Analysis
-
max time kernel
155s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
01-11-2023 20:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.d606d6820cd4d45ef054a59017662990_JC.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.d606d6820cd4d45ef054a59017662990_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.d606d6820cd4d45ef054a59017662990_JC.exe
-
Size
349KB
-
MD5
d606d6820cd4d45ef054a59017662990
-
SHA1
3d2217de491c9b53e6a2e4d46ea4a15a6726fb55
-
SHA256
1dabfadcfc91816f345bb30d16cff9e933653f204f0c040421f24791a7836aaf
-
SHA512
77d3f0114df2dd8774bb84ddb3c0144a7849738403449a29c2128fe2eef31262a16dcc065c2c071f281f0bea9f8f1edc0cc74b4f1b36460b0628667cea2921c1
-
SSDEEP
6144:CdG8KpA5qARs+HsoTh3O64JVw/ekxgu8VZtK036E37JPwS0eeaB7DxB6HkM7ADPT:UKWQ0h3/4JVw/eK98VZtK03937JPwS0q
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfeccm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcagdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iihkjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohiefdhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiheheka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgfpdmho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elccpife.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhahiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkokma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pohnnqgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naokbokn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcpcehko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnlloj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipflcnln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhpgca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mciokcgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgbijg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihnbih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpchaqg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohaokbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbnopbdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blhpjnbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhheepbk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhjbjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ononmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaonaekb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pibdff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgnihd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acgacegg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfenga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfhgfaha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaekkfcm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldjhib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpkiklop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Himqjpme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpnhof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccbaoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpenoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgffci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doanno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokdllim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghiogkfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggpbcaei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfanbpjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhocgqjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poomom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckeigc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epgpajdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnehgmob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Helkdnaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecmlmcmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doanno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igomeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Finnef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bibpkiie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgmfel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikdlmmbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plocob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnbifmla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhdmplk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gneaelqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaflio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kknfmdko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmicee32.exe -
Executes dropped EXE 64 IoCs
pid Process 4260 Opqofe32.exe 2872 Baannc32.exe 2700 Bgbpaipl.exe 232 Cnaaib32.exe 1956 Ckebcg32.exe 2056 Chnlgjlb.exe 3252 Ekonpckp.exe 2524 Finnef32.exe 3948 Gokbgpeg.exe 2264 Gijmad32.exe 4912 Hlkfbocp.exe 4968 Heegad32.exe 1016 Ihkjno32.exe 3292 Ibegfglj.exe 3280 Jlbejloe.exe 1556 Jbagbebm.exe 4560 Kakmna32.exe 4764 Lllagh32.exe 212 Mledmg32.exe 1132 Njgqhicg.exe 1236 Omalpc32.exe 4888 Pcpnhl32.exe 4256 Afockelf.exe 4464 Banjnm32.exe 4420 Bpedeiff.exe 2644 Ckbncapd.exe 3852 Cpcpfg32.exe 4916 Dahfkimd.exe 2980 Dalofi32.exe 916 Ekimjn32.exe 3352 Ejojljqa.exe 4720 Ecikjoep.exe 1620 Fdmaoahm.exe 1384 Gcjdam32.exe 3368 Gjhfif32.exe 5064 Gglfbkin.exe 3884 Hcedmkmp.exe 2680 Hjfbjdnd.exe 2348 Iccpniqp.exe 4448 Ilmedf32.exe 1552 Jeaiij32.exe 4928 Kkbkmqed.exe 3956 Lahbei32.exe 560 Lajokiaa.exe 1248 Llpchaqg.exe 236 Moalil32.exe 3964 Mlemcq32.exe 2396 Mhnjna32.exe 4660 Mhpgca32.exe 4588 Ndnnianm.exe 320 Omaeem32.exe 4216 Pcpgmf32.exe 2440 Piolkm32.exe 4616 Aflpkpjm.exe 3896 Acppddig.exe 3840 Acgfec32.exe 4224 Bfabmmhe.exe 4752 Cdgolq32.exe 340 Cfjeckpj.exe 4812 Digmqe32.exe 4716 Feimadoe.exe 4240 Fgijkgeh.exe 5032 Gloejmld.exe 1756 Gdmcki32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Moljgeco.exe Mojmbf32.exe File created C:\Windows\SysWOW64\Cofnba32.exe Cocamaam.exe File created C:\Windows\SysWOW64\Efdenq32.dll Hehkjpod.exe File created C:\Windows\SysWOW64\Kanidd32.exe Kmncif32.exe File created C:\Windows\SysWOW64\Facjlhil.exe Fiheheka.exe File created C:\Windows\SysWOW64\Galonj32.exe Fppchile.exe File opened for modification C:\Windows\SysWOW64\Pidaleei.exe Poomom32.exe File opened for modification C:\Windows\SysWOW64\Aaiiffjj.exe Allpnplb.exe File created C:\Windows\SysWOW64\Nknjak32.dll Ndaboafl.exe File opened for modification C:\Windows\SysWOW64\Domdcpib.exe Dkokma32.exe File created C:\Windows\SysWOW64\Jenmlmll.exe Jekqgnno.exe File created C:\Windows\SysWOW64\Oblmnmjl.exe Ohdlke32.exe File opened for modification C:\Windows\SysWOW64\Omaeem32.exe Ndnnianm.exe File created C:\Windows\SysWOW64\Hnjaonij.exe Hqfqfj32.exe File created C:\Windows\SysWOW64\Bfieagka.exe Bkdqdokk.exe File created C:\Windows\SysWOW64\Hpaqqdjj.exe Fljedg32.exe File created C:\Windows\SysWOW64\Ideedj32.dll Alhpkldp.exe File created C:\Windows\SysWOW64\Giagjn32.dll Hknmgd32.exe File created C:\Windows\SysWOW64\Dofpqfof.exe Bahdje32.exe File created C:\Windows\SysWOW64\Hdedgjno.dll Cpcpfg32.exe File opened for modification C:\Windows\SysWOW64\Ononmo32.exe Oojalb32.exe File opened for modification C:\Windows\SysWOW64\Miipencp.exe Ladhkmno.exe File created C:\Windows\SysWOW64\Ccendc32.exe Cnhell32.exe File opened for modification C:\Windows\SysWOW64\Kafcadej.exe Kgpodk32.exe File opened for modification C:\Windows\SysWOW64\Mjnnmn32.exe Mdaedgdb.exe File opened for modification C:\Windows\SysWOW64\Jlkaahjg.exe Iihkjm32.exe File created C:\Windows\SysWOW64\Dljqjjnp.exe Dofpqfof.exe File created C:\Windows\SysWOW64\Hjcllilo.exe Gfcgpkhk.exe File created C:\Windows\SysWOW64\Cfkenogb.exe Canlfh32.exe File created C:\Windows\SysWOW64\Aggean32.exe Aqmldddb.exe File created C:\Windows\SysWOW64\Fgijkgeh.exe Feimadoe.exe File created C:\Windows\SysWOW64\Bdnhjgbo.dll Jbnopbdl.exe File opened for modification C:\Windows\SysWOW64\Akgcdc32.exe Acmomgoa.exe File opened for modification C:\Windows\SysWOW64\Imgbdh32.exe Idonlbff.exe File opened for modification C:\Windows\SysWOW64\Dohkhq32.exe Cofnba32.exe File created C:\Windows\SysWOW64\Kihnhc32.dll Ifihdi32.exe File created C:\Windows\SysWOW64\Nmhglopl.exe Nfnooe32.exe File opened for modification C:\Windows\SysWOW64\Ipflcnln.exe Igmgji32.exe File opened for modification C:\Windows\SysWOW64\Lqikfi32.exe Lqfnqjpi.exe File opened for modification C:\Windows\SysWOW64\Jjdgal32.exe Iebfmfdg.exe File opened for modification C:\Windows\SysWOW64\Nhdicjfp.exe Nahdapae.exe File opened for modification C:\Windows\SysWOW64\Incpdodg.exe Ionbcb32.exe File created C:\Windows\SysWOW64\Hpfiln32.dll Gcjdam32.exe File created C:\Windows\SysWOW64\Pjidgaoa.dll Bpaacblm.exe File created C:\Windows\SysWOW64\Kmmibk32.dll Ibjqlj32.exe File created C:\Windows\SysWOW64\Ldnkeajq.dll Kekljlkp.exe File opened for modification C:\Windows\SysWOW64\Affgno32.exe Qmnbej32.exe File created C:\Windows\SysWOW64\Pelacg32.exe Pnbifmla.exe File opened for modification C:\Windows\SysWOW64\Bcghlnih.exe Amcmie32.exe File opened for modification C:\Windows\SysWOW64\Dljqjjnp.exe Dofpqfof.exe File created C:\Windows\SysWOW64\Negfik32.dll Oibbjoij.exe File created C:\Windows\SysWOW64\Afdkme32.dll Milinkgf.exe File created C:\Windows\SysWOW64\Clbbjg32.dll Ajmgof32.exe File opened for modification C:\Windows\SysWOW64\Ajbmmcii.exe Aomipkic.exe File opened for modification C:\Windows\SysWOW64\Imcqacfq.exe Ifihdi32.exe File created C:\Windows\SysWOW64\Aphegjhc.exe Adadbi32.exe File created C:\Windows\SysWOW64\Dgdeikmo.dll Ldblon32.exe File created C:\Windows\SysWOW64\Fngebkna.dll Inkjao32.exe File created C:\Windows\SysWOW64\Ggpbcaei.exe Gngnjk32.exe File created C:\Windows\SysWOW64\Oaqbdc32.exe Oegejc32.exe File created C:\Windows\SysWOW64\Finnef32.exe Ekonpckp.exe File created C:\Windows\SysWOW64\Mkpeom32.dll Meoggpmd.exe File created C:\Windows\SysWOW64\Hahnld32.dll Cnebmgjj.exe File created C:\Windows\SysWOW64\Hpmpgfhd.exe Hgdlnp32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dajnol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkiclepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohdlke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqfejl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnbjkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lahbei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhacdgi.dll" Oickbjmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdbil32.dll" Mmokpglb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beglpldq.dll" Igpdph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhdicjfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfdfinl.dll" Knhkkfod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acmomgoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Helkdnaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gglfbkin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ladhkmno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppoadkeg.dll" Kihdqkaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjkpif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpbbblhf.dll" Jdkkjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijgakgej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amblpikl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpaacblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccjlblm.dll" Ahpdcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbknhqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmndkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hphbpehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpkngi32.dll" Gohhik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmaja32.dll" Pojccmii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Demikn32.dll" Epikid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgigfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecipcemb.dll" Finnef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfqndi32.dll" Jpenoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njonhjlo.dll" Fimhcbkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pddokabk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmlmjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdheol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpnfbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapnokng.dll" Bcghlnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miebkm32.dll" Fkflbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppffec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knnicgle.dll" Hfniikha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ionbcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjicikhd.dll" Cfkenogb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbpjm32.dll" Ckbncapd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lalchm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlggcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cggpfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dliffkod.dll" Dijgjpip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmolbbcj.dll" Domdcpib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inicjl32.dll" Iebfmfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odifjipd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fibfbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negfik32.dll" Oibbjoij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgffci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efkfkilj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqfqfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aedfbe32.dll" Hjfbjdnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feoomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" NEAS.d606d6820cd4d45ef054a59017662990_JC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmojjnk.dll" Gdheol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiglen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ammgifpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node NEAS.d606d6820cd4d45ef054a59017662990_JC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmbaggce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iafgob32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2084 wrote to memory of 4260 2084 NEAS.d606d6820cd4d45ef054a59017662990_JC.exe 91 PID 2084 wrote to memory of 4260 2084 NEAS.d606d6820cd4d45ef054a59017662990_JC.exe 91 PID 2084 wrote to memory of 4260 2084 NEAS.d606d6820cd4d45ef054a59017662990_JC.exe 91 PID 4260 wrote to memory of 2872 4260 Opqofe32.exe 92 PID 4260 wrote to memory of 2872 4260 Opqofe32.exe 92 PID 4260 wrote to memory of 2872 4260 Opqofe32.exe 92 PID 2872 wrote to memory of 2700 2872 Baannc32.exe 93 PID 2872 wrote to memory of 2700 2872 Baannc32.exe 93 PID 2872 wrote to memory of 2700 2872 Baannc32.exe 93 PID 2700 wrote to memory of 232 2700 Bgbpaipl.exe 94 PID 2700 wrote to memory of 232 2700 Bgbpaipl.exe 94 PID 2700 wrote to memory of 232 2700 Bgbpaipl.exe 94 PID 232 wrote to memory of 1956 232 Cnaaib32.exe 95 PID 232 wrote to memory of 1956 232 Cnaaib32.exe 95 PID 232 wrote to memory of 1956 232 Cnaaib32.exe 95 PID 1956 wrote to memory of 2056 1956 Ckebcg32.exe 96 PID 1956 wrote to memory of 2056 1956 Ckebcg32.exe 96 PID 1956 wrote to memory of 2056 1956 Ckebcg32.exe 96 PID 2056 wrote to memory of 3252 2056 Chnlgjlb.exe 97 PID 2056 wrote to memory of 3252 2056 Chnlgjlb.exe 97 PID 2056 wrote to memory of 3252 2056 Chnlgjlb.exe 97 PID 3252 wrote to memory of 2524 3252 Ekonpckp.exe 98 PID 3252 wrote to memory of 2524 3252 Ekonpckp.exe 98 PID 3252 wrote to memory of 2524 3252 Ekonpckp.exe 98 PID 2524 wrote to memory of 3948 2524 Finnef32.exe 99 PID 2524 wrote to memory of 3948 2524 Finnef32.exe 99 PID 2524 wrote to memory of 3948 2524 Finnef32.exe 99 PID 3948 wrote to memory of 2264 3948 Gokbgpeg.exe 100 PID 3948 wrote to memory of 2264 3948 Gokbgpeg.exe 100 PID 3948 wrote to memory of 2264 3948 Gokbgpeg.exe 100 PID 2264 wrote to memory of 4912 2264 Gijmad32.exe 101 PID 2264 wrote to memory of 4912 2264 Gijmad32.exe 101 PID 2264 wrote to memory of 4912 2264 Gijmad32.exe 101 PID 4912 wrote to memory of 4968 4912 Hlkfbocp.exe 102 PID 4912 wrote to memory of 4968 4912 Hlkfbocp.exe 102 PID 4912 wrote to memory of 4968 4912 Hlkfbocp.exe 102 PID 4968 wrote to memory of 1016 4968 Heegad32.exe 103 PID 4968 wrote to memory of 1016 4968 Heegad32.exe 103 PID 4968 wrote to memory of 1016 4968 Heegad32.exe 103 PID 1016 wrote to memory of 3292 1016 Ihkjno32.exe 104 PID 1016 wrote to memory of 3292 1016 Ihkjno32.exe 104 PID 1016 wrote to memory of 3292 1016 Ihkjno32.exe 104 PID 3292 wrote to memory of 3280 3292 Ibegfglj.exe 105 PID 3292 wrote to memory of 3280 3292 Ibegfglj.exe 105 PID 3292 wrote to memory of 3280 3292 Ibegfglj.exe 105 PID 3280 wrote to memory of 1556 3280 Jlbejloe.exe 106 PID 3280 wrote to memory of 1556 3280 Jlbejloe.exe 106 PID 3280 wrote to memory of 1556 3280 Jlbejloe.exe 106 PID 1556 wrote to memory of 4560 1556 Jbagbebm.exe 107 PID 1556 wrote to memory of 4560 1556 Jbagbebm.exe 107 PID 1556 wrote to memory of 4560 1556 Jbagbebm.exe 107 PID 4560 wrote to memory of 4764 4560 Kakmna32.exe 108 PID 4560 wrote to memory of 4764 4560 Kakmna32.exe 108 PID 4560 wrote to memory of 4764 4560 Kakmna32.exe 108 PID 4764 wrote to memory of 212 4764 Lllagh32.exe 109 PID 4764 wrote to memory of 212 4764 Lllagh32.exe 109 PID 4764 wrote to memory of 212 4764 Lllagh32.exe 109 PID 212 wrote to memory of 1132 212 Mledmg32.exe 110 PID 212 wrote to memory of 1132 212 Mledmg32.exe 110 PID 212 wrote to memory of 1132 212 Mledmg32.exe 110 PID 1132 wrote to memory of 1236 1132 Njgqhicg.exe 111 PID 1132 wrote to memory of 1236 1132 Njgqhicg.exe 111 PID 1132 wrote to memory of 1236 1132 Njgqhicg.exe 111 PID 1236 wrote to memory of 4888 1236 Omalpc32.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.d606d6820cd4d45ef054a59017662990_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.d606d6820cd4d45ef054a59017662990_JC.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Opqofe32.exeC:\Windows\system32\Opqofe32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Baannc32.exeC:\Windows\system32\Baannc32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Bgbpaipl.exeC:\Windows\system32\Bgbpaipl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Cnaaib32.exeC:\Windows\system32\Cnaaib32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Ckebcg32.exeC:\Windows\system32\Ckebcg32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Chnlgjlb.exeC:\Windows\system32\Chnlgjlb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Ekonpckp.exeC:\Windows\system32\Ekonpckp.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3252 -
C:\Windows\SysWOW64\Finnef32.exeC:\Windows\system32\Finnef32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Gokbgpeg.exeC:\Windows\system32\Gokbgpeg.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Gijmad32.exeC:\Windows\system32\Gijmad32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Hlkfbocp.exeC:\Windows\system32\Hlkfbocp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Heegad32.exeC:\Windows\system32\Heegad32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Ihkjno32.exeC:\Windows\system32\Ihkjno32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Ibegfglj.exeC:\Windows\system32\Ibegfglj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\SysWOW64\Jlbejloe.exeC:\Windows\system32\Jlbejloe.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\SysWOW64\Jbagbebm.exeC:\Windows\system32\Jbagbebm.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Kakmna32.exeC:\Windows\system32\Kakmna32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Lllagh32.exeC:\Windows\system32\Lllagh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\SysWOW64\Mledmg32.exeC:\Windows\system32\Mledmg32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Njgqhicg.exeC:\Windows\system32\Njgqhicg.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Omalpc32.exeC:\Windows\system32\Omalpc32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Pcpnhl32.exeC:\Windows\system32\Pcpnhl32.exe23⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Afockelf.exeC:\Windows\system32\Afockelf.exe24⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Banjnm32.exeC:\Windows\system32\Banjnm32.exe25⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Bpedeiff.exeC:\Windows\system32\Bpedeiff.exe26⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Ckbncapd.exeC:\Windows\system32\Ckbncapd.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Cpcpfg32.exeC:\Windows\system32\Cpcpfg32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3852 -
C:\Windows\SysWOW64\Dahfkimd.exeC:\Windows\system32\Dahfkimd.exe29⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Dalofi32.exeC:\Windows\system32\Dalofi32.exe30⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Ekimjn32.exeC:\Windows\system32\Ekimjn32.exe31⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Ejojljqa.exeC:\Windows\system32\Ejojljqa.exe32⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Ecikjoep.exeC:\Windows\system32\Ecikjoep.exe33⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Fdmaoahm.exeC:\Windows\system32\Fdmaoahm.exe34⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Gcjdam32.exeC:\Windows\system32\Gcjdam32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1384 -
C:\Windows\SysWOW64\Gjhfif32.exeC:\Windows\system32\Gjhfif32.exe36⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Gglfbkin.exeC:\Windows\system32\Gglfbkin.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:5064 -
C:\Windows\SysWOW64\Hcedmkmp.exeC:\Windows\system32\Hcedmkmp.exe38⤵
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\Hjfbjdnd.exeC:\Windows\system32\Hjfbjdnd.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Iccpniqp.exeC:\Windows\system32\Iccpniqp.exe40⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Ilmedf32.exeC:\Windows\system32\Ilmedf32.exe41⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Jeaiij32.exeC:\Windows\system32\Jeaiij32.exe42⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Kkbkmqed.exeC:\Windows\system32\Kkbkmqed.exe43⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Lahbei32.exeC:\Windows\system32\Lahbei32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:3956 -
C:\Windows\SysWOW64\Lajokiaa.exeC:\Windows\system32\Lajokiaa.exe45⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Llpchaqg.exeC:\Windows\system32\Llpchaqg.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Moalil32.exeC:\Windows\system32\Moalil32.exe47⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Mlemcq32.exeC:\Windows\system32\Mlemcq32.exe48⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Mhnjna32.exeC:\Windows\system32\Mhnjna32.exe49⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Mhpgca32.exeC:\Windows\system32\Mhpgca32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Ndnnianm.exeC:\Windows\system32\Ndnnianm.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4588 -
C:\Windows\SysWOW64\Omaeem32.exeC:\Windows\system32\Omaeem32.exe52⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Pcpgmf32.exeC:\Windows\system32\Pcpgmf32.exe53⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Piolkm32.exeC:\Windows\system32\Piolkm32.exe54⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Aflpkpjm.exeC:\Windows\system32\Aflpkpjm.exe55⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Acppddig.exeC:\Windows\system32\Acppddig.exe56⤵
- Executes dropped EXE
PID:3896 -
C:\Windows\SysWOW64\Acgfec32.exeC:\Windows\system32\Acgfec32.exe57⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Bfabmmhe.exeC:\Windows\system32\Bfabmmhe.exe58⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Cdgolq32.exeC:\Windows\system32\Cdgolq32.exe59⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Cfjeckpj.exeC:\Windows\system32\Cfjeckpj.exe60⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Digmqe32.exeC:\Windows\system32\Digmqe32.exe61⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Feimadoe.exeC:\Windows\system32\Feimadoe.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4716 -
C:\Windows\SysWOW64\Fgijkgeh.exeC:\Windows\system32\Fgijkgeh.exe63⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Gloejmld.exeC:\Windows\system32\Gloejmld.exe64⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Gdmcki32.exeC:\Windows\system32\Gdmcki32.exe65⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Hjlhipbc.exeC:\Windows\system32\Hjlhipbc.exe66⤵PID:1392
-
C:\Windows\SysWOW64\Hqfqfj32.exeC:\Windows\system32\Hqfqfj32.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:4400 -
C:\Windows\SysWOW64\Hnjaonij.exeC:\Windows\system32\Hnjaonij.exe68⤵PID:1080
-
C:\Windows\SysWOW64\Hmpnqj32.exeC:\Windows\system32\Hmpnqj32.exe69⤵PID:3228
-
C:\Windows\SysWOW64\Hjcojo32.exeC:\Windows\system32\Hjcojo32.exe70⤵PID:1952
-
C:\Windows\SysWOW64\Iggocbke.exeC:\Windows\system32\Iggocbke.exe71⤵PID:2752
-
C:\Windows\SysWOW64\Icnphd32.exeC:\Windows\system32\Icnphd32.exe72⤵PID:3060
-
C:\Windows\SysWOW64\Icciccmd.exeC:\Windows\system32\Icciccmd.exe73⤵PID:4580
-
C:\Windows\SysWOW64\Iebfmfdg.exeC:\Windows\system32\Iebfmfdg.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:5168 -
C:\Windows\SysWOW64\Jjdgal32.exeC:\Windows\system32\Jjdgal32.exe75⤵PID:5216
-
C:\Windows\SysWOW64\Jelhcd32.exeC:\Windows\system32\Jelhcd32.exe76⤵PID:5256
-
C:\Windows\SysWOW64\Jmijnfgd.exeC:\Windows\system32\Jmijnfgd.exe77⤵PID:5296
-
C:\Windows\SysWOW64\Kmncif32.exeC:\Windows\system32\Kmncif32.exe78⤵
- Drops file in System32 directory
PID:5340 -
C:\Windows\SysWOW64\Kanidd32.exeC:\Windows\system32\Kanidd32.exe79⤵PID:5380
-
C:\Windows\SysWOW64\Lokldg32.exeC:\Windows\system32\Lokldg32.exe80⤵PID:5428
-
C:\Windows\SysWOW64\Mhkgnkoj.exeC:\Windows\system32\Mhkgnkoj.exe81⤵PID:5468
-
C:\Windows\SysWOW64\Meoggpmd.exeC:\Windows\system32\Meoggpmd.exe82⤵
- Drops file in System32 directory
PID:5508 -
C:\Windows\SysWOW64\Nahdapae.exeC:\Windows\system32\Nahdapae.exe83⤵
- Drops file in System32 directory
PID:5548 -
C:\Windows\SysWOW64\Nhdicjfp.exeC:\Windows\system32\Nhdicjfp.exe84⤵
- Modifies registry class
PID:5592 -
C:\Windows\SysWOW64\Naokbokn.exeC:\Windows\system32\Naokbokn.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5624 -
C:\Windows\SysWOW64\Nockkcjg.exeC:\Windows\system32\Nockkcjg.exe86⤵PID:5668
-
C:\Windows\SysWOW64\Nhkpdi32.exeC:\Windows\system32\Nhkpdi32.exe87⤵PID:5716
-
C:\Windows\SysWOW64\Noehac32.exeC:\Windows\system32\Noehac32.exe88⤵PID:5760
-
C:\Windows\SysWOW64\Odbpij32.exeC:\Windows\system32\Odbpij32.exe89⤵PID:5812
-
C:\Windows\SysWOW64\Oklifdmi.exeC:\Windows\system32\Oklifdmi.exe90⤵PID:5856
-
C:\Windows\SysWOW64\Oojalb32.exeC:\Windows\system32\Oojalb32.exe91⤵
- Drops file in System32 directory
PID:5900 -
C:\Windows\SysWOW64\Ononmo32.exeC:\Windows\system32\Ononmo32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5940 -
C:\Windows\SysWOW64\Odifjipd.exeC:\Windows\system32\Odifjipd.exe93⤵
- Modifies registry class
PID:5984 -
C:\Windows\SysWOW64\Pohnnqgo.exeC:\Windows\system32\Pohnnqgo.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6028 -
C:\Windows\SysWOW64\Pojjcp32.exeC:\Windows\system32\Pojjcp32.exe95⤵PID:6068
-
C:\Windows\SysWOW64\Andqol32.exeC:\Windows\system32\Andqol32.exe96⤵PID:6140
-
C:\Windows\SysWOW64\Bkdqdokk.exeC:\Windows\system32\Bkdqdokk.exe97⤵
- Drops file in System32 directory
PID:5176 -
C:\Windows\SysWOW64\Bfieagka.exeC:\Windows\system32\Bfieagka.exe98⤵PID:5244
-
C:\Windows\SysWOW64\Cifmoa32.exeC:\Windows\system32\Cifmoa32.exe99⤵PID:4976
-
C:\Windows\SysWOW64\Cnebmgjj.exeC:\Windows\system32\Cnebmgjj.exe100⤵
- Drops file in System32 directory
PID:5440 -
C:\Windows\SysWOW64\Dijgjpip.exeC:\Windows\system32\Dijgjpip.exe101⤵
- Modifies registry class
PID:5540 -
C:\Windows\SysWOW64\Dhbqalle.exeC:\Windows\system32\Dhbqalle.exe102⤵PID:5608
-
C:\Windows\SysWOW64\Dpihbjmg.exeC:\Windows\system32\Dpihbjmg.exe103⤵PID:5696
-
C:\Windows\SysWOW64\Eifffoob.exeC:\Windows\system32\Eifffoob.exe104⤵PID:5832
-
C:\Windows\SysWOW64\Elnehifk.exeC:\Windows\system32\Elnehifk.exe105⤵PID:5888
-
C:\Windows\SysWOW64\Fibfbm32.exeC:\Windows\system32\Fibfbm32.exe106⤵
- Modifies registry class
PID:5976 -
C:\Windows\SysWOW64\Fhgccijm.exeC:\Windows\system32\Fhgccijm.exe107⤵PID:6048
-
C:\Windows\SysWOW64\Fghcqq32.exeC:\Windows\system32\Fghcqq32.exe108⤵PID:5164
-
C:\Windows\SysWOW64\Fgmllpng.exeC:\Windows\system32\Fgmllpng.exe109⤵PID:2376
-
C:\Windows\SysWOW64\Fljedg32.exeC:\Windows\system32\Fljedg32.exe110⤵
- Drops file in System32 directory
PID:5416 -
C:\Windows\SysWOW64\Hpaqqdjj.exeC:\Windows\system32\Hpaqqdjj.exe111⤵PID:5492
-
C:\Windows\SysWOW64\Hfniikha.exeC:\Windows\system32\Hfniikha.exe112⤵
- Modifies registry class
PID:5576 -
C:\Windows\SysWOW64\Hcaibo32.exeC:\Windows\system32\Hcaibo32.exe113⤵PID:2732
-
C:\Windows\SysWOW64\Hhobjf32.exeC:\Windows\system32\Hhobjf32.exe114⤵PID:2916
-
C:\Windows\SysWOW64\Hcdfho32.exeC:\Windows\system32\Hcdfho32.exe115⤵PID:1212
-
C:\Windows\SysWOW64\Hjnndime.exeC:\Windows\system32\Hjnndime.exe116⤵PID:6036
-
C:\Windows\SysWOW64\Ifihdi32.exeC:\Windows\system32\Ifihdi32.exe117⤵
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Imcqacfq.exeC:\Windows\system32\Imcqacfq.exe118⤵PID:5252
-
C:\Windows\SysWOW64\Ijgakgej.exeC:\Windows\system32\Ijgakgej.exe119⤵
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Jckeokan.exeC:\Windows\system32\Jckeokan.exe120⤵PID:5676
-
C:\Windows\SysWOW64\Kaflio32.exeC:\Windows\system32\Kaflio32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3520
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-