Analysis
-
max time kernel
152s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
02-11-2023 17:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.c7ee16e882bda3cdd0727fcc94db4541_JC.exe
Resource
win7-20231023-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.c7ee16e882bda3cdd0727fcc94db4541_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.c7ee16e882bda3cdd0727fcc94db4541_JC.exe
-
Size
960KB
-
MD5
c7ee16e882bda3cdd0727fcc94db4541
-
SHA1
d6f74acdf1acfa81c6c88d4ced4b431824c2557d
-
SHA256
240c0a21d5445223f1730457f690851901f2a489fb47583109907c94bdc3650e
-
SHA512
0b752c9d9fb163aa5e27c9cd0c83f9cbd8e7256861727b6c0100acce83015538381c3713d0469359e9c3f380aa18741723cc7af09065e371cbbaff973c775820
-
SSDEEP
24576:890NIVyeNIVy2jUxJm3mF7gN0ggggbzNIVyeNIVy2jd:Iyj2Kyjx
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbdmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqnbea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmdhmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqbagd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adqghpbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpimflqb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbbcofpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlggcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbabblkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cakghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhnocbfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amgekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Folacfcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eimegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbknhqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjqgpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkoinlbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmlckhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" NEAS.c7ee16e882bda3cdd0727fcc94db4541_JC.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icnphd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eikpan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Libnapmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojllkcdk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aokceaoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkbddo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhpepoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eapmedef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plimpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfonfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldeonbkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcepdl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knbaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcffoben.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pakleh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poliog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohdbkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jicdlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hillnoif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poliog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aljmal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojjoedfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgjnpna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfkqcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oafacn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbqalle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpknhfoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chmnnamb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dapkho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hglaookl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bngfli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aihaifam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abedil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgppgi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feljgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkmapc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbknqeha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iehfno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhmbjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcnnjoam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imjddmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imjddmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahacndjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kknhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fokbbcmo.exe -
Executes dropped EXE 64 IoCs
pid Process 5012 Eepkkefp.exe 4104 Feljgd32.exe 4880 Fgkfqgce.exe 3452 Gdhjpjjd.exe 864 Gqagkjne.exe 3628 Icnphd32.exe 4868 Jmbdmg32.exe 940 Lajhpbme.exe 3128 Mejnlpai.exe 5040 Nhdicjfp.exe 3008 Oafacn32.exe 4444 Ohdbkh32.exe 2752 Phneqf32.exe 2844 Abpmpkoh.exe 388 Bngfli32.exe 3484 Dhbqalle.exe 4848 Eikpan32.exe 4384 Fghcqq32.exe 4564 Fpcdof32.exe 2888 Gckcap32.exe 2332 Hllkqdli.exe 1428 Ifqoehhl.exe 5092 Jicdlc32.exe 8 Kcehejic.exe 1908 Lglcag32.exe 3124 Migcpneb.exe 4408 Maeaajpl.exe 1740 Nplkhf32.exe 704 Nhfoocaa.exe 408 Okiefn32.exe 4376 Oknnanhj.exe 1344 Opjgidfa.exe 4496 Onngci32.exe 1544 Pnhjig32.exe 4200 Qpmmfbfl.exe 2192 Aaofedkl.exe 3460 Aqfolqna.exe 5076 Bgjjoi32.exe 1900 Bnfoac32.exe 4004 Bilcol32.exe 3248 Cinpdl32.exe 3756 Ckoifgmb.exe 3608 Cbknhqbl.exe 444 Cnboma32.exe 3804 Djklgb32.exe 3684 Dilmeida.exe 2940 Dnienqbi.exe 4032 Dhfcae32.exe 4788 Ehmibdol.exe 3828 Ejnbdp32.exe 4536 Fbqiak32.exe 764 Gbjlgj32.exe 3200 Hocjaj32.exe 4040 Hhpheo32.exe 2532 Iibaeb32.exe 4124 Ifnkeb32.exe 448 Jcfejfag.exe 3120 Jfikaqme.exe 4872 Jjgcgo32.exe 3360 Kbedaand.exe 4840 Lkiiee32.exe 1416 Lcdjba32.exe 5008 Mcggga32.exe 2816 Mfofjk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Opkfjgmh.exe Nppfnige.exe File created C:\Windows\SysWOW64\Qhkdob32.dll Cbofdg32.exe File created C:\Windows\SysWOW64\Dliffkod.dll Bngfli32.exe File opened for modification C:\Windows\SysWOW64\Kdeghfhj.exe Kfmmajed.exe File created C:\Windows\SysWOW64\Fafddb32.exe Fgppgi32.exe File opened for modification C:\Windows\SysWOW64\Kqnbea32.exe Knmicfnn.exe File created C:\Windows\SysWOW64\Lnmnpe32.dll Qlggcp32.exe File created C:\Windows\SysWOW64\Cakegg32.dll Aepklffh.exe File opened for modification C:\Windows\SysWOW64\Bohiliof.exe Bcahgh32.exe File created C:\Windows\SysWOW64\Jgmhaapa.dll Feljgd32.exe File opened for modification C:\Windows\SysWOW64\Nkagndmc.exe Ngaabfio.exe File created C:\Windows\SysWOW64\Mhkadh32.dll Mgddal32.exe File created C:\Windows\SysWOW64\Amfjfkhe.dll Fhofffjo.exe File created C:\Windows\SysWOW64\Cjlijp32.exe Ckkilhjm.exe File created C:\Windows\SysWOW64\Kffphhmj.exe Klnkoc32.exe File created C:\Windows\SysWOW64\Nppfnige.exe Nfpled32.exe File created C:\Windows\SysWOW64\Lidqbadl.dll Jmbhhkoa.exe File created C:\Windows\SysWOW64\Gbjlgj32.exe Fbqiak32.exe File created C:\Windows\SysWOW64\Kfleip32.dll Lkfeeo32.exe File created C:\Windows\SysWOW64\Pkilik32.dll Mnochl32.exe File created C:\Windows\SysWOW64\Abedil32.exe Adqghpbp.exe File created C:\Windows\SysWOW64\Nhdicjfp.exe Mejnlpai.exe File created C:\Windows\SysWOW64\Clhghiic.dll Mejnlpai.exe File opened for modification C:\Windows\SysWOW64\Fmlnomif.exe Fhofffjo.exe File created C:\Windows\SysWOW64\Fmknlled.dll Jhndepbi.exe File created C:\Windows\SysWOW64\Fihnhc32.exe Ffgegh32.exe File created C:\Windows\SysWOW64\Gkdhcqcj.exe Gpmgph32.exe File created C:\Windows\SysWOW64\Bocoqj32.exe Bbpoge32.exe File opened for modification C:\Windows\SysWOW64\Ifjfhh32.exe Iannpa32.exe File opened for modification C:\Windows\SysWOW64\Bnmcdm32.exe Oqfdgn32.exe File created C:\Windows\SysWOW64\Ncikop32.dll Ebejpp32.exe File created C:\Windows\SysWOW64\Llppob32.dll Qemhlp32.exe File created C:\Windows\SysWOW64\Abmcod32.dll Cbknhqbl.exe File opened for modification C:\Windows\SysWOW64\Mfofjk32.exe Mcggga32.exe File created C:\Windows\SysWOW64\Ackbfioj.exe Ahenip32.exe File opened for modification C:\Windows\SysWOW64\Mqimdomb.exe Laacmbkm.exe File created C:\Windows\SysWOW64\Igbhpned.exe Ijlkqj32.exe File created C:\Windows\SysWOW64\Ogegkehh.dll Gjlfkj32.exe File created C:\Windows\SysWOW64\Efhdlael.dll Nconal32.exe File created C:\Windows\SysWOW64\Oiaahllb.dll Blabakle.exe File opened for modification C:\Windows\SysWOW64\Nppfnige.exe Nfpled32.exe File created C:\Windows\SysWOW64\Fmfnig32.exe Flgaodbm.exe File created C:\Windows\SysWOW64\Poapio32.dll Modpch32.exe File created C:\Windows\SysWOW64\Hpeejfjm.exe Hndibn32.exe File opened for modification C:\Windows\SysWOW64\Mnochl32.exe Mpkbohhd.exe File opened for modification C:\Windows\SysWOW64\Jlkaahjg.exe Jeolonem.exe File created C:\Windows\SysWOW64\Bmijllek.dll Dpknhfoq.exe File opened for modification C:\Windows\SysWOW64\Eikpan32.exe Dhbqalle.exe File opened for modification C:\Windows\SysWOW64\Jnalem32.exe Endnohdp.exe File created C:\Windows\SysWOW64\Hmabnnhg.exe Hbknqeha.exe File opened for modification C:\Windows\SysWOW64\Oocdme32.exe Ocmchdmh.exe File opened for modification C:\Windows\SysWOW64\Dcnqid32.exe Dmdhmj32.exe File opened for modification C:\Windows\SysWOW64\Hocjaj32.exe Gbjlgj32.exe File created C:\Windows\SysWOW64\Kiikkada.exe Kpagbk32.exe File created C:\Windows\SysWOW64\Dblbapgo.dll Hglaookl.exe File opened for modification C:\Windows\SysWOW64\Nljgfn32.exe Nalpbf32.exe File created C:\Windows\SysWOW64\Hihimfag.exe Hpnhoqmi.exe File opened for modification C:\Windows\SysWOW64\Ddmaia32.exe Dkdmpl32.exe File created C:\Windows\SysWOW64\Adbijq32.dll Kbedaand.exe File created C:\Windows\SysWOW64\Dmmcch32.dll Gifadggi.exe File created C:\Windows\SysWOW64\Ffgegh32.exe Epkpdn32.exe File created C:\Windows\SysWOW64\Hifcqo32.exe Hpgigj32.exe File created C:\Windows\SysWOW64\Djklgb32.exe Cnboma32.exe File opened for modification C:\Windows\SysWOW64\Dnienqbi.exe Dilmeida.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knbmicga.dll" Jfaenqjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjkbj32.dll" Jgngkmkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehmnind.dll" Ebjckppa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhfcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnhppa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgpkkf32.dll" Lhiodm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdonje32.dll" Lgfojd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midign32.dll" Hcnnjoam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqagkjne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfhecfj.dll" Dobffj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgdbgbof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmfalimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpagbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbnomjg.dll" Fgppgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Affgno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhmejf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnkedd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kffphhmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhpobmqh.dll" Hndibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liimgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhofffjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjbboi32.dll" Fghcqq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqnkph32.dll" Iafgob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qemhlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogedcm32.dll" Cbmdnmdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgkoolil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feljgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcnnjoam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppemmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bocoqj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhiodm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dobffj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nalpbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhfmic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcdjba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceqngekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnjbnof.dll" Ddonnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnhjig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnckjbfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Milinkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaafqjcd.dll" Bbpoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqldhh32.dll" Nqklfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bodfkpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbgongoo.dll" Ejmild32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjmdeij.dll" Plndma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joahjcgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dciqifgc.dll" Hllkqdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpnnijg.dll" Nbbldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipllghgi.dll" Ednajepe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijlkqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqfolqna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjlfkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajifbm32.dll" Chjaha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okedmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhabmjfd.dll" Lqjqab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkfeeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbnjfefo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpdlajfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koaaaaip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klljhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gifjjacn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbagkkgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oblhlpne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifqoehhl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2892 wrote to memory of 5012 2892 NEAS.c7ee16e882bda3cdd0727fcc94db4541_JC.exe 90 PID 2892 wrote to memory of 5012 2892 NEAS.c7ee16e882bda3cdd0727fcc94db4541_JC.exe 90 PID 2892 wrote to memory of 5012 2892 NEAS.c7ee16e882bda3cdd0727fcc94db4541_JC.exe 90 PID 5012 wrote to memory of 4104 5012 Eepkkefp.exe 91 PID 5012 wrote to memory of 4104 5012 Eepkkefp.exe 91 PID 5012 wrote to memory of 4104 5012 Eepkkefp.exe 91 PID 4104 wrote to memory of 4880 4104 Feljgd32.exe 92 PID 4104 wrote to memory of 4880 4104 Feljgd32.exe 92 PID 4104 wrote to memory of 4880 4104 Feljgd32.exe 92 PID 4880 wrote to memory of 3452 4880 Fgkfqgce.exe 93 PID 4880 wrote to memory of 3452 4880 Fgkfqgce.exe 93 PID 4880 wrote to memory of 3452 4880 Fgkfqgce.exe 93 PID 3452 wrote to memory of 864 3452 Gdhjpjjd.exe 94 PID 3452 wrote to memory of 864 3452 Gdhjpjjd.exe 94 PID 3452 wrote to memory of 864 3452 Gdhjpjjd.exe 94 PID 864 wrote to memory of 3628 864 Gqagkjne.exe 96 PID 864 wrote to memory of 3628 864 Gqagkjne.exe 96 PID 864 wrote to memory of 3628 864 Gqagkjne.exe 96 PID 3628 wrote to memory of 4868 3628 Icnphd32.exe 97 PID 3628 wrote to memory of 4868 3628 Icnphd32.exe 97 PID 3628 wrote to memory of 4868 3628 Icnphd32.exe 97 PID 4868 wrote to memory of 940 4868 Jmbdmg32.exe 98 PID 4868 wrote to memory of 940 4868 Jmbdmg32.exe 98 PID 4868 wrote to memory of 940 4868 Jmbdmg32.exe 98 PID 940 wrote to memory of 3128 940 Lajhpbme.exe 99 PID 940 wrote to memory of 3128 940 Lajhpbme.exe 99 PID 940 wrote to memory of 3128 940 Lajhpbme.exe 99 PID 3128 wrote to memory of 5040 3128 Mejnlpai.exe 100 PID 3128 wrote to memory of 5040 3128 Mejnlpai.exe 100 PID 3128 wrote to memory of 5040 3128 Mejnlpai.exe 100 PID 5040 wrote to memory of 3008 5040 Nhdicjfp.exe 101 PID 5040 wrote to memory of 3008 5040 Nhdicjfp.exe 101 PID 5040 wrote to memory of 3008 5040 Nhdicjfp.exe 101 PID 3008 wrote to memory of 4444 3008 Oafacn32.exe 102 PID 3008 wrote to memory of 4444 3008 Oafacn32.exe 102 PID 3008 wrote to memory of 4444 3008 Oafacn32.exe 102 PID 4444 wrote to memory of 2752 4444 Ohdbkh32.exe 103 PID 4444 wrote to memory of 2752 4444 Ohdbkh32.exe 103 PID 4444 wrote to memory of 2752 4444 Ohdbkh32.exe 103 PID 2752 wrote to memory of 2844 2752 Phneqf32.exe 104 PID 2752 wrote to memory of 2844 2752 Phneqf32.exe 104 PID 2752 wrote to memory of 2844 2752 Phneqf32.exe 104 PID 2844 wrote to memory of 388 2844 Abpmpkoh.exe 105 PID 2844 wrote to memory of 388 2844 Abpmpkoh.exe 105 PID 2844 wrote to memory of 388 2844 Abpmpkoh.exe 105 PID 388 wrote to memory of 3484 388 Bngfli32.exe 107 PID 388 wrote to memory of 3484 388 Bngfli32.exe 107 PID 388 wrote to memory of 3484 388 Bngfli32.exe 107 PID 3484 wrote to memory of 4848 3484 Dhbqalle.exe 109 PID 3484 wrote to memory of 4848 3484 Dhbqalle.exe 109 PID 3484 wrote to memory of 4848 3484 Dhbqalle.exe 109 PID 4848 wrote to memory of 4384 4848 Eikpan32.exe 110 PID 4848 wrote to memory of 4384 4848 Eikpan32.exe 110 PID 4848 wrote to memory of 4384 4848 Eikpan32.exe 110 PID 4384 wrote to memory of 4564 4384 Fghcqq32.exe 111 PID 4384 wrote to memory of 4564 4384 Fghcqq32.exe 111 PID 4384 wrote to memory of 4564 4384 Fghcqq32.exe 111 PID 4564 wrote to memory of 2888 4564 Fpcdof32.exe 112 PID 4564 wrote to memory of 2888 4564 Fpcdof32.exe 112 PID 4564 wrote to memory of 2888 4564 Fpcdof32.exe 112 PID 2888 wrote to memory of 2332 2888 Gckcap32.exe 113 PID 2888 wrote to memory of 2332 2888 Gckcap32.exe 113 PID 2888 wrote to memory of 2332 2888 Gckcap32.exe 113 PID 2332 wrote to memory of 1428 2332 Hllkqdli.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c7ee16e882bda3cdd0727fcc94db4541_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.c7ee16e882bda3cdd0727fcc94db4541_JC.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Eepkkefp.exeC:\Windows\system32\Eepkkefp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Feljgd32.exeC:\Windows\system32\Feljgd32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\Fgkfqgce.exeC:\Windows\system32\Fgkfqgce.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Gdhjpjjd.exeC:\Windows\system32\Gdhjpjjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Gqagkjne.exeC:\Windows\system32\Gqagkjne.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Icnphd32.exeC:\Windows\system32\Icnphd32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Windows\SysWOW64\Jmbdmg32.exeC:\Windows\system32\Jmbdmg32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\Lajhpbme.exeC:\Windows\system32\Lajhpbme.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\Mejnlpai.exeC:\Windows\system32\Mejnlpai.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\SysWOW64\Nhdicjfp.exeC:\Windows\system32\Nhdicjfp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Oafacn32.exeC:\Windows\system32\Oafacn32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Ohdbkh32.exeC:\Windows\system32\Ohdbkh32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\Phneqf32.exeC:\Windows\system32\Phneqf32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Abpmpkoh.exeC:\Windows\system32\Abpmpkoh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Bngfli32.exeC:\Windows\system32\Bngfli32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Windows\SysWOW64\Dhbqalle.exeC:\Windows\system32\Dhbqalle.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Eikpan32.exeC:\Windows\system32\Eikpan32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Fghcqq32.exeC:\Windows\system32\Fghcqq32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\Fpcdof32.exeC:\Windows\system32\Fpcdof32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Gckcap32.exeC:\Windows\system32\Gckcap32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Hllkqdli.exeC:\Windows\system32\Hllkqdli.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Ifqoehhl.exeC:\Windows\system32\Ifqoehhl.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:1428 -
C:\Windows\SysWOW64\Jicdlc32.exeC:\Windows\system32\Jicdlc32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Kcehejic.exeC:\Windows\system32\Kcehejic.exe25⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Lglcag32.exeC:\Windows\system32\Lglcag32.exe26⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Migcpneb.exeC:\Windows\system32\Migcpneb.exe27⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Maeaajpl.exeC:\Windows\system32\Maeaajpl.exe28⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Nplkhf32.exeC:\Windows\system32\Nplkhf32.exe29⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Nhfoocaa.exeC:\Windows\system32\Nhfoocaa.exe30⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Okiefn32.exeC:\Windows\system32\Okiefn32.exe31⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Oknnanhj.exeC:\Windows\system32\Oknnanhj.exe32⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Opjgidfa.exeC:\Windows\system32\Opjgidfa.exe33⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Onngci32.exeC:\Windows\system32\Onngci32.exe34⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Pnhjig32.exeC:\Windows\system32\Pnhjig32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Qpmmfbfl.exeC:\Windows\system32\Qpmmfbfl.exe36⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Aaofedkl.exeC:\Windows\system32\Aaofedkl.exe37⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Aqfolqna.exeC:\Windows\system32\Aqfolqna.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:3460 -
C:\Windows\SysWOW64\Bgjjoi32.exeC:\Windows\system32\Bgjjoi32.exe39⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Bnfoac32.exeC:\Windows\system32\Bnfoac32.exe40⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Bilcol32.exeC:\Windows\system32\Bilcol32.exe41⤵
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Cinpdl32.exeC:\Windows\system32\Cinpdl32.exe42⤵
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Ckoifgmb.exeC:\Windows\system32\Ckoifgmb.exe43⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Cbknhqbl.exeC:\Windows\system32\Cbknhqbl.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3608 -
C:\Windows\SysWOW64\Cnboma32.exeC:\Windows\system32\Cnboma32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:444 -
C:\Windows\SysWOW64\Djklgb32.exeC:\Windows\system32\Djklgb32.exe46⤵
- Executes dropped EXE
PID:3804 -
C:\Windows\SysWOW64\Dilmeida.exeC:\Windows\system32\Dilmeida.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3684 -
C:\Windows\SysWOW64\Dnienqbi.exeC:\Windows\system32\Dnienqbi.exe48⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Dhfcae32.exeC:\Windows\system32\Dhfcae32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:4032 -
C:\Windows\SysWOW64\Ehmibdol.exeC:\Windows\system32\Ehmibdol.exe50⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Ejnbdp32.exeC:\Windows\system32\Ejnbdp32.exe51⤵
- Executes dropped EXE
PID:3828 -
C:\Windows\SysWOW64\Fbqiak32.exeC:\Windows\system32\Fbqiak32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4536 -
C:\Windows\SysWOW64\Gbjlgj32.exeC:\Windows\system32\Gbjlgj32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:764 -
C:\Windows\SysWOW64\Hocjaj32.exeC:\Windows\system32\Hocjaj32.exe54⤵
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Hhpheo32.exeC:\Windows\system32\Hhpheo32.exe55⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Iibaeb32.exeC:\Windows\system32\Iibaeb32.exe56⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Ifnkeb32.exeC:\Windows\system32\Ifnkeb32.exe57⤵
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\Jcfejfag.exeC:\Windows\system32\Jcfejfag.exe58⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Jfikaqme.exeC:\Windows\system32\Jfikaqme.exe59⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Jjgcgo32.exeC:\Windows\system32\Jjgcgo32.exe60⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Kbedaand.exeC:\Windows\system32\Kbedaand.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3360 -
C:\Windows\SysWOW64\Lkiiee32.exeC:\Windows\system32\Lkiiee32.exe62⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Lcdjba32.exeC:\Windows\system32\Lcdjba32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1416 -
C:\Windows\SysWOW64\Mcggga32.exeC:\Windows\system32\Mcggga32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5008 -
C:\Windows\SysWOW64\Mfofjk32.exeC:\Windows\system32\Mfofjk32.exe65⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Ppafpm32.exeC:\Windows\system32\Ppafpm32.exe66⤵PID:760
-
C:\Windows\SysWOW64\Pphlpl32.exeC:\Windows\system32\Pphlpl32.exe67⤵PID:2424
-
C:\Windows\SysWOW64\Qlomemlj.exeC:\Windows\system32\Qlomemlj.exe68⤵PID:4992
-
C:\Windows\SysWOW64\Qgdabflp.exeC:\Windows\system32\Qgdabflp.exe69⤵PID:4188
-
C:\Windows\SysWOW64\Qnniopcm.exeC:\Windows\system32\Qnniopcm.exe70⤵PID:3028
-
C:\Windows\SysWOW64\Apobakpn.exeC:\Windows\system32\Apobakpn.exe71⤵PID:3980
-
C:\Windows\SysWOW64\Akdfndpd.exeC:\Windows\system32\Akdfndpd.exe72⤵PID:3712
-
C:\Windows\SysWOW64\Admkgifd.exeC:\Windows\system32\Admkgifd.exe73⤵PID:4964
-
C:\Windows\SysWOW64\Aljmal32.exeC:\Windows\system32\Aljmal32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:60 -
C:\Windows\SysWOW64\Addahh32.exeC:\Windows\system32\Addahh32.exe75⤵PID:4628
-
C:\Windows\SysWOW64\Blabakle.exeC:\Windows\system32\Blabakle.exe76⤵
- Drops file in System32 directory
PID:4296 -
C:\Windows\SysWOW64\Bgggockk.exeC:\Windows\system32\Bgggockk.exe77⤵PID:3936
-
C:\Windows\SysWOW64\Ckiipa32.exeC:\Windows\system32\Ckiipa32.exe78⤵PID:3632
-
C:\Windows\SysWOW64\Cjofambd.exeC:\Windows\system32\Cjofambd.exe79⤵PID:1372
-
C:\Windows\SysWOW64\Dklomnmf.exeC:\Windows\system32\Dklomnmf.exe80⤵PID:2924
-
C:\Windows\SysWOW64\Eapmedef.exeC:\Windows\system32\Eapmedef.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5160 -
C:\Windows\SysWOW64\Endnohdp.exeC:\Windows\system32\Endnohdp.exe82⤵
- Drops file in System32 directory
PID:5240 -
C:\Windows\SysWOW64\Jnalem32.exeC:\Windows\system32\Jnalem32.exe83⤵PID:5364
-
C:\Windows\SysWOW64\Kfmmajed.exeC:\Windows\system32\Kfmmajed.exe84⤵
- Drops file in System32 directory
PID:5404 -
C:\Windows\SysWOW64\Kdeghfhj.exeC:\Windows\system32\Kdeghfhj.exe85⤵PID:5444
-
C:\Windows\SysWOW64\Klnkoc32.exeC:\Windows\system32\Klnkoc32.exe86⤵
- Drops file in System32 directory
PID:5484 -
C:\Windows\SysWOW64\Kffphhmj.exeC:\Windows\system32\Kffphhmj.exe87⤵
- Modifies registry class
PID:5540 -
C:\Windows\SysWOW64\Loodqn32.exeC:\Windows\system32\Loodqn32.exe88⤵PID:5604
-
C:\Windows\SysWOW64\Lkfeeo32.exeC:\Windows\system32\Lkfeeo32.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:5664 -
C:\Windows\SysWOW64\Lilbdcfe.exeC:\Windows\system32\Lilbdcfe.exe90⤵PID:5704
-
C:\Windows\SysWOW64\Lfbpcgbl.exeC:\Windows\system32\Lfbpcgbl.exe91⤵PID:5784
-
C:\Windows\SysWOW64\Mihbpalh.exeC:\Windows\system32\Mihbpalh.exe92⤵PID:5848
-
C:\Windows\SysWOW64\Mbbcofpf.exeC:\Windows\system32\Mbbcofpf.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5900 -
C:\Windows\SysWOW64\Nfpled32.exeC:\Windows\system32\Nfpled32.exe94⤵
- Drops file in System32 directory
PID:6000 -
C:\Windows\SysWOW64\Nppfnige.exeC:\Windows\system32\Nppfnige.exe95⤵
- Drops file in System32 directory
PID:6104 -
C:\Windows\SysWOW64\Opkfjgmh.exeC:\Windows\system32\Opkfjgmh.exe96⤵PID:4216
-
C:\Windows\SysWOW64\Pidjcm32.exeC:\Windows\system32\Pidjcm32.exe97⤵PID:5204
-
C:\Windows\SysWOW64\Plimpg32.exeC:\Windows\system32\Plimpg32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5012 -
C:\Windows\SysWOW64\Affgno32.exeC:\Windows\system32\Affgno32.exe99⤵
- Modifies registry class
PID:5300 -
C:\Windows\SysWOW64\Amgekh32.exeC:\Windows\system32\Amgekh32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5392 -
C:\Windows\SysWOW64\Blnoad32.exeC:\Windows\system32\Blnoad32.exe101⤵PID:5716
-
C:\Windows\SysWOW64\Dcdpakii.exeC:\Windows\system32\Dcdpakii.exe102⤵PID:5836
-
C:\Windows\SysWOW64\Fnhppa32.exeC:\Windows\system32\Fnhppa32.exe103⤵
- Modifies registry class
PID:5196 -
C:\Windows\SysWOW64\Ggldde32.exeC:\Windows\system32\Ggldde32.exe104⤵PID:5932
-
C:\Windows\SysWOW64\Gnfmapqo.exeC:\Windows\system32\Gnfmapqo.exe105⤵PID:5924
-
C:\Windows\SysWOW64\Gmpcmkaa.exeC:\Windows\system32\Gmpcmkaa.exe106⤵PID:6076
-
C:\Windows\SysWOW64\Hfkdkqeo.exeC:\Windows\system32\Hfkdkqeo.exe107⤵PID:5772
-
C:\Windows\SysWOW64\Hdodeedi.exeC:\Windows\system32\Hdodeedi.exe108⤵PID:6140
-
C:\Windows\SysWOW64\Hndibn32.exeC:\Windows\system32\Hndibn32.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Hpeejfjm.exeC:\Windows\system32\Hpeejfjm.exe110⤵PID:5216
-
C:\Windows\SysWOW64\Hfonfp32.exeC:\Windows\system32\Hfonfp32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5264 -
C:\Windows\SysWOW64\Hjmfmnhp.exeC:\Windows\system32\Hjmfmnhp.exe112⤵PID:5016
-
C:\Windows\SysWOW64\Jpjhlche.exeC:\Windows\system32\Jpjhlche.exe113⤵PID:2980
-
C:\Windows\SysWOW64\Jolhjj32.exeC:\Windows\system32\Jolhjj32.exe114⤵PID:2292
-
C:\Windows\SysWOW64\Jdkmgali.exeC:\Windows\system32\Jdkmgali.exe115⤵PID:5600
-
C:\Windows\SysWOW64\Kdmjmqjf.exeC:\Windows\system32\Kdmjmqjf.exe116⤵PID:1644
-
C:\Windows\SysWOW64\Kkioojpp.exeC:\Windows\system32\Kkioojpp.exe117⤵PID:3112
-
C:\Windows\SysWOW64\Khmoionj.exeC:\Windows\system32\Khmoionj.exe118⤵PID:3920
-
C:\Windows\SysWOW64\Kafcadej.exeC:\Windows\system32\Kafcadej.exe119⤵PID:3668
-
C:\Windows\SysWOW64\Kknhjj32.exeC:\Windows\system32\Kknhjj32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5192 -
C:\Windows\SysWOW64\Kpkqbq32.exeC:\Windows\system32\Kpkqbq32.exe121⤵PID:4064
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-