Analysis
-
max time kernel
144s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2023 17:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.d6c6c31cff27e8a601ed98113718a910_JC.exe
Resource
win7-20231020-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.d6c6c31cff27e8a601ed98113718a910_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.d6c6c31cff27e8a601ed98113718a910_JC.exe
-
Size
416KB
-
MD5
d6c6c31cff27e8a601ed98113718a910
-
SHA1
c8123bdcd7266fc9df28691764eb3659ea3e4317
-
SHA256
53cef3dfc23050a87ef94f1878a01e8ef8e309abaa391e108e9651f2d072dbbc
-
SHA512
2328e22d195ec609bb00914b31b3836a1e97247e98601d98f0a4769a38656d4103eece88bfbeac41315202500213dd33b82f86afb9aef4dbbb4f38a53b884f16
-
SSDEEP
3072:iuUzJoZMz1VAURfE+HAokWmvEie0RFz3yE2ZwVh16Mz7GFD0AlWP:mz6ZMz1Rs+HLlD0rN2ZwVht740PP
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geanfelc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcnjijoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eohhie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcabhido.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haaocp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppgeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dncnnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffjkdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgbljkca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nehjmnei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefjanml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfpqap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jojboa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogbfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhaggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hppeim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpchaqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mddidm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlkafdco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eippgckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nboiekjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmmmbll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnpjlajn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdhbpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okeklcen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgomaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihkila32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfjeckpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flfjjkgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaonaekb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bblcfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iebfmfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mabdlk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nboiekjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcomonkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgmfel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idfkednq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggicbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giokid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oikngeoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckiipa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omopjcjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddfbgelh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pohnnqgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohkijc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmfhjhdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjheejff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egaejeej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeomfioh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecccmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blknpdho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjqfmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofalfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iacepmik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kojkeogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odnfonag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfnfhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkghqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkdibjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eilfldoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odgjdibf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hohjgpmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opdpih32.exe -
Executes dropped EXE 64 IoCs
pid Process 2788 Pdenmbkk.exe 2956 Aogbfi32.exe 2416 Aokkahlo.exe 3084 Akdilipp.exe 1136 Bahdob32.exe 1920 Caojpaij.exe 4948 Dhphmj32.exe 1068 Dqpfmlce.exe 4504 Egaejeej.exe 1664 Edgbii32.exe 1216 Edionhpn.exe 1528 Fndpmndl.exe 400 Feqeog32.exe 1768 Fohfbpgi.exe 1792 Gpolbo32.exe 4428 Ggmmlamj.exe 2928 Geanfelc.exe 2716 Hhaggp32.exe 2424 Heegad32.exe 3528 Hppeim32.exe 3160 Ilfennic.exe 4936 Ieccbbkn.exe 1368 Jhgiim32.exe 4292 Jeocna32.exe 2400 Kolabf32.exe 1520 Kamjda32.exe 3112 Kcoccc32.exe 1332 Legben32.exe 3156 Lplfcf32.exe 2272 Mcoljagj.exe 4360 Mbdiknlb.exe 3692 Noppeaed.exe 3588 Nbphglbe.exe 2356 Nqcejcha.exe 3844 Ookoaokf.exe 3776 Omopjcjp.exe 492 Omalpc32.exe 3440 Oflmnh32.exe 3476 Pfojdh32.exe 4304 Pfccogfc.exe 3092 Pbjddh32.exe 4012 Qfjjpf32.exe 3096 Qcnjijoe.exe 4344 Apggckbf.exe 408 Aiplmq32.exe 1064 Adepji32.exe 2696 Adgmoigj.exe 3340 Ampaho32.exe 4404 Bdlfjh32.exe 692 Bpcgpihi.exe 2208 Bfolacnc.exe 2784 Cajjjk32.exe 2432 Cgiohbfi.exe 5000 Cpacqg32.exe 116 Dgpeha32.exe 3868 Dknnoofg.exe 4332 Ddfbgelh.exe 2452 Dckoia32.exe 4084 Dkedonpo.exe 2600 Enhifi32.exe 4460 Ecdbop32.exe 2932 Enlcahgh.exe 3904 Enopghee.exe 1644 Fnalmh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Edlann32.exe Dlcmgqdd.exe File created C:\Windows\SysWOW64\Mbfola32.dll Hecadm32.exe File created C:\Windows\SysWOW64\Chjjqebm.dll Pfojdh32.exe File created C:\Windows\SysWOW64\Odehaccj.dll Kdmlkfjb.exe File created C:\Windows\SysWOW64\Pimdleea.dll Bclppboi.exe File created C:\Windows\SysWOW64\Jgjjlakk.dll Enlcahgh.exe File opened for modification C:\Windows\SysWOW64\Gdfhil32.exe Glkdejcd.exe File opened for modification C:\Windows\SysWOW64\Ikjmcc32.exe Idkkki32.exe File created C:\Windows\SysWOW64\Eneilj32.dll Oinbgk32.exe File created C:\Windows\SysWOW64\Llebel32.dll Jndhkmfe.exe File created C:\Windows\SysWOW64\Nlloco32.dll Iandjg32.exe File created C:\Windows\SysWOW64\Ohnncn32.dll Jdmcdhhe.exe File created C:\Windows\SysWOW64\Kchhih32.dll Llpchaqg.exe File opened for modification C:\Windows\SysWOW64\Oibdhd32.exe Ofalfi32.exe File opened for modification C:\Windows\SysWOW64\Bjhpqn32.exe Bdkghg32.exe File created C:\Windows\SysWOW64\Bdepoj32.dll Egaejeej.exe File created C:\Windows\SysWOW64\Enhifi32.exe Dkedonpo.exe File created C:\Windows\SysWOW64\Hbfhni32.dll Lojfin32.exe File created C:\Windows\SysWOW64\Pdbiphhi.exe Pkjegb32.exe File created C:\Windows\SysWOW64\Pcmibojk.dll Gdfhil32.exe File opened for modification C:\Windows\SysWOW64\Fnhppa32.exe Egnhcgeb.exe File created C:\Windows\SysWOW64\Lndkebgi.dll Ijbbfc32.exe File opened for modification C:\Windows\SysWOW64\Lihpdj32.exe Kmaooihb.exe File opened for modification C:\Windows\SysWOW64\Gmqjga32.exe Gdheol32.exe File opened for modification C:\Windows\SysWOW64\Dncnnd32.exe Dlcaca32.exe File created C:\Windows\SysWOW64\Elekoe32.dll Bdlfjh32.exe File opened for modification C:\Windows\SysWOW64\Flodilma.exe Fjphoi32.exe File created C:\Windows\SysWOW64\Jmqpie32.dll Omdnbd32.exe File created C:\Windows\SysWOW64\Cclflc32.dll Locnlmoe.exe File created C:\Windows\SysWOW64\Joabhd32.dll Pkjegb32.exe File opened for modification C:\Windows\SysWOW64\Phiekaql.exe Phfhfa32.exe File created C:\Windows\SysWOW64\Hojpbigq.exe Hohcmjic.exe File created C:\Windows\SysWOW64\Kkkldg32.exe Joaojf32.exe File opened for modification C:\Windows\SysWOW64\Jmjojh32.exe Imgbdh32.exe File opened for modification C:\Windows\SysWOW64\Gjqinamq.exe Fpckjlje.exe File opened for modification C:\Windows\SysWOW64\Cicjokll.exe Ckoifgmb.exe File opened for modification C:\Windows\SysWOW64\Fjphoi32.exe Emlgedge.exe File created C:\Windows\SysWOW64\Oflkqc32.exe Omdghmfo.exe File created C:\Windows\SysWOW64\Gcceifof.exe Gadimkpb.exe File opened for modification C:\Windows\SysWOW64\Mmjlkb32.exe Mgngih32.exe File opened for modification C:\Windows\SysWOW64\Mnggnh32.exe Mndjhhjp.exe File created C:\Windows\SysWOW64\Kdhbpf32.exe Kbeibo32.exe File created C:\Windows\SysWOW64\Omalpc32.exe Omopjcjp.exe File created C:\Windows\SysWOW64\Hjpkjh32.exe Hohjgpmo.exe File opened for modification C:\Windows\SysWOW64\Mdlgmgdh.exe Mjdbda32.exe File opened for modification C:\Windows\SysWOW64\Jeolckne.exe Jjihfbno.exe File created C:\Windows\SysWOW64\Gimoce32.exe Ghmbib32.exe File opened for modification C:\Windows\SysWOW64\Ndjldo32.exe Npldnp32.exe File created C:\Windows\SysWOW64\Bdhkchlg.exe Bnobfn32.exe File opened for modification C:\Windows\SysWOW64\Ejnbdp32.exe Eimelg32.exe File created C:\Windows\SysWOW64\Jlhdoibc.dll Gaepgacn.exe File created C:\Windows\SysWOW64\Dofgklcb.exe Dcpffk32.exe File created C:\Windows\SysWOW64\Kbpkkeen.dll Bpcgpihi.exe File created C:\Windows\SysWOW64\Cmmgof32.exe Bedbhi32.exe File created C:\Windows\SysWOW64\Hnmnengg.exe Gmfkjl32.exe File created C:\Windows\SysWOW64\Fgkelj32.dll Gbjlgj32.exe File opened for modification C:\Windows\SysWOW64\Aogbfi32.exe Pdenmbkk.exe File created C:\Windows\SysWOW64\Fmnfcojj.dll Fdhail32.exe File created C:\Windows\SysWOW64\Lelmqm32.dll Iobmmoed.exe File created C:\Windows\SysWOW64\Cbhkkpon.dll Bedbhi32.exe File created C:\Windows\SysWOW64\Cpnhfn32.dll Fpckjlje.exe File created C:\Windows\SysWOW64\Ikbfbdgf.exe Iolfmcbb.exe File opened for modification C:\Windows\SysWOW64\Dkedonpo.exe Dckoia32.exe File opened for modification C:\Windows\SysWOW64\Pdenmbkk.exe NEAS.d6c6c31cff27e8a601ed98113718a910_JC.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7932 7828 WerFault.exe 650 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odnfonag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giidol32.dll" NEAS.d6c6c31cff27e8a601ed98113718a910_JC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaadlo32.dll" Mbdiknlb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmbkfjko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odgjdibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenokbf.dll" Adepji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adepji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jamhflqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmjdaoni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpckjlje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjndfpnf.dll" Mgebfhcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmjdaoni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfjjpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohqpjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbqpa32.dll" Ndpcdjho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eblgon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iacepmik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eilfldoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkiapn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmheph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oibdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fiaogfai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbpbhmcg.dll" Oikngeoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apggckbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddfbgelh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmlcae32.dll" Hohcmjic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlcmgqdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejkndijd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjdajhbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oflmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifcnk32.dll" Fjocbhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdfmkjlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifphkbep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnfooe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aimhmkgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbmpjkqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oidfpeba.dll" Pdbiphhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoljhi32.dll" Nlknbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fndpmndl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgpeha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnpjlajn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfhhml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqkhda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eohhie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjpllgme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edlann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oamgcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfemoei.dll" Eohhie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Najjmjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiaee32.dll" Epgdch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkpbpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npfchkop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhammfci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmkohkha.dll" Eegpkcbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmpaqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pikqcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdenmbkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcoljagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdlfjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldhdlnli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhphmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eibmlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iopgjjag.dll" Mjehok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egleni32.dll" Lfkich32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2296 wrote to memory of 2788 2296 NEAS.d6c6c31cff27e8a601ed98113718a910_JC.exe 91 PID 2296 wrote to memory of 2788 2296 NEAS.d6c6c31cff27e8a601ed98113718a910_JC.exe 91 PID 2296 wrote to memory of 2788 2296 NEAS.d6c6c31cff27e8a601ed98113718a910_JC.exe 91 PID 2788 wrote to memory of 2956 2788 Pdenmbkk.exe 92 PID 2788 wrote to memory of 2956 2788 Pdenmbkk.exe 92 PID 2788 wrote to memory of 2956 2788 Pdenmbkk.exe 92 PID 2956 wrote to memory of 2416 2956 Aogbfi32.exe 93 PID 2956 wrote to memory of 2416 2956 Aogbfi32.exe 93 PID 2956 wrote to memory of 2416 2956 Aogbfi32.exe 93 PID 2416 wrote to memory of 3084 2416 Aokkahlo.exe 94 PID 2416 wrote to memory of 3084 2416 Aokkahlo.exe 94 PID 2416 wrote to memory of 3084 2416 Aokkahlo.exe 94 PID 3084 wrote to memory of 1136 3084 Akdilipp.exe 95 PID 3084 wrote to memory of 1136 3084 Akdilipp.exe 95 PID 3084 wrote to memory of 1136 3084 Akdilipp.exe 95 PID 1136 wrote to memory of 1920 1136 Bahdob32.exe 96 PID 1136 wrote to memory of 1920 1136 Bahdob32.exe 96 PID 1136 wrote to memory of 1920 1136 Bahdob32.exe 96 PID 1920 wrote to memory of 4948 1920 Caojpaij.exe 97 PID 1920 wrote to memory of 4948 1920 Caojpaij.exe 97 PID 1920 wrote to memory of 4948 1920 Caojpaij.exe 97 PID 4948 wrote to memory of 1068 4948 Dhphmj32.exe 98 PID 4948 wrote to memory of 1068 4948 Dhphmj32.exe 98 PID 4948 wrote to memory of 1068 4948 Dhphmj32.exe 98 PID 1068 wrote to memory of 4504 1068 Dqpfmlce.exe 99 PID 1068 wrote to memory of 4504 1068 Dqpfmlce.exe 99 PID 1068 wrote to memory of 4504 1068 Dqpfmlce.exe 99 PID 4504 wrote to memory of 1664 4504 Egaejeej.exe 100 PID 4504 wrote to memory of 1664 4504 Egaejeej.exe 100 PID 4504 wrote to memory of 1664 4504 Egaejeej.exe 100 PID 1664 wrote to memory of 1216 1664 Edgbii32.exe 101 PID 1664 wrote to memory of 1216 1664 Edgbii32.exe 101 PID 1664 wrote to memory of 1216 1664 Edgbii32.exe 101 PID 1216 wrote to memory of 1528 1216 Edionhpn.exe 102 PID 1216 wrote to memory of 1528 1216 Edionhpn.exe 102 PID 1216 wrote to memory of 1528 1216 Edionhpn.exe 102 PID 1528 wrote to memory of 400 1528 Fndpmndl.exe 103 PID 1528 wrote to memory of 400 1528 Fndpmndl.exe 103 PID 1528 wrote to memory of 400 1528 Fndpmndl.exe 103 PID 400 wrote to memory of 1768 400 Feqeog32.exe 104 PID 400 wrote to memory of 1768 400 Feqeog32.exe 104 PID 400 wrote to memory of 1768 400 Feqeog32.exe 104 PID 1768 wrote to memory of 1792 1768 Fohfbpgi.exe 105 PID 1768 wrote to memory of 1792 1768 Fohfbpgi.exe 105 PID 1768 wrote to memory of 1792 1768 Fohfbpgi.exe 105 PID 1792 wrote to memory of 4428 1792 Gpolbo32.exe 106 PID 1792 wrote to memory of 4428 1792 Gpolbo32.exe 106 PID 1792 wrote to memory of 4428 1792 Gpolbo32.exe 106 PID 4428 wrote to memory of 2928 4428 Ggmmlamj.exe 107 PID 4428 wrote to memory of 2928 4428 Ggmmlamj.exe 107 PID 4428 wrote to memory of 2928 4428 Ggmmlamj.exe 107 PID 2928 wrote to memory of 2716 2928 Geanfelc.exe 108 PID 2928 wrote to memory of 2716 2928 Geanfelc.exe 108 PID 2928 wrote to memory of 2716 2928 Geanfelc.exe 108 PID 2716 wrote to memory of 2424 2716 Hhaggp32.exe 109 PID 2716 wrote to memory of 2424 2716 Hhaggp32.exe 109 PID 2716 wrote to memory of 2424 2716 Hhaggp32.exe 109 PID 2424 wrote to memory of 3528 2424 Heegad32.exe 110 PID 2424 wrote to memory of 3528 2424 Heegad32.exe 110 PID 2424 wrote to memory of 3528 2424 Heegad32.exe 110 PID 3528 wrote to memory of 3160 3528 Hppeim32.exe 111 PID 3528 wrote to memory of 3160 3528 Hppeim32.exe 111 PID 3528 wrote to memory of 3160 3528 Hppeim32.exe 111 PID 3160 wrote to memory of 4936 3160 Ilfennic.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.d6c6c31cff27e8a601ed98113718a910_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.d6c6c31cff27e8a601ed98113718a910_JC.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Pdenmbkk.exeC:\Windows\system32\Pdenmbkk.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Aogbfi32.exeC:\Windows\system32\Aogbfi32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Aokkahlo.exeC:\Windows\system32\Aokkahlo.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Akdilipp.exeC:\Windows\system32\Akdilipp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Windows\SysWOW64\Bahdob32.exeC:\Windows\system32\Bahdob32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Caojpaij.exeC:\Windows\system32\Caojpaij.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Dhphmj32.exeC:\Windows\system32\Dhphmj32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Dqpfmlce.exeC:\Windows\system32\Dqpfmlce.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Egaejeej.exeC:\Windows\system32\Egaejeej.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Edgbii32.exeC:\Windows\system32\Edgbii32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Edionhpn.exeC:\Windows\system32\Edionhpn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Fndpmndl.exeC:\Windows\system32\Fndpmndl.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Feqeog32.exeC:\Windows\system32\Feqeog32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Fohfbpgi.exeC:\Windows\system32\Fohfbpgi.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Gpolbo32.exeC:\Windows\system32\Gpolbo32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Ggmmlamj.exeC:\Windows\system32\Ggmmlamj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SysWOW64\Geanfelc.exeC:\Windows\system32\Geanfelc.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Hhaggp32.exeC:\Windows\system32\Hhaggp32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Heegad32.exeC:\Windows\system32\Heegad32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Hppeim32.exeC:\Windows\system32\Hppeim32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Ilfennic.exeC:\Windows\system32\Ilfennic.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Ieccbbkn.exeC:\Windows\system32\Ieccbbkn.exe23⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Jhgiim32.exeC:\Windows\system32\Jhgiim32.exe24⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Jeocna32.exeC:\Windows\system32\Jeocna32.exe25⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Kolabf32.exeC:\Windows\system32\Kolabf32.exe26⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Kamjda32.exeC:\Windows\system32\Kamjda32.exe27⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Kcoccc32.exeC:\Windows\system32\Kcoccc32.exe28⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Legben32.exeC:\Windows\system32\Legben32.exe29⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Lplfcf32.exeC:\Windows\system32\Lplfcf32.exe30⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Mcoljagj.exeC:\Windows\system32\Mcoljagj.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Mbdiknlb.exeC:\Windows\system32\Mbdiknlb.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:4360 -
C:\Windows\SysWOW64\Noppeaed.exeC:\Windows\system32\Noppeaed.exe33⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Nbphglbe.exeC:\Windows\system32\Nbphglbe.exe34⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Nqcejcha.exeC:\Windows\system32\Nqcejcha.exe35⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Ookoaokf.exeC:\Windows\system32\Ookoaokf.exe36⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\Omopjcjp.exeC:\Windows\system32\Omopjcjp.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3776 -
C:\Windows\SysWOW64\Omalpc32.exeC:\Windows\system32\Omalpc32.exe38⤵
- Executes dropped EXE
PID:492 -
C:\Windows\SysWOW64\Oflmnh32.exeC:\Windows\system32\Oflmnh32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:3440 -
C:\Windows\SysWOW64\Pfojdh32.exeC:\Windows\system32\Pfojdh32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3476 -
C:\Windows\SysWOW64\Pfccogfc.exeC:\Windows\system32\Pfccogfc.exe41⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Pbjddh32.exeC:\Windows\system32\Pbjddh32.exe42⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Qfjjpf32.exeC:\Windows\system32\Qfjjpf32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:4012 -
C:\Windows\SysWOW64\Qcnjijoe.exeC:\Windows\system32\Qcnjijoe.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Apggckbf.exeC:\Windows\system32\Apggckbf.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4344 -
C:\Windows\SysWOW64\Aiplmq32.exeC:\Windows\system32\Aiplmq32.exe46⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Adepji32.exeC:\Windows\system32\Adepji32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Adgmoigj.exeC:\Windows\system32\Adgmoigj.exe48⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Ampaho32.exeC:\Windows\system32\Ampaho32.exe49⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Bdlfjh32.exeC:\Windows\system32\Bdlfjh32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4404 -
C:\Windows\SysWOW64\Bpcgpihi.exeC:\Windows\system32\Bpcgpihi.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:692 -
C:\Windows\SysWOW64\Bfolacnc.exeC:\Windows\system32\Bfolacnc.exe52⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Cajjjk32.exeC:\Windows\system32\Cajjjk32.exe53⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Cgiohbfi.exeC:\Windows\system32\Cgiohbfi.exe54⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Cpacqg32.exeC:\Windows\system32\Cpacqg32.exe55⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Dgpeha32.exeC:\Windows\system32\Dgpeha32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:116 -
C:\Windows\SysWOW64\Dknnoofg.exeC:\Windows\system32\Dknnoofg.exe57⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Ddfbgelh.exeC:\Windows\system32\Ddfbgelh.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4332 -
C:\Windows\SysWOW64\Dckoia32.exeC:\Windows\system32\Dckoia32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Dkedonpo.exeC:\Windows\system32\Dkedonpo.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4084 -
C:\Windows\SysWOW64\Enhifi32.exeC:\Windows\system32\Enhifi32.exe61⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Ecdbop32.exeC:\Windows\system32\Ecdbop32.exe62⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Enlcahgh.exeC:\Windows\system32\Enlcahgh.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2932 -
C:\Windows\SysWOW64\Enopghee.exeC:\Windows\system32\Enopghee.exe64⤵
- Executes dropped EXE
PID:3904 -
C:\Windows\SysWOW64\Fnalmh32.exeC:\Windows\system32\Fnalmh32.exe65⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Fdkdibjp.exeC:\Windows\system32\Fdkdibjp.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1448 -
C:\Windows\SysWOW64\Fjocbhbo.exeC:\Windows\system32\Fjocbhbo.exe67⤵
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Gqkhda32.exeC:\Windows\system32\Gqkhda32.exe68⤵
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Gkalbj32.exeC:\Windows\system32\Gkalbj32.exe69⤵PID:4300
-
C:\Windows\SysWOW64\Gdknpp32.exeC:\Windows\system32\Gdknpp32.exe70⤵PID:3284
-
C:\Windows\SysWOW64\Gjhfif32.exeC:\Windows\system32\Gjhfif32.exe71⤵PID:3020
-
C:\Windows\SysWOW64\Gnfooe32.exeC:\Windows\system32\Gnfooe32.exe72⤵
- Modifies registry class
PID:3960 -
C:\Windows\SysWOW64\Hegmlnbp.exeC:\Windows\system32\Hegmlnbp.exe73⤵PID:4852
-
C:\Windows\SysWOW64\Hjdedepg.exeC:\Windows\system32\Hjdedepg.exe74⤵PID:3444
-
C:\Windows\SysWOW64\Ielfgmnj.exeC:\Windows\system32\Ielfgmnj.exe75⤵PID:3572
-
C:\Windows\SysWOW64\Ijbbfc32.exeC:\Windows\system32\Ijbbfc32.exe76⤵
- Drops file in System32 directory
PID:5136 -
C:\Windows\SysWOW64\Jnpjlajn.exeC:\Windows\system32\Jnpjlajn.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5188 -
C:\Windows\SysWOW64\Jdmcdhhe.exeC:\Windows\system32\Jdmcdhhe.exe78⤵
- Drops file in System32 directory
PID:5232 -
C:\Windows\SysWOW64\Jbncbpqd.exeC:\Windows\system32\Jbncbpqd.exe79⤵PID:5276
-
C:\Windows\SysWOW64\Jjihfbno.exeC:\Windows\system32\Jjihfbno.exe80⤵
- Drops file in System32 directory
PID:5312 -
C:\Windows\SysWOW64\Jeolckne.exeC:\Windows\system32\Jeolckne.exe81⤵PID:5368
-
C:\Windows\SysWOW64\Jlidpe32.exeC:\Windows\system32\Jlidpe32.exe82⤵PID:5408
-
C:\Windows\SysWOW64\Jlkafdco.exeC:\Windows\system32\Jlkafdco.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5456 -
C:\Windows\SysWOW64\Kbeibo32.exeC:\Windows\system32\Kbeibo32.exe84⤵
- Drops file in System32 directory
PID:5520 -
C:\Windows\SysWOW64\Kdhbpf32.exeC:\Windows\system32\Kdhbpf32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5556 -
C:\Windows\SysWOW64\Kongmo32.exeC:\Windows\system32\Kongmo32.exe86⤵PID:5608
-
C:\Windows\SysWOW64\Kdmlkfjb.exeC:\Windows\system32\Kdmlkfjb.exe87⤵
- Drops file in System32 directory
PID:5652 -
C:\Windows\SysWOW64\Kbnlim32.exeC:\Windows\system32\Kbnlim32.exe88⤵PID:5688
-
C:\Windows\SysWOW64\Klgqabib.exeC:\Windows\system32\Klgqabib.exe89⤵PID:5752
-
C:\Windows\SysWOW64\Lojfin32.exeC:\Windows\system32\Lojfin32.exe90⤵
- Drops file in System32 directory
PID:5796 -
C:\Windows\SysWOW64\Lajokiaa.exeC:\Windows\system32\Lajokiaa.exe91⤵PID:5836
-
C:\Windows\SysWOW64\Llpchaqg.exeC:\Windows\system32\Llpchaqg.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5888 -
C:\Windows\SysWOW64\Mdnebc32.exeC:\Windows\system32\Mdnebc32.exe93⤵PID:5948
-
C:\Windows\SysWOW64\Mdbnmbhj.exeC:\Windows\system32\Mdbnmbhj.exe94⤵PID:5992
-
C:\Windows\SysWOW64\Mcfkpjng.exeC:\Windows\system32\Mcfkpjng.exe95⤵PID:6032
-
C:\Windows\SysWOW64\Nlgbon32.exeC:\Windows\system32\Nlgbon32.exe96⤵PID:6076
-
C:\Windows\SysWOW64\Okmpqjad.exeC:\Windows\system32\Okmpqjad.exe97⤵PID:6116
-
C:\Windows\SysWOW64\Ohqpjo32.exeC:\Windows\system32\Ohqpjo32.exe98⤵
- Modifies registry class
PID:5160 -
C:\Windows\SysWOW64\Pdngpo32.exeC:\Windows\system32\Pdngpo32.exe99⤵PID:5220
-
C:\Windows\SysWOW64\Pbddobla.exeC:\Windows\system32\Pbddobla.exe100⤵PID:5324
-
C:\Windows\SysWOW64\Pkoemhao.exeC:\Windows\system32\Pkoemhao.exe101⤵PID:5392
-
C:\Windows\SysWOW64\Pcijce32.exeC:\Windows\system32\Pcijce32.exe102⤵PID:5464
-
C:\Windows\SysWOW64\Qmanljfo.exeC:\Windows\system32\Qmanljfo.exe103⤵PID:5544
-
C:\Windows\SysWOW64\Amfhgj32.exeC:\Windows\system32\Amfhgj32.exe104⤵PID:5620
-
C:\Windows\SysWOW64\Aimhmkgn.exeC:\Windows\system32\Aimhmkgn.exe105⤵
- Modifies registry class
PID:5700 -
C:\Windows\SysWOW64\Aioebj32.exeC:\Windows\system32\Aioebj32.exe106⤵PID:2456
-
C:\Windows\SysWOW64\Apkjddke.exeC:\Windows\system32\Apkjddke.exe107⤵PID:5780
-
C:\Windows\SysWOW64\Aidomjaf.exeC:\Windows\system32\Aidomjaf.exe108⤵PID:5876
-
C:\Windows\SysWOW64\Bblcfo32.exeC:\Windows\system32\Bblcfo32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5928 -
C:\Windows\SysWOW64\Bmagch32.exeC:\Windows\system32\Bmagch32.exe110⤵PID:6008
-
C:\Windows\SysWOW64\Bclppboi.exeC:\Windows\system32\Bclppboi.exe111⤵
- Drops file in System32 directory
PID:6068 -
C:\Windows\SysWOW64\Bihhhi32.exeC:\Windows\system32\Bihhhi32.exe112⤵PID:5128
-
C:\Windows\SysWOW64\Bmfqngcg.exeC:\Windows\system32\Bmfqngcg.exe113⤵PID:5244
-
C:\Windows\SysWOW64\Blknpdho.exeC:\Windows\system32\Blknpdho.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5360 -
C:\Windows\SysWOW64\Bedbhi32.exeC:\Windows\system32\Bedbhi32.exe115⤵
- Drops file in System32 directory
PID:5500 -
C:\Windows\SysWOW64\Cmmgof32.exeC:\Windows\system32\Cmmgof32.exe116⤵PID:5676
-
C:\Windows\SysWOW64\Cbjogmlf.exeC:\Windows\system32\Cbjogmlf.exe117⤵PID:2604
-
C:\Windows\SysWOW64\Cmpcdfll.exeC:\Windows\system32\Cmpcdfll.exe118⤵PID:3720
-
C:\Windows\SysWOW64\Cfhhml32.exeC:\Windows\system32\Cfhhml32.exe119⤵
- Modifies registry class
PID:5924 -
C:\Windows\SysWOW64\Cleqfb32.exeC:\Windows\system32\Cleqfb32.exe120⤵PID:6052
-
C:\Windows\SysWOW64\Cfjeckpj.exeC:\Windows\system32\Cfjeckpj.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5200
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-