Analysis
max time kernel: 130s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/11/2023, 01:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.adaef7fd03fdc688458904e44351f890_JC.exe
Resource
win7-20231020-en
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.adaef7fd03fdc688458904e44351f890_JC.exe
Resource
win10v2004-20231023-en
6 signatures
150 seconds
General
Target: NEAS.adaef7fd03fdc688458904e44351f890_JC.exe
Size: 95KB
MD5: adaef7fd03fdc688458904e44351f890
SHA1: dce685fe47e36d651980faa7f648c9e91a3985d9
SHA256: cd4c612ede1723bd3576c8534fb354a57117badc04092d86ec3b1b40368d9781
SHA512: aa1aa2fee62bea6944f725d07b410ca774298de569ef703568ade57c8cf9ea017396ee78865bb3bf20de7fa988c95f55fdf961135105e40d81ce8a9947c366d1
SSDEEP: 1536:86PlyuV/7QKM7wxvvHPAi2YkML0ZjVUTd4ZOM6bOLXi8PmCofGV:8QlyuV/7QKM7wNvHPAQLyZDrLXfzoeV
Score: 10/10
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlooef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jbagkkgj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fplnogmb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfejme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Amhlpb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mcdlil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hpfbmcaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mplfll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ehfjkn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnaighhk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpgfhddn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfjjqg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mabnlh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nihdhl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Njahki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Agojdnng.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfimpfmj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iebnqofj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aifdcgcp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgipmdmn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eicemccc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Goepgg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebpqjmpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jeolonem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fibocnnj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijqmacpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ljaooodf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Baepjpea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fkiobhac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ifbbbl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onicbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lfgboc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mfkkjbnn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iafgob32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fibocnnj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idieob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mhoiih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Adanbffk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knchio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cobkbhgk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oajmdd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Alimnj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agojdnng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pimkkfka.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Doqpkq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljaooodf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Modgnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qopbjf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojfcmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dhgogojd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iimcgg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhckmmeg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Icbbimih.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogmaneoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gnfhob32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkgleegf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hhmmkcko.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpfbmcaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ghnpmqef.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ganppk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kqknekjf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jikohe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mohingqi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gmkibl32.exe
Executes dropped EXE (64 IoCs)
pid | Process
4928 | Nhdicjfp.exe
956 | Qhekaejj.exe
4972 | Akjnnpcf.exe
2084 | Abdfkj32.exe
3920 | Afboah32.exe
2612 | Agckiqgg.exe
3964 | Bghddp32.exe
2684 | Beobcdoi.exe
1124 | Bbeobhlp.exe
740 | Chddpn32.exe
1468 | Cifmoa32.exe
4528 | Dfngcdhi.exe
1292 | Dhdmfljb.exe
568 | Eifffoob.exe
2024 | Elilmi32.exe
4404 | Fplnogmb.exe
4648 | Fcodfa32.exe
4292 | Fpeaeedg.exe
4792 | Gojnfb32.exe
3092 | Glqkefff.exe
4276 | Glchjedc.exe
4024 | Gledpe32.exe
4848 | Hhleefhe.exe
4880 | Hcipcnac.exe
1860 | Iqmplbpl.exe
4992 | Ifnbph32.exe
2088 | Icbbimih.exe
4564 | Jflnafno.exe
3824 | Kmmmnp32.exe
1012 | Lmkipncc.exe
1212 | Migcpneb.exe
2400 | Nagngjmj.exe
5004 | Ngipjp32.exe
2184 | Ogpfko32.exe
4320 | Pjgemi32.exe
2992 | Pjjaci32.exe
3140 | Pjahchpb.exe
2416 | Akenij32.exe
4436 | Aglnnkid.exe
4252 | Ahkkhnpg.exe
1076 | Bqnemp32.exe
1072 | Bkcjjhgp.exe
1816 | Cjomldfp.exe
3080 | Celgjlpn.exe
3656 | Dhfcae32.exe
3932 | Ebpqjmpd.exe
464 | Fbnmkk32.exe
2316 | Ghgeoq32.exe
2308 | Hocjaj32.exe
3052 | Ikejbjip.exe
4444 | Ikjcmi32.exe
4684 | Iadljc32.exe
388 | Jbpkfa32.exe
4032 | Kiajck32.exe
2596 | Lcndab32.exe
1088 | Lmfhjhdm.exe
3892 | Mpnglbkf.exe
3164 | Njahki32.exe
1276 | Ollgiplp.exe
2828 | Plhgdn32.exe
4520 | Qmlmjq32.exe
1332 | Qibmoa32.exe
5056 | Agikne32.exe
2812 | Angleokb.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Bfenncdp.exe | Bfpdcc32.exe
File created | C:\Windows\SysWOW64\Jkligd32.exe | Jdaajkfd.exe
File created | C:\Windows\SysWOW64\Bhojahae.dll | Hnkonpeo.exe
File created | C:\Windows\SysWOW64\Cjodgeeo.dll | Mpnglbkf.exe
File created | C:\Windows\SysWOW64\Flhpen32.dll | Palkgi32.exe
File opened for modification | C:\Windows\SysWOW64\Ffpjihee.exe | Eaoenjqa.exe
File created | C:\Windows\SysWOW64\Dainko32.dll | Ljaooodf.exe
File opened for modification | C:\Windows\SysWOW64\Lcdcbokq.exe | Lqfgfclm.exe
File created | C:\Windows\SysWOW64\Chibfa32.exe | Coqnmkpd.exe
File created | C:\Windows\SysWOW64\Clhghiic.dll | NEAS.adaef7fd03fdc688458904e44351f890_JC.exe
File created | C:\Windows\SysWOW64\Jflnafno.exe | Icbbimih.exe
File created | C:\Windows\SysWOW64\Qibmoa32.exe | Qmlmjq32.exe
File created | C:\Windows\SysWOW64\Bipjbe32.dll | Gdkgam32.exe
File created | C:\Windows\SysWOW64\Bcokah32.exe | Bkhcpkkb.exe
File created | C:\Windows\SysWOW64\Hkiclepa.exe | Gmggac32.exe
File created | C:\Windows\SysWOW64\Ffjdjmpf.exe | Fjccel32.exe
File opened for modification | C:\Windows\SysWOW64\Ijqmacpl.exe | Ijnqld32.exe
File opened for modification | C:\Windows\SysWOW64\Ipjenn32.exe | Ijqmacpl.exe
File created | C:\Windows\SysWOW64\Dpifhh32.dll | Bkeppeii.exe
File opened for modification | C:\Windows\SysWOW64\Ehikmohb.exe | Dhgogojd.exe
File opened for modification | C:\Windows\SysWOW64\Cfaddg32.exe | Ccpkblqn.exe
File opened for modification | C:\Windows\SysWOW64\Emnbmoef.exe | Epjadk32.exe
File opened for modification | C:\Windows\SysWOW64\Gpodfh32.exe | Gmqgjl32.exe
File created | C:\Windows\SysWOW64\Pdkolm32.exe | Pmafpchb.exe
File created | C:\Windows\SysWOW64\Kcmfgimm.exe | Kpnjknni.exe
File created | C:\Windows\SysWOW64\Mplfll32.exe | Lfgboc32.exe
File created | C:\Windows\SysWOW64\Plhllf32.dll | Pjjaci32.exe
File created | C:\Windows\SysWOW64\Lddqbbco.dll | Akenij32.exe
File created | C:\Windows\SysWOW64\Nnmojj32.exe | Ngbgmpcq.exe
File created | C:\Windows\SysWOW64\Cefolk32.exe | Ceoillaj.exe
File created | C:\Windows\SysWOW64\Aijjie32.dll | Pafcjijo.exe
File created | C:\Windows\SysWOW64\Nomcig32.exe | Nhckmmeg.exe
File created | C:\Windows\SysWOW64\Agckiqgg.exe | Afboah32.exe
File opened for modification | C:\Windows\SysWOW64\Jnaighhk.exe | Idieob32.exe
File opened for modification | C:\Windows\SysWOW64\Pfanmcao.exe | Pjkmhblk.exe
File created | C:\Windows\SysWOW64\Fplnogmb.exe | Elilmi32.exe
File created | C:\Windows\SysWOW64\Jpbdfgge.exe | Immaimnj.exe
File opened for modification | C:\Windows\SysWOW64\Laiaqp32.exe | Ljpideje.exe
File opened for modification | C:\Windows\SysWOW64\Ljbfiegb.exe | Liqibm32.exe
File created | C:\Windows\SysWOW64\Epdaneff.exe | Dflmep32.exe
File opened for modification | C:\Windows\SysWOW64\Gmqgjl32.exe | Ggfombmd.exe
File opened for modification | C:\Windows\SysWOW64\Ahnghafl.exe | Aepklffh.exe
File opened for modification | C:\Windows\SysWOW64\Hpaibe32.exe | Hkeajn32.exe
File created | C:\Windows\SysWOW64\Hpqomfcl.dll | Ijqmacpl.exe
File created | C:\Windows\SysWOW64\Fmancbji.exe | Eicemccc.exe
File opened for modification | C:\Windows\SysWOW64\Qfkqcb32.exe | Pnmojp32.exe
File created | C:\Windows\SysWOW64\Fopomipq.dll | Aogbpo32.exe
File created | C:\Windows\SysWOW64\Pcnalbce.exe | Pmdioh32.exe
File created | C:\Windows\SysWOW64\Bbeobhlp.exe | Beobcdoi.exe
File created | C:\Windows\SysWOW64\Coepob32.exe | Chkhbh32.exe
File created | C:\Windows\SysWOW64\Jendlnof.dll | Edmjpoli.exe
File opened for modification | C:\Windows\SysWOW64\Gpkiklop.exe | Gnlmai32.exe
File created | C:\Windows\SysWOW64\Bejoqm32.exe | Bopgdcnc.exe
File created | C:\Windows\SysWOW64\Capbaacl.exe | Cclagm32.exe
File opened for modification | C:\Windows\SysWOW64\Neglceej.exe | Nmpdbh32.exe
File opened for modification | C:\Windows\SysWOW64\Fmcjiagf.exe | Fnbjkj32.exe
File opened for modification | C:\Windows\SysWOW64\Oqgkadod.exe | Ndfgfd32.exe
File opened for modification | C:\Windows\SysWOW64\Kiggln32.exe | Kkcfbj32.exe
File created | C:\Windows\SysWOW64\Jnjecp32.exe | Jkligd32.exe
File opened for modification | C:\Windows\SysWOW64\Dbkpokhf.exe | Domdcpib.exe
File created | C:\Windows\SysWOW64\Ngikpjml.exe | Mokmnm32.exe
File opened for modification | C:\Windows\SysWOW64\Bkglkapo.exe | Bdkghg32.exe
File created | C:\Windows\SysWOW64\Hpgico32.dll | Kihdqkaf.exe
File created | C:\Windows\SysWOW64\Nimioo32.exe | Nohdaf32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
8432 | 9160 | WerFault.exe | 963
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qodgifnn.dll" | Kiphcdkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jhlgpp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmioon32.dll" | Jkligd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ojbamj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mjlhpgfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ghnpmqef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekcqji32.dll" | Neqoidmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ldpmlh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jbdliejl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mopoei32.dll" | Hlefgphj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lookln32.dll" | Mdhdkp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jiiiml32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Phajgf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qbddmejf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hoakpi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Feoomd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mbbloc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eefhcimp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gpodfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bodfkpfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poeink32.dll" | Bfnnhj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ljmmnf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Obgccn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkqokn32.dll" | Fnipliip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmdim32.dll" | Hpfbmcaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Angfompn.dll" | Bhgeao32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Loqejjad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haqfon32.dll" | Mplfll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qcobjk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oeclockl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Felkmnci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpgmkgh.dll" | Kcmfgimm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehhacc32.dll" | Klapgq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkkfnjpp.dll" | Kjkpif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fqhbgf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ghgeoq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgjno32.dll" | Paqebike.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhhqdjl.dll" | Ichkpb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kiphcdkb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kcmfgimm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mpnglbkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecbdhad.dll" | Dfiiejnl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dnmhim32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fdiohnek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mambaa32.dll" | Jpegeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpqellmb.dll" | Qhekaejj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mcmall32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclddi32.dll" | Ikjcmi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bckknd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mlciobhj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fajgekol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pimkkfka.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jjeflc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Glchjedc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ogpfko32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Domdcpib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cpmajdig.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jkligd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pmafpchb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qgmbkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbjofoen.dll" | Mklkepal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jbpkfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggoad32.dll" | Bffkcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fkajoiok.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2380 wrote to memory of 4928 | 2380 | NEAS.adaef7fd03fdc688458904e44351f890_JC.exe | 91
PID 2380 wrote to memory of 4928 | 2380 | NEAS.adaef7fd03fdc688458904e44351f890_JC.exe | 91
PID 2380 wrote to memory of 4928 | 2380 | NEAS.adaef7fd03fdc688458904e44351f890_JC.exe | 91
PID 4928 wrote to memory of 956 | 4928 | Nhdicjfp.exe | 92
PID 4928 wrote to memory of 956 | 4928 | Nhdicjfp.exe | 92
PID 4928 wrote to memory of 956 | 4928 | Nhdicjfp.exe | 92
PID 956 wrote to memory of 4972 | 956 | Qhekaejj.exe | 93
PID 956 wrote to memory of 4972 | 956 | Qhekaejj.exe | 93
PID 956 wrote to memory of 4972 | 956 | Qhekaejj.exe | 93
PID 4972 wrote to memory of 2084 | 4972 | Akjnnpcf.exe | 94
PID 4972 wrote to memory of 2084 | 4972 | Akjnnpcf.exe | 94
PID 4972 wrote to memory of 2084 | 4972 | Akjnnpcf.exe | 94
PID 2084 wrote to memory of 3920 | 2084 | Abdfkj32.exe | 95
PID 2084 wrote to memory of 3920 | 2084 | Abdfkj32.exe | 95
PID 2084 wrote to memory of 3920 | 2084 | Abdfkj32.exe | 95
PID 3920 wrote to memory of 2612 | 3920 | Afboah32.exe | 96
PID 3920 wrote to memory of 2612 | 3920 | Afboah32.exe | 96
PID 3920 wrote to memory of 2612 | 3920 | Afboah32.exe | 96
PID 2612 wrote to memory of 3964 | 2612 | Agckiqgg.exe | 97
PID 2612 wrote to memory of 3964 | 2612 | Agckiqgg.exe | 97
PID 2612 wrote to memory of 3964 | 2612 | Agckiqgg.exe | 97
PID 3964 wrote to memory of 2684 | 3964 | Bghddp32.exe | 98
PID 3964 wrote to memory of 2684 | 3964 | Bghddp32.exe | 98
PID 3964 wrote to memory of 2684 | 3964 | Bghddp32.exe | 98
PID 2684 wrote to memory of 1124 | 2684 | Beobcdoi.exe | 99
PID 2684 wrote to memory of 1124 | 2684 | Beobcdoi.exe | 99
PID 2684 wrote to memory of 1124 | 2684 | Beobcdoi.exe | 99
PID 1124 wrote to memory of 740 | 1124 | Bbeobhlp.exe | 100
PID 1124 wrote to memory of 740 | 1124 | Bbeobhlp.exe | 100
PID 1124 wrote to memory of 740 | 1124 | Bbeobhlp.exe | 100
PID 740 wrote to memory of 1468 | 740 | Chddpn32.exe | 101
PID 740 wrote to memory of 1468 | 740 | Chddpn32.exe | 101
PID 740 wrote to memory of 1468 | 740 | Chddpn32.exe | 101
PID 1468 wrote to memory of 4528 | 1468 | Cifmoa32.exe | 102
PID 1468 wrote to memory of 4528 | 1468 | Cifmoa32.exe | 102
PID 1468 wrote to memory of 4528 | 1468 | Cifmoa32.exe | 102
PID 4528 wrote to memory of 1292 | 4528 | Dfngcdhi.exe | 103
PID 4528 wrote to memory of 1292 | 4528 | Dfngcdhi.exe | 103
PID 4528 wrote to memory of 1292 | 4528 | Dfngcdhi.exe | 103
PID 1292 wrote to memory of 568 | 1292 | Dhdmfljb.exe | 104
PID 1292 wrote to memory of 568 | 1292 | Dhdmfljb.exe | 104
PID 1292 wrote to memory of 568 | 1292 | Dhdmfljb.exe | 104
PID 568 wrote to memory of 2024 | 568 | Eifffoob.exe | 105
PID 568 wrote to memory of 2024 | 568 | Eifffoob.exe | 105
PID 568 wrote to memory of 2024 | 568 | Eifffoob.exe | 105
PID 2024 wrote to memory of 4404 | 2024 | Elilmi32.exe | 106
PID 2024 wrote to memory of 4404 | 2024 | Elilmi32.exe | 106
PID 2024 wrote to memory of 4404 | 2024 | Elilmi32.exe | 106
PID 4404 wrote to memory of 4648 | 4404 | Fplnogmb.exe | 107
PID 4404 wrote to memory of 4648 | 4404 | Fplnogmb.exe | 107
PID 4404 wrote to memory of 4648 | 4404 | Fplnogmb.exe | 107
PID 4648 wrote to memory of 4292 | 4648 | Fcodfa32.exe | 108
PID 4648 wrote to memory of 4292 | 4648 | Fcodfa32.exe | 108
PID 4648 wrote to memory of 4292 | 4648 | Fcodfa32.exe | 108
PID 4292 wrote to memory of 4792 | 4292 | Fpeaeedg.exe | 109
PID 4292 wrote to memory of 4792 | 4292 | Fpeaeedg.exe | 109
PID 4292 wrote to memory of 4792 | 4292 | Fpeaeedg.exe | 109
PID 4792 wrote to memory of 3092 | 4792 | Gojnfb32.exe | 110
PID 4792 wrote to memory of 3092 | 4792 | Gojnfb32.exe | 110
PID 4792 wrote to memory of 3092 | 4792 | Gojnfb32.exe | 110
PID 3092 wrote to memory of 4276 | 3092 | Glqkefff.exe | 111
PID 3092 wrote to memory of 4276 | 3092 | Glqkefff.exe | 111
PID 3092 wrote to memory of 4276 | 3092 | Glqkefff.exe | 111
PID 4276 wrote to memory of 4024 | 4276 | Glchjedc.exe | 112
Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.adaef7fd03fdc688458904e44351f890_JC.exe  "C:\Users\Admin\AppData\Local\Temp\NEAS.adaef7fd03fdc688458904e44351f890_JC.exe"  1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\SysWOW64\Nhdicjfp.exe  C:\Windows\system32\Nhdicjfp.exe  2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\Qhekaejj.exe  C:\Windows\system32\Qhekaejj.exe  3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\Akjnnpcf.exe  C:\Windows\system32\Akjnnpcf.exe  4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\Abdfkj32.exe  C:\Windows\system32\Abdfkj32.exe  5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\SysWOW64\Afboah32.exe  C:\Windows\system32\Afboah32.exe  6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\SysWOW64\Agckiqgg.exe  C:\Windows\system32\Agckiqgg.exe  7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\Bghddp32.exe  C:\Windows\system32\Bghddp32.exe  8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\Beobcdoi.exe  C:\Windows\system32\Beobcdoi.exe  9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\SysWOW64\Bbeobhlp.exe  C:\Windows\system32\Bbeobhlp.exe  10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\Chddpn32.exe  C:\Windows\system32\Chddpn32.exe  11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\Cifmoa32.exe  C:\Windows\system32\Cifmoa32.exe  12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\Dfngcdhi.exe  C:\Windows\system32\Dfngcdhi.exe  13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\SysWOW64\Dhdmfljb.exe  C:\Windows\system32\Dhdmfljb.exe  14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\Eifffoob.exe  C:\Windows\system32\Eifffoob.exe  15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\Elilmi32.exe  C:\Windows\system32\Elilmi32.exe  16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\Fplnogmb.exe  C:\Windows\system32\Fplnogmb.exe  17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\Fcodfa32.exe  C:\Windows\system32\Fcodfa32.exe  18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\Fpeaeedg.exe  C:\Windows\system32\Fpeaeedg.exe  19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\SysWOW64\Gojnfb32.exe  C:\Windows\system32\Gojnfb32.exe  20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\Glqkefff.exe  C:\Windows\system32\Glqkefff.exe  21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\SysWOW64\Glchjedc.exe  C:\Windows\system32\Glchjedc.exe  22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SysWOW64\Gledpe32.exe  C:\Windows\system32\Gledpe32.exe  23⤵
- Executes dropped EXE
PID:4024

C:\Windows\SysWOW64\Hhleefhe.exe  C:\Windows\system32\Hhleefhe.exe  24⤵
- Executes dropped EXE
PID:4848

C:\Windows\SysWOW64\Hcipcnac.exe  C:\Windows\system32\Hcipcnac.exe  25⤵
- Executes dropped EXE
PID:4880

C:\Windows\SysWOW64\Iqmplbpl.exe  C:\Windows\system32\Iqmplbpl.exe  26⤵
- Executes dropped EXE
PID:1860

C:\Windows\SysWOW64\Ifnbph32.exe  C:\Windows\system32\Ifnbph32.exe  27⤵
- Executes dropped EXE
PID:4992

C:\Windows\SysWOW64\Icbbimih.exe  C:\Windows\system32\Icbbimih.exe  28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2088

C:\Windows\SysWOW64\Jflnafno.exe  C:\Windows\system32\Jflnafno.exe  29⤵
- Executes dropped EXE
PID:4564

C:\Windows\SysWOW64\Kmmmnp32.exe  C:\Windows\system32\Kmmmnp32.exe  30⤵
- Executes dropped EXE
PID:3824

C:\Windows\SysWOW64\Lmkipncc.exe  C:\Windows\system32\Lmkipncc.exe  31⤵
- Executes dropped EXE
PID:1012

C:\Windows\SysWOW64\Migcpneb.exe  C:\Windows\system32\Migcpneb.exe  32⤵
- Executes dropped EXE
PID:1212

C:\Windows\SysWOW64\Nagngjmj.exe  C:\Windows\system32\Nagngjmj.exe  33⤵
- Executes dropped EXE
PID:2400

C:\Windows\SysWOW64\Ngipjp32.exe  C:\Windows\system32\Ngipjp32.exe  34⤵
- Executes dropped EXE
PID:5004

C:\Windows\SysWOW64\Ogpfko32.exe  C:\Windows\system32\Ogpfko32.exe  35⤵
- Executes dropped EXE
- Modifies registry class
PID:2184

C:\Windows\SysWOW64\Pjgemi32.exe  C:\Windows\system32\Pjgemi32.exe  36⤵
- Executes dropped EXE
PID:4320

C:\Windows\SysWOW64\Pjjaci32.exe  C:\Windows\system32\Pjjaci32.exe  37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2992

C:\Windows\SysWOW64\Pjahchpb.exe  C:\Windows\system32\Pjahchpb.exe  38⤵
- Executes dropped EXE
PID:3140

C:\Windows\SysWOW64\Akenij32.exe  C:\Windows\system32\Akenij32.exe  39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2416

C:\Windows\SysWOW64\Aglnnkid.exe  C:\Windows\system32\Aglnnkid.exe  40⤵
- Executes dropped EXE
PID:4436

C:\Windows\SysWOW64\Ahkkhnpg.exe  C:\Windows\system32\Ahkkhnpg.exe  41⤵
- Executes dropped EXE
PID:4252

C:\Windows\SysWOW64\Bqnemp32.exe  C:\Windows\system32\Bqnemp32.exe  42⤵
- Executes dropped EXE
PID:1076

C:\Windows\SysWOW64\Bkcjjhgp.exe  C:\Windows\system32\Bkcjjhgp.exe  43⤵
- Executes dropped EXE
PID:1072

C:\Windows\SysWOW64\Cjomldfp.exe  C:\Windows\system32\Cjomldfp.exe  44⤵
- Executes dropped EXE
PID:1816

C:\Windows\SysWOW64\Celgjlpn.exe  C:\Windows\system32\Celgjlpn.exe  45⤵
- Executes dropped EXE
PID:3080

C:\Windows\SysWOW64\Dhfcae32.exe  C:\Windows\system32\Dhfcae32.exe  46⤵
- Executes dropped EXE
PID:3656

C:\Windows\SysWOW64\Ebpqjmpd.exe  C:\Windows\system32\Ebpqjmpd.exe  47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3932

C:\Windows\SysWOW64\Fbnmkk32.exe  C:\Windows\system32\Fbnmkk32.exe  48⤵
- Executes dropped EXE
PID:464

C:\Windows\SysWOW64\Ghgeoq32.exe  C:\Windows\system32\Ghgeoq32.exe  49⤵
- Executes dropped EXE
- Modifies registry class
PID:2316

C:\Windows\SysWOW64\Hocjaj32.exe  C:\Windows\system32\Hocjaj32.exe  50⤵
- Executes dropped EXE
PID:2308

C:\Windows\SysWOW64\Ikejbjip.exe  C:\Windows\system32\Ikejbjip.exe  51⤵
- Executes dropped EXE
PID:3052

C:\Windows\SysWOW64\Ikjcmi32.exe  C:\Windows\system32\Ikjcmi32.exe  52⤵
- Executes dropped EXE
- Modifies registry class
PID:4444

C:\Windows\SysWOW64\Iadljc32.exe  C:\Windows\system32\Iadljc32.exe  53⤵
- Executes dropped EXE
PID:4684

C:\Windows\SysWOW64\Jbpkfa32.exe  C:\Windows\system32\Jbpkfa32.exe  54⤵
- Executes dropped EXE
- Modifies registry class
PID:388

C:\Windows\SysWOW64\Kiajck32.exe  C:\Windows\system32\Kiajck32.exe  55⤵
- Executes dropped EXE
PID:4032

C:\Windows\SysWOW64\Lcndab32.exe  C:\Windows\system32\Lcndab32.exe  56⤵
- Executes dropped EXE
PID:2596

C:\Windows\SysWOW64\Lmfhjhdm.exe  C:\Windows\system32\Lmfhjhdm.exe  57⤵
- Executes dropped EXE
PID:1088

C:\Windows\SysWOW64\Mpnglbkf.exe  C:\Windows\system32\Mpnglbkf.exe  58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3892

C:\Windows\SysWOW64\Njahki32.exe  C:\Windows\system32\Njahki32.exe  59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3164

C:\Windows\SysWOW64\Ollgiplp.exe  C:\Windows\system32\Ollgiplp.exe  60⤵
- Executes dropped EXE
PID:1276

C:\Windows\SysWOW64\Plhgdn32.exe  C:\Windows\system32\Plhgdn32.exe  61⤵
- Executes dropped EXE
PID:2828

C:\Windows\SysWOW64\Qmlmjq32.exe  C:\Windows\system32\Qmlmjq32.exe  62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4520

C:\Windows\SysWOW64\Qibmoa32.exe  C:\Windows\system32\Qibmoa32.exe  63⤵
- Executes dropped EXE
PID:1332

C:\Windows\SysWOW64\Agikne32.exe  C:\Windows\system32\Agikne32.exe  64⤵
- Executes dropped EXE
PID:5056

C:\Windows\SysWOW64\Angleokb.exe  C:\Windows\system32\Angleokb.exe  65⤵
- Executes dropped EXE
PID:2812

C:\Windows\SysWOW64\Akkmocjl.exe  C:\Windows\system32\Akkmocjl.exe  66⤵
PID:4828

C:\Windows\SysWOW64\Bdfnmhnj.exe  C:\Windows\system32\Bdfnmhnj.exe  67⤵
PID:4340

C:\Windows\SysWOW64\Bckknd32.exe  C:\Windows\system32\Bckknd32.exe  68⤵
- Modifies registry class
PID:4908

C:\Windows\SysWOW64\Bdkghg32.exe  C:\Windows\system32\Bdkghg32.exe  69⤵
- Drops file in System32 directory
PID:5064

C:\Windows\SysWOW64\Bkglkapo.exe  C:\Windows\system32\Bkglkapo.exe  70⤵
PID:2724

C:\Windows\SysWOW64\Cjabgm32.exe  C:\Windows\system32\Cjabgm32.exe  71⤵
PID:2232

C:\Windows\SysWOW64\Ddkpoelb.exe  C:\Windows\system32\Ddkpoelb.exe  72⤵
PID:3992

C:\Windows\SysWOW64\Dqgjoenq.exe  C:\Windows\system32\Dqgjoenq.exe  73⤵
PID:2268

C:\Windows\SysWOW64\Dqigee32.exe  C:\Windows\system32\Dqigee32.exe  74⤵
PID:4200

C:\Windows\SysWOW64\Dnmgni32.exe  C:\Windows\system32\Dnmgni32.exe  75⤵
PID:1780

C:\Windows\SysWOW64\Fmpaqd32.exe  C:\Windows\system32\Fmpaqd32.exe  76⤵
PID:3452

C:\Windows\SysWOW64\Gmggac32.exe  C:\Windows\system32\Gmggac32.exe  77⤵
- Drops file in System32 directory
PID:5128

C:\Windows\SysWOW64\Hkiclepa.exe  C:\Windows\system32\Hkiclepa.exe  78⤵
PID:5168

C:\Windows\SysWOW64\Hdfapjbl.exe  C:\Windows\system32\Hdfapjbl.exe  79⤵
PID:5224

C:\Windows\SysWOW64\Jojboa32.exe  C:\Windows\system32\Jojboa32.exe  80⤵
PID:5264

C:\Windows\SysWOW64\Jdiglgbg.exe  C:\Windows\system32\Jdiglgbg.exe  81⤵
PID:5304

C:\Windows\SysWOW64\Oimdbnip.exe  C:\Windows\system32\Oimdbnip.exe  82⤵
PID:5568

C:\Windows\SysWOW64\Qefkcl32.exe  C:\Windows\system32\Qefkcl32.exe  83⤵
PID:5640

C:\Windows\SysWOW64\Agojdnng.exe  C:\Windows\system32\Agojdnng.exe  84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5684

C:\Windows\SysWOW64\Bidlqhgc.exe  C:\Windows\system32\Bidlqhgc.exe  85⤵
PID:5732

C:\Windows\SysWOW64\Dcbckk32.exe  C:\Windows\system32\Dcbckk32.exe  86⤵
PID:5800

C:\Windows\SysWOW64\Eqkmpo32.exe  C:\Windows\system32\Eqkmpo32.exe  87⤵
PID:5844

C:\Windows\SysWOW64\Eqbcqnph.exe  C:\Windows\system32\Eqbcqnph.exe  88⤵
PID:5936

C:\Windows\SysWOW64\Fcibchgq.exe  C:\Windows\system32\Fcibchgq.exe  89⤵
PID:6000

C:\Windows\SysWOW64\Gmkibl32.exe  C:\Windows\system32\Gmkibl32.exe  90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6052

C:\Windows\SysWOW64\Hfkdkqeo.exe  C:\Windows\system32\Hfkdkqeo.exe  91⤵
PID:6108

C:\Windows\SysWOW64\Hhmmkcko.exe  C:\Windows\system32\Hhmmkcko.exe  92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1452

C:\Windows\SysWOW64\Ionlhlld.exe  C:\Windows\system32\Ionlhlld.exe  93⤵
PID:5256

C:\Windows\SysWOW64\Ogmaneoa.exe  C:\Windows\system32\Ogmaneoa.exe  94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5552

C:\Windows\SysWOW64\Ppkopail.exe  C:\Windows\system32\Ppkopail.exe  95⤵
PID:4912

C:\Windows\SysWOW64\Palkgi32.exe  C:\Windows\system32\Palkgi32.exe  96⤵
- Drops file in System32 directory
PID:5672

C:\Windows\SysWOW64\Plapdb32.exe  C:\Windows\system32\Plapdb32.exe  97⤵
PID:5716

C:\Windows\SysWOW64\Pldljbmn.exe  C:\Windows\system32\Pldljbmn.exe  98⤵
PID:5796

C:\Windows\SysWOW64\Paqebike.exe  C:\Windows\system32\Paqebike.exe  99⤵
- Modifies registry class
PID:4928

C:\Windows\SysWOW64\Pbbnbkpe.exe  C:\Windows\system32\Pbbnbkpe.exe  100⤵
PID:2612

C:\Windows\SysWOW64\Qhofjbnl.exe  C:\Windows\system32\Qhofjbnl.exe  101⤵
PID:3084

C:\Windows\SysWOW64\Qecgcfmf.exe  C:\Windows\system32\Qecgcfmf.exe  102⤵
PID:5944

C:\Windows\SysWOW64\Abqjci32.exe  C:\Windows\system32\Abqjci32.exe  103⤵
PID:552

C:\Windows\SysWOW64\Abcgii32.exe  C:\Windows\system32\Abcgii32.exe  104⤵
PID:6044

C:\Windows\SysWOW64\Bhgeao32.exe  C:\Windows\system32\Bhgeao32.exe  105⤵
- Modifies registry class
PID:6060

C:\Windows\SysWOW64\Cpjmok32.exe  C:\Windows\system32\Cpjmok32.exe  106⤵
PID:3092

C:\Windows\SysWOW64\Dagiba32.exe  C:\Windows\system32\Dagiba32.exe  107⤵
PID:564

C:\Windows\SysWOW64\Ejbknnid.exe  C:\Windows\system32\Ejbknnid.exe  108⤵
PID:5160

C:\Windows\SysWOW64\Ffpadn32.exe  C:\Windows\system32\Ffpadn32.exe  109⤵
PID:4916

C:\Windows\SysWOW64\Fqhbgf32.exe  C:\Windows\system32\Fqhbgf32.exe  110⤵
- Modifies registry class
PID:4992

C:\Windows\SysWOW64\Fjqgpl32.exe  C:\Windows\system32\Fjqgpl32.exe  111⤵
PID:4564

C:\Windows\SysWOW64\Fjccel32.exe  C:\Windows\system32\Fjccel32.exe  112⤵
- Drops file in System32 directory
PID:3680

C:\Windows\SysWOW64\Ffjdjmpf.exe  C:\Windows\system32\Ffjdjmpf.exe  113⤵
PID:4804

C:\Windows\SysWOW64\Gijmlh32.exe  C:\Windows\system32\Gijmlh32.exe  114⤵
PID:5292

C:\Windows\SysWOW64\Gmmome32.exe  C:\Windows\system32\Gmmome32.exe  115⤵
PID:5580

C:\Windows\SysWOW64\Gjapfjnb.exe  C:\Windows\system32\Gjapfjnb.exe  116⤵
PID:5660

C:\Windows\SysWOW64\Hakhcd32.exe  C:\Windows\system32\Hakhcd32.exe  117⤵
PID:5740

C:\Windows\SysWOW64\Hboaql32.exe  C:\Windows\system32\Hboaql32.exe  118⤵
PID:720

C:\Windows\SysWOW64\Hihimfag.exe  C:\Windows\system32\Hihimfag.exe  119⤵
PID:5852

C:\Windows\SysWOW64\Iafgob32.exe  C:\Windows\system32\Iafgob32.exe  120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2380

C:\Windows\SysWOW64\Ijolhg32.exe  C:\Windows\system32\Ijolhg32.exe  121⤵
PID:1124

C:\Windows\SysWOW64\Ijaimg32.exe  C:\Windows\system32\Ijaimg32.exe  122⤵
PID:5924