Analysis
-
max time kernel
141s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
21-10-2023 19:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.f8dbc7eb9642cfdece009cb99ad2a76b_JC.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.f8dbc7eb9642cfdece009cb99ad2a76b_JC.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.f8dbc7eb9642cfdece009cb99ad2a76b_JC.exe
-
Size
111KB
-
MD5
f8dbc7eb9642cfdece009cb99ad2a76b
-
SHA1
e049666d564eb58105f040d3968401311147bc10
-
SHA256
c02f2d4bcb0c831b8da02e4e38bfc5b3168917daaf58e72f4789a09de82cb959
-
SHA512
9bb07b5593244e4524207e6bd529d28a752e070c1b96b64f3fae73a9baeec3ef1bf892f69127ee729c7fa23700ac22cf16203a89e2ebab8fd0c8d3eca7785f97
-
SSDEEP
1536:L4lmmBgNBbRIcDF+zhuONgWxv1nniskW+mrGt04OV9HL5Sus6YU6iYXkNgY/z:L40mqbRtZ+9uHO9niG+4GsQU6iY0z
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npgihn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoeeolig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knmdeioh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lekghdad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqemdbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akmjfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgbfamff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekknjcfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baadng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jliohkak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpkpadnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iknpkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amnocpdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhomkcoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nckjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okoafmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjaimn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhffnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdecha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Golbnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkdgpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecnmpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoigpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnjplo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjnla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijnbcmkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhgkil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egikjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lifbmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpqnhadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmclhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkbdkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pafbadcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmdafpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcjqdmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbokgpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpoolael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loqmba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpkldg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nemhhpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgnadkic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbknddp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oomjlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amnfnfgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkiid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anolkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgcnahoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnndan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbleeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjllab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epecbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdnmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naimccpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jajala32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkeecogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfhfab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kadfkhkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmfpmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niebhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nilhhdga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohhkjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cebcmdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjhcag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkomchi.exe -
Executes dropped EXE 64 IoCs
pid Process 2020 Lbiqfied.exe 2256 Mbkmlh32.exe 2260 Mieeibkn.exe 2864 Moanaiie.exe 2300 Mkhofjoj.exe 2744 Mencccop.exe 2612 Mkklljmg.exe 1992 Maedhd32.exe 776 Nhaikn32.exe 544 Naimccpo.exe 2152 Nckjkl32.exe 2468 Niebhf32.exe 2812 Ndjfeo32.exe 1568 Nmbknddp.exe 2360 Niikceid.exe 1728 Nofdklgl.exe 2040 Nilhhdga.exe 1932 Oagmmgdm.exe 108 Okoafmkm.exe 2428 Oaiibg32.exe 892 Oomjlk32.exe 1356 Oalfhf32.exe 1040 Okdkal32.exe 952 Onbgmg32.exe 3004 Ohhkjp32.exe 3028 Okfgfl32.exe 2508 Oqcpob32.exe 2516 Pkidlk32.exe 2024 Pqemdbaj.exe 2112 Pcdipnqn.exe 2532 Pjnamh32.exe 2708 Pqhijbog.exe 2840 Pjpnbg32.exe 2876 Pqjfoa32.exe 2728 Pcibkm32.exe 1216 Pfgngh32.exe 2584 Pkdgpo32.exe 812 Pihgic32.exe 772 Poapfn32.exe 1620 Qkhpkoen.exe 1516 Qbbhgi32.exe 1700 Aaheie32.exe 1644 Akmjfn32.exe 756 Amnfnfgg.exe 2908 Achojp32.exe 2932 Ajbggjfq.exe 2320 Aaloddnn.exe 1988 Afiglkle.exe 1320 Apalea32.exe 1068 Apdhjq32.exe 1044 Bpfeppop.exe 1936 Becnhgmg.exe 3036 Bphbeplm.exe 2252 Bbgnak32.exe 2440 Bjbcfn32.exe 2704 Balkchpi.exe 2860 Bjdplm32.exe 2324 Bmclhi32.exe 2576 Bejdiffp.exe 2680 Bfkpqn32.exe 2640 Baadng32.exe 784 Cdoajb32.exe 1948 Cbdnko32.exe 2232 Cinfhigl.exe -
Loads dropped DLL 64 IoCs
pid Process 2348 NEAS.f8dbc7eb9642cfdece009cb99ad2a76b_JC.exe 2348 NEAS.f8dbc7eb9642cfdece009cb99ad2a76b_JC.exe 2020 Lbiqfied.exe 2020 Lbiqfied.exe 2256 Mbkmlh32.exe 2256 Mbkmlh32.exe 2260 Mieeibkn.exe 2260 Mieeibkn.exe 2864 Moanaiie.exe 2864 Moanaiie.exe 2300 Mkhofjoj.exe 2300 Mkhofjoj.exe 2744 Mencccop.exe 2744 Mencccop.exe 2612 Mkklljmg.exe 2612 Mkklljmg.exe 1992 Maedhd32.exe 1992 Maedhd32.exe 776 Nhaikn32.exe 776 Nhaikn32.exe 544 Naimccpo.exe 544 Naimccpo.exe 2152 Nckjkl32.exe 2152 Nckjkl32.exe 2468 Niebhf32.exe 2468 Niebhf32.exe 2812 Ndjfeo32.exe 2812 Ndjfeo32.exe 1568 Nmbknddp.exe 1568 Nmbknddp.exe 2360 Niikceid.exe 2360 Niikceid.exe 1728 Nofdklgl.exe 1728 Nofdklgl.exe 2040 Nilhhdga.exe 2040 Nilhhdga.exe 1932 Oagmmgdm.exe 1932 Oagmmgdm.exe 108 Okoafmkm.exe 108 Okoafmkm.exe 2428 Oaiibg32.exe 2428 Oaiibg32.exe 892 Oomjlk32.exe 892 Oomjlk32.exe 1356 Oalfhf32.exe 1356 Oalfhf32.exe 1040 Okdkal32.exe 1040 Okdkal32.exe 952 Onbgmg32.exe 952 Onbgmg32.exe 3004 Ohhkjp32.exe 3004 Ohhkjp32.exe 3028 Okfgfl32.exe 3028 Okfgfl32.exe 2508 Oqcpob32.exe 2508 Oqcpob32.exe 2516 Pkidlk32.exe 2516 Pkidlk32.exe 2024 Pqemdbaj.exe 2024 Pqemdbaj.exe 2112 Pcdipnqn.exe 2112 Pcdipnqn.exe 2532 Pjnamh32.exe 2532 Pjnamh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Obmgfhhe.dll Dcfpel32.exe File created C:\Windows\SysWOW64\Medgge32.dll Eniclh32.exe File opened for modification C:\Windows\SysWOW64\Hakkgc32.exe Hidcef32.exe File created C:\Windows\SysWOW64\Pqkobqhd.exe Pnmcfeia.exe File created C:\Windows\SysWOW64\Pjcckf32.exe Pgegok32.exe File opened for modification C:\Windows\SysWOW64\Kkjpggkn.exe Kdphjm32.exe File opened for modification C:\Windows\SysWOW64\Leikbd32.exe Libjncnc.exe File created C:\Windows\SysWOW64\Picanc32.dll Cemjae32.exe File created C:\Windows\SysWOW64\Ebaijflc.dll Fhbnbpjc.exe File opened for modification C:\Windows\SysWOW64\Hbleeb32.exe Hajinjff.exe File created C:\Windows\SysWOW64\Ooqpdj32.exe Oidglb32.exe File created C:\Windows\SysWOW64\Ndqbnp32.dll Pqphnp32.exe File opened for modification C:\Windows\SysWOW64\Cikbhc32.exe Cadjgf32.exe File opened for modification C:\Windows\SysWOW64\Hcgjmo32.exe Hmmbqegc.exe File created C:\Windows\SysWOW64\Iknpkd32.exe Ihpdoh32.exe File created C:\Windows\SysWOW64\Odebolpe.exe Oionacqo.exe File created C:\Windows\SysWOW64\Fdiogq32.exe Fajbke32.exe File created C:\Windows\SysWOW64\Kbmome32.exe Kjeglh32.exe File created C:\Windows\SysWOW64\Jcbemfmf.dll Pkidlk32.exe File created C:\Windows\SysWOW64\Jemoqj32.dll Fnndan32.exe File created C:\Windows\SysWOW64\Knjegqif.exe Kgpmjf32.exe File created C:\Windows\SysWOW64\Pnalad32.exe Pggdejno.exe File created C:\Windows\SysWOW64\Eoompl32.exe Ddiibc32.exe File opened for modification C:\Windows\SysWOW64\Ekhkjm32.exe Epbfmd32.exe File created C:\Windows\SysWOW64\Oopijc32.exe Jbpdeogo.exe File created C:\Windows\SysWOW64\Kcpnnfqg.dll Naimccpo.exe File created C:\Windows\SysWOW64\Pjpnbg32.exe Pqhijbog.exe File opened for modification C:\Windows\SysWOW64\Qbbhgi32.exe Qkhpkoen.exe File opened for modification C:\Windows\SysWOW64\Ipdojfgh.exe Hijgml32.exe File opened for modification C:\Windows\SysWOW64\Jcpkpe32.exe Ipbocjlg.exe File created C:\Windows\SysWOW64\Kkgahoel.exe Khielcfh.exe File created C:\Windows\SysWOW64\Kcecbq32.exe Kadfkhkf.exe File created C:\Windows\SysWOW64\Loqmba32.exe Lpnmgdli.exe File opened for modification C:\Windows\SysWOW64\Hnjplo32.exe Heakcjcd.exe File opened for modification C:\Windows\SysWOW64\Ihpdoh32.exe Ipdojfgh.exe File created C:\Windows\SysWOW64\Gnnphemi.dll Lifbmn32.exe File created C:\Windows\SysWOW64\Lnhdqdnd.exe Lmfhil32.exe File created C:\Windows\SysWOW64\Opnkglik.dll Gonocmbi.exe File opened for modification C:\Windows\SysWOW64\Kqdhhm32.exe Kobkpdfa.exe File created C:\Windows\SysWOW64\Meekooeb.dll Qoeeolig.exe File created C:\Windows\SysWOW64\Cikbhc32.exe Cadjgf32.exe File created C:\Windows\SysWOW64\Hgpjhn32.exe Hcdnhoac.exe File created C:\Windows\SysWOW64\Cpehmcmg.dll Jgabdlfb.exe File opened for modification C:\Windows\SysWOW64\Gnbjlpom.exe Ghiaof32.exe File created C:\Windows\SysWOW64\Ikbifcpb.exe Iefamlak.exe File created C:\Windows\SysWOW64\Oihqgbhd.exe Ocohkh32.exe File opened for modification C:\Windows\SysWOW64\Hmmbqegc.exe Hjofdi32.exe File created C:\Windows\SysWOW64\Kpkpadnl.exe Knmdeioh.exe File created C:\Windows\SysWOW64\Ipbkjl32.dll Kgcnahoo.exe File opened for modification C:\Windows\SysWOW64\Acekjjmk.exe Aipfmane.exe File opened for modification C:\Windows\SysWOW64\Dpqnhadq.exe Cmbalfem.exe File created C:\Windows\SysWOW64\Hmmbqegc.exe Hjofdi32.exe File opened for modification C:\Windows\SysWOW64\Hcigco32.exe Hakkgc32.exe File created C:\Windows\SysWOW64\Mbellj32.dll Koaqcn32.exe File created C:\Windows\SysWOW64\Achdqg32.dll Pnmcfeia.exe File created C:\Windows\SysWOW64\Ogfdej32.dll Epbfmd32.exe File created C:\Windows\SysWOW64\Mbbhfl32.dll Kageia32.exe File opened for modification C:\Windows\SysWOW64\Niebhf32.exe Nckjkl32.exe File opened for modification C:\Windows\SysWOW64\Lnhdqdnd.exe Lmfhil32.exe File opened for modification C:\Windows\SysWOW64\Efdhpjok.exe Egahen32.exe File created C:\Windows\SysWOW64\Fjjpjgjj.exe Fgldnkkf.exe File opened for modification C:\Windows\SysWOW64\Iamdkfnc.exe Ioohokoo.exe File created C:\Windows\SysWOW64\Majdmi32.dll Jhbold32.exe File created C:\Windows\SysWOW64\Khielcfh.exe Kaompi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2984 5060 WerFault.exe 465 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnejbmko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdboig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odebolpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmdnng32.dll" Pgckjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egahen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goiehm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmifhq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cohkpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Endjaief.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddfebnoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgdfdnfj.dll" Gncldi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laahme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhlqjone.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhaikn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efqbglen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoiicijl.dll" Jpfhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npgihn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Comdkipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikmpacaf.dll" Ecploipa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Libjncnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eklqcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqcpob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqemdbaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dobdqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgkbeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdeeaobo.dll" Konndhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqbnp32.dll" Pqphnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cadjgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flhmfbim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpfeppop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aipfmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oopijc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkpjnkig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hidcef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmkihbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poceplpj.dll" NEAS.f8dbc7eb9642cfdece009cb99ad2a76b_JC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnbjlpom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbeiefff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohlogok.dll" Hmmbqegc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijnbcmkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkkapd32.dll" Jajcdjca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amnfnfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knjegqif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cikbhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfnpea32.dll" Gmmfaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmalldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkhpkoen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amnfnfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll" Ajbggjfq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfolaang.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jojkco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpehmcmg.dll" Jgabdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll" Kgcnahoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll" Bfkpqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnhlbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cohkpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Endjaief.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll" Amnfnfgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjcckf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anolkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepiihgc.dll" Pkdgpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjmpbopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojbapc32.dll" Pqnlhpfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaaphj32.dll" Cedpbd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2348 wrote to memory of 2020 2348 NEAS.f8dbc7eb9642cfdece009cb99ad2a76b_JC.exe 28 PID 2348 wrote to memory of 2020 2348 NEAS.f8dbc7eb9642cfdece009cb99ad2a76b_JC.exe 28 PID 2348 wrote to memory of 2020 2348 NEAS.f8dbc7eb9642cfdece009cb99ad2a76b_JC.exe 28 PID 2348 wrote to memory of 2020 2348 NEAS.f8dbc7eb9642cfdece009cb99ad2a76b_JC.exe 28 PID 2020 wrote to memory of 2256 2020 Lbiqfied.exe 29 PID 2020 wrote to memory of 2256 2020 Lbiqfied.exe 29 PID 2020 wrote to memory of 2256 2020 Lbiqfied.exe 29 PID 2020 wrote to memory of 2256 2020 Lbiqfied.exe 29 PID 2256 wrote to memory of 2260 2256 Mbkmlh32.exe 30 PID 2256 wrote to memory of 2260 2256 Mbkmlh32.exe 30 PID 2256 wrote to memory of 2260 2256 Mbkmlh32.exe 30 PID 2256 wrote to memory of 2260 2256 Mbkmlh32.exe 30 PID 2260 wrote to memory of 2864 2260 Mieeibkn.exe 31 PID 2260 wrote to memory of 2864 2260 Mieeibkn.exe 31 PID 2260 wrote to memory of 2864 2260 Mieeibkn.exe 31 PID 2260 wrote to memory of 2864 2260 Mieeibkn.exe 31 PID 2864 wrote to memory of 2300 2864 Moanaiie.exe 32 PID 2864 wrote to memory of 2300 2864 Moanaiie.exe 32 PID 2864 wrote to memory of 2300 2864 Moanaiie.exe 32 PID 2864 wrote to memory of 2300 2864 Moanaiie.exe 32 PID 2300 wrote to memory of 2744 2300 Mkhofjoj.exe 33 PID 2300 wrote to memory of 2744 2300 Mkhofjoj.exe 33 PID 2300 wrote to memory of 2744 2300 Mkhofjoj.exe 33 PID 2300 wrote to memory of 2744 2300 Mkhofjoj.exe 33 PID 2744 wrote to memory of 2612 2744 Mencccop.exe 34 PID 2744 wrote to memory of 2612 2744 Mencccop.exe 34 PID 2744 wrote to memory of 2612 2744 Mencccop.exe 34 PID 2744 wrote to memory of 2612 2744 Mencccop.exe 34 PID 2612 wrote to memory of 1992 2612 Mkklljmg.exe 35 PID 2612 wrote to memory of 1992 2612 Mkklljmg.exe 35 PID 2612 wrote to memory of 1992 2612 Mkklljmg.exe 35 PID 2612 wrote to memory of 1992 2612 Mkklljmg.exe 35 PID 1992 wrote to memory of 776 1992 Maedhd32.exe 36 PID 1992 wrote to memory of 776 1992 Maedhd32.exe 36 PID 1992 wrote to memory of 776 1992 Maedhd32.exe 36 PID 1992 wrote to memory of 776 1992 Maedhd32.exe 36 PID 776 wrote to memory of 544 776 Nhaikn32.exe 37 PID 776 wrote to memory of 544 776 Nhaikn32.exe 37 PID 776 wrote to memory of 544 776 Nhaikn32.exe 37 PID 776 wrote to memory of 544 776 Nhaikn32.exe 37 PID 544 wrote to memory of 2152 544 Naimccpo.exe 38 PID 544 wrote to memory of 2152 544 Naimccpo.exe 38 PID 544 wrote to memory of 2152 544 Naimccpo.exe 38 PID 544 wrote to memory of 2152 544 Naimccpo.exe 38 PID 2152 wrote to memory of 2468 2152 Nckjkl32.exe 40 PID 2152 wrote to memory of 2468 2152 Nckjkl32.exe 40 PID 2152 wrote to memory of 2468 2152 Nckjkl32.exe 40 PID 2152 wrote to memory of 2468 2152 Nckjkl32.exe 40 PID 2468 wrote to memory of 2812 2468 Niebhf32.exe 39 PID 2468 wrote to memory of 2812 2468 Niebhf32.exe 39 PID 2468 wrote to memory of 2812 2468 Niebhf32.exe 39 PID 2468 wrote to memory of 2812 2468 Niebhf32.exe 39 PID 2812 wrote to memory of 1568 2812 Ndjfeo32.exe 41 PID 2812 wrote to memory of 1568 2812 Ndjfeo32.exe 41 PID 2812 wrote to memory of 1568 2812 Ndjfeo32.exe 41 PID 2812 wrote to memory of 1568 2812 Ndjfeo32.exe 41 PID 1568 wrote to memory of 2360 1568 Nmbknddp.exe 42 PID 1568 wrote to memory of 2360 1568 Nmbknddp.exe 42 PID 1568 wrote to memory of 2360 1568 Nmbknddp.exe 42 PID 1568 wrote to memory of 2360 1568 Nmbknddp.exe 42 PID 2360 wrote to memory of 1728 2360 Niikceid.exe 43 PID 2360 wrote to memory of 1728 2360 Niikceid.exe 43 PID 2360 wrote to memory of 1728 2360 Niikceid.exe 43 PID 2360 wrote to memory of 1728 2360 Niikceid.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.f8dbc7eb9642cfdece009cb99ad2a76b_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.f8dbc7eb9642cfdece009cb99ad2a76b_JC.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Lbiqfied.exeC:\Windows\system32\Lbiqfied.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Mbkmlh32.exeC:\Windows\system32\Mbkmlh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Mieeibkn.exeC:\Windows\system32\Mieeibkn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Moanaiie.exeC:\Windows\system32\Moanaiie.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Mkhofjoj.exeC:\Windows\system32\Mkhofjoj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Mencccop.exeC:\Windows\system32\Mencccop.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Mkklljmg.exeC:\Windows\system32\Mkklljmg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Maedhd32.exeC:\Windows\system32\Maedhd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Nhaikn32.exeC:\Windows\system32\Nhaikn32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Naimccpo.exeC:\Windows\system32\Naimccpo.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Nckjkl32.exeC:\Windows\system32\Nckjkl32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Niebhf32.exeC:\Windows\system32\Niebhf32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Ndjfeo32.exeC:\Windows\system32\Ndjfeo32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Nmbknddp.exeC:\Windows\system32\Nmbknddp.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Niikceid.exeC:\Windows\system32\Niikceid.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Nofdklgl.exeC:\Windows\system32\Nofdklgl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Nilhhdga.exeC:\Windows\system32\Nilhhdga.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Oagmmgdm.exeC:\Windows\system32\Oagmmgdm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Okoafmkm.exeC:\Windows\system32\Okoafmkm.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:108 -
C:\Windows\SysWOW64\Oaiibg32.exeC:\Windows\system32\Oaiibg32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Oomjlk32.exeC:\Windows\system32\Oomjlk32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Oalfhf32.exeC:\Windows\system32\Oalfhf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1356 -
C:\Windows\SysWOW64\Okdkal32.exeC:\Windows\system32\Okdkal32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Onbgmg32.exeC:\Windows\system32\Onbgmg32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952 -
C:\Windows\SysWOW64\Ohhkjp32.exeC:\Windows\system32\Ohhkjp32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Okfgfl32.exeC:\Windows\system32\Okfgfl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Oqcpob32.exeC:\Windows\system32\Oqcpob32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Pkidlk32.exeC:\Windows\system32\Pkidlk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Pqemdbaj.exeC:\Windows\system32\Pqemdbaj.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Pcdipnqn.exeC:\Windows\system32\Pcdipnqn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Pjnamh32.exeC:\Windows\system32\Pjnamh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Pqhijbog.exeC:\Windows\system32\Pqhijbog.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Pjpnbg32.exeC:\Windows\system32\Pjpnbg32.exe21⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Pqjfoa32.exeC:\Windows\system32\Pqjfoa32.exe22⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Pcibkm32.exeC:\Windows\system32\Pcibkm32.exe23⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Pfgngh32.exeC:\Windows\system32\Pfgngh32.exe24⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Pkdgpo32.exeC:\Windows\system32\Pkdgpo32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Pihgic32.exeC:\Windows\system32\Pihgic32.exe26⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Poapfn32.exeC:\Windows\system32\Poapfn32.exe27⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Qkhpkoen.exeC:\Windows\system32\Qkhpkoen.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Qbbhgi32.exeC:\Windows\system32\Qbbhgi32.exe29⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Aaheie32.exeC:\Windows\system32\Aaheie32.exe30⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Akmjfn32.exeC:\Windows\system32\Akmjfn32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Amnfnfgg.exeC:\Windows\system32\Amnfnfgg.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:756 -
C:\Windows\SysWOW64\Achojp32.exeC:\Windows\system32\Achojp32.exe33⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Ajbggjfq.exeC:\Windows\system32\Ajbggjfq.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Aaloddnn.exeC:\Windows\system32\Aaloddnn.exe35⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Afiglkle.exeC:\Windows\system32\Afiglkle.exe36⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Apalea32.exeC:\Windows\system32\Apalea32.exe37⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Apdhjq32.exeC:\Windows\system32\Apdhjq32.exe38⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Bpfeppop.exeC:\Windows\system32\Bpfeppop.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Becnhgmg.exeC:\Windows\system32\Becnhgmg.exe40⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Bphbeplm.exeC:\Windows\system32\Bphbeplm.exe41⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Bbgnak32.exeC:\Windows\system32\Bbgnak32.exe42⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Bjbcfn32.exeC:\Windows\system32\Bjbcfn32.exe43⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Balkchpi.exeC:\Windows\system32\Balkchpi.exe44⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Bjdplm32.exeC:\Windows\system32\Bjdplm32.exe45⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Bmclhi32.exeC:\Windows\system32\Bmclhi32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Bejdiffp.exeC:\Windows\system32\Bejdiffp.exe47⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Bfkpqn32.exeC:\Windows\system32\Bfkpqn32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Baadng32.exeC:\Windows\system32\Baadng32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Cdoajb32.exeC:\Windows\system32\Cdoajb32.exe50⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Cbdnko32.exeC:\Windows\system32\Cbdnko32.exe51⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Cinfhigl.exeC:\Windows\system32\Cinfhigl.exe52⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Cgbfamff.exeC:\Windows\system32\Cgbfamff.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:364 -
C:\Windows\SysWOW64\Dobdqo32.exeC:\Windows\system32\Dobdqo32.exe54⤵
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Dhkiid32.exeC:\Windows\system32\Dhkiid32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2920 -
C:\Windows\SysWOW64\Ddajoelp.exeC:\Windows\system32\Ddajoelp.exe56⤵PID:1796
-
C:\Windows\SysWOW64\Dgbcpq32.exeC:\Windows\system32\Dgbcpq32.exe57⤵PID:616
-
C:\Windows\SysWOW64\Dahgni32.exeC:\Windows\system32\Dahgni32.exe58⤵PID:2176
-
C:\Windows\SysWOW64\Dpmdofno.exeC:\Windows\system32\Dpmdofno.exe59⤵PID:1668
-
C:\Windows\SysWOW64\Eobapbbg.exeC:\Windows\system32\Eobapbbg.exe60⤵PID:1808
-
C:\Windows\SysWOW64\Ecnmpa32.exeC:\Windows\system32\Ecnmpa32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1660 -
C:\Windows\SysWOW64\Eodnebpd.exeC:\Windows\system32\Eodnebpd.exe62⤵PID:2368
-
C:\Windows\SysWOW64\Ekknjcfh.exeC:\Windows\system32\Ekknjcfh.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2316 -
C:\Windows\SysWOW64\Efqbglen.exeC:\Windows\system32\Efqbglen.exe64⤵
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Eoigpa32.exeC:\Windows\system32\Eoigpa32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1708 -
C:\Windows\SysWOW64\Edfpih32.exeC:\Windows\system32\Edfpih32.exe66⤵PID:2124
-
C:\Windows\SysWOW64\Ekpheb32.exeC:\Windows\system32\Ekpheb32.exe67⤵PID:2312
-
C:\Windows\SysWOW64\Fnndan32.exeC:\Windows\system32\Fnndan32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Fidhof32.exeC:\Windows\system32\Fidhof32.exe69⤵PID:2832
-
C:\Windows\SysWOW64\Fkbdkb32.exeC:\Windows\system32\Fkbdkb32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2872 -
C:\Windows\SysWOW64\Fblmglgm.exeC:\Windows\system32\Fblmglgm.exe71⤵PID:584
-
C:\Windows\SysWOW64\Fdjidgfa.exeC:\Windows\system32\Fdjidgfa.exe72⤵PID:1588
-
C:\Windows\SysWOW64\Femeig32.exeC:\Windows\system32\Femeig32.exe73⤵PID:1628
-
C:\Windows\SysWOW64\Fgkbeb32.exeC:\Windows\system32\Fgkbeb32.exe74⤵
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Fnejbmko.exeC:\Windows\system32\Fnejbmko.exe75⤵
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe76⤵PID:2948
-
C:\Windows\SysWOW64\Fmjgcipg.exeC:\Windows\system32\Fmjgcipg.exe77⤵PID:1488
-
C:\Windows\SysWOW64\Fpicodoj.exeC:\Windows\system32\Fpicodoj.exe78⤵PID:832
-
C:\Windows\SysWOW64\Gjngmmnp.exeC:\Windows\system32\Gjngmmnp.exe79⤵PID:2352
-
C:\Windows\SysWOW64\Gcglec32.exeC:\Windows\system32\Gcglec32.exe80⤵PID:1560
-
C:\Windows\SysWOW64\Gicdnj32.exeC:\Windows\system32\Gicdnj32.exe81⤵PID:2996
-
C:\Windows\SysWOW64\Gfgegnbb.exeC:\Windows\system32\Gfgegnbb.exe82⤵PID:1748
-
C:\Windows\SysWOW64\Ghiaof32.exeC:\Windows\system32\Ghiaof32.exe83⤵
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Gnbjlpom.exeC:\Windows\system32\Gnbjlpom.exe84⤵
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Gihniioc.exeC:\Windows\system32\Gihniioc.exe85⤵PID:1976
-
C:\Windows\SysWOW64\Gjijqa32.exeC:\Windows\system32\Gjijqa32.exe86⤵PID:2128
-
C:\Windows\SysWOW64\Gacbmk32.exeC:\Windows\system32\Gacbmk32.exe87⤵PID:2952
-
C:\Windows\SysWOW64\Gdboig32.exeC:\Windows\system32\Gdboig32.exe88⤵
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe89⤵PID:2616
-
C:\Windows\SysWOW64\Heakcjcd.exeC:\Windows\system32\Heakcjcd.exe90⤵
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Hnjplo32.exeC:\Windows\system32\Hnjplo32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2044 -
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2792 -
C:\Windows\SysWOW64\Hajinjff.exeC:\Windows\system32\Hajinjff.exe93⤵
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Hbleeb32.exeC:\Windows\system32\Hbleeb32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1804 -
C:\Windows\SysWOW64\Hmaick32.exeC:\Windows\system32\Hmaick32.exe95⤵PID:2928
-
C:\Windows\SysWOW64\Hldjnhce.exeC:\Windows\system32\Hldjnhce.exe96⤵PID:2132
-
C:\Windows\SysWOW64\Hfjnla32.exeC:\Windows\system32\Hfjnla32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1772 -
C:\Windows\SysWOW64\Hihjhl32.exeC:\Windows\system32\Hihjhl32.exe98⤵PID:1144
-
C:\Windows\SysWOW64\Hijgml32.exeC:\Windows\system32\Hijgml32.exe99⤵
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\Ipdojfgh.exeC:\Windows\system32\Ipdojfgh.exe100⤵
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Ihpdoh32.exeC:\Windows\system32\Ihpdoh32.exe101⤵
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Iknpkd32.exeC:\Windows\system32\Iknpkd32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1692 -
C:\Windows\SysWOW64\Iecdhm32.exeC:\Windows\system32\Iecdhm32.exe103⤵PID:1192
-
C:\Windows\SysWOW64\Ilnmdgkj.exeC:\Windows\system32\Ilnmdgkj.exe104⤵PID:2972
-
C:\Windows\SysWOW64\Iajemnia.exeC:\Windows\system32\Iajemnia.exe105⤵PID:2456
-
C:\Windows\SysWOW64\Iefamlak.exeC:\Windows\system32\Iefamlak.exe106⤵
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Ikbifcpb.exeC:\Windows\system32\Ikbifcpb.exe107⤵PID:2568
-
C:\Windows\SysWOW64\Inafbooe.exeC:\Windows\system32\Inafbooe.exe108⤵PID:576
-
C:\Windows\SysWOW64\Idknoi32.exeC:\Windows\system32\Idknoi32.exe109⤵PID:1960
-
C:\Windows\SysWOW64\Ikefkcmo.exeC:\Windows\system32\Ikefkcmo.exe110⤵PID:2496
-
C:\Windows\SysWOW64\Ipbocjlg.exeC:\Windows\system32\Ipbocjlg.exe111⤵
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Jcpkpe32.exeC:\Windows\system32\Jcpkpe32.exe112⤵PID:860
-
C:\Windows\SysWOW64\Jjjclobg.exeC:\Windows\system32\Jjjclobg.exe113⤵PID:1872
-
C:\Windows\SysWOW64\Jliohkak.exeC:\Windows\system32\Jliohkak.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2332 -
C:\Windows\SysWOW64\Jjmpbopd.exeC:\Windows\system32\Jjmpbopd.exe115⤵
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Jnhlbn32.exeC:\Windows\system32\Jnhlbn32.exe116⤵
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Jpfhoi32.exeC:\Windows\system32\Jpfhoi32.exe117⤵
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Jcedkd32.exeC:\Windows\system32\Jcedkd32.exe118⤵PID:2960
-
C:\Windows\SysWOW64\Jjomgo32.exeC:\Windows\system32\Jjomgo32.exe119⤵PID:560
-
C:\Windows\SysWOW64\Jlmicj32.exeC:\Windows\system32\Jlmicj32.exe120⤵PID:1428
-
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1420
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-