Analysis
-
max time kernel
22s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
01/11/2023, 05:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.c5489d5bc28f93d430875b843606a040.exe
Resource
win7-20231020-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.c5489d5bc28f93d430875b843606a040.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.c5489d5bc28f93d430875b843606a040.exe
-
Size
55KB
-
MD5
c5489d5bc28f93d430875b843606a040
-
SHA1
e688aa080abf3fcc902a1200c13209c700f48ece
-
SHA256
2ad3c53c8d61850ffa1d040537e4cd8e1a4c617e9a108f9e2b19af41d01961f3
-
SHA512
ec3285ae74feed1e61a2926493f1623ce2a63d3e735b3afb483a669439aecb6051a53b83398bab129f177c7c533a9400706bee97b711869c38bcb943c82b294a
-
SSDEEP
768:9BFpjg1pkHFtmax9HjJoxBhLVq0pGpSqAl63t4vTQJ1lvNflDJZ/1H57zXdnh:1ps1pSvfoxBzq0mSqN3t3J1lvNfzNx
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opnpimdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fafcdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfikmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmdgbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeadap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abfnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjekfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enakbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhajdblk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphjcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefamlak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ledibnco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcpofbjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmmkcoap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpbbdfik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okojkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpekon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naalga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgegok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgbafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfgngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpjgifpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekknjcfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onecbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqamje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfhfab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnfblgca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkofjijm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anafhopc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dggcffhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlpkdkkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnalad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjdmmdnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meicnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikhjki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqnejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkjapglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooclji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkiefp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnjdhmdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfobbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgagfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jchhkjhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcbhee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmfhil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjdhbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eknkpbdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fafcdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbqbaofc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cafecmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inifnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqilooij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajbggjfq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chhldeho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glbqje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gppipc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmifhq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjdhmdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gepehphc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iapebchh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kebgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdkgocpm.exe -
Executes dropped EXE 64 IoCs
pid Process 3000 Oddpfc32.exe 2740 Ogeigofa.exe 2700 Ombapedi.exe 2868 Oopnlacm.exe 2052 Ojfaijcc.exe 2620 Omdneebf.exe 2448 Onhgbmfb.exe 1916 Pnjdhmdo.exe 2832 Pbhmnkjf.exe 2528 Pciifc32.exe 1844 Pjcabmga.exe 1948 Pclfkc32.exe 2524 Pnajilng.exe 1352 Pflomnkb.exe 2796 Qmfgjh32.exe 2272 Qcpofbjl.exe 1616 Qjjgclai.exe 2252 Alnqqd32.exe 1144 Aehboi32.exe 1620 Ahgnke32.exe 952 Anafhopc.exe 1044 Adnopfoj.exe 2492 Alegac32.exe 3016 Amfcikek.exe 2164 Aemkjiem.exe 888 Bjlqhoba.exe 1272 Bafidiio.exe 2040 Bkommo32.exe 2336 Blpjegfm.exe 2904 Bidjnkdg.exe 2704 Bblogakg.exe 2588 Blgpef32.exe 2848 Ccahbp32.exe 2640 Cafecmlj.exe 2064 Cddaphkn.exe 1632 Cgcmlcja.exe 2792 Cahail32.exe 2680 Chbjffad.exe 2012 Ckafbbph.exe 1936 Caknol32.exe 2232 Cdikkg32.exe 776 Ckccgane.exe 320 Cldooj32.exe 844 Cdlgpgef.exe 2984 Dglpbbbg.exe 2068 Dhnmij32.exe 2296 Dhpiojfb.exe 1700 Dojald32.exe 2464 Dcenlceh.exe 1660 Ddgjdk32.exe 1388 Dfffnn32.exe 1868 Dggcffhg.exe 1028 Enakbp32.exe 1944 Eqpgol32.exe 2160 Egjpkffe.exe 896 Ekelld32.exe 3052 Endhhp32.exe 2036 Ebodiofk.exe 2496 Ecqqpgli.exe 2940 Ejkima32.exe 1716 Emieil32.exe 2888 Eccmffjf.exe 2896 Egoife32.exe 2604 Ejmebq32.exe -
Loads dropped DLL 64 IoCs
pid Process 1412 NEAS.c5489d5bc28f93d430875b843606a040.exe 1412 NEAS.c5489d5bc28f93d430875b843606a040.exe 3000 Oddpfc32.exe 3000 Oddpfc32.exe 2740 Ogeigofa.exe 2740 Ogeigofa.exe 2700 Ombapedi.exe 2700 Ombapedi.exe 2868 Oopnlacm.exe 2868 Oopnlacm.exe 2052 Ojfaijcc.exe 2052 Ojfaijcc.exe 2620 Omdneebf.exe 2620 Omdneebf.exe 2448 Onhgbmfb.exe 2448 Onhgbmfb.exe 1916 Pnjdhmdo.exe 1916 Pnjdhmdo.exe 2832 Pbhmnkjf.exe 2832 Pbhmnkjf.exe 2528 Pciifc32.exe 2528 Pciifc32.exe 1844 Pjcabmga.exe 1844 Pjcabmga.exe 1948 Pclfkc32.exe 1948 Pclfkc32.exe 2524 Pnajilng.exe 2524 Pnajilng.exe 1352 Pflomnkb.exe 1352 Pflomnkb.exe 2796 Qmfgjh32.exe 2796 Qmfgjh32.exe 2272 Qcpofbjl.exe 2272 Qcpofbjl.exe 1616 Qjjgclai.exe 1616 Qjjgclai.exe 2252 Alnqqd32.exe 2252 Alnqqd32.exe 1144 Aehboi32.exe 1144 Aehboi32.exe 1620 Ahgnke32.exe 1620 Ahgnke32.exe 952 Anafhopc.exe 952 Anafhopc.exe 1044 Adnopfoj.exe 1044 Adnopfoj.exe 2492 Alegac32.exe 2492 Alegac32.exe 3016 Amfcikek.exe 3016 Amfcikek.exe 2164 Aemkjiem.exe 2164 Aemkjiem.exe 888 Bjlqhoba.exe 888 Bjlqhoba.exe 1272 Bafidiio.exe 1272 Bafidiio.exe 2040 Bkommo32.exe 2040 Bkommo32.exe 2336 Blpjegfm.exe 2336 Blpjegfm.exe 2904 Bidjnkdg.exe 2904 Bidjnkdg.exe 2704 Bblogakg.exe 2704 Bblogakg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dhobddbf.exe Dphjcf32.exe File created C:\Windows\SysWOW64\Opkekoll.dll Ihdmihpn.exe File opened for modification C:\Windows\SysWOW64\Oehklddp.exe Ogekpg32.exe File opened for modification C:\Windows\SysWOW64\Pnopldgn.exe Pgegok32.exe File created C:\Windows\SysWOW64\Iefhhbef.exe Inkccpgk.exe File opened for modification C:\Windows\SysWOW64\Ajecmj32.exe Apoooa32.exe File opened for modification C:\Windows\SysWOW64\Cdanpb32.exe Cilibi32.exe File created C:\Windows\SysWOW64\Chhldeho.exe Candgk32.exe File opened for modification C:\Windows\SysWOW64\Egafleqm.exe Ejmebq32.exe File opened for modification C:\Windows\SysWOW64\Jgagfi32.exe Jnicmdli.exe File created C:\Windows\SysWOW64\Mkklljmg.exe Mhloponc.exe File opened for modification C:\Windows\SysWOW64\Knjegqif.exe Kdbpnk32.exe File created C:\Windows\SysWOW64\Ipdblg32.dll Gaafhloq.exe File opened for modification C:\Windows\SysWOW64\Opnpimdf.exe Oidglb32.exe File created C:\Windows\SysWOW64\Ffqofohj.exe Fgnokb32.exe File opened for modification C:\Windows\SysWOW64\Ikbifcpb.exe Ihdmihpn.exe File created C:\Windows\SysWOW64\Kbcdbp32.exe Kjllab32.exe File created C:\Windows\SysWOW64\Mabphn32.exe Mjhhld32.exe File created C:\Windows\SysWOW64\Lghniakc.dll NEAS.c5489d5bc28f93d430875b843606a040.exe File opened for modification C:\Windows\SysWOW64\Omdneebf.exe Ojfaijcc.exe File opened for modification C:\Windows\SysWOW64\Jqnejn32.exe Jjdmmdnh.exe File opened for modification C:\Windows\SysWOW64\Nkpegi32.exe Mpjqiq32.exe File created C:\Windows\SysWOW64\Heldepab.dll Oopnlacm.exe File created C:\Windows\SysWOW64\Mffimglk.exe Mmneda32.exe File opened for modification C:\Windows\SysWOW64\Pcaepg32.exe Olgmcmgh.exe File created C:\Windows\SysWOW64\Ocgcbd32.dll Bjmbqhif.exe File created C:\Windows\SysWOW64\Lbemfbdk.exe Lklejh32.exe File created C:\Windows\SysWOW64\Eqpgol32.exe Enakbp32.exe File opened for modification C:\Windows\SysWOW64\Fmmkcoap.exe Fllnlg32.exe File opened for modification C:\Windows\SysWOW64\Bphbeplm.exe Bhajdblk.exe File opened for modification C:\Windows\SysWOW64\Eqamje32.exe Ehjehh32.exe File created C:\Windows\SysWOW64\Oohfokgp.dll Qoeeolig.exe File opened for modification C:\Windows\SysWOW64\Onhgbmfb.exe Omdneebf.exe File opened for modification C:\Windows\SysWOW64\Dhobddbf.exe Dphjcf32.exe File opened for modification C:\Windows\SysWOW64\Mjekfd32.exe Meicnm32.exe File opened for modification C:\Windows\SysWOW64\Pnjfae32.exe Pohfehdi.exe File opened for modification C:\Windows\SysWOW64\Ljffag32.exe Kkaiqk32.exe File created C:\Windows\SysWOW64\Mioabp32.exe Mfaefd32.exe File created C:\Windows\SysWOW64\Cmicaonb.dll Pclfkc32.exe File created C:\Windows\SysWOW64\Lelpgepb.dll Anafhopc.exe File opened for modification C:\Windows\SysWOW64\Dhnmij32.exe Dglpbbbg.exe File opened for modification C:\Windows\SysWOW64\Fagjnn32.exe Fhneehek.exe File opened for modification C:\Windows\SysWOW64\Ekelld32.exe Egjpkffe.exe File created C:\Windows\SysWOW64\Haiccald.exe Gfobbc32.exe File created C:\Windows\SysWOW64\Ledibnco.exe Lbemfbdk.exe File created C:\Windows\SysWOW64\Mimemp32.exe Mjjdacik.exe File opened for modification C:\Windows\SysWOW64\Nbjcqe32.exe Nlpkdkkd.exe File created C:\Windows\SysWOW64\Gaiedd32.dll Olgmcmgh.exe File opened for modification C:\Windows\SysWOW64\Qndigd32.exe Pnalad32.exe File created C:\Windows\SysWOW64\Heihnoph.exe Hanlnp32.exe File created C:\Windows\SysWOW64\Kocbkk32.exe Jghmfhmb.exe File opened for modification C:\Windows\SysWOW64\Biojif32.exe Bfpnmj32.exe File created C:\Windows\SysWOW64\Ikpmpc32.exe Ilnmdgkj.exe File created C:\Windows\SysWOW64\Hjphijco.dll Afkdakjb.exe File created C:\Windows\SysWOW64\Anafhopc.exe Ahgnke32.exe File created C:\Windows\SysWOW64\Chbjffad.exe Cahail32.exe File created C:\Windows\SysWOW64\Fbldmm32.dll Iheddndj.exe File opened for modification C:\Windows\SysWOW64\Pgbafl32.exe Pokieo32.exe File opened for modification C:\Windows\SysWOW64\Helngnie.exe Geoonjeg.exe File created C:\Windows\SysWOW64\Ihdmihpn.exe Iefamlak.exe File created C:\Windows\SysWOW64\Amfcikek.exe Alegac32.exe File opened for modification C:\Windows\SysWOW64\Hhehek32.exe Homclekn.exe File opened for modification C:\Windows\SysWOW64\Inifnq32.exe Ikkjbe32.exe File created C:\Windows\SysWOW64\Ilfila32.dll Pckoam32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmicaonb.dll" Pclfkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Balkchpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chhldeho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iknpkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Caknol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lapnnafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpjgifpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaafhloq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmqec32.dll" Kgnpeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njabih32.dll" Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifckj32.dll" Ogekpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmmdp32.dll" Gbqbaofc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haiccald.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hanlnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipikqbi.dll" Jqnejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbemfmf.dll" Onecbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eknkpbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fafcdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omdneebf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbfpg32.dll" Onhgbmfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hipkdnmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfgngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipgbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alfadj32.dll" Kkaiqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eknkpbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbhjlbbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chkmkacq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaoaahnn.dll" Giahhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maapdeaa.dll" Idfdcijh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmkehj32.dll" Lbemfbdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndpicm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anafhopc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onjnkb32.dll" Amfcikek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Heihnoph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnkpbcjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qqeicede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egiiapci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjjgclai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqnejn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olgmcmgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhhbld32.dll" Gohjaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll" Aecaidjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccigfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aijpnfif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhlad32.dll" Ciqcmiei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfjnod32.dll" Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hapicp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeieqod.dll" Kicmdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjnmlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll" Anlfbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fidhof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lklejh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dglpbbbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkfceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpicodoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gejebk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbhgbm32.dll" Pkofjijm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgalgjnb.dll" Jnicmdli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeqabgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmkncofl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdbahpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndjfeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqcfnhjb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1412 wrote to memory of 3000 1412 NEAS.c5489d5bc28f93d430875b843606a040.exe 28 PID 1412 wrote to memory of 3000 1412 NEAS.c5489d5bc28f93d430875b843606a040.exe 28 PID 1412 wrote to memory of 3000 1412 NEAS.c5489d5bc28f93d430875b843606a040.exe 28 PID 1412 wrote to memory of 3000 1412 NEAS.c5489d5bc28f93d430875b843606a040.exe 28 PID 3000 wrote to memory of 2740 3000 Oddpfc32.exe 29 PID 3000 wrote to memory of 2740 3000 Oddpfc32.exe 29 PID 3000 wrote to memory of 2740 3000 Oddpfc32.exe 29 PID 3000 wrote to memory of 2740 3000 Oddpfc32.exe 29 PID 2740 wrote to memory of 2700 2740 Ogeigofa.exe 30 PID 2740 wrote to memory of 2700 2740 Ogeigofa.exe 30 PID 2740 wrote to memory of 2700 2740 Ogeigofa.exe 30 PID 2740 wrote to memory of 2700 2740 Ogeigofa.exe 30 PID 2700 wrote to memory of 2868 2700 Ombapedi.exe 31 PID 2700 wrote to memory of 2868 2700 Ombapedi.exe 31 PID 2700 wrote to memory of 2868 2700 Ombapedi.exe 31 PID 2700 wrote to memory of 2868 2700 Ombapedi.exe 31 PID 2868 wrote to memory of 2052 2868 Oopnlacm.exe 32 PID 2868 wrote to memory of 2052 2868 Oopnlacm.exe 32 PID 2868 wrote to memory of 2052 2868 Oopnlacm.exe 32 PID 2868 wrote to memory of 2052 2868 Oopnlacm.exe 32 PID 2052 wrote to memory of 2620 2052 Ojfaijcc.exe 33 PID 2052 wrote to memory of 2620 2052 Ojfaijcc.exe 33 PID 2052 wrote to memory of 2620 2052 Ojfaijcc.exe 33 PID 2052 wrote to memory of 2620 2052 Ojfaijcc.exe 33 PID 2620 wrote to memory of 2448 2620 Omdneebf.exe 34 PID 2620 wrote to memory of 2448 2620 Omdneebf.exe 34 PID 2620 wrote to memory of 2448 2620 Omdneebf.exe 34 PID 2620 wrote to memory of 2448 2620 Omdneebf.exe 34 PID 2448 wrote to memory of 1916 2448 Onhgbmfb.exe 35 PID 2448 wrote to memory of 1916 2448 Onhgbmfb.exe 35 PID 2448 wrote to memory of 1916 2448 Onhgbmfb.exe 35 PID 2448 wrote to memory of 1916 2448 Onhgbmfb.exe 35 PID 1916 wrote to memory of 2832 1916 Pnjdhmdo.exe 36 PID 1916 wrote to memory of 2832 1916 Pnjdhmdo.exe 36 PID 1916 wrote to memory of 2832 1916 Pnjdhmdo.exe 36 PID 1916 wrote to memory of 2832 1916 Pnjdhmdo.exe 36 PID 2832 wrote to memory of 2528 2832 Pbhmnkjf.exe 37 PID 2832 wrote to memory of 2528 2832 Pbhmnkjf.exe 37 PID 2832 wrote to memory of 2528 2832 Pbhmnkjf.exe 37 PID 2832 wrote to memory of 2528 2832 Pbhmnkjf.exe 37 PID 2528 wrote to memory of 1844 2528 Pciifc32.exe 38 PID 2528 wrote to memory of 1844 2528 Pciifc32.exe 38 PID 2528 wrote to memory of 1844 2528 Pciifc32.exe 38 PID 2528 wrote to memory of 1844 2528 Pciifc32.exe 38 PID 1844 wrote to memory of 1948 1844 Pjcabmga.exe 39 PID 1844 wrote to memory of 1948 1844 Pjcabmga.exe 39 PID 1844 wrote to memory of 1948 1844 Pjcabmga.exe 39 PID 1844 wrote to memory of 1948 1844 Pjcabmga.exe 39 PID 1948 wrote to memory of 2524 1948 Pclfkc32.exe 40 PID 1948 wrote to memory of 2524 1948 Pclfkc32.exe 40 PID 1948 wrote to memory of 2524 1948 Pclfkc32.exe 40 PID 1948 wrote to memory of 2524 1948 Pclfkc32.exe 40 PID 2524 wrote to memory of 1352 2524 Pnajilng.exe 41 PID 2524 wrote to memory of 1352 2524 Pnajilng.exe 41 PID 2524 wrote to memory of 1352 2524 Pnajilng.exe 41 PID 2524 wrote to memory of 1352 2524 Pnajilng.exe 41 PID 1352 wrote to memory of 2796 1352 Pflomnkb.exe 42 PID 1352 wrote to memory of 2796 1352 Pflomnkb.exe 42 PID 1352 wrote to memory of 2796 1352 Pflomnkb.exe 42 PID 1352 wrote to memory of 2796 1352 Pflomnkb.exe 42 PID 2796 wrote to memory of 2272 2796 Qmfgjh32.exe 43 PID 2796 wrote to memory of 2272 2796 Qmfgjh32.exe 43 PID 2796 wrote to memory of 2272 2796 Qmfgjh32.exe 43 PID 2796 wrote to memory of 2272 2796 Qmfgjh32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c5489d5bc28f93d430875b843606a040.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.c5489d5bc28f93d430875b843606a040.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Pnjdhmdo.exeC:\Windows\system32\Pnjdhmdo.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Pciifc32.exeC:\Windows\system32\Pciifc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Pclfkc32.exeC:\Windows\system32\Pclfkc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Pflomnkb.exeC:\Windows\system32\Pflomnkb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\Qmfgjh32.exeC:\Windows\system32\Qmfgjh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Qcpofbjl.exeC:\Windows\system32\Qcpofbjl.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Aehboi32.exeC:\Windows\system32\Aehboi32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1144 -
C:\Windows\SysWOW64\Ahgnke32.exeC:\Windows\system32\Ahgnke32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Anafhopc.exeC:\Windows\system32\Anafhopc.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Adnopfoj.exeC:\Windows\system32\Adnopfoj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1044 -
C:\Windows\SysWOW64\Alegac32.exeC:\Windows\system32\Alegac32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Amfcikek.exeC:\Windows\system32\Amfcikek.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Aemkjiem.exeC:\Windows\system32\Aemkjiem.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Bjlqhoba.exeC:\Windows\system32\Bjlqhoba.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1272 -
C:\Windows\SysWOW64\Bkommo32.exeC:\Windows\system32\Bkommo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Blpjegfm.exeC:\Windows\system32\Blpjegfm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Bidjnkdg.exeC:\Windows\system32\Bidjnkdg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Blgpef32.exeC:\Windows\system32\Blgpef32.exe33⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Ccahbp32.exeC:\Windows\system32\Ccahbp32.exe34⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Cafecmlj.exeC:\Windows\system32\Cafecmlj.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Cddaphkn.exeC:\Windows\system32\Cddaphkn.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Cgcmlcja.exeC:\Windows\system32\Cgcmlcja.exe37⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Cahail32.exeC:\Windows\system32\Cahail32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Chbjffad.exeC:\Windows\system32\Chbjffad.exe39⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Ckafbbph.exeC:\Windows\system32\Ckafbbph.exe40⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Caknol32.exeC:\Windows\system32\Caknol32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Cdikkg32.exeC:\Windows\system32\Cdikkg32.exe42⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Ckccgane.exeC:\Windows\system32\Ckccgane.exe43⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Cldooj32.exeC:\Windows\system32\Cldooj32.exe44⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Cdlgpgef.exeC:\Windows\system32\Cdlgpgef.exe45⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Dglpbbbg.exeC:\Windows\system32\Dglpbbbg.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Dhnmij32.exeC:\Windows\system32\Dhnmij32.exe47⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Dhpiojfb.exeC:\Windows\system32\Dhpiojfb.exe48⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Dojald32.exeC:\Windows\system32\Dojald32.exe49⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Dcenlceh.exeC:\Windows\system32\Dcenlceh.exe50⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Ddgjdk32.exeC:\Windows\system32\Ddgjdk32.exe51⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Dfffnn32.exeC:\Windows\system32\Dfffnn32.exe52⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Dggcffhg.exeC:\Windows\system32\Dggcffhg.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Enakbp32.exeC:\Windows\system32\Enakbp32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1028 -
C:\Windows\SysWOW64\Eqpgol32.exeC:\Windows\system32\Eqpgol32.exe55⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Egjpkffe.exeC:\Windows\system32\Egjpkffe.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Ekelld32.exeC:\Windows\system32\Ekelld32.exe57⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Endhhp32.exeC:\Windows\system32\Endhhp32.exe58⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Ebodiofk.exeC:\Windows\system32\Ebodiofk.exe59⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Ecqqpgli.exeC:\Windows\system32\Ecqqpgli.exe60⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Ejkima32.exeC:\Windows\system32\Ejkima32.exe61⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Emieil32.exeC:\Windows\system32\Emieil32.exe62⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Eccmffjf.exeC:\Windows\system32\Eccmffjf.exe63⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Egoife32.exeC:\Windows\system32\Egoife32.exe64⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Ejmebq32.exeC:\Windows\system32\Ejmebq32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Egafleqm.exeC:\Windows\system32\Egafleqm.exe66⤵PID:1156
-
C:\Windows\SysWOW64\Fenmdm32.exeC:\Windows\system32\Fenmdm32.exe67⤵PID:1976
-
C:\Windows\SysWOW64\Fhneehek.exeC:\Windows\system32\Fhneehek.exe68⤵
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Fagjnn32.exeC:\Windows\system32\Fagjnn32.exe69⤵PID:2044
-
C:\Windows\SysWOW64\Fllnlg32.exeC:\Windows\system32\Fllnlg32.exe70⤵
- Drops file in System32 directory
PID:1104 -
C:\Windows\SysWOW64\Fmmkcoap.exeC:\Windows\system32\Fmmkcoap.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2236 -
C:\Windows\SysWOW64\Gjdhbc32.exeC:\Windows\system32\Gjdhbc32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:564 -
C:\Windows\SysWOW64\Gmbdnn32.exeC:\Windows\system32\Gmbdnn32.exe73⤵PID:268
-
C:\Windows\SysWOW64\Gfjhgdck.exeC:\Windows\system32\Gfjhgdck.exe74⤵PID:536
-
C:\Windows\SysWOW64\Giieco32.exeC:\Windows\system32\Giieco32.exe75⤵PID:1932
-
C:\Windows\SysWOW64\Gdniqh32.exeC:\Windows\system32\Gdniqh32.exe76⤵PID:340
-
C:\Windows\SysWOW64\Gepehphc.exeC:\Windows\system32\Gepehphc.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3064 -
C:\Windows\SysWOW64\Gohjaf32.exeC:\Windows\system32\Gohjaf32.exe78⤵
- Modifies registry class
PID:396 -
C:\Windows\SysWOW64\Gfobbc32.exeC:\Windows\system32\Gfobbc32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Haiccald.exeC:\Windows\system32\Haiccald.exe80⤵
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Hipkdnmf.exeC:\Windows\system32\Hipkdnmf.exe81⤵
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Homclekn.exeC:\Windows\system32\Homclekn.exe82⤵
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Hhehek32.exeC:\Windows\system32\Hhehek32.exe83⤵PID:2324
-
C:\Windows\SysWOW64\Hoopae32.exeC:\Windows\system32\Hoopae32.exe84⤵PID:2100
-
C:\Windows\SysWOW64\Hanlnp32.exeC:\Windows\system32\Hanlnp32.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Heihnoph.exeC:\Windows\system32\Heihnoph.exe86⤵
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Hgjefg32.exeC:\Windows\system32\Hgjefg32.exe87⤵PID:2596
-
C:\Windows\SysWOW64\Hapicp32.exeC:\Windows\system32\Hapicp32.exe88⤵
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Hdnepk32.exeC:\Windows\system32\Hdnepk32.exe89⤵PID:2612
-
C:\Windows\SysWOW64\Hpefdl32.exeC:\Windows\system32\Hpefdl32.exe90⤵PID:2768
-
C:\Windows\SysWOW64\Ikkjbe32.exeC:\Windows\system32\Ikkjbe32.exe91⤵
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Inifnq32.exeC:\Windows\system32\Inifnq32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1584 -
C:\Windows\SysWOW64\Ipgbjl32.exeC:\Windows\system32\Ipgbjl32.exe93⤵
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Idcokkak.exeC:\Windows\system32\Idcokkak.exe94⤵PID:1792
-
C:\Windows\SysWOW64\Inkccpgk.exeC:\Windows\system32\Inkccpgk.exe95⤵
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe96⤵PID:528
-
C:\Windows\SysWOW64\Iheddndj.exeC:\Windows\system32\Iheddndj.exe97⤵
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Ipllekdl.exeC:\Windows\system32\Ipllekdl.exe98⤵PID:1228
-
C:\Windows\SysWOW64\Ihgainbg.exeC:\Windows\system32\Ihgainbg.exe99⤵PID:3024
-
C:\Windows\SysWOW64\Iapebchh.exeC:\Windows\system32\Iapebchh.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2372 -
C:\Windows\SysWOW64\Ikhjki32.exeC:\Windows\system32\Ikhjki32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1020 -
C:\Windows\SysWOW64\Jfnnha32.exeC:\Windows\system32\Jfnnha32.exe102⤵PID:1624
-
C:\Windows\SysWOW64\Jhljdm32.exeC:\Windows\system32\Jhljdm32.exe103⤵PID:1648
-
C:\Windows\SysWOW64\Jkjfah32.exeC:\Windows\system32\Jkjfah32.exe104⤵PID:1724
-
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Jgagfi32.exeC:\Windows\system32\Jgagfi32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2140 -
C:\Windows\SysWOW64\Jnkpbcjg.exeC:\Windows\system32\Jnkpbcjg.exe107⤵
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Jqilooij.exeC:\Windows\system32\Jqilooij.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1864 -
C:\Windows\SysWOW64\Jchhkjhn.exeC:\Windows\system32\Jchhkjhn.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2312 -
C:\Windows\SysWOW64\Jmplcp32.exeC:\Windows\system32\Jmplcp32.exe110⤵PID:2020
-
C:\Windows\SysWOW64\Jdgdempa.exeC:\Windows\system32\Jdgdempa.exe111⤵PID:2712
-
C:\Windows\SysWOW64\Jgfqaiod.exeC:\Windows\system32\Jgfqaiod.exe112⤵PID:2572
-
C:\Windows\SysWOW64\Jjdmmdnh.exeC:\Windows\system32\Jjdmmdnh.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Jqnejn32.exeC:\Windows\system32\Jqnejn32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:764 -
C:\Windows\SysWOW64\Jghmfhmb.exeC:\Windows\system32\Jghmfhmb.exe115⤵
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Kocbkk32.exeC:\Windows\system32\Kocbkk32.exe116⤵PID:524
-
C:\Windows\SysWOW64\Kfmjgeaj.exeC:\Windows\system32\Kfmjgeaj.exe117⤵PID:572
-
C:\Windows\SysWOW64\Kkjcplpa.exeC:\Windows\system32\Kkjcplpa.exe118⤵PID:2992
-
C:\Windows\SysWOW64\Kbdklf32.exeC:\Windows\system32\Kbdklf32.exe119⤵PID:2348
-
C:\Windows\SysWOW64\Kebgia32.exeC:\Windows\system32\Kebgia32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:956 -
C:\Windows\SysWOW64\Kklpekno.exeC:\Windows\system32\Kklpekno.exe121⤵PID:1924
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-