Analysis
-
max time kernel
152s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
14-10-2023 14:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.1cf3d598368a85ce8957826ddc55aba0_JC.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.1cf3d598368a85ce8957826ddc55aba0_JC.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.1cf3d598368a85ce8957826ddc55aba0_JC.exe
-
Size
74KB
-
MD5
1cf3d598368a85ce8957826ddc55aba0
-
SHA1
2c9750a6aad359354e741b7743d7a5c07b76d8a4
-
SHA256
49c523673825f958c00a3d931753e7ba171380a1f8666d6c64976a5de6f5e31d
-
SHA512
dd3c813c1a3f38309113853f4775e931744df40f1cd745807b93519f916bc684dcaac8b1e2d61f4350b632484f938701cfad1f5f96b0bdf8600dddba4cd00540
-
SSDEEP
1536:7/9J9jxjy/yu/vgMx7/fbXnpMYhz2iBoqq2Ee:pxjy/ym5HBoqqxe
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laiipofp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kolaqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lllagh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocdnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngaabfio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdibplaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahofoogd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcaipa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmjfodne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilhkigcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hepoddcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdagpnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kibeoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcpnhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibdplaho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihagfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hldiinke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmaciefp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cngnbfid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjfgealk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibdplaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmdekf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ielfgmnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cngnbfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knenffqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihpcinld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpnfbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpkqbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nombnc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Figgdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnblnlhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inebjihf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcoljagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oblhcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kknhjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngekmf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijdjfdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihdldn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joekag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Noppeaed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihagfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filapfbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nofmndkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjlalkmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noblkqca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eklajcmc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hifmmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boihcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebfign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojhiogdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knjhae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkhdgfen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eklajcmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gqkhda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gghdaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Loqjlg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jllhpkfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jogqlpde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enmjlojd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fijdjfdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fniihmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihkjno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojnfihmo.exe -
Executes dropped EXE 64 IoCs
pid Process 3352 Ahofoogd.exe 1912 Bdojjo32.exe 3596 Boenhgdd.exe 4612 Bdagpnbk.exe 1048 Bmjkic32.exe 5084 Bddcenpi.exe 3044 Boihcf32.exe 3236 Bhblllfo.exe 4592 Boldhf32.exe 4516 Cdimqm32.exe 3040 Cammjakm.exe 1600 Coqncejg.exe 4916 Chiblk32.exe 4088 Cnfkdb32.exe 4112 Cacckp32.exe 4236 Dqnjgl32.exe 752 Dqpfmlce.exe 5088 Dndgfpbo.exe 4808 Enfckp32.exe 244 Enhpao32.exe 5024 Eklajcmc.exe 2688 Ebfign32.exe 2852 Enmjlojd.exe 1952 Egened32.exe 3328 Ebkbbmqj.exe 2172 Ekcgkb32.exe 4636 Figgdg32.exe 1604 Foapaa32.exe 4892 Fijdjfdb.exe 2508 Fnfmbmbi.exe 2356 Filapfbo.exe 896 Fniihmpf.exe 2844 Finnef32.exe 4316 Fgcjfbed.exe 4104 Galoohke.exe 2300 Ganldgib.exe 2856 Gghdaa32.exe 4068 Gnblnlhl.exe 1636 Gihpkd32.exe 2836 Gbpedjnb.exe 4228 Hicpgc32.exe 2432 Hifmmb32.exe 2592 Hldiinke.exe 3756 Haaaaeim.exe 4688 Ihkjno32.exe 3840 Inebjihf.exe 3028 Ieojgc32.exe 1292 Ipdndloi.exe 2232 Iafkld32.exe 216 Ihpcinld.exe 2480 Iiopca32.exe 4460 Ipihpkkd.exe 892 Ihdldn32.exe 1388 Iondqhpl.exe 1308 Iehmmb32.exe 4948 Jlbejloe.exe 4932 Jifecp32.exe 2080 Joekag32.exe 4596 Jpegkj32.exe 1984 Jimldogg.exe 1532 Jllhpkfk.exe 4360 Khbiello.exe 4940 Kolabf32.exe 5040 Kibeoo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bddcenpi.exe Bmjkic32.exe File created C:\Windows\SysWOW64\Khkbcopl.exe Knenffqf.exe File created C:\Windows\SysWOW64\Ghjjdkjd.dll Nombnc32.exe File created C:\Windows\SysWOW64\Lllagh32.exe Lcclncbh.exe File created C:\Windows\SysWOW64\Anafep32.dll Mcoljagj.exe File created C:\Windows\SysWOW64\Ojnfihmo.exe Ocdnln32.exe File opened for modification C:\Windows\SysWOW64\Ggoaje32.exe Gjhdkajh.exe File opened for modification C:\Windows\SysWOW64\Enhpao32.exe Enfckp32.exe File created C:\Windows\SysWOW64\Ciipkkdj.dll Bhblllfo.exe File opened for modification C:\Windows\SysWOW64\Iehmmb32.exe Iondqhpl.exe File opened for modification C:\Windows\SysWOW64\Ilkhog32.exe Ieqpbm32.exe File opened for modification C:\Windows\SysWOW64\Ifipmo32.exe Ialhdh32.exe File opened for modification C:\Windows\SysWOW64\Ngaabfio.exe Nofmndkd.exe File opened for modification C:\Windows\SysWOW64\Enmjlojd.exe Ebfign32.exe File created C:\Windows\SysWOW64\Eojpkdah.dll Hicpgc32.exe File created C:\Windows\SysWOW64\Mmlmhc32.dll Coqncejg.exe File created C:\Windows\SysWOW64\Gefqdfdn.dll Idmafc32.exe File opened for modification C:\Windows\SysWOW64\Khplnn32.exe Knjhae32.exe File created C:\Windows\SysWOW64\Blcnqjjo.dll Pfccogfc.exe File created C:\Windows\SysWOW64\Ggjjlk32.exe Gqpapacd.exe File created C:\Windows\SysWOW64\Ibbcfa32.exe Ilhkigcd.exe File created C:\Windows\SysWOW64\Hfhgfaha.exe Gceaofmc.exe File created C:\Windows\SysWOW64\Jhocgqjj.exe Jaekkfcm.exe File created C:\Windows\SysWOW64\Mbmbiqqp.exe Mdibplaf.exe File opened for modification C:\Windows\SysWOW64\Onbpop32.exe Nieggill.exe File opened for modification C:\Windows\SysWOW64\Ekcgkb32.exe Ebkbbmqj.exe File opened for modification C:\Windows\SysWOW64\Ipihpkkd.exe Iiopca32.exe File created C:\Windows\SysWOW64\Pninea32.dll Mcdeeq32.exe File created C:\Windows\SysWOW64\Glkkmjeh.dll Pplhhm32.exe File created C:\Windows\SysWOW64\Jdinng32.dll Gnaecedp.exe File created C:\Windows\SysWOW64\Mfjddb32.dll Hndibn32.exe File created C:\Windows\SysWOW64\Jmqekg32.exe Jhdlbp32.exe File created C:\Windows\SysWOW64\Ojhiogdd.exe Omdieb32.exe File opened for modification C:\Windows\SysWOW64\Hjfbjdnd.exe Hejjanpm.exe File created C:\Windows\SysWOW64\Ofbmdj32.dll Ibbcfa32.exe File opened for modification C:\Windows\SysWOW64\Lomjicei.exe Laiipofp.exe File opened for modification C:\Windows\SysWOW64\Ookoaokf.exe Ojnfihmo.exe File created C:\Windows\SysWOW64\Maenpfhk.dll Ookoaokf.exe File created C:\Windows\SysWOW64\Indkpcdk.exe Ilfodgeg.exe File opened for modification C:\Windows\SysWOW64\Mkfnlmkl.exe Heohinog.exe File opened for modification C:\Windows\SysWOW64\Fpnfbi32.exe Ejjgic32.exe File created C:\Windows\SysWOW64\Cnkeod32.dll Jaekkfcm.exe File created C:\Windows\SysWOW64\Mcaipa32.exe Mpclce32.exe File opened for modification C:\Windows\SysWOW64\Noppeaed.exe Nmaciefp.exe File opened for modification C:\Windows\SysWOW64\Gnaecedp.exe Gkcigjel.exe File created C:\Windows\SysWOW64\Fkngbb32.dll Ggoaje32.exe File opened for modification C:\Windows\SysWOW64\Mbmbiqqp.exe Mdibplaf.exe File opened for modification C:\Windows\SysWOW64\Ahofoogd.exe NEAS.1cf3d598368a85ce8957826ddc55aba0_JC.exe File opened for modification C:\Windows\SysWOW64\Mlljnf32.exe Mcdeeq32.exe File created C:\Windows\SysWOW64\Ilfodgeg.exe Ielfgmnj.exe File created C:\Windows\SysWOW64\Jooeqo32.dll Indkpcdk.exe File created C:\Windows\SysWOW64\Enmjlojd.exe Ebfign32.exe File created C:\Windows\SysWOW64\Acbldmmh.dll Kolabf32.exe File created C:\Windows\SysWOW64\Ggjgofkd.exe Fjfgealk.exe File created C:\Windows\SysWOW64\Hicpgc32.exe Gbpedjnb.exe File created C:\Windows\SysWOW64\Ipihpkkd.exe Iiopca32.exe File created C:\Windows\SysWOW64\Hcmhel32.dll Ipihpkkd.exe File created C:\Windows\SysWOW64\Ngcglo32.dll Jifecp32.exe File created C:\Windows\SysWOW64\Fbbnpn32.dll Mjlalkmd.exe File opened for modification C:\Windows\SysWOW64\Ppikbm32.exe Piocecgj.exe File created C:\Windows\SysWOW64\Chiblk32.exe Coqncejg.exe File created C:\Windows\SysWOW64\Oiikeffm.dll Dqnjgl32.exe File created C:\Windows\SysWOW64\Figgdg32.exe Ekcgkb32.exe File created C:\Windows\SysWOW64\Khlaie32.dll Mpclce32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6568 4228 WerFault.exe 304 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdimqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahfmjddg.dll" Kpqggh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcclncbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmmnd32.dll" Llcghg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mledmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggepalof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dndgfpbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Joikdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knldfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjfplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cammjakm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcjjhdjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mledmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naagioah.dll" Noppeaed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdockf32.dll" Nmjfodne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jogqlpde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifipmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nieggill.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahofoogd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jllhpkfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pimfpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khkbcopl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knldfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} NEAS.1cf3d598368a85ce8957826ddc55aba0_JC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbldmmh.dll" Kolabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojnfihmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaiemjgf.dll" Ngekmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dndgfpbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ieojgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klpakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfifen32.dll" Iodaikfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iodaikfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fecibala.dll" Lqbgcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiikeffm.dll" Dqnjgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enmjlojd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnpn32.dll" Mjlalkmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmaciefp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ielfgmnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nkojheoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akpbem32.dll" Hjfbjdnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cngnbfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhmfba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knjhae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boldhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbblob32.dll" Filapfbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlbejloe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaeidf32.dll" Likhem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llcghg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppgomnai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkeod32.dll" Jaekkfcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Boenhgdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chiblk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Figgdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppikbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ainpoqfj.dll" Joikdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebggoi32.dll" Bdagpnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iiopca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kolabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Micdgi32.dll" Mmdekf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibfafq32.dll" Mqbpjmeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Helbbkkj.dll" Figgdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ablmdkdf.dll" Kibeoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njedbjej.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3400 wrote to memory of 3352 3400 NEAS.1cf3d598368a85ce8957826ddc55aba0_JC.exe 87 PID 3400 wrote to memory of 3352 3400 NEAS.1cf3d598368a85ce8957826ddc55aba0_JC.exe 87 PID 3400 wrote to memory of 3352 3400 NEAS.1cf3d598368a85ce8957826ddc55aba0_JC.exe 87 PID 3352 wrote to memory of 1912 3352 Ahofoogd.exe 88 PID 3352 wrote to memory of 1912 3352 Ahofoogd.exe 88 PID 3352 wrote to memory of 1912 3352 Ahofoogd.exe 88 PID 1912 wrote to memory of 3596 1912 Bdojjo32.exe 90 PID 1912 wrote to memory of 3596 1912 Bdojjo32.exe 90 PID 1912 wrote to memory of 3596 1912 Bdojjo32.exe 90 PID 3596 wrote to memory of 4612 3596 Boenhgdd.exe 91 PID 3596 wrote to memory of 4612 3596 Boenhgdd.exe 91 PID 3596 wrote to memory of 4612 3596 Boenhgdd.exe 91 PID 4612 wrote to memory of 1048 4612 Bdagpnbk.exe 92 PID 4612 wrote to memory of 1048 4612 Bdagpnbk.exe 92 PID 4612 wrote to memory of 1048 4612 Bdagpnbk.exe 92 PID 1048 wrote to memory of 5084 1048 Bmjkic32.exe 93 PID 1048 wrote to memory of 5084 1048 Bmjkic32.exe 93 PID 1048 wrote to memory of 5084 1048 Bmjkic32.exe 93 PID 5084 wrote to memory of 3044 5084 Bddcenpi.exe 95 PID 5084 wrote to memory of 3044 5084 Bddcenpi.exe 95 PID 5084 wrote to memory of 3044 5084 Bddcenpi.exe 95 PID 3044 wrote to memory of 3236 3044 Boihcf32.exe 96 PID 3044 wrote to memory of 3236 3044 Boihcf32.exe 96 PID 3044 wrote to memory of 3236 3044 Boihcf32.exe 96 PID 3236 wrote to memory of 4592 3236 Bhblllfo.exe 97 PID 3236 wrote to memory of 4592 3236 Bhblllfo.exe 97 PID 3236 wrote to memory of 4592 3236 Bhblllfo.exe 97 PID 4592 wrote to memory of 4516 4592 Boldhf32.exe 98 PID 4592 wrote to memory of 4516 4592 Boldhf32.exe 98 PID 4592 wrote to memory of 4516 4592 Boldhf32.exe 98 PID 4516 wrote to memory of 3040 4516 Cdimqm32.exe 99 PID 4516 wrote to memory of 3040 4516 Cdimqm32.exe 99 PID 4516 wrote to memory of 3040 4516 Cdimqm32.exe 99 PID 3040 wrote to memory of 1600 3040 Cammjakm.exe 100 PID 3040 wrote to memory of 1600 3040 Cammjakm.exe 100 PID 3040 wrote to memory of 1600 3040 Cammjakm.exe 100 PID 1600 wrote to memory of 4916 1600 Coqncejg.exe 101 PID 1600 wrote to memory of 4916 1600 Coqncejg.exe 101 PID 1600 wrote to memory of 4916 1600 Coqncejg.exe 101 PID 4916 wrote to memory of 4088 4916 Chiblk32.exe 102 PID 4916 wrote to memory of 4088 4916 Chiblk32.exe 102 PID 4916 wrote to memory of 4088 4916 Chiblk32.exe 102 PID 4088 wrote to memory of 4112 4088 Cnfkdb32.exe 103 PID 4088 wrote to memory of 4112 4088 Cnfkdb32.exe 103 PID 4088 wrote to memory of 4112 4088 Cnfkdb32.exe 103 PID 4112 wrote to memory of 4236 4112 Cacckp32.exe 104 PID 4112 wrote to memory of 4236 4112 Cacckp32.exe 104 PID 4112 wrote to memory of 4236 4112 Cacckp32.exe 104 PID 4236 wrote to memory of 752 4236 Dqnjgl32.exe 106 PID 4236 wrote to memory of 752 4236 Dqnjgl32.exe 106 PID 4236 wrote to memory of 752 4236 Dqnjgl32.exe 106 PID 752 wrote to memory of 5088 752 Dqpfmlce.exe 107 PID 752 wrote to memory of 5088 752 Dqpfmlce.exe 107 PID 752 wrote to memory of 5088 752 Dqpfmlce.exe 107 PID 5088 wrote to memory of 4808 5088 Dndgfpbo.exe 108 PID 5088 wrote to memory of 4808 5088 Dndgfpbo.exe 108 PID 5088 wrote to memory of 4808 5088 Dndgfpbo.exe 108 PID 4808 wrote to memory of 244 4808 Enfckp32.exe 109 PID 4808 wrote to memory of 244 4808 Enfckp32.exe 109 PID 4808 wrote to memory of 244 4808 Enfckp32.exe 109 PID 244 wrote to memory of 5024 244 Enhpao32.exe 110 PID 244 wrote to memory of 5024 244 Enhpao32.exe 110 PID 244 wrote to memory of 5024 244 Enhpao32.exe 110 PID 5024 wrote to memory of 2688 5024 Eklajcmc.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.1cf3d598368a85ce8957826ddc55aba0_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.1cf3d598368a85ce8957826ddc55aba0_JC.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\SysWOW64\Ahofoogd.exeC:\Windows\system32\Ahofoogd.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SysWOW64\Bdojjo32.exeC:\Windows\system32\Bdojjo32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Boenhgdd.exeC:\Windows\system32\Boenhgdd.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Windows\SysWOW64\Bdagpnbk.exeC:\Windows\system32\Bdagpnbk.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\Bmjkic32.exeC:\Windows\system32\Bmjkic32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Bddcenpi.exeC:\Windows\system32\Bddcenpi.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Boihcf32.exeC:\Windows\system32\Boihcf32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Bhblllfo.exeC:\Windows\system32\Bhblllfo.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\SysWOW64\Boldhf32.exeC:\Windows\system32\Boldhf32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Cdimqm32.exeC:\Windows\system32\Cdimqm32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Cammjakm.exeC:\Windows\system32\Cammjakm.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Coqncejg.exeC:\Windows\system32\Coqncejg.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Chiblk32.exeC:\Windows\system32\Chiblk32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Cnfkdb32.exeC:\Windows\system32\Cnfkdb32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Cacckp32.exeC:\Windows\system32\Cacckp32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Dqnjgl32.exeC:\Windows\system32\Dqnjgl32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\Dqpfmlce.exeC:\Windows\system32\Dqpfmlce.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\Dndgfpbo.exeC:\Windows\system32\Dndgfpbo.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\Enfckp32.exeC:\Windows\system32\Enfckp32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Enhpao32.exeC:\Windows\system32\Enhpao32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:244 -
C:\Windows\SysWOW64\Eklajcmc.exeC:\Windows\system32\Eklajcmc.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Ebfign32.exeC:\Windows\system32\Ebfign32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Enmjlojd.exeC:\Windows\system32\Enmjlojd.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Egened32.exeC:\Windows\system32\Egened32.exe25⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Ebkbbmqj.exeC:\Windows\system32\Ebkbbmqj.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3328 -
C:\Windows\SysWOW64\Ekcgkb32.exeC:\Windows\system32\Ekcgkb32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Figgdg32.exeC:\Windows\system32\Figgdg32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4636 -
C:\Windows\SysWOW64\Foapaa32.exeC:\Windows\system32\Foapaa32.exe29⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Fijdjfdb.exeC:\Windows\system32\Fijdjfdb.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Fnfmbmbi.exeC:\Windows\system32\Fnfmbmbi.exe31⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Filapfbo.exeC:\Windows\system32\Filapfbo.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Fniihmpf.exeC:\Windows\system32\Fniihmpf.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Finnef32.exeC:\Windows\system32\Finnef32.exe34⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Fgcjfbed.exeC:\Windows\system32\Fgcjfbed.exe35⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Galoohke.exeC:\Windows\system32\Galoohke.exe36⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Ganldgib.exeC:\Windows\system32\Ganldgib.exe37⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Gghdaa32.exeC:\Windows\system32\Gghdaa32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Gnblnlhl.exeC:\Windows\system32\Gnblnlhl.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Gihpkd32.exeC:\Windows\system32\Gihpkd32.exe40⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Gbpedjnb.exeC:\Windows\system32\Gbpedjnb.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Hicpgc32.exeC:\Windows\system32\Hicpgc32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4228 -
C:\Windows\SysWOW64\Hifmmb32.exeC:\Windows\system32\Hifmmb32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Hldiinke.exeC:\Windows\system32\Hldiinke.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Haaaaeim.exeC:\Windows\system32\Haaaaeim.exe45⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Ihkjno32.exeC:\Windows\system32\Ihkjno32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Inebjihf.exeC:\Windows\system32\Inebjihf.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Ieojgc32.exeC:\Windows\system32\Ieojgc32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Ipdndloi.exeC:\Windows\system32\Ipdndloi.exe49⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Iafkld32.exeC:\Windows\system32\Iafkld32.exe50⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Ihpcinld.exeC:\Windows\system32\Ihpcinld.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Iiopca32.exeC:\Windows\system32\Iiopca32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Ipihpkkd.exeC:\Windows\system32\Ipihpkkd.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4460 -
C:\Windows\SysWOW64\Ihdldn32.exeC:\Windows\system32\Ihdldn32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Iondqhpl.exeC:\Windows\system32\Iondqhpl.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1388 -
C:\Windows\SysWOW64\Iehmmb32.exeC:\Windows\system32\Iehmmb32.exe56⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Jlbejloe.exeC:\Windows\system32\Jlbejloe.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:4948 -
C:\Windows\SysWOW64\Jifecp32.exeC:\Windows\system32\Jifecp32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4932 -
C:\Windows\SysWOW64\Joekag32.exeC:\Windows\system32\Joekag32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Jpegkj32.exeC:\Windows\system32\Jpegkj32.exe60⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Jimldogg.exeC:\Windows\system32\Jimldogg.exe61⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Jllhpkfk.exeC:\Windows\system32\Jllhpkfk.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Khbiello.exeC:\Windows\system32\Khbiello.exe63⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Kolabf32.exeC:\Windows\system32\Kolabf32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4940 -
C:\Windows\SysWOW64\Kibeoo32.exeC:\Windows\system32\Kibeoo32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5040 -
C:\Windows\SysWOW64\Klpakj32.exeC:\Windows\system32\Klpakj32.exe66⤵
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Kcjjhdjb.exeC:\Windows\system32\Kcjjhdjb.exe67⤵
- Modifies registry class
PID:1404 -
C:\Windows\SysWOW64\Khgbqkhj.exeC:\Windows\system32\Khgbqkhj.exe68⤵PID:4936
-
C:\Windows\SysWOW64\Kcmfnd32.exeC:\Windows\system32\Kcmfnd32.exe69⤵PID:4664
-
C:\Windows\SysWOW64\Kpqggh32.exeC:\Windows\system32\Kpqggh32.exe70⤵
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Kadpdp32.exeC:\Windows\system32\Kadpdp32.exe71⤵PID:4392
-
C:\Windows\SysWOW64\Likhem32.exeC:\Windows\system32\Likhem32.exe72⤵
- Modifies registry class
PID:4020 -
C:\Windows\SysWOW64\Lcclncbh.exeC:\Windows\system32\Lcclncbh.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:1500 -
C:\Windows\SysWOW64\Lllagh32.exeC:\Windows\system32\Lllagh32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1416 -
C:\Windows\SysWOW64\Laiipofp.exeC:\Windows\system32\Laiipofp.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5156 -
C:\Windows\SysWOW64\Lomjicei.exeC:\Windows\system32\Lomjicei.exe76⤵PID:5196
-
C:\Windows\SysWOW64\Lhenai32.exeC:\Windows\system32\Lhenai32.exe77⤵PID:5244
-
C:\Windows\SysWOW64\Lfiokmkc.exeC:\Windows\system32\Lfiokmkc.exe78⤵PID:5288
-
C:\Windows\SysWOW64\Llcghg32.exeC:\Windows\system32\Llcghg32.exe79⤵
- Modifies registry class
PID:5332 -
C:\Windows\SysWOW64\Loacdc32.exeC:\Windows\system32\Loacdc32.exe80⤵PID:5388
-
C:\Windows\SysWOW64\Mledmg32.exeC:\Windows\system32\Mledmg32.exe81⤵
- Modifies registry class
PID:5432 -
C:\Windows\SysWOW64\Mcoljagj.exeC:\Windows\system32\Mcoljagj.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5472 -
C:\Windows\SysWOW64\Mjidgkog.exeC:\Windows\system32\Mjidgkog.exe83⤵PID:5520
-
C:\Windows\SysWOW64\Mpclce32.exeC:\Windows\system32\Mpclce32.exe84⤵
- Drops file in System32 directory
PID:5568 -
C:\Windows\SysWOW64\Mcaipa32.exeC:\Windows\system32\Mcaipa32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5616 -
C:\Windows\SysWOW64\Mjlalkmd.exeC:\Windows\system32\Mjlalkmd.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5664 -
C:\Windows\SysWOW64\Mcdeeq32.exeC:\Windows\system32\Mcdeeq32.exe87⤵
- Drops file in System32 directory
PID:5720 -
C:\Windows\SysWOW64\Mlljnf32.exeC:\Windows\system32\Mlljnf32.exe88⤵PID:5768
-
C:\Windows\SysWOW64\Mbibfm32.exeC:\Windows\system32\Mbibfm32.exe89⤵PID:5812
-
C:\Windows\SysWOW64\Njbgmjgl.exeC:\Windows\system32\Njbgmjgl.exe90⤵PID:5856
-
C:\Windows\SysWOW64\Nmaciefp.exeC:\Windows\system32\Nmaciefp.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5904 -
C:\Windows\SysWOW64\Noppeaed.exeC:\Windows\system32\Noppeaed.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5948 -
C:\Windows\SysWOW64\Njedbjej.exeC:\Windows\system32\Njedbjej.exe93⤵
- Modifies registry class
PID:6000 -
C:\Windows\SysWOW64\Noblkqca.exeC:\Windows\system32\Noblkqca.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6044 -
C:\Windows\SysWOW64\Nmfmde32.exeC:\Windows\system32\Nmfmde32.exe95⤵PID:6088
-
C:\Windows\SysWOW64\Nqaiecjd.exeC:\Windows\system32\Nqaiecjd.exe96⤵PID:6132
-
C:\Windows\SysWOW64\Nimmifgo.exeC:\Windows\system32\Nimmifgo.exe97⤵PID:5180
-
C:\Windows\SysWOW64\Ncbafoge.exeC:\Windows\system32\Ncbafoge.exe98⤵PID:5284
-
C:\Windows\SysWOW64\Nmjfodne.exeC:\Windows\system32\Nmjfodne.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5356 -
C:\Windows\SysWOW64\Ocdnln32.exeC:\Windows\system32\Ocdnln32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5440 -
C:\Windows\SysWOW64\Ojnfihmo.exeC:\Windows\system32\Ojnfihmo.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5516 -
C:\Windows\SysWOW64\Ookoaokf.exeC:\Windows\system32\Ookoaokf.exe102⤵
- Drops file in System32 directory
PID:5576 -
C:\Windows\SysWOW64\Ofegni32.exeC:\Windows\system32\Ofegni32.exe103⤵PID:5648
-
C:\Windows\SysWOW64\Oblhcj32.exeC:\Windows\system32\Oblhcj32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5744 -
C:\Windows\SysWOW64\Oqmhqapg.exeC:\Windows\system32\Oqmhqapg.exe105⤵PID:5796
-
C:\Windows\SysWOW64\Omdieb32.exeC:\Windows\system32\Omdieb32.exe106⤵
- Drops file in System32 directory
PID:5872 -
C:\Windows\SysWOW64\Ojhiogdd.exeC:\Windows\system32\Ojhiogdd.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5932 -
C:\Windows\SysWOW64\Pcpnhl32.exeC:\Windows\system32\Pcpnhl32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6012 -
C:\Windows\SysWOW64\Pimfpc32.exeC:\Windows\system32\Pimfpc32.exe109⤵
- Modifies registry class
PID:6080 -
C:\Windows\SysWOW64\Ppgomnai.exeC:\Windows\system32\Ppgomnai.exe110⤵
- Modifies registry class
PID:5172 -
C:\Windows\SysWOW64\Pfagighf.exeC:\Windows\system32\Pfagighf.exe111⤵PID:5228
-
C:\Windows\SysWOW64\Piocecgj.exeC:\Windows\system32\Piocecgj.exe112⤵
- Drops file in System32 directory
PID:5420 -
C:\Windows\SysWOW64\Ppikbm32.exeC:\Windows\system32\Ppikbm32.exe113⤵
- Modifies registry class
PID:5548 -
C:\Windows\SysWOW64\Pfccogfc.exeC:\Windows\system32\Pfccogfc.exe114⤵
- Drops file in System32 directory
PID:5748 -
C:\Windows\SysWOW64\Pplhhm32.exeC:\Windows\system32\Pplhhm32.exe115⤵
- Drops file in System32 directory
PID:4540 -
C:\Windows\SysWOW64\Famhmfkl.exeC:\Windows\system32\Famhmfkl.exe116⤵PID:5512
-
C:\Windows\SysWOW64\Gqkhda32.exeC:\Windows\system32\Gqkhda32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5788 -
C:\Windows\SysWOW64\Ggepalof.exeC:\Windows\system32\Ggepalof.exe118⤵
- Modifies registry class
PID:6052 -
C:\Windows\SysWOW64\Gdiakp32.exeC:\Windows\system32\Gdiakp32.exe119⤵PID:5500
-
C:\Windows\SysWOW64\Gkcigjel.exeC:\Windows\system32\Gkcigjel.exe120⤵
- Drops file in System32 directory
PID:5672 -
C:\Windows\SysWOW64\Gnaecedp.exeC:\Windows\system32\Gnaecedp.exe121⤵
- Drops file in System32 directory
PID:6068 -
C:\Windows\SysWOW64\Gqpapacd.exeC:\Windows\system32\Gqpapacd.exe122⤵
- Drops file in System32 directory
PID:5852
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-