Analysis
-
max time kernel
67s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2023 17:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.c175fdb0828444027a43998e5fa33f10_JC.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.c175fdb0828444027a43998e5fa33f10_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.c175fdb0828444027a43998e5fa33f10_JC.exe
-
Size
52KB
-
MD5
c175fdb0828444027a43998e5fa33f10
-
SHA1
eafe901d3bac1dcd407a2b422272adbed5f67b66
-
SHA256
dc55e78aad3684e97854bae4ef3a71bb69efa73b1593e7c5ed5e416fc211cc35
-
SHA512
0c78d603993c78f9f683ef70aa68d8c37e2c1f6654c2eab871e5b511d0a7b250486dc28c214dbbb02c67fade92b5da6fdfedfb2cda56bec58b3471a153229ab3
-
SSDEEP
768:QqCl+f7ZcjV46yIjN3XSdic+y4JtpCpqeqJrpMN/1H5F/snoMABvKWe:QqCUZcjxJAI5tpCpQruHAoMAdKZ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmjinjnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apdkmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckfofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plocob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdembk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdhfaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhemfbnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oelhljaq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aphegjhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjikeg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khifno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haafnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hikkdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pidamcgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbljoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcnpgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmgdaokh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eecfah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhbnqi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjhjae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dendok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlnqln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnbjpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcmkjeko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdfbbhdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geklckkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdaqhf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiaogfai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iapbodql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Endnohdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfpfqiha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkgdfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbpjbe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpepmkjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jioajliq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hccomh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmkbeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdahek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onfbpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flddoa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpidhmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcpaiq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioafchai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bplhhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndbefkjk.exe -
Executes dropped EXE 64 IoCs
pid Process 5072 Ohbfeh32.exe 4596 Oolnabal.exe 4320 Oeffnl32.exe 3940 Okcogc32.exe 2940 Oamgcm32.exe 4140 Ohgopgfj.exe 4648 Okeklcen.exe 2024 Pdnpeh32.exe 5108 Pnfdnnbo.exe 2068 Pdpmkhjl.exe 1188 Pkjegb32.exe 2628 Pgcbbc32.exe 4260 Pdgckg32.exe 1296 Qnpgdmjd.exe 4620 Qhekaejj.exe 4884 Andqol32.exe 4716 Adnilfnl.exe 3508 Aocmio32.exe 4836 Agobna32.exe 3272 Abdfkj32.exe 4876 Aohfdnil.exe 180 Aeeomegd.exe 1884 Anncek32.exe 4848 Bnppkj32.exe 1636 Biedhclh.exe 4988 Bnbmqjjo.exe 4360 Bgmnooom.exe 3996 Beaohcmf.exe 3848 Bnicai32.exe 1308 Cgagjo32.exe 5008 Cbglgg32.exe 1156 Ciaddaaj.exe 5012 Cehdib32.exe 4708 Clbmfm32.exe 3784 Cfgace32.exe 2040 Cldjkl32.exe 840 Cihjeq32.exe 2572 Cpbbak32.exe 1540 Dhmgfm32.exe 1696 Fpqgjf32.exe 2820 Fgjpfqpi.exe 1824 Flghognq.exe 2336 Fgmllpng.exe 3948 Fpeaeedg.exe 4044 Gebimmco.exe 2236 Gllajf32.exe 4960 Ggafgo32.exe 3040 Ghcbohpp.exe 5080 Gchflq32.exe 4440 Glqkefff.exe 3384 Gckcap32.exe 5052 Gpodkdll.exe 2240 Geklckkd.exe 888 Gledpe32.exe 4532 Hcommoin.exe 4496 Hjieii32.exe 4384 Hlhaee32.exe 212 Hcaibo32.exe 344 Hpejlc32.exe 2228 Hhaope32.exe 1900 Hokgmpkl.exe 3024 Hjpkjh32.exe 4676 Homcbo32.exe 3052 Hhehkepj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Doeifpkk.exe Dememj32.exe File opened for modification C:\Windows\SysWOW64\Aappdj32.exe Process not Found File created C:\Windows\SysWOW64\Cjfaon32.exe Process not Found File created C:\Windows\SysWOW64\Ahafcp32.dll Adnbapjp.exe File created C:\Windows\SysWOW64\Aafghjbq.dll Nkkggl32.exe File opened for modification C:\Windows\SysWOW64\Jpojml32.exe Jidbpa32.exe File created C:\Windows\SysWOW64\Ndbnkefp.exe Nacboi32.exe File created C:\Windows\SysWOW64\Jmfjhp32.dll Hmabnnhg.exe File created C:\Windows\SysWOW64\Giacmggo.exe Gcdkdpih.exe File opened for modification C:\Windows\SysWOW64\Ndbnkefp.exe Nacboi32.exe File created C:\Windows\SysWOW64\Dfmcgm32.dll Hhaope32.exe File created C:\Windows\SysWOW64\Ajhndgjj.exe Ahgamo32.exe File created C:\Windows\SysWOW64\Bkamdi32.exe Bhbahm32.exe File created C:\Windows\SysWOW64\Kmnkaeeg.dll Jiphebml.exe File created C:\Windows\SysWOW64\Eonmkkmj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Eonmkkmj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Aonhblad.exe Qnlkllcf.exe File created C:\Windows\SysWOW64\Jmqefmcl.dll Nnolojhk.exe File opened for modification C:\Windows\SysWOW64\Jfllca32.exe Jcnpgf32.exe File opened for modification C:\Windows\SysWOW64\Djmima32.exe Deqqek32.exe File created C:\Windows\SysWOW64\Accfahjf.dll Jkeloa32.exe File opened for modification C:\Windows\SysWOW64\Albpff32.exe Abjkmqni.exe File created C:\Windows\SysWOW64\Empboc32.dll Process not Found File created C:\Windows\SysWOW64\Cncnbean.dll Poqckdap.exe File created C:\Windows\SysWOW64\Bedpjdoc.exe Bbecnipp.exe File created C:\Windows\SysWOW64\Hlnbhlof.dll Hillnoif.exe File created C:\Windows\SysWOW64\Fkgbli32.exe Process not Found File created C:\Windows\SysWOW64\Pdpmkhjl.exe Pnfdnnbo.exe File created C:\Windows\SysWOW64\Iibaeb32.exe Hchihhng.exe File created C:\Windows\SysWOW64\Oemjonmn.dll Gfbpfedp.exe File opened for modification C:\Windows\SysWOW64\Jaimko32.exe Jfdinf32.exe File opened for modification C:\Windows\SysWOW64\Okcogc32.exe Oeffnl32.exe File created C:\Windows\SysWOW64\Adjnaj32.exe Eahomk32.exe File created C:\Windows\SysWOW64\Bmkkdk32.dll Hejono32.exe File created C:\Windows\SysWOW64\Jpojml32.exe Jidbpa32.exe File opened for modification C:\Windows\SysWOW64\Alaaajmb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cpbbak32.exe Cihjeq32.exe File created C:\Windows\SysWOW64\Aochga32.exe Process not Found File created C:\Windows\SysWOW64\Bchgnoai.exe Bpjkbcbe.exe File opened for modification C:\Windows\SysWOW64\Mnndhi32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ihkila32.exe Ihhmgaqb.exe File created C:\Windows\SysWOW64\Fnpapfnf.dll Process not Found File created C:\Windows\SysWOW64\Dfikjkob.dll Process not Found File created C:\Windows\SysWOW64\Andqol32.exe Qhekaejj.exe File opened for modification C:\Windows\SysWOW64\Ndliin32.exe Njceqili.exe File created C:\Windows\SysWOW64\Enfjdh32.exe Eglbhnkp.exe File created C:\Windows\SysWOW64\Cfiiggpg.exe Cpmqoqbp.exe File created C:\Windows\SysWOW64\Ajfhhp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ocqncp32.exe Onceji32.exe File opened for modification C:\Windows\SysWOW64\Pjnipc32.exe Process not Found File created C:\Windows\SysWOW64\Fhemfbnq.exe Fffqjfom.exe File created C:\Windows\SysWOW64\Igghilhi.exe Ioppho32.exe File created C:\Windows\SysWOW64\Pjlalacf.dll Cafpkc32.exe File created C:\Windows\SysWOW64\Jfdinf32.exe Jdembk32.exe File opened for modification C:\Windows\SysWOW64\Lpinac32.exe Lmkbeg32.exe File created C:\Windows\SysWOW64\Oodnao32.dll Jcnpgf32.exe File created C:\Windows\SysWOW64\Kpfkkl32.dll Process not Found File created C:\Windows\SysWOW64\Fndinf32.dll Bchgnoai.exe File opened for modification C:\Windows\SysWOW64\Fchdnkpi.exe Fkalmn32.exe File opened for modification C:\Windows\SysWOW64\Jacnegep.exe Ikifhm32.exe File created C:\Windows\SysWOW64\Npjelo32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ihnbih32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pdpmkhjl.exe Pnfdnnbo.exe File created C:\Windows\SysWOW64\Hkpgkc32.dll Ddklnh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6772 4396 Process not Found 2067 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anncek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcccom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Komhkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acemfcjn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpilqfoh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edldoc32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hodgei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpeaeedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmiealgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmlcae32.dll" Hebkid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcqmpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmdcamko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bplhhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqohge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcalae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jggapj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljjicl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcpledob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbnomjg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjnfnn32.dll" Mdgejmdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pddokabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llngmeja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coijja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofaqlji.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cplhopqe.dll" Fcjimnjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbkdgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbecnipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghagagc.dll" Bopgdcnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gllajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbiql32.dll" Hkjjfkcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flmhclod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijgaeo32.dll" Qnlkllcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caapfnkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fofigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocldhqgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnmjmmpa.dll" Ipmjkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okcogc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmjinjnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdfnmhnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koggehff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehbpho32.dll" Obgofmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhgkgdjo.dll" Gfkjef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbonb32.dll" Hillnoif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Caapfnkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhbnqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpkcp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehpnnpl.dll" Jhdlbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjklcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcmbia32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmmcgbnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hholim32.dll" Jjgcgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okcmingd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibncmchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akgjnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hccomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elagjihh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alaaajmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgcbbc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4756 wrote to memory of 5072 4756 NEAS.c175fdb0828444027a43998e5fa33f10_JC.exe 33 PID 4756 wrote to memory of 5072 4756 NEAS.c175fdb0828444027a43998e5fa33f10_JC.exe 33 PID 4756 wrote to memory of 5072 4756 NEAS.c175fdb0828444027a43998e5fa33f10_JC.exe 33 PID 5072 wrote to memory of 4596 5072 Ohbfeh32.exe 34 PID 5072 wrote to memory of 4596 5072 Ohbfeh32.exe 34 PID 5072 wrote to memory of 4596 5072 Ohbfeh32.exe 34 PID 4596 wrote to memory of 4320 4596 Oolnabal.exe 35 PID 4596 wrote to memory of 4320 4596 Oolnabal.exe 35 PID 4596 wrote to memory of 4320 4596 Oolnabal.exe 35 PID 4320 wrote to memory of 3940 4320 Oeffnl32.exe 36 PID 4320 wrote to memory of 3940 4320 Oeffnl32.exe 36 PID 4320 wrote to memory of 3940 4320 Oeffnl32.exe 36 PID 3940 wrote to memory of 2940 3940 Okcogc32.exe 42 PID 3940 wrote to memory of 2940 3940 Okcogc32.exe 42 PID 3940 wrote to memory of 2940 3940 Okcogc32.exe 42 PID 2940 wrote to memory of 4140 2940 Oamgcm32.exe 37 PID 2940 wrote to memory of 4140 2940 Oamgcm32.exe 37 PID 2940 wrote to memory of 4140 2940 Oamgcm32.exe 37 PID 4140 wrote to memory of 4648 4140 Ohgopgfj.exe 38 PID 4140 wrote to memory of 4648 4140 Ohgopgfj.exe 38 PID 4140 wrote to memory of 4648 4140 Ohgopgfj.exe 38 PID 4648 wrote to memory of 2024 4648 Okeklcen.exe 39 PID 4648 wrote to memory of 2024 4648 Okeklcen.exe 39 PID 4648 wrote to memory of 2024 4648 Okeklcen.exe 39 PID 2024 wrote to memory of 5108 2024 Pdnpeh32.exe 41 PID 2024 wrote to memory of 5108 2024 Pdnpeh32.exe 41 PID 2024 wrote to memory of 5108 2024 Pdnpeh32.exe 41 PID 5108 wrote to memory of 2068 5108 Pnfdnnbo.exe 40 PID 5108 wrote to memory of 2068 5108 Pnfdnnbo.exe 40 PID 5108 wrote to memory of 2068 5108 Pnfdnnbo.exe 40 PID 2068 wrote to memory of 1188 2068 Pdpmkhjl.exe 61 PID 2068 wrote to memory of 1188 2068 Pdpmkhjl.exe 61 PID 2068 wrote to memory of 1188 2068 Pdpmkhjl.exe 61 PID 1188 wrote to memory of 2628 1188 Pkjegb32.exe 60 PID 1188 wrote to memory of 2628 1188 Pkjegb32.exe 60 PID 1188 wrote to memory of 2628 1188 Pkjegb32.exe 60 PID 2628 wrote to memory of 4260 2628 Pgcbbc32.exe 80 PID 2628 wrote to memory of 4260 2628 Pgcbbc32.exe 80 PID 2628 wrote to memory of 4260 2628 Pgcbbc32.exe 80 PID 4260 wrote to memory of 1296 4260 Pdgckg32.exe 72 PID 4260 wrote to memory of 1296 4260 Pdgckg32.exe 72 PID 4260 wrote to memory of 1296 4260 Pdgckg32.exe 72 PID 1296 wrote to memory of 4620 1296 Qnpgdmjd.exe 73 PID 1296 wrote to memory of 4620 1296 Qnpgdmjd.exe 73 PID 1296 wrote to memory of 4620 1296 Qnpgdmjd.exe 73 PID 4620 wrote to memory of 4884 4620 Qhekaejj.exe 74 PID 4620 wrote to memory of 4884 4620 Qhekaejj.exe 74 PID 4620 wrote to memory of 4884 4620 Qhekaejj.exe 74 PID 4884 wrote to memory of 4716 4884 Andqol32.exe 75 PID 4884 wrote to memory of 4716 4884 Andqol32.exe 75 PID 4884 wrote to memory of 4716 4884 Andqol32.exe 75 PID 4716 wrote to memory of 3508 4716 Adnilfnl.exe 76 PID 4716 wrote to memory of 3508 4716 Adnilfnl.exe 76 PID 4716 wrote to memory of 3508 4716 Adnilfnl.exe 76 PID 3508 wrote to memory of 4836 3508 Aocmio32.exe 77 PID 3508 wrote to memory of 4836 3508 Aocmio32.exe 77 PID 3508 wrote to memory of 4836 3508 Aocmio32.exe 77 PID 4836 wrote to memory of 3272 4836 Agobna32.exe 78 PID 4836 wrote to memory of 3272 4836 Agobna32.exe 78 PID 4836 wrote to memory of 3272 4836 Agobna32.exe 78 PID 3272 wrote to memory of 4876 3272 Abdfkj32.exe 79 PID 3272 wrote to memory of 4876 3272 Abdfkj32.exe 79 PID 3272 wrote to memory of 4876 3272 Abdfkj32.exe 79 PID 4876 wrote to memory of 180 4876 Aohfdnil.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c175fdb0828444027a43998e5fa33f10_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.c175fdb0828444027a43998e5fa33f10_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\SysWOW64\Ohbfeh32.exeC:\Windows\system32\Ohbfeh32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Oolnabal.exeC:\Windows\system32\Oolnabal.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Oeffnl32.exeC:\Windows\system32\Oeffnl32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\SysWOW64\Okcogc32.exeC:\Windows\system32\Okcogc32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\Oamgcm32.exeC:\Windows\system32\Oamgcm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940
-
-
-
-
-
-
C:\Windows\SysWOW64\Ohgopgfj.exeC:\Windows\system32\Ohgopgfj.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\Okeklcen.exeC:\Windows\system32\Okeklcen.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\Pdnpeh32.exeC:\Windows\system32\Pdnpeh32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Pnfdnnbo.exeC:\Windows\system32\Pnfdnnbo.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5108
-
-
-
-
C:\Windows\SysWOW64\Pdpmkhjl.exeC:\Windows\system32\Pdpmkhjl.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Pkjegb32.exeC:\Windows\system32\Pkjegb32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188
-
-
C:\Windows\SysWOW64\Pgcbbc32.exeC:\Windows\system32\Pgcbbc32.exe1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Pdgckg32.exeC:\Windows\system32\Pdgckg32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260
-
-
C:\Windows\SysWOW64\Qnpgdmjd.exeC:\Windows\system32\Qnpgdmjd.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Qhekaejj.exeC:\Windows\system32\Qhekaejj.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Andqol32.exeC:\Windows\system32\Andqol32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Adnilfnl.exeC:\Windows\system32\Adnilfnl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Aocmio32.exeC:\Windows\system32\Aocmio32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\Agobna32.exeC:\Windows\system32\Agobna32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Abdfkj32.exeC:\Windows\system32\Abdfkj32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\Aohfdnil.exeC:\Windows\system32\Aohfdnil.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\SysWOW64\Aeeomegd.exeC:\Windows\system32\Aeeomegd.exe9⤵
- Executes dropped EXE
PID:180 -
C:\Windows\SysWOW64\Anncek32.exeC:\Windows\system32\Anncek32.exe10⤵
- Executes dropped EXE
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Bnppkj32.exeC:\Windows\system32\Bnppkj32.exe11⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Biedhclh.exeC:\Windows\system32\Biedhclh.exe12⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Bnbmqjjo.exeC:\Windows\system32\Bnbmqjjo.exe13⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Bgmnooom.exeC:\Windows\system32\Bgmnooom.exe14⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Beaohcmf.exeC:\Windows\system32\Beaohcmf.exe15⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Bnicai32.exeC:\Windows\system32\Bnicai32.exe16⤵
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Cgagjo32.exeC:\Windows\system32\Cgagjo32.exe17⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Cbglgg32.exeC:\Windows\system32\Cbglgg32.exe18⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Ciaddaaj.exeC:\Windows\system32\Ciaddaaj.exe19⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Cehdib32.exeC:\Windows\system32\Cehdib32.exe20⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Clbmfm32.exeC:\Windows\system32\Clbmfm32.exe21⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Cfgace32.exeC:\Windows\system32\Cfgace32.exe22⤵
- Executes dropped EXE
PID:3784 -
C:\Windows\SysWOW64\Cldjkl32.exeC:\Windows\system32\Cldjkl32.exe23⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Cihjeq32.exeC:\Windows\system32\Cihjeq32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:840 -
C:\Windows\SysWOW64\Cpbbak32.exeC:\Windows\system32\Cpbbak32.exe25⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Dhmgfm32.exeC:\Windows\system32\Dhmgfm32.exe26⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Fpqgjf32.exeC:\Windows\system32\Fpqgjf32.exe27⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Fgjpfqpi.exeC:\Windows\system32\Fgjpfqpi.exe28⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Flghognq.exeC:\Windows\system32\Flghognq.exe29⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Fgmllpng.exeC:\Windows\system32\Fgmllpng.exe30⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Fpeaeedg.exeC:\Windows\system32\Fpeaeedg.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:3948 -
C:\Windows\SysWOW64\Gebimmco.exeC:\Windows\system32\Gebimmco.exe32⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Gllajf32.exeC:\Windows\system32\Gllajf32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Ggafgo32.exeC:\Windows\system32\Ggafgo32.exe34⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Ghcbohpp.exeC:\Windows\system32\Ghcbohpp.exe35⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Gchflq32.exeC:\Windows\system32\Gchflq32.exe36⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Glqkefff.exeC:\Windows\system32\Glqkefff.exe37⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Gckcap32.exeC:\Windows\system32\Gckcap32.exe38⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Gpodkdll.exeC:\Windows\system32\Gpodkdll.exe39⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Geklckkd.exeC:\Windows\system32\Geklckkd.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Gledpe32.exeC:\Windows\system32\Gledpe32.exe41⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Hcommoin.exeC:\Windows\system32\Hcommoin.exe42⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Hjieii32.exeC:\Windows\system32\Hjieii32.exe43⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Hlhaee32.exeC:\Windows\system32\Hlhaee32.exe44⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Hcaibo32.exeC:\Windows\system32\Hcaibo32.exe45⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Hpejlc32.exeC:\Windows\system32\Hpejlc32.exe46⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Hhaope32.exeC:\Windows\system32\Hhaope32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Hokgmpkl.exeC:\Windows\system32\Hokgmpkl.exe48⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Hjpkjh32.exeC:\Windows\system32\Hjpkjh32.exe49⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Homcbo32.exeC:\Windows\system32\Homcbo32.exe50⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Hhehkepj.exeC:\Windows\system32\Hhehkepj.exe51⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Ioppho32.exeC:\Windows\system32\Ioppho32.exe52⤵
- Drops file in System32 directory
PID:3096 -
C:\Windows\SysWOW64\Igghilhi.exeC:\Windows\system32\Igghilhi.exe53⤵PID:4892
-
C:\Windows\SysWOW64\Ihheqd32.exeC:\Windows\system32\Ihheqd32.exe54⤵PID:4856
-
C:\Windows\SysWOW64\Igieoleg.exeC:\Windows\system32\Igieoleg.exe55⤵PID:4144
-
C:\Windows\SysWOW64\Ijgakgej.exeC:\Windows\system32\Ijgakgej.exe56⤵PID:5048
-
C:\Windows\SysWOW64\Iqaiga32.exeC:\Windows\system32\Iqaiga32.exe57⤵PID:872
-
C:\Windows\SysWOW64\Icpecm32.exeC:\Windows\system32\Icpecm32.exe58⤵PID:3160
-
C:\Windows\SysWOW64\Ijjnpg32.exeC:\Windows\system32\Ijjnpg32.exe59⤵PID:2596
-
C:\Windows\SysWOW64\Iqdfmajd.exeC:\Windows\system32\Iqdfmajd.exe60⤵PID:4940
-
C:\Windows\SysWOW64\Ignnjk32.exeC:\Windows\system32\Ignnjk32.exe61⤵PID:2792
-
C:\Windows\SysWOW64\Imjgbb32.exeC:\Windows\system32\Imjgbb32.exe62⤵PID:2860
-
C:\Windows\SysWOW64\Icdoolge.exeC:\Windows\system32\Icdoolge.exe63⤵PID:4452
-
C:\Windows\SysWOW64\Ijngkf32.exeC:\Windows\system32\Ijngkf32.exe64⤵PID:980
-
C:\Windows\SysWOW64\Jmmcgbnf.exeC:\Windows\system32\Jmmcgbnf.exe65⤵
- Modifies registry class
PID:4556 -
C:\Windows\SysWOW64\Jcgldl32.exeC:\Windows\system32\Jcgldl32.exe66⤵PID:3664
-
C:\Windows\SysWOW64\Jjqdafmp.exeC:\Windows\system32\Jjqdafmp.exe67⤵PID:4740
-
C:\Windows\SysWOW64\Jqklnp32.exeC:\Windows\system32\Jqklnp32.exe68⤵PID:264
-
C:\Windows\SysWOW64\Jgedjjki.exeC:\Windows\system32\Jgedjjki.exe69⤵PID:4696
-
C:\Windows\SysWOW64\Jjcqffkm.exeC:\Windows\system32\Jjcqffkm.exe70⤵PID:1328
-
C:\Windows\SysWOW64\Jmamba32.exeC:\Windows\system32\Jmamba32.exe71⤵PID:4308
-
C:\Windows\SysWOW64\Jopiom32.exeC:\Windows\system32\Jopiom32.exe72⤵PID:2584
-
C:\Windows\SysWOW64\Jggapj32.exeC:\Windows\system32\Jggapj32.exe73⤵
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Jjemle32.exeC:\Windows\system32\Jjemle32.exe74⤵PID:4288
-
C:\Windows\SysWOW64\Jmdjha32.exeC:\Windows\system32\Jmdjha32.exe75⤵PID:5168
-
C:\Windows\SysWOW64\Jcnbekok.exeC:\Windows\system32\Jcnbekok.exe76⤵PID:5212
-
C:\Windows\SysWOW64\Jjhjae32.exeC:\Windows\system32\Jjhjae32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5248 -
C:\Windows\SysWOW64\Jmffnq32.exeC:\Windows\system32\Jmffnq32.exe78⤵PID:5296
-
C:\Windows\SysWOW64\Jglkkiea.exeC:\Windows\system32\Jglkkiea.exe79⤵PID:5344
-
C:\Windows\SysWOW64\Kqdodo32.exeC:\Windows\system32\Kqdodo32.exe80⤵PID:5392
-
C:\Windows\SysWOW64\Kcbkpj32.exeC:\Windows\system32\Kcbkpj32.exe81⤵PID:5436
-
C:\Windows\SysWOW64\Kjlcmdbb.exeC:\Windows\system32\Kjlcmdbb.exe82⤵PID:5476
-
C:\Windows\SysWOW64\Kmkpipaf.exeC:\Windows\system32\Kmkpipaf.exe83⤵PID:5516
-
C:\Windows\SysWOW64\Kjopbd32.exeC:\Windows\system32\Kjopbd32.exe84⤵PID:5572
-
C:\Windows\SysWOW64\Kaihonhl.exeC:\Windows\system32\Kaihonhl.exe85⤵PID:5616
-
C:\Windows\SysWOW64\Kfeagefd.exeC:\Windows\system32\Kfeagefd.exe86⤵PID:5656
-
C:\Windows\SysWOW64\Kakednfj.exeC:\Windows\system32\Kakednfj.exe87⤵PID:5704
-
C:\Windows\SysWOW64\Kjcjmclj.exeC:\Windows\system32\Kjcjmclj.exe88⤵PID:5744
-
C:\Windows\SysWOW64\Kanbjn32.exeC:\Windows\system32\Kanbjn32.exe89⤵PID:5784
-
C:\Windows\SysWOW64\Kfjjbd32.exeC:\Windows\system32\Kfjjbd32.exe90⤵PID:5828
-
C:\Windows\SysWOW64\Lmdbooik.exeC:\Windows\system32\Lmdbooik.exe91⤵PID:5872
-
C:\Windows\SysWOW64\Lcnkli32.exeC:\Windows\system32\Lcnkli32.exe92⤵PID:5916
-
C:\Windows\SysWOW64\Lfmghdpl.exeC:\Windows\system32\Lfmghdpl.exe93⤵PID:5976
-
C:\Windows\SysWOW64\Lpelqj32.exeC:\Windows\system32\Lpelqj32.exe94⤵PID:6020
-
C:\Windows\SysWOW64\Lglcag32.exeC:\Windows\system32\Lglcag32.exe95⤵PID:6068
-
C:\Windows\SysWOW64\Limpiomm.exeC:\Windows\system32\Limpiomm.exe96⤵PID:6112
-
C:\Windows\SysWOW64\Lhopgg32.exeC:\Windows\system32\Lhopgg32.exe97⤵PID:5132
-
C:\Windows\SysWOW64\Ljmmcbdp.exeC:\Windows\system32\Ljmmcbdp.exe98⤵PID:5200
-
C:\Windows\SysWOW64\Lcealh32.exeC:\Windows\system32\Lcealh32.exe99⤵PID:5280
-
C:\Windows\SysWOW64\Ljoiibbm.exeC:\Windows\system32\Ljoiibbm.exe100⤵PID:5320
-
C:\Windows\SysWOW64\Laiafl32.exeC:\Windows\system32\Laiafl32.exe101⤵PID:5444
-
C:\Windows\SysWOW64\Ldgnbg32.exeC:\Windows\system32\Ldgnbg32.exe102⤵PID:5508
-
C:\Windows\SysWOW64\Mffjnc32.exeC:\Windows\system32\Mffjnc32.exe103⤵PID:5592
-
C:\Windows\SysWOW64\Midfjnge.exeC:\Windows\system32\Midfjnge.exe104⤵PID:5672
-
C:\Windows\SysWOW64\Mpnngh32.exeC:\Windows\system32\Mpnngh32.exe105⤵PID:5740
-
C:\Windows\SysWOW64\Mfhgcbfo.exeC:\Windows\system32\Mfhgcbfo.exe106⤵PID:5816
-
C:\Windows\SysWOW64\Mankaked.exeC:\Windows\system32\Mankaked.exe107⤵PID:5908
-
C:\Windows\SysWOW64\Mfkcibdl.exeC:\Windows\system32\Mfkcibdl.exe108⤵PID:5984
-
C:\Windows\SysWOW64\Mmdlflki.exeC:\Windows\system32\Mmdlflki.exe109⤵PID:6052
-
C:\Windows\SysWOW64\Mpchbhjl.exeC:\Windows\system32\Mpchbhjl.exe110⤵PID:2832
-
C:\Windows\SysWOW64\Mfmpob32.exeC:\Windows\system32\Mfmpob32.exe111⤵PID:5220
-
C:\Windows\SysWOW64\Mdaqhf32.exeC:\Windows\system32\Mdaqhf32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5324 -
C:\Windows\SysWOW64\Mmiealgc.exeC:\Windows\system32\Mmiealgc.exe113⤵
- Modifies registry class
PID:5412 -
C:\Windows\SysWOW64\Nipffmmg.exeC:\Windows\system32\Nipffmmg.exe114⤵PID:5580
-
C:\Windows\SysWOW64\Nagngjmj.exeC:\Windows\system32\Nagngjmj.exe115⤵PID:5692
-
C:\Windows\SysWOW64\Nfdfoala.exeC:\Windows\system32\Nfdfoala.exe116⤵PID:5796
-
C:\Windows\SysWOW64\Nplkhf32.exeC:\Windows\system32\Nplkhf32.exe117⤵PID:5936
-
C:\Windows\SysWOW64\Nkboeobh.exeC:\Windows\system32\Nkboeobh.exe118⤵PID:6008
-
C:\Windows\SysWOW64\Nmpkakak.exeC:\Windows\system32\Nmpkakak.exe119⤵PID:2912
-
C:\Windows\SysWOW64\Niglfl32.exeC:\Windows\system32\Niglfl32.exe120⤵PID:5312
-
C:\Windows\SysWOW64\Ndmpddfe.exeC:\Windows\system32\Ndmpddfe.exe121⤵PID:5484
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-