Analysis
-
max time kernel
155s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
23/10/2023, 19:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.fb065f588dc78fdf3c2a87c022c07872_JC.exe
Resource
win7-20231020-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.fb065f588dc78fdf3c2a87c022c07872_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.fb065f588dc78fdf3c2a87c022c07872_JC.exe
-
Size
237KB
-
MD5
fb065f588dc78fdf3c2a87c022c07872
-
SHA1
8ff8eef83dcd2d28f3aeaac90dfcf427917cb5e4
-
SHA256
39b9a73c4d500039a7f324674b13e2d01d963fd8f9f6c38f60f7ce8dc06d7c9a
-
SHA512
f8fa7d4f798daf6e99342ebb6b5d07208da76c2eb143f658b011b8b28ffcf011fc44bb08f61da42c35dc8080bbd5511ebdc37d372a650d0759bbf1fc9ceb9c47
-
SSDEEP
6144:Socrl+lzJjxobikQ76QwlkwsDkOlti7wnN:Ncr946QwqDtlr
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad NEAS.fb065f588dc78fdf3c2a87c022c07872_JC.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgphggpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlfniafa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aecialmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjmjgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcmpgpkp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iheaqolo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamoon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joaojf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npfchkop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kolaqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afockelf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcaeea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmlhpaji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nehekq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfgbec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egiohh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpmmhpgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfpidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpqgjf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjqfmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enigjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flmhclod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obqopddf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egiohh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fapobl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaddcnad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnngpj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfoamp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmddihfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enedio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahlnefd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfqjhmhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kajfdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gddqejni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akgjnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjgcgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pboblika.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfpcngdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oefamoma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcfkiock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Impldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jacnegep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egpgehnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jegohe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjqfmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncbfcp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdhjpjjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgbfhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqhphq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdjjgggk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niohap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgpfmncg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghgbe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odelpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhbnqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbgcch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pldcdhpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plimpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lonnfg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paennh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmdmpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohdbkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agmehamp.exe -
Executes dropped EXE 64 IoCs
pid Process 3248 Jimldogg.exe 1992 Lcmodajm.exe 4704 Mofmobmo.exe 4296 Momcpa32.exe 3012 Nhegig32.exe 2900 Oblhcj32.exe 3384 Pjjfdfbb.exe 216 Qbonoghb.exe 416 Afockelf.exe 3128 Abjmkf32.exe 792 Biklho32.exe 2768 Ckpamabg.exe 4724 Dinael32.exe 3844 Dnngpj32.exe 4556 Dgihop32.exe 4168 Eaceghcg.exe 936 Ekngemhd.exe 4908 Fggdpnkf.exe 2156 Fjhmbihg.exe 4716 Hcedmkmp.exe 404 Igjbci32.exe 3888 Jjkdlall.exe 764 Koimbpbc.exe 2320 Kajfdk32.exe 4404 Loemnnhe.exe 3008 Logicn32.exe 1664 Ledoegkm.exe 3868 Lolcnman.exe 3808 Mhiabbdi.exe 4752 Nlnpio32.exe 4816 Nlqloo32.exe 3728 Nbdkhe32.exe 1220 Ohqpjo32.exe 2912 Odgqopeb.exe 5076 Oheienli.exe 868 Oooaah32.exe 1044 Pkoemhao.exe 1104 Pcijce32.exe 3776 Qbngeadf.exe 940 Akihcfid.exe 3484 Aecialmb.exe 3084 Acgfec32.exe 4680 Aidomjaf.exe 848 Bppcpc32.exe 1988 Bmddihfj.exe 2380 Beoimjce.exe 2352 Blknpdho.exe 4312 Bfabmmhe.exe 2892 Cmmgof32.exe 1292 Cbmlmmjd.exe 2700 Cmdmpe32.exe 3772 Cdnelpod.exe 1480 Dpefaq32.exe 1584 Dlncla32.exe 4688 Dpllbp32.exe 4184 Dlcmgqdd.exe 1096 Dmbiackg.exe 400 Emeffcid.exe 920 Eilfldoi.exe 4128 Egpgehnb.exe 4696 Elolco32.exe 2336 Fdhail32.exe 3556 Feljgd32.exe 2188 Fcpkph32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jlmlbdad.dll Bcfkiock.exe File created C:\Windows\SysWOW64\Ifpddggh.dll Mbhina32.exe File opened for modification C:\Windows\SysWOW64\Biklho32.exe Abjmkf32.exe File created C:\Windows\SysWOW64\Flpbbbdk.dll Dgihop32.exe File opened for modification C:\Windows\SysWOW64\Iqdmghnp.exe Icnphd32.exe File opened for modification C:\Windows\SysWOW64\Pehnboko.exe Oefamoma.exe File created C:\Windows\SysWOW64\Mgmhgp32.dll Fcpkph32.exe File created C:\Windows\SysWOW64\Qodhmn32.dll Hqimlihn.exe File created C:\Windows\SysWOW64\Ihjjln32.exe Iapbodql.exe File created C:\Windows\SysWOW64\Dgcoaock.exe Cmdhnhkp.exe File opened for modification C:\Windows\SysWOW64\Knenffqf.exe Kdmjmqjf.exe File created C:\Windows\SysWOW64\Gbambkif.dll Aehpof32.exe File created C:\Windows\SysWOW64\Hjnmfk32.dll Mhiabbdi.exe File created C:\Windows\SysWOW64\Jckeokan.exe Jmamba32.exe File created C:\Windows\SysWOW64\Pljpbhin.dll Omjnhiiq.exe File opened for modification C:\Windows\SysWOW64\Gonilenb.exe Gdheol32.exe File created C:\Windows\SysWOW64\Emcjjqcg.dll Iocchhof.exe File created C:\Windows\SysWOW64\Niiaae32.exe Njceqili.exe File created C:\Windows\SysWOW64\Mghbke32.dll Khlinedh.exe File created C:\Windows\SysWOW64\Fkloka32.dll Hmpnqj32.exe File created C:\Windows\SysWOW64\Pnmjomlg.exe Pfpidk32.exe File created C:\Windows\SysWOW64\Dbjade32.exe Dhdmfljb.exe File opened for modification C:\Windows\SysWOW64\Gbecljnl.exe Eoindndf.exe File created C:\Windows\SysWOW64\Hafpiehg.exe Gbecljnl.exe File created C:\Windows\SysWOW64\Gakgdedc.dll Kkooep32.exe File created C:\Windows\SysWOW64\Pefmongg.dll Bleebc32.exe File opened for modification C:\Windows\SysWOW64\Dlfniafa.exe Dgieajgj.exe File created C:\Windows\SysWOW64\Egiohh32.exe Eqmjen32.exe File created C:\Windows\SysWOW64\Mhiabbdi.exe Lolcnman.exe File opened for modification C:\Windows\SysWOW64\Ebcdjc32.exe Eeodqocd.exe File opened for modification C:\Windows\SysWOW64\Pmipdq32.exe Pgphggpe.exe File created C:\Windows\SysWOW64\Bgicdc32.exe Bnaolm32.exe File opened for modification C:\Windows\SysWOW64\Ljoboloa.exe Lcdjba32.exe File opened for modification C:\Windows\SysWOW64\Kejeebpl.exe Kjdqhjpf.exe File opened for modification C:\Windows\SysWOW64\Bejhhd32.exe Bnppkj32.exe File created C:\Windows\SysWOW64\Ciogobcm.exe Blkgen32.exe File created C:\Windows\SysWOW64\Ginenk32.exe Gccmaack.exe File opened for modification C:\Windows\SysWOW64\Fdhail32.exe Elolco32.exe File opened for modification C:\Windows\SysWOW64\Fpqgjf32.exe Fibfbm32.exe File opened for modification C:\Windows\SysWOW64\Ffjkdc32.exe Egnhcgeb.exe File opened for modification C:\Windows\SysWOW64\Ahnclp32.exe Algbfo32.exe File created C:\Windows\SysWOW64\Oheienli.exe Odgqopeb.exe File opened for modification C:\Windows\SysWOW64\Dpefaq32.exe Cdnelpod.exe File created C:\Windows\SysWOW64\Aeohij32.dll Aecbge32.exe File opened for modification C:\Windows\SysWOW64\Eaceghcg.exe Dgihop32.exe File opened for modification C:\Windows\SysWOW64\Icnphd32.exe Hnokjm32.exe File created C:\Windows\SysWOW64\Kdbjbfjl.exe Khlinedh.exe File created C:\Windows\SysWOW64\Bekmei32.exe Bpodmb32.exe File created C:\Windows\SysWOW64\Ilcjgm32.exe Ieiajckh.exe File opened for modification C:\Windows\SysWOW64\Mbhina32.exe Mbfmha32.exe File opened for modification C:\Windows\SysWOW64\Mnaghb32.exe Mggolhaj.exe File created C:\Windows\SysWOW64\Kiadbknf.dll Gcqhcgqi.exe File created C:\Windows\SysWOW64\Lciokqqf.dll Jacnegep.exe File opened for modification C:\Windows\SysWOW64\Lkjhfh32.exe Loqjlg32.exe File created C:\Windows\SysWOW64\Gjdknjep.exe Gpgnjebd.exe File created C:\Windows\SysWOW64\Joaojf32.exe Jjnqap32.exe File opened for modification C:\Windows\SysWOW64\Enfjdh32.exe Dgcoaock.exe File opened for modification C:\Windows\SysWOW64\Egnhcgeb.exe Eqbcqnph.exe File created C:\Windows\SysWOW64\Opglcn32.dll Acbhhf32.exe File opened for modification C:\Windows\SysWOW64\Cdicje32.exe Cjcolm32.exe File created C:\Windows\SysWOW64\Eepbabjj.exe Enfjdh32.exe File created C:\Windows\SysWOW64\Bckecf32.dll Npkmcj32.exe File created C:\Windows\SysWOW64\Jdnoeb32.dll Qbonoghb.exe File opened for modification C:\Windows\SysWOW64\Logicn32.exe Loemnnhe.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7036 6044 Process not Found 1146 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamonn32.dll" Eaceghcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hphfac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehlolk32.dll" Akgjnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljjicl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Midoph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mminfech.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acbhhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmjkka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnihk32.dll" Dqomdppm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgplai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnlkllcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agmehamp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbecljnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhmdeink.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbmqmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcceifof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hagnihom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abnnnjfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahnclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piifjomf.dll" Blknpdho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkbgll32.dll" Jogeia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caikpked.dll" Jgpfmncg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbhina32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qiocde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqimlihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbgdnelk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlnkgbhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocicekcm.dll" Aiejda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijicm32.dll" Kaaaak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opiidhoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cldojg32.dll" Ahnclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqkplq32.dll" Oblhcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aiejda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaccbaeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfpcngdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npkmcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obbekn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpidhmoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enigjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Micheb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihagfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpmmhpgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apkhfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icnphd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcaeea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgphggpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajlpepbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fchlhnlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmlhpaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ledoegkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlqloo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moeoje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpjkbcbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgkicol.dll" Eaddcnad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcpkph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdflaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dioiki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolahq32.dll" Gmjcgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aploae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkplilgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngofgcjo.dll" Hnokjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plejoode.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipaeedpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kolaqh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1108 wrote to memory of 3248 1108 NEAS.fb065f588dc78fdf3c2a87c022c07872_JC.exe 84 PID 1108 wrote to memory of 3248 1108 NEAS.fb065f588dc78fdf3c2a87c022c07872_JC.exe 84 PID 1108 wrote to memory of 3248 1108 NEAS.fb065f588dc78fdf3c2a87c022c07872_JC.exe 84 PID 3248 wrote to memory of 1992 3248 Jimldogg.exe 85 PID 3248 wrote to memory of 1992 3248 Jimldogg.exe 85 PID 3248 wrote to memory of 1992 3248 Jimldogg.exe 85 PID 1992 wrote to memory of 4704 1992 Lcmodajm.exe 86 PID 1992 wrote to memory of 4704 1992 Lcmodajm.exe 86 PID 1992 wrote to memory of 4704 1992 Lcmodajm.exe 86 PID 4704 wrote to memory of 4296 4704 Mofmobmo.exe 87 PID 4704 wrote to memory of 4296 4704 Mofmobmo.exe 87 PID 4704 wrote to memory of 4296 4704 Mofmobmo.exe 87 PID 4296 wrote to memory of 3012 4296 Momcpa32.exe 88 PID 4296 wrote to memory of 3012 4296 Momcpa32.exe 88 PID 4296 wrote to memory of 3012 4296 Momcpa32.exe 88 PID 3012 wrote to memory of 2900 3012 Nhegig32.exe 89 PID 3012 wrote to memory of 2900 3012 Nhegig32.exe 89 PID 3012 wrote to memory of 2900 3012 Nhegig32.exe 89 PID 2900 wrote to memory of 3384 2900 Oblhcj32.exe 90 PID 2900 wrote to memory of 3384 2900 Oblhcj32.exe 90 PID 2900 wrote to memory of 3384 2900 Oblhcj32.exe 90 PID 3384 wrote to memory of 216 3384 Pjjfdfbb.exe 91 PID 3384 wrote to memory of 216 3384 Pjjfdfbb.exe 91 PID 3384 wrote to memory of 216 3384 Pjjfdfbb.exe 91 PID 216 wrote to memory of 416 216 Qbonoghb.exe 92 PID 216 wrote to memory of 416 216 Qbonoghb.exe 92 PID 216 wrote to memory of 416 216 Qbonoghb.exe 92 PID 416 wrote to memory of 3128 416 Afockelf.exe 93 PID 416 wrote to memory of 3128 416 Afockelf.exe 93 PID 416 wrote to memory of 3128 416 Afockelf.exe 93 PID 3128 wrote to memory of 792 3128 Abjmkf32.exe 94 PID 3128 wrote to memory of 792 3128 Abjmkf32.exe 94 PID 3128 wrote to memory of 792 3128 Abjmkf32.exe 94 PID 792 wrote to memory of 2768 792 Biklho32.exe 95 PID 792 wrote to memory of 2768 792 Biklho32.exe 95 PID 792 wrote to memory of 2768 792 Biklho32.exe 95 PID 2768 wrote to memory of 4724 2768 Ckpamabg.exe 96 PID 2768 wrote to memory of 4724 2768 Ckpamabg.exe 96 PID 2768 wrote to memory of 4724 2768 Ckpamabg.exe 96 PID 4724 wrote to memory of 3844 4724 Dinael32.exe 97 PID 4724 wrote to memory of 3844 4724 Dinael32.exe 97 PID 4724 wrote to memory of 3844 4724 Dinael32.exe 97 PID 3844 wrote to memory of 4556 3844 Dnngpj32.exe 98 PID 3844 wrote to memory of 4556 3844 Dnngpj32.exe 98 PID 3844 wrote to memory of 4556 3844 Dnngpj32.exe 98 PID 4556 wrote to memory of 4168 4556 Dgihop32.exe 99 PID 4556 wrote to memory of 4168 4556 Dgihop32.exe 99 PID 4556 wrote to memory of 4168 4556 Dgihop32.exe 99 PID 4168 wrote to memory of 936 4168 Eaceghcg.exe 100 PID 4168 wrote to memory of 936 4168 Eaceghcg.exe 100 PID 4168 wrote to memory of 936 4168 Eaceghcg.exe 100 PID 936 wrote to memory of 4908 936 Ekngemhd.exe 101 PID 936 wrote to memory of 4908 936 Ekngemhd.exe 101 PID 936 wrote to memory of 4908 936 Ekngemhd.exe 101 PID 4908 wrote to memory of 2156 4908 Fggdpnkf.exe 102 PID 4908 wrote to memory of 2156 4908 Fggdpnkf.exe 102 PID 4908 wrote to memory of 2156 4908 Fggdpnkf.exe 102 PID 2156 wrote to memory of 4716 2156 Fjhmbihg.exe 103 PID 2156 wrote to memory of 4716 2156 Fjhmbihg.exe 103 PID 2156 wrote to memory of 4716 2156 Fjhmbihg.exe 103 PID 4716 wrote to memory of 404 4716 Hcedmkmp.exe 104 PID 4716 wrote to memory of 404 4716 Hcedmkmp.exe 104 PID 4716 wrote to memory of 404 4716 Hcedmkmp.exe 104 PID 404 wrote to memory of 3888 404 Igjbci32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.fb065f588dc78fdf3c2a87c022c07872_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.fb065f588dc78fdf3c2a87c022c07872_JC.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Jimldogg.exeC:\Windows\system32\Jimldogg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\SysWOW64\Lcmodajm.exeC:\Windows\system32\Lcmodajm.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Mofmobmo.exeC:\Windows\system32\Mofmobmo.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\Momcpa32.exeC:\Windows\system32\Momcpa32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Nhegig32.exeC:\Windows\system32\Nhegig32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Oblhcj32.exeC:\Windows\system32\Oblhcj32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Pjjfdfbb.exeC:\Windows\system32\Pjjfdfbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Windows\SysWOW64\Qbonoghb.exeC:\Windows\system32\Qbonoghb.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Afockelf.exeC:\Windows\system32\Afockelf.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:416 -
C:\Windows\SysWOW64\Abjmkf32.exeC:\Windows\system32\Abjmkf32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\SysWOW64\Biklho32.exeC:\Windows\system32\Biklho32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\Ckpamabg.exeC:\Windows\system32\Ckpamabg.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Dinael32.exeC:\Windows\system32\Dinael32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\Dnngpj32.exeC:\Windows\system32\Dnngpj32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\Dgihop32.exeC:\Windows\system32\Dgihop32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Eaceghcg.exeC:\Windows\system32\Eaceghcg.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\Ekngemhd.exeC:\Windows\system32\Ekngemhd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\SysWOW64\Fggdpnkf.exeC:\Windows\system32\Fggdpnkf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Fjhmbihg.exeC:\Windows\system32\Fjhmbihg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Hcedmkmp.exeC:\Windows\system32\Hcedmkmp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Igjbci32.exeC:\Windows\system32\Igjbci32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Jjkdlall.exeC:\Windows\system32\Jjkdlall.exe23⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Koimbpbc.exeC:\Windows\system32\Koimbpbc.exe24⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Kajfdk32.exeC:\Windows\system32\Kajfdk32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Loemnnhe.exeC:\Windows\system32\Loemnnhe.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4404 -
C:\Windows\SysWOW64\Logicn32.exeC:\Windows\system32\Logicn32.exe27⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Ledoegkm.exeC:\Windows\system32\Ledoegkm.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Lolcnman.exeC:\Windows\system32\Lolcnman.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3868 -
C:\Windows\SysWOW64\Mhiabbdi.exeC:\Windows\system32\Mhiabbdi.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3808 -
C:\Windows\SysWOW64\Nlnpio32.exeC:\Windows\system32\Nlnpio32.exe31⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Nlqloo32.exeC:\Windows\system32\Nlqloo32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:4816 -
C:\Windows\SysWOW64\Nbdkhe32.exeC:\Windows\system32\Nbdkhe32.exe33⤵
- Executes dropped EXE
PID:3728 -
C:\Windows\SysWOW64\Ohqpjo32.exeC:\Windows\system32\Ohqpjo32.exe34⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Odgqopeb.exeC:\Windows\system32\Odgqopeb.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Oheienli.exeC:\Windows\system32\Oheienli.exe36⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Oooaah32.exeC:\Windows\system32\Oooaah32.exe37⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Pkoemhao.exeC:\Windows\system32\Pkoemhao.exe38⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Pcijce32.exeC:\Windows\system32\Pcijce32.exe39⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Qbngeadf.exeC:\Windows\system32\Qbngeadf.exe40⤵
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Akihcfid.exeC:\Windows\system32\Akihcfid.exe41⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Aecialmb.exeC:\Windows\system32\Aecialmb.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Acgfec32.exeC:\Windows\system32\Acgfec32.exe43⤵
- Executes dropped EXE
PID:3084 -
C:\Windows\SysWOW64\Aidomjaf.exeC:\Windows\system32\Aidomjaf.exe44⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Bppcpc32.exeC:\Windows\system32\Bppcpc32.exe45⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Bmddihfj.exeC:\Windows\system32\Bmddihfj.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Beoimjce.exeC:\Windows\system32\Beoimjce.exe47⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Blknpdho.exeC:\Windows\system32\Blknpdho.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Bfabmmhe.exeC:\Windows\system32\Bfabmmhe.exe49⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Cmmgof32.exeC:\Windows\system32\Cmmgof32.exe50⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Cbmlmmjd.exeC:\Windows\system32\Cbmlmmjd.exe51⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Cmdmpe32.exeC:\Windows\system32\Cmdmpe32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Cdnelpod.exeC:\Windows\system32\Cdnelpod.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3772 -
C:\Windows\SysWOW64\Dpefaq32.exeC:\Windows\system32\Dpefaq32.exe54⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Dlncla32.exeC:\Windows\system32\Dlncla32.exe55⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Dpllbp32.exeC:\Windows\system32\Dpllbp32.exe56⤵
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Dlcmgqdd.exeC:\Windows\system32\Dlcmgqdd.exe57⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Dmbiackg.exeC:\Windows\system32\Dmbiackg.exe58⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Emeffcid.exeC:\Windows\system32\Emeffcid.exe59⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Eilfldoi.exeC:\Windows\system32\Eilfldoi.exe60⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Egpgehnb.exeC:\Windows\system32\Egpgehnb.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Elolco32.exeC:\Windows\system32\Elolco32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4696 -
C:\Windows\SysWOW64\Fdhail32.exeC:\Windows\system32\Fdhail32.exe63⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Feljgd32.exeC:\Windows\system32\Feljgd32.exe64⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Fcpkph32.exeC:\Windows\system32\Fcpkph32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Fneoma32.exeC:\Windows\system32\Fneoma32.exe66⤵PID:812
-
C:\Windows\SysWOW64\Fdogjk32.exeC:\Windows\system32\Fdogjk32.exe67⤵PID:2400
-
C:\Windows\SysWOW64\Ffcpgcfj.exeC:\Windows\system32\Ffcpgcfj.exe68⤵PID:3824
-
C:\Windows\SysWOW64\Gddqejni.exeC:\Windows\system32\Gddqejni.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2820 -
C:\Windows\SysWOW64\Gjqinamq.exeC:\Windows\system32\Gjqinamq.exe70⤵PID:5064
-
C:\Windows\SysWOW64\Gdhjpjjd.exeC:\Windows\system32\Gdhjpjjd.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3964 -
C:\Windows\SysWOW64\Hfamia32.exeC:\Windows\system32\Hfamia32.exe72⤵PID:4016
-
C:\Windows\SysWOW64\Hqimlihn.exeC:\Windows\system32\Hqimlihn.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:3340 -
C:\Windows\SysWOW64\Hgbfhc32.exeC:\Windows\system32\Hgbfhc32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3840 -
C:\Windows\SysWOW64\Hmpnqj32.exeC:\Windows\system32\Hmpnqj32.exe75⤵
- Drops file in System32 directory
PID:1100 -
C:\Windows\SysWOW64\Hnokjm32.exeC:\Windows\system32\Hnokjm32.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:4592 -
C:\Windows\SysWOW64\Icnphd32.exeC:\Windows\system32\Icnphd32.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Iqdmghnp.exeC:\Windows\system32\Iqdmghnp.exe78⤵PID:1764
-
C:\Windows\SysWOW64\Jegohe32.exeC:\Windows\system32\Jegohe32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1780 -
C:\Windows\SysWOW64\Jclljaei.exeC:\Windows\system32\Jclljaei.exe80⤵PID:3280
-
C:\Windows\SysWOW64\Jcaeea32.exeC:\Windows\system32\Jcaeea32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3672 -
C:\Windows\SysWOW64\Jaefne32.exeC:\Windows\system32\Jaefne32.exe82⤵PID:1804
-
C:\Windows\SysWOW64\Kjmjgk32.exeC:\Windows\system32\Kjmjgk32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4480 -
C:\Windows\SysWOW64\Kceoppmo.exeC:\Windows\system32\Kceoppmo.exe84⤵PID:2088
-
C:\Windows\SysWOW64\Kaioidkh.exeC:\Windows\system32\Kaioidkh.exe85⤵PID:4668
-
C:\Windows\SysWOW64\Kallod32.exeC:\Windows\system32\Kallod32.exe86⤵PID:4860
-
C:\Windows\SysWOW64\Kjdqhjpf.exeC:\Windows\system32\Kjdqhjpf.exe87⤵
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Kejeebpl.exeC:\Windows\system32\Kejeebpl.exe88⤵PID:4324
-
C:\Windows\SysWOW64\Mginniij.exeC:\Windows\system32\Mginniij.exe89⤵PID:4288
-
C:\Windows\SysWOW64\Mejnlpai.exeC:\Windows\system32\Mejnlpai.exe90⤵PID:3288
-
C:\Windows\SysWOW64\Mobbdf32.exeC:\Windows\system32\Mobbdf32.exe91⤵PID:4656
-
C:\Windows\SysWOW64\Moeoje32.exeC:\Windows\system32\Moeoje32.exe92⤵
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Najagp32.exeC:\Windows\system32\Najagp32.exe93⤵PID:4580
-
C:\Windows\SysWOW64\Nhdicjfp.exeC:\Windows\system32\Nhdicjfp.exe94⤵PID:4100
-
C:\Windows\SysWOW64\Ndkjik32.exeC:\Windows\system32\Ndkjik32.exe95⤵PID:1012
-
C:\Windows\SysWOW64\Oolnabal.exeC:\Windows\system32\Oolnabal.exe96⤵PID:3004
-
C:\Windows\SysWOW64\Ohdbkh32.exeC:\Windows\system32\Ohdbkh32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:648 -
C:\Windows\SysWOW64\Pbapom32.exeC:\Windows\system32\Pbapom32.exe98⤵PID:524
-
C:\Windows\SysWOW64\Pfpidk32.exeC:\Windows\system32\Pfpidk32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:316 -
C:\Windows\SysWOW64\Pnmjomlg.exeC:\Windows\system32\Pnmjomlg.exe100⤵PID:3852
-
C:\Windows\SysWOW64\Qbkcek32.exeC:\Windows\system32\Qbkcek32.exe101⤵PID:1248
-
C:\Windows\SysWOW64\Qnbdjl32.exeC:\Windows\system32\Qnbdjl32.exe102⤵PID:180
-
C:\Windows\SysWOW64\Agmehamp.exeC:\Windows\system32\Agmehamp.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5144 -
C:\Windows\SysWOW64\Akjnnpcf.exeC:\Windows\system32\Akjnnpcf.exe104⤵PID:5180
-
C:\Windows\SysWOW64\Aecbge32.exeC:\Windows\system32\Aecbge32.exe105⤵
- Drops file in System32 directory
PID:5228 -
C:\Windows\SysWOW64\Bnppkj32.exeC:\Windows\system32\Bnppkj32.exe106⤵
- Drops file in System32 directory
PID:5268 -
C:\Windows\SysWOW64\Bejhhd32.exeC:\Windows\system32\Bejhhd32.exe107⤵PID:5304
-
C:\Windows\SysWOW64\Bpomem32.exeC:\Windows\system32\Bpomem32.exe108⤵PID:5352
-
C:\Windows\SysWOW64\Blkgen32.exeC:\Windows\system32\Blkgen32.exe109⤵
- Drops file in System32 directory
PID:5396 -
C:\Windows\SysWOW64\Ciogobcm.exeC:\Windows\system32\Ciogobcm.exe110⤵PID:5432
-
C:\Windows\SysWOW64\Cnlpgibd.exeC:\Windows\system32\Cnlpgibd.exe111⤵PID:5476
-
C:\Windows\SysWOW64\Cbqonf32.exeC:\Windows\system32\Cbqonf32.exe112⤵PID:5520
-
C:\Windows\SysWOW64\Dhpdkm32.exeC:\Windows\system32\Dhpdkm32.exe113⤵PID:5564
-
C:\Windows\SysWOW64\Dbehienn.exeC:\Windows\system32\Dbehienn.exe114⤵PID:5604
-
C:\Windows\SysWOW64\Dbgdnelk.exeC:\Windows\system32\Dbgdnelk.exe115⤵
- Modifies registry class
PID:5644 -
C:\Windows\SysWOW64\Dhdmfljb.exeC:\Windows\system32\Dhdmfljb.exe116⤵
- Drops file in System32 directory
PID:5688 -
C:\Windows\SysWOW64\Dbjade32.exeC:\Windows\system32\Dbjade32.exe117⤵PID:5732
-
C:\Windows\SysWOW64\Dblnid32.exeC:\Windows\system32\Dblnid32.exe118⤵PID:5776
-
C:\Windows\SysWOW64\Eifffoob.exeC:\Windows\system32\Eifffoob.exe119⤵PID:5824
-
C:\Windows\SysWOW64\Eoconenj.exeC:\Windows\system32\Eoconenj.exe120⤵PID:5868
-
C:\Windows\SysWOW64\Eoekde32.exeC:\Windows\system32\Eoekde32.exe121⤵PID:5916
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-