Analysis
-
max time kernel
161s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
03/11/2023, 01:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.ba2e78e607cc30695d97f93ce155e6a0_JC.exe
Resource
win7-20231020-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.ba2e78e607cc30695d97f93ce155e6a0_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.ba2e78e607cc30695d97f93ce155e6a0_JC.exe
-
Size
290KB
-
MD5
ba2e78e607cc30695d97f93ce155e6a0
-
SHA1
c2f97fd7d959df2ca670aa62e8552266fe28347b
-
SHA256
e7112ee0dc85e08b2cb64e66caf9468d1b83f9902c0b64294533104aa877ccb5
-
SHA512
603486ddba790fb685d5b016050e3bccb125d67adfa14cf959c7d8ad463a4d6a13421b5255b01de7cfc55430b4c791afcb70eda42370114b9778f0c166ec1d8a
-
SSDEEP
6144:CfGFbFZgydiDIWuQ6+ipDA+vlnKutqyydiDIWuQ6:Cf+FN1D8Gdhy1
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qclmmq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fppchile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghgbakhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igfkpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njaakf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjccpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chibfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaaikn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eangjkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blenhmph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdpgen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdmfcn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khimhefk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkbohc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnegqjne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phajgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekladi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnealfkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogajid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fddqpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggfombmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ompmie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfbdfgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofckao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enhipo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdfkhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elfhmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cccppgcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeeaibid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfnbbg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbecgned.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdkdcgpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cphgca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqmocjdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnegqjne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chibfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnmqegle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbcaemdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcgackke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggqingie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibjqlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odjeepna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnnlcpcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlicp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djlkhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chnlbndj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaiqmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjbnndgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdegkdim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjaciafc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbndjld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmfpeoga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqfbihll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pijjdial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmlicp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lilbdcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ompmie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eagahnob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cncnhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnmfdpni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcckcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afclpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knkokl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccipelcf.exe -
Executes dropped EXE 64 IoCs
pid Process 1504 Aeeomegd.exe 2440 Ehpmbj32.exe 4240 Fpnkdfko.exe 3092 Fcaqka32.exe 1108 Hofmaq32.exe 724 Hfgloiqf.exe 4652 Ifqoehhl.exe 3280 Mhoind32.exe 4080 Nmedmj32.exe 860 Opjgidfa.exe 3356 Pdklebje.exe 4392 Phpklp32.exe 3740 Akenij32.exe 4340 Bdiamnpc.exe 1340 Cejjdlap.exe 4984 Dbijinfl.exe 208 Eangjkkd.exe 1060 Elfhmc32.exe 3828 Ebejem32.exe 4000 Fhflhcfa.exe 3816 Feofmf32.exe 2588 Gedohfmp.exe 1976 Hocjaj32.exe 3116 Hepoddcc.exe 1260 Ifphkbep.exe 4660 Jhcmbm32.exe 1808 Kiomnk32.exe 3792 Lpinac32.exe 3544 Mppdbb32.exe 880 Mbamcm32.exe 552 Pgbdmfnc.exe 4604 Qnniopcm.exe 1132 Alcfpm32.exe 3348 Agikne32.exe 4400 Bqokhi32.exe 3276 Dqdnjfpc.exe 2516 Eanqpdgi.exe 3076 Emdaee32.exe 1896 Fnmqegle.exe 2800 Fdmfcn32.exe 1476 Fnbjpf32.exe 516 Gdclcmba.exe 3468 Hmlicp32.exe 4728 Ilbclg32.exe 2180 Iaokdn32.exe 2264 Jaodkk32.exe 1280 Khimhefk.exe 4432 Knkokl32.exe 3136 Lilbdcfe.exe 4024 Mkadam32.exe 5016 Neaokboj.exe 3636 Npmjij32.exe 4524 Oeoklp32.exe 1212 Oimdbnip.exe 2156 Pbokab32.exe 536 Plgpjhnf.exe 3972 Albpff32.exe 3004 Aljefena.exe 3248 Bcfkiock.exe 4200 Bckddn32.exe 4368 Cnealfkf.exe 3536 Cljomc32.exe 2096 Cphgca32.exe 2732 Ccipelcf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Elnipj32.dll Jaodkk32.exe File created C:\Windows\SysWOW64\Fgaeio32.dll Niklip32.exe File created C:\Windows\SysWOW64\Kabkpqgj.exe Kkechjib.exe File created C:\Windows\SysWOW64\Bekdmnio.exe Anobaa32.exe File created C:\Windows\SysWOW64\Fmfgoa32.exe Fnegqjne.exe File created C:\Windows\SysWOW64\Giafegnk.dll Mcpcnm32.exe File created C:\Windows\SysWOW64\Chaokbkj.dll Oaeegjeb.exe File created C:\Windows\SysWOW64\Ifmfdg32.dll Bgeabloo.exe File created C:\Windows\SysWOW64\Emphhhoh.exe Efepln32.exe File opened for modification C:\Windows\SysWOW64\Oqhooh32.exe Ofckao32.exe File created C:\Windows\SysWOW64\Lonqoi32.dll Hocjaj32.exe File opened for modification C:\Windows\SysWOW64\Kdcicipb.exe Kkkdjcjb.exe File created C:\Windows\SysWOW64\Eojpjafa.dll Mceccbpj.exe File created C:\Windows\SysWOW64\Jhcipkpg.dll Nljgfn32.exe File created C:\Windows\SysWOW64\Onhdlj32.dll Eddnbhfe.exe File created C:\Windows\SysWOW64\Ocicekcm.dll Alcfpm32.exe File opened for modification C:\Windows\SysWOW64\Denlgq32.exe Cediab32.exe File created C:\Windows\SysWOW64\Fbihdhhf.exe Fdegkdim.exe File created C:\Windows\SysWOW64\Djjmpi32.dll Ddgpfgil.exe File created C:\Windows\SysWOW64\Edgbbo32.exe Eojijg32.exe File opened for modification C:\Windows\SysWOW64\Mfpeeb32.exe Mbbloc32.exe File created C:\Windows\SysWOW64\Lnqkfl32.dll Mfpeeb32.exe File opened for modification C:\Windows\SysWOW64\Gjmmfq32.exe Ffjkdc32.exe File created C:\Windows\SysWOW64\Khaahimc.dll Opongobp.exe File created C:\Windows\SysWOW64\Kacpncqg.dll Gnckjbfj.exe File opened for modification C:\Windows\SysWOW64\Filicodb.exe Fpcdji32.exe File created C:\Windows\SysWOW64\Kmlmlo32.exe Kdcicipb.exe File created C:\Windows\SysWOW64\Phqdjm32.dll Eonmkkmj.exe File opened for modification C:\Windows\SysWOW64\Fmfgoa32.exe Fnegqjne.exe File created C:\Windows\SysWOW64\Klndopje.exe Kojdflkl.exe File created C:\Windows\SysWOW64\Cecnom32.dll Bpcgionf.exe File opened for modification C:\Windows\SysWOW64\Kdfmcobk.exe Kacgld32.exe File opened for modification C:\Windows\SysWOW64\Bjjjhifm.exe Aqoijcbo.exe File opened for modification C:\Windows\SysWOW64\Olfgbl32.exe Odjeepna.exe File created C:\Windows\SysWOW64\Maplgcdk.dll Daeioo32.exe File created C:\Windows\SysWOW64\Ebnocpfp.exe Ejbknnid.exe File created C:\Windows\SysWOW64\Ipnaen32.exe Ibjqlj32.exe File opened for modification C:\Windows\SysWOW64\Nbadmege.exe Nekgna32.exe File created C:\Windows\SysWOW64\Mkkkjn32.dll Fqdbnhco.exe File created C:\Windows\SysWOW64\Ochjmd32.exe Nhbfpl32.exe File created C:\Windows\SysWOW64\Ghphddfl.dll Pajekb32.exe File created C:\Windows\SysWOW64\Njfbkhnd.dll Mcdeof32.exe File created C:\Windows\SysWOW64\Gkianp32.exe Gdoiaf32.exe File created C:\Windows\SysWOW64\Lpinac32.exe Kiomnk32.exe File created C:\Windows\SysWOW64\Cajblmci.exe Clmjcfdb.exe File opened for modification C:\Windows\SysWOW64\Daeioo32.exe Dcdiahme.exe File created C:\Windows\SysWOW64\Ddoned32.dll Mhoind32.exe File opened for modification C:\Windows\SysWOW64\Ekefgi32.exe Ealanc32.exe File created C:\Windows\SysWOW64\Ojmfcpgm.dll Ihkigd32.exe File created C:\Windows\SysWOW64\Pbolkada.dll Ealopnol.exe File created C:\Windows\SysWOW64\Chdmnkig.dll Hmhhnmao.exe File created C:\Windows\SysWOW64\Eclkpa32.dll Odaphl32.exe File opened for modification C:\Windows\SysWOW64\Igfkpd32.exe Ikokkc32.exe File created C:\Windows\SysWOW64\Plkoji32.dll Klndopje.exe File created C:\Windows\SysWOW64\Okleqm32.dll Eangjkkd.exe File created C:\Windows\SysWOW64\Bqokhi32.exe Agikne32.exe File opened for modification C:\Windows\SysWOW64\Eoepohml.exe Edplapnf.exe File opened for modification C:\Windows\SysWOW64\Bdbndjld.exe Bkjikd32.exe File created C:\Windows\SysWOW64\Pgohgkgm.dll Apmhbf32.exe File created C:\Windows\SysWOW64\Npjpooea.dll Kdcicipb.exe File opened for modification C:\Windows\SysWOW64\Fdegkdim.exe Fcckcl32.exe File created C:\Windows\SysWOW64\Pqhammje.exe Odaphl32.exe File created C:\Windows\SysWOW64\Hfkhddge.dll Ahonbhig.exe File created C:\Windows\SysWOW64\Jceheoop.dll Apekha32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcimmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjdcfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggqingie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eimegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkachhph.dll" Aecnmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoamab32.dll" Kkbohc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phajgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjjjhifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdldgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aiifeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Daeioo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgeiokao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghgbakhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlpefa32.dll" Pddhlnfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhppap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpheoll.dll" Nacmnlkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oaeegjeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnanpfdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jocnem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljheeage.dll" Obebla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maplgcdk.dll" Daeioo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbapdfkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Digeaenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmbmdc32.dll" Agbgda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nijqml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qpikao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpnhoqmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdalfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Padeem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpjfqljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Feofmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolkip32.dll" Gohhik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnegqjne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imdlgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkgmegi.dll" Emphhhoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odjeepna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bojogb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolahq32.dll" Fnbjpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbcaemdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adbiojfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjjjhifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dqdnjfpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gohhik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofhkgeij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdjgm32.dll" Pjaciafc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmlihnd.dll" Hoakpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjqqid32.dll" Fkllghoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pogpcghp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apekha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foaeccgp.dll" Dbijinfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjbnndgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndbhcn32.dll" Nqolii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjambdq.dll" Oimdbnip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chokcakp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfdhdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngfnnqih.dll" Lmnjan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fqdbnhco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpokgb32.dll" Dgmhmggq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjccpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnmqegle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgkijp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Caagofme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbphqahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfclmfhl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5116 wrote to memory of 1504 5116 NEAS.ba2e78e607cc30695d97f93ce155e6a0_JC.exe 90 PID 5116 wrote to memory of 1504 5116 NEAS.ba2e78e607cc30695d97f93ce155e6a0_JC.exe 90 PID 5116 wrote to memory of 1504 5116 NEAS.ba2e78e607cc30695d97f93ce155e6a0_JC.exe 90 PID 1504 wrote to memory of 2440 1504 Aeeomegd.exe 91 PID 1504 wrote to memory of 2440 1504 Aeeomegd.exe 91 PID 1504 wrote to memory of 2440 1504 Aeeomegd.exe 91 PID 2440 wrote to memory of 4240 2440 Ehpmbj32.exe 92 PID 2440 wrote to memory of 4240 2440 Ehpmbj32.exe 92 PID 2440 wrote to memory of 4240 2440 Ehpmbj32.exe 92 PID 4240 wrote to memory of 3092 4240 Fpnkdfko.exe 94 PID 4240 wrote to memory of 3092 4240 Fpnkdfko.exe 94 PID 4240 wrote to memory of 3092 4240 Fpnkdfko.exe 94 PID 3092 wrote to memory of 1108 3092 Fcaqka32.exe 95 PID 3092 wrote to memory of 1108 3092 Fcaqka32.exe 95 PID 3092 wrote to memory of 1108 3092 Fcaqka32.exe 95 PID 1108 wrote to memory of 724 1108 Hofmaq32.exe 96 PID 1108 wrote to memory of 724 1108 Hofmaq32.exe 96 PID 1108 wrote to memory of 724 1108 Hofmaq32.exe 96 PID 724 wrote to memory of 4652 724 Hfgloiqf.exe 98 PID 724 wrote to memory of 4652 724 Hfgloiqf.exe 98 PID 724 wrote to memory of 4652 724 Hfgloiqf.exe 98 PID 4652 wrote to memory of 3280 4652 Ifqoehhl.exe 99 PID 4652 wrote to memory of 3280 4652 Ifqoehhl.exe 99 PID 4652 wrote to memory of 3280 4652 Ifqoehhl.exe 99 PID 3280 wrote to memory of 4080 3280 Mhoind32.exe 100 PID 3280 wrote to memory of 4080 3280 Mhoind32.exe 100 PID 3280 wrote to memory of 4080 3280 Mhoind32.exe 100 PID 4080 wrote to memory of 860 4080 Nmedmj32.exe 101 PID 4080 wrote to memory of 860 4080 Nmedmj32.exe 101 PID 4080 wrote to memory of 860 4080 Nmedmj32.exe 101 PID 860 wrote to memory of 3356 860 Opjgidfa.exe 103 PID 860 wrote to memory of 3356 860 Opjgidfa.exe 103 PID 860 wrote to memory of 3356 860 Opjgidfa.exe 103 PID 3356 wrote to memory of 4392 3356 Pdklebje.exe 104 PID 3356 wrote to memory of 4392 3356 Pdklebje.exe 104 PID 3356 wrote to memory of 4392 3356 Pdklebje.exe 104 PID 4392 wrote to memory of 3740 4392 Phpklp32.exe 105 PID 4392 wrote to memory of 3740 4392 Phpklp32.exe 105 PID 4392 wrote to memory of 3740 4392 Phpklp32.exe 105 PID 3740 wrote to memory of 4340 3740 Akenij32.exe 107 PID 3740 wrote to memory of 4340 3740 Akenij32.exe 107 PID 3740 wrote to memory of 4340 3740 Akenij32.exe 107 PID 4340 wrote to memory of 1340 4340 Bdiamnpc.exe 108 PID 4340 wrote to memory of 1340 4340 Bdiamnpc.exe 108 PID 4340 wrote to memory of 1340 4340 Bdiamnpc.exe 108 PID 1340 wrote to memory of 4984 1340 Cejjdlap.exe 109 PID 1340 wrote to memory of 4984 1340 Cejjdlap.exe 109 PID 1340 wrote to memory of 4984 1340 Cejjdlap.exe 109 PID 4984 wrote to memory of 208 4984 Dbijinfl.exe 110 PID 4984 wrote to memory of 208 4984 Dbijinfl.exe 110 PID 4984 wrote to memory of 208 4984 Dbijinfl.exe 110 PID 208 wrote to memory of 1060 208 Eangjkkd.exe 111 PID 208 wrote to memory of 1060 208 Eangjkkd.exe 111 PID 208 wrote to memory of 1060 208 Eangjkkd.exe 111 PID 1060 wrote to memory of 3828 1060 Elfhmc32.exe 112 PID 1060 wrote to memory of 3828 1060 Elfhmc32.exe 112 PID 1060 wrote to memory of 3828 1060 Elfhmc32.exe 112 PID 3828 wrote to memory of 4000 3828 Ebejem32.exe 113 PID 3828 wrote to memory of 4000 3828 Ebejem32.exe 113 PID 3828 wrote to memory of 4000 3828 Ebejem32.exe 113 PID 4000 wrote to memory of 3816 4000 Fhflhcfa.exe 114 PID 4000 wrote to memory of 3816 4000 Fhflhcfa.exe 114 PID 4000 wrote to memory of 3816 4000 Fhflhcfa.exe 114 PID 3816 wrote to memory of 2588 3816 Feofmf32.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.ba2e78e607cc30695d97f93ce155e6a0_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.ba2e78e607cc30695d97f93ce155e6a0_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\Aeeomegd.exeC:\Windows\system32\Aeeomegd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Ehpmbj32.exeC:\Windows\system32\Ehpmbj32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Fpnkdfko.exeC:\Windows\system32\Fpnkdfko.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Windows\SysWOW64\Fcaqka32.exeC:\Windows\system32\Fcaqka32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Hofmaq32.exeC:\Windows\system32\Hofmaq32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Hfgloiqf.exeC:\Windows\system32\Hfgloiqf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Windows\SysWOW64\Ifqoehhl.exeC:\Windows\system32\Ifqoehhl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\Mhoind32.exeC:\Windows\system32\Mhoind32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\SysWOW64\Nmedmj32.exeC:\Windows\system32\Nmedmj32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\Opjgidfa.exeC:\Windows\system32\Opjgidfa.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Pdklebje.exeC:\Windows\system32\Pdklebje.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Phpklp32.exeC:\Windows\system32\Phpklp32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Windows\SysWOW64\Akenij32.exeC:\Windows\system32\Akenij32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\Bdiamnpc.exeC:\Windows\system32\Bdiamnpc.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\SysWOW64\Cejjdlap.exeC:\Windows\system32\Cejjdlap.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\Dbijinfl.exeC:\Windows\system32\Dbijinfl.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Eangjkkd.exeC:\Windows\system32\Eangjkkd.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\Elfhmc32.exeC:\Windows\system32\Elfhmc32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Ebejem32.exeC:\Windows\system32\Ebejem32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Windows\SysWOW64\Fhflhcfa.exeC:\Windows\system32\Fhflhcfa.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\SysWOW64\Feofmf32.exeC:\Windows\system32\Feofmf32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\SysWOW64\Gedohfmp.exeC:\Windows\system32\Gedohfmp.exe23⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Hocjaj32.exeC:\Windows\system32\Hocjaj32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Hepoddcc.exeC:\Windows\system32\Hepoddcc.exe25⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Ifphkbep.exeC:\Windows\system32\Ifphkbep.exe26⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Jhcmbm32.exeC:\Windows\system32\Jhcmbm32.exe27⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Kiomnk32.exeC:\Windows\system32\Kiomnk32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Lpinac32.exeC:\Windows\system32\Lpinac32.exe29⤵
- Executes dropped EXE
PID:3792 -
C:\Windows\SysWOW64\Mppdbb32.exeC:\Windows\system32\Mppdbb32.exe30⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Mbamcm32.exeC:\Windows\system32\Mbamcm32.exe31⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Pgbdmfnc.exeC:\Windows\system32\Pgbdmfnc.exe32⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Qnniopcm.exeC:\Windows\system32\Qnniopcm.exe33⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Alcfpm32.exeC:\Windows\system32\Alcfpm32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1132 -
C:\Windows\SysWOW64\Agikne32.exeC:\Windows\system32\Agikne32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3348 -
C:\Windows\SysWOW64\Bqokhi32.exeC:\Windows\system32\Bqokhi32.exe36⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Dqdnjfpc.exeC:\Windows\system32\Dqdnjfpc.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:3276 -
C:\Windows\SysWOW64\Eanqpdgi.exeC:\Windows\system32\Eanqpdgi.exe38⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Emdaee32.exeC:\Windows\system32\Emdaee32.exe39⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Fnmqegle.exeC:\Windows\system32\Fnmqegle.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Fdmfcn32.exeC:\Windows\system32\Fdmfcn32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Fnbjpf32.exeC:\Windows\system32\Fnbjpf32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Gdclcmba.exeC:\Windows\system32\Gdclcmba.exe43⤵
- Executes dropped EXE
PID:516 -
C:\Windows\SysWOW64\Hmlicp32.exeC:\Windows\system32\Hmlicp32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Ilbclg32.exeC:\Windows\system32\Ilbclg32.exe45⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Iaokdn32.exeC:\Windows\system32\Iaokdn32.exe46⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Jaodkk32.exeC:\Windows\system32\Jaodkk32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Khimhefk.exeC:\Windows\system32\Khimhefk.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Knkokl32.exeC:\Windows\system32\Knkokl32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Lilbdcfe.exeC:\Windows\system32\Lilbdcfe.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Mkadam32.exeC:\Windows\system32\Mkadam32.exe51⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Neaokboj.exeC:\Windows\system32\Neaokboj.exe52⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Npmjij32.exeC:\Windows\system32\Npmjij32.exe53⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Oeoklp32.exeC:\Windows\system32\Oeoklp32.exe54⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Oimdbnip.exeC:\Windows\system32\Oimdbnip.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Pbokab32.exeC:\Windows\system32\Pbokab32.exe56⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Plgpjhnf.exeC:\Windows\system32\Plgpjhnf.exe57⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Albpff32.exeC:\Windows\system32\Albpff32.exe58⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Aljefena.exeC:\Windows\system32\Aljefena.exe59⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Bcfkiock.exeC:\Windows\system32\Bcfkiock.exe60⤵
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Bckddn32.exeC:\Windows\system32\Bckddn32.exe61⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Cnealfkf.exeC:\Windows\system32\Cnealfkf.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Cljomc32.exeC:\Windows\system32\Cljomc32.exe63⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Cphgca32.exeC:\Windows\system32\Cphgca32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Ccipelcf.exeC:\Windows\system32\Ccipelcf.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Cnndbecl.exeC:\Windows\system32\Cnndbecl.exe66⤵PID:3964
-
C:\Windows\SysWOW64\Dlcaca32.exeC:\Windows\system32\Dlcaca32.exe67⤵PID:4124
-
C:\Windows\SysWOW64\Dodjemee.exeC:\Windows\system32\Dodjemee.exe68⤵PID:1220
-
C:\Windows\SysWOW64\Dfnbbg32.exeC:\Windows\system32\Dfnbbg32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5108 -
C:\Windows\SysWOW64\Djlkhe32.exeC:\Windows\system32\Djlkhe32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1520 -
C:\Windows\SysWOW64\Dfclmfhl.exeC:\Windows\system32\Dfclmfhl.exe71⤵
- Modifies registry class
PID:1180 -
C:\Windows\SysWOW64\Dqhpjohb.exeC:\Windows\system32\Dqhpjohb.exe72⤵PID:4948
-
C:\Windows\SysWOW64\Eonmkkmj.exeC:\Windows\system32\Eonmkkmj.exe73⤵
- Drops file in System32 directory
PID:768 -
C:\Windows\SysWOW64\Fppchile.exeC:\Windows\system32\Fppchile.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4688 -
C:\Windows\SysWOW64\Ffjkdc32.exeC:\Windows\system32\Ffjkdc32.exe75⤵
- Drops file in System32 directory
PID:384 -
C:\Windows\SysWOW64\Gjmmfq32.exeC:\Windows\system32\Gjmmfq32.exe76⤵PID:1504
-
C:\Windows\SysWOW64\Hjdcfp32.exeC:\Windows\system32\Hjdcfp32.exe77⤵
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Hdlhoefk.exeC:\Windows\system32\Hdlhoefk.exe78⤵PID:3304
-
C:\Windows\SysWOW64\Hnblmnfa.exeC:\Windows\system32\Hnblmnfa.exe79⤵PID:2880
-
C:\Windows\SysWOW64\Hfmqapcl.exeC:\Windows\system32\Hfmqapcl.exe80⤵PID:2828
-
C:\Windows\SysWOW64\Hjkigojc.exeC:\Windows\system32\Hjkigojc.exe81⤵PID:5132
-
C:\Windows\SysWOW64\Haeadi32.exeC:\Windows\system32\Haeadi32.exe82⤵PID:5212
-
C:\Windows\SysWOW64\Iplkje32.exeC:\Windows\system32\Iplkje32.exe83⤵PID:5276
-
C:\Windows\SysWOW64\Jognokdi.exeC:\Windows\system32\Jognokdi.exe84⤵PID:5336
-
C:\Windows\SysWOW64\Jajdff32.exeC:\Windows\system32\Jajdff32.exe85⤵PID:5380
-
C:\Windows\SysWOW64\Kacgld32.exeC:\Windows\system32\Kacgld32.exe86⤵
- Drops file in System32 directory
PID:5424 -
C:\Windows\SysWOW64\Kdfmcobk.exeC:\Windows\system32\Kdfmcobk.exe87⤵PID:5464
-
C:\Windows\SysWOW64\Kgeiokao.exeC:\Windows\system32\Kgeiokao.exe88⤵
- Modifies registry class
PID:5504 -
C:\Windows\SysWOW64\Lajmmc32.exeC:\Windows\system32\Lajmmc32.exe89⤵PID:5560
-
C:\Windows\SysWOW64\Mbfmha32.exeC:\Windows\system32\Mbfmha32.exe90⤵PID:5596
-
C:\Windows\SysWOW64\Mbhina32.exeC:\Windows\system32\Mbhina32.exe91⤵PID:5652
-
C:\Windows\SysWOW64\Nqifkl32.exeC:\Windows\system32\Nqifkl32.exe92⤵PID:5692
-
C:\Windows\SysWOW64\Nnmfdpni.exeC:\Windows\system32\Nnmfdpni.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5748 -
C:\Windows\SysWOW64\Nkagndmc.exeC:\Windows\system32\Nkagndmc.exe94⤵PID:5788
-
C:\Windows\SysWOW64\Nieggill.exeC:\Windows\system32\Nieggill.exe95⤵PID:5872
-
C:\Windows\SysWOW64\Oaeegjeb.exeC:\Windows\system32\Oaeegjeb.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:5920 -
C:\Windows\SysWOW64\Onifpodl.exeC:\Windows\system32\Onifpodl.exe97⤵PID:5968
-
C:\Windows\SysWOW64\Ogajid32.exeC:\Windows\system32\Ogajid32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6012 -
C:\Windows\SysWOW64\Obgofmjb.exeC:\Windows\system32\Obgofmjb.exe99⤵PID:6080
-
C:\Windows\SysWOW64\Ppdbfpaa.exeC:\Windows\system32\Ppdbfpaa.exe100⤵PID:6128
-
C:\Windows\SysWOW64\Qpikao32.exeC:\Windows\system32\Qpikao32.exe101⤵
- Modifies registry class
PID:4256 -
C:\Windows\SysWOW64\Aehpof32.exeC:\Windows\system32\Aehpof32.exe102⤵PID:3092
-
C:\Windows\SysWOW64\Apndloif.exeC:\Windows\system32\Apndloif.exe103⤵PID:5332
-
C:\Windows\SysWOW64\Abqjci32.exeC:\Windows\system32\Abqjci32.exe104⤵PID:5376
-
C:\Windows\SysWOW64\Bhppap32.exeC:\Windows\system32\Bhppap32.exe105⤵
- Modifies registry class
PID:5452 -
C:\Windows\SysWOW64\Bbhqdhnm.exeC:\Windows\system32\Bbhqdhnm.exe106⤵PID:5536
-
C:\Windows\SysWOW64\Bekfkc32.exeC:\Windows\system32\Bekfkc32.exe107⤵PID:5584
-
C:\Windows\SysWOW64\Blenhmph.exeC:\Windows\system32\Blenhmph.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1100 -
C:\Windows\SysWOW64\Caagpdop.exeC:\Windows\system32\Caagpdop.exe109⤵PID:5688
-
C:\Windows\SysWOW64\Clgkmm32.exeC:\Windows\system32\Clgkmm32.exe110⤵PID:5736
-
C:\Windows\SysWOW64\Cadcfd32.exeC:\Windows\system32\Cadcfd32.exe111⤵PID:4056
-
C:\Windows\SysWOW64\Chnlbndj.exeC:\Windows\system32\Chnlbndj.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5896 -
C:\Windows\SysWOW64\Cccppgcp.exeC:\Windows\system32\Cccppgcp.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5964 -
C:\Windows\SysWOW64\Cojqdhid.exeC:\Windows\system32\Cojqdhid.exe114⤵PID:6072
-
C:\Windows\SysWOW64\Cediab32.exeC:\Windows\system32\Cediab32.exe115⤵
- Drops file in System32 directory
PID:4080 -
C:\Windows\SysWOW64\Denlgq32.exeC:\Windows\system32\Denlgq32.exe116⤵PID:5196
-
C:\Windows\SysWOW64\Eokjke32.exeC:\Windows\system32\Eokjke32.exe117⤵PID:4548
-
C:\Windows\SysWOW64\Ejbknnid.exeC:\Windows\system32\Ejbknnid.exe118⤵
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Ebnocpfp.exeC:\Windows\system32\Ebnocpfp.exe119⤵PID:5448
-
C:\Windows\SysWOW64\Fcfocb32.exeC:\Windows\system32\Fcfocb32.exe120⤵PID:1632
-
C:\Windows\SysWOW64\Gbqeonfj.exeC:\Windows\system32\Gbqeonfj.exe121⤵PID:5728
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-