Analysis
-
max time kernel
28s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231025-en -
resource tags
arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system -
submitted
28-10-2023 18:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.13200399371c01393cd01b9edbf88770.exe
Resource
win7-20231025-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.13200399371c01393cd01b9edbf88770.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.13200399371c01393cd01b9edbf88770.exe
-
Size
96KB
-
MD5
13200399371c01393cd01b9edbf88770
-
SHA1
37e08c74be3064ab25052d5b58b1440cde3cc5a7
-
SHA256
06c1e65c4e7d6db90374c8b827417ab0686f4f6efb20bad0da461cf4a35dfdba
-
SHA512
bba73c1b51d779e67587bf264a4749e70514a032a2d475d92fee1e92ef5cac4fbe89e96a164a5773202677fa018b16a5e439aaf57a80adf4144905e6066d7bf4
-
SSDEEP
1536:DdTYri6Gt1pEsMQ/scJ5gIJdjjnvgp23isPZ0Xm/BOmDCMy0QiLiizHNQNdq:DdTYrz89rJ9bvX/iXm5OmDCMyELiAHOi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdlkiepd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehakigbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baohhgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hddlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkacpihj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmmhaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olmhdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhladfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqcpob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmccjbaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aniimjbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eamilh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qqbecp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnkakl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpjhkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qijdocfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmgechbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enkpahon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdejhfig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjbjhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcnqanhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhilph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heglio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mofglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qqdbiopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcfefmnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odbeilbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfmjgeaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcagpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikefkcmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooqpdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkhldafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epgphcqd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffmkfifa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgalqkbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aganeoip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Candgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dodafoni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clgbno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cllkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fofpoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqnbhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgfcja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okfgfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilicig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cedpbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnmifk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpgpkcpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmldme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lflplbpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npijoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cafgle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdoghdmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbfhbeek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kklikejc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmibgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hebdfind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ceaadk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpmiig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oifdbb32.exe -
Executes dropped EXE 64 IoCs
pid Process 2128 Nkgbbo32.exe 2732 Nkiogn32.exe 2752 Npfgpe32.exe 2544 Ngpolo32.exe 1500 Olmhdf32.exe 1800 Ogblbo32.exe 892 Onmdoioa.exe 2968 Ocimgp32.exe 2608 Ojcecjee.exe 2772 Oopnlacm.exe 1716 Ohibdf32.exe 772 Obafnlpn.exe 844 Okikfagn.exe 1312 Pfoocjfd.exe 1960 Pklhlael.exe 576 Pkndaa32.exe 1144 Pnlqnl32.exe 1992 Pkpagq32.exe 2096 Pnomcl32.exe 436 Peiepfgg.exe 1764 Pmdjdh32.exe 568 Pgioaa32.exe 2212 Qimhoi32.exe 832 Qpgpkcpp.exe 2012 Aipddi32.exe 2416 Alnqqd32.exe 2612 Aefeijle.exe 1612 Ahdaee32.exe 2788 Aamfnkai.exe 2720 Albjlcao.exe 1272 Aaobdjof.exe 2548 Ajhgmpfg.exe 2684 Adpkee32.exe 2984 Amhpnkch.exe 1740 Bdbhke32.exe 2144 Bioqclil.exe 2188 Bdeeqehb.exe 2192 Bdgafdfp.exe 2488 Bblogakg.exe 2916 Bifgdk32.exe 1524 Bppoqeja.exe 936 Bemgilhh.exe 1268 Ccahbp32.exe 2316 Cdbdjhmp.exe 2352 Cklmgb32.exe 3044 Cafecmlj.exe 2148 Ceaadk32.exe 1660 Cgcmlcja.exe 1700 Cdgneh32.exe 1768 Ckafbbph.exe 1752 Cnobnmpl.exe 1584 Cdikkg32.exe 2348 Cjfccn32.exe 2792 Cldooj32.exe 2556 Dgjclbdi.exe 1812 Djhphncm.exe 2528 Dcadac32.exe 2848 Dfoqmo32.exe 2324 Dogefd32.exe 1032 Dbfabp32.exe 2036 Djmicm32.exe 564 Dknekeef.exe 344 Dbhnhp32.exe 1520 Dhbfdjdp.exe -
Loads dropped DLL 64 IoCs
pid Process 2604 NEAS.13200399371c01393cd01b9edbf88770.exe 2604 NEAS.13200399371c01393cd01b9edbf88770.exe 2128 Nkgbbo32.exe 2128 Nkgbbo32.exe 2732 Nkiogn32.exe 2732 Nkiogn32.exe 2752 Npfgpe32.exe 2752 Npfgpe32.exe 2544 Ngpolo32.exe 2544 Ngpolo32.exe 1500 Olmhdf32.exe 1500 Olmhdf32.exe 1800 Ogblbo32.exe 1800 Ogblbo32.exe 892 Onmdoioa.exe 892 Onmdoioa.exe 2968 Ocimgp32.exe 2968 Ocimgp32.exe 2608 Ojcecjee.exe 2608 Ojcecjee.exe 2772 Oopnlacm.exe 2772 Oopnlacm.exe 1716 Ohibdf32.exe 1716 Ohibdf32.exe 772 Obafnlpn.exe 772 Obafnlpn.exe 844 Okikfagn.exe 844 Okikfagn.exe 1312 Pfoocjfd.exe 1312 Pfoocjfd.exe 1960 Pklhlael.exe 1960 Pklhlael.exe 576 Pkndaa32.exe 576 Pkndaa32.exe 1144 Pnlqnl32.exe 1144 Pnlqnl32.exe 1992 Pkpagq32.exe 1992 Pkpagq32.exe 2096 Pnomcl32.exe 2096 Pnomcl32.exe 436 Peiepfgg.exe 436 Peiepfgg.exe 1764 Pmdjdh32.exe 1764 Pmdjdh32.exe 568 Pgioaa32.exe 568 Pgioaa32.exe 2212 Qimhoi32.exe 2212 Qimhoi32.exe 832 Qpgpkcpp.exe 832 Qpgpkcpp.exe 2012 Aipddi32.exe 2012 Aipddi32.exe 2416 Alnqqd32.exe 2416 Alnqqd32.exe 2612 Aefeijle.exe 2612 Aefeijle.exe 1612 Ahdaee32.exe 1612 Ahdaee32.exe 2788 Aamfnkai.exe 2788 Aamfnkai.exe 2720 Albjlcao.exe 2720 Albjlcao.exe 1272 Aaobdjof.exe 1272 Aaobdjof.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Qndigd32.exe Qfmafg32.exe File created C:\Windows\SysWOW64\Ccbpgj32.dll Hebdfind.exe File created C:\Windows\SysWOW64\Jpjngh32.exe Jnkakl32.exe File created C:\Windows\SysWOW64\Bdfiaojk.dll Gqnbhf32.exe File created C:\Windows\SysWOW64\Iaeegh32.exe Imiigiab.exe File created C:\Windows\SysWOW64\Qmbbdq32.dll Fbamma32.exe File created C:\Windows\SysWOW64\Cjakbabj.dll Pjnamh32.exe File created C:\Windows\SysWOW64\Aeqmqeba.dll Poapfn32.exe File created C:\Windows\SysWOW64\Hcabof32.dll Iggned32.exe File created C:\Windows\SysWOW64\Lahmbo32.exe Lklejh32.exe File created C:\Windows\SysWOW64\Mjcial32.dll Fqlicclo.exe File created C:\Windows\SysWOW64\Jkmeoa32.exe Jofejpmc.exe File opened for modification C:\Windows\SysWOW64\Fbamma32.exe Fglipi32.exe File created C:\Windows\SysWOW64\Jmihnd32.dll Ohcaoajg.exe File created C:\Windows\SysWOW64\Cjoffbmm.dll Eolmip32.exe File opened for modification C:\Windows\SysWOW64\Ekelld32.exe Edkcojga.exe File created C:\Windows\SysWOW64\Gjejlhlg.dll Fglipi32.exe File created C:\Windows\SysWOW64\Hfjiem32.dll Lclnemgd.exe File created C:\Windows\SysWOW64\Dhobddbf.exe Dphjcf32.exe File created C:\Windows\SysWOW64\Bfkifhib.exe Bbonei32.exe File created C:\Windows\SysWOW64\Oalfhf32.exe Oomjlk32.exe File created C:\Windows\SysWOW64\Qiladcdh.exe Qqeicede.exe File opened for modification C:\Windows\SysWOW64\Cafgle32.exe Cohkpj32.exe File opened for modification C:\Windows\SysWOW64\Ohcaoajg.exe Ocfigjlp.exe File opened for modification C:\Windows\SysWOW64\Cnobnmpl.exe Ckafbbph.exe File opened for modification C:\Windows\SysWOW64\Mieeibkn.exe Mffimglk.exe File created C:\Windows\SysWOW64\Imjcfnhk.dll Qbbhgi32.exe File created C:\Windows\SysWOW64\Ebodiofk.exe Ekelld32.exe File created C:\Windows\SysWOW64\Lbgafalg.dll Jocflgga.exe File created C:\Windows\SysWOW64\Mpjqiq32.exe Mmldme32.exe File created C:\Windows\SysWOW64\Dnjngk32.exe Ddajoelp.exe File created C:\Windows\SysWOW64\Bifgdk32.exe Bblogakg.exe File created C:\Windows\SysWOW64\Nhhbld32.dll Gljnej32.exe File created C:\Windows\SysWOW64\Jgqgle32.dll Delmmigh.exe File created C:\Windows\SysWOW64\Egmojnlf.exe Epbfmd32.exe File opened for modification C:\Windows\SysWOW64\Cldooj32.exe Cjfccn32.exe File opened for modification C:\Windows\SysWOW64\Fcjcfe32.exe Eqdajkkb.exe File created C:\Windows\SysWOW64\Jlephdnl.dll Nhdocl32.exe File opened for modification C:\Windows\SysWOW64\Odbeilbg.exe Npgihn32.exe File created C:\Windows\SysWOW64\Ebbgbdkh.dll Ojcecjee.exe File created C:\Windows\SysWOW64\Aganeoip.exe Aecaidjl.exe File opened for modification C:\Windows\SysWOW64\Cpkkjc32.exe Ciqcmiei.exe File created C:\Windows\SysWOW64\Ifkedenn.dll Fgnokb32.exe File opened for modification C:\Windows\SysWOW64\Ilicig32.exe Hbqoqbho.exe File created C:\Windows\SysWOW64\Jhljdm32.exe Jabbhcfe.exe File created C:\Windows\SysWOW64\Kqiaclhj.exe Kklikejc.exe File opened for modification C:\Windows\SysWOW64\Epbfmd32.exe Eapfagno.exe File created C:\Windows\SysWOW64\Fmcjhdbc.exe Fjdnlhco.exe File opened for modification C:\Windows\SysWOW64\Fdpkbf32.exe Ffmkfifa.exe File created C:\Windows\SysWOW64\Malllmgi.dll Kkaiqk32.exe File created C:\Windows\SysWOW64\Elfaifaq.exe Eflill32.exe File created C:\Windows\SysWOW64\Ndqbnp32.dll Pmdmmalf.exe File created C:\Windows\SysWOW64\Aidphq32.exe Anolkh32.exe File opened for modification C:\Windows\SysWOW64\Aamfnkai.exe Ahdaee32.exe File opened for modification C:\Windows\SysWOW64\Albjlcao.exe Aamfnkai.exe File opened for modification C:\Windows\SysWOW64\Dbfabp32.exe Dogefd32.exe File created C:\Windows\SysWOW64\Jfdnjb32.dll Gfhladfn.exe File created C:\Windows\SysWOW64\Epbfmd32.exe Eapfagno.exe File created C:\Windows\SysWOW64\Hifmbmda.exe Hfgafadm.exe File opened for modification C:\Windows\SysWOW64\Mlkail32.exe Mbcmpfhi.exe File created C:\Windows\SysWOW64\Bafple32.dll Hpjeialg.exe File created C:\Windows\SysWOW64\Pefgcifd.dll Fnkjhb32.exe File created C:\Windows\SysWOW64\Jocflgga.exe Idnaoohk.exe File created C:\Windows\SysWOW64\Cbfhib32.dll Qqbecp32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhdcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdgneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpggbq32.dll" Afiglkle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifab32.dll" Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijmkck32.dll" Candgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfgafadm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmbemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbkakib.dll" Pcfefmnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmgechbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmfdhojb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmikibio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnhdqdnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkacpihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jonpde32.dll" Pkpagq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbhfke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bekmle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edqocbkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eolmip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebhchpcd.dll" Hnkion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnkakl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbpdeogo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ceaadk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohhkjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bobhal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehmbng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jeadap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aeggbbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchgdg32.dll" Aeggbbci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffmkfifa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlhhndno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcefji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcojjmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ammmql32.dll" Onocmadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdlhjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nabkgh32.dll" Gcheib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhkiid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjgcb32.dll" Mbhjlbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cohkpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmbalfem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkkja32.dll" Ikefkcmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmmhaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgljgoi.dll" Pdaheq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcmiod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inahjg32.dll" Jkebjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kqknil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambnnc32.dll" Cadjgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhgoi32.dll" Jdehon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oalfhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dakmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fqlicclo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijmipn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehgbhbgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iefhhbef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdalp32.dll" Ngdifkpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iecdhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Daipqhdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mieeibkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndhipoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmccjbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Labehg32.dll" Mlkail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fglipi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnkjhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eamilh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2604 wrote to memory of 2128 2604 NEAS.13200399371c01393cd01b9edbf88770.exe 28 PID 2604 wrote to memory of 2128 2604 NEAS.13200399371c01393cd01b9edbf88770.exe 28 PID 2604 wrote to memory of 2128 2604 NEAS.13200399371c01393cd01b9edbf88770.exe 28 PID 2604 wrote to memory of 2128 2604 NEAS.13200399371c01393cd01b9edbf88770.exe 28 PID 2128 wrote to memory of 2732 2128 Nkgbbo32.exe 29 PID 2128 wrote to memory of 2732 2128 Nkgbbo32.exe 29 PID 2128 wrote to memory of 2732 2128 Nkgbbo32.exe 29 PID 2128 wrote to memory of 2732 2128 Nkgbbo32.exe 29 PID 2732 wrote to memory of 2752 2732 Nkiogn32.exe 30 PID 2732 wrote to memory of 2752 2732 Nkiogn32.exe 30 PID 2732 wrote to memory of 2752 2732 Nkiogn32.exe 30 PID 2732 wrote to memory of 2752 2732 Nkiogn32.exe 30 PID 2752 wrote to memory of 2544 2752 Npfgpe32.exe 34 PID 2752 wrote to memory of 2544 2752 Npfgpe32.exe 34 PID 2752 wrote to memory of 2544 2752 Npfgpe32.exe 34 PID 2752 wrote to memory of 2544 2752 Npfgpe32.exe 34 PID 2544 wrote to memory of 1500 2544 Ngpolo32.exe 33 PID 2544 wrote to memory of 1500 2544 Ngpolo32.exe 33 PID 2544 wrote to memory of 1500 2544 Ngpolo32.exe 33 PID 2544 wrote to memory of 1500 2544 Ngpolo32.exe 33 PID 1500 wrote to memory of 1800 1500 Olmhdf32.exe 31 PID 1500 wrote to memory of 1800 1500 Olmhdf32.exe 31 PID 1500 wrote to memory of 1800 1500 Olmhdf32.exe 31 PID 1500 wrote to memory of 1800 1500 Olmhdf32.exe 31 PID 1800 wrote to memory of 892 1800 Ogblbo32.exe 32 PID 1800 wrote to memory of 892 1800 Ogblbo32.exe 32 PID 1800 wrote to memory of 892 1800 Ogblbo32.exe 32 PID 1800 wrote to memory of 892 1800 Ogblbo32.exe 32 PID 892 wrote to memory of 2968 892 Onmdoioa.exe 35 PID 892 wrote to memory of 2968 892 Onmdoioa.exe 35 PID 892 wrote to memory of 2968 892 Onmdoioa.exe 35 PID 892 wrote to memory of 2968 892 Onmdoioa.exe 35 PID 2968 wrote to memory of 2608 2968 Ocimgp32.exe 36 PID 2968 wrote to memory of 2608 2968 Ocimgp32.exe 36 PID 2968 wrote to memory of 2608 2968 Ocimgp32.exe 36 PID 2968 wrote to memory of 2608 2968 Ocimgp32.exe 36 PID 2608 wrote to memory of 2772 2608 Ojcecjee.exe 37 PID 2608 wrote to memory of 2772 2608 Ojcecjee.exe 37 PID 2608 wrote to memory of 2772 2608 Ojcecjee.exe 37 PID 2608 wrote to memory of 2772 2608 Ojcecjee.exe 37 PID 2772 wrote to memory of 1716 2772 Oopnlacm.exe 38 PID 2772 wrote to memory of 1716 2772 Oopnlacm.exe 38 PID 2772 wrote to memory of 1716 2772 Oopnlacm.exe 38 PID 2772 wrote to memory of 1716 2772 Oopnlacm.exe 38 PID 1716 wrote to memory of 772 1716 Ohibdf32.exe 39 PID 1716 wrote to memory of 772 1716 Ohibdf32.exe 39 PID 1716 wrote to memory of 772 1716 Ohibdf32.exe 39 PID 1716 wrote to memory of 772 1716 Ohibdf32.exe 39 PID 772 wrote to memory of 844 772 Obafnlpn.exe 40 PID 772 wrote to memory of 844 772 Obafnlpn.exe 40 PID 772 wrote to memory of 844 772 Obafnlpn.exe 40 PID 772 wrote to memory of 844 772 Obafnlpn.exe 40 PID 844 wrote to memory of 1312 844 Okikfagn.exe 41 PID 844 wrote to memory of 1312 844 Okikfagn.exe 41 PID 844 wrote to memory of 1312 844 Okikfagn.exe 41 PID 844 wrote to memory of 1312 844 Okikfagn.exe 41 PID 1312 wrote to memory of 1960 1312 Pfoocjfd.exe 42 PID 1312 wrote to memory of 1960 1312 Pfoocjfd.exe 42 PID 1312 wrote to memory of 1960 1312 Pfoocjfd.exe 42 PID 1312 wrote to memory of 1960 1312 Pfoocjfd.exe 42 PID 1960 wrote to memory of 576 1960 Pklhlael.exe 43 PID 1960 wrote to memory of 576 1960 Pklhlael.exe 43 PID 1960 wrote to memory of 576 1960 Pklhlael.exe 43 PID 1960 wrote to memory of 576 1960 Pklhlael.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.13200399371c01393cd01b9edbf88770.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.13200399371c01393cd01b9edbf88770.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544
-
-
-
-
-
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Ojcecjee.exeC:\Windows\system32\Ojcecjee.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1144 -
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Peiepfgg.exeC:\Windows\system32\Peiepfgg.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:436 -
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Pgioaa32.exeC:\Windows\system32\Pgioaa32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568 -
C:\Windows\SysWOW64\Qimhoi32.exeC:\Windows\system32\Qimhoi32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Qpgpkcpp.exeC:\Windows\system32\Qpgpkcpp.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416 -
C:\Windows\SysWOW64\Aefeijle.exeC:\Windows\system32\Aefeijle.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Ahdaee32.exeC:\Windows\system32\Ahdaee32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Aamfnkai.exeC:\Windows\system32\Aamfnkai.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Aaobdjof.exeC:\Windows\system32\Aaobdjof.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1272 -
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe27⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Adpkee32.exeC:\Windows\system32\Adpkee32.exe28⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Amhpnkch.exeC:\Windows\system32\Amhpnkch.exe29⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe30⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Bioqclil.exeC:\Windows\system32\Bioqclil.exe31⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Bdeeqehb.exeC:\Windows\system32\Bdeeqehb.exe32⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Bdgafdfp.exeC:\Windows\system32\Bdgafdfp.exe33⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Bifgdk32.exeC:\Windows\system32\Bifgdk32.exe35⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Bppoqeja.exeC:\Windows\system32\Bppoqeja.exe36⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Bemgilhh.exeC:\Windows\system32\Bemgilhh.exe37⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Ccahbp32.exeC:\Windows\system32\Ccahbp32.exe38⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Cdbdjhmp.exeC:\Windows\system32\Cdbdjhmp.exe39⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Cklmgb32.exeC:\Windows\system32\Cklmgb32.exe40⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Cafecmlj.exeC:\Windows\system32\Cafecmlj.exe41⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Ceaadk32.exeC:\Windows\system32\Ceaadk32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Cgcmlcja.exeC:\Windows\system32\Cgcmlcja.exe43⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Cdgneh32.exeC:\Windows\system32\Cdgneh32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Ckafbbph.exeC:\Windows\system32\Ckafbbph.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1768 -
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe46⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Cdikkg32.exeC:\Windows\system32\Cdikkg32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Cjfccn32.exeC:\Windows\system32\Cjfccn32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Cldooj32.exeC:\Windows\system32\Cldooj32.exe49⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Dgjclbdi.exeC:\Windows\system32\Dgjclbdi.exe50⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Djhphncm.exeC:\Windows\system32\Djhphncm.exe51⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Dcadac32.exeC:\Windows\system32\Dcadac32.exe52⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Dfoqmo32.exeC:\Windows\system32\Dfoqmo32.exe53⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Dogefd32.exeC:\Windows\system32\Dogefd32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Dbfabp32.exeC:\Windows\system32\Dbfabp32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Djmicm32.exeC:\Windows\system32\Djmicm32.exe56⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Dknekeef.exeC:\Windows\system32\Dknekeef.exe57⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Dbhnhp32.exeC:\Windows\system32\Dbhnhp32.exe58⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Dhbfdjdp.exeC:\Windows\system32\Dhbfdjdp.exe59⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Dolnad32.exeC:\Windows\system32\Dolnad32.exe60⤵PID:1516
-
C:\Windows\SysWOW64\Dhdcji32.exeC:\Windows\system32\Dhdcji32.exe61⤵
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Dkcofe32.exeC:\Windows\system32\Dkcofe32.exe62⤵PID:3008
-
C:\Windows\SysWOW64\Enakbp32.exeC:\Windows\system32\Enakbp32.exe63⤵PID:1460
-
C:\Windows\SysWOW64\Edkcojga.exeC:\Windows\system32\Edkcojga.exe64⤵
- Drops file in System32 directory
PID:1344 -
C:\Windows\SysWOW64\Ekelld32.exeC:\Windows\system32\Ekelld32.exe65⤵
- Drops file in System32 directory
PID:396 -
C:\Windows\SysWOW64\Ebodiofk.exeC:\Windows\system32\Ebodiofk.exe66⤵PID:2052
-
C:\Windows\SysWOW64\Ednpej32.exeC:\Windows\system32\Ednpej32.exe67⤵PID:2200
-
C:\Windows\SysWOW64\Ekhhadmk.exeC:\Windows\system32\Ekhhadmk.exe68⤵PID:2448
-
C:\Windows\SysWOW64\Eqdajkkb.exeC:\Windows\system32\Eqdajkkb.exe69⤵
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Fcjcfe32.exeC:\Windows\system32\Fcjcfe32.exe70⤵PID:1616
-
C:\Windows\SysWOW64\Ffhpbacb.exeC:\Windows\system32\Ffhpbacb.exe71⤵PID:2380
-
C:\Windows\SysWOW64\Fpqdkf32.exeC:\Windows\system32\Fpqdkf32.exe72⤵PID:2716
-
C:\Windows\SysWOW64\Fglipi32.exeC:\Windows\system32\Fglipi32.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Fbamma32.exeC:\Windows\system32\Fbamma32.exe74⤵
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Fhneehek.exeC:\Windows\system32\Fhneehek.exe75⤵PID:2560
-
C:\Windows\SysWOW64\Fnhnbb32.exeC:\Windows\system32\Fnhnbb32.exe76⤵PID:2132
-
C:\Windows\SysWOW64\Febfomdd.exeC:\Windows\system32\Febfomdd.exe77⤵PID:1148
-
C:\Windows\SysWOW64\Fcefji32.exeC:\Windows\system32\Fcefji32.exe78⤵
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Fnkjhb32.exeC:\Windows\system32\Fnkjhb32.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Ghcoqh32.exeC:\Windows\system32\Ghcoqh32.exe80⤵PID:2840
-
C:\Windows\SysWOW64\Gmpgio32.exeC:\Windows\system32\Gmpgio32.exe81⤵PID:2020
-
C:\Windows\SysWOW64\Gdjpeifj.exeC:\Windows\system32\Gdjpeifj.exe82⤵PID:2948
-
C:\Windows\SysWOW64\Gfhladfn.exeC:\Windows\system32\Gfhladfn.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Ganpomec.exeC:\Windows\system32\Ganpomec.exe84⤵PID:632
-
C:\Windows\SysWOW64\Gbomfe32.exeC:\Windows\system32\Gbomfe32.exe85⤵PID:1060
-
C:\Windows\SysWOW64\Giieco32.exeC:\Windows\system32\Giieco32.exe86⤵PID:552
-
C:\Windows\SysWOW64\Gpcmpijk.exeC:\Windows\system32\Gpcmpijk.exe87⤵PID:1696
-
C:\Windows\SysWOW64\Gfmemc32.exeC:\Windows\system32\Gfmemc32.exe88⤵PID:2412
-
C:\Windows\SysWOW64\Gljnej32.exeC:\Windows\system32\Gljnej32.exe89⤵
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Gfobbc32.exeC:\Windows\system32\Gfobbc32.exe90⤵PID:612
-
C:\Windows\SysWOW64\Gebbnpfp.exeC:\Windows\system32\Gebbnpfp.exe91⤵PID:2224
-
C:\Windows\SysWOW64\Hojgfemq.exeC:\Windows\system32\Hojgfemq.exe92⤵PID:1244
-
C:\Windows\SysWOW64\Haiccald.exeC:\Windows\system32\Haiccald.exe93⤵PID:2160
-
C:\Windows\SysWOW64\Hkaglf32.exeC:\Windows\system32\Hkaglf32.exe94⤵PID:2700
-
C:\Windows\SysWOW64\Heglio32.exeC:\Windows\system32\Heglio32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2744 -
C:\Windows\SysWOW64\Hdlhjl32.exeC:\Windows\system32\Hdlhjl32.exe96⤵
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Hapicp32.exeC:\Windows\system32\Hapicp32.exe97⤵PID:2636
-
C:\Windows\SysWOW64\Hdqbekcm.exeC:\Windows\system32\Hdqbekcm.exe98⤵PID:2996
-
C:\Windows\SysWOW64\Iimjmbae.exeC:\Windows\system32\Iimjmbae.exe99⤵PID:2688
-
C:\Windows\SysWOW64\Iedkbc32.exeC:\Windows\system32\Iedkbc32.exe100⤵PID:1588
-
C:\Windows\SysWOW64\Inkccpgk.exeC:\Windows\system32\Inkccpgk.exe101⤵PID:2764
-
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe102⤵
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\Ioolqh32.exeC:\Windows\system32\Ioolqh32.exe103⤵PID:640
-
C:\Windows\SysWOW64\Iamimc32.exeC:\Windows\system32\Iamimc32.exe104⤵PID:1556
-
C:\Windows\SysWOW64\Ihgainbg.exeC:\Windows\system32\Ihgainbg.exe105⤵PID:1640
-
C:\Windows\SysWOW64\Ioaifhid.exeC:\Windows\system32\Ioaifhid.exe106⤵PID:1988
-
C:\Windows\SysWOW64\Idnaoohk.exeC:\Windows\system32\Idnaoohk.exe107⤵
- Drops file in System32 directory
PID:1228 -
C:\Windows\SysWOW64\Jocflgga.exeC:\Windows\system32\Jocflgga.exe108⤵
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Jabbhcfe.exeC:\Windows\system32\Jabbhcfe.exe109⤵
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Jhljdm32.exeC:\Windows\system32\Jhljdm32.exe110⤵PID:2616
-
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe111⤵PID:1724
-
C:\Windows\SysWOW64\Jhngjmlo.exeC:\Windows\system32\Jhngjmlo.exe112⤵PID:2248
-
C:\Windows\SysWOW64\Jkmcfhkc.exeC:\Windows\system32\Jkmcfhkc.exe113⤵PID:2116
-
C:\Windows\SysWOW64\Jbgkcb32.exeC:\Windows\system32\Jbgkcb32.exe114⤵PID:2728
-
C:\Windows\SysWOW64\Jdehon32.exeC:\Windows\system32\Jdehon32.exe115⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Jjbpgd32.exeC:\Windows\system32\Jjbpgd32.exe116⤵PID:1248
-
C:\Windows\SysWOW64\Jmplcp32.exeC:\Windows\system32\Jmplcp32.exe117⤵PID:1592
-
C:\Windows\SysWOW64\Jcjdpj32.exeC:\Windows\system32\Jcjdpj32.exe118⤵PID:2824
-
C:\Windows\SysWOW64\Jjdmmdnh.exeC:\Windows\system32\Jjdmmdnh.exe119⤵PID:2900
-
C:\Windows\SysWOW64\Joaeeklp.exeC:\Windows\system32\Joaeeklp.exe120⤵PID:876
-
C:\Windows\SysWOW64\Jghmfhmb.exeC:\Windows\system32\Jghmfhmb.exe121⤵PID:1216
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-