Analysis
-
max time kernel
140s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
07/10/2023, 11:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.bb253712710ac1e6494b695e5c923e88_JC.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.bb253712710ac1e6494b695e5c923e88_JC.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.bb253712710ac1e6494b695e5c923e88_JC.exe
-
Size
391KB
-
MD5
bb253712710ac1e6494b695e5c923e88
-
SHA1
9a5ddd5a4724f80ce863920374ba7189f5f81685
-
SHA256
5ecd13ca055b630fd01e682413e8a7ef8deb095cafede074a681060386920647
-
SHA512
2ba1ea267aeaea88e9ae0bc715f8076ac45f9610f53af1302d09198b2ab721c80a5edcce4bc104afce82509bab391c3f57d3539d74f71b83e6df7d548f9e0db4
-
SSDEEP
12288:Ti6T9XvEhdfJkKSkU3kHyuaRB5t6k0IJogZ+SZE:Gm9XvEhdfJkKSkU3kHyuaRB5t6k0IJon
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhmgfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdiamnpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhcfleff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hehdfdek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilkoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aplaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Peempn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogqmee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhfcae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcgpni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lplfcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpljehpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdghhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpdfpmoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igkadlcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccdihbgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dajbaika.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clpgkcdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohgopgfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgbonm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbbeml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bflham32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glchjedc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohaokbfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhhcne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oajccgmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecbeip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcjldk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cleqfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eennefib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lajhpbme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nblolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbimjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddhhbngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kakednfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpccmhdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgkan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Abpcja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qkchna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdocph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dblnid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lmkipncc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbibfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bgdemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enpknplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imknli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cqiehnml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clgmkbna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fgffka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkdlkope.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhhldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dgeenfog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnlodjpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofgdcipq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dggkipii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nonbqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fdadpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icgbob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdcmkgmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cienon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mddkbbfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcijce32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hokgmpkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhofnpp.exe -
Executes dropped EXE 64 IoCs
pid Process 4660 Jcfggkac.exe 4448 Jlolpq32.exe 5080 Kjblje32.exe 4596 Kgflcifg.exe 968 Kgiiiidd.exe 1284 Klfaapbl.exe 2692 Klhnfo32.exe 1984 Kgnbdh32.exe 3060 Lcgpni32.exe 4412 Lgdidgjg.exe 1652 Lcnfohmi.exe 3816 Modgdicm.exe 1164 Mogcihaj.exe 2664 Mnhdgpii.exe 412 Mmmqhl32.exe 2124 Mcifkf32.exe 4608 Nnojho32.exe 4788 Nflkbanj.exe 2940 Nnhmnn32.exe 4800 Omnjojpo.exe 1904 Onmfimga.exe 2160 Onocomdo.exe 4736 Opclldhj.exe 2564 Bkphhgfc.exe 4996 Bnoddcef.exe 4120 Ckbemgcp.exe 3328 Cocjiehd.exe 4976 Cdpcal32.exe 5048 Cogddd32.exe 1388 Dpiplm32.exe 4384 Dojqjdbl.exe 1760 Dgeenfog.exe 2180 Dhdbhifj.exe 1980 Doagjc32.exe 4424 Dglkoeio.exe 4168 Ebaplnie.exe 396 Egohdegl.exe 4516 Egaejeej.exe 512 Edeeci32.exe 4940 Eqlfhjig.exe 4764 Egened32.exe 1348 Enpfan32.exe 3324 Eiekog32.exe 3740 Fnbcgn32.exe 3812 Fgjhpcmo.exe 2116 Fndpmndl.exe 4036 Fijdjfdb.exe 4900 Fbbicl32.exe 5092 Fofilp32.exe 4816 Finnef32.exe 452 Fkofga32.exe 4124 Gicgpelg.exe 1856 Gnpphljo.exe 4628 Gejhef32.exe 4320 Gaqhjggp.exe 3688 Geoapenf.exe 1376 Giljfddl.exe 4192 Hnibokbd.exe 1712 Hhaggp32.exe 3712 Hnlodjpa.exe 2944 Hiacacpg.exe 3660 Hpkknmgd.exe 4852 Hehdfdek.exe 1324 Haodle32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mapgfk32.exe Miipencp.exe File created C:\Windows\SysWOW64\Cildom32.exe Caqpkjcl.exe File created C:\Windows\SysWOW64\Jbbmmo32.exe Jacpcl32.exe File opened for modification C:\Windows\SysWOW64\Gdhjpjjd.exe Glabolja.exe File created C:\Windows\SysWOW64\Fhbghb32.dll Eekjep32.exe File created C:\Windows\SysWOW64\Lagqnoge.dll Kidmcqeg.exe File created C:\Windows\SysWOW64\Lelncp32.dll Pnjgog32.exe File created C:\Windows\SysWOW64\Modgdicm.exe Lcnfohmi.exe File created C:\Windows\SysWOW64\Lhkdqh32.dll Jhgiim32.exe File opened for modification C:\Windows\SysWOW64\Igneda32.exe Iqdmghnp.exe File created C:\Windows\SysWOW64\Ogqmee32.exe Onhhmpoo.exe File created C:\Windows\SysWOW64\Mmdcde32.dll Dhfcae32.exe File created C:\Windows\SysWOW64\Haodle32.exe Hehdfdek.exe File created C:\Windows\SysWOW64\Dkheoa32.dll Mlemcq32.exe File opened for modification C:\Windows\SysWOW64\Ohqpjo32.exe Oohkai32.exe File opened for modification C:\Windows\SysWOW64\Mdokmm32.exe Mhhjhlqm.exe File created C:\Windows\SysWOW64\Iknmmg32.dll Mnhdgpii.exe File opened for modification C:\Windows\SysWOW64\Jaqcnl32.exe Jjgkab32.exe File opened for modification C:\Windows\SysWOW64\Oojalb32.exe Ohpiphlb.exe File created C:\Windows\SysWOW64\Phkaqqoi.exe Paaidf32.exe File created C:\Windows\SysWOW64\Mcifkf32.exe Mmmqhl32.exe File created C:\Windows\SysWOW64\Iijfhbhl.exe Inebjihf.exe File created C:\Windows\SysWOW64\Jckeokan.exe Jqmicpbj.exe File created C:\Windows\SysWOW64\Noaeqjpe.exe Nlcidopb.exe File created C:\Windows\SysWOW64\Omcbkl32.exe Ofijnbkb.exe File created C:\Windows\SysWOW64\Abgcqjhp.exe Akmjdpac.exe File opened for modification C:\Windows\SysWOW64\Fpeaeedg.exe Fepmgm32.exe File created C:\Windows\SysWOW64\Hhaggp32.exe Hnibokbd.exe File opened for modification C:\Windows\SysWOW64\Ofgdcipq.exe Oonlfo32.exe File created C:\Windows\SysWOW64\Egkddo32.exe Daollh32.exe File created C:\Windows\SysWOW64\Kefbdjgm.exe Kkpnga32.exe File opened for modification C:\Windows\SysWOW64\Glchjedc.exe Gjdknjep.exe File created C:\Windows\SysWOW64\Mgpilmfi.dll Geoapenf.exe File created C:\Windows\SysWOW64\Kiphjo32.exe Jbepme32.exe File opened for modification C:\Windows\SysWOW64\Nlqloo32.exe Nakhaf32.exe File created C:\Windows\SysWOW64\Ddhhbngi.exe Defheg32.exe File created C:\Windows\SysWOW64\Jfpqiega.dll Mpeiie32.exe File created C:\Windows\SysWOW64\Egcpgp32.dll Mbibfm32.exe File created C:\Windows\SysWOW64\Kakednfj.exe Kidmcqeg.exe File created C:\Windows\SysWOW64\Jaqcnl32.exe Jjgkab32.exe File created C:\Windows\SysWOW64\Dpefaq32.exe Cmgjee32.exe File created C:\Windows\SysWOW64\Nblipdgh.dll Fnglcqio.exe File opened for modification C:\Windows\SysWOW64\Malnklgg.exe Mffjnc32.exe File created C:\Windows\SysWOW64\Mglpdp32.dll Jlolpq32.exe File created C:\Windows\SysWOW64\Gkhbbi32.exe Gqbneq32.exe File created C:\Windows\SysWOW64\Bechccgd.dll Ddhhbngi.exe File created C:\Windows\SysWOW64\Ejnphkkg.dll Laglkb32.exe File opened for modification C:\Windows\SysWOW64\Gipbck32.exe Gojnfb32.exe File created C:\Windows\SysWOW64\Kifjip32.exe Kgemahmg.exe File created C:\Windows\SysWOW64\Agiahlkf.exe Aqpika32.exe File created C:\Windows\SysWOW64\Jjgkab32.exe Jejbhk32.exe File opened for modification C:\Windows\SysWOW64\Glabolja.exe Gcimfg32.exe File created C:\Windows\SysWOW64\Icncngca.dll Hfhbipdb.exe File opened for modification C:\Windows\SysWOW64\Ckoifgmb.exe Cqiehnml.exe File opened for modification C:\Windows\SysWOW64\Mhoahh32.exe Mbdiknlb.exe File created C:\Windows\SysWOW64\Hpfohk32.dll Nbbeml32.exe File opened for modification C:\Windows\SysWOW64\Hbiapb32.exe Hgcmbj32.exe File created C:\Windows\SysWOW64\Haafdi32.dll Piceflpi.exe File created C:\Windows\SysWOW64\Hqkefo32.dll Hfgloiqf.exe File created C:\Windows\SysWOW64\Mffjnc32.exe Ldgnbg32.exe File created C:\Windows\SysWOW64\Bfcjjj32.dll Dgeenfog.exe File opened for modification C:\Windows\SysWOW64\Pbhgoh32.exe Piocecgj.exe File opened for modification C:\Windows\SysWOW64\Ekqckmfb.exe Eqkondfl.exe File created C:\Windows\SysWOW64\Dlcmgqdd.exe Deidjf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6976 7020 WerFault.exe 798 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodeek32.dll" Fepmgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfafpcai.dll" Nipffmmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Djpfbahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnijfj32.dll" Egened32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdbbme32.dll" Cibain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmglfe32.dll" Blgddd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggajho32.dll" Pfdbpjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjcnl32.dll" Hnhkdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elnfkp32.dll" Lndfchdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mmhofbma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjnjammf.dll" Mmhofbma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pjaleemj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Poidhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ffnglc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mgngih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mgpcohcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eiekog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhckcgpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odgqopeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gloejmld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eekjep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggbkdkip.dll" Fhllni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldnemdgd.dll" Jnpjlajn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llngbabj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bemlhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hokgmpkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Phfhfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifoijonj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Keekjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Onjebpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Akjgdjoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Biklho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bfhofnpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Icklhnop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmjkhghe.dll" Cnmebblf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glkkmjeh.dll" Fkcpql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oooaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqhckhgq.dll" Kmhccpci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiidnkam.dll" Koonge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdcde32.dll" Dhfcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqhdfhck.dll" Aqpika32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iafkld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjgkab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Npcaie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ifoijonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihje32.dll" Bigbmpco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mejcig32.dll" Nocbfjmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoino32.dll" Bhgjcmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Khcgfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oamgcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Appgnf32.dll" Hladlc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlcidopb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qkcackeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ihkjno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Legben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mfbaalbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kceoppmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Onhhmpoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijiflg32.dll" Aecbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnolia32.dll" Mpqklh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dabhomea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cmbgdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eajlhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hjlhipbc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3080 wrote to memory of 4660 3080 NEAS.bb253712710ac1e6494b695e5c923e88_JC.exe 82 PID 3080 wrote to memory of 4660 3080 NEAS.bb253712710ac1e6494b695e5c923e88_JC.exe 82 PID 3080 wrote to memory of 4660 3080 NEAS.bb253712710ac1e6494b695e5c923e88_JC.exe 82 PID 4660 wrote to memory of 4448 4660 Jcfggkac.exe 83 PID 4660 wrote to memory of 4448 4660 Jcfggkac.exe 83 PID 4660 wrote to memory of 4448 4660 Jcfggkac.exe 83 PID 4448 wrote to memory of 5080 4448 Jlolpq32.exe 88 PID 4448 wrote to memory of 5080 4448 Jlolpq32.exe 88 PID 4448 wrote to memory of 5080 4448 Jlolpq32.exe 88 PID 5080 wrote to memory of 4596 5080 Kjblje32.exe 84 PID 5080 wrote to memory of 4596 5080 Kjblje32.exe 84 PID 5080 wrote to memory of 4596 5080 Kjblje32.exe 84 PID 4596 wrote to memory of 968 4596 Kgflcifg.exe 85 PID 4596 wrote to memory of 968 4596 Kgflcifg.exe 85 PID 4596 wrote to memory of 968 4596 Kgflcifg.exe 85 PID 968 wrote to memory of 1284 968 Kgiiiidd.exe 86 PID 968 wrote to memory of 1284 968 Kgiiiidd.exe 86 PID 968 wrote to memory of 1284 968 Kgiiiidd.exe 86 PID 1284 wrote to memory of 2692 1284 Klfaapbl.exe 87 PID 1284 wrote to memory of 2692 1284 Klfaapbl.exe 87 PID 1284 wrote to memory of 2692 1284 Klfaapbl.exe 87 PID 2692 wrote to memory of 1984 2692 Klhnfo32.exe 90 PID 2692 wrote to memory of 1984 2692 Klhnfo32.exe 90 PID 2692 wrote to memory of 1984 2692 Klhnfo32.exe 90 PID 1984 wrote to memory of 3060 1984 Kgnbdh32.exe 91 PID 1984 wrote to memory of 3060 1984 Kgnbdh32.exe 91 PID 1984 wrote to memory of 3060 1984 Kgnbdh32.exe 91 PID 3060 wrote to memory of 4412 3060 Lcgpni32.exe 92 PID 3060 wrote to memory of 4412 3060 Lcgpni32.exe 92 PID 3060 wrote to memory of 4412 3060 Lcgpni32.exe 92 PID 4412 wrote to memory of 1652 4412 Lgdidgjg.exe 93 PID 4412 wrote to memory of 1652 4412 Lgdidgjg.exe 93 PID 4412 wrote to memory of 1652 4412 Lgdidgjg.exe 93 PID 1652 wrote to memory of 3816 1652 Lcnfohmi.exe 94 PID 1652 wrote to memory of 3816 1652 Lcnfohmi.exe 94 PID 1652 wrote to memory of 3816 1652 Lcnfohmi.exe 94 PID 3816 wrote to memory of 1164 3816 Modgdicm.exe 95 PID 3816 wrote to memory of 1164 3816 Modgdicm.exe 95 PID 3816 wrote to memory of 1164 3816 Modgdicm.exe 95 PID 1164 wrote to memory of 2664 1164 Mogcihaj.exe 96 PID 1164 wrote to memory of 2664 1164 Mogcihaj.exe 96 PID 1164 wrote to memory of 2664 1164 Mogcihaj.exe 96 PID 2664 wrote to memory of 412 2664 Mnhdgpii.exe 97 PID 2664 wrote to memory of 412 2664 Mnhdgpii.exe 97 PID 2664 wrote to memory of 412 2664 Mnhdgpii.exe 97 PID 412 wrote to memory of 2124 412 Mmmqhl32.exe 98 PID 412 wrote to memory of 2124 412 Mmmqhl32.exe 98 PID 412 wrote to memory of 2124 412 Mmmqhl32.exe 98 PID 2124 wrote to memory of 4608 2124 Mcifkf32.exe 99 PID 2124 wrote to memory of 4608 2124 Mcifkf32.exe 99 PID 2124 wrote to memory of 4608 2124 Mcifkf32.exe 99 PID 4608 wrote to memory of 4788 4608 Nnojho32.exe 100 PID 4608 wrote to memory of 4788 4608 Nnojho32.exe 100 PID 4608 wrote to memory of 4788 4608 Nnojho32.exe 100 PID 4788 wrote to memory of 2940 4788 Nflkbanj.exe 101 PID 4788 wrote to memory of 2940 4788 Nflkbanj.exe 101 PID 4788 wrote to memory of 2940 4788 Nflkbanj.exe 101 PID 2940 wrote to memory of 4800 2940 Nnhmnn32.exe 102 PID 2940 wrote to memory of 4800 2940 Nnhmnn32.exe 102 PID 2940 wrote to memory of 4800 2940 Nnhmnn32.exe 102 PID 4800 wrote to memory of 1904 4800 Omnjojpo.exe 103 PID 4800 wrote to memory of 1904 4800 Omnjojpo.exe 103 PID 4800 wrote to memory of 1904 4800 Omnjojpo.exe 103 PID 1904 wrote to memory of 2160 1904 Onmfimga.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.bb253712710ac1e6494b695e5c923e88_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.bb253712710ac1e6494b695e5c923e88_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\Jcfggkac.exeC:\Windows\system32\Jcfggkac.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Jlolpq32.exeC:\Windows\system32\Jlolpq32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Kjblje32.exeC:\Windows\system32\Kjblje32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080
-
-
-
-
C:\Windows\SysWOW64\Kgflcifg.exeC:\Windows\system32\Kgflcifg.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Kgiiiidd.exeC:\Windows\system32\Kgiiiidd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\Klfaapbl.exeC:\Windows\system32\Klfaapbl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Klhnfo32.exeC:\Windows\system32\Klhnfo32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Kgnbdh32.exeC:\Windows\system32\Kgnbdh32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Lcgpni32.exeC:\Windows\system32\Lcgpni32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Lgdidgjg.exeC:\Windows\system32\Lgdidgjg.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Lcnfohmi.exeC:\Windows\system32\Lcnfohmi.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Modgdicm.exeC:\Windows\system32\Modgdicm.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\SysWOW64\Mogcihaj.exeC:\Windows\system32\Mogcihaj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Mnhdgpii.exeC:\Windows\system32\Mnhdgpii.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Mmmqhl32.exeC:\Windows\system32\Mmmqhl32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\SysWOW64\Mcifkf32.exeC:\Windows\system32\Mcifkf32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Nnojho32.exeC:\Windows\system32\Nnojho32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Nflkbanj.exeC:\Windows\system32\Nflkbanj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\Nnhmnn32.exeC:\Windows\system32\Nnhmnn32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Omnjojpo.exeC:\Windows\system32\Omnjojpo.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Onmfimga.exeC:\Windows\system32\Onmfimga.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Onocomdo.exeC:\Windows\system32\Onocomdo.exe19⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Opclldhj.exeC:\Windows\system32\Opclldhj.exe20⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Bkphhgfc.exeC:\Windows\system32\Bkphhgfc.exe21⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Bnoddcef.exeC:\Windows\system32\Bnoddcef.exe22⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Ckbemgcp.exeC:\Windows\system32\Ckbemgcp.exe23⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Cocjiehd.exeC:\Windows\system32\Cocjiehd.exe24⤵
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Cdpcal32.exeC:\Windows\system32\Cdpcal32.exe25⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Cogddd32.exeC:\Windows\system32\Cogddd32.exe26⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Dpiplm32.exeC:\Windows\system32\Dpiplm32.exe27⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Dojqjdbl.exeC:\Windows\system32\Dojqjdbl.exe28⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Dgeenfog.exeC:\Windows\system32\Dgeenfog.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Dhdbhifj.exeC:\Windows\system32\Dhdbhifj.exe30⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Doagjc32.exeC:\Windows\system32\Doagjc32.exe31⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Dglkoeio.exeC:\Windows\system32\Dglkoeio.exe32⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Ebaplnie.exeC:\Windows\system32\Ebaplnie.exe33⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Egohdegl.exeC:\Windows\system32\Egohdegl.exe34⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Egaejeej.exeC:\Windows\system32\Egaejeej.exe35⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Edeeci32.exeC:\Windows\system32\Edeeci32.exe36⤵
- Executes dropped EXE
PID:512 -
C:\Windows\SysWOW64\Eqlfhjig.exeC:\Windows\system32\Eqlfhjig.exe37⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Egened32.exeC:\Windows\system32\Egened32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:4764 -
C:\Windows\SysWOW64\Enpfan32.exeC:\Windows\system32\Enpfan32.exe39⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Eiekog32.exeC:\Windows\system32\Eiekog32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3324 -
C:\Windows\SysWOW64\Fnbcgn32.exeC:\Windows\system32\Fnbcgn32.exe41⤵
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Fgjhpcmo.exeC:\Windows\system32\Fgjhpcmo.exe42⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Fndpmndl.exeC:\Windows\system32\Fndpmndl.exe43⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Fijdjfdb.exeC:\Windows\system32\Fijdjfdb.exe44⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Fbbicl32.exeC:\Windows\system32\Fbbicl32.exe45⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Fofilp32.exeC:\Windows\system32\Fofilp32.exe46⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Finnef32.exeC:\Windows\system32\Finnef32.exe47⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Fkofga32.exeC:\Windows\system32\Fkofga32.exe48⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Gicgpelg.exeC:\Windows\system32\Gicgpelg.exe49⤵
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\Gnpphljo.exeC:\Windows\system32\Gnpphljo.exe50⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Gejhef32.exeC:\Windows\system32\Gejhef32.exe51⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Gaqhjggp.exeC:\Windows\system32\Gaqhjggp.exe52⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Geoapenf.exeC:\Windows\system32\Geoapenf.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3688 -
C:\Windows\SysWOW64\Giljfddl.exeC:\Windows\system32\Giljfddl.exe54⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Hnibokbd.exeC:\Windows\system32\Hnibokbd.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4192 -
C:\Windows\SysWOW64\Hhaggp32.exeC:\Windows\system32\Hhaggp32.exe56⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Hnlodjpa.exeC:\Windows\system32\Hnlodjpa.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3712 -
C:\Windows\SysWOW64\Hiacacpg.exeC:\Windows\system32\Hiacacpg.exe58⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Hpkknmgd.exeC:\Windows\system32\Hpkknmgd.exe59⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Hehdfdek.exeC:\Windows\system32\Hehdfdek.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4852 -
C:\Windows\SysWOW64\Haodle32.exeC:\Windows\system32\Haodle32.exe61⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Hhimhobl.exeC:\Windows\system32\Hhimhobl.exe62⤵PID:2204
-
C:\Windows\SysWOW64\Haaaaeim.exeC:\Windows\system32\Haaaaeim.exe63⤵PID:4948
-
C:\Windows\SysWOW64\Ihkjno32.exeC:\Windows\system32\Ihkjno32.exe64⤵
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Inebjihf.exeC:\Windows\system32\Inebjihf.exe65⤵
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Iijfhbhl.exeC:\Windows\system32\Iijfhbhl.exe66⤵PID:4480
-
C:\Windows\SysWOW64\Iafkld32.exeC:\Windows\system32\Iafkld32.exe67⤵
- Modifies registry class
PID:3676 -
C:\Windows\SysWOW64\Ilkoim32.exeC:\Windows\system32\Ilkoim32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3340 -
C:\Windows\SysWOW64\Iahgad32.exeC:\Windows\system32\Iahgad32.exe69⤵PID:1384
-
C:\Windows\SysWOW64\Ihbponja.exeC:\Windows\system32\Ihbponja.exe70⤵PID:3540
-
C:\Windows\SysWOW64\Iolhkh32.exeC:\Windows\system32\Iolhkh32.exe71⤵PID:4972
-
C:\Windows\SysWOW64\Ihdldn32.exeC:\Windows\system32\Ihdldn32.exe72⤵PID:1432
-
C:\Windows\SysWOW64\Ibjqaf32.exeC:\Windows\system32\Ibjqaf32.exe73⤵PID:3940
-
C:\Windows\SysWOW64\Iehmmb32.exeC:\Windows\system32\Iehmmb32.exe74⤵PID:4992
-
C:\Windows\SysWOW64\Jhgiim32.exeC:\Windows\system32\Jhgiim32.exe75⤵
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Jaonbc32.exeC:\Windows\system32\Jaonbc32.exe76⤵PID:1644
-
C:\Windows\SysWOW64\Jppnpjel.exeC:\Windows\system32\Jppnpjel.exe77⤵PID:4560
-
C:\Windows\SysWOW64\Jaajhb32.exeC:\Windows\system32\Jaajhb32.exe78⤵PID:4944
-
C:\Windows\SysWOW64\Jpbjfjci.exeC:\Windows\system32\Jpbjfjci.exe79⤵PID:944
-
C:\Windows\SysWOW64\Jikoopij.exeC:\Windows\system32\Jikoopij.exe80⤵PID:3988
-
C:\Windows\SysWOW64\Jeapcq32.exeC:\Windows\system32\Jeapcq32.exe81⤵PID:2080
-
C:\Windows\SysWOW64\Jllhpkfk.exeC:\Windows\system32\Jllhpkfk.exe82⤵PID:1280
-
C:\Windows\SysWOW64\Jbepme32.exeC:\Windows\system32\Jbepme32.exe83⤵
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Kiphjo32.exeC:\Windows\system32\Kiphjo32.exe84⤵PID:2192
-
C:\Windows\SysWOW64\Kolabf32.exeC:\Windows\system32\Kolabf32.exe85⤵PID:5012
-
C:\Windows\SysWOW64\Kefiopki.exeC:\Windows\system32\Kefiopki.exe86⤵PID:4620
-
C:\Windows\SysWOW64\Koonge32.exeC:\Windows\system32\Koonge32.exe87⤵
- Modifies registry class
PID:5132 -
C:\Windows\SysWOW64\Keifdpif.exeC:\Windows\system32\Keifdpif.exe88⤵PID:5184
-
C:\Windows\SysWOW64\Kpnjah32.exeC:\Windows\system32\Kpnjah32.exe89⤵PID:5232
-
C:\Windows\SysWOW64\Kapfiqoj.exeC:\Windows\system32\Kapfiqoj.exe90⤵PID:5300
-
C:\Windows\SysWOW64\Klekfinp.exeC:\Windows\system32\Klekfinp.exe91⤵PID:5344
-
C:\Windows\SysWOW64\Kcoccc32.exeC:\Windows\system32\Kcoccc32.exe92⤵PID:5396
-
C:\Windows\SysWOW64\Kiikpnmj.exeC:\Windows\system32\Kiikpnmj.exe93⤵PID:5448
-
C:\Windows\SysWOW64\Kpccmhdg.exeC:\Windows\system32\Kpccmhdg.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5500 -
C:\Windows\SysWOW64\Lepleocn.exeC:\Windows\system32\Lepleocn.exe95⤵PID:5548
-
C:\Windows\SysWOW64\Lljdai32.exeC:\Windows\system32\Lljdai32.exe96⤵PID:5596
-
C:\Windows\SysWOW64\Lafmjp32.exeC:\Windows\system32\Lafmjp32.exe97⤵PID:5644
-
C:\Windows\SysWOW64\Lllagh32.exeC:\Windows\system32\Lllagh32.exe98⤵PID:5684
-
C:\Windows\SysWOW64\Lcfidb32.exeC:\Windows\system32\Lcfidb32.exe99⤵PID:5724
-
C:\Windows\SysWOW64\Lhcali32.exeC:\Windows\system32\Lhcali32.exe100⤵PID:5760
-
C:\Windows\SysWOW64\Lomjicei.exeC:\Windows\system32\Lomjicei.exe101⤵PID:5804
-
C:\Windows\SysWOW64\Legben32.exeC:\Windows\system32\Legben32.exe102⤵
- Modifies registry class
PID:5848 -
C:\Windows\SysWOW64\Lplfcf32.exeC:\Windows\system32\Lplfcf32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5900 -
C:\Windows\SysWOW64\Lfiokmkc.exeC:\Windows\system32\Lfiokmkc.exe104⤵PID:5948
-
C:\Windows\SysWOW64\Mapppn32.exeC:\Windows\system32\Mapppn32.exe105⤵PID:5996
-
C:\Windows\SysWOW64\Mpapnfhg.exeC:\Windows\system32\Mpapnfhg.exe106⤵PID:6040
-
C:\Windows\SysWOW64\Mcoljagj.exeC:\Windows\system32\Mcoljagj.exe107⤵PID:6092
-
C:\Windows\SysWOW64\Mhldbh32.exeC:\Windows\system32\Mhldbh32.exe108⤵PID:6136
-
C:\Windows\SysWOW64\Mbdiknlb.exeC:\Windows\system32\Mbdiknlb.exe109⤵
- Drops file in System32 directory
PID:5168 -
C:\Windows\SysWOW64\Mhoahh32.exeC:\Windows\system32\Mhoahh32.exe110⤵PID:5240
-
C:\Windows\SysWOW64\Mpeiie32.exeC:\Windows\system32\Mpeiie32.exe111⤵
- Drops file in System32 directory
PID:5340 -
C:\Windows\SysWOW64\Mfbaalbi.exeC:\Windows\system32\Mfbaalbi.exe112⤵
- Modifies registry class
PID:5440 -
C:\Windows\SysWOW64\Mqhfoebo.exeC:\Windows\system32\Mqhfoebo.exe113⤵PID:5484
-
C:\Windows\SysWOW64\Mbibfm32.exeC:\Windows\system32\Mbibfm32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5564 -
C:\Windows\SysWOW64\Mhckcgpj.exeC:\Windows\system32\Mhckcgpj.exe115⤵
- Modifies registry class
PID:5652 -
C:\Windows\SysWOW64\Nblolm32.exeC:\Windows\system32\Nblolm32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5692 -
C:\Windows\SysWOW64\Njbgmjgl.exeC:\Windows\system32\Njbgmjgl.exe117⤵PID:5772
-
C:\Windows\SysWOW64\Nckkfp32.exeC:\Windows\system32\Nckkfp32.exe118⤵PID:5872
-
C:\Windows\SysWOW64\Nhhdnf32.exeC:\Windows\system32\Nhhdnf32.exe119⤵PID:5944
-
C:\Windows\SysWOW64\Nqoloc32.exeC:\Windows\system32\Nqoloc32.exe120⤵PID:6008
-
C:\Windows\SysWOW64\Nfldgk32.exeC:\Windows\system32\Nfldgk32.exe121⤵PID:6068
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-