Analysis
max time kernel
167s -
max time network
171s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted
02/11/2023, 00:11 (day/month order, i.e. 2 November 2023 — a February reading would predate the 20231023 image build used for the run)
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
NEAS.cc31169b4bf7b175de7328845dac26e0_JC.exe
Resource
win7-20231023-en (results of this Windows 7 run are not shown on this page)
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.cc31169b4bf7b175de7328845dac26e0_JC.exe
Resource
win10v2004-20231023-en (the run whose results appear on this page — see the platform/resource fields above)
6 signatures
150 seconds
General
Target
NEAS.cc31169b4bf7b175de7328845dac26e0_JC.exe
Size
194KB
MD5
cc31169b4bf7b175de7328845dac26e0
SHA1
b21ec1096266cebc7674318624349473ff62dfd0
SHA256
98bf8e1abaea507142f46f3e681984ee22b539431106325f5586e11b0a38bf2f
SHA512
385108d757ed610255aed0467b97d87d825be7552ef3c796eba17bde031aac192443012a918a85cbf1762457d97a1c6259c8467dd30edf8fd065dada241c9e07
SSDEEP
6144:s2BWbBVi7dSfUNRbCeKpNYxWlJ7mkD6pNY:NBiBV (the second chunk is unusually short relative to the 41-character first chunk and may have been truncated when the page was extracted — verify against the original report before using this value for fuzzy matching)
Score
10/10 (sandbox heuristic score; it rests on the SSODL persistence and the drop-and-execute chain described under Signatures, not on any family-specific configuration)
Malware Config (no entries listed — no family-specific configuration was extracted for this sample)
Signatures
Adds autorun key to be loaded by Explorer.exe on startup — 2 TTPs, 64 IoCs (the list appears capped at 64 entries). Every entry targets the same ShellServiceObjectDelayLoad (SSODL) key under HKLM\SOFTWARE\WOW6432Node and sets the same value, Web Event Logger = {79FEACFF-FFCE-815E-A900-316290B5B738}; only the writing process (one of the randomly named dropped .exe files) differs from entry to entry. The value name and the CLSID are therefore the stable indicators to hunt on — the 8-letter file names are not. Because the writers are 32-bit, the key lands in the WOW6432Node view; on this x64 image the 64-bit explorer.exe reads the native SSODL key and cannot load a 32-bit in-process DLL, so whether this entry is actually honoured at logon should be confirmed by rebooting the sandbox rather than assumed from the write alone.
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdpanj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcfphn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kafcmglb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijigfaol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfcoekhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfjhdobb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnjqfeld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miqlpbap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjqkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phgagb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnjnjn32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhegjdag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkkjfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fabqdl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ochjmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Einmaaqb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nejpckgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqkihpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaifin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngifef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omjnhiiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onaieifh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event 
Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfnafpni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obphenpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kanffogf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqmfnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blbodh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekkkip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbkoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obikgppg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amfokf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgqhki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njogdldg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqhammje.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddfikaeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obnbjdfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldoadabi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekdolcbm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqmhlego.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaklcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gganjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chglkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jialbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqaini32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfeiedhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mehcnlie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pahppihl.exe Key 
created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eekanh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfaaddlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jialbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgjekc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdpkoalc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qakdke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqbgcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghflgedf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lagekp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdnkhoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkmogbeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncgiolkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdipce32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Appaangd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kijcanhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfenc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqhpjohb.exe -
Executes dropped EXE — 64 IoCs (list capped at 64; columns are pid, Process). Each listed image is one of the 8-letter .exe files dropped into C:\Windows\SysWOW64 by its predecessor, and each in turn launches the next stage (see the Processes tree below). PIDs are reused within the run — 3568 appears here as Bkdqdokk.exe and under "Program crash" as a WerFault.exe instance — so correlate by image name and parent, not by PID alone.
pid Process 1408 Ngifef32.exe 2136 Qghlmbae.exe 2256 Akjnnpcf.exe 3400 Aeglbeea.exe 3568 Bkdqdokk.exe 2528 Bpfcelml.exe 228 Cemndbci.exe 3748 Fepmgm32.exe 1504 Kmmmnp32.exe 1960 Kjcjmclj.exe 3860 Laiafl32.exe 2788 Mapgfk32.exe 2384 Nagngjmj.exe 2176 Omjnhiiq.exe 1968 Oickbjmb.exe 3512 Odhppclh.exe 4836 Phpklp32.exe 336 Qajlje32.exe 444 Qkcackeb.exe 3096 Aaofedkl.exe 3648 Abflfc32.exe 4400 Cebdcmhh.exe 2372 Ciqmjkno.exe 1948 Ciefek32.exe 724 Dgomaf32.exe 3332 Dehgejep.exe 2404 Eieplhlf.exe 872 Fkehdnee.exe 4108 Gekeie32.exe 1432 Ileflmpb.exe 3172 Ijigfaol.exe 4176 Iohlcg32.exe 4444 Mjehok32.exe 4684 Nfcoekhe.exe 3444 Ndgpnogo.exe 2268 Ollgiplp.exe 2316 Plcmiofg.exe 1216 Pljcjn32.exe 3100 Qmlmjq32.exe 3304 Apaofk32.exe 2420 Adadbi32.exe 3660 Almifk32.exe 5072 Bgbmdd32.exe 3676 Bjcfeola.exe 2772 Ccbaoc32.exe 2344 Cnhell32.exe 4864 Cggpfa32.exe 1128 Cqpdof32.exe 4352 Dqdnjfpc.exe 3816 Dnkkij32.exe 4060 Eaegqc32.exe 4420 Hoglbc32.exe 4604 Iamoon32.exe 1824 Ilbclg32.exe 4344 Ilglgfjd.exe 3340 Jojboa32.exe 5036 Jlnbhe32.exe 2364 Jdkdbgpd.exe 3036 Kklbop32.exe 2240 Kdipce32.exe 3432 Lndaaj32.exe 1164 Miqlpbap.exe 2548 Mbiphhhq.exe 4440 Mnbnchlb.exe -
Drops file in System32 directory — 64 IoCs (list capped at 64). The actual path of every artefact is C:\Windows\SysWOW64, the 32-bit system directory that WOW64 file-system redirection maps these processes to; "System32" in the signature name is the logical directory. Two kinds of file are written: the next-stage 8-letter .exe (created, then opened for modification, by the previous stage) and 8-letter .dll files — for example Bocjdiol.exe creates Pkogmihf.dll, which the "Modifies registry class" entries below show it registering as the CLSID's InProcServer32.
description ioc Process File created C:\Windows\SysWOW64\Lplgpkah.dll Olmficce.exe File created C:\Windows\SysWOW64\Gmhogppb.exe Goconkah.exe File opened for modification C:\Windows\SysWOW64\Mehcnlie.exe Majjgmco.exe File created C:\Windows\SysWOW64\Lfelpihk.dll Lbkkpb32.exe File opened for modification C:\Windows\SysWOW64\Mnjqfeld.exe Mnhdae32.exe File created C:\Windows\SysWOW64\Laiafl32.exe Kjcjmclj.exe File created C:\Windows\SysWOW64\Nagngjmj.exe Mapgfk32.exe File created C:\Windows\SysWOW64\Dnadmp32.dll Cdaigi32.exe File created C:\Windows\SysWOW64\Glhfnk32.dll Qjcidkpd.exe File opened for modification C:\Windows\SysWOW64\Lnmkpm32.exe Lnjnjn32.exe File created C:\Windows\SysWOW64\Eaklcj32.exe Eddodfhp.exe File created C:\Windows\SysWOW64\Ekneob32.dll Fajnoabh.exe File created C:\Windows\SysWOW64\Olkbkbih.dll Fmmmqnaf.exe File opened for modification C:\Windows\SysWOW64\Lalnfooo.exe Leenanik.exe File opened for modification C:\Windows\SysWOW64\Kdipce32.exe Kklbop32.exe File created C:\Windows\SysWOW64\Hpeohnhn.dll Ahhbfkbf.exe File opened for modification C:\Windows\SysWOW64\Hgdlnp32.exe Hjqkel32.exe File created C:\Windows\SysWOW64\Aeglbeea.exe Akjnnpcf.exe File created C:\Windows\SysWOW64\Dbcpapne.dll Jkkjfa32.exe File created C:\Windows\SysWOW64\Manfgh32.dll Bqhlpbjd.exe File created C:\Windows\SysWOW64\Gpaqkgba.exe Ghflgedf.exe File opened for modification C:\Windows\SysWOW64\Fadoii32.exe Flgfqb32.exe File created C:\Windows\SysWOW64\Qeekhd32.dll Gdeqaa32.exe File opened for modification C:\Windows\SysWOW64\Kjblcj32.exe Kokkqbog.exe File opened for modification C:\Windows\SysWOW64\Bgbmdd32.exe Almifk32.exe File opened for modification C:\Windows\SysWOW64\Gnaodbhl.exe Fajnoabh.exe File created C:\Windows\SysWOW64\Eoadmoig.dll Dnmaog32.exe File opened for modification C:\Windows\SysWOW64\Pfojmn32.exe Pmfedhie.exe File opened for modification C:\Windows\SysWOW64\Qghlmbae.exe Ngifef32.exe File opened for modification C:\Windows\SysWOW64\Cbphncfo.exe 
Cmcoflhh.exe File created C:\Windows\SysWOW64\Peiqme32.dll Nabfcegi.exe File created C:\Windows\SysWOW64\Hfafpcai.dll Mapgfk32.exe File opened for modification C:\Windows\SysWOW64\Eekanh32.exe Eaklcj32.exe File created C:\Windows\SysWOW64\Ndmdbf32.dll Fadoii32.exe File opened for modification C:\Windows\SysWOW64\Bjcfeola.exe Bgbmdd32.exe File created C:\Windows\SysWOW64\Gifadggi.exe Gpnmka32.exe File opened for modification C:\Windows\SysWOW64\Phajgf32.exe Pnfiia32.exe File created C:\Windows\SysWOW64\Glhabiom.dll Ghiogkfp.exe File created C:\Windows\SysWOW64\Akpcfnpa.dll Kafcmglb.exe File opened for modification C:\Windows\SysWOW64\Gjhdkajh.exe Fnacfp32.exe File created C:\Windows\SysWOW64\Ipckqnja.exe Ijcecgnl.exe File created C:\Windows\SysWOW64\Lkcaeige.exe Khkbcopl.exe File opened for modification C:\Windows\SysWOW64\Akpojpic.exe Aoioeo32.exe File created C:\Windows\SysWOW64\Fammoofd.dll Dqipeboj.exe File created C:\Windows\SysWOW64\Nfcoekhe.exe Mjehok32.exe File created C:\Windows\SysWOW64\Lndaaj32.exe Kdipce32.exe File created C:\Windows\SysWOW64\Bkieampj.dll Kgjggkqi.exe File created C:\Windows\SysWOW64\Ekkkip32.exe Dkokma32.exe File created C:\Windows\SysWOW64\Pkogmihf.dll Bocjdiol.exe File created C:\Windows\SysWOW64\Cpholohh.dll Didjkbim.exe File created C:\Windows\SysWOW64\Poajdlcq.exe Phgagb32.exe File created C:\Windows\SysWOW64\Ojnfbnbl.exe Obebla32.exe File opened for modification C:\Windows\SysWOW64\Lgkakm32.exe Kfjhdobb.exe File created C:\Windows\SysWOW64\Neobgf32.dll Fkqebg32.exe File created C:\Windows\SysWOW64\Mledgm32.exe Lfgboc32.exe File created C:\Windows\SysWOW64\Ladaigki.dll Dobffj32.exe File opened for modification C:\Windows\SysWOW64\Lndaaj32.exe Kdipce32.exe File created C:\Windows\SysWOW64\Gciagdlp.dll Pnaalghe.exe File created C:\Windows\SysWOW64\Cbcieqpd.exe Cdaigi32.exe File created C:\Windows\SysWOW64\Bdmmnd32.exe Bkdieo32.exe File created C:\Windows\SysWOW64\Npckji32.dll Ppeipfdm.exe File created C:\Windows\SysWOW64\Kmggegic.dll 
Lgffci32.exe File created C:\Windows\SysWOW64\Cffcilob.exe Bohbackj.exe File created C:\Windows\SysWOW64\Hdedfgcg.dll Imdlgm32.exe -
Program crash — 2 IoCs (columns: pid, pid_target, Process, procid_target)
WerFault.exe pid 3568 → faulting pid 4340 (procid_target 640)
WerFault.exe pid 820 → faulting pid 4340 (procid_target 640)
The same process (pid 4340) was reported by WerFault twice. It does not appear in the capped "Executes dropped EXE" list or in the visible part of the process tree, so the faulting image cannot be identified from this page.
Modifies registry class — 64 IoCs (list capped at 64). All entries concern a single COM class, HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}: its InProcServer32 default value is repeatedly repointed to a freshly dropped 8-letter DLL in C:\Windows\SysWow64 (e.g. Pkogmihf.dll, which Bocjdiol.exe both creates and registers) with ThreadingModel = "Apartment". This is the same CLSID that the SSODL value "Web Event Logger" references, so the two signatures describe one persistence mechanism: Explorer is told to instantiate the CLSID, and the CLSID resolves to the malware's DLL. Each re-registration overwrites the previous one, so on a live host only the last-written DLL path is current; the CLSID itself is the durable indicator.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akdbojmi.dll" Mnjjmmkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdhhfnom.dll" Hhegjdag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fajnoabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iehqncld.dll" Leenanik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nelmik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljjjqd32.dll" Hbchnfei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnckjbfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhdaao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nobldfio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olhlaoea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnjeqbkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndoihadd.dll" Coigllel.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaofedkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kifhkkci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbqqeahl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajkgmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nppakcok.dll" Hjqkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbkigk32.dll" Mlkejgfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pceihj32.dll" Ojajbdde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkdieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfjpda32.dll" Hfaaddlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhkkcfnf.dll" Lomqmoob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfoflj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhndepbi.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioikon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkpmnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkigmiai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjcjmclj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffhnocfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kppimogj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgflmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbcka32.dll" Pnmojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cebdcmhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmapag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfoebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghiogkfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhdlael.dll" Nigjifgc.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqpgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhfenc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiajeoip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ambgnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbqeonfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eipmlo32.dll" Njogdldg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahhbfkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpmglkb.dll" Jmbhhkoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkkohp32.dll" Fabqdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfbgipl.dll" Lagekp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goconkah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmcocn32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkhnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpejop32.dll" Ilbclg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhegjdag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogljcokf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mngepb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabglkpp.dll" Lfgboc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkogmihf.dll" Bocjdiol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibadoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnkkij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkmlilej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklkea32.dll" Kcndlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omegdebp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Kkcfeodo.dll" Hbhbie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaegqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbglp32.dll" Appaangd.exe -
Suspicious use of WriteProcessMemory — 64 IoCs (list capped at 64). Each parent writes to its child exactly three times right after creating it (2812 → 1408 Ngifef32.exe, 1408 → 2136 Qghlmbae.exe, and so on), mirroring the process tree below one level at a time. That pattern is consistent with ordinary child-process setup rather than with injection into an unrelated process; no write into a pre-existing or foreign process is shown here. Treat this signature as corroborating the drop-and-execute chain, not as independent evidence of code injection.
description pid Process procid_target PID 2812 wrote to memory of 1408 2812 NEAS.cc31169b4bf7b175de7328845dac26e0_JC.exe 91 PID 2812 wrote to memory of 1408 2812 NEAS.cc31169b4bf7b175de7328845dac26e0_JC.exe 91 PID 2812 wrote to memory of 1408 2812 NEAS.cc31169b4bf7b175de7328845dac26e0_JC.exe 91 PID 1408 wrote to memory of 2136 1408 Ngifef32.exe 92 PID 1408 wrote to memory of 2136 1408 Ngifef32.exe 92 PID 1408 wrote to memory of 2136 1408 Ngifef32.exe 92 PID 2136 wrote to memory of 2256 2136 Qghlmbae.exe 93 PID 2136 wrote to memory of 2256 2136 Qghlmbae.exe 93 PID 2136 wrote to memory of 2256 2136 Qghlmbae.exe 93 PID 2256 wrote to memory of 3400 2256 Akjnnpcf.exe 94 PID 2256 wrote to memory of 3400 2256 Akjnnpcf.exe 94 PID 2256 wrote to memory of 3400 2256 Akjnnpcf.exe 94 PID 3400 wrote to memory of 3568 3400 Aeglbeea.exe 95 PID 3400 wrote to memory of 3568 3400 Aeglbeea.exe 95 PID 3400 wrote to memory of 3568 3400 Aeglbeea.exe 95 PID 3568 wrote to memory of 2528 3568 Bkdqdokk.exe 96 PID 3568 wrote to memory of 2528 3568 Bkdqdokk.exe 96 PID 3568 wrote to memory of 2528 3568 Bkdqdokk.exe 96 PID 2528 wrote to memory of 228 2528 Bpfcelml.exe 97 PID 2528 wrote to memory of 228 2528 Bpfcelml.exe 97 PID 2528 wrote to memory of 228 2528 Bpfcelml.exe 97 PID 228 wrote to memory of 3748 228 Cemndbci.exe 98 PID 228 wrote to memory of 3748 228 Cemndbci.exe 98 PID 228 wrote to memory of 3748 228 Cemndbci.exe 98 PID 3748 wrote to memory of 1504 3748 Fepmgm32.exe 99 PID 3748 wrote to memory of 1504 3748 Fepmgm32.exe 99 PID 3748 wrote to memory of 1504 3748 Fepmgm32.exe 99 PID 1504 wrote to memory of 1960 1504 Kmmmnp32.exe 100 PID 1504 wrote to memory of 1960 1504 Kmmmnp32.exe 100 PID 1504 wrote to memory of 1960 1504 Kmmmnp32.exe 100 PID 1960 wrote to memory of 3860 1960 Kjcjmclj.exe 101 PID 1960 wrote to memory of 3860 1960 Kjcjmclj.exe 101 PID 1960 wrote to memory of 3860 1960 Kjcjmclj.exe 101 PID 3860 wrote to memory of 2788 3860 Laiafl32.exe 102 PID 3860 wrote to memory of 
2788 3860 Laiafl32.exe 102 PID 3860 wrote to memory of 2788 3860 Laiafl32.exe 102 PID 2788 wrote to memory of 2384 2788 Mapgfk32.exe 103 PID 2788 wrote to memory of 2384 2788 Mapgfk32.exe 103 PID 2788 wrote to memory of 2384 2788 Mapgfk32.exe 103 PID 2384 wrote to memory of 2176 2384 Nagngjmj.exe 104 PID 2384 wrote to memory of 2176 2384 Nagngjmj.exe 104 PID 2384 wrote to memory of 2176 2384 Nagngjmj.exe 104 PID 2176 wrote to memory of 1968 2176 Omjnhiiq.exe 105 PID 2176 wrote to memory of 1968 2176 Omjnhiiq.exe 105 PID 2176 wrote to memory of 1968 2176 Omjnhiiq.exe 105 PID 1968 wrote to memory of 3512 1968 Oickbjmb.exe 106 PID 1968 wrote to memory of 3512 1968 Oickbjmb.exe 106 PID 1968 wrote to memory of 3512 1968 Oickbjmb.exe 106 PID 3512 wrote to memory of 4836 3512 Odhppclh.exe 107 PID 3512 wrote to memory of 4836 3512 Odhppclh.exe 107 PID 3512 wrote to memory of 4836 3512 Odhppclh.exe 107 PID 4836 wrote to memory of 336 4836 Phpklp32.exe 108 PID 4836 wrote to memory of 336 4836 Phpklp32.exe 108 PID 4836 wrote to memory of 336 4836 Phpklp32.exe 108 PID 336 wrote to memory of 444 336 Qajlje32.exe 109 PID 336 wrote to memory of 444 336 Qajlje32.exe 109 PID 336 wrote to memory of 444 336 Qajlje32.exe 109 PID 444 wrote to memory of 3096 444 Qkcackeb.exe 110 PID 444 wrote to memory of 3096 444 Qkcackeb.exe 110 PID 444 wrote to memory of 3096 444 Qkcackeb.exe 110 PID 3096 wrote to memory of 3648 3096 Aaofedkl.exe 111 PID 3096 wrote to memory of 3648 3096 Aaofedkl.exe 111 PID 3096 wrote to memory of 3648 3096 Aaofedkl.exe 111 PID 3648 wrote to memory of 4400 3648 Abflfc32.exe 112
Processes (tree; each entry shows the image path, then the command line, then the tree depth). The command lines name C:\Windows\system32\… while the image paths are C:\Windows\SysWOW64\…: these are 32-bit processes (their files and registry writes land in SysWOW64 / WOW6432Node) and WOW64 file-system redirection maps system32 to SysWOW64 for them. Every process except the original sample is a dropped 8-letter .exe launched by its predecessor, one level deeper per stage.
C:\Users\Admin\AppData\Local\Temp\NEAS.cc31169b4bf7b175de7328845dac26e0_JC.exe — command line "C:\Users\Admin\AppData\Local\Temp\NEAS.cc31169b4bf7b175de7328845dac26e0_JC.exe" (depth 1, root of the tree)
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Ngifef32.exe — command line C:\Windows\system32\Ngifef32.exe (depth 2)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Qghlmbae.exe — command line C:\Windows\system32\Qghlmbae.exe (depth 3)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Akjnnpcf.exe — command line C:\Windows\system32\Akjnnpcf.exe (depth 4)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Aeglbeea.exe — command line C:\Windows\system32\Aeglbeea.exe (depth 5)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\SysWOW64\Bkdqdokk.exe — command line C:\Windows\system32\Bkdqdokk.exe (depth 6)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\SysWOW64\Bpfcelml.exe — command line C:\Windows\system32\Bpfcelml.exe (depth 7)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Cemndbci.exe — command line C:\Windows\system32\Cemndbci.exe (depth 8)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\Fepmgm32.exeC:\Windows\system32\Fepmgm32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\Kmmmnp32.exeC:\Windows\system32\Kmmmnp32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Kjcjmclj.exeC:\Windows\system32\Kjcjmclj.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Laiafl32.exeC:\Windows\system32\Laiafl32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\SysWOW64\Mapgfk32.exeC:\Windows\system32\Mapgfk32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Nagngjmj.exeC:\Windows\system32\Nagngjmj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Omjnhiiq.exeC:\Windows\system32\Omjnhiiq.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Oickbjmb.exeC:\Windows\system32\Oickbjmb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Odhppclh.exeC:\Windows\system32\Odhppclh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Phpklp32.exeC:\Windows\system32\Phpklp32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Qajlje32.exeC:\Windows\system32\Qajlje32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336 -
C:\Windows\SysWOW64\Qkcackeb.exeC:\Windows\system32\Qkcackeb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Windows\SysWOW64\Aaofedkl.exeC:\Windows\system32\Aaofedkl.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Abflfc32.exeC:\Windows\system32\Abflfc32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Windows\SysWOW64\Cebdcmhh.exeC:\Windows\system32\Cebdcmhh.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4400 -
C:\Windows\SysWOW64\Ciqmjkno.exeC:\Windows\system32\Ciqmjkno.exe24⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Ciefek32.exeC:\Windows\system32\Ciefek32.exe25⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Cbnknpqj.exeC:\Windows\system32\Cbnknpqj.exe26⤵PID:4168
-
C:\Windows\SysWOW64\Dgomaf32.exeC:\Windows\system32\Dgomaf32.exe27⤵
- Executes dropped EXE
PID:724 -
C:\Windows\SysWOW64\Dehgejep.exeC:\Windows\system32\Dehgejep.exe28⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Eieplhlf.exeC:\Windows\system32\Eieplhlf.exe29⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Fkehdnee.exeC:\Windows\system32\Fkehdnee.exe30⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Gekeie32.exeC:\Windows\system32\Gekeie32.exe31⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Ileflmpb.exeC:\Windows\system32\Ileflmpb.exe32⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Ijigfaol.exeC:\Windows\system32\Ijigfaol.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Iohlcg32.exeC:\Windows\system32\Iohlcg32.exe34⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Mjehok32.exeC:\Windows\system32\Mjehok32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4444 -
C:\Windows\SysWOW64\Nfcoekhe.exeC:\Windows\system32\Nfcoekhe.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Ndgpnogo.exeC:\Windows\system32\Ndgpnogo.exe37⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Ollgiplp.exeC:\Windows\system32\Ollgiplp.exe38⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Plcmiofg.exeC:\Windows\system32\Plcmiofg.exe39⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Pljcjn32.exeC:\Windows\system32\Pljcjn32.exe40⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Qmlmjq32.exeC:\Windows\system32\Qmlmjq32.exe41⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Apaofk32.exeC:\Windows\system32\Apaofk32.exe42⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Adadbi32.exeC:\Windows\system32\Adadbi32.exe43⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Almifk32.exeC:\Windows\system32\Almifk32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3660 -
C:\Windows\SysWOW64\Bgbmdd32.exeC:\Windows\system32\Bgbmdd32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5072 -
C:\Windows\SysWOW64\Bjcfeola.exeC:\Windows\system32\Bjcfeola.exe46⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Ccbaoc32.exeC:\Windows\system32\Ccbaoc32.exe47⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Cnhell32.exeC:\Windows\system32\Cnhell32.exe48⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Cggpfa32.exeC:\Windows\system32\Cggpfa32.exe49⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Cqpdof32.exeC:\Windows\system32\Cqpdof32.exe50⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Dqdnjfpc.exeC:\Windows\system32\Dqdnjfpc.exe51⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Dnkkij32.exeC:\Windows\system32\Dnkkij32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:3816 -
C:\Windows\SysWOW64\Eaegqc32.exeC:\Windows\system32\Eaegqc32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:4060 -
C:\Windows\SysWOW64\Hoglbc32.exeC:\Windows\system32\Hoglbc32.exe54⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Iamoon32.exeC:\Windows\system32\Iamoon32.exe55⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Ilbclg32.exeC:\Windows\system32\Ilbclg32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Ilglgfjd.exeC:\Windows\system32\Ilglgfjd.exe57⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Jojboa32.exeC:\Windows\system32\Jojboa32.exe58⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Jlnbhe32.exeC:\Windows\system32\Jlnbhe32.exe59⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Jdkdbgpd.exeC:\Windows\system32\Jdkdbgpd.exe60⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Kklbop32.exeC:\Windows\system32\Kklbop32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Kdipce32.exeC:\Windows\system32\Kdipce32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Lndaaj32.exeC:\Windows\system32\Lndaaj32.exe63⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Miqlpbap.exeC:\Windows\system32\Miqlpbap.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Mbiphhhq.exeC:\Windows\system32\Mbiphhhq.exe65⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Mnbnchlb.exeC:\Windows\system32\Mnbnchlb.exe66⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Npfchkop.exeC:\Windows\system32\Npfchkop.exe67⤵PID:2280
-
C:\Windows\SysWOW64\Obnbjdfi.exeC:\Windows\system32\Obnbjdfi.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4396 -
C:\Windows\SysWOW64\Oflkqc32.exeC:\Windows\system32\Oflkqc32.exe69⤵PID:4944
-
C:\Windows\SysWOW64\Olidijjf.exeC:\Windows\system32\Olidijjf.exe70⤵PID:4408
-
C:\Windows\SysWOW64\Pblolb32.exeC:\Windows\system32\Pblolb32.exe71⤵PID:3792
-
C:\Windows\SysWOW64\Ppeipfdm.exeC:\Windows\system32\Ppeipfdm.exe72⤵
- Drops file in System32 directory
PID:4888 -
C:\Windows\SysWOW64\Pimmil32.exeC:\Windows\system32\Pimmil32.exe73⤵PID:4952
-
C:\Windows\SysWOW64\Qojeabie.exeC:\Windows\system32\Qojeabie.exe74⤵PID:4212
-
C:\Windows\SysWOW64\Abmhbplf.exeC:\Windows\system32\Abmhbplf.exe75⤵PID:3068
-
C:\Windows\SysWOW64\Amgekh32.exeC:\Windows\system32\Amgekh32.exe76⤵PID:2276
-
C:\Windows\SysWOW64\Cnealfkf.exeC:\Windows\system32\Cnealfkf.exe77⤵PID:4152
-
C:\Windows\SysWOW64\Dofgklcb.exeC:\Windows\system32\Dofgklcb.exe78⤵PID:4680
-
C:\Windows\SysWOW64\Djlkhe32.exeC:\Windows\system32\Djlkhe32.exe79⤵PID:2308
-
C:\Windows\SysWOW64\Dcdpakii.exeC:\Windows\system32\Dcdpakii.exe80⤵PID:2132
-
C:\Windows\SysWOW64\Dqhpjohb.exeC:\Windows\system32\Dqhpjohb.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:936 -
C:\Windows\SysWOW64\Enajobbf.exeC:\Windows\system32\Enajobbf.exe82⤵PID:4156
-
C:\Windows\SysWOW64\Fmmmqnaf.exeC:\Windows\system32\Fmmmqnaf.exe83⤵
- Drops file in System32 directory
PID:1144 -
C:\Windows\SysWOW64\Ffhnocfd.exeC:\Windows\system32\Ffhnocfd.exe84⤵
- Modifies registry class
PID:4532 -
C:\Windows\SysWOW64\Fnacfp32.exeC:\Windows\system32\Fnacfp32.exe85⤵
- Drops file in System32 directory
PID:4456 -
C:\Windows\SysWOW64\Gjhdkajh.exeC:\Windows\system32\Gjhdkajh.exe86⤵PID:2688
-
C:\Windows\SysWOW64\Gablgk32.exeC:\Windows\system32\Gablgk32.exe87⤵PID:4244
-
C:\Windows\SysWOW64\Gjagapbn.exeC:\Windows\system32\Gjagapbn.exe88⤵PID:4128
-
C:\Windows\SysWOW64\Hhegjdag.exeC:\Windows\system32\Hhegjdag.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3948 -
C:\Windows\SysWOW64\Hjmfmnhp.exeC:\Windows\system32\Hjmfmnhp.exe90⤵PID:2332
-
C:\Windows\SysWOW64\Ipjoee32.exeC:\Windows\system32\Ipjoee32.exe91⤵PID:5156
-
C:\Windows\SysWOW64\Kobnji32.exeC:\Windows\system32\Kobnji32.exe92⤵PID:5196
-
C:\Windows\SysWOW64\Khkbcopl.exeC:\Windows\system32\Khkbcopl.exe93⤵
- Drops file in System32 directory
PID:5248 -
C:\Windows\SysWOW64\Lkcaeige.exeC:\Windows\system32\Lkcaeige.exe94⤵PID:5300
-
C:\Windows\SysWOW64\Lgibjj32.exeC:\Windows\system32\Lgibjj32.exe95⤵PID:5344
-
C:\Windows\SysWOW64\Lqbgcp32.exeC:\Windows\system32\Lqbgcp32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5392 -
C:\Windows\SysWOW64\Ldpoinjq.exeC:\Windows\system32\Ldpoinjq.exe97⤵PID:5440
-
C:\Windows\SysWOW64\Lgqhki32.exeC:\Windows\system32\Lgqhki32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5480 -
C:\Windows\SysWOW64\Mbfmha32.exeC:\Windows\system32\Mbfmha32.exe99⤵PID:5588
-
C:\Windows\SysWOW64\Obphenpj.exeC:\Windows\system32\Obphenpj.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5668 -
C:\Windows\SysWOW64\Onifpodl.exeC:\Windows\system32\Onifpodl.exe101⤵PID:5716
-
C:\Windows\SysWOW64\Olmficce.exeC:\Windows\system32\Olmficce.exe102⤵
- Drops file in System32 directory
PID:5804 -
C:\Windows\SysWOW64\Pbndgl32.exeC:\Windows\system32\Pbndgl32.exe103⤵PID:5936
-
C:\Windows\SysWOW64\Appaangd.exeC:\Windows\system32\Appaangd.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5988 -
C:\Windows\SysWOW64\Aeofoe32.exeC:\Windows\system32\Aeofoe32.exe105⤵PID:6048
-
C:\Windows\SysWOW64\Aogkhjii.exeC:\Windows\system32\Aogkhjii.exe106⤵PID:5144
-
C:\Windows\SysWOW64\Bocjdiol.exeC:\Windows\system32\Bocjdiol.exe107⤵
- Drops file in System32 directory
- Modifies registry class
PID:5256 -
C:\Windows\SysWOW64\Cchikf32.exeC:\Windows\system32\Cchikf32.exe108⤵PID:5372
-
C:\Windows\SysWOW64\Dohmff32.exeC:\Windows\system32\Dohmff32.exe109⤵PID:5420
-
C:\Windows\SysWOW64\Dfbebpdq.exeC:\Windows\system32\Dfbebpdq.exe110⤵PID:5500
-
C:\Windows\SysWOW64\Dphipidf.exeC:\Windows\system32\Dphipidf.exe111⤵PID:400
-
C:\Windows\SysWOW64\Ebifha32.exeC:\Windows\system32\Ebifha32.exe112⤵PID:5560
-
C:\Windows\SysWOW64\Ehekjk32.exeC:\Windows\system32\Ehekjk32.exe113⤵PID:5628
-
C:\Windows\SysWOW64\Eckogc32.exeC:\Windows\system32\Eckogc32.exe114⤵PID:5700
-
C:\Windows\SysWOW64\Ecmlmcmb.exeC:\Windows\system32\Ecmlmcmb.exe115⤵PID:2432
-
C:\Windows\SysWOW64\Ejgdim32.exeC:\Windows\system32\Ejgdim32.exe116⤵PID:5744
-
C:\Windows\SysWOW64\Foifmcoa.exeC:\Windows\system32\Foifmcoa.exe117⤵PID:5840
-
C:\Windows\SysWOW64\Fjnjjlog.exeC:\Windows\system32\Fjnjjlog.exe118⤵PID:5900
-
C:\Windows\SysWOW64\Fcikhace.exeC:\Windows\system32\Fcikhace.exe119⤵PID:3784
-
C:\Windows\SysWOW64\Fmapag32.exeC:\Windows\system32\Fmapag32.exe120⤵
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Gbqeonfj.exeC:\Windows\system32\Gbqeonfj.exe121⤵
- Modifies registry class
PID:6016 -
C:\Windows\SysWOW64\Gqaeme32.exeC:\Windows\system32\Gqaeme32.exe122⤵PID:3800