Analysis
-
max time kernel
148s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231025-en -
resource tags
arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system -
submitted
02/11/2023, 16:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.383121ec2523c00131a38ee162362f50.exe
Resource
win7-20231025-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.383121ec2523c00131a38ee162362f50.exe
Resource
win10v2004-20231025-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.383121ec2523c00131a38ee162362f50.exe
-
Size
95KB
-
MD5
383121ec2523c00131a38ee162362f50
-
SHA1
814cb9c860238bc8dba1a1655ebb21dfcc508d61
-
SHA256
75affaf3d8d5ea76d477c58048a1f22c8ca2d51cf7b459e636cba3678c195f38
-
SHA512
3070b6577cde294bb52800abe7b871037a8dea622014990a7fea2c4e624f70413e76b0fb7108c364d77af797ce7c8ade929e3458bc7cfbfbd4e5fe5e034b2537
-
SSDEEP
1536:So3qjkyrfYmJGLAB/DQwxH3WROQ79SGBgEfmPCjDp8Sg+SOM6bOLXi8PmCofGV:UkyrlJGcBBxH3Wd9Syg9rzDrLXfzoeV
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbmaon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifbphh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdflqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Keqkofno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kajiigba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjchmclb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kccbgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppbfmdfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofmknifp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Panboflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olmela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llhocfnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pppnia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckajqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dqmkflcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lljolodf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogfagmck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgfghodj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkjcplpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjhjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfieigio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jinfli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcakbjpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbnkha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eabeal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mebpchmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkhhhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljldnhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhbpahan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcakbjpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocflgga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hefginae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcfpmlll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnidchqp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbngf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfieigio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkbmbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nknimnap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmflee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpdkajic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oidiekdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pikkfilp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llnhgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmplcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldheebad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cappnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Didgig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfokinhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpifj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldheebad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nggggoda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nikkkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chickknc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkfagfop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kalipcmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkonj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnqdhga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cllmdcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogadkajl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odkgec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lchqcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fihcdkom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mamjchoa.exe -
Executes dropped EXE 64 IoCs
pid Process 2304 Faigdn32.exe 1308 Gmpgio32.exe 2848 Ghelfg32.exe 2524 Ganpomec.exe 2540 Glgaok32.exe 2528 Gikaio32.exe 3064 Gebbnpfp.exe 2868 Hbfbgd32.exe 2504 Hkaglf32.exe 1080 Hlqdei32.exe 2584 Hmbpmapf.exe 592 Hkfagfop.exe 1288 Hgmalg32.exe 760 Habfipdj.exe 2956 Ikkjbe32.exe 1548 Iompkh32.exe 2112 Ipllekdl.exe 3036 Ijdqna32.exe 2100 Ioaifhid.exe 2416 Ifkacb32.exe 900 Jocflgga.exe 2484 Jjpcbe32.exe 332 Jmplcp32.exe 2280 Jmbiipml.exe 3044 Jghmfhmb.exe 2316 Kqqboncb.exe 1724 Kbbngf32.exe 2668 Kkjcplpa.exe 2864 Kcakaipc.exe 2664 Kebgia32.exe 2412 Knmhgf32.exe 2836 Kicmdo32.exe 3060 Llcefjgf.exe 240 Lapnnafn.exe 2252 Lgjfkk32.exe 2408 Badnhbce.exe 1156 Cillkbac.exe 1264 Kdklfe32.exe 2324 Kkeecogo.exe 2692 Kaompi32.exe 1300 Khielcfh.exe 2392 Kaajei32.exe 1100 Knkgpi32.exe 2148 Kgclio32.exe 1044 Knmdeioh.exe 1668 Kpkpadnl.exe 1804 Lgehno32.exe 1432 Ljddjj32.exe 3028 Lpnmgdli.exe 1600 Lclicpkm.exe 1568 Lklgbadb.exe 2988 Lohccp32.exe 2660 Lhpglecl.exe 2824 Mnmpdlac.exe 2768 Mdghaf32.exe 2180 Mgedmb32.exe 2856 Mjcaimgg.exe 2832 Mqnifg32.exe 1504 Mggabaea.exe 1968 Mmdjkhdh.exe 1644 Mjhjdm32.exe 2304 Mqbbagjo.exe 2732 Mfokinhf.exe 2868 Mklcadfn.exe -
Loads dropped DLL 64 IoCs
pid Process 2176 NEAS.383121ec2523c00131a38ee162362f50.exe 2176 NEAS.383121ec2523c00131a38ee162362f50.exe 2304 Faigdn32.exe 2304 Faigdn32.exe 1308 Gmpgio32.exe 1308 Gmpgio32.exe 2848 Ghelfg32.exe 2848 Ghelfg32.exe 2524 Ganpomec.exe 2524 Ganpomec.exe 2540 Glgaok32.exe 2540 Glgaok32.exe 2528 Gikaio32.exe 2528 Gikaio32.exe 3064 Gebbnpfp.exe 3064 Gebbnpfp.exe 2868 Hbfbgd32.exe 2868 Hbfbgd32.exe 2504 Hkaglf32.exe 2504 Hkaglf32.exe 1080 Hlqdei32.exe 1080 Hlqdei32.exe 2584 Hmbpmapf.exe 2584 Hmbpmapf.exe 592 Hkfagfop.exe 592 Hkfagfop.exe 1288 Hgmalg32.exe 1288 Hgmalg32.exe 760 Habfipdj.exe 760 Habfipdj.exe 2956 Ikkjbe32.exe 2956 Ikkjbe32.exe 1548 Iompkh32.exe 1548 Iompkh32.exe 2112 Ipllekdl.exe 2112 Ipllekdl.exe 3036 Ijdqna32.exe 3036 Ijdqna32.exe 2100 Ioaifhid.exe 2100 Ioaifhid.exe 2416 Ifkacb32.exe 2416 Ifkacb32.exe 900 Jocflgga.exe 900 Jocflgga.exe 2484 Jjpcbe32.exe 2484 Jjpcbe32.exe 332 Jmplcp32.exe 332 Jmplcp32.exe 2280 Jmbiipml.exe 2280 Jmbiipml.exe 3044 Jghmfhmb.exe 3044 Jghmfhmb.exe 2316 Kqqboncb.exe 2316 Kqqboncb.exe 1724 Kbbngf32.exe 1724 Kbbngf32.exe 2668 Kkjcplpa.exe 2668 Kkjcplpa.exe 2864 Kcakaipc.exe 2864 Kcakaipc.exe 2664 Kebgia32.exe 2664 Kebgia32.exe 2412 Knmhgf32.exe 2412 Knmhgf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Qiioon32.exe Qdlggg32.exe File created C:\Windows\SysWOW64\Bjpaop32.exe Bniajoic.exe File opened for modification C:\Windows\SysWOW64\Bgqeea32.exe Adeiobgc.exe File opened for modification C:\Windows\SysWOW64\Kemjieol.exe Kclmbm32.exe File created C:\Windows\SysWOW64\Cmgpnn32.dll Lepfoe32.exe File created C:\Windows\SysWOW64\Manjaldo.exe Ladgkmlj.exe File created C:\Windows\SysWOW64\Baiingae.exe Bgqeea32.exe File created C:\Windows\SysWOW64\Jfdnjb32.dll Ghelfg32.exe File created C:\Windows\SysWOW64\Njbfnjeg.exe Ncinap32.exe File created C:\Windows\SysWOW64\Jaopcbga.exe Jpndkj32.exe File created C:\Windows\SysWOW64\Oagcgibo.dll Ganpomec.exe File created C:\Windows\SysWOW64\Mjbkcgmo.dll Jocflgga.exe File created C:\Windows\SysWOW64\Nbmaon32.exe Nidmfh32.exe File opened for modification C:\Windows\SysWOW64\Nffenj32.exe Nchiao32.exe File created C:\Windows\SysWOW64\Obeacl32.exe Opfegp32.exe File opened for modification C:\Windows\SysWOW64\Llebnfpe.exe Lmbabj32.exe File opened for modification C:\Windows\SysWOW64\Pooaaink.exe Ohbmppia.exe File created C:\Windows\SysWOW64\Ckgogfmg.exe Chickknc.exe File created C:\Windows\SysWOW64\Adqaqk32.dll Ngealejo.exe File opened for modification C:\Windows\SysWOW64\Qlgkki32.exe Qiioon32.exe File created C:\Windows\SysWOW64\Lllkaobc.exe Linoeccp.exe File created C:\Windows\SysWOW64\Mebpchmb.exe Mdqclpgd.exe File created C:\Windows\SysWOW64\Gjjafkpe.exe Gbcien32.exe File opened for modification C:\Windows\SysWOW64\Idbnmgll.exe Iadbqlmh.exe File created C:\Windows\SysWOW64\Jkkleb32.dll Adppdckh.exe File created C:\Windows\SysWOW64\Nhlkkabh.exe Nabcog32.exe File opened for modification C:\Windows\SysWOW64\Mqehjecl.exe Mkipao32.exe File created C:\Windows\SysWOW64\Ohqngjgk.dll Obbdml32.exe File created C:\Windows\SysWOW64\Gkedjo32.exe Gjjafkpe.exe File opened for modification C:\Windows\SysWOW64\Ndjfgkha.exe Negeln32.exe File opened for modification C:\Windows\SysWOW64\Hpgakh32.exe Hijmin32.exe File created C:\Windows\SysWOW64\Dmnicmpm.dll Jcmhmp32.exe File created C:\Windows\SysWOW64\Lmbabj32.exe Lekjal32.exe File opened for modification C:\Windows\SysWOW64\Gknfaehi.exe Gqhadmhc.exe File opened for modification C:\Windows\SysWOW64\Noojfpbi.exe Nffenj32.exe File created C:\Windows\SysWOW64\Keqkofno.exe Kijkje32.exe File opened for modification C:\Windows\SysWOW64\Oflpgnld.exe Odmckcmq.exe File created C:\Windows\SysWOW64\Gbmlkl32.exe Gkedjo32.exe File created C:\Windows\SysWOW64\Ccaipaho.exe Cabldeik.exe File opened for modification C:\Windows\SysWOW64\Ldmopa32.exe Lanbdf32.exe File created C:\Windows\SysWOW64\Qppkfhlc.exe Ppnnai32.exe File created C:\Windows\SysWOW64\Mmkhejmb.dll Gjjafkpe.exe File created C:\Windows\SysWOW64\Eqfifnoj.dll Immkiodb.exe File created C:\Windows\SysWOW64\Cbokoa32.exe Clbbfj32.exe File created C:\Windows\SysWOW64\Oiqaed32.exe Oqiidg32.exe File created C:\Windows\SysWOW64\Dqhooh32.dll Idbnmgll.exe File created C:\Windows\SysWOW64\Qokdamgl.dll Diencmcj.exe File opened for modification C:\Windows\SysWOW64\Hlnbqijd.exe Hpgakh32.exe File opened for modification C:\Windows\SysWOW64\Onejjm32.exe Ojjnioae.exe File opened for modification C:\Windows\SysWOW64\Djfooa32.exe Dclgbgbh.exe File opened for modification C:\Windows\SysWOW64\Adppdckh.exe Anfggicl.exe File created C:\Windows\SysWOW64\Qbeemg32.dll Fdcncg32.exe File created C:\Windows\SysWOW64\Kmdlca32.dll Oplelf32.exe File created C:\Windows\SysWOW64\Haqnea32.exe Hkahgk32.exe File created C:\Windows\SysWOW64\Lgkkmm32.exe Ldmopa32.exe File opened for modification C:\Windows\SysWOW64\Mcofid32.exe Manjaldo.exe File created C:\Windows\SysWOW64\Eedohjpf.dll Hpgakh32.exe File created C:\Windows\SysWOW64\Hbddhc32.dll Ibgglfdl.exe File opened for modification C:\Windows\SysWOW64\Ojjnioae.exe Nkmkgc32.exe File created C:\Windows\SysWOW64\Oonmbkfe.dll Jmlobg32.exe File created C:\Windows\SysWOW64\Gmnmce32.dll Ogfagmck.exe File created C:\Windows\SysWOW64\Bjkeingq.dll Jfieigio.exe File created C:\Windows\SysWOW64\Peapmhnk.exe Pdpcep32.exe File created C:\Windows\SysWOW64\Hedabb32.dll Nhlkkabh.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibklddof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cehkbgdf.dll" Gikaio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nqokpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imkndofe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogadkajl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pghklq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cillkbac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iichjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pppiae32.dll" Geaaolbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnekdd.dll" Qiioon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjdepgcg.dll" Hkmollme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbkdpnil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlnpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqleff32.dll" Onggom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iociomhg.dll" Gifhkpgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbldmm32.dll" Iompkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adeiobgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onggom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biebdbhl.dll" Cghkepdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlepjbmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjqplmck.dll" Emieflec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gifhkpgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kclmbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkfagfop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhfpnk32.dll" Kgclio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cancif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijkocg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmjae32.dll" Imkndofe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jepjpajn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Keiqlihp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agenobhd.dll" Gdodjlda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjdjpda.dll" Chickknc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccgahe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aochck32.dll" Obpbhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llcefjgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppiapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkfcqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paodbg32.dll" Neknki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmobin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jieaofmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apjlggne.dll" Njeccjcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Diencmcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kaompi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmhbkohm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjnhhjjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkjphcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ladgkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomekckd.dll" Aamekk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dceehbdo.dll" Ckgogfmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdefgimi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmkodd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhgeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfcqihha.dll" Kfibhjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egncgo32.dll" Olbogqoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnmbihjf.dll" Iadbqlmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekjikadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojjnioae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcekbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbellj32.dll" Kkeecogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njnmbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqfhb32.dll" Eabeal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eabeal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihedan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbcppkf.dll" Mlikkbga.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2176 wrote to memory of 2304 2176 NEAS.383121ec2523c00131a38ee162362f50.exe 28 PID 2176 wrote to memory of 2304 2176 NEAS.383121ec2523c00131a38ee162362f50.exe 28 PID 2176 wrote to memory of 2304 2176 NEAS.383121ec2523c00131a38ee162362f50.exe 28 PID 2176 wrote to memory of 2304 2176 NEAS.383121ec2523c00131a38ee162362f50.exe 28 PID 2304 wrote to memory of 1308 2304 Faigdn32.exe 29 PID 2304 wrote to memory of 1308 2304 Faigdn32.exe 29 PID 2304 wrote to memory of 1308 2304 Faigdn32.exe 29 PID 2304 wrote to memory of 1308 2304 Faigdn32.exe 29 PID 1308 wrote to memory of 2848 1308 Gmpgio32.exe 30 PID 1308 wrote to memory of 2848 1308 Gmpgio32.exe 30 PID 1308 wrote to memory of 2848 1308 Gmpgio32.exe 30 PID 1308 wrote to memory of 2848 1308 Gmpgio32.exe 30 PID 2848 wrote to memory of 2524 2848 Ghelfg32.exe 31 PID 2848 wrote to memory of 2524 2848 Ghelfg32.exe 31 PID 2848 wrote to memory of 2524 2848 Ghelfg32.exe 31 PID 2848 wrote to memory of 2524 2848 Ghelfg32.exe 31 PID 2524 wrote to memory of 2540 2524 Ganpomec.exe 32 PID 2524 wrote to memory of 2540 2524 Ganpomec.exe 32 PID 2524 wrote to memory of 2540 2524 Ganpomec.exe 32 PID 2524 wrote to memory of 2540 2524 Ganpomec.exe 32 PID 2540 wrote to memory of 2528 2540 Glgaok32.exe 33 PID 2540 wrote to memory of 2528 2540 Glgaok32.exe 33 PID 2540 wrote to memory of 2528 2540 Glgaok32.exe 33 PID 2540 wrote to memory of 2528 2540 Glgaok32.exe 33 PID 2528 wrote to memory of 3064 2528 Gikaio32.exe 34 PID 2528 wrote to memory of 3064 2528 Gikaio32.exe 34 PID 2528 wrote to memory of 3064 2528 Gikaio32.exe 34 PID 2528 wrote to memory of 3064 2528 Gikaio32.exe 34 PID 3064 wrote to memory of 2868 3064 Gebbnpfp.exe 35 PID 3064 wrote to memory of 2868 3064 Gebbnpfp.exe 35 PID 3064 wrote to memory of 2868 3064 Gebbnpfp.exe 35 PID 3064 wrote to memory of 2868 3064 Gebbnpfp.exe 35 PID 2868 wrote to memory of 2504 2868 Hbfbgd32.exe 36 PID 2868 wrote to memory of 2504 2868 Hbfbgd32.exe 36 PID 2868 wrote to memory of 2504 2868 Hbfbgd32.exe 36 PID 2868 wrote to memory of 2504 2868 Hbfbgd32.exe 36 PID 2504 wrote to memory of 1080 2504 Hkaglf32.exe 37 PID 2504 wrote to memory of 1080 2504 Hkaglf32.exe 37 PID 2504 wrote to memory of 1080 2504 Hkaglf32.exe 37 PID 2504 wrote to memory of 1080 2504 Hkaglf32.exe 37 PID 1080 wrote to memory of 2584 1080 Hlqdei32.exe 38 PID 1080 wrote to memory of 2584 1080 Hlqdei32.exe 38 PID 1080 wrote to memory of 2584 1080 Hlqdei32.exe 38 PID 1080 wrote to memory of 2584 1080 Hlqdei32.exe 38 PID 2584 wrote to memory of 592 2584 Hmbpmapf.exe 39 PID 2584 wrote to memory of 592 2584 Hmbpmapf.exe 39 PID 2584 wrote to memory of 592 2584 Hmbpmapf.exe 39 PID 2584 wrote to memory of 592 2584 Hmbpmapf.exe 39 PID 592 wrote to memory of 1288 592 Hkfagfop.exe 40 PID 592 wrote to memory of 1288 592 Hkfagfop.exe 40 PID 592 wrote to memory of 1288 592 Hkfagfop.exe 40 PID 592 wrote to memory of 1288 592 Hkfagfop.exe 40 PID 1288 wrote to memory of 760 1288 Hgmalg32.exe 41 PID 1288 wrote to memory of 760 1288 Hgmalg32.exe 41 PID 1288 wrote to memory of 760 1288 Hgmalg32.exe 41 PID 1288 wrote to memory of 760 1288 Hgmalg32.exe 41 PID 760 wrote to memory of 2956 760 Habfipdj.exe 42 PID 760 wrote to memory of 2956 760 Habfipdj.exe 42 PID 760 wrote to memory of 2956 760 Habfipdj.exe 42 PID 760 wrote to memory of 2956 760 Habfipdj.exe 42 PID 2956 wrote to memory of 1548 2956 Ikkjbe32.exe 43 PID 2956 wrote to memory of 1548 2956 Ikkjbe32.exe 43 PID 2956 wrote to memory of 1548 2956 Ikkjbe32.exe 43 PID 2956 wrote to memory of 1548 2956 Ikkjbe32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.383121ec2523c00131a38ee162362f50.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.383121ec2523c00131a38ee162362f50.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Faigdn32.exeC:\Windows\system32\Faigdn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Gmpgio32.exeC:\Windows\system32\Gmpgio32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Ghelfg32.exeC:\Windows\system32\Ghelfg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Ganpomec.exeC:\Windows\system32\Ganpomec.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Glgaok32.exeC:\Windows\system32\Glgaok32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Gikaio32.exeC:\Windows\system32\Gikaio32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Gebbnpfp.exeC:\Windows\system32\Gebbnpfp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Hbfbgd32.exeC:\Windows\system32\Hbfbgd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Hkaglf32.exeC:\Windows\system32\Hkaglf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Hlqdei32.exeC:\Windows\system32\Hlqdei32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Hmbpmapf.exeC:\Windows\system32\Hmbpmapf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Hkfagfop.exeC:\Windows\system32\Hkfagfop.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Hgmalg32.exeC:\Windows\system32\Hgmalg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Habfipdj.exeC:\Windows\system32\Habfipdj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Ikkjbe32.exeC:\Windows\system32\Ikkjbe32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Ipllekdl.exeC:\Windows\system32\Ipllekdl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Ijdqna32.exeC:\Windows\system32\Ijdqna32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Ioaifhid.exeC:\Windows\system32\Ioaifhid.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Ifkacb32.exeC:\Windows\system32\Ifkacb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416 -
C:\Windows\SysWOW64\Jocflgga.exeC:\Windows\system32\Jocflgga.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:900 -
C:\Windows\SysWOW64\Jjpcbe32.exeC:\Windows\system32\Jjpcbe32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Jmplcp32.exeC:\Windows\system32\Jmplcp32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:332 -
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Jghmfhmb.exeC:\Windows\system32\Jghmfhmb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Kqqboncb.exeC:\Windows\system32\Kqqboncb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Kbbngf32.exeC:\Windows\system32\Kbbngf32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Kkjcplpa.exeC:\Windows\system32\Kkjcplpa.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Kcakaipc.exeC:\Windows\system32\Kcakaipc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Kebgia32.exeC:\Windows\system32\Kebgia32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Knmhgf32.exeC:\Windows\system32\Knmhgf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Kicmdo32.exeC:\Windows\system32\Kicmdo32.exe33⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Llcefjgf.exeC:\Windows\system32\Llcefjgf.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Lapnnafn.exeC:\Windows\system32\Lapnnafn.exe35⤵
- Executes dropped EXE
PID:240 -
C:\Windows\SysWOW64\Lgjfkk32.exeC:\Windows\system32\Lgjfkk32.exe36⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe37⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Cillkbac.exeC:\Windows\system32\Cillkbac.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe39⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Kaompi32.exeC:\Windows\system32\Kaompi32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Khielcfh.exeC:\Windows\system32\Khielcfh.exe42⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Kaajei32.exeC:\Windows\system32\Kaajei32.exe43⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe44⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Kgclio32.exeC:\Windows\system32\Kgclio32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe46⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe47⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe48⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe49⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe50⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Lclicpkm.exeC:\Windows\system32\Lclicpkm.exe51⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Lklgbadb.exeC:\Windows\system32\Lklgbadb.exe52⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Lohccp32.exeC:\Windows\system32\Lohccp32.exe53⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe54⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe55⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Mdghaf32.exeC:\Windows\system32\Mdghaf32.exe56⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Mgedmb32.exeC:\Windows\system32\Mgedmb32.exe57⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Mjcaimgg.exeC:\Windows\system32\Mjcaimgg.exe58⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe59⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Mggabaea.exeC:\Windows\system32\Mggabaea.exe60⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Mmdjkhdh.exeC:\Windows\system32\Mmdjkhdh.exe61⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Mjhjdm32.exeC:\Windows\system32\Mjhjdm32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Mqbbagjo.exeC:\Windows\system32\Mqbbagjo.exe63⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Mfokinhf.exeC:\Windows\system32\Mfokinhf.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Mklcadfn.exeC:\Windows\system32\Mklcadfn.exe65⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe66⤵PID:2584
-
C:\Windows\SysWOW64\Nlnpgd32.exeC:\Windows\system32\Nlnpgd32.exe67⤵
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe68⤵PID:2396
-
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe69⤵
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\Nameek32.exeC:\Windows\system32\Nameek32.exe70⤵PID:2872
-
C:\Windows\SysWOW64\Nidmfh32.exeC:\Windows\system32\Nidmfh32.exe71⤵
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Nbmaon32.exeC:\Windows\system32\Nbmaon32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2080 -
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe73⤵
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe74⤵PID:2200
-
C:\Windows\SysWOW64\Obhdcanc.exeC:\Windows\system32\Obhdcanc.exe75⤵PID:1700
-
C:\Windows\SysWOW64\Ojomdoof.exeC:\Windows\system32\Ojomdoof.exe76⤵PID:1784
-
C:\Windows\SysWOW64\Oplelf32.exeC:\Windows\system32\Oplelf32.exe77⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Offmipej.exeC:\Windows\system32\Offmipej.exe78⤵PID:1032
-
C:\Windows\SysWOW64\Oidiekdn.exeC:\Windows\system32\Oidiekdn.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2144 -
C:\Windows\SysWOW64\Ooabmbbe.exeC:\Windows\system32\Ooabmbbe.exe80⤵PID:3024
-
C:\Windows\SysWOW64\Oekjjl32.exeC:\Windows\system32\Oekjjl32.exe81⤵PID:812
-
C:\Windows\SysWOW64\Oococb32.exeC:\Windows\system32\Oococb32.exe82⤵PID:2796
-
C:\Windows\SysWOW64\Oabkom32.exeC:\Windows\system32\Oabkom32.exe83⤵PID:2068
-
C:\Windows\SysWOW64\Phlclgfc.exeC:\Windows\system32\Phlclgfc.exe84⤵PID:2292
-
C:\Windows\SysWOW64\Pkjphcff.exeC:\Windows\system32\Pkjphcff.exe85⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Pofkha32.exeC:\Windows\system32\Pofkha32.exe86⤵PID:2288
-
C:\Windows\SysWOW64\Ppnnai32.exeC:\Windows\system32\Ppnnai32.exe87⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Qppkfhlc.exeC:\Windows\system32\Qppkfhlc.exe88⤵PID:2516
-
C:\Windows\SysWOW64\Qdlggg32.exeC:\Windows\system32\Qdlggg32.exe89⤵
- Drops file in System32 directory
PID:3056 -
C:\Windows\SysWOW64\Qiioon32.exeC:\Windows\system32\Qiioon32.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Qlgkki32.exeC:\Windows\system32\Qlgkki32.exe91⤵PID:2460
-
C:\Windows\SysWOW64\Qgmpibam.exeC:\Windows\system32\Qgmpibam.exe92⤵PID:1656
-
C:\Windows\SysWOW64\Qjklenpa.exeC:\Windows\system32\Qjklenpa.exe93⤵PID:1000
-
C:\Windows\SysWOW64\Apedah32.exeC:\Windows\system32\Apedah32.exe94⤵PID:2852
-
C:\Windows\SysWOW64\Accqnc32.exeC:\Windows\system32\Accqnc32.exe95⤵PID:3064
-
C:\Windows\SysWOW64\Ahpifj32.exeC:\Windows\system32\Ahpifj32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:576 -
C:\Windows\SysWOW64\Apgagg32.exeC:\Windows\system32\Apgagg32.exe97⤵PID:2112
-
C:\Windows\SysWOW64\Aojabdlf.exeC:\Windows\system32\Aojabdlf.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2248 -
C:\Windows\SysWOW64\Aomnhd32.exeC:\Windows\system32\Aomnhd32.exe99⤵PID:1064
-
C:\Windows\SysWOW64\Afffenbp.exeC:\Windows\system32\Afffenbp.exe100⤵PID:2920
-
C:\Windows\SysWOW64\Akcomepg.exeC:\Windows\system32\Akcomepg.exe101⤵PID:2056
-
C:\Windows\SysWOW64\Abmgjo32.exeC:\Windows\system32\Abmgjo32.exe102⤵PID:1768
-
C:\Windows\SysWOW64\Agjobffl.exeC:\Windows\system32\Agjobffl.exe103⤵PID:2280
-
C:\Windows\SysWOW64\Bkhhhd32.exeC:\Windows\system32\Bkhhhd32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2400 -
C:\Windows\SysWOW64\Bnfddp32.exeC:\Windows\system32\Bnfddp32.exe105⤵PID:2152
-
C:\Windows\SysWOW64\Bniajoic.exeC:\Windows\system32\Bniajoic.exe106⤵
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Bjpaop32.exeC:\Windows\system32\Bjpaop32.exe107⤵PID:1160
-
C:\Windows\SysWOW64\Bgcbhd32.exeC:\Windows\system32\Bgcbhd32.exe108⤵PID:2492
-
C:\Windows\SysWOW64\Bqlfaj32.exeC:\Windows\system32\Bqlfaj32.exe109⤵PID:2864
-
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe110⤵PID:2344
-
C:\Windows\SysWOW64\Fleifl32.exeC:\Windows\system32\Fleifl32.exe111⤵PID:2860
-
C:\Windows\SysWOW64\Gaihob32.exeC:\Windows\system32\Gaihob32.exe112⤵PID:2676
-
C:\Windows\SysWOW64\Gmhbkohm.exeC:\Windows\system32\Gmhbkohm.exe113⤵
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Hbdjcffd.exeC:\Windows\system32\Hbdjcffd.exe114⤵PID:2628
-
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe115⤵PID:1652
-
C:\Windows\SysWOW64\Hkmollme.exeC:\Windows\system32\Hkmollme.exe116⤵
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Hokhbj32.exeC:\Windows\system32\Hokhbj32.exe117⤵PID:892
-
C:\Windows\SysWOW64\Hkahgk32.exeC:\Windows\system32\Hkahgk32.exe118⤵
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe119⤵PID:596
-
C:\Windows\SysWOW64\Hcojam32.exeC:\Windows\system32\Hcojam32.exe120⤵PID:2000
-
C:\Windows\SysWOW64\Ijibng32.exeC:\Windows\system32\Ijibng32.exe121⤵PID:3036
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-