Analysis
-
max time kernel
38s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
13-10-2023 20:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.a15b97878313e854c4a9ca8aea110ac0.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.a15b97878313e854c4a9ca8aea110ac0.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.a15b97878313e854c4a9ca8aea110ac0.exe
-
Size
128KB
-
MD5
a15b97878313e854c4a9ca8aea110ac0
-
SHA1
8c4355399d1a8bb5b4bb3e2b4a794dfce2a25298
-
SHA256
71111023fa9626a0fb0be4c44711197b527def3e4b116b30cf46c0ef0d5b27b7
-
SHA512
fc53531a193336acc4ee1fba288b972739a944dddeff43f4277c00e60d54c5dbcbd5d94d884713457f055ba1feabb4f9d1c4806d901278248ffd8736d9d62b14
-
SSDEEP
3072:8vrR6LINHNVf2WPkegSJdEN0s4WE+3S9pui6yYPaI7DX:4rwUV9ZENm+3Mpui6yYPaI/
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gcmoda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Edaalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpepkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oninhgae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Olkfmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaoqqflp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgchgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Macilmnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kambcbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imiigiab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emgioakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nipdkieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cgaaah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaecod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kijkje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdadjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Foafdoag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekfpmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Homdhjai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeojcmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iakino32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifffkncm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccdmnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fccglehn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iocgfhhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnqjnhge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnqlmq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgaaah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mopbgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Difqji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iipejmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cblfdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mfokinhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcjcme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhbciaki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnkakl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Akiobk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dgeaoinb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeindm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gcjmmdbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjbeofpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamdkfnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dljmlj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdcpkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhcafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndlpdbnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biolanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpdnbbah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbdleol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fggmldfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddnfop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edlfhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdiondb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Feiddbbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgngbmjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difqji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbeded32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fleifl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mqklqhpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jenbjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Npdhaq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjihmmbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfpdkl32.exe -
Executes dropped EXE 64 IoCs
pid Process 3020 Ddnfop32.exe 3036 Dhplhc32.exe 2632 Dcfpel32.exe 2628 Ddiibc32.exe 2664 Edlfhc32.exe 2516 Egmojnlf.exe 2568 Elldgehk.exe 1600 Egahen32.exe 300 Eqjmncna.exe 2856 Fjbafi32.exe 760 Fcjeon32.exe 1948 Foafdoag.exe 1492 Foccjood.exe 1888 Fgadda32.exe 2076 Gbfiaj32.exe 588 Gqlebf32.exe 2328 Gjdjklek.exe 984 Gcmoda32.exe 2300 Gfmgelil.exe 2008 Gljpncgc.exe 1664 Hfpdkl32.exe 2000 Heealhla.exe 612 Hpjeialg.exe 2584 Hlafnbal.exe 1368 Hhhgcc32.exe 880 Hndlem32.exe 1464 Idadnd32.exe 1628 Imiigiab.exe 2692 Ifampo32.exe 3028 Iibfajdc.exe 2772 Ifffkncm.exe 2528 Ioakoq32.exe 2616 Iigpli32.exe 2564 Jodhdp32.exe 656 Jdaqmg32.exe 2976 Jdcmbgkj.exe 2168 Jnkakl32.exe 2816 Jhafhe32.exe 1968 Ljieppcb.exe 1048 Lgmeid32.exe 1844 Mfdopp32.exe 1804 Mejlalji.exe 1308 Mpopnejo.exe 2404 Mgjebg32.exe 476 Macilmnk.exe 2812 Maefamlh.exe 2444 Nmlgfnal.exe 1480 Nfdkoc32.exe 1884 Najpll32.exe 772 Nmqpam32.exe 2372 Njdqka32.exe 1032 Ndmecgba.exe 1616 Nenakoho.exe 1572 Noffdd32.exe 1716 Olkfmi32.exe 2792 Oioggmmc.exe 2708 Obgkpb32.exe 1040 Olophhjd.exe 3048 Ohfqmi32.exe 2640 Oanefo32.exe 2992 Ogknoe32.exe 1064 Oaqbln32.exe 2484 Pkifdd32.exe 1832 Ppfomk32.exe -
Loads dropped DLL 64 IoCs
pid Process 2456 NEAS.a15b97878313e854c4a9ca8aea110ac0.exe 2456 NEAS.a15b97878313e854c4a9ca8aea110ac0.exe 3020 Ddnfop32.exe 3020 Ddnfop32.exe 3036 Dhplhc32.exe 3036 Dhplhc32.exe 2632 Dcfpel32.exe 2632 Dcfpel32.exe 2628 Ddiibc32.exe 2628 Ddiibc32.exe 2664 Edlfhc32.exe 2664 Edlfhc32.exe 2516 Egmojnlf.exe 2516 Egmojnlf.exe 2568 Elldgehk.exe 2568 Elldgehk.exe 1600 Egahen32.exe 1600 Egahen32.exe 300 Eqjmncna.exe 300 Eqjmncna.exe 2856 Fjbafi32.exe 2856 Fjbafi32.exe 760 Fcjeon32.exe 760 Fcjeon32.exe 1948 Foafdoag.exe 1948 Foafdoag.exe 1492 Foccjood.exe 1492 Foccjood.exe 1888 Fgadda32.exe 1888 Fgadda32.exe 2076 Gbfiaj32.exe 2076 Gbfiaj32.exe 588 Gqlebf32.exe 588 Gqlebf32.exe 2328 Gjdjklek.exe 2328 Gjdjklek.exe 984 Gcmoda32.exe 984 Gcmoda32.exe 2300 Gfmgelil.exe 2300 Gfmgelil.exe 2008 Gljpncgc.exe 2008 Gljpncgc.exe 1664 Hfpdkl32.exe 1664 Hfpdkl32.exe 2000 Heealhla.exe 2000 Heealhla.exe 612 Hpjeialg.exe 612 Hpjeialg.exe 2584 Hlafnbal.exe 2584 Hlafnbal.exe 1368 Hhhgcc32.exe 1368 Hhhgcc32.exe 880 Hndlem32.exe 880 Hndlem32.exe 1464 Idadnd32.exe 1464 Idadnd32.exe 1628 Imiigiab.exe 1628 Imiigiab.exe 2692 Ifampo32.exe 2692 Ifampo32.exe 3028 Iibfajdc.exe 3028 Iibfajdc.exe 2772 Ifffkncm.exe 2772 Ifffkncm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nqnpei32.dll Iibfajdc.exe File opened for modification C:\Windows\SysWOW64\Faonom32.exe Fkefbcmf.exe File created C:\Windows\SysWOW64\Glbaei32.exe Gcjmmdbf.exe File opened for modification C:\Windows\SysWOW64\Onfabgch.exe Biiljjnk.exe File created C:\Windows\SysWOW64\Behjbjcf.dll Kkgahoel.exe File created C:\Windows\SysWOW64\Qoblpdnf.dll Adifpk32.exe File created C:\Windows\SysWOW64\Gdgqdaoh.dll Cbblda32.exe File opened for modification C:\Windows\SysWOW64\Cagienkb.exe Ckjamgmk.exe File opened for modification C:\Windows\SysWOW64\Edaalk32.exe Emgioakg.exe File opened for modification C:\Windows\SysWOW64\Gcmamj32.exe Gkalhgfd.exe File opened for modification C:\Windows\SysWOW64\Mopbgn32.exe Mhfjjdjf.exe File created C:\Windows\SysWOW64\Pkfope32.dll Inhanl32.exe File opened for modification C:\Windows\SysWOW64\Agpeaa32.exe Adaiee32.exe File opened for modification C:\Windows\SysWOW64\Iocgfhhc.exe Hbofmcij.exe File created C:\Windows\SysWOW64\Oaigib32.exe Ogabql32.exe File created C:\Windows\SysWOW64\Paiaplin.exe Phqmgg32.exe File opened for modification C:\Windows\SysWOW64\Fapeic32.exe Flclam32.exe File opened for modification C:\Windows\SysWOW64\Ifgicg32.exe Iiqldc32.exe File created C:\Windows\SysWOW64\Jlnjjadh.dll Jjnhhjjk.exe File created C:\Windows\SysWOW64\Acejfl32.dll Kpfplo32.exe File opened for modification C:\Windows\SysWOW64\Lgkkmm32.exe Lanbdf32.exe File created C:\Windows\SysWOW64\Pmehdh32.exe Oejcpf32.exe File created C:\Windows\SysWOW64\Kneoni32.dll Dlgjldnm.exe File created C:\Windows\SysWOW64\Odifibfn.dll Fkefbcmf.exe File opened for modification C:\Windows\SysWOW64\Obgkpb32.exe Oioggmmc.exe File opened for modification C:\Windows\SysWOW64\Foolgh32.exe Feggob32.exe File created C:\Windows\SysWOW64\Njfaognh.dll Fggmldfp.exe File created C:\Windows\SysWOW64\Nhpfip32.dll Gcjmmdbf.exe File created C:\Windows\SysWOW64\Mejlalji.exe Mfdopp32.exe File opened for modification C:\Windows\SysWOW64\Kpojkp32.exe Jpmmfp32.exe File opened for modification C:\Windows\SysWOW64\Jpgmpk32.exe Jfohgepi.exe File created C:\Windows\SysWOW64\Kdbbgdjj.exe Kgnbnpkp.exe File created C:\Windows\SysWOW64\Jncnhl32.dll Mfjann32.exe File created C:\Windows\SysWOW64\Bjmeiq32.exe Bdqlajbb.exe File opened for modification C:\Windows\SysWOW64\Ckjamgmk.exe Cepipm32.exe File created C:\Windows\SysWOW64\Oejcpf32.exe Onqkclni.exe File opened for modification C:\Windows\SysWOW64\Ponklpcg.exe Piabdiep.exe File opened for modification C:\Windows\SysWOW64\Lpqlemaj.exe Kmkihbho.exe File created C:\Windows\SysWOW64\Nmlnjo32.dll Amcbankf.exe File created C:\Windows\SysWOW64\Ccdmnj32.exe Clmdmm32.exe File opened for modification C:\Windows\SysWOW64\Mfjann32.exe Mclebc32.exe File opened for modification C:\Windows\SysWOW64\Nplimbka.exe Nlnpgd32.exe File created C:\Windows\SysWOW64\Gdnfjl32.exe Gncnmane.exe File created C:\Windows\SysWOW64\Dqkhngff.dll Gbfiaj32.exe File opened for modification C:\Windows\SysWOW64\Cnnnnh32.exe Ciaefa32.exe File created C:\Windows\SysWOW64\Hilcfe32.dll Daplkmbg.exe File opened for modification C:\Windows\SysWOW64\Ifpcchai.exe Iacjjacb.exe File created C:\Windows\SysWOW64\Mflgih32.exe Mobomnoq.exe File opened for modification C:\Windows\SysWOW64\Mhjcec32.exe Mflgih32.exe File created C:\Windows\SysWOW64\Hgeefjhh.dll Hadcipbi.exe File opened for modification C:\Windows\SysWOW64\Kambcbhb.exe Jpjifjdg.exe File created C:\Windows\SysWOW64\Hhhgcc32.exe Hlafnbal.exe File created C:\Windows\SysWOW64\Agjobffl.exe Alqnah32.exe File opened for modification C:\Windows\SysWOW64\Egajnfoe.exe Eaebeoan.exe File opened for modification C:\Windows\SysWOW64\Pioeoi32.exe Ppfafcpb.exe File created C:\Windows\SysWOW64\Njdqka32.exe Nmqpam32.exe File created C:\Windows\SysWOW64\Kjokokha.exe Kdbbgdjj.exe File created C:\Windows\SysWOW64\Fdekpjbk.dll Khadpa32.exe File opened for modification C:\Windows\SysWOW64\Mokilo32.exe Ljnqdhga.exe File created C:\Windows\SysWOW64\Apoahgqd.dll Pioeoi32.exe File created C:\Windows\SysWOW64\Nohaklfk.exe Mhninb32.exe File opened for modification C:\Windows\SysWOW64\Hifpke32.exe Hcigco32.exe File opened for modification C:\Windows\SysWOW64\Poklngnf.exe Pecgea32.exe File created C:\Windows\SysWOW64\Cfeepelg.exe Cnnnnh32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldmffpom.dll" Afgmodel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qlfdac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Igebkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmobfna.dll" Gcmamj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdekpjbk.dll" Khadpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmacdgo.dll" Nkkmgncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmplbgpm.dll" Ijaaae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naffihgj.dll" Ddnfop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Olkfmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fleifl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojefmknj.dll" Pofkha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Alnalh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eicpcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Olkfmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Olophhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojefcohi.dll" Djgkii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll" Cgaaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okqcnknc.dll" Eeiheo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mqjefamk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bnapnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifolhann.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbbmeon.dll" Kjokokha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnjeilhc.dll" Kgclio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lbcbjlmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kielkojm.dll" Macilmnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjnalhgb.dll" Cfpldf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cagienkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll" Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmaebf32.dll" Jdcpkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phcgcahd.dll" Nhbciaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbdpeq32.dll" Mfdopp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odchbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aqbdkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mffbkj32.dll" Gdnfjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Neiaeiii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fcpacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acejfl32.dll" Kpfplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkaobghp.dll" Iipejmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Giipab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgnbnpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edpijbip.dll" Fglfgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbadjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ldjbkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdapnj32.dll" Nfgjml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcdlhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefcmp32.dll" Popgboae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbogkjn.dll" Ifolhann.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbmfgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aaejojjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcgpm32.dll" Lgchgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnlno32.dll" Gdegfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gkalhgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jpepkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nfbjhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfomkg32.dll" Hndlem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbhmhk32.dll" Jigbebhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oejcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqdekgib.dll" Dbabho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Afdiondb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jaecod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nmofdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdkid32.dll" Nlnpgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Paiaplin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lnqjnhge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2456 wrote to memory of 3020 2456 NEAS.a15b97878313e854c4a9ca8aea110ac0.exe 28 PID 2456 wrote to memory of 3020 2456 NEAS.a15b97878313e854c4a9ca8aea110ac0.exe 28 PID 2456 wrote to memory of 3020 2456 NEAS.a15b97878313e854c4a9ca8aea110ac0.exe 28 PID 2456 wrote to memory of 3020 2456 NEAS.a15b97878313e854c4a9ca8aea110ac0.exe 28 PID 3020 wrote to memory of 3036 3020 Ddnfop32.exe 29 PID 3020 wrote to memory of 3036 3020 Ddnfop32.exe 29 PID 3020 wrote to memory of 3036 3020 Ddnfop32.exe 29 PID 3020 wrote to memory of 3036 3020 Ddnfop32.exe 29 PID 3036 wrote to memory of 2632 3036 Dhplhc32.exe 30 PID 3036 wrote to memory of 2632 3036 Dhplhc32.exe 30 PID 3036 wrote to memory of 2632 3036 Dhplhc32.exe 30 PID 3036 wrote to memory of 2632 3036 Dhplhc32.exe 30 PID 2632 wrote to memory of 2628 2632 Dcfpel32.exe 31 PID 2632 wrote to memory of 2628 2632 Dcfpel32.exe 31 PID 2632 wrote to memory of 2628 2632 Dcfpel32.exe 31 PID 2632 wrote to memory of 2628 2632 Dcfpel32.exe 31 PID 2628 wrote to memory of 2664 2628 Ddiibc32.exe 32 PID 2628 wrote to memory of 2664 2628 Ddiibc32.exe 32 PID 2628 wrote to memory of 2664 2628 Ddiibc32.exe 32 PID 2628 wrote to memory of 2664 2628 Ddiibc32.exe 32 PID 2664 wrote to memory of 2516 2664 Edlfhc32.exe 33 PID 2664 wrote to memory of 2516 2664 Edlfhc32.exe 33 PID 2664 wrote to memory of 2516 2664 Edlfhc32.exe 33 PID 2664 wrote to memory of 2516 2664 Edlfhc32.exe 33 PID 2516 wrote to memory of 2568 2516 Egmojnlf.exe 34 PID 2516 wrote to memory of 2568 2516 Egmojnlf.exe 34 PID 2516 wrote to memory of 2568 2516 Egmojnlf.exe 34 PID 2516 wrote to memory of 2568 2516 Egmojnlf.exe 34 PID 2568 wrote to memory of 1600 2568 Elldgehk.exe 35 PID 2568 wrote to memory of 1600 2568 Elldgehk.exe 35 PID 2568 wrote to memory of 1600 2568 Elldgehk.exe 35 PID 2568 wrote to memory of 1600 2568 Elldgehk.exe 35 PID 1600 wrote to memory of 300 1600 Egahen32.exe 39 PID 1600 wrote to memory of 300 1600 Egahen32.exe 39 PID 1600 wrote to memory of 300 1600 Egahen32.exe 39 PID 1600 wrote to memory of 300 1600 Egahen32.exe 39 PID 300 wrote to memory of 2856 300 Eqjmncna.exe 38 PID 300 wrote to memory of 2856 300 Eqjmncna.exe 38 PID 300 wrote to memory of 2856 300 Eqjmncna.exe 38 PID 300 wrote to memory of 2856 300 Eqjmncna.exe 38 PID 2856 wrote to memory of 760 2856 Fjbafi32.exe 37 PID 2856 wrote to memory of 760 2856 Fjbafi32.exe 37 PID 2856 wrote to memory of 760 2856 Fjbafi32.exe 37 PID 2856 wrote to memory of 760 2856 Fjbafi32.exe 37 PID 760 wrote to memory of 1948 760 Fcjeon32.exe 36 PID 760 wrote to memory of 1948 760 Fcjeon32.exe 36 PID 760 wrote to memory of 1948 760 Fcjeon32.exe 36 PID 760 wrote to memory of 1948 760 Fcjeon32.exe 36 PID 1948 wrote to memory of 1492 1948 Foafdoag.exe 40 PID 1948 wrote to memory of 1492 1948 Foafdoag.exe 40 PID 1948 wrote to memory of 1492 1948 Foafdoag.exe 40 PID 1948 wrote to memory of 1492 1948 Foafdoag.exe 40 PID 1492 wrote to memory of 1888 1492 Foccjood.exe 41 PID 1492 wrote to memory of 1888 1492 Foccjood.exe 41 PID 1492 wrote to memory of 1888 1492 Foccjood.exe 41 PID 1492 wrote to memory of 1888 1492 Foccjood.exe 41 PID 1888 wrote to memory of 2076 1888 Fgadda32.exe 42 PID 1888 wrote to memory of 2076 1888 Fgadda32.exe 42 PID 1888 wrote to memory of 2076 1888 Fgadda32.exe 42 PID 1888 wrote to memory of 2076 1888 Fgadda32.exe 42 PID 2076 wrote to memory of 588 2076 Gbfiaj32.exe 43 PID 2076 wrote to memory of 588 2076 Gbfiaj32.exe 43 PID 2076 wrote to memory of 588 2076 Gbfiaj32.exe 43 PID 2076 wrote to memory of 588 2076 Gbfiaj32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.a15b97878313e854c4a9ca8aea110ac0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.a15b97878313e854c4a9ca8aea110ac0.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Ddnfop32.exeC:\Windows\system32\Ddnfop32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Dhplhc32.exeC:\Windows\system32\Dhplhc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Ddiibc32.exeC:\Windows\system32\Ddiibc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Egmojnlf.exeC:\Windows\system32\Egmojnlf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Eqjmncna.exeC:\Windows\system32\Eqjmncna.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:300
-
-
-
-
C:\Windows\SysWOW64\Ahmpfc32.exeC:\Windows\system32\Ahmpfc32.exe8⤵PID:3768
-
C:\Windows\SysWOW64\Apheke32.exeC:\Windows\system32\Apheke32.exe9⤵PID:4988
-
C:\Windows\SysWOW64\Afamgpga.exeC:\Windows\system32\Afamgpga.exe10⤵PID:1348
-
C:\Windows\SysWOW64\Bpahad32.exeC:\Windows\system32\Bpahad32.exe11⤵PID:4532
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Gbfiaj32.exeC:\Windows\system32\Gbfiaj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:588 -
C:\Windows\SysWOW64\Gjdjklek.exeC:\Windows\system32\Gjdjklek.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:612 -
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1368 -
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Ioakoq32.exeC:\Windows\system32\Ioakoq32.exe21⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe22⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe23⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Jdaqmg32.exeC:\Windows\system32\Jdaqmg32.exe24⤵
- Executes dropped EXE
PID:656 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe25⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe27⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe28⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe29⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Mfdopp32.exeC:\Windows\system32\Mfdopp32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe31⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe32⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe33⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:476 -
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe35⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe36⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe37⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe38⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:772 -
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe40⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe41⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe42⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe43⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe46⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe48⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe49⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe50⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe51⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe52⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe53⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe54⤵
- Drops file in System32 directory
PID:108 -
C:\Windows\SysWOW64\Poklngnf.exeC:\Windows\system32\Poklngnf.exe55⤵PID:1292
-
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe56⤵PID:540
-
C:\Windows\SysWOW64\Plaimk32.exeC:\Windows\system32\Plaimk32.exe57⤵PID:944
-
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe58⤵PID:2312
-
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe59⤵PID:336
-
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe60⤵PID:1432
-
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe61⤵
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Aopahjll.exeC:\Windows\system32\Aopahjll.exe62⤵PID:112
-
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe63⤵
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe64⤵PID:2020
-
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:892 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe66⤵PID:1748
-
C:\Windows\SysWOW64\Bbeded32.exeC:\Windows\system32\Bbeded32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2368 -
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3044 -
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2636 -
C:\Windows\SysWOW64\Bkbaii32.exeC:\Windows\system32\Bkbaii32.exe70⤵PID:2324
-
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe71⤵PID:2696
-
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe72⤵PID:2960
-
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe73⤵
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe74⤵
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:564 -
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe76⤵
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Cnnnnh32.exeC:\Windows\system32\Cnnnnh32.exe77⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe78⤵PID:1160
-
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe79⤵PID:936
-
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1732 -
C:\Windows\SysWOW64\Difnaqih.exeC:\Windows\system32\Difnaqih.exe81⤵PID:2068
-
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe82⤵
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe83⤵PID:1096
-
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe84⤵PID:1636
-
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe85⤵PID:1344
-
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe86⤵PID:320
-
C:\Windows\SysWOW64\Dphmloih.exeC:\Windows\system32\Dphmloih.exe87⤵PID:2396
-
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe88⤵PID:2464
-
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2876 -
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe90⤵
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe91⤵
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Hjofdi32.exeC:\Windows\system32\Hjofdi32.exe92⤵PID:2660
-
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe93⤵PID:2504
-
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe94⤵
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Hifpke32.exeC:\Windows\system32\Hifpke32.exe95⤵PID:2480
-
C:\Windows\SysWOW64\Hpphhp32.exeC:\Windows\system32\Hpphhp32.exe96⤵PID:2828
-
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe97⤵PID:2852
-
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe98⤵PID:1848
-
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe99⤵
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Iimfld32.exeC:\Windows\system32\Iimfld32.exe100⤵PID:2488
-
C:\Windows\SysWOW64\Ijnbcmkk.exeC:\Windows\system32\Ijnbcmkk.exe101⤵PID:2560
-
C:\Windows\SysWOW64\Ihbcmaje.exeC:\Windows\system32\Ihbcmaje.exe102⤵PID:1360
-
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe103⤵PID:324
-
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe104⤵PID:1812
-
C:\Windows\SysWOW64\Ifgpnmom.exeC:\Windows\system32\Ifgpnmom.exe105⤵PID:1820
-
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1056 -
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe107⤵PID:2936
-
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1472 -
C:\Windows\SysWOW64\Jfliim32.exeC:\Windows\system32\Jfliim32.exe109⤵PID:1556
-
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2060 -
C:\Windows\SysWOW64\Jpgjgboe.exeC:\Windows\system32\Jpgjgboe.exe111⤵PID:3056
-
C:\Windows\SysWOW64\Jolghndm.exeC:\Windows\system32\Jolghndm.exe112⤵PID:2508
-
C:\Windows\SysWOW64\Jajcdjca.exeC:\Windows\system32\Jajcdjca.exe113⤵PID:2292
-
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe114⤵PID:2968
-
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe115⤵PID:1608
-
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe116⤵PID:2412
-
C:\Windows\SysWOW64\Kkgahoel.exeC:\Windows\system32\Kkgahoel.exe117⤵
- Drops file in System32 directory
PID:1324 -
C:\Windows\SysWOW64\Kpdjaecc.exeC:\Windows\system32\Kpdjaecc.exe118⤵PID:852
-
C:\Windows\SysWOW64\Kgnbnpkp.exeC:\Windows\system32\Kgnbnpkp.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:808 -
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe120⤵
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe121⤵
- Modifies registry class
PID:2124
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-