Analysis
-
max time kernel
44s -
max time network
69s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
22-10-2023 15:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.faacba3788e300390ad23f4ac8368b5b_JC.exe
Resource
win7-20231020-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.faacba3788e300390ad23f4ac8368b5b_JC.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.faacba3788e300390ad23f4ac8368b5b_JC.exe
-
Size
59KB
-
MD5
faacba3788e300390ad23f4ac8368b5b
-
SHA1
8d41d46907b90e441c97e689382f691820e01c68
-
SHA256
76453a69b81eed18873ce9a4bdba8598ed7d263c5fb62b1b67471fa50a0fdda2
-
SHA512
aa8696f4aa8b229e6d1fac25523317334977a93cddc919786c2c084db17a9d62c6b01138604d9703b7ee21018299eac61ff13f1846ba1dd6e923fe46bf56cb84
-
SSDEEP
1536:3WavK/31VkpxnTO0gC9q2MRKe/87mpNCyVso:35231VkPPDMRrUCaeso
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekajec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elhfbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daollh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmjlkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojjcp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhaope32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aibibp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hebcao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkepineo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egpgehnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkbfpeec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjamhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omdieb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgiaemic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnpaec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbhbbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laeoec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgeogb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfodmdni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnmmboed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eajlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llngbabj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cehlcikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcgjhega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maoakaip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eklajcmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngemjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjhalkjc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefjanml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhplpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjlhipbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Defajqko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibegfglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkhjpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oookgbpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giecfejd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igjbci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifaepolg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abbiej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppgegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlfhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbqalle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfhnme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddcebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nocbfjmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noehac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnhacn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geklckkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgcmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmdqbg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onapdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqphic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kopcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biljib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkedbmab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbjcljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifihdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiaggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dajbaika.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbhool32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kallod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cehdib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiaggc32.exe -
Executes dropped EXE 64 IoCs
pid Process 4480 Mnmmboed.exe 4800 Nmbjcljl.exe 3676 Nmdgikhi.exe 4808 Ncqlkemc.exe 2172 Npgmpf32.exe 4692 Njmqnobn.exe 2068 Nceefd32.exe 1180 Oplfkeob.exe 1588 Ompfej32.exe 4524 Oanokhdb.exe 1104 Oclkgccf.exe 3960 Onapdl32.exe 3004 Ofmdio32.exe 4176 Ocaebc32.exe 408 Ppgegd32.exe 1884 Cpbjkn32.exe 1344 Cpdgqmnb.exe 4016 Dnmaea32.exe 264 Dakikoom.exe 1424 Doojec32.exe 3044 Dgjoif32.exe 3392 Dbocfo32.exe 3892 Ebaplnie.exe 1744 Enhpao32.exe 452 Eklajcmc.exe 5052 Enmjlojd.exe 2976 Ekajec32.exe 4056 Eqncnj32.exe 4988 Fbmohmoh.exe 2352 Figgdg32.exe 3632 Fbplml32.exe 980 Fbbicl32.exe 5116 Fkjmlaac.exe 4184 Fecadghc.exe 1456 Fajbjh32.exe 4740 Gokbgpeg.exe 2880 Gnpphljo.exe 1364 Giecfejd.exe 3660 Glfmgp32.exe 2156 Glhimp32.exe 1032 Geanfelc.exe 3984 Hahokfag.exe 4552 Hpioin32.exe 2372 Hiacacpg.exe 316 Hhfpbpdo.exe 3056 Haodle32.exe 1316 Hppeim32.exe 2664 Ibqnkh32.exe 4968 Ieagmcmq.exe 1296 Ibegfglj.exe 2680 Iehmmb32.exe 3700 Jihbip32.exe 928 Jpegkj32.exe 1524 Jhplpl32.exe 2392 Kiphjo32.exe 5036 Klpakj32.exe 1668 Kcmfnd32.exe 2160 Kemooo32.exe 4444 Lafmjp32.exe 4832 Lpjjmg32.exe 4280 Loofnccf.exe 4492 Llcghg32.exe 4408 Mjggal32.exe 496 Mfpell32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jfqqddpi.dll Fgiaemic.exe File created C:\Windows\SysWOW64\Nahakl32.dll Kifjip32.exe File created C:\Windows\SysWOW64\Bcicjbal.exe Amoknh32.exe File created C:\Windows\SysWOW64\Midbjmkg.dll Cbhbbn32.exe File created C:\Windows\SysWOW64\Chpnfc32.dll Fjeibc32.exe File created C:\Windows\SysWOW64\Hjlkfnim.dll Bkhjpn32.exe File created C:\Windows\SysWOW64\Jihbip32.exe Iehmmb32.exe File created C:\Windows\SysWOW64\Clpchk32.dll Jpegkj32.exe File created C:\Windows\SysWOW64\Jdiphhpk.dll Ihceigec.exe File created C:\Windows\SysWOW64\Nlqloo32.exe Nakhaf32.exe File created C:\Windows\SysWOW64\Opmcod32.exe Okpkgm32.exe File opened for modification C:\Windows\SysWOW64\Bpomem32.exe Biedhclh.exe File opened for modification C:\Windows\SysWOW64\Iqmplbpl.exe Hgdlcm32.exe File created C:\Windows\SysWOW64\Fdbdih32.dll Mfhgcbfo.exe File opened for modification C:\Windows\SysWOW64\Lpjjmg32.exe Lafmjp32.exe File created C:\Windows\SysWOW64\Nfldgk32.exe Nbnlaldg.exe File opened for modification C:\Windows\SysWOW64\Cpcpfg32.exe Ckdkhq32.exe File created C:\Windows\SysWOW64\Jjdokb32.exe Jdjfohjg.exe File created C:\Windows\SysWOW64\Lnnkldlf.dll Mjafoapj.exe File opened for modification C:\Windows\SysWOW64\Egpgehnb.exe Eilfldoi.exe File created C:\Windows\SysWOW64\Pifkigic.dll Pnhacn32.exe File opened for modification C:\Windows\SysWOW64\Qoocnpag.exe Pgeogb32.exe File created C:\Windows\SysWOW64\Iejecf32.dll Chddpn32.exe File created C:\Windows\SysWOW64\Hlhbih32.dll Fecadghc.exe File created C:\Windows\SysWOW64\Mejfbf32.dll Nkbfpeec.exe File created C:\Windows\SysWOW64\Gdhjpjjd.exe Gloejmld.exe File opened for modification C:\Windows\SysWOW64\Cehdib32.exe Chddpn32.exe File created C:\Windows\SysWOW64\Doqbifpl.exe Dhgjll32.exe File created C:\Windows\SysWOW64\Klpakj32.exe Kiphjo32.exe File created C:\Windows\SysWOW64\Flhoinbl.exe Fjjcmbci.exe File created C:\Windows\SysWOW64\Delcme32.dll Iqmplbpl.exe File created C:\Windows\SysWOW64\Igjhce32.dll Iiaggc32.exe File created C:\Windows\SysWOW64\Fpffjn32.dll Nmedmj32.exe File created C:\Windows\SysWOW64\Aiplmq32.exe Aadghn32.exe File created C:\Windows\SysWOW64\Mnhgglaj.dll Adgmoigj.exe File created C:\Windows\SysWOW64\Ggccllai.exe Fqfojblo.exe File created C:\Windows\SysWOW64\Cofaon32.dll Geipnl32.exe File opened for modification C:\Windows\SysWOW64\Oiccje32.exe Nfqnbjfi.exe File created C:\Windows\SysWOW64\Nkgoke32.exe Ndmgnkja.exe File created C:\Windows\SysWOW64\Dngjpgqp.dll Biljib32.exe File created C:\Windows\SysWOW64\Aagfblqi.dll Opjgidfa.exe File opened for modification C:\Windows\SysWOW64\Fgiaemic.exe Fqphic32.exe File created C:\Windows\SysWOW64\Hjegpf32.dll Pfdbpjmi.exe File opened for modification C:\Windows\SysWOW64\Ijgakgej.exe Iobmmoed.exe File opened for modification C:\Windows\SysWOW64\Mhhjhlqm.exe Maoakaip.exe File created C:\Windows\SysWOW64\Kfhnme32.exe Kakednfj.exe File created C:\Windows\SysWOW64\Liifnp32.exe Kggjghkd.exe File created C:\Windows\SysWOW64\Nccmog32.dll Njmejp32.exe File created C:\Windows\SysWOW64\Ojidbohn.dll Eklajcmc.exe File created C:\Windows\SysWOW64\Eacdhhjj.dll Fclhpo32.exe File created C:\Windows\SysWOW64\Ldicpljn.dll Fkjfakng.exe File opened for modification C:\Windows\SysWOW64\Gqbneq32.exe Gkefmjcj.exe File created C:\Windows\SysWOW64\Paenokbf.dll Aibibp32.exe File created C:\Windows\SysWOW64\Okkjkh32.dll Fncbha32.exe File created C:\Windows\SysWOW64\Emabga32.dll Kjbdbjbi.exe File created C:\Windows\SysWOW64\Pjjaci32.exe Phiekaql.exe File opened for modification C:\Windows\SysWOW64\Eklajcmc.exe Enhpao32.exe File opened for modification C:\Windows\SysWOW64\Nciopppp.exe Mhckcgpj.exe File opened for modification C:\Windows\SysWOW64\Omdieb32.exe Ojemig32.exe File created C:\Windows\SysWOW64\Ocknbglo.exe Omaeem32.exe File created C:\Windows\SysWOW64\Meajdj32.dll Fpnkdfko.exe File created C:\Windows\SysWOW64\Onqdhh32.exe Ohdlpa32.exe File created C:\Windows\SysWOW64\Icembg32.dll Edoencdm.exe File opened for modification C:\Windows\SysWOW64\Emioab32.exe Egpgehnb.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqphic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khkdad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjhalkjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgffka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqbneq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkadoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biljib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfqdid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjnnbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmhijd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oikjkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbaahf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjeibc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meoggpmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhaope32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahceqce.dll" Gnpphljo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loofnccf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmoqj32.dll" Jlfhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjamhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkdlkope.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onbiicqa.dll" Ohdlpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nceefd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aimhmkgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gflonn32.dll" Ojemig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjeplijj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjmjgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcpfdg32.dll" Ljncnhhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjacac32.dll" Mdokmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndmgnkja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmbjcljl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klmnkdal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kajfdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkgfdgpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pifkigic.dll" Pnhacn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkjohi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmannfj.dll" Jacpcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aijeme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfhnme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogimj32.dll" Libido32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknphfld.dll" Ajdbac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngkpgkbd.dll" Namegfql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpemkcck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pleapoon.dll" Jokpcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfgji32.dll" Lkppchfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmbopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piocecgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Medglemj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midbjmkg.dll" Cbhbbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cplckbmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqmggi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjmjgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amnioced.dll" Mjkiephp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpjea32.dll" Igjbci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdhjpjjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jepplk32.dll" Hmmakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeeomegd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfhgcbfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aojmda32.dll" Egpgehnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjhalkjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnmaea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enmjlojd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnebjidl.dll" Kemooo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepbdodb.dll" Jdjfohjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cboleq32.dll" Kbjbnnfg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3156 wrote to memory of 4480 3156 NEAS.faacba3788e300390ad23f4ac8368b5b_JC.exe 84 PID 3156 wrote to memory of 4480 3156 NEAS.faacba3788e300390ad23f4ac8368b5b_JC.exe 84 PID 3156 wrote to memory of 4480 3156 NEAS.faacba3788e300390ad23f4ac8368b5b_JC.exe 84 PID 4480 wrote to memory of 4800 4480 Mnmmboed.exe 85 PID 4480 wrote to memory of 4800 4480 Mnmmboed.exe 85 PID 4480 wrote to memory of 4800 4480 Mnmmboed.exe 85 PID 4800 wrote to memory of 3676 4800 Nmbjcljl.exe 86 PID 4800 wrote to memory of 3676 4800 Nmbjcljl.exe 86 PID 4800 wrote to memory of 3676 4800 Nmbjcljl.exe 86 PID 3676 wrote to memory of 4808 3676 Nmdgikhi.exe 87 PID 3676 wrote to memory of 4808 3676 Nmdgikhi.exe 87 PID 3676 wrote to memory of 4808 3676 Nmdgikhi.exe 87 PID 4808 wrote to memory of 2172 4808 Ncqlkemc.exe 88 PID 4808 wrote to memory of 2172 4808 Ncqlkemc.exe 88 PID 4808 wrote to memory of 2172 4808 Ncqlkemc.exe 88 PID 2172 wrote to memory of 4692 2172 Npgmpf32.exe 89 PID 2172 wrote to memory of 4692 2172 Npgmpf32.exe 89 PID 2172 wrote to memory of 4692 2172 Npgmpf32.exe 89 PID 4692 wrote to memory of 2068 4692 Njmqnobn.exe 90 PID 4692 wrote to memory of 2068 4692 Njmqnobn.exe 90 PID 4692 wrote to memory of 2068 4692 Njmqnobn.exe 90 PID 2068 wrote to memory of 1180 2068 Nceefd32.exe 91 PID 2068 wrote to memory of 1180 2068 Nceefd32.exe 91 PID 2068 wrote to memory of 1180 2068 Nceefd32.exe 91 PID 1180 wrote to memory of 1588 1180 Oplfkeob.exe 92 PID 1180 wrote to memory of 1588 1180 Oplfkeob.exe 92 PID 1180 wrote to memory of 1588 1180 Oplfkeob.exe 92 PID 1588 wrote to memory of 4524 1588 Ompfej32.exe 93 PID 1588 wrote to memory of 4524 1588 Ompfej32.exe 93 PID 1588 wrote to memory of 4524 1588 Ompfej32.exe 93 PID 4524 wrote to memory of 1104 4524 Oanokhdb.exe 94 PID 4524 wrote to memory of 1104 4524 Oanokhdb.exe 94 PID 4524 wrote to memory of 1104 4524 Oanokhdb.exe 94 PID 1104 wrote to memory of 3960 1104 Oclkgccf.exe 95 PID 1104 wrote to memory of 3960 1104 Oclkgccf.exe 95 PID 1104 wrote to memory of 3960 1104 Oclkgccf.exe 95 PID 3960 wrote to memory of 3004 3960 Onapdl32.exe 96 PID 3960 wrote to memory of 3004 3960 Onapdl32.exe 96 PID 3960 wrote to memory of 3004 3960 Onapdl32.exe 96 PID 3004 wrote to memory of 4176 3004 Ofmdio32.exe 97 PID 3004 wrote to memory of 4176 3004 Ofmdio32.exe 97 PID 3004 wrote to memory of 4176 3004 Ofmdio32.exe 97 PID 4176 wrote to memory of 408 4176 Ocaebc32.exe 98 PID 4176 wrote to memory of 408 4176 Ocaebc32.exe 98 PID 4176 wrote to memory of 408 4176 Ocaebc32.exe 98 PID 408 wrote to memory of 1884 408 Ppgegd32.exe 99 PID 408 wrote to memory of 1884 408 Ppgegd32.exe 99 PID 408 wrote to memory of 1884 408 Ppgegd32.exe 99 PID 1884 wrote to memory of 1344 1884 Cpbjkn32.exe 100 PID 1884 wrote to memory of 1344 1884 Cpbjkn32.exe 100 PID 1884 wrote to memory of 1344 1884 Cpbjkn32.exe 100 PID 1344 wrote to memory of 4016 1344 Cpdgqmnb.exe 101 PID 1344 wrote to memory of 4016 1344 Cpdgqmnb.exe 101 PID 1344 wrote to memory of 4016 1344 Cpdgqmnb.exe 101 PID 4016 wrote to memory of 264 4016 Dnmaea32.exe 102 PID 4016 wrote to memory of 264 4016 Dnmaea32.exe 102 PID 4016 wrote to memory of 264 4016 Dnmaea32.exe 102 PID 264 wrote to memory of 1424 264 Dakikoom.exe 103 PID 264 wrote to memory of 1424 264 Dakikoom.exe 103 PID 264 wrote to memory of 1424 264 Dakikoom.exe 103 PID 1424 wrote to memory of 3044 1424 Doojec32.exe 104 PID 1424 wrote to memory of 3044 1424 Doojec32.exe 104 PID 1424 wrote to memory of 3044 1424 Doojec32.exe 104 PID 3044 wrote to memory of 3392 3044 Dgjoif32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.faacba3788e300390ad23f4ac8368b5b_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.faacba3788e300390ad23f4ac8368b5b_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\Mnmmboed.exeC:\Windows\system32\Mnmmboed.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Nmbjcljl.exeC:\Windows\system32\Nmbjcljl.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Nmdgikhi.exeC:\Windows\system32\Nmdgikhi.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Ncqlkemc.exeC:\Windows\system32\Ncqlkemc.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Npgmpf32.exeC:\Windows\system32\Npgmpf32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Njmqnobn.exeC:\Windows\system32\Njmqnobn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Nceefd32.exeC:\Windows\system32\Nceefd32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Oplfkeob.exeC:\Windows\system32\Oplfkeob.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Ompfej32.exeC:\Windows\system32\Ompfej32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Oanokhdb.exeC:\Windows\system32\Oanokhdb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Oclkgccf.exeC:\Windows\system32\Oclkgccf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Onapdl32.exeC:\Windows\system32\Onapdl32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\Ofmdio32.exeC:\Windows\system32\Ofmdio32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Ocaebc32.exeC:\Windows\system32\Ocaebc32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\SysWOW64\Ppgegd32.exeC:\Windows\system32\Ppgegd32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\SysWOW64\Cpbjkn32.exeC:\Windows\system32\Cpbjkn32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Cpdgqmnb.exeC:\Windows\system32\Cpdgqmnb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Dnmaea32.exeC:\Windows\system32\Dnmaea32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\Dakikoom.exeC:\Windows\system32\Dakikoom.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Doojec32.exeC:\Windows\system32\Doojec32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Dgjoif32.exeC:\Windows\system32\Dgjoif32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Dbocfo32.exeC:\Windows\system32\Dbocfo32.exe23⤵
- Executes dropped EXE
PID:3392 -
C:\Windows\SysWOW64\Ebaplnie.exeC:\Windows\system32\Ebaplnie.exe24⤵
- Executes dropped EXE
PID:3892 -
C:\Windows\SysWOW64\Enhpao32.exeC:\Windows\system32\Enhpao32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Eklajcmc.exeC:\Windows\system32\Eklajcmc.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:452 -
C:\Windows\SysWOW64\Enmjlojd.exeC:\Windows\system32\Enmjlojd.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:5052 -
C:\Windows\SysWOW64\Ekajec32.exeC:\Windows\system32\Ekajec32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Eqncnj32.exeC:\Windows\system32\Eqncnj32.exe29⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Fbmohmoh.exeC:\Windows\system32\Fbmohmoh.exe30⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Figgdg32.exeC:\Windows\system32\Figgdg32.exe31⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Fbplml32.exeC:\Windows\system32\Fbplml32.exe32⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Fbbicl32.exeC:\Windows\system32\Fbbicl32.exe33⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Fkjmlaac.exeC:\Windows\system32\Fkjmlaac.exe34⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Fecadghc.exeC:\Windows\system32\Fecadghc.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4184 -
C:\Windows\SysWOW64\Fajbjh32.exeC:\Windows\system32\Fajbjh32.exe36⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Gokbgpeg.exeC:\Windows\system32\Gokbgpeg.exe37⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Gnpphljo.exeC:\Windows\system32\Gnpphljo.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Giecfejd.exeC:\Windows\system32\Giecfejd.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Glfmgp32.exeC:\Windows\system32\Glfmgp32.exe40⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Glhimp32.exeC:\Windows\system32\Glhimp32.exe41⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Geanfelc.exeC:\Windows\system32\Geanfelc.exe42⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Hahokfag.exeC:\Windows\system32\Hahokfag.exe43⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Hpioin32.exeC:\Windows\system32\Hpioin32.exe44⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Hiacacpg.exeC:\Windows\system32\Hiacacpg.exe45⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Hhfpbpdo.exeC:\Windows\system32\Hhfpbpdo.exe46⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Haodle32.exeC:\Windows\system32\Haodle32.exe47⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Hppeim32.exeC:\Windows\system32\Hppeim32.exe48⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Ibqnkh32.exeC:\Windows\system32\Ibqnkh32.exe49⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Ieagmcmq.exeC:\Windows\system32\Ieagmcmq.exe50⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Ibegfglj.exeC:\Windows\system32\Ibegfglj.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Iehmmb32.exeC:\Windows\system32\Iehmmb32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Jihbip32.exeC:\Windows\system32\Jihbip32.exe53⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Jpegkj32.exeC:\Windows\system32\Jpegkj32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:928 -
C:\Windows\SysWOW64\Jhplpl32.exeC:\Windows\system32\Jhplpl32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Kiphjo32.exeC:\Windows\system32\Kiphjo32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Klpakj32.exeC:\Windows\system32\Klpakj32.exe57⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Kcmfnd32.exeC:\Windows\system32\Kcmfnd32.exe58⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Kemooo32.exeC:\Windows\system32\Kemooo32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Lafmjp32.exeC:\Windows\system32\Lafmjp32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4444 -
C:\Windows\SysWOW64\Lpjjmg32.exeC:\Windows\system32\Lpjjmg32.exe61⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Loofnccf.exeC:\Windows\system32\Loofnccf.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:4280 -
C:\Windows\SysWOW64\Llcghg32.exeC:\Windows\system32\Llcghg32.exe63⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Mjggal32.exeC:\Windows\system32\Mjggal32.exe64⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Mfpell32.exeC:\Windows\system32\Mfpell32.exe65⤵
- Executes dropped EXE
PID:496 -
C:\Windows\SysWOW64\Mohidbkl.exeC:\Windows\system32\Mohidbkl.exe66⤵PID:3472
-
C:\Windows\SysWOW64\Mjnnbk32.exeC:\Windows\system32\Mjnnbk32.exe67⤵
- Modifies registry class
PID:4700 -
C:\Windows\SysWOW64\Mokfja32.exeC:\Windows\system32\Mokfja32.exe68⤵PID:2420
-
C:\Windows\SysWOW64\Mhckcgpj.exeC:\Windows\system32\Mhckcgpj.exe69⤵
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Nciopppp.exeC:\Windows\system32\Nciopppp.exe70⤵PID:820
-
C:\Windows\SysWOW64\Nqmojd32.exeC:\Windows\system32\Nqmojd32.exe71⤵PID:3760
-
C:\Windows\SysWOW64\Nbnlaldg.exeC:\Windows\system32\Nbnlaldg.exe72⤵
- Drops file in System32 directory
PID:4304 -
C:\Windows\SysWOW64\Nfldgk32.exeC:\Windows\system32\Nfldgk32.exe73⤵PID:1248
-
C:\Windows\SysWOW64\Nodiqp32.exeC:\Windows\system32\Nodiqp32.exe74⤵PID:4364
-
C:\Windows\SysWOW64\Nmhijd32.exeC:\Windows\system32\Nmhijd32.exe75⤵
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Nfqnbjfi.exeC:\Windows\system32\Nfqnbjfi.exe76⤵
- Drops file in System32 directory
PID:4880 -
C:\Windows\SysWOW64\Oiccje32.exeC:\Windows\system32\Oiccje32.exe77⤵PID:2920
-
C:\Windows\SysWOW64\Ofgdcipq.exeC:\Windows\system32\Ofgdcipq.exe78⤵PID:1328
-
C:\Windows\SysWOW64\Ojemig32.exeC:\Windows\system32\Ojemig32.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:5088 -
C:\Windows\SysWOW64\Omdieb32.exeC:\Windows\system32\Omdieb32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2828 -
C:\Windows\SysWOW64\Obqanjdb.exeC:\Windows\system32\Obqanjdb.exe81⤵PID:4628
-
C:\Windows\SysWOW64\Oikjkc32.exeC:\Windows\system32\Oikjkc32.exe82⤵
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\Ppdbgncl.exeC:\Windows\system32\Ppdbgncl.exe83⤵PID:4616
-
C:\Windows\SysWOW64\Pmhbqbae.exeC:\Windows\system32\Pmhbqbae.exe84⤵PID:4484
-
C:\Windows\SysWOW64\Piocecgj.exeC:\Windows\system32\Piocecgj.exe85⤵
- Modifies registry class
PID:3936 -
C:\Windows\SysWOW64\Pcegclgp.exeC:\Windows\system32\Pcegclgp.exe86⤵PID:572
-
C:\Windows\SysWOW64\Pcgdhkem.exeC:\Windows\system32\Pcgdhkem.exe87⤵PID:2256
-
C:\Windows\SysWOW64\Pidlqb32.exeC:\Windows\system32\Pidlqb32.exe88⤵PID:1888
-
C:\Windows\SysWOW64\Pfhmjf32.exeC:\Windows\system32\Pfhmjf32.exe89⤵PID:1488
-
C:\Windows\SysWOW64\Qbonoghb.exeC:\Windows\system32\Qbonoghb.exe90⤵PID:1740
-
C:\Windows\SysWOW64\Qjhbfd32.exeC:\Windows\system32\Qjhbfd32.exe91⤵PID:3836
-
C:\Windows\SysWOW64\Acqgojmb.exeC:\Windows\system32\Acqgojmb.exe92⤵PID:700
-
C:\Windows\SysWOW64\Aadghn32.exeC:\Windows\system32\Aadghn32.exe93⤵
- Drops file in System32 directory
PID:4984 -
C:\Windows\SysWOW64\Aiplmq32.exeC:\Windows\system32\Aiplmq32.exe94⤵PID:1776
-
C:\Windows\SysWOW64\Adepji32.exeC:\Windows\system32\Adepji32.exe95⤵PID:844
-
C:\Windows\SysWOW64\Aibibp32.exeC:\Windows\system32\Aibibp32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:560 -
C:\Windows\SysWOW64\Adgmoigj.exeC:\Windows\system32\Adgmoigj.exe97⤵
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Apnndj32.exeC:\Windows\system32\Apnndj32.exe98⤵PID:880
-
C:\Windows\SysWOW64\Ajdbac32.exeC:\Windows\system32\Ajdbac32.exe99⤵
- Modifies registry class
PID:4112 -
C:\Windows\SysWOW64\Biiobo32.exeC:\Windows\system32\Biiobo32.exe100⤵PID:856
-
C:\Windows\SysWOW64\Bapgdm32.exeC:\Windows\system32\Bapgdm32.exe101⤵PID:5128
-
C:\Windows\SysWOW64\Biklho32.exeC:\Windows\system32\Biklho32.exe102⤵PID:5172
-
C:\Windows\SysWOW64\Binhnomg.exeC:\Windows\system32\Binhnomg.exe103⤵PID:5216
-
C:\Windows\SysWOW64\Bfaigclq.exeC:\Windows\system32\Bfaigclq.exe104⤵PID:5256
-
C:\Windows\SysWOW64\Bpjmph32.exeC:\Windows\system32\Bpjmph32.exe105⤵PID:5304
-
C:\Windows\SysWOW64\Ckpamabg.exeC:\Windows\system32\Ckpamabg.exe106⤵PID:5348
-
C:\Windows\SysWOW64\Cpljehpo.exeC:\Windows\system32\Cpljehpo.exe107⤵PID:5388
-
C:\Windows\SysWOW64\Calfpk32.exeC:\Windows\system32\Calfpk32.exe108⤵PID:5440
-
C:\Windows\SysWOW64\Ckdkhq32.exeC:\Windows\system32\Ckdkhq32.exe109⤵
- Drops file in System32 directory
PID:5484 -
C:\Windows\SysWOW64\Cpcpfg32.exeC:\Windows\system32\Cpcpfg32.exe110⤵PID:5552
-
C:\Windows\SysWOW64\Cmgqpkip.exeC:\Windows\system32\Cmgqpkip.exe111⤵PID:5596
-
C:\Windows\SysWOW64\Dgpeha32.exeC:\Windows\system32\Dgpeha32.exe112⤵PID:5640
-
C:\Windows\SysWOW64\Ddcebe32.exeC:\Windows\system32\Ddcebe32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5684 -
C:\Windows\SysWOW64\Ddfbgelh.exeC:\Windows\system32\Ddfbgelh.exe114⤵PID:5724
-
C:\Windows\SysWOW64\Dajbaika.exeC:\Windows\system32\Dajbaika.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5764 -
C:\Windows\SysWOW64\Daollh32.exeC:\Windows\system32\Daollh32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5808 -
C:\Windows\SysWOW64\Egkddo32.exeC:\Windows\system32\Egkddo32.exe117⤵PID:5848
-
C:\Windows\SysWOW64\Edoencdm.exeC:\Windows\system32\Edoencdm.exe118⤵
- Drops file in System32 directory
PID:5888 -
C:\Windows\SysWOW64\Enhifi32.exeC:\Windows\system32\Enhifi32.exe119⤵PID:5932
-
C:\Windows\SysWOW64\Egpnooan.exeC:\Windows\system32\Egpnooan.exe120⤵PID:5972
-
C:\Windows\SysWOW64\Ecgodpgb.exeC:\Windows\system32\Ecgodpgb.exe121⤵PID:6016
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-