Analysis
-
max time kernel
118s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
03-11-2023 14:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.2d44aafdf315f3ded4db84f6caf7ffc0.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.2d44aafdf315f3ded4db84f6caf7ffc0.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.2d44aafdf315f3ded4db84f6caf7ffc0.exe
-
Size
99KB
-
MD5
2d44aafdf315f3ded4db84f6caf7ffc0
-
SHA1
4288dbb046239e43c94991a0307a7809f3dfd45e
-
SHA256
de7bcfd37a109c6e51cb770be459e16d3996a23da5058aea8ab1464fb3380408
-
SHA512
fef0c9ef40a60eac5f5c67d7cdd3bcc4afa0c74d4f91a7cd9167f9f5f1aea1aa034ffe06bcf3e2f5ae1910c7fb94c1bd12f565893dd97de2962cd18e29465bc5
-
SSDEEP
3072:3Yct3wofDvJp1PTuY1HeytpwoTRBmDRGGurhUI:3hJ7vpP6G+Dm7UI
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aakjdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heealhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idadnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Joiappkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nekbmgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chkmkacq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Acfmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcpkpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlbboiip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Liqoflfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nidmfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phcilf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbkbgjcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fokdfajl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfgegnbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpnmgdli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjfnomde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nfahomfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Abpcooea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhobddbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jlklnjoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lngnfnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfdmggnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jonbee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adifpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghiaof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jlbboiip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbpdeogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opnbbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pghfnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnfqccna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgdfdbhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbkbgjcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idfdcijh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kbokgpgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nadpgggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Knmdeioh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofadnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnnhbjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlklnjoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nfoghakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iapgkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pohhna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gjngmmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iggned32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hanogipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpiedieo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jenpajfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfdenafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iaeegh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhoice32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bieopm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoigpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmoqnhla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioooiack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Meijhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qeaedd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajpjakhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfmddp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lkfddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nncbdomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kilfcpqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlfojn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iimcclni.exe -
Executes dropped EXE 64 IoCs
pid Process 2744 Kilfcpqm.exe 2688 Kegqdqbl.exe 2568 Kbkameaf.exe 2148 Lclnemgd.exe 2604 Ljibgg32.exe 2544 Lfpclh32.exe 2748 Ljmlbfhi.exe 2944 Lfdmggnm.exe 1660 Mmneda32.exe 2192 Meijhc32.exe 580 Mlfojn32.exe 756 Mkklljmg.exe 1084 Meppiblm.exe 1808 Mkmhaj32.exe 544 Nhaikn32.exe 2356 Nplmop32.exe 1792 Niebhf32.exe 2292 Nlcnda32.exe 432 Ncmfqkdj.exe 1372 Nekbmgcn.exe 1772 Nodgel32.exe 2284 Npccpo32.exe 844 Nadpgggp.exe 2456 Nilhhdga.exe 1724 Nhohda32.exe 3048 Oohqqlei.exe 2008 Odeiibdq.exe 1788 Oaiibg32.exe 2300 Odjbdb32.exe 2828 Okdkal32.exe 3008 Onbgmg32.exe 2992 Ogkkfmml.exe 2728 Onecbg32.exe 1464 Oqcpob32.exe 1960 Pkidlk32.exe 2908 Pmjqcc32.exe 1680 Pmlmic32.exe 2816 Pokieo32.exe 1804 Pjpnbg32.exe 1736 Pomfkndo.exe 1328 Pbkbgjcc.exe 1636 Piekcd32.exe 1560 Poapfn32.exe 2880 Qflhbhgg.exe 2392 Qgmdjp32.exe 2388 Qngmgjeb.exe 2136 Qeaedd32.exe 1132 Qkkmqnck.exe 980 Aganeoip.exe 620 Ajpjakhc.exe 688 Bbikgk32.exe 3004 Chkmkacq.exe 2000 Cklfll32.exe 1212 Cddjebgb.exe 2188 Clooiddm.exe 2844 Cgdcgm32.exe 2796 Cicpch32.exe 2556 Cpmhpbkc.exe 2564 Chhldeho.exe 1364 Dobdqo32.exe 2476 Delmmigh.exe 2988 Dhkiid32.exe 3068 Dodafoni.exe 1352 Dhmfod32.exe -
Loads dropped DLL 64 IoCs
pid Process 2116 NEAS.2d44aafdf315f3ded4db84f6caf7ffc0.exe 2116 NEAS.2d44aafdf315f3ded4db84f6caf7ffc0.exe 2744 Kilfcpqm.exe 2744 Kilfcpqm.exe 2688 Kegqdqbl.exe 2688 Kegqdqbl.exe 2568 Kbkameaf.exe 2568 Kbkameaf.exe 2148 Lclnemgd.exe 2148 Lclnemgd.exe 2604 Ljibgg32.exe 2604 Ljibgg32.exe 2544 Lfpclh32.exe 2544 Lfpclh32.exe 2748 Ljmlbfhi.exe 2748 Ljmlbfhi.exe 2944 Lfdmggnm.exe 2944 Lfdmggnm.exe 1660 Mmneda32.exe 1660 Mmneda32.exe 2192 Meijhc32.exe 2192 Meijhc32.exe 580 Mlfojn32.exe 580 Mlfojn32.exe 756 Mkklljmg.exe 756 Mkklljmg.exe 1084 Meppiblm.exe 1084 Meppiblm.exe 1808 Mkmhaj32.exe 1808 Mkmhaj32.exe 544 Nhaikn32.exe 544 Nhaikn32.exe 2356 Nplmop32.exe 2356 Nplmop32.exe 1792 Niebhf32.exe 1792 Niebhf32.exe 2292 Nlcnda32.exe 2292 Nlcnda32.exe 432 Ncmfqkdj.exe 432 Ncmfqkdj.exe 1372 Nekbmgcn.exe 1372 Nekbmgcn.exe 1772 Nodgel32.exe 1772 Nodgel32.exe 2284 Npccpo32.exe 2284 Npccpo32.exe 844 Nadpgggp.exe 844 Nadpgggp.exe 2456 Nilhhdga.exe 2456 Nilhhdga.exe 1724 Nhohda32.exe 1724 Nhohda32.exe 3048 Oohqqlei.exe 3048 Oohqqlei.exe 2008 Odeiibdq.exe 2008 Odeiibdq.exe 1788 Oaiibg32.exe 1788 Oaiibg32.exe 2300 Odjbdb32.exe 2300 Odjbdb32.exe 2828 Okdkal32.exe 2828 Okdkal32.exe 3008 Onbgmg32.exe 3008 Onbgmg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ghmkjedk.exe Gbqbaofc.exe File opened for modification C:\Windows\SysWOW64\Knmdeioh.exe Mccbmh32.exe File created C:\Windows\SysWOW64\Pjclpeak.dll Ncmfqkdj.exe File opened for modification C:\Windows\SysWOW64\Nhaikn32.exe Mkmhaj32.exe File created C:\Windows\SysWOW64\Npkkbmjm.dll Hifmbmda.exe File created C:\Windows\SysWOW64\Aejiak32.dll Gfehan32.exe File created C:\Windows\SysWOW64\Dhlqnh32.dll Hfbhkb32.exe File created C:\Windows\SysWOW64\Cegoqlof.exe Cmpgpond.exe File created C:\Windows\SysWOW64\Cpmhpbkc.exe Cicpch32.exe File opened for modification C:\Windows\SysWOW64\Iimcclni.exe Ibckfa32.exe File created C:\Windows\SysWOW64\Jgqpkc32.exe Jlklnjoh.exe File created C:\Windows\SysWOW64\Hifhgh32.dll Mklcadfn.exe File created C:\Windows\SysWOW64\Ljmlbfhi.exe Lfpclh32.exe File created C:\Windows\SysWOW64\Ejaekc32.dll Qeaedd32.exe File created C:\Windows\SysWOW64\Heealhla.exe Hfbaql32.exe File created C:\Windows\SysWOW64\Nfoghakb.exe Nncbdomg.exe File created C:\Windows\SysWOW64\Cileqlmg.exe Cfmhdpnc.exe File opened for modification C:\Windows\SysWOW64\Onecbg32.exe Ogkkfmml.exe File created C:\Windows\SysWOW64\Gpkpedmh.exe Gjngmmnp.exe File opened for modification C:\Windows\SysWOW64\Kqfdnljm.exe Kbcdbp32.exe File opened for modification C:\Windows\SysWOW64\Nlnpgd32.exe Nedhjj32.exe File created C:\Windows\SysWOW64\Dchhemih.dll Jgqpkc32.exe File created C:\Windows\SysWOW64\Qdnpmb32.dll Ibfaopoi.exe File created C:\Windows\SysWOW64\Nnafnopi.exe Nidmfh32.exe File created C:\Windows\SysWOW64\Enemcbio.dll Oiffkkbk.exe File created C:\Windows\SysWOW64\Apknlk32.dll Dgdpfp32.exe File created C:\Windows\SysWOW64\Fmhjni32.exe Fcpfedki.exe File opened for modification C:\Windows\SysWOW64\Findhdcb.exe Aibcba32.exe File opened for modification C:\Windows\SysWOW64\Mejlalji.exe Mbkpeake.exe File created C:\Windows\SysWOW64\Oqcpob32.exe Onecbg32.exe File created C:\Windows\SysWOW64\Qgmdjp32.exe Qflhbhgg.exe File created C:\Windows\SysWOW64\Iggned32.exe Idiaii32.exe File created C:\Windows\SysWOW64\Komjgdhc.dll Adlcfjgh.exe File opened for modification C:\Windows\SysWOW64\Mjfnomde.exe Mclebc32.exe File created C:\Windows\SysWOW64\Cfnmapnj.dll Mbcoio32.exe File created C:\Windows\SysWOW64\Pmlmic32.exe Pmjqcc32.exe File created C:\Windows\SysWOW64\Chkmkacq.exe Bbikgk32.exe File created C:\Windows\SysWOW64\Jgqgle32.dll Delmmigh.exe File opened for modification C:\Windows\SysWOW64\Jnfomn32.exe Jcpkpe32.exe File created C:\Windows\SysWOW64\Gpgpdf32.dll Jjomgo32.exe File opened for modification C:\Windows\SysWOW64\Lfbbjpgd.exe Lohjnf32.exe File created C:\Windows\SysWOW64\Onbgmg32.exe Okdkal32.exe File created C:\Windows\SysWOW64\Dqnlqf32.dll Mbeiefff.exe File created C:\Windows\SysWOW64\Fkpejiad.dll Hhejnc32.exe File created C:\Windows\SysWOW64\Kaaded32.dll Phcilf32.exe File created C:\Windows\SysWOW64\Oohqqlei.exe Nhohda32.exe File created C:\Windows\SysWOW64\Dhmfod32.exe Dodafoni.exe File opened for modification C:\Windows\SysWOW64\Ibckfa32.exe Ipdojfgh.exe File opened for modification C:\Windows\SysWOW64\Kbcdbp32.exe Kkileele.exe File created C:\Windows\SysWOW64\Clooiddm.exe Cddjebgb.exe File opened for modification C:\Windows\SysWOW64\Jkkija32.exe Jhlmmfef.exe File created C:\Windows\SysWOW64\Lpnmgdli.exe Lhfefgkg.exe File opened for modification C:\Windows\SysWOW64\Boogmgkl.exe Bieopm32.exe File created C:\Windows\SysWOW64\Eflill32.exe Epoqde32.exe File created C:\Windows\SysWOW64\Iimcclni.exe Ibckfa32.exe File created C:\Windows\SysWOW64\Jgjiif32.dll Kbokgpgg.exe File created C:\Windows\SysWOW64\Jhoice32.exe Jepmgj32.exe File opened for modification C:\Windows\SysWOW64\Qiioon32.exe Qdlggg32.exe File created C:\Windows\SysWOW64\Iknpkd32.exe Iimcclni.exe File created C:\Windows\SysWOW64\Ffphgohm.dll Gnkmqkbi.exe File created C:\Windows\SysWOW64\Ccbpgj32.dll Gmbfggdo.exe File created C:\Windows\SysWOW64\Bkdbhahq.dll Knmdeioh.exe File created C:\Windows\SysWOW64\Oaoplfhc.dll Bqgmfkhg.exe File created C:\Windows\SysWOW64\Qfclkmib.dll Efnfbl32.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\system32†Edggmg32.¾ll Dpapaj32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbbobb32.dll" Nfahomfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obecdjcn.dll" Oococb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dnjngk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liobdl32.dll" Lohjnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Niebhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mifdih32.dll" Gaafhloq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kfnmpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lohjnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qcachc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbkameaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnkga32.dll" Qngmgjeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loqhnifk.dll" Ilcoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjngcolf.dll" Lfpclh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cgdcgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lkfddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Acfmcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebefgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehoocgeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlfca32.dll" Kilfcpqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnkjnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifffkncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Heealhla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kfkpknkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Femijbfb.dll" Mgedmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdkid32.dll" Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faflglmh.dll" Oqcpob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offmilba.dll" Hnkion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciqnaaen.dll" Aibcba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ilcoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lgmeid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mpamde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mpebmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Okdkal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpgpdf32.dll" Jjomgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpkpadnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oococb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgaebl32.dll" Kfkpknkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lqqpgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkkhgfk.dll" Fcpfedki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjiif32.dll" Kbokgpgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kfjggo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iinmfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pidfdofi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odeiibdq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cpmhpbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gqlebf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kcopdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nfoghakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfnnoge.dll" Pebpkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Piekcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iimcclni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejecol32.dll" Hdoghdmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll" Bieopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pimkgkgm.dll" Idiaii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abbfnh32.dll" Findhdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cegoqlof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcelfiph.dll" Mcnbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nfahomfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgghom32.dll" Lcfbdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll" Cnkjnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ljmlbfhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jhoice32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcnfppba.dll" Omioekbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aganeoip.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2116 wrote to memory of 2744 2116 NEAS.2d44aafdf315f3ded4db84f6caf7ffc0.exe 28 PID 2116 wrote to memory of 2744 2116 NEAS.2d44aafdf315f3ded4db84f6caf7ffc0.exe 28 PID 2116 wrote to memory of 2744 2116 NEAS.2d44aafdf315f3ded4db84f6caf7ffc0.exe 28 PID 2116 wrote to memory of 2744 2116 NEAS.2d44aafdf315f3ded4db84f6caf7ffc0.exe 28 PID 2744 wrote to memory of 2688 2744 Kilfcpqm.exe 29 PID 2744 wrote to memory of 2688 2744 Kilfcpqm.exe 29 PID 2744 wrote to memory of 2688 2744 Kilfcpqm.exe 29 PID 2744 wrote to memory of 2688 2744 Kilfcpqm.exe 29 PID 2688 wrote to memory of 2568 2688 Kegqdqbl.exe 30 PID 2688 wrote to memory of 2568 2688 Kegqdqbl.exe 30 PID 2688 wrote to memory of 2568 2688 Kegqdqbl.exe 30 PID 2688 wrote to memory of 2568 2688 Kegqdqbl.exe 30 PID 2568 wrote to memory of 2148 2568 Kbkameaf.exe 31 PID 2568 wrote to memory of 2148 2568 Kbkameaf.exe 31 PID 2568 wrote to memory of 2148 2568 Kbkameaf.exe 31 PID 2568 wrote to memory of 2148 2568 Kbkameaf.exe 31 PID 2148 wrote to memory of 2604 2148 Lclnemgd.exe 32 PID 2148 wrote to memory of 2604 2148 Lclnemgd.exe 32 PID 2148 wrote to memory of 2604 2148 Lclnemgd.exe 32 PID 2148 wrote to memory of 2604 2148 Lclnemgd.exe 32 PID 2604 wrote to memory of 2544 2604 Ljibgg32.exe 33 PID 2604 wrote to memory of 2544 2604 Ljibgg32.exe 33 PID 2604 wrote to memory of 2544 2604 Ljibgg32.exe 33 PID 2604 wrote to memory of 2544 2604 Ljibgg32.exe 33 PID 2544 wrote to memory of 2748 2544 Lfpclh32.exe 34 PID 2544 wrote to memory of 2748 2544 Lfpclh32.exe 34 PID 2544 wrote to memory of 2748 2544 Lfpclh32.exe 34 PID 2544 wrote to memory of 2748 2544 Lfpclh32.exe 34 PID 2748 wrote to memory of 2944 2748 Ljmlbfhi.exe 35 PID 2748 wrote to memory of 2944 2748 Ljmlbfhi.exe 35 PID 2748 wrote to memory of 2944 2748 Ljmlbfhi.exe 35 PID 2748 wrote to memory of 2944 2748 Ljmlbfhi.exe 35 PID 2944 wrote to memory of 1660 2944 Lfdmggnm.exe 36 PID 2944 wrote to memory of 1660 2944 Lfdmggnm.exe 36 PID 2944 wrote to memory of 1660 2944 Lfdmggnm.exe 36 PID 2944 wrote to memory of 1660 2944 Lfdmggnm.exe 36 PID 1660 wrote to memory of 2192 1660 Mmneda32.exe 37 PID 1660 wrote to memory of 2192 1660 Mmneda32.exe 37 PID 1660 wrote to memory of 2192 1660 Mmneda32.exe 37 PID 1660 wrote to memory of 2192 1660 Mmneda32.exe 37 PID 2192 wrote to memory of 580 2192 Meijhc32.exe 38 PID 2192 wrote to memory of 580 2192 Meijhc32.exe 38 PID 2192 wrote to memory of 580 2192 Meijhc32.exe 38 PID 2192 wrote to memory of 580 2192 Meijhc32.exe 38 PID 580 wrote to memory of 756 580 Mlfojn32.exe 39 PID 580 wrote to memory of 756 580 Mlfojn32.exe 39 PID 580 wrote to memory of 756 580 Mlfojn32.exe 39 PID 580 wrote to memory of 756 580 Mlfojn32.exe 39 PID 756 wrote to memory of 1084 756 Mkklljmg.exe 40 PID 756 wrote to memory of 1084 756 Mkklljmg.exe 40 PID 756 wrote to memory of 1084 756 Mkklljmg.exe 40 PID 756 wrote to memory of 1084 756 Mkklljmg.exe 40 PID 1084 wrote to memory of 1808 1084 Meppiblm.exe 41 PID 1084 wrote to memory of 1808 1084 Meppiblm.exe 41 PID 1084 wrote to memory of 1808 1084 Meppiblm.exe 41 PID 1084 wrote to memory of 1808 1084 Meppiblm.exe 41 PID 1808 wrote to memory of 544 1808 Mkmhaj32.exe 42 PID 1808 wrote to memory of 544 1808 Mkmhaj32.exe 42 PID 1808 wrote to memory of 544 1808 Mkmhaj32.exe 42 PID 1808 wrote to memory of 544 1808 Mkmhaj32.exe 42 PID 544 wrote to memory of 2356 544 Nhaikn32.exe 43 PID 544 wrote to memory of 2356 544 Nhaikn32.exe 43 PID 544 wrote to memory of 2356 544 Nhaikn32.exe 43 PID 544 wrote to memory of 2356 544 Nhaikn32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.2d44aafdf315f3ded4db84f6caf7ffc0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.2d44aafdf315f3ded4db84f6caf7ffc0.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Kilfcpqm.exeC:\Windows\system32\Kilfcpqm.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Kegqdqbl.exeC:\Windows\system32\Kegqdqbl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Kbkameaf.exeC:\Windows\system32\Kbkameaf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Lclnemgd.exeC:\Windows\system32\Lclnemgd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Ljibgg32.exeC:\Windows\system32\Ljibgg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Lfpclh32.exeC:\Windows\system32\Lfpclh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Ljmlbfhi.exeC:\Windows\system32\Ljmlbfhi.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Lfdmggnm.exeC:\Windows\system32\Lfdmggnm.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Mmneda32.exeC:\Windows\system32\Mmneda32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Meijhc32.exeC:\Windows\system32\Meijhc32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Mlfojn32.exeC:\Windows\system32\Mlfojn32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Mkklljmg.exeC:\Windows\system32\Mkklljmg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Meppiblm.exeC:\Windows\system32\Meppiblm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Mkmhaj32.exeC:\Windows\system32\Mkmhaj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Nhaikn32.exeC:\Windows\system32\Nhaikn32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Nplmop32.exeC:\Windows\system32\Nplmop32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Niebhf32.exeC:\Windows\system32\Niebhf32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Nlcnda32.exeC:\Windows\system32\Nlcnda32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Ncmfqkdj.exeC:\Windows\system32\Ncmfqkdj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:432 -
C:\Windows\SysWOW64\Nekbmgcn.exeC:\Windows\system32\Nekbmgcn.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1372 -
C:\Windows\SysWOW64\Nodgel32.exeC:\Windows\system32\Nodgel32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\Npccpo32.exeC:\Windows\system32\Npccpo32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Nadpgggp.exeC:\Windows\system32\Nadpgggp.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:844 -
C:\Windows\SysWOW64\Nilhhdga.exeC:\Windows\system32\Nilhhdga.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Nhohda32.exeC:\Windows\system32\Nhohda32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Oohqqlei.exeC:\Windows\system32\Oohqqlei.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Odeiibdq.exeC:\Windows\system32\Odeiibdq.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Oaiibg32.exeC:\Windows\system32\Oaiibg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Windows\SysWOW64\Odjbdb32.exeC:\Windows\system32\Odjbdb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Okdkal32.exeC:\Windows\system32\Okdkal32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Onbgmg32.exeC:\Windows\system32\Onbgmg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Ogkkfmml.exeC:\Windows\system32\Ogkkfmml.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Onecbg32.exeC:\Windows\system32\Onecbg32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Oqcpob32.exeC:\Windows\system32\Oqcpob32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1464 -
C:\Windows\SysWOW64\Pkidlk32.exeC:\Windows\system32\Pkidlk32.exe36⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Pmjqcc32.exeC:\Windows\system32\Pmjqcc32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Pmlmic32.exeC:\Windows\system32\Pmlmic32.exe38⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Pokieo32.exeC:\Windows\system32\Pokieo32.exe39⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Pjpnbg32.exeC:\Windows\system32\Pjpnbg32.exe40⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Pomfkndo.exeC:\Windows\system32\Pomfkndo.exe41⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Pbkbgjcc.exeC:\Windows\system32\Pbkbgjcc.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Piekcd32.exeC:\Windows\system32\Piekcd32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Poapfn32.exeC:\Windows\system32\Poapfn32.exe44⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Qflhbhgg.exeC:\Windows\system32\Qflhbhgg.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Qgmdjp32.exeC:\Windows\system32\Qgmdjp32.exe46⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Qngmgjeb.exeC:\Windows\system32\Qngmgjeb.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Qeaedd32.exeC:\Windows\system32\Qeaedd32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Qkkmqnck.exeC:\Windows\system32\Qkkmqnck.exe49⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Aganeoip.exeC:\Windows\system32\Aganeoip.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:980 -
C:\Windows\SysWOW64\Ajpjakhc.exeC:\Windows\system32\Ajpjakhc.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Bbikgk32.exeC:\Windows\system32\Bbikgk32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:688 -
C:\Windows\SysWOW64\Chkmkacq.exeC:\Windows\system32\Chkmkacq.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Cklfll32.exeC:\Windows\system32\Cklfll32.exe54⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Cddjebgb.exeC:\Windows\system32\Cddjebgb.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1212 -
C:\Windows\SysWOW64\Clooiddm.exeC:\Windows\system32\Clooiddm.exe56⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Cgdcgm32.exeC:\Windows\system32\Cgdcgm32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Cicpch32.exeC:\Windows\system32\Cicpch32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Cpmhpbkc.exeC:\Windows\system32\Cpmhpbkc.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Chhldeho.exeC:\Windows\system32\Chhldeho.exe60⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Dobdqo32.exeC:\Windows\system32\Dobdqo32.exe61⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Delmmigh.exeC:\Windows\system32\Delmmigh.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Dhkiid32.exeC:\Windows\system32\Dhkiid32.exe63⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Dodafoni.exeC:\Windows\system32\Dodafoni.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Dhmfod32.exeC:\Windows\system32\Dhmfod32.exe65⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Dognlnlf.exeC:\Windows\system32\Dognlnlf.exe66⤵PID:2168
-
C:\Windows\SysWOW64\Dnjngk32.exeC:\Windows\system32\Dnjngk32.exe67⤵
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe68⤵PID:1412
-
C:\Windows\SysWOW64\Dhobddbf.exeC:\Windows\system32\Dhobddbf.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1356 -
C:\Windows\SysWOW64\Dknoaoaj.exeC:\Windows\system32\Dknoaoaj.exe70⤵PID:3024
-
C:\Windows\SysWOW64\Dahgni32.exeC:\Windows\system32\Dahgni32.exe71⤵PID:1164
-
C:\Windows\SysWOW64\Dgdpfp32.exeC:\Windows\system32\Dgdpfp32.exe72⤵
- Drops file in System32 directory
PID:1124 -
C:\Windows\SysWOW64\Dnnhbjnk.exeC:\Windows\system32\Dnnhbjnk.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1716 -
C:\Windows\SysWOW64\Eckpkamb.exeC:\Windows\system32\Eckpkamb.exe74⤵PID:2260
-
C:\Windows\SysWOW64\Efjlgmlf.exeC:\Windows\system32\Efjlgmlf.exe75⤵PID:1720
-
C:\Windows\SysWOW64\Epoqde32.exeC:\Windows\system32\Epoqde32.exe76⤵
- Drops file in System32 directory
PID:876 -
C:\Windows\SysWOW64\Eflill32.exeC:\Windows\system32\Eflill32.exe77⤵PID:2044
-
C:\Windows\SysWOW64\Efnfbl32.exeC:\Windows\system32\Efnfbl32.exe78⤵
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Eogjka32.exeC:\Windows\system32\Eogjka32.exe79⤵PID:2640
-
C:\Windows\SysWOW64\Ebefgm32.exeC:\Windows\system32\Ebefgm32.exe80⤵
- Modifies registry class
PID:1440 -
C:\Windows\SysWOW64\Ehoocgeb.exeC:\Windows\system32\Ehoocgeb.exe81⤵
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Eoigpa32.exeC:\Windows\system32\Eoigpa32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2720 -
C:\Windows\SysWOW64\Fokdfajl.exeC:\Windows\system32\Fokdfajl.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Fidhof32.exeC:\Windows\system32\Fidhof32.exe84⤵PID:2020
-
C:\Windows\SysWOW64\Fnqqgm32.exeC:\Windows\system32\Fnqqgm32.exe85⤵PID:2896
-
C:\Windows\SysWOW64\Fkdaqa32.exeC:\Windows\system32\Fkdaqa32.exe86⤵PID:524
-
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe87⤵PID:1780
-
C:\Windows\SysWOW64\Fcpfedki.exeC:\Windows\system32\Fcpfedki.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Fmhjni32.exeC:\Windows\system32\Fmhjni32.exe89⤵PID:648
-
C:\Windows\SysWOW64\Fjlkgn32.exeC:\Windows\system32\Fjlkgn32.exe90⤵PID:1684
-
C:\Windows\SysWOW64\Gjngmmnp.exeC:\Windows\system32\Gjngmmnp.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Gpkpedmh.exeC:\Windows\system32\Gpkpedmh.exe92⤵PID:2344
-
C:\Windows\SysWOW64\Gfehan32.exeC:\Windows\system32\Gfehan32.exe93⤵
- Drops file in System32 directory
PID:1368 -
C:\Windows\SysWOW64\Gmoqnhla.exeC:\Windows\system32\Gmoqnhla.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:592 -
C:\Windows\SysWOW64\Gfgegnbb.exeC:\Windows\system32\Gfgegnbb.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1860 -
C:\Windows\SysWOW64\Ghiaof32.exeC:\Windows\system32\Ghiaof32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1564 -
C:\Windows\SysWOW64\Gppipc32.exeC:\Windows\system32\Gppipc32.exe97⤵PID:2004
-
C:\Windows\SysWOW64\Gaafhloq.exeC:\Windows\system32\Gaafhloq.exe98⤵
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Glgjednf.exeC:\Windows\system32\Glgjednf.exe99⤵PID:2440
-
C:\Windows\SysWOW64\Gbqbaofc.exeC:\Windows\system32\Gbqbaofc.exe100⤵
- Drops file in System32 directory
PID:868 -
C:\Windows\SysWOW64\Ghmkjedk.exeC:\Windows\system32\Ghmkjedk.exe101⤵PID:2664
-
C:\Windows\SysWOW64\Heakcjcd.exeC:\Windows\system32\Heakcjcd.exe102⤵PID:2596
-
C:\Windows\SysWOW64\Hfbhkb32.exeC:\Windows\system32\Hfbhkb32.exe103⤵
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe104⤵PID:2972
-
C:\Windows\SysWOW64\Hhbdee32.exeC:\Windows\system32\Hhbdee32.exe105⤵PID:2164
-
C:\Windows\SysWOW64\Hicqmmfc.exeC:\Windows\system32\Hicqmmfc.exe106⤵PID:992
-
C:\Windows\SysWOW64\Hpmiig32.exeC:\Windows\system32\Hpmiig32.exe107⤵PID:1052
-
C:\Windows\SysWOW64\Hifmbmda.exeC:\Windows\system32\Hifmbmda.exe108⤵
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Hldjnhce.exeC:\Windows\system32\Hldjnhce.exe109⤵PID:2176
-
C:\Windows\SysWOW64\Hfjnla32.exeC:\Windows\system32\Hfjnla32.exe110⤵PID:832
-
C:\Windows\SysWOW64\Hlffdh32.exeC:\Windows\system32\Hlffdh32.exe111⤵PID:936
-
C:\Windows\SysWOW64\Hbqoqbho.exeC:\Windows\system32\Hbqoqbho.exe112⤵PID:1768
-
C:\Windows\SysWOW64\Hijgml32.exeC:\Windows\system32\Hijgml32.exe113⤵PID:2036
-
C:\Windows\SysWOW64\Ipdojfgh.exeC:\Windows\system32\Ipdojfgh.exe114⤵
- Drops file in System32 directory
PID:1480 -
C:\Windows\SysWOW64\Ibckfa32.exeC:\Windows\system32\Ibckfa32.exe115⤵
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Iimcclni.exeC:\Windows\system32\Iimcclni.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Iknpkd32.exeC:\Windows\system32\Iknpkd32.exe117⤵PID:2788
-
C:\Windows\SysWOW64\Idfdcijh.exeC:\Windows\system32\Idfdcijh.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2952 -
C:\Windows\SysWOW64\Ilnmdgkj.exeC:\Windows\system32\Ilnmdgkj.exe119⤵PID:2932
-
C:\Windows\SysWOW64\Imoilo32.exeC:\Windows\system32\Imoilo32.exe120⤵PID:2812
-
C:\Windows\SysWOW64\Idiaii32.exeC:\Windows\system32\Idiaii32.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:2620
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-