Analysis
-
max time kernel
160s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
22-10-2023 17:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.da68ceab943600f66469320f3a9cacf0.exe
Resource
win7-20231020-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.da68ceab943600f66469320f3a9cacf0.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.da68ceab943600f66469320f3a9cacf0.exe
-
Size
42KB
-
MD5
da68ceab943600f66469320f3a9cacf0
-
SHA1
2a16d1ac9fd11ca7800f43f5be26285bc561553c
-
SHA256
2ca4bcee0c68cf3202c0eff600127ec33281035a839b3cdd16b41b4fd39580d8
-
SHA512
e7e3b322fb5272ed1ff5a970659d5d88751926f9f3f5a16e0cc501ccf84e01e6dd7d6590f1ee390e0a6524b419dc2b9854aed2e983b658abfce2c22ffdc35e33
-
SSDEEP
768:/xipWZiaDWELYlh3pm0/i40+/IPlS0vt24Bjv3C/N/BfcC+mT/1H5e/:/cWZiaDWELYlh3p9i4Nwk0PvSV/BfGw+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Linfpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgckoofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Malmllfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhikhefb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiioon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fefpfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkggel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqhiab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljfapjbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflmpebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnimeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejgeogmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knhjjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikapdqoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgjgepqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hekefkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nabopjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dopfpkng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbenpqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpfpco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcqombic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hofjem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knohpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhhfgcgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkelcenm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbhpddbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgfdjfkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mghfdcdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hechkfkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joepjokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lahaqm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdnihiad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlqdmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfqmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehpalp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neiaeiii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbqgolpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfnneb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmjdaqgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjljij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llbqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhogaamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqipkhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqipkhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfegjknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcodcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iflhjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lddjmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liqcei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdjihgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmhpfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfoqephq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmijajbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgjcdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaahmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aknlofim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efeoedjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omlahqeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hchbcmlh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klgpmgod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbkkepio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhcehngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mllhne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kekkkm32.exe -
Executes dropped EXE 64 IoCs
pid Process 2024 Nfnneb32.exe 1684 Ooicid32.exe 2668 Obdojcef.exe 2712 Oioggmmc.exe 2596 Odhhgkib.exe 2728 Omqlpp32.exe 2636 Ohfqmi32.exe 1704 Ogknoe32.exe 676 Pilfpqaa.exe 1312 Pcdkif32.exe 1368 Pphkbj32.exe 1584 Plolgk32.exe 1644 Pciddedl.exe 2748 Phfmllbd.exe 860 Pkdihhag.exe 2084 Pejmfqan.exe 2416 Qobbofgn.exe 2176 Qfljkp32.exe 2396 Qkibcg32.exe 1996 Qackpado.exe 1928 Ajnpecbj.exe 1808 Aknlofim.exe 1868 Amohfo32.exe 1060 Anneqafn.exe 1564 Ackmih32.exe 2508 Ajeeeblb.exe 1792 Aflfjc32.exe 2192 Aijbfo32.exe 1804 Bcpgdhpp.exe 1492 Beackp32.exe 1692 Bkklhjnk.exe 2164 Bfqpecma.exe 2672 Bkpeci32.exe 1216 Bnnaoe32.exe 2820 Bmcnqama.exe 2560 Bcmfmlen.exe 2580 Cpdgbm32.exe 3056 Cfnoogbo.exe 476 Cmhglq32.exe 1916 Cbepdhgc.exe 284 Cjlheehe.exe 760 Cmjdaqgi.exe 1512 Cpiqmlfm.exe 1480 Cbgmigeq.exe 1524 Ceeieced.exe 2916 Cfeepelg.exe 1832 Cpmjhk32.exe 1736 Cblfdg32.exe 2400 Dejbqb32.exe 2428 Dhiomn32.exe 1000 Ddpobo32.exe 1316 Doecog32.exe 2476 Dmhdkdlg.exe 1936 Dmjqpdje.exe 2052 Dphmloih.exe 1756 Dknajh32.exe 2516 Dahifbpk.exe 1228 Ddfebnoo.exe 2172 Elajgpmj.exe 2532 Eggndi32.exe 2680 Eiekpd32.exe 2584 Ecnoijbd.exe 2572 Elfcbo32.exe 3052 Ecploipa.exe -
Loads dropped DLL 64 IoCs
pid Process 2296 NEAS.da68ceab943600f66469320f3a9cacf0.exe 2296 NEAS.da68ceab943600f66469320f3a9cacf0.exe 2024 Nfnneb32.exe 2024 Nfnneb32.exe 1684 Ooicid32.exe 1684 Ooicid32.exe 2668 Obdojcef.exe 2668 Obdojcef.exe 2712 Oioggmmc.exe 2712 Oioggmmc.exe 2596 Odhhgkib.exe 2596 Odhhgkib.exe 2728 Omqlpp32.exe 2728 Omqlpp32.exe 2636 Ohfqmi32.exe 2636 Ohfqmi32.exe 1704 Ogknoe32.exe 1704 Ogknoe32.exe 676 Pilfpqaa.exe 676 Pilfpqaa.exe 1312 Pcdkif32.exe 1312 Pcdkif32.exe 1368 Pphkbj32.exe 1368 Pphkbj32.exe 1584 Plolgk32.exe 1584 Plolgk32.exe 1644 Pciddedl.exe 1644 Pciddedl.exe 2748 Phfmllbd.exe 2748 Phfmllbd.exe 860 Pkdihhag.exe 860 Pkdihhag.exe 2084 Pejmfqan.exe 2084 Pejmfqan.exe 2416 Qobbofgn.exe 2416 Qobbofgn.exe 2176 Qfljkp32.exe 2176 Qfljkp32.exe 2396 Qkibcg32.exe 2396 Qkibcg32.exe 1996 Qackpado.exe 1996 Qackpado.exe 1928 Ajnpecbj.exe 1928 Ajnpecbj.exe 1808 Aknlofim.exe 1808 Aknlofim.exe 1868 Amohfo32.exe 1868 Amohfo32.exe 1060 Anneqafn.exe 1060 Anneqafn.exe 1564 Ackmih32.exe 1564 Ackmih32.exe 2508 Ajeeeblb.exe 2508 Ajeeeblb.exe 1792 Aflfjc32.exe 1792 Aflfjc32.exe 2192 Aijbfo32.exe 2192 Aijbfo32.exe 1804 Bcpgdhpp.exe 1804 Bcpgdhpp.exe 1492 Beackp32.exe 1492 Beackp32.exe 1692 Bkklhjnk.exe 1692 Bkklhjnk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hqhiab32.exe Hnimeg32.exe File created C:\Windows\SysWOW64\Jhgnbehe.exe Ifceemdj.exe File created C:\Windows\SysWOW64\Mcinbihe.dll Kppohf32.exe File created C:\Windows\SysWOW64\Caligc32.exe Conmkh32.exe File created C:\Windows\SysWOW64\Dmhdkdlg.exe Doecog32.exe File created C:\Windows\SysWOW64\Pmpbdm32.exe Pgfjhcge.exe File created C:\Windows\SysWOW64\Cofohkgi.exe Cqcomn32.exe File created C:\Windows\SysWOW64\Hbblpf32.exe Hgmhcm32.exe File created C:\Windows\SysWOW64\Moelgh32.dll Efjklh32.exe File created C:\Windows\SysWOW64\Hmefad32.exe Hijjpeha.exe File created C:\Windows\SysWOW64\Laknfmgd.exe Lkafib32.exe File created C:\Windows\SysWOW64\Kikokf32.exe Kjhopjqi.exe File created C:\Windows\SysWOW64\Ijppackl.dll Cmjdaqgi.exe File created C:\Windows\SysWOW64\Ghbhhnhk.exe Gdflgo32.exe File created C:\Windows\SysWOW64\Feobac32.exe Facfpddd.exe File opened for modification C:\Windows\SysWOW64\Jcmhmp32.exe Jaolad32.exe File created C:\Windows\SysWOW64\Ogjbid32.dll Eogmcjef.exe File created C:\Windows\SysWOW64\Oefdbdjo.dll Obmnna32.exe File created C:\Windows\SysWOW64\Hjdjbd32.dll Hememgdi.exe File created C:\Windows\SysWOW64\Befddlni.dll Ckkenikc.exe File created C:\Windows\SysWOW64\Mojaceln.exe Mqgahh32.exe File created C:\Windows\SysWOW64\Lbnbpcde.dll Jbbenlof.exe File created C:\Windows\SysWOW64\Kdoaackf.exe Kmeiei32.exe File opened for modification C:\Windows\SysWOW64\Eqmbca32.exe Ehfjbd32.exe File created C:\Windows\SysWOW64\Mjkgjl32.exe Mcqombic.exe File created C:\Windows\SysWOW64\Nmlfpfpl.dll Aohdmdoh.exe File opened for modification C:\Windows\SysWOW64\Glpbiaqg.exe Giafmfad.exe File created C:\Windows\SysWOW64\Ohopjjqj.dll Flphccbp.exe File created C:\Windows\SysWOW64\Pfmmge32.dll Hfmbfkhf.exe File opened for modification C:\Windows\SysWOW64\Kikpgk32.exe Kcahjqfa.exe File created C:\Windows\SysWOW64\Qlnghj32.exe Pojgnf32.exe File created C:\Windows\SysWOW64\Qpabid32.dll Hhjhgpcn.exe File created C:\Windows\SysWOW64\Cilbnian.dll Cpccnp32.exe File created C:\Windows\SysWOW64\Dbnddjom.dll Ecbfmm32.exe File created C:\Windows\SysWOW64\Elpldp32.exe Ehdpcahk.exe File created C:\Windows\SysWOW64\Gailehfk.dll Hdpqhc32.exe File created C:\Windows\SysWOW64\Hocmpm32.exe Ghidcceo.exe File created C:\Windows\SysWOW64\Dlchfp32.exe Dgfpni32.exe File opened for modification C:\Windows\SysWOW64\Dmalmdcg.exe Dfgdpj32.exe File created C:\Windows\SysWOW64\Ocaiehfo.dll Gnenfjdh.exe File created C:\Windows\SysWOW64\Nndhpqma.exe Mkelcenm.exe File created C:\Windows\SysWOW64\Jhckimed.dll Amdmkb32.exe File created C:\Windows\SysWOW64\Aijbfo32.exe Aflfjc32.exe File created C:\Windows\SysWOW64\Jbhcim32.exe Jlnklcej.exe File created C:\Windows\SysWOW64\Edbminqj.dll Cbfhjfdk.exe File created C:\Windows\SysWOW64\Ijcbdhqk.dll Kfopdk32.exe File opened for modification C:\Windows\SysWOW64\Lhbjmg32.exe Lednal32.exe File opened for modification C:\Windows\SysWOW64\Ckdnpicb.exe Chfadndo.exe File opened for modification C:\Windows\SysWOW64\Epflbbpp.exe Engpfgql.exe File created C:\Windows\SysWOW64\Qcield32.dll Gijplg32.exe File created C:\Windows\SysWOW64\Glpgibbn.exe Fllaopcg.exe File created C:\Windows\SysWOW64\Nflpan32.dll Nikkkn32.exe File created C:\Windows\SysWOW64\Amponajh.dll Cpiqmlfm.exe File created C:\Windows\SysWOW64\Fijbkbjk.dll Ehpalp32.exe File created C:\Windows\SysWOW64\Lfimpl32.dll Fmjkbfnh.exe File opened for modification C:\Windows\SysWOW64\Ldndng32.exe Lndlamke.exe File created C:\Windows\SysWOW64\Macnjk32.exe Mkiemqdo.exe File created C:\Windows\SysWOW64\Pkknha32.dll Okkfoikl.exe File opened for modification C:\Windows\SysWOW64\Ajeeeblb.exe Ackmih32.exe File opened for modification C:\Windows\SysWOW64\Knaeeo32.exe Kkciic32.exe File opened for modification C:\Windows\SysWOW64\Jnbifl32.exe Jkcmjpma.exe File created C:\Windows\SysWOW64\Endbib32.dll Cdfgmnpa.exe File created C:\Windows\SysWOW64\Dpaqmnap.exe Dncdqcbl.exe File created C:\Windows\SysWOW64\Mieiglio.dll Fjqhef32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipdolbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilmlfcel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbldcifi.dll" Hjpnjheg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcodcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcgpm32.dll" Mkndhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopako32.dll" Iqllghon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emdpcf32.dll" Hechkfkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgjpcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpfll32.dll" Hclhjpjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioefdpne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffiepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijbjpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbnbpcde.dll" Jbbenlof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbbdemnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node NEAS.da68ceab943600f66469320f3a9cacf0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkfocaki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gklkdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efjklh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcfohlmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cneiki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pladek32.dll" Dmalmdcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebghkjjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eigbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmeqilpj.dll" Kfnmnojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dflmpebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ialadj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcfioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchjfo32.dll" Neibanod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lohiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noieei32.dll" Ehdpcahk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niqcoabo.dll" Fefpfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcinbihe.dll" Kppohf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Benbbcmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aknlofim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfebhg32.dll" Nlcibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iionacad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efeaqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giafmfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcqombic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcbedm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gopnca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejnqkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkfkidmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdfmlc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaaoqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekkcanhb.dll" Kkilgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfopdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eefdgeig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmcceiaj.dll" Cconcjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdmdnmic.dll" Knkbimbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poajppaa.dll" Jdlacfca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lodnjboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnodjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcmhmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idgglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmdfe32.dll" Joepjokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimoek32.dll" Jgbmco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghenfkp.dll" Bgfdjfkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Faimkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkqeij32.dll" Hgmhcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paknelgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghmnmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejlnjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flbehbqm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2296 wrote to memory of 2024 2296 NEAS.da68ceab943600f66469320f3a9cacf0.exe 27 PID 2296 wrote to memory of 2024 2296 NEAS.da68ceab943600f66469320f3a9cacf0.exe 27 PID 2296 wrote to memory of 2024 2296 NEAS.da68ceab943600f66469320f3a9cacf0.exe 27 PID 2296 wrote to memory of 2024 2296 NEAS.da68ceab943600f66469320f3a9cacf0.exe 27 PID 2024 wrote to memory of 1684 2024 Nfnneb32.exe 28 PID 2024 wrote to memory of 1684 2024 Nfnneb32.exe 28 PID 2024 wrote to memory of 1684 2024 Nfnneb32.exe 28 PID 2024 wrote to memory of 1684 2024 Nfnneb32.exe 28 PID 1684 wrote to memory of 2668 1684 Ooicid32.exe 29 PID 1684 wrote to memory of 2668 1684 Ooicid32.exe 29 PID 1684 wrote to memory of 2668 1684 Ooicid32.exe 29 PID 1684 wrote to memory of 2668 1684 Ooicid32.exe 29 PID 2668 wrote to memory of 2712 2668 Obdojcef.exe 30 PID 2668 wrote to memory of 2712 2668 Obdojcef.exe 30 PID 2668 wrote to memory of 2712 2668 Obdojcef.exe 30 PID 2668 wrote to memory of 2712 2668 Obdojcef.exe 30 PID 2712 wrote to memory of 2596 2712 Oioggmmc.exe 31 PID 2712 wrote to memory of 2596 2712 Oioggmmc.exe 31 PID 2712 wrote to memory of 2596 2712 Oioggmmc.exe 31 PID 2712 wrote to memory of 2596 2712 Oioggmmc.exe 31 PID 2596 wrote to memory of 2728 2596 Odhhgkib.exe 32 PID 2596 wrote to memory of 2728 2596 Odhhgkib.exe 32 PID 2596 wrote to memory of 2728 2596 Odhhgkib.exe 32 PID 2596 wrote to memory of 2728 2596 Odhhgkib.exe 32 PID 2728 wrote to memory of 2636 2728 Omqlpp32.exe 33 PID 2728 wrote to memory of 2636 2728 Omqlpp32.exe 33 PID 2728 wrote to memory of 2636 2728 Omqlpp32.exe 33 PID 2728 wrote to memory of 2636 2728 Omqlpp32.exe 33 PID 2636 wrote to memory of 1704 2636 Ohfqmi32.exe 34 PID 2636 wrote to memory of 1704 2636 Ohfqmi32.exe 34 PID 2636 wrote to memory of 1704 2636 Ohfqmi32.exe 34 PID 2636 wrote to memory of 1704 2636 Ohfqmi32.exe 34 PID 1704 wrote to memory of 676 1704 Ogknoe32.exe 35 PID 1704 wrote to memory of 676 1704 Ogknoe32.exe 35 PID 1704 wrote to memory of 676 1704 Ogknoe32.exe 35 PID 1704 wrote to memory of 676 1704 Ogknoe32.exe 35 PID 676 wrote to memory of 1312 676 Pilfpqaa.exe 36 PID 676 wrote to memory of 1312 676 Pilfpqaa.exe 36 PID 676 wrote to memory of 1312 676 Pilfpqaa.exe 36 PID 676 wrote to memory of 1312 676 Pilfpqaa.exe 36 PID 1312 wrote to memory of 1368 1312 Pcdkif32.exe 37 PID 1312 wrote to memory of 1368 1312 Pcdkif32.exe 37 PID 1312 wrote to memory of 1368 1312 Pcdkif32.exe 37 PID 1312 wrote to memory of 1368 1312 Pcdkif32.exe 37 PID 1368 wrote to memory of 1584 1368 Pphkbj32.exe 38 PID 1368 wrote to memory of 1584 1368 Pphkbj32.exe 38 PID 1368 wrote to memory of 1584 1368 Pphkbj32.exe 38 PID 1368 wrote to memory of 1584 1368 Pphkbj32.exe 38 PID 1584 wrote to memory of 1644 1584 Plolgk32.exe 39 PID 1584 wrote to memory of 1644 1584 Plolgk32.exe 39 PID 1584 wrote to memory of 1644 1584 Plolgk32.exe 39 PID 1584 wrote to memory of 1644 1584 Plolgk32.exe 39 PID 1644 wrote to memory of 2748 1644 Pciddedl.exe 40 PID 1644 wrote to memory of 2748 1644 Pciddedl.exe 40 PID 1644 wrote to memory of 2748 1644 Pciddedl.exe 40 PID 1644 wrote to memory of 2748 1644 Pciddedl.exe 40 PID 2748 wrote to memory of 860 2748 Phfmllbd.exe 41 PID 2748 wrote to memory of 860 2748 Phfmllbd.exe 41 PID 2748 wrote to memory of 860 2748 Phfmllbd.exe 41 PID 2748 wrote to memory of 860 2748 Phfmllbd.exe 41 PID 860 wrote to memory of 2084 860 Pkdihhag.exe 42 PID 860 wrote to memory of 2084 860 Pkdihhag.exe 42 PID 860 wrote to memory of 2084 860 Pkdihhag.exe 42 PID 860 wrote to memory of 2084 860 Pkdihhag.exe 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.da68ceab943600f66469320f3a9cacf0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.da68ceab943600f66469320f3a9cacf0.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Pkdihhag.exeC:\Windows\system32\Pkdihhag.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416 -
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Aknlofim.exeC:\Windows\system32\Aknlofim.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1868 -
C:\Windows\SysWOW64\Anneqafn.exeC:\Windows\system32\Anneqafn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1060 -
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1792 -
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Bfqpecma.exeC:\Windows\system32\Bfqpecma.exe33⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Bkpeci32.exeC:\Windows\system32\Bkpeci32.exe34⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe35⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe36⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe37⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe38⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe39⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe40⤵
- Executes dropped EXE
PID:476 -
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe41⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Cjlheehe.exeC:\Windows\system32\Cjlheehe.exe42⤵
- Executes dropped EXE
PID:284 -
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:760 -
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe45⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe46⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe47⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe48⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe49⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe50⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe51⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe52⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1316 -
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe54⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe55⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Dphmloih.exeC:\Windows\system32\Dphmloih.exe56⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Dknajh32.exeC:\Windows\system32\Dknajh32.exe57⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe58⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe59⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe60⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe61⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe62⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe63⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Elfcbo32.exeC:\Windows\system32\Elfcbo32.exe64⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe65⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe66⤵PID:304
-
C:\Windows\SysWOW64\Eogmcjef.exeC:\Windows\system32\Eogmcjef.exe67⤵
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe69⤵PID:568
-
C:\Windows\SysWOW64\Hakkgc32.exeC:\Windows\system32\Hakkgc32.exe70⤵PID:1232
-
C:\Windows\SysWOW64\Hpphhp32.exeC:\Windows\system32\Hpphhp32.exe71⤵PID:2788
-
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe72⤵
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Ilnomp32.exeC:\Windows\system32\Ilnomp32.exe73⤵PID:2040
-
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe74⤵PID:2332
-
C:\Windows\SysWOW64\Idicbbpi.exeC:\Windows\system32\Idicbbpi.exe75⤵PID:1144
-
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe76⤵PID:1624
-
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe77⤵PID:1004
-
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe78⤵PID:2448
-
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe79⤵PID:2368
-
C:\Windows\SysWOW64\Jmfafgbd.exeC:\Windows\system32\Jmfafgbd.exe80⤵PID:992
-
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe81⤵PID:1372
-
C:\Windows\SysWOW64\Jeafjiop.exeC:\Windows\system32\Jeafjiop.exe82⤵PID:2440
-
C:\Windows\SysWOW64\Jpgjgboe.exeC:\Windows\system32\Jpgjgboe.exe83⤵PID:2088
-
C:\Windows\SysWOW64\Jhbold32.exeC:\Windows\system32\Jhbold32.exe84⤵PID:2868
-
C:\Windows\SysWOW64\Jlnklcej.exeC:\Windows\system32\Jlnklcej.exe85⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Jbhcim32.exeC:\Windows\system32\Jbhcim32.exe86⤵PID:2064
-
C:\Windows\SysWOW64\Jhdlad32.exeC:\Windows\system32\Jhdlad32.exe87⤵PID:2616
-
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe88⤵PID:812
-
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe89⤵PID:1676
-
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe90⤵PID:2244
-
C:\Windows\SysWOW64\Kaompi32.exeC:\Windows\system32\Kaompi32.exe91⤵PID:1760
-
C:\Windows\SysWOW64\Kdnild32.exeC:\Windows\system32\Kdnild32.exe92⤵PID:1396
-
C:\Windows\SysWOW64\Kocmim32.exeC:\Windows\system32\Kocmim32.exe93⤵PID:2036
-
C:\Windows\SysWOW64\Khkbbc32.exeC:\Windows\system32\Khkbbc32.exe94⤵PID:1556
-
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:436 -
C:\Windows\SysWOW64\Kpgffe32.exeC:\Windows\system32\Kpgffe32.exe96⤵PID:1100
-
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe97⤵PID:1036
-
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe98⤵PID:560
-
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe99⤵PID:3020
-
C:\Windows\SysWOW64\Kffldlne.exeC:\Windows\system32\Kffldlne.exe100⤵PID:1816
-
C:\Windows\SysWOW64\Lonpma32.exeC:\Windows\system32\Lonpma32.exe101⤵PID:1616
-
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2716 -
C:\Windows\SysWOW64\Ljfapjbi.exeC:\Windows\system32\Ljfapjbi.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2876 -
C:\Windows\SysWOW64\Lcofio32.exeC:\Windows\system32\Lcofio32.exe104⤵PID:2604
-
C:\Windows\SysWOW64\Lhknaf32.exeC:\Windows\system32\Lhknaf32.exe105⤵PID:580
-
C:\Windows\SysWOW64\Lnhgim32.exeC:\Windows\system32\Lnhgim32.exe106⤵PID:592
-
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe107⤵PID:2152
-
C:\Windows\SysWOW64\Lnjcomcf.exeC:\Windows\system32\Lnjcomcf.exe108⤵PID:1048
-
C:\Windows\SysWOW64\Lqipkhbj.exeC:\Windows\system32\Lqipkhbj.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2652 -
C:\Windows\SysWOW64\Mkndhabp.exeC:\Windows\system32\Mkndhabp.exe110⤵
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Mqklqhpg.exeC:\Windows\system32\Mqklqhpg.exe111⤵PID:2304
-
C:\Windows\SysWOW64\Mcjhmcok.exeC:\Windows\system32\Mcjhmcok.exe112⤵PID:400
-
C:\Windows\SysWOW64\Mjcaimgg.exeC:\Windows\system32\Mjcaimgg.exe113⤵PID:956
-
C:\Windows\SysWOW64\Mmbmeifk.exeC:\Windows\system32\Mmbmeifk.exe114⤵PID:2316
-
C:\Windows\SysWOW64\Mdiefffn.exeC:\Windows\system32\Mdiefffn.exe115⤵PID:2504
-
C:\Windows\SysWOW64\Mjfnomde.exeC:\Windows\system32\Mjfnomde.exe116⤵PID:1976
-
C:\Windows\SysWOW64\Mmdjkhdh.exeC:\Windows\system32\Mmdjkhdh.exe117⤵PID:2848
-
C:\Windows\SysWOW64\Mgjnhaco.exeC:\Windows\system32\Mgjnhaco.exe118⤵PID:2256
-
C:\Windows\SysWOW64\Mfmndn32.exeC:\Windows\system32\Mfmndn32.exe119⤵PID:2128
-
C:\Windows\SysWOW64\Mikjpiim.exeC:\Windows\system32\Mikjpiim.exe120⤵PID:2968
-
C:\Windows\SysWOW64\Mmgfqh32.exeC:\Windows\system32\Mmgfqh32.exe121⤵PID:3040
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-