Bkdqdokk.exe107⤵
- Modifies registry class
PID:5244 -
C:\Windows\SysWOW64\Bfnnmg32.exeC:\Windows\system32\Bfnnmg32.exe108⤵PID:4216
-
C:\Windows\SysWOW64\Blkgen32.exeC:\Windows\system32\Blkgen32.exe109⤵PID:5384
-
C:\Windows\SysWOW64\Becknc32.exeC:\Windows\system32\Becknc32.exe110⤵PID:5464
-
C:\Windows\SysWOW64\Cblebgfh.exeC:\Windows\system32\Cblebgfh.exe111⤵PID:4200
-
C:\Windows\SysWOW64\Chinkndp.exeC:\Windows\system32\Chinkndp.exe112⤵PID:5508
-
C:\Windows\SysWOW64\Cppelkeb.exeC:\Windows\system32\Cppelkeb.exe113⤵PID:5600
-
C:\Windows\SysWOW64\Cemndbci.exeC:\Windows\system32\Cemndbci.exe114⤵
- Modifies registry class
PID:5664 -
C:\Windows\SysWOW64\Cpbbak32.exeC:\Windows\system32\Cpbbak32.exe115⤵PID:5728
-
C:\Windows\SysWOW64\Deokja32.exeC:\Windows\system32\Deokja32.exe116⤵PID:5792
-
C:\Windows\SysWOW64\Dngobghg.exeC:\Windows\system32\Dngobghg.exe117⤵PID:5860
-
C:\Windows\SysWOW64\Deagoa32.exeC:\Windows\system32\Deagoa32.exe118⤵PID:5944
-
C:\Windows\SysWOW64\Dojlhg32.exeC:\Windows\system32\Dojlhg32.exe119⤵PID:6028
-
C:\Windows\SysWOW64\Dolinf32.exeC:\Windows\system32\Dolinf32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6104 -
C:\Windows\SysWOW64\Dehnpp32.exeC:\Windows\system32\Dehnpp32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3568
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-