Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/11/2023, 14:11
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: NEAS.0faff4cb92ee30f6e4442997675d9d10_JC.exe
  Resource: win7-20231025-en
  6 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: NEAS.0faff4cb92ee30f6e4442997675d9d10_JC.exe
  Resource: win10v2004-20231023-en
  5 signatures, 150 seconds
General
Target: NEAS.0faff4cb92ee30f6e4442997675d9d10_JC.exe
Size: 80KB
MD5: 0faff4cb92ee30f6e4442997675d9d10
SHA1: 8cec18da88c47dd5bc3df82604230679688c21a5
SHA256: 5c50c9371188a297e05f7b17ab823b6dbf98b00e965cb2a3015d4dbebb403dc1
SHA512: 8b2edb79242d9688b90a5bf9145f5b837508c0a9fa1cb52bf6965ae8acb7e2e5d8133e191ae393c3f1632052fdc02f737421c82dbc9ce137a025d3a34a816e2e
SSDEEP: 1536:RpQWzXbIUCfSsCUkRq6fdAmI/OeVJlKS12LsNCYrum8SPG2:RpQldV2jAmuoCVT8SL
Score: 10/10
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkbomgde.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gcfqjmka.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghohdk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nphhfp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fknimh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fafkoiji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fhbpqb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chagiqhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aqfolqna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qnniopcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qbbggeli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ifcimb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mflgff32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mplapkoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lejgln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Obnbjdfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lgnekcei.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckidoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehcndkaa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ambgnl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dopiqj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hlcjaq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iojgkbib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dadlmanj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aopmpq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bohiliof.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmliem32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjlijp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alcfpm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhbnqi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ecnbgian.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bplammmf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kekljlkp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olfolp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chnlbndj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kelaef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Palbpb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qqdqilph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gehfepio.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhhldc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jedjkkmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jgbccm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Niqnli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bdkbgj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfngmd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkbohc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oeloebcb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djoohk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Donceaac.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jijaef32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmpcmkaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bonjnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gpcffalc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfckjnjh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dakampio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Elbhde32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jabgkpad.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngmpmd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkpoha32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifdohl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gacjkjgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pdhbgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aepmjk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmpcmkaa.exe
Executes dropped EXE (64 IoCs)
pid | Process
2416 | Moiheebb.exe
3684 | Pgcbbc32.exe
4040 | Qbkcek32.exe
1480 | Afdkfh32.exe
2216 | Bkdqdokk.exe
1392 | Dpdogj32.exe
3172 | Elilmi32.exe
3584 | Fibfbm32.exe
4604 | Fepmgm32.exe
2356 | Geipnl32.exe
844 | Hjpkjh32.exe
1348 | Jfgefg32.exe
4404 | Jihngboe.exe
4028 | Kciaqi32.exe
2268 | Lmiljn32.exe
3168 | Mhjpceko.exe
408 | Nfaijand.exe
1632 | Nkpbpp32.exe
4704 | Nhhldc32.exe
1152 | Oajccgmd.exe
1548 | Pkedbmab.exe
1988 | Pgpobmca.exe
4428 | Qhddgofo.exe
4964 | Aamipe32.exe
3120 | Aqfolqna.exe
4408 | Agcdnjcl.exe
1456 | Bkcjjhgp.exe
4912 | Bbbkbbkg.exe
2396 | Cbknhqbl.exe
3828 | Dnkbcp32.exe
492 | Eangjkkd.exe
3876 | Elkbhbeb.exe
816 | Foenplji.exe
4168 | Gkeakl32.exe
3604 | Hadcce32.exe
260 | Hakidd32.exe
3676 | Ioafchai.exe
4580 | Jmepcj32.exe
4400 | Kjqfmn32.exe
4764 | Kfggbope.exe
3808 | Mfjlolpp.exe
1184 | Niblafgi.exe
3896 | Ofmbkipk.exe
2288 | Pgknlg32.exe
1528 | Pcaoahio.exe
3564 | Qdfefkll.exe
4872 | Qnniopcm.exe
2280 | Alcfpm32.exe
4544 | Akipic32.exe
1960 | Acdeneij.exe
1752 | Bpmobi32.exe
2780 | Bnclamqe.exe
4768 | Cqfahh32.exe
4064 | Djhiglji.exe
3180 | Djoohk32.exe
1760 | Ecjpfp32.exe
1192 | Fcepbooa.exe
3720 | Fjphoi32.exe
4900 | Feella32.exe
4044 | Gjkgkg32.exe
2960 | Ghohdk32.exe
4748 | Glmqjj32.exe
704 | Hejono32.exe
2240 | Hmjmnpmb.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Bplammmf.exe | Bpidhmoi.exe
File created | C:\Windows\SysWOW64\Dakampio.exe | Dcgackke.exe
File opened for modification | C:\Windows\SysWOW64\Ojmhaklf.exe | Naecieef.exe
File created | C:\Windows\SysWOW64\Bpmobi32.exe | Acdeneij.exe
File created | C:\Windows\SysWOW64\Fnepbphj.dll | Glmqjj32.exe
File created | C:\Windows\SysWOW64\Gjcheq32.dll | Niqnli32.exe
File created | C:\Windows\SysWOW64\Cbokheno.dll | Iannpa32.exe
File created | C:\Windows\SysWOW64\Ljqhaa32.dll | Gkeonggf.exe
File created | C:\Windows\SysWOW64\Iobhpakb.dll | Hkaoiemi.exe
File created | C:\Windows\SysWOW64\Hmioicek.exe | Hbcklkee.exe
File opened for modification | C:\Windows\SysWOW64\Oajccgmd.exe | Nhhldc32.exe
File created | C:\Windows\SysWOW64\Oldficfh.dll | Ioafchai.exe
File created | C:\Windows\SysWOW64\Cpbdbj32.dll | Qqdqilph.exe
File created | C:\Windows\SysWOW64\Lafmjb32.dll | Ngmpmd32.exe
File created | C:\Windows\SysWOW64\Cniekq32.dll | Djoohk32.exe
File opened for modification | C:\Windows\SysWOW64\Gdncfl32.exe | Gkeonggf.exe
File created | C:\Windows\SysWOW64\Hklqokmi.dll | Cadllq32.exe
File created | C:\Windows\SysWOW64\Bkieampj.dll | Kgjggkqi.exe
File created | C:\Windows\SysWOW64\Hmgjbc32.dll | Jncapf32.exe
File created | C:\Windows\SysWOW64\Goabhl32.exe | Fbkdjh32.exe
File opened for modification | C:\Windows\SysWOW64\Bgoalc32.exe | Bfoebq32.exe
File created | C:\Windows\SysWOW64\Nhhljfmp.dll | Ecgcpc32.exe
File created | C:\Windows\SysWOW64\Hlcjaq32.exe | Hgdedj32.exe
File opened for modification | C:\Windows\SysWOW64\Djhiglji.exe | Cqfahh32.exe
File created | C:\Windows\SysWOW64\Ndifai32.dll | Ogjdheqd.exe
File opened for modification | C:\Windows\SysWOW64\Ikcdfbmc.exe | Inpclnnj.exe
File created | C:\Windows\SysWOW64\Emkeho32.exe | Emihbp32.exe
File opened for modification | C:\Windows\SysWOW64\Hgdedj32.exe | Gpcffalc.exe
File created | C:\Windows\SysWOW64\Gejdiaok.dll | Kdkdqinj.exe
File created | C:\Windows\SysWOW64\Fllfihmi.dll | Hjpkjh32.exe
File opened for modification | C:\Windows\SysWOW64\Jmepcj32.exe | Ioafchai.exe
File created | C:\Windows\SysWOW64\Cqfahh32.exe | Bnclamqe.exe
File created | C:\Windows\SysWOW64\Pbaihddp.dll | Fkpoha32.exe
File created | C:\Windows\SysWOW64\Apildl32.dll | Gmcdolbn.exe
File created | C:\Windows\SysWOW64\Bfngmd32.exe | Blecdn32.exe
File created | C:\Windows\SysWOW64\Jmkjpklj.dll | Kfggbope.exe
File created | C:\Windows\SysWOW64\Fqkhidmg.dll | Gbqeonfj.exe
File opened for modification | C:\Windows\SysWOW64\Pgcbbc32.exe | Moiheebb.exe
File created | C:\Windows\SysWOW64\Fibfbm32.exe | Elilmi32.exe
File opened for modification | C:\Windows\SysWOW64\Jdembk32.exe | Jabgkpad.exe
File created | C:\Windows\SysWOW64\Ijjombcn.dll | Nnlhod32.exe
File created | C:\Windows\SysWOW64\Blcmakcp.dll | Egkgljkm.exe
File created | C:\Windows\SysWOW64\Pcffoben.exe | Olqofjhn.exe
File created | C:\Windows\SysWOW64\Mjbkbj32.dll | Geipnl32.exe
File created | C:\Windows\SysWOW64\Cllkcbnl.exe | Cnealfkf.exe
File created | C:\Windows\SysWOW64\Ehedic32.dll | Ejiqom32.exe
File created | C:\Windows\SysWOW64\Fhbpqb32.exe | Fkopgn32.exe
File opened for modification | C:\Windows\SysWOW64\Fbkdjh32.exe | Fhbpqb32.exe
File created | C:\Windows\SysWOW64\Dacmol32.dll | Pmmelo32.exe
File opened for modification | C:\Windows\SysWOW64\Gkeonggf.exe | Gehfepio.exe
File created | C:\Windows\SysWOW64\Kndodehf.exe | Kgjggkqi.exe
File opened for modification | C:\Windows\SysWOW64\Mlflog32.exe | Lejgln32.exe
File opened for modification | C:\Windows\SysWOW64\Ghcjedcj.exe | Gpelchhp.exe
File created | C:\Windows\SysWOW64\Hidgpjoi.dll | Ahnclp32.exe
File created | C:\Windows\SysWOW64\Ljmnibhi.dll | Acicefid.exe
File created | C:\Windows\SysWOW64\Apgppaga.dll | Deokhc32.exe
File opened for modification | C:\Windows\SysWOW64\Aichng32.exe | Aqhcid32.exe
File created | C:\Windows\SysWOW64\Phgagb32.exe | Pamikh32.exe
File created | C:\Windows\SysWOW64\Blecdn32.exe | Boabkj32.exe
File created | C:\Windows\SysWOW64\Qcoaqo32.dll | Bkcjjhgp.exe
File created | C:\Windows\SysWOW64\Hjpdjplo.dll | Cbknhqbl.exe
File created | C:\Windows\SysWOW64\Podhaopm.dll | Ckidoc32.exe
File created | C:\Windows\SysWOW64\Ealanc32.exe | Eajehd32.exe
File created | C:\Windows\SysWOW64\Fmpjfn32.exe | Ffcedd32.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bkdqdokk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cllkcbnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnjna32.dll" | Lnnidjcg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kjffngap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bikojc32.dll" | Fmmffhnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gienbe32.dll" | Fihqfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqjdfpha.dll" | Lpcedbjp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Poaqocgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghcbaif.dll" | Gnhdea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhgka32.dll" | Phgagb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjlijp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ffahnd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nkmmbe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Paqebike.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ceoillaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fdpgen32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Idfaolpb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nnlhod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apgppaga.dll" | Deokhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dclknkfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ighnpeig.dll" | Dikpla32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Njghkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pamikh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdiln32.dll" | Elbhde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjnafn32.dll" | Fppqjcli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kkkdjcjb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pkcepl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhcefm32.dll" | Ealanc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fajnoabh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lnihod32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jqfejl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfclmfhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbikcgbb.dll" | Mbhina32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Adockl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ecgcpc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kknfmdko.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Feella32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjobhcc.dll" | Ehcndkaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cghdlppn.dll" | Jdembk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gempqo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kgjggkqi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ngodlgka.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ebplhp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkpqce32.dll" | Ndmepe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kbaiip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kgjggkqi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjgpoq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Banmdk32.dll" | Pcaoahio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lnikmjdm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdnhb32.dll" | Plimpg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blploo32.dll" | Dldpde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipjbe32.dll" | Gehfepio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbcpibgf.dll" | Ieoapl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogidij32.dll" | Obgccn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendcmjg.dll" | Donceaac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhfepjoe.dll" | Hojndd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Idfaolpb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ffcedd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehedic32.dll" | Ejiqom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kihdqkaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqbfnnhd.dll" | Opmaaodc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpaeap32.dll" | Emjomf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cajcffka.dll" | Nophfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeihnf32.dll" | Gkeakl32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2148 wrote to memory of 2416 | 2148 | NEAS.0faff4cb92ee30f6e4442997675d9d10_JC.exe | 93
PID 2148 wrote to memory of 2416 | 2148 | NEAS.0faff4cb92ee30f6e4442997675d9d10_JC.exe | 93
PID 2148 wrote to memory of 2416 | 2148 | NEAS.0faff4cb92ee30f6e4442997675d9d10_JC.exe | 93
PID 2416 wrote to memory of 3684 | 2416 | Moiheebb.exe | 94
PID 2416 wrote to memory of 3684 | 2416 | Moiheebb.exe | 94
PID 2416 wrote to memory of 3684 | 2416 | Moiheebb.exe | 94
PID 3684 wrote to memory of 4040 | 3684 | Pgcbbc32.exe | 95
PID 3684 wrote to memory of 4040 | 3684 | Pgcbbc32.exe | 95
PID 3684 wrote to memory of 4040 | 3684 | Pgcbbc32.exe | 95
PID 4040 wrote to memory of 1480 | 4040 | Qbkcek32.exe | 96
PID 4040 wrote to memory of 1480 | 4040 | Qbkcek32.exe | 96
PID 4040 wrote to memory of 1480 | 4040 | Qbkcek32.exe | 96
PID 1480 wrote to memory of 2216 | 1480 | Afdkfh32.exe | 97
PID 1480 wrote to memory of 2216 | 1480 | Afdkfh32.exe | 97
PID 1480 wrote to memory of 2216 | 1480 | Afdkfh32.exe | 97
PID 2216 wrote to memory of 1392 | 2216 | Bkdqdokk.exe | 98
PID 2216 wrote to memory of 1392 | 2216 | Bkdqdokk.exe | 98
PID 2216 wrote to memory of 1392 | 2216 | Bkdqdokk.exe | 98
PID 1392 wrote to memory of 3172 | 1392 | Dpdogj32.exe | 100
PID 1392 wrote to memory of 3172 | 1392 | Dpdogj32.exe | 100
PID 1392 wrote to memory of 3172 | 1392 | Dpdogj32.exe | 100
PID 3172 wrote to memory of 3584 | 3172 | Elilmi32.exe | 102
PID 3172 wrote to memory of 3584 | 3172 | Elilmi32.exe | 102
PID 3172 wrote to memory of 3584 | 3172 | Elilmi32.exe | 102
PID 3584 wrote to memory of 4604 | 3584 | Fibfbm32.exe | 103
PID 3584 wrote to memory of 4604 | 3584 | Fibfbm32.exe | 103
PID 3584 wrote to memory of 4604 | 3584 | Fibfbm32.exe | 103
PID 4604 wrote to memory of 2356 | 4604 | Fepmgm32.exe | 104
PID 4604 wrote to memory of 2356 | 4604 | Fepmgm32.exe | 104
PID 4604 wrote to memory of 2356 | 4604 | Fepmgm32.exe | 104
PID 2356 wrote to memory of 844 | 2356 | Geipnl32.exe | 105
PID 2356 wrote to memory of 844 | 2356 | Geipnl32.exe | 105
PID 2356 wrote to memory of 844 | 2356 | Geipnl32.exe | 105
PID 844 wrote to memory of 1348 | 844 | Hjpkjh32.exe | 106
PID 844 wrote to memory of 1348 | 844 | Hjpkjh32.exe | 106
PID 844 wrote to memory of 1348 | 844 | Hjpkjh32.exe | 106
PID 1348 wrote to memory of 4404 | 1348 | Jfgefg32.exe | 107
PID 1348 wrote to memory of 4404 | 1348 | Jfgefg32.exe | 107
PID 1348 wrote to memory of 4404 | 1348 | Jfgefg32.exe | 107
PID 4404 wrote to memory of 4028 | 4404 | Jihngboe.exe | 108
PID 4404 wrote to memory of 4028 | 4404 | Jihngboe.exe | 108
PID 4404 wrote to memory of 4028 | 4404 | Jihngboe.exe | 108
PID 4028 wrote to memory of 2268 | 4028 | Kciaqi32.exe | 109
PID 4028 wrote to memory of 2268 | 4028 | Kciaqi32.exe | 109
PID 4028 wrote to memory of 2268 | 4028 | Kciaqi32.exe | 109
PID 2268 wrote to memory of 3168 | 2268 | Lmiljn32.exe | 110
PID 2268 wrote to memory of 3168 | 2268 | Lmiljn32.exe | 110
PID 2268 wrote to memory of 3168 | 2268 | Lmiljn32.exe | 110
PID 3168 wrote to memory of 408 | 3168 | Mhjpceko.exe | 111
PID 3168 wrote to memory of 408 | 3168 | Mhjpceko.exe | 111
PID 3168 wrote to memory of 408 | 3168 | Mhjpceko.exe | 111
PID 408 wrote to memory of 1632 | 408 | Nfaijand.exe | 112
PID 408 wrote to memory of 1632 | 408 | Nfaijand.exe | 112
PID 408 wrote to memory of 1632 | 408 | Nfaijand.exe | 112
PID 1632 wrote to memory of 4704 | 1632 | Nkpbpp32.exe | 113
PID 1632 wrote to memory of 4704 | 1632 | Nkpbpp32.exe | 113
PID 1632 wrote to memory of 4704 | 1632 | Nkpbpp32.exe | 113
PID 4704 wrote to memory of 1152 | 4704 | Nhhldc32.exe | 114
PID 4704 wrote to memory of 1152 | 4704 | Nhhldc32.exe | 114
PID 4704 wrote to memory of 1152 | 4704 | Nhhldc32.exe | 114
PID 1152 wrote to memory of 1548 | 1152 | Oajccgmd.exe | 115
PID 1152 wrote to memory of 1548 | 1152 | Oajccgmd.exe | 115
PID 1152 wrote to memory of 1548 | 1152 | Oajccgmd.exe | 115
PID 1548 wrote to memory of 1988 | 1548 | Pkedbmab.exe | 116
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.0faff4cb92ee30f6e4442997675d9d10_JC.exe (depth 1, PID 2148)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.0faff4cb92ee30f6e4442997675d9d10_JC.exe"
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Moiheebb.exe (depth 2, PID 2416)
  Command line: C:\Windows\system32\Moiheebb.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Pgcbbc32.exe (depth 3, PID 3684)
  Command line: C:\Windows\system32\Pgcbbc32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Qbkcek32.exe (depth 4, PID 4040)
  Command line: C:\Windows\system32\Qbkcek32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Afdkfh32.exe (depth 5, PID 1480)
  Command line: C:\Windows\system32\Afdkfh32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Bkdqdokk.exe (depth 6, PID 2216)
  Command line: C:\Windows\system32\Bkdqdokk.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Dpdogj32.exe (depth 7, PID 1392)
  Command line: C:\Windows\system32\Dpdogj32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Elilmi32.exe (depth 8, PID 3172)
  Command line: C:\Windows\system32\Elilmi32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Fibfbm32.exe (depth 9, PID 3584)
  Command line: C:\Windows\system32\Fibfbm32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Fepmgm32.exe (depth 10, PID 4604)
  Command line: C:\Windows\system32\Fepmgm32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Geipnl32.exe (depth 11, PID 2356)
  Command line: C:\Windows\system32\Geipnl32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Hjpkjh32.exe (depth 12, PID 844)
  Command line: C:\Windows\system32\Hjpkjh32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Jfgefg32.exe (depth 13, PID 1348)
  Command line: C:\Windows\system32\Jfgefg32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Jihngboe.exe (depth 14, PID 4404)
  Command line: C:\Windows\system32\Jihngboe.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kciaqi32.exe (depth 15, PID 4028)
  Command line: C:\Windows\system32\Kciaqi32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lmiljn32.exe (depth 16, PID 2268)
  Command line: C:\Windows\system32\Lmiljn32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Mhjpceko.exe (depth 17, PID 3168)
  Command line: C:\Windows\system32\Mhjpceko.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nfaijand.exe (depth 18, PID 408)
  Command line: C:\Windows\system32\Nfaijand.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nkpbpp32.exe (depth 19, PID 1632)
  Command line: C:\Windows\system32\Nkpbpp32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nhhldc32.exe (depth 20, PID 4704)
  Command line: C:\Windows\system32\Nhhldc32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Oajccgmd.exe (depth 21, PID 1152)
  Command line: C:\Windows\system32\Oajccgmd.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Pkedbmab.exe (depth 22)
  Command line: C:\Windows\system32\Pkedbmab.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Pgpobmca.exeC:\Windows\system32\Pgpobmca.exe23⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Qhddgofo.exeC:\Windows\system32\Qhddgofo.exe24⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Aamipe32.exeC:\Windows\system32\Aamipe32.exe25⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Aqfolqna.exeC:\Windows\system32\Aqfolqna.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Agcdnjcl.exeC:\Windows\system32\Agcdnjcl.exe27⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Bkcjjhgp.exeC:\Windows\system32\Bkcjjhgp.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1456 -
C:\Windows\SysWOW64\Bbbkbbkg.exeC:\Windows\system32\Bbbkbbkg.exe29⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Cbknhqbl.exeC:\Windows\system32\Cbknhqbl.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Dnkbcp32.exeC:\Windows\system32\Dnkbcp32.exe31⤵
- Executes dropped EXE
PID:3828 -
C:\Windows\SysWOW64\Eangjkkd.exeC:\Windows\system32\Eangjkkd.exe32⤵
- Executes dropped EXE
PID:492 -
C:\Windows\SysWOW64\Elkbhbeb.exeC:\Windows\system32\Elkbhbeb.exe33⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Foenplji.exeC:\Windows\system32\Foenplji.exe34⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Gkeakl32.exeC:\Windows\system32\Gkeakl32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4168 -
C:\Windows\SysWOW64\Hadcce32.exeC:\Windows\system32\Hadcce32.exe36⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Hakidd32.exeC:\Windows\system32\Hakidd32.exe37⤵
- Executes dropped EXE
PID:260 -
C:\Windows\SysWOW64\Ioafchai.exeC:\Windows\system32\Ioafchai.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3676 -
C:\Windows\SysWOW64\Jmepcj32.exeC:\Windows\system32\Jmepcj32.exe39⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Kjqfmn32.exeC:\Windows\system32\Kjqfmn32.exe40⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Kfggbope.exeC:\Windows\system32\Kfggbope.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4764 -
C:\Windows\SysWOW64\Mfjlolpp.exeC:\Windows\system32\Mfjlolpp.exe42⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Niblafgi.exeC:\Windows\system32\Niblafgi.exe43⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Ofmbkipk.exeC:\Windows\system32\Ofmbkipk.exe44⤵
- Executes dropped EXE
PID:3896 -
C:\Windows\SysWOW64\Pgknlg32.exeC:\Windows\system32\Pgknlg32.exe45⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Pcaoahio.exeC:\Windows\system32\Pcaoahio.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Qdfefkll.exeC:\Windows\system32\Qdfefkll.exe47⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Qnniopcm.exeC:\Windows\system32\Qnniopcm.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Alcfpm32.exeC:\Windows\system32\Alcfpm32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Akipic32.exeC:\Windows\system32\Akipic32.exe50⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Acdeneij.exeC:\Windows\system32\Acdeneij.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Bpmobi32.exeC:\Windows\system32\Bpmobi32.exe52⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Bnclamqe.exeC:\Windows\system32\Bnclamqe.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Cqfahh32.exeC:\Windows\system32\Cqfahh32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4768 -
C:\Windows\SysWOW64\Djhiglji.exeC:\Windows\system32\Djhiglji.exe55⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Djoohk32.exeC:\Windows\system32\Djoohk32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3180 -
C:\Windows\SysWOW64\Ecjpfp32.exeC:\Windows\system32\Ecjpfp32.exe57⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Fcepbooa.exeC:\Windows\system32\Fcepbooa.exe58⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Fjphoi32.exeC:\Windows\system32\Fjphoi32.exe59⤵
- Executes dropped EXE
PID:3720 -
C:\Windows\SysWOW64\Feella32.exeC:\Windows\system32\Feella32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:4900 -
C:\Windows\SysWOW64\Gjkgkg32.exeC:\Windows\system32\Gjkgkg32.exe61⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Ghohdk32.exeC:\Windows\system32\Ghohdk32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Glmqjj32.exeC:\Windows\system32\Glmqjj32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4748 -
C:\Windows\SysWOW64\Hejono32.exeC:\Windows\system32\Hejono32.exe64⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Hmjmnpmb.exeC:\Windows\system32\Hmjmnpmb.exe65⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Hoiihcde.exeC:\Windows\system32\Hoiihcde.exe66⤵PID:1940
-
C:\Windows\SysWOW64\Hhbnqi32.exeC:\Windows\system32\Hhbnqi32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2028 -
C:\Windows\SysWOW64\Idinej32.exeC:\Windows\system32\Idinej32.exe68⤵PID:776
-
C:\Windows\SysWOW64\Ieoapl32.exeC:\Windows\system32\Ieoapl32.exe69⤵
- Modifies registry class
PID:3972 -
C:\Windows\SysWOW64\Jedjkkmo.exeC:\Windows\system32\Jedjkkmo.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3152 -
C:\Windows\SysWOW64\Jefgak32.exeC:\Windows\system32\Jefgak32.exe71⤵PID:4172
-
C:\Windows\SysWOW64\Knfepldb.exeC:\Windows\system32\Knfepldb.exe72⤵PID:676
-
C:\Windows\SysWOW64\Kdbjbfjl.exeC:\Windows\system32\Kdbjbfjl.exe73⤵PID:2604
-
C:\Windows\SysWOW64\Kdgcne32.exeC:\Windows\system32\Kdgcne32.exe74⤵PID:2300
-
C:\Windows\SysWOW64\Lnfngj32.exeC:\Windows\system32\Lnfngj32.exe75⤵PID:3344
-
C:\Windows\SysWOW64\Lnikmjdm.exeC:\Windows\system32\Lnikmjdm.exe76⤵
- Modifies registry class
PID:5008 -
C:\Windows\SysWOW64\Nfpled32.exeC:\Windows\system32\Nfpled32.exe77⤵PID:5144
-
C:\Windows\SysWOW64\Nlmdml32.exeC:\Windows\system32\Nlmdml32.exe78⤵PID:5188
-
C:\Windows\SysWOW64\Obnbjdfi.exeC:\Windows\system32\Obnbjdfi.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5248 -
C:\Windows\SysWOW64\Ofadlbhj.exeC:\Windows\system32\Ofadlbhj.exe80⤵PID:5292
-
C:\Windows\SysWOW64\Pfenga32.exeC:\Windows\system32\Pfenga32.exe81⤵PID:5336
-
C:\Windows\SysWOW64\Plimpg32.exeC:\Windows\system32\Plimpg32.exe82⤵
- Modifies registry class
PID:5384 -
C:\Windows\SysWOW64\Qojeabie.exeC:\Windows\system32\Qojeabie.exe83⤵PID:5436
-
C:\Windows\SysWOW64\Aepmjk32.exeC:\Windows\system32\Aepmjk32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5496 -
C:\Windows\SysWOW64\Cnealfkf.exeC:\Windows\system32\Cnealfkf.exe85⤵
- Drops file in System32 directory
PID:5580 -
C:\Windows\SysWOW64\Cllkcbnl.exeC:\Windows\system32\Cllkcbnl.exe86⤵
- Modifies registry class
PID:5620 -
C:\Windows\SysWOW64\Cpjdiadb.exeC:\Windows\system32\Cpjdiadb.exe87⤵PID:5664
-
C:\Windows\SysWOW64\Dlfniafa.exeC:\Windows\system32\Dlfniafa.exe88⤵PID:5708
-
C:\Windows\SysWOW64\Dgnolj32.exeC:\Windows\system32\Dgnolj32.exe89⤵PID:5756
-
C:\Windows\SysWOW64\Dfclmfhl.exeC:\Windows\system32\Dfclmfhl.exe90⤵
- Modifies registry class
PID:5800 -
C:\Windows\SysWOW64\Dqhpjohb.exeC:\Windows\system32\Dqhpjohb.exe91⤵PID:5840
-
C:\Windows\SysWOW64\Ejaecdnc.exeC:\Windows\system32\Ejaecdnc.exe92⤵PID:5884
-
C:\Windows\SysWOW64\Eopjakkg.exeC:\Windows\system32\Eopjakkg.exe93⤵PID:5924
-
C:\Windows\SysWOW64\Ecnbgian.exeC:\Windows\system32\Ecnbgian.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5968 -
C:\Windows\SysWOW64\Eqbcqnph.exeC:\Windows\system32\Eqbcqnph.exe95⤵PID:6012
-
C:\Windows\SysWOW64\Ffahnd32.exeC:\Windows\system32\Ffahnd32.exe96⤵
- Modifies registry class
PID:6064 -
C:\Windows\SysWOW64\Ffcedd32.exeC:\Windows\system32\Ffcedd32.exe97⤵
- Drops file in System32 directory
- Modifies registry class
PID:6108 -
C:\Windows\SysWOW64\Fmpjfn32.exeC:\Windows\system32\Fmpjfn32.exe98⤵PID:3892
-
C:\Windows\SysWOW64\Ffhnocfd.exeC:\Windows\system32\Ffhnocfd.exe99⤵PID:5288
-
C:\Windows\SysWOW64\Gpelchhp.exeC:\Windows\system32\Gpelchhp.exe100⤵
- Drops file in System32 directory
PID:5368 -
C:\Windows\SysWOW64\Ghcjedcj.exeC:\Windows\system32\Ghcjedcj.exe101⤵PID:5444
-
C:\Windows\SysWOW64\Gmpcmkaa.exeC:\Windows\system32\Gmpcmkaa.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5064 -
C:\Windows\SysWOW64\Hdaajd32.exeC:\Windows\system32\Hdaajd32.exe103⤵PID:5576
-
C:\Windows\SysWOW64\Ikifhm32.exeC:\Windows\system32\Ikifhm32.exe104⤵PID:3804
-
C:\Windows\SysWOW64\Jgbccm32.exeC:\Windows\system32\Jgbccm32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5720 -
C:\Windows\SysWOW64\Jpoagb32.exeC:\Windows\system32\Jpoagb32.exe106⤵PID:5764
-
C:\Windows\SysWOW64\Jncapf32.exeC:\Windows\system32\Jncapf32.exe107⤵
- Drops file in System32 directory
PID:5836 -
C:\Windows\SysWOW64\Kkgbjkac.exeC:\Windows\system32\Kkgbjkac.exe108⤵PID:5912
-
C:\Windows\SysWOW64\Lkenkhec.exeC:\Windows\system32\Lkenkhec.exe109⤵PID:6000
-
C:\Windows\SysWOW64\Lkldlgok.exeC:\Windows\system32\Lkldlgok.exe110⤵PID:2216
-
C:\Windows\SysWOW64\Mhpeelnd.exeC:\Windows\system32\Mhpeelnd.exe111⤵PID:6136
-
C:\Windows\SysWOW64\Mbhina32.exeC:\Windows\system32\Mbhina32.exe112⤵
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Mkegbfgp.exeC:\Windows\system32\Mkegbfgp.exe113⤵PID:4640
-
C:\Windows\SysWOW64\Nbbldp32.exeC:\Windows\system32\Nbbldp32.exe114⤵PID:996
-
C:\Windows\SysWOW64\Ngodlgka.exeC:\Windows\system32\Ngodlgka.exe115⤵
- Modifies registry class
PID:5416 -
C:\Windows\SysWOW64\Nkmmbe32.exeC:\Windows\system32\Nkmmbe32.exe116⤵
- Modifies registry class
PID:3684 -
C:\Windows\SysWOW64\Niqnli32.exeC:\Windows\system32\Niqnli32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5564 -
C:\Windows\SysWOW64\Nbkojo32.exeC:\Windows\system32\Nbkojo32.exe118⤵PID:5532
-
C:\Windows\SysWOW64\Okcccdkp.exeC:\Windows\system32\Okcccdkp.exe119⤵PID:5612
-
C:\Windows\SysWOW64\Ogjdheqd.exeC:\Windows\system32\Ogjdheqd.exe120⤵
- Drops file in System32 directory
PID:5740 -
C:\Windows\SysWOW64\Ophbja32.exeC:\Windows\system32\Ophbja32.exe121⤵PID:5896
-
C:\Windows\SysWOW64\Pldljbmn.exeC:\Windows\system32\Pldljbmn.exe122⤵PID:4760