Analysis
-
max time kernel
153s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
16-10-2023 18:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.bfe8142a0411b2528b4514583eab67e0.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.bfe8142a0411b2528b4514583eab67e0.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.bfe8142a0411b2528b4514583eab67e0.exe
-
Size
226KB
-
MD5
bfe8142a0411b2528b4514583eab67e0
-
SHA1
4c780c0c9ce9f069357fb51291867134f50600d4
-
SHA256
855649a4b6222cd62195ddff797f6494506a9f72c29a3d84debc82426f3de901
-
SHA512
f7acfaea1052f4326acba4349e05f1a57156c7c1428d501eca5961f3d4050284012f1158a6c861dc92e28bd8186f836abe71ec497cd554109253cf332d869898
-
SSDEEP
6144:slp+sUm/g7Rud5UXfxqySSKpRmSKeTk7eT5ABrnL8MdYg:egudG5IKrEAlnLAg
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifljcanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lifoia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndaaclac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnqdhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgiobadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jeenfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kffpcilf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipkhpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njalacon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bneancnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfioaaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aobpfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flqkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihjfolmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpccnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Haiagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpccnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikjjda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emnelbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emnelbdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiccle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kiccle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dendcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klmfmacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paihgboc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djocbqpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eikfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igqhpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igbqdlea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cancif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paihgboc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgklp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ceqjla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkdalb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lifoia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpnmoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kqncnjan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbggqfca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Beqogc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcgqgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlggjlep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eomdoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkfnln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihjfolmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgqkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlijan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Heedbbdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laccdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehjqif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjnoacdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkpppmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfnpgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fidmniqa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhjhdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdhdcnng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laccdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmabjfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aphjjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgjpaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhjhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfkkam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhfkihon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfmahkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khnqbhdi.exe -
Executes dropped EXE 64 IoCs
pid Process 2192 Jlhhndno.exe 3032 Ceeieced.exe 2736 Cpkmcldj.exe 2716 Dhkkbmnp.exe 1360 Dmojkc32.exe 2556 Ehmdgp32.exe 2544 Goiehm32.exe 1508 Iikifegp.exe 852 Jefpeh32.exe 2820 Kgclio32.exe 1144 Lgqkbb32.exe 1488 Mbcoio32.exe 2480 Pepcelel.exe 2852 Aakjdo32.exe 2364 Bjpaop32.exe 2232 Cnfqccna.exe 1860 Glchpp32.exe 1376 Iacjjacb.exe 1968 Kijkje32.exe 1612 Lkggmldl.exe 1804 Ljnqdhga.exe 1340 Mhhgpc32.exe 2380 Mneohj32.exe 2204 Nfgjml32.exe 2184 Nmabjfek.exe 1704 Oimmjffj.exe 1084 Pmmneg32.exe 2772 Aphjjf32.exe 3028 Aobpfb32.exe 2724 Dcdkef32.exe 2676 Djocbqpb.exe 2536 Dahkok32.exe 2548 Dhbdleol.exe 636 Eicpcm32.exe 328 Eikfdl32.exe 564 Gcgqgd32.exe 2828 Hjmlhbbg.exe 1672 Ifolhann.exe 1204 Igqhpj32.exe 2844 Khldkllj.exe 1544 Lidgcclp.exe 2064 Lkjmfjmi.exe 2108 Mkacfiga.exe 1656 Mgjpaj32.exe 888 Mlieoqgg.exe 2412 Nqbaic32.exe 2912 Hhfkihon.exe 880 Ifengpdh.exe 456 Ifgklp32.exe 672 Jgkdigfa.exe 2068 Kcmdjgbh.exe 2316 Lbgkfbbj.exe 2948 Ldhgnk32.exe 2440 Lmcilp32.exe 2576 Mlmoilni.exe 2604 Mgnfji32.exe 2900 Njalacon.exe 2708 Ocpfkh32.exe 2148 Oknhdjko.exe 2652 Obhpad32.exe 2960 Ppgcol32.exe 332 Piohgbng.exe 816 Pcdldknm.exe 1584 Pefhlcdk.exe -
Loads dropped DLL 64 IoCs
pid Process 2044 NEAS.bfe8142a0411b2528b4514583eab67e0.exe 2044 NEAS.bfe8142a0411b2528b4514583eab67e0.exe 2192 Jlhhndno.exe 2192 Jlhhndno.exe 3032 Ceeieced.exe 3032 Ceeieced.exe 2736 Cpkmcldj.exe 2736 Cpkmcldj.exe 2716 Dhkkbmnp.exe 2716 Dhkkbmnp.exe 1360 Dmojkc32.exe 1360 Dmojkc32.exe 2556 Ehmdgp32.exe 2556 Ehmdgp32.exe 2544 Goiehm32.exe 2544 Goiehm32.exe 1508 Iikifegp.exe 1508 Iikifegp.exe 852 Jefpeh32.exe 852 Jefpeh32.exe 2820 Kgclio32.exe 2820 Kgclio32.exe 1144 Lgqkbb32.exe 1144 Lgqkbb32.exe 1488 Mbcoio32.exe 1488 Mbcoio32.exe 2480 Pepcelel.exe 2480 Pepcelel.exe 2852 Aakjdo32.exe 2852 Aakjdo32.exe 2364 Bjpaop32.exe 2364 Bjpaop32.exe 2232 Cnfqccna.exe 2232 Cnfqccna.exe 1860 Glchpp32.exe 1860 Glchpp32.exe 1376 Iacjjacb.exe 1376 Iacjjacb.exe 1968 Kijkje32.exe 1968 Kijkje32.exe 1612 Lkggmldl.exe 1612 Lkggmldl.exe 1804 Ljnqdhga.exe 1804 Ljnqdhga.exe 1340 Mhhgpc32.exe 1340 Mhhgpc32.exe 2380 Mneohj32.exe 2380 Mneohj32.exe 2204 Nfgjml32.exe 2204 Nfgjml32.exe 2184 Nmabjfek.exe 2184 Nmabjfek.exe 1704 Oimmjffj.exe 1704 Oimmjffj.exe 1084 Pmmneg32.exe 1084 Pmmneg32.exe 2772 Aphjjf32.exe 2772 Aphjjf32.exe 3028 Aobpfb32.exe 3028 Aobpfb32.exe 2724 Dcdkef32.exe 2724 Dcdkef32.exe 2676 Djocbqpb.exe 2676 Djocbqpb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nfgjml32.exe Mneohj32.exe File created C:\Windows\SysWOW64\Efdmohmm.exe Eagdgaoe.exe File created C:\Windows\SysWOW64\Mpcjfa32.exe Kbonmjph.exe File opened for modification C:\Windows\SysWOW64\Pfnhkq32.exe Pmecbkgj.exe File opened for modification C:\Windows\SysWOW64\Ficilgai.exe Ekgfkl32.exe File created C:\Windows\SysWOW64\Oomlfpdi.exe Onlooh32.exe File opened for modification C:\Windows\SysWOW64\Lcqdidim.exe Khnqbhdi.exe File created C:\Windows\SysWOW64\Hhkakonn.exe Fioajqmb.exe File created C:\Windows\SysWOW64\Fnpeed32.dll Bjpaop32.exe File opened for modification C:\Windows\SysWOW64\Lgiobadq.exe Lekcffem.exe File created C:\Windows\SysWOW64\Lpejlf32.dll Oggghc32.exe File opened for modification C:\Windows\SysWOW64\Egchocif.exe Enjcfm32.exe File opened for modification C:\Windows\SysWOW64\Dpfpco32.exe Ceqlff32.exe File created C:\Windows\SysWOW64\Fefcmehe.exe Dnjalhpp.exe File created C:\Windows\SysWOW64\Lpfmefdc.exe Lilehl32.exe File opened for modification C:\Windows\SysWOW64\Pmecbkgj.exe Pdnkanfg.exe File created C:\Windows\SysWOW64\Mamjchoa.exe Mlikkbga.exe File created C:\Windows\SysWOW64\Fkonlh32.dll Jnlhbb32.exe File created C:\Windows\SysWOW64\Dcdkef32.exe Aobpfb32.exe File created C:\Windows\SysWOW64\Kmgdlnjc.dll Fpemhb32.exe File opened for modification C:\Windows\SysWOW64\Hjieapck.exe Fcoaebjc.exe File opened for modification C:\Windows\SysWOW64\Iijbnkne.exe Ipameehe.exe File created C:\Windows\SysWOW64\Blhkon32.exe Amlhmb32.exe File opened for modification C:\Windows\SysWOW64\Igbqdlea.exe Eqopfbfn.exe File created C:\Windows\SysWOW64\Mdpnaccc.dll Igbqdlea.exe File opened for modification C:\Windows\SysWOW64\Ndaaclac.exe Nlfmoidh.exe File opened for modification C:\Windows\SysWOW64\Peakkj32.exe Pjlgna32.exe File opened for modification C:\Windows\SysWOW64\Kkpekjie.exe Jdfqomom.exe File created C:\Windows\SysWOW64\Nndgeplo.exe Nchipb32.exe File created C:\Windows\SysWOW64\Eqopfbfn.exe Eomdoj32.exe File created C:\Windows\SysWOW64\Ickaaf32.exe Ipmeej32.exe File created C:\Windows\SysWOW64\Hgmamfed.dll Ehmdgp32.exe File created C:\Windows\SysWOW64\Mdkiio32.dll Mgnfji32.exe File created C:\Windows\SysWOW64\Odbhofjh.exe Omeged32.exe File opened for modification C:\Windows\SysWOW64\Kfnpgg32.exe Kgffpk32.exe File created C:\Windows\SysWOW64\Llmhgcfd.dll Flqkjo32.exe File created C:\Windows\SysWOW64\Cnacbj32.exe Cfkkam32.exe File created C:\Windows\SysWOW64\Bqnpke32.dll Ipkhpk32.exe File created C:\Windows\SysWOW64\Eqklhh32.exe Egchocif.exe File created C:\Windows\SysWOW64\Igehbokf.dll Eggajb32.exe File opened for modification C:\Windows\SysWOW64\Kqncnjan.exe Kfioaaah.exe File created C:\Windows\SysWOW64\Pikijafg.dll Mhhgpc32.exe File opened for modification C:\Windows\SysWOW64\Njmejaqb.exe Mkconepp.exe File created C:\Windows\SysWOW64\Okmpmg32.dll Qbggqfca.exe File created C:\Windows\SysWOW64\Pipklo32.exe Obffpa32.exe File created C:\Windows\SysWOW64\Icidlf32.exe Ipkhpk32.exe File created C:\Windows\SysWOW64\Kgkpck32.dll Pdnkanfg.exe File created C:\Windows\SysWOW64\Dnmada32.exe Peakkj32.exe File created C:\Windows\SysWOW64\Aeeafk32.dll Nljjqbfp.exe File opened for modification C:\Windows\SysWOW64\Oomlfpdi.exe Onlooh32.exe File created C:\Windows\SysWOW64\Icnnfilc.dll Ehbcnajn.exe File created C:\Windows\SysWOW64\Gfcqkafl.exe Gpihog32.exe File created C:\Windows\SysWOW64\Jlhhndno.exe NEAS.bfe8142a0411b2528b4514583eab67e0.exe File opened for modification C:\Windows\SysWOW64\Mbcoio32.exe Lgqkbb32.exe File created C:\Windows\SysWOW64\Kgffpk32.exe Kbjmhd32.exe File created C:\Windows\SysWOW64\Deeeafii.exe Dphmiokb.exe File opened for modification C:\Windows\SysWOW64\Ceeieced.exe Jlhhndno.exe File created C:\Windows\SysWOW64\Pmecbkgj.exe Pdnkanfg.exe File created C:\Windows\SysWOW64\Lgiobadq.exe Lekcffem.exe File created C:\Windows\SysWOW64\Okfmbm32.exe Nomphm32.exe File opened for modification C:\Windows\SysWOW64\Okfmbm32.exe Nomphm32.exe File created C:\Windows\SysWOW64\Eopcmb32.exe Ehaaei32.exe File created C:\Windows\SysWOW64\Odqknf32.dll Cfpgee32.exe File created C:\Windows\SysWOW64\Beqogc32.exe Boggkicf.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iilocklc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fikelhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nomphm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okfmbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edokna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Manjaldo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnoaan32.dll" Kcahjqfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offklp32.dll" Kfioaaah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkhdohnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Daplmimi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihnfpjjj.dll" Kmnnblmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Beqogc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnjkfei.dll" Cdmbiojc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gljdlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkkeeb32.dll" Qbidffao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boggkicf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icidlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibehna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Niednn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcoomf32.dll" Odnobj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onlooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjbmip32.dll" Hhfkihon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mepicf32.dll" Fhjhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbjeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghdmjc32.dll" Kqncnjan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cagpldqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ceeieced.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkacfiga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eopcmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeogmkbe.dll" Omeged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blhkon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkggmldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbnfjpai.dll" Pgjdmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcojbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mamjchoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdhdcnng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeeafk32.dll" Nljjqbfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khnqbhdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgjbbnaj.dll" Ldokhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lilehl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adioke32.dll" Dphmiokb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifgklp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Haiagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgqffm32.dll" Hnljkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbmbeehf.dll" Ickaaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mamjchoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpfpco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kffqqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnljkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpolmb32.dll" Ebekej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnedbof.dll" Ajnlqgfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmabjfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihjpll32.dll" Ifgklp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hggeeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgkqq32.dll" Ihjfolmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifflnb32.dll" Lifoia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffmcdhob.dll" Ljjhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfnhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Peiaij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oibiaa32.dll" Eopcmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khnqbhdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cajmbd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2044 wrote to memory of 2192 2044 NEAS.bfe8142a0411b2528b4514583eab67e0.exe 28 PID 2044 wrote to memory of 2192 2044 NEAS.bfe8142a0411b2528b4514583eab67e0.exe 28 PID 2044 wrote to memory of 2192 2044 NEAS.bfe8142a0411b2528b4514583eab67e0.exe 28 PID 2044 wrote to memory of 2192 2044 NEAS.bfe8142a0411b2528b4514583eab67e0.exe 28 PID 2192 wrote to memory of 3032 2192 Jlhhndno.exe 29 PID 2192 wrote to memory of 3032 2192 Jlhhndno.exe 29 PID 2192 wrote to memory of 3032 2192 Jlhhndno.exe 29 PID 2192 wrote to memory of 3032 2192 Jlhhndno.exe 29 PID 3032 wrote to memory of 2736 3032 Ceeieced.exe 30 PID 3032 wrote to memory of 2736 3032 Ceeieced.exe 30 PID 3032 wrote to memory of 2736 3032 Ceeieced.exe 30 PID 3032 wrote to memory of 2736 3032 Ceeieced.exe 30 PID 2736 wrote to memory of 2716 2736 Cpkmcldj.exe 31 PID 2736 wrote to memory of 2716 2736 Cpkmcldj.exe 31 PID 2736 wrote to memory of 2716 2736 Cpkmcldj.exe 31 PID 2736 wrote to memory of 2716 2736 Cpkmcldj.exe 31 PID 2716 wrote to memory of 1360 2716 Dhkkbmnp.exe 32 PID 2716 wrote to memory of 1360 2716 Dhkkbmnp.exe 32 PID 2716 wrote to memory of 1360 2716 Dhkkbmnp.exe 32 PID 2716 wrote to memory of 1360 2716 Dhkkbmnp.exe 32 PID 1360 wrote to memory of 2556 1360 Dmojkc32.exe 33 PID 1360 wrote to memory of 2556 1360 Dmojkc32.exe 33 PID 1360 wrote to memory of 2556 1360 Dmojkc32.exe 33 PID 1360 wrote to memory of 2556 1360 Dmojkc32.exe 33 PID 2556 wrote to memory of 2544 2556 Ehmdgp32.exe 34 PID 2556 wrote to memory of 2544 2556 Ehmdgp32.exe 34 PID 2556 wrote to memory of 2544 2556 Ehmdgp32.exe 34 PID 2556 wrote to memory of 2544 2556 Ehmdgp32.exe 34 PID 2544 wrote to memory of 1508 2544 Goiehm32.exe 35 PID 2544 wrote to memory of 1508 2544 Goiehm32.exe 35 PID 2544 wrote to memory of 1508 2544 Goiehm32.exe 35 PID 2544 wrote to memory of 1508 2544 Goiehm32.exe 35 PID 1508 wrote to memory of 852 1508 Iikifegp.exe 36 PID 1508 wrote to memory of 852 1508 Iikifegp.exe 36 PID 1508 wrote to memory of 852 1508 Iikifegp.exe 36 PID 1508 wrote to memory of 852 1508 Iikifegp.exe 36 PID 852 wrote to memory of 2820 852 Jefpeh32.exe 37 PID 852 wrote to memory of 2820 852 Jefpeh32.exe 37 PID 852 wrote to memory of 2820 852 Jefpeh32.exe 37 PID 852 wrote to memory of 2820 852 Jefpeh32.exe 37 PID 2820 wrote to memory of 1144 2820 Kgclio32.exe 38 PID 2820 wrote to memory of 1144 2820 Kgclio32.exe 38 PID 2820 wrote to memory of 1144 2820 Kgclio32.exe 38 PID 2820 wrote to memory of 1144 2820 Kgclio32.exe 38 PID 1144 wrote to memory of 1488 1144 Lgqkbb32.exe 39 PID 1144 wrote to memory of 1488 1144 Lgqkbb32.exe 39 PID 1144 wrote to memory of 1488 1144 Lgqkbb32.exe 39 PID 1144 wrote to memory of 1488 1144 Lgqkbb32.exe 39 PID 1488 wrote to memory of 2480 1488 Mbcoio32.exe 40 PID 1488 wrote to memory of 2480 1488 Mbcoio32.exe 40 PID 1488 wrote to memory of 2480 1488 Mbcoio32.exe 40 PID 1488 wrote to memory of 2480 1488 Mbcoio32.exe 40 PID 2480 wrote to memory of 2852 2480 Pepcelel.exe 41 PID 2480 wrote to memory of 2852 2480 Pepcelel.exe 41 PID 2480 wrote to memory of 2852 2480 Pepcelel.exe 41 PID 2480 wrote to memory of 2852 2480 Pepcelel.exe 41 PID 2852 wrote to memory of 2364 2852 Aakjdo32.exe 42 PID 2852 wrote to memory of 2364 2852 Aakjdo32.exe 42 PID 2852 wrote to memory of 2364 2852 Aakjdo32.exe 42 PID 2852 wrote to memory of 2364 2852 Aakjdo32.exe 42 PID 2364 wrote to memory of 2232 2364 Bjpaop32.exe 43 PID 2364 wrote to memory of 2232 2364 Bjpaop32.exe 43 PID 2364 wrote to memory of 2232 2364 Bjpaop32.exe 43 PID 2364 wrote to memory of 2232 2364 Bjpaop32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.bfe8142a0411b2528b4514583eab67e0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.bfe8142a0411b2528b4514583eab67e0.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Kgclio32.exeC:\Windows\system32\Kgclio32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Lgqkbb32.exeC:\Windows\system32\Lgqkbb32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Mbcoio32.exeC:\Windows\system32\Mbcoio32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Aakjdo32.exeC:\Windows\system32\Aakjdo32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Bjpaop32.exeC:\Windows\system32\Bjpaop32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Cnfqccna.exeC:\Windows\system32\Cnfqccna.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1376 -
C:\Windows\SysWOW64\Kijkje32.exeC:\Windows\system32\Kijkje32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Lkggmldl.exeC:\Windows\system32\Lkggmldl.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Ljnqdhga.exeC:\Windows\system32\Ljnqdhga.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Mhhgpc32.exeC:\Windows\system32\Mhhgpc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\Mneohj32.exeC:\Windows\system32\Mneohj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Nfgjml32.exeC:\Windows\system32\Nfgjml32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\Nmabjfek.exeC:\Windows\system32\Nmabjfek.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Oimmjffj.exeC:\Windows\system32\Oimmjffj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Pmmneg32.exeC:\Windows\system32\Pmmneg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1084 -
C:\Windows\SysWOW64\Aphjjf32.exeC:\Windows\system32\Aphjjf32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Aobpfb32.exeC:\Windows\system32\Aobpfb32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Dcdkef32.exeC:\Windows\system32\Dcdkef32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Djocbqpb.exeC:\Windows\system32\Djocbqpb.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Dahkok32.exeC:\Windows\system32\Dahkok32.exe33⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Dhbdleol.exeC:\Windows\system32\Dhbdleol.exe34⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Eicpcm32.exeC:\Windows\system32\Eicpcm32.exe35⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Eikfdl32.exeC:\Windows\system32\Eikfdl32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Gcgqgd32.exeC:\Windows\system32\Gcgqgd32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Hjmlhbbg.exeC:\Windows\system32\Hjmlhbbg.exe38⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Ifolhann.exeC:\Windows\system32\Ifolhann.exe39⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Igqhpj32.exeC:\Windows\system32\Igqhpj32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Khldkllj.exeC:\Windows\system32\Khldkllj.exe41⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Lidgcclp.exeC:\Windows\system32\Lidgcclp.exe42⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Lkjmfjmi.exeC:\Windows\system32\Lkjmfjmi.exe43⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Mkacfiga.exeC:\Windows\system32\Mkacfiga.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Mgjpaj32.exeC:\Windows\system32\Mgjpaj32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Mlieoqgg.exeC:\Windows\system32\Mlieoqgg.exe46⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Nqbaic32.exeC:\Windows\system32\Nqbaic32.exe47⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Hhfkihon.exeC:\Windows\system32\Hhfkihon.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Ifengpdh.exeC:\Windows\system32\Ifengpdh.exe49⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Ifgklp32.exeC:\Windows\system32\Ifgklp32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:456 -
C:\Windows\SysWOW64\Jgkdigfa.exeC:\Windows\system32\Jgkdigfa.exe51⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Kcmdjgbh.exeC:\Windows\system32\Kcmdjgbh.exe52⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Lbgkfbbj.exeC:\Windows\system32\Lbgkfbbj.exe53⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Ldhgnk32.exeC:\Windows\system32\Ldhgnk32.exe54⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Lmcilp32.exeC:\Windows\system32\Lmcilp32.exe55⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Mlmoilni.exeC:\Windows\system32\Mlmoilni.exe56⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Mgnfji32.exeC:\Windows\system32\Mgnfji32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Njalacon.exeC:\Windows\system32\Njalacon.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Ocpfkh32.exeC:\Windows\system32\Ocpfkh32.exe59⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Oknhdjko.exeC:\Windows\system32\Oknhdjko.exe60⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Obhpad32.exeC:\Windows\system32\Obhpad32.exe61⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Ppgcol32.exeC:\Windows\system32\Ppgcol32.exe62⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Piohgbng.exeC:\Windows\system32\Piohgbng.exe63⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Pcdldknm.exeC:\Windows\system32\Pcdldknm.exe64⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Pefhlcdk.exeC:\Windows\system32\Pefhlcdk.exe65⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Qlggjlep.exeC:\Windows\system32\Qlggjlep.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:932 -
C:\Windows\SysWOW64\Dbmkfh32.exeC:\Windows\system32\Dbmkfh32.exe67⤵
- Modifies registry class
PID:788 -
C:\Windows\SysWOW64\Dnjalhpp.exeC:\Windows\system32\Dnjalhpp.exe68⤵
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Fefcmehe.exeC:\Windows\system32\Fefcmehe.exe69⤵PID:2860
-
C:\Windows\SysWOW64\Flqkjo32.exeC:\Windows\system32\Flqkjo32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Fhjhdp32.exeC:\Windows\system32\Fhjhdp32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Fikelhib.exeC:\Windows\system32\Fikelhib.exe72⤵
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Fpemhb32.exeC:\Windows\system32\Fpemhb32.exe73⤵
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Gjjafkpe.exeC:\Windows\system32\Gjjafkpe.exe74⤵PID:2360
-
C:\Windows\SysWOW64\Gfcopl32.exeC:\Windows\system32\Gfcopl32.exe75⤵PID:2192
-
C:\Windows\SysWOW64\Ikjjda32.exeC:\Windows\system32\Ikjjda32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1420 -
C:\Windows\SysWOW64\Kffqqm32.exeC:\Windows\system32\Kffqqm32.exe77⤵
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Ljplkonl.exeC:\Windows\system32\Ljplkonl.exe78⤵PID:628
-
C:\Windows\SysWOW64\Manjaldo.exeC:\Windows\system32\Manjaldo.exe79⤵
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Nchipb32.exeC:\Windows\system32\Nchipb32.exe80⤵
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Nndgeplo.exeC:\Windows\system32\Nndgeplo.exe81⤵PID:2464
-
C:\Windows\SysWOW64\Odnobj32.exeC:\Windows\system32\Odnobj32.exe82⤵
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Oqjibkek.exeC:\Windows\system32\Oqjibkek.exe83⤵PID:924
-
C:\Windows\SysWOW64\Pdnkanfg.exeC:\Windows\system32\Pdnkanfg.exe84⤵
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Pmecbkgj.exeC:\Windows\system32\Pmecbkgj.exe85⤵
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Pfnhkq32.exeC:\Windows\system32\Pfnhkq32.exe86⤵
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Bpjnmlel.exeC:\Windows\system32\Bpjnmlel.exe87⤵PID:2448
-
C:\Windows\SysWOW64\Ceqjla32.exeC:\Windows\system32\Ceqjla32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Dnqhkcdo.exeC:\Windows\system32\Dnqhkcdo.exe89⤵PID:2732
-
C:\Windows\SysWOW64\Dncdqcbl.exeC:\Windows\system32\Dncdqcbl.exe90⤵PID:436
-
C:\Windows\SysWOW64\Dcpmijqc.exeC:\Windows\system32\Dcpmijqc.exe91⤵PID:1456
-
C:\Windows\SysWOW64\Eomdoj32.exeC:\Windows\system32\Eomdoj32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Eqopfbfn.exeC:\Windows\system32\Eqopfbfn.exe93⤵
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Igbqdlea.exeC:\Windows\system32\Igbqdlea.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1884 -
C:\Windows\SysWOW64\Kpgdnp32.exeC:\Windows\system32\Kpgdnp32.exe95⤵PID:2596
-
C:\Windows\SysWOW64\Lekcffem.exeC:\Windows\system32\Lekcffem.exe96⤵
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Lgiobadq.exeC:\Windows\system32\Lgiobadq.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2532 -
C:\Windows\SysWOW64\Lmfgkh32.exeC:\Windows\system32\Lmfgkh32.exe98⤵PID:1684
-
C:\Windows\SysWOW64\Lpddgd32.exeC:\Windows\system32\Lpddgd32.exe99⤵PID:2124
-
C:\Windows\SysWOW64\Ljjhdm32.exeC:\Windows\system32\Ljjhdm32.exe100⤵
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Mfqiingf.exeC:\Windows\system32\Mfqiingf.exe101⤵PID:2716
-
C:\Windows\SysWOW64\Mmkafhnb.exeC:\Windows\system32\Mmkafhnb.exe102⤵PID:2800
-
C:\Windows\SysWOW64\Nmmjjk32.exeC:\Windows\system32\Nmmjjk32.exe103⤵PID:968
-
C:\Windows\SysWOW64\Oggghc32.exeC:\Windows\system32\Oggghc32.exe104⤵
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Pamlel32.exeC:\Windows\system32\Pamlel32.exe105⤵PID:1620
-
C:\Windows\SysWOW64\Pgjdmc32.exeC:\Windows\system32\Pgjdmc32.exe106⤵
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Pmfmej32.exeC:\Windows\system32\Pmfmej32.exe107⤵PID:1124
-
C:\Windows\SysWOW64\Qbmhdp32.exeC:\Windows\system32\Qbmhdp32.exe108⤵PID:2380
-
C:\Windows\SysWOW64\Biiiempl.exeC:\Windows\system32\Biiiempl.exe109⤵PID:2204
-
C:\Windows\SysWOW64\Bneancnc.exeC:\Windows\system32\Bneancnc.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3064 -
C:\Windows\SysWOW64\Bbfgiabg.exeC:\Windows\system32\Bbfgiabg.exe111⤵PID:852
-
C:\Windows\SysWOW64\Dchpnd32.exeC:\Windows\system32\Dchpnd32.exe112⤵PID:2752
-
C:\Windows\SysWOW64\Jpcdqpqj.exeC:\Windows\system32\Jpcdqpqj.exe113⤵PID:1712
-
C:\Windows\SysWOW64\Mcfbfaao.exeC:\Windows\system32\Mcfbfaao.exe114⤵PID:652
-
C:\Windows\SysWOW64\Mdmhfpkg.exeC:\Windows\system32\Mdmhfpkg.exe115⤵PID:2004
-
C:\Windows\SysWOW64\Nfmahkhh.exeC:\Windows\system32\Nfmahkhh.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2784 -
C:\Windows\SysWOW64\Nljjqbfp.exeC:\Windows\system32\Nljjqbfp.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Nomphm32.exeC:\Windows\system32\Nomphm32.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Okfmbm32.exeC:\Windows\system32\Okfmbm32.exe119⤵
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Ogpjmn32.exeC:\Windows\system32\Ogpjmn32.exe120⤵PID:2420
-
C:\Windows\SysWOW64\Ollcee32.exeC:\Windows\system32\Ollcee32.exe121⤵PID:960
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-