Analysis
-
max time kernel
142s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
22/10/2023, 13:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.e5c5405afffc73d0a4cf8558406a3310_JC.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.e5c5405afffc73d0a4cf8558406a3310_JC.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.e5c5405afffc73d0a4cf8558406a3310_JC.exe
-
Size
81KB
-
MD5
e5c5405afffc73d0a4cf8558406a3310
-
SHA1
ba434a3e03534f4f9e2809df77cda110d251132d
-
SHA256
287b10d67d703b1d3622aa5e288ae710b6bd1e20f03cee5765e70e1ac7c9fdb6
-
SHA512
afcee50b7bab3a3ccc9146be3f10c18169f3542d641aa2a9e18895afd538dcfe6ccd98af74ac5373f8988a5d4199747081303f651ce9bd099b3fe661ce920c94
-
SSDEEP
1536:BY8j4fUXFmdefAXi36qMEGh8UInQ7m4LO++/+1m6KadhYxU33HX0L:qiAU13AXi36qMEGh8UInQ/LrCimBaH8f
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndmpddfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikjcmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnhdbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eggmge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdcmnfop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fifhbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpdgbkab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdcnpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnojcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egijmegb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfgfpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefcgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffjkdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnacfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Locnlmoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onlipd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipcakd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oooodcci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgdgijhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfkcibdl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aofemaog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcbckk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jajdff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejjanpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbpfig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nppfnige.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nofmndkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddqbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flbhia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfpqap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olidijjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgdgijhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnikmjdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pblolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idjdqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojdgnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcedmkmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgcmbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfnjbdep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eggmge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aghdco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejaecdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emoaopnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Negoaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbqinm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmgjee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfhgcbfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flddoa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boohcpgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkldlgok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mggolhaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohqpjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdnka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbdkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaajfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oghgbe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejjgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knldfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdkoef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgpcklpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Galonj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkabbgol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfonnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nieoal32.exe -
Executes dropped EXE 64 IoCs
pid Process 2748 Djgjlelk.exe 4824 Dmefhako.exe 928 Ddonekbl.exe 1592 Dkifae32.exe 1688 Dhmgki32.exe 3904 Dgbdlf32.exe 216 Dahhio32.exe 4460 Ehapfiem.exe 1576 Eefaomcg.exe 1612 Eggmge32.exe 1132 Eonehbjg.exe 2760 Egijmegb.exe 4804 Eaonjngh.exe 2716 Fgppmd32.exe 3880 Feapkk32.exe 4432 Ojdgnn32.exe 1252 Cdmfllhn.exe 2784 Epffbd32.exe 3608 Fjjjgh32.exe 3024 Fnhbmgmk.exe 4776 Fklcgk32.exe 2936 Gbkdod32.exe 1056 Gkcigjel.exe 1460 Hkjohi32.exe 2972 Hcedmkmp.exe 4300 Hbfdjc32.exe 3360 Hgcmbj32.exe 1736 Hbiapb32.exe 4980 Hgeihiac.exe 2340 Hejjanpm.exe 4268 Ibnjkbog.exe 648 Ijiopd32.exe 4480 Icachjbb.exe 1548 Ibbcfa32.exe 1296 Ilkhog32.exe 5068 Iecmhlhb.exe 2268 Inkaqb32.exe 3116 Iloajfml.exe 5036 Jdjfohjg.exe 4236 Jblflp32.exe 1948 Jjgkab32.exe 4148 Jhkljfok.exe 4288 Jacpcl32.exe 2296 Jjkdlall.exe 3488 Jlkafdco.exe 3836 Khabke32.exe 764 Koljgppp.exe 1068 Kajfdk32.exe 4100 Khdoqefq.exe 4956 Kdkoef32.exe 2432 Kejloi32.exe 4048 Kkgdhp32.exe 3876 Lbqinm32.exe 3420 Ldfoad32.exe 3480 Mojopk32.exe 1832 Napameoi.exe 2248 Nhjjip32.exe 2660 Nfnjbdep.exe 4360 Nlgbon32.exe 4752 Nbdkhe32.exe 5024 Ohncdobq.exe 4368 Obfhmd32.exe 1468 Ohqpjo32.exe 5032 Obidcdfo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dhhcgogn.dll Mfkcibdl.exe File opened for modification C:\Windows\SysWOW64\Plimpg32.exe Peodcmeg.exe File opened for modification C:\Windows\SysWOW64\Cfiiggpg.exe Cckmklac.exe File created C:\Windows\SysWOW64\Kejloi32.exe Kdkoef32.exe File created C:\Windows\SysWOW64\Pnpmgngb.dll Bpgnmcdh.exe File opened for modification C:\Windows\SysWOW64\Fqiiamjp.exe Fnjmea32.exe File created C:\Windows\SysWOW64\Aaiqmepi.dll Aoalba32.exe File created C:\Windows\SysWOW64\Bamjca32.dll Dcbckk32.exe File opened for modification C:\Windows\SysWOW64\Ecblbi32.exe Eqdpfm32.exe File created C:\Windows\SysWOW64\Oooaah32.exe Oheienli.exe File opened for modification C:\Windows\SysWOW64\Cdlhgpag.exe Cdjlap32.exe File created C:\Windows\SysWOW64\Dinjjf32.exe Dfonnk32.exe File opened for modification C:\Windows\SysWOW64\Aemqdk32.exe Abodhpic.exe File opened for modification C:\Windows\SysWOW64\Aofemaog.exe Algiaepd.exe File opened for modification C:\Windows\SysWOW64\Cfpfqiha.exe Cnealfkf.exe File created C:\Windows\SysWOW64\Ncpmjj32.dll Mdgejmdi.exe File opened for modification C:\Windows\SysWOW64\Oooodcci.exe Oghgbe32.exe File opened for modification C:\Windows\SysWOW64\Knphfklg.exe Kkaljpmd.exe File opened for modification C:\Windows\SysWOW64\Oianmm32.exe Ofcaab32.exe File created C:\Windows\SysWOW64\Nacemc32.dll Pblolb32.exe File created C:\Windows\SysWOW64\Ndghli32.dll Onecof32.exe File created C:\Windows\SysWOW64\Jhdlbp32.exe Jajdff32.exe File opened for modification C:\Windows\SysWOW64\Jlkafdco.exe Jjkdlall.exe File created C:\Windows\SysWOW64\Cefoni32.exe Cdebfago.exe File created C:\Windows\SysWOW64\Fbggkl32.exe Fhbbmc32.exe File opened for modification C:\Windows\SysWOW64\Mbbcofpf.exe Mpdgbkab.exe File created C:\Windows\SysWOW64\Ejqmmlpm.dll Migcpneb.exe File created C:\Windows\SysWOW64\Poifgc32.dll Jbghpc32.exe File created C:\Windows\SysWOW64\Kffphhmj.exe Knphfklg.exe File created C:\Windows\SysWOW64\Aeikhe32.dll Mkadam32.exe File created C:\Windows\SysWOW64\Npjlfcgj.dll Mbpfig32.exe File created C:\Windows\SysWOW64\Ofcaab32.exe Onlipd32.exe File created C:\Windows\SysWOW64\Ffbmfk32.dll Djjobedk.exe File opened for modification C:\Windows\SysWOW64\Dcbckk32.exe Dmhkoaco.exe File opened for modification C:\Windows\SysWOW64\Dgbdlf32.exe Dhmgki32.exe File created C:\Windows\SysWOW64\Koljgppp.exe Khabke32.exe File created C:\Windows\SysWOW64\Icakofel.exe Ikjcmi32.exe File created C:\Windows\SysWOW64\Adfdfinl.dll Kdbchp32.exe File created C:\Windows\SysWOW64\Hmdlhk32.exe Hanlcjgh.exe File created C:\Windows\SysWOW64\Dcmnee32.dll Jjkdlall.exe File created C:\Windows\SysWOW64\Jjnqap32.exe Jbghpc32.exe File opened for modification C:\Windows\SysWOW64\Olidijjf.exe Oflkqc32.exe File created C:\Windows\SysWOW64\Mnjqhcno.exe Lkldlgok.exe File created C:\Windows\SysWOW64\Hgcmbj32.exe Hbfdjc32.exe File created C:\Windows\SysWOW64\Effjdd32.dll Hchihhng.exe File opened for modification C:\Windows\SysWOW64\Niadfpcn.exe Nbgljf32.exe File opened for modification C:\Windows\SysWOW64\Mfmpob32.exe Mmdlflki.exe File opened for modification C:\Windows\SysWOW64\Qojeabie.exe Pmiijjcf.exe File opened for modification C:\Windows\SysWOW64\Ffahnd32.exe Ecblbi32.exe File created C:\Windows\SysWOW64\Fnjmea32.exe Ffcedd32.exe File created C:\Windows\SysWOW64\Nqgiel32.exe Nofmndkd.exe File created C:\Windows\SysWOW64\Gidbim32.dll Djgjlelk.exe File opened for modification C:\Windows\SysWOW64\Dhmgki32.exe Dkifae32.exe File created C:\Windows\SysWOW64\Ilkhog32.exe Ibbcfa32.exe File created C:\Windows\SysWOW64\Eccoloed.dll Mmfjfp32.exe File created C:\Windows\SysWOW64\Djgbmffn.exe Dgieajgj.exe File created C:\Windows\SysWOW64\Hebkid32.exe Hafpiehg.exe File created C:\Windows\SysWOW64\Qfpmdman.dll Jmepcj32.exe File opened for modification C:\Windows\SysWOW64\Lilbdcfe.exe Lbbjhini.exe File created C:\Windows\SysWOW64\Kjgegjko.dll Mjiloqjb.exe File opened for modification C:\Windows\SysWOW64\Kmhlijpm.exe Kjipmoai.exe File created C:\Windows\SysWOW64\Ohmjcpmd.dll Cfbcfh32.exe File created C:\Windows\SysWOW64\Hejpbbip.dll Dcdpakii.exe File opened for modification C:\Windows\SysWOW64\Fcibchgq.exe Fmpjfn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8824 8608 WerFault.exe 541 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeffgkkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifhac32.dll" Ndmpddfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkhpogij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eciilj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohcbiop.dll" Kaajfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjikhb32.dll" Fongpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aebjokda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfcnchpa.dll" Dmjgdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Famqbcdp.dll" Mbmbiqqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flddoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Giokid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjhndf32.dll" Npfchkop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ionlhlld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmmdjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgcmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfmgqph.dll" Bikeni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjiloqjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hadcce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbghpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpppjmd.dll" Mfiedfmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpmqoqbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldibcl32.dll" Knldfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnaopd32.dll" Eaonjngh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpbpecen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajepci32.dll" Gahcgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifphkbep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfimmhkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meepoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfnbbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejaecdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbimjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfonnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehmibdol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joobdfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdnhb32.dll" Pmiijjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjakkgha.dll" Alelkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dokqfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Begcjjql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqnog32.dll" Hkgnalep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Algiaepd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpgnmcdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipenifka.dll" Ikdlmmbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdmoejcc.dll" Egijmegb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbgqdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naqqmieo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acdioc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndjcne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbappaql.dll" Ceeaim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdbchp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibnjkbog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdkoef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfppoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imkbooff.dll" Jacnegep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndmpddfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbkbkbfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjkkopi.dll" Nilkkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Affgno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgediop.dll" Ccipelcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emoaopnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhpobmqh.dll" Hpchdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eonehbjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbfdjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Famnbgil.dll" Acdioc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmhlijpm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2568 wrote to memory of 2748 2568 NEAS.e5c5405afffc73d0a4cf8558406a3310_JC.exe 88 PID 2568 wrote to memory of 2748 2568 NEAS.e5c5405afffc73d0a4cf8558406a3310_JC.exe 88 PID 2568 wrote to memory of 2748 2568 NEAS.e5c5405afffc73d0a4cf8558406a3310_JC.exe 88 PID 2748 wrote to memory of 4824 2748 Djgjlelk.exe 90 PID 2748 wrote to memory of 4824 2748 Djgjlelk.exe 90 PID 2748 wrote to memory of 4824 2748 Djgjlelk.exe 90 PID 4824 wrote to memory of 928 4824 Dmefhako.exe 89 PID 4824 wrote to memory of 928 4824 Dmefhako.exe 89 PID 4824 wrote to memory of 928 4824 Dmefhako.exe 89 PID 928 wrote to memory of 1592 928 Ddonekbl.exe 91 PID 928 wrote to memory of 1592 928 Ddonekbl.exe 91 PID 928 wrote to memory of 1592 928 Ddonekbl.exe 91 PID 1592 wrote to memory of 1688 1592 Dkifae32.exe 92 PID 1592 wrote to memory of 1688 1592 Dkifae32.exe 92 PID 1592 wrote to memory of 1688 1592 Dkifae32.exe 92 PID 1688 wrote to memory of 3904 1688 Dhmgki32.exe 93 PID 1688 wrote to memory of 3904 1688 Dhmgki32.exe 93 PID 1688 wrote to memory of 3904 1688 Dhmgki32.exe 93 PID 3904 wrote to memory of 216 3904 Dgbdlf32.exe 94 PID 3904 wrote to memory of 216 3904 Dgbdlf32.exe 94 PID 3904 wrote to memory of 216 3904 Dgbdlf32.exe 94 PID 216 wrote to memory of 4460 216 Dahhio32.exe 95 PID 216 wrote to memory of 4460 216 Dahhio32.exe 95 PID 216 wrote to memory of 4460 216 Dahhio32.exe 95 PID 4460 wrote to memory of 1576 4460 Ehapfiem.exe 96 PID 4460 wrote to memory of 1576 4460 Ehapfiem.exe 96 PID 4460 wrote to memory of 1576 4460 Ehapfiem.exe 96 PID 1576 wrote to memory of 1612 1576 Eefaomcg.exe 97 PID 1576 wrote to memory of 1612 1576 Eefaomcg.exe 97 PID 1576 wrote to memory of 1612 1576 Eefaomcg.exe 97 PID 1612 wrote to memory of 1132 1612 Eggmge32.exe 98 PID 1612 wrote to memory of 1132 1612 Eggmge32.exe 98 PID 1612 wrote to memory of 1132 1612 Eggmge32.exe 98 PID 1132 wrote to memory of 2760 1132 Eonehbjg.exe 99 PID 1132 wrote to memory of 2760 1132 Eonehbjg.exe 99 PID 1132 wrote to memory of 2760 1132 Eonehbjg.exe 99 PID 2760 wrote to memory of 4804 2760 Egijmegb.exe 100 PID 2760 wrote to memory of 4804 2760 Egijmegb.exe 100 PID 2760 wrote to memory of 4804 2760 Egijmegb.exe 100 PID 4804 wrote to memory of 2716 4804 Eaonjngh.exe 101 PID 4804 wrote to memory of 2716 4804 Eaonjngh.exe 101 PID 4804 wrote to memory of 2716 4804 Eaonjngh.exe 101 PID 2716 wrote to memory of 3880 2716 Fgppmd32.exe 102 PID 2716 wrote to memory of 3880 2716 Fgppmd32.exe 102 PID 2716 wrote to memory of 3880 2716 Fgppmd32.exe 102 PID 3880 wrote to memory of 4432 3880 Feapkk32.exe 105 PID 3880 wrote to memory of 4432 3880 Feapkk32.exe 105 PID 3880 wrote to memory of 4432 3880 Feapkk32.exe 105 PID 4432 wrote to memory of 1252 4432 Ojdgnn32.exe 107 PID 4432 wrote to memory of 1252 4432 Ojdgnn32.exe 107 PID 4432 wrote to memory of 1252 4432 Ojdgnn32.exe 107 PID 1252 wrote to memory of 2784 1252 Cdmfllhn.exe 108 PID 1252 wrote to memory of 2784 1252 Cdmfllhn.exe 108 PID 1252 wrote to memory of 2784 1252 Cdmfllhn.exe 108 PID 2784 wrote to memory of 3608 2784 Epffbd32.exe 109 PID 2784 wrote to memory of 3608 2784 Epffbd32.exe 109 PID 2784 wrote to memory of 3608 2784 Epffbd32.exe 109 PID 3608 wrote to memory of 3024 3608 Fjjjgh32.exe 110 PID 3608 wrote to memory of 3024 3608 Fjjjgh32.exe 110 PID 3608 wrote to memory of 3024 3608 Fjjjgh32.exe 110 PID 3024 wrote to memory of 4776 3024 Fnhbmgmk.exe 111 PID 3024 wrote to memory of 4776 3024 Fnhbmgmk.exe 111 PID 3024 wrote to memory of 4776 3024 Fnhbmgmk.exe 111 PID 4776 wrote to memory of 2936 4776 Fklcgk32.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.e5c5405afffc73d0a4cf8558406a3310_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.e5c5405afffc73d0a4cf8558406a3310_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824
-
-
-
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Eggmge32.exeC:\Windows\system32\Eggmge32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Eonehbjg.exeC:\Windows\system32\Eonehbjg.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Egijmegb.exeC:\Windows\system32\Egijmegb.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Eaonjngh.exeC:\Windows\system32\Eaonjngh.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Windows\SysWOW64\Ojdgnn32.exeC:\Windows\system32\Ojdgnn32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Cdmfllhn.exeC:\Windows\system32\Cdmfllhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Epffbd32.exeC:\Windows\system32\Epffbd32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Fjjjgh32.exeC:\Windows\system32\Fjjjgh32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\Fnhbmgmk.exeC:\Windows\system32\Fnhbmgmk.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Fklcgk32.exeC:\Windows\system32\Fklcgk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Gbkdod32.exeC:\Windows\system32\Gbkdod32.exe20⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Gkcigjel.exeC:\Windows\system32\Gkcigjel.exe21⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Hkjohi32.exeC:\Windows\system32\Hkjohi32.exe22⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Hcedmkmp.exeC:\Windows\system32\Hcedmkmp.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Hbfdjc32.exeC:\Windows\system32\Hbfdjc32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4300 -
C:\Windows\SysWOW64\Hgcmbj32.exeC:\Windows\system32\Hgcmbj32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3360 -
C:\Windows\SysWOW64\Hbiapb32.exeC:\Windows\system32\Hbiapb32.exe26⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Hgeihiac.exeC:\Windows\system32\Hgeihiac.exe27⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Hejjanpm.exeC:\Windows\system32\Hejjanpm.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Ibnjkbog.exeC:\Windows\system32\Ibnjkbog.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4268 -
C:\Windows\SysWOW64\Ijiopd32.exeC:\Windows\system32\Ijiopd32.exe30⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Icachjbb.exeC:\Windows\system32\Icachjbb.exe31⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Ibbcfa32.exeC:\Windows\system32\Ibbcfa32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Ilkhog32.exeC:\Windows\system32\Ilkhog32.exe33⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Iecmhlhb.exeC:\Windows\system32\Iecmhlhb.exe34⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Inkaqb32.exeC:\Windows\system32\Inkaqb32.exe35⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Iloajfml.exeC:\Windows\system32\Iloajfml.exe36⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Jdjfohjg.exeC:\Windows\system32\Jdjfohjg.exe37⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Jblflp32.exeC:\Windows\system32\Jblflp32.exe38⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Jjgkab32.exeC:\Windows\system32\Jjgkab32.exe39⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Jhkljfok.exeC:\Windows\system32\Jhkljfok.exe40⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Jacpcl32.exeC:\Windows\system32\Jacpcl32.exe41⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Jjkdlall.exeC:\Windows\system32\Jjkdlall.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Jlkafdco.exeC:\Windows\system32\Jlkafdco.exe43⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Khabke32.exeC:\Windows\system32\Khabke32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3836 -
C:\Windows\SysWOW64\Koljgppp.exeC:\Windows\system32\Koljgppp.exe45⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Kajfdk32.exeC:\Windows\system32\Kajfdk32.exe46⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Khdoqefq.exeC:\Windows\system32\Khdoqefq.exe47⤵
- Executes dropped EXE
PID:4100 -
C:\Windows\SysWOW64\Kdkoef32.exeC:\Windows\system32\Kdkoef32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4956 -
C:\Windows\SysWOW64\Kejloi32.exeC:\Windows\system32\Kejloi32.exe49⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Kkgdhp32.exeC:\Windows\system32\Kkgdhp32.exe50⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Lbqinm32.exeC:\Windows\system32\Lbqinm32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Ldfoad32.exeC:\Windows\system32\Ldfoad32.exe52⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Mojopk32.exeC:\Windows\system32\Mojopk32.exe53⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Napameoi.exeC:\Windows\system32\Napameoi.exe54⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Nhjjip32.exeC:\Windows\system32\Nhjjip32.exe55⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Nfnjbdep.exeC:\Windows\system32\Nfnjbdep.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Nlgbon32.exeC:\Windows\system32\Nlgbon32.exe57⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Nbdkhe32.exeC:\Windows\system32\Nbdkhe32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Ohncdobq.exeC:\Windows\system32\Ohncdobq.exe59⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Obfhmd32.exeC:\Windows\system32\Obfhmd32.exe60⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Ohqpjo32.exeC:\Windows\system32\Ohqpjo32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Obidcdfo.exeC:\Windows\system32\Obidcdfo.exe62⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Ochamg32.exeC:\Windows\system32\Ochamg32.exe63⤵PID:1612
-
C:\Windows\SysWOW64\Oheienli.exeC:\Windows\system32\Oheienli.exe64⤵
- Drops file in System32 directory
PID:5092 -
C:\Windows\SysWOW64\Oooaah32.exeC:\Windows\system32\Oooaah32.exe65⤵PID:3240
-
C:\Windows\SysWOW64\Ohhfknjf.exeC:\Windows\system32\Ohhfknjf.exe66⤵PID:2360
-
C:\Windows\SysWOW64\Pmeoqlpl.exeC:\Windows\system32\Pmeoqlpl.exe67⤵PID:2540
-
C:\Windows\SysWOW64\Pkklbh32.exeC:\Windows\system32\Pkklbh32.exe68⤵PID:532
-
C:\Windows\SysWOW64\Pcbdcf32.exeC:\Windows\system32\Pcbdcf32.exe69⤵PID:4112
-
C:\Windows\SysWOW64\Pfppoa32.exeC:\Windows\system32\Pfppoa32.exe70⤵
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Pbgqdb32.exeC:\Windows\system32\Pbgqdb32.exe71⤵
- Modifies registry class
PID:3440 -
C:\Windows\SysWOW64\Peempn32.exeC:\Windows\system32\Peempn32.exe72⤵PID:4196
-
C:\Windows\SysWOW64\Pbimjb32.exeC:\Windows\system32\Pbimjb32.exe73⤵
- Modifies registry class
PID:3908 -
C:\Windows\SysWOW64\Pkabbgol.exeC:\Windows\system32\Pkabbgol.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2700 -
C:\Windows\SysWOW64\Qfgfpp32.exeC:\Windows\system32\Qfgfpp32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4448 -
C:\Windows\SysWOW64\Qbngeadf.exeC:\Windows\system32\Qbngeadf.exe76⤵PID:2512
-
C:\Windows\SysWOW64\Qcncodki.exeC:\Windows\system32\Qcncodki.exe77⤵PID:3640
-
C:\Windows\SysWOW64\Aijlgkjq.exeC:\Windows\system32\Aijlgkjq.exe78⤵PID:380
-
C:\Windows\SysWOW64\Acppddig.exeC:\Windows\system32\Acppddig.exe79⤵PID:3708
-
C:\Windows\SysWOW64\Abemep32.exeC:\Windows\system32\Abemep32.exe80⤵PID:2760
-
C:\Windows\SysWOW64\Apimodmh.exeC:\Windows\system32\Apimodmh.exe81⤵PID:116
-
C:\Windows\SysWOW64\Acdioc32.exeC:\Windows\system32\Acdioc32.exe82⤵
- Modifies registry class
PID:4984 -
C:\Windows\SysWOW64\Aeffgkkp.exeC:\Windows\system32\Aeffgkkp.exe83⤵
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Ammnhilb.exeC:\Windows\system32\Ammnhilb.exe84⤵PID:1792
-
C:\Windows\SysWOW64\Aidomjaf.exeC:\Windows\system32\Aidomjaf.exe85⤵PID:1856
-
C:\Windows\SysWOW64\Bifkcioc.exeC:\Windows\system32\Bifkcioc.exe86⤵PID:4676
-
C:\Windows\SysWOW64\Bppcpc32.exeC:\Windows\system32\Bppcpc32.exe87⤵PID:1432
-
C:\Windows\SysWOW64\Bfjllnnm.exeC:\Windows\system32\Bfjllnnm.exe88⤵PID:1016
-
C:\Windows\SysWOW64\Bpbpecen.exeC:\Windows\system32\Bpbpecen.exe89⤵
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Bikeni32.exeC:\Windows\system32\Bikeni32.exe90⤵
- Modifies registry class
PID:3956 -
C:\Windows\SysWOW64\Beaecjab.exeC:\Windows\system32\Beaecjab.exe91⤵PID:4820
-
C:\Windows\SysWOW64\Bfabmmhe.exeC:\Windows\system32\Bfabmmhe.exe92⤵PID:928
-
C:\Windows\SysWOW64\Bmkjig32.exeC:\Windows\system32\Bmkjig32.exe93⤵PID:4376
-
C:\Windows\SysWOW64\Cdebfago.exeC:\Windows\system32\Cdebfago.exe94⤵
- Drops file in System32 directory
PID:5056 -
C:\Windows\SysWOW64\Cefoni32.exeC:\Windows\system32\Cefoni32.exe95⤵PID:2956
-
C:\Windows\SysWOW64\Cmmgof32.exeC:\Windows\system32\Cmmgof32.exe96⤵PID:1300
-
C:\Windows\SysWOW64\Cbjogmlf.exeC:\Windows\system32\Cbjogmlf.exe97⤵PID:4884
-
C:\Windows\SysWOW64\Cehlcikj.exeC:\Windows\system32\Cehlcikj.exe98⤵PID:752
-
C:\Windows\SysWOW64\Clbdpc32.exeC:\Windows\system32\Clbdpc32.exe99⤵PID:2168
-
C:\Windows\SysWOW64\Cdjlap32.exeC:\Windows\system32\Cdjlap32.exe100⤵
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Cdlhgpag.exeC:\Windows\system32\Cdlhgpag.exe101⤵PID:4832
-
C:\Windows\SysWOW64\Cpcila32.exeC:\Windows\system32\Cpcila32.exe102⤵PID:2436
-
C:\Windows\SysWOW64\Cbaehl32.exeC:\Windows\system32\Cbaehl32.exe103⤵PID:376
-
C:\Windows\SysWOW64\Cepadh32.exeC:\Windows\system32\Cepadh32.exe104⤵PID:4328
-
C:\Windows\SysWOW64\Cmgjee32.exeC:\Windows\system32\Cmgjee32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1464 -
C:\Windows\SysWOW64\Ddqbbo32.exeC:\Windows\system32\Ddqbbo32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4904 -
C:\Windows\SysWOW64\Dfonnk32.exeC:\Windows\system32\Dfonnk32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3356 -
C:\Windows\SysWOW64\Dinjjf32.exeC:\Windows\system32\Dinjjf32.exe108⤵PID:4724
-
C:\Windows\SysWOW64\Dllffa32.exeC:\Windows\system32\Dllffa32.exe109⤵PID:5124
-
C:\Windows\SysWOW64\Ddcogo32.exeC:\Windows\system32\Ddcogo32.exe110⤵PID:5176
-
C:\Windows\SysWOW64\Dfakcj32.exeC:\Windows\system32\Dfakcj32.exe111⤵PID:5216
-
C:\Windows\SysWOW64\Dipgpf32.exeC:\Windows\system32\Dipgpf32.exe112⤵PID:5260
-
C:\Windows\SysWOW64\Dpjompqc.exeC:\Windows\system32\Dpjompqc.exe113⤵PID:5304
-
C:\Windows\SysWOW64\Dgdgijhp.exeC:\Windows\system32\Dgdgijhp.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5672 -
C:\Windows\SysWOW64\Mjafoapj.exeC:\Windows\system32\Mjafoapj.exe115⤵PID:5716
-
C:\Windows\SysWOW64\Mpnngh32.exeC:\Windows\system32\Mpnngh32.exe116⤵PID:5756
-
C:\Windows\SysWOW64\Mhefhf32.exeC:\Windows\system32\Mhefhf32.exe117⤵PID:5800
-
C:\Windows\SysWOW64\Mfhgcbfo.exeC:\Windows\system32\Mfhgcbfo.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5848 -
C:\Windows\SysWOW64\Migcpneb.exeC:\Windows\system32\Migcpneb.exe119⤵
- Drops file in System32 directory
PID:5892 -
C:\Windows\SysWOW64\Mankaked.exeC:\Windows\system32\Mankaked.exe120⤵PID:5936
-
C:\Windows\SysWOW64\Mfkcibdl.exeC:\Windows\system32\Mfkcibdl.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5980
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-