Analysis
-
max time kernel
200s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
18/11/2023, 03:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.0af59e69bf4e31a81289bdf6e6cfd870.exe
Resource
win7-20231023-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.0af59e69bf4e31a81289bdf6e6cfd870.exe
Resource
win10v2004-20231025-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.0af59e69bf4e31a81289bdf6e6cfd870.exe
-
Size
165KB
-
MD5
0af59e69bf4e31a81289bdf6e6cfd870
-
SHA1
b3b478d0c8405da5f073f195d1e88bf5c9599476
-
SHA256
c69b33fb2a65bf4149a164c8678c9a8876ec69d84c9beb6970298c92adae4e48
-
SHA512
b801fa302f09390dbd238a6f0f7915b6d6c878d408065eaef3bfaa700af21d95bdf9b0f10dbe7a794fc6651a9e3a8cade0a9110be8966e2ccc9752691cad835a
-
SSDEEP
3072:dM+ZFkI12Edd9iL0mpZCuT3vQfEdArGzHq+egM5bylnO/hZP:dLxUE7IL0KZCubQMdArGzHregqgnO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paihgboc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpplfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naebmppm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agjahooi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cohoqd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfimnmoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oecnkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdgoll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdgkkppm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njbanida.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhqmogam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiiogoac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbdepe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aohbaq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pogegeoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hahoodqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bakkad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfjmia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlqakaqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cobkja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkepnalk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmcfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdcbjhme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bomhnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiifjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oecnkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfhjmpam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldjmkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgcooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bojogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cibpoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eilodk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkolmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkolmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmlfcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohleappp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaiqnmgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmaeoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgogbano.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agjahooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpoeac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlbaljhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqlhbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Momqbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eogckqkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aghdboal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eloekf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghnaaljp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iccnmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkjggmal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooaflp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iomaaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cigijhne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hllffmbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmbeecaq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iniebmfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngajeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eghflc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmlfcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngdgkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iccnmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opaeok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noojfpbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igjckcbo.exe -
Executes dropped EXE 64 IoCs
pid Process 2848 Iopeoknn.exe 2536 Oihdjk32.exe 2216 Oeoeplfn.exe 2032 Oddbqhkf.exe 2452 Oecnkk32.exe 2780 Pkepnalk.exe 1876 Pogegeoj.exe 1104 Poibmdmh.exe 2244 Pmmcfi32.exe 548 Aglmbfdk.exe 1204 Acbnggjo.exe 2228 Ajociq32.exe 2256 Agccbenc.exe 2152 Acjdgf32.exe 2348 Bleilh32.exe 1756 Bfjmia32.exe 1592 Bebfpm32.exe 1316 Bomhnb32.exe 1320 Bdipfi32.exe 1548 Cmaeoo32.exe 2980 Dchpnd32.exe 2056 Dooqceid.exe 2836 Dlbaljhn.exe 2484 Dglbmg32.exe 2864 Dgoobg32.exe 2664 Dadcppbp.exe 2716 Dkmghe32.exe 1664 Ehlkfn32.exe 1444 Cabldeik.exe 2172 Fdmjmenh.exe 1524 Kiafff32.exe 2432 Opkpme32.exe 1400 Pmoqfi32.exe 988 Glgqlkdl.exe 1984 Gadidabc.exe 2116 Ghnaaljp.exe 2092 Gdgoll32.exe 2428 Gkaghf32.exe 904 Hekhid32.exe 2476 Hpplfm32.exe 1904 Hafbid32.exe 1580 Hllffmbb.exe 2644 Hahoodqi.exe 2912 Hdgkkppm.exe 2764 Igeggkoq.exe 2924 Iggdmkmn.exe 2260 Inaliedk.exe 2612 Igjabj32.exe 2832 Imgija32.exe 768 Iglngj32.exe 1988 Inffdd32.exe 1252 Iccnmk32.exe 2240 Ijmfiefj.exe 1092 Iqgofo32.exe 1748 Jfdgnf32.exe 268 Jkqpfmje.exe 1552 Jeidob32.exe 2112 Jnaihhgf.exe 2836 Jfhqiegh.exe 2664 Jkeialfp.exe 784 Jboanfmm.exe 2292 Jiiikq32.exe 1892 Jjjfbikh.exe 2916 Jadnoc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2772 NEAS.0af59e69bf4e31a81289bdf6e6cfd870.exe 2772 NEAS.0af59e69bf4e31a81289bdf6e6cfd870.exe 2848 Iopeoknn.exe 2848 Iopeoknn.exe 2536 Oihdjk32.exe 2536 Oihdjk32.exe 2216 Oeoeplfn.exe 2216 Oeoeplfn.exe 2032 Oddbqhkf.exe 2032 Oddbqhkf.exe 2452 Oecnkk32.exe 2452 Oecnkk32.exe 2780 Pkepnalk.exe 2780 Pkepnalk.exe 1876 Pogegeoj.exe 1876 Pogegeoj.exe 1104 Poibmdmh.exe 1104 Poibmdmh.exe 2244 Pmmcfi32.exe 2244 Pmmcfi32.exe 548 Aglmbfdk.exe 548 Aglmbfdk.exe 1204 Acbnggjo.exe 1204 Acbnggjo.exe 2228 Ajociq32.exe 2228 Ajociq32.exe 2256 Agccbenc.exe 2256 Agccbenc.exe 2152 Acjdgf32.exe 2152 Acjdgf32.exe 2348 Bleilh32.exe 2348 Bleilh32.exe 1756 Bfjmia32.exe 1756 Bfjmia32.exe 1592 Bebfpm32.exe 1592 Bebfpm32.exe 1316 Bomhnb32.exe 1316 Bomhnb32.exe 1320 Bdipfi32.exe 1320 Bdipfi32.exe 1548 Cmaeoo32.exe 1548 Cmaeoo32.exe 2980 Dchpnd32.exe 2980 Dchpnd32.exe 2056 Dooqceid.exe 2056 Dooqceid.exe 2836 Dlbaljhn.exe 2836 Dlbaljhn.exe 2484 Dglbmg32.exe 2484 Dglbmg32.exe 2864 Dgoobg32.exe 2864 Dgoobg32.exe 2664 Dadcppbp.exe 2664 Dadcppbp.exe 2716 Dkmghe32.exe 2716 Dkmghe32.exe 1664 Ehlkfn32.exe 1664 Ehlkfn32.exe 1444 Cabldeik.exe 1444 Cabldeik.exe 2172 Fdmjmenh.exe 2172 Fdmjmenh.exe 1524 Kiafff32.exe 1524 Kiafff32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lhhhjhkf.exe Lanpmn32.exe File created C:\Windows\SysWOW64\Ldbjai32.dll Napfihmn.exe File opened for modification C:\Windows\SysWOW64\Nkfpefme.exe Mbkladpj.exe File opened for modification C:\Windows\SysWOW64\Afmack32.exe Agjahooi.exe File opened for modification C:\Windows\SysWOW64\Ceiadj32.exe Cchdlb32.exe File created C:\Windows\SysWOW64\Lmajfp32.dll Lepihndm.exe File opened for modification C:\Windows\SysWOW64\Ngdgkf32.exe Ndekok32.exe File opened for modification C:\Windows\SysWOW64\Mdnffpif.exe Liibigjq.exe File opened for modification C:\Windows\SysWOW64\Kagkebpb.exe Jccjln32.exe File created C:\Windows\SysWOW64\Kmbeecaq.exe Kfhmhi32.exe File created C:\Windows\SysWOW64\Paihgboc.exe Phacnm32.exe File created C:\Windows\SysWOW64\Fclckhlb.dll Dbbkhnbc.exe File created C:\Windows\SysWOW64\Nngobapl.dll Bghcjk32.exe File opened for modification C:\Windows\SysWOW64\Bojogp32.exe Bllcke32.exe File opened for modification C:\Windows\SysWOW64\Hekhid32.exe Gkaghf32.exe File opened for modification C:\Windows\SysWOW64\Kmphpc32.exe Kffpcilf.exe File opened for modification C:\Windows\SysWOW64\Pinchq32.exe Pgfpoimj.exe File created C:\Windows\SysWOW64\Bkqnod32.dll Eghflc32.exe File created C:\Windows\SysWOW64\Dnfhnm32.dll Oddbqhkf.exe File created C:\Windows\SysWOW64\Pdopmade.dll Jadnoc32.exe File created C:\Windows\SysWOW64\Djoajm32.dll Lalchnfl.exe File created C:\Windows\SysWOW64\Oddbqhkf.exe Oeoeplfn.exe File created C:\Windows\SysWOW64\Jkqpfmje.exe Jfdgnf32.exe File created C:\Windows\SysWOW64\Hbbhdlgk.dll Jcjffc32.exe File created C:\Windows\SysWOW64\Mhpgeh32.dll Eiibok32.exe File created C:\Windows\SysWOW64\Jdnpck32.exe Jndgfqlh.exe File opened for modification C:\Windows\SysWOW64\Koogdg32.exe Kjbnlqld.exe File opened for modification C:\Windows\SysWOW64\Lebemmbk.exe Lkjadh32.exe File created C:\Windows\SysWOW64\Hepfllhh.dll Pbjpmmij.exe File created C:\Windows\SysWOW64\Komhoebi.dll Mdnffpif.exe File opened for modification C:\Windows\SysWOW64\Mhgbpb32.exe Mamjchoa.exe File created C:\Windows\SysWOW64\Mieimpkc.dll Nkmdmm32.exe File created C:\Windows\SysWOW64\Kjfhgp32.exe Koacjg32.exe File opened for modification C:\Windows\SysWOW64\Oekaab32.exe Opohil32.exe File opened for modification C:\Windows\SysWOW64\Cigijhne.exe Cfimnmoa.exe File created C:\Windows\SysWOW64\Oecnkk32.exe Oddbqhkf.exe File created C:\Windows\SysWOW64\Lebemmbk.exe Lkjadh32.exe File opened for modification C:\Windows\SysWOW64\Bfdhdj32.exe Bojogp32.exe File created C:\Windows\SysWOW64\Kjopnh32.exe Kgqcam32.exe File created C:\Windows\SysWOW64\Nkmdmm32.exe Nkjggmal.exe File opened for modification C:\Windows\SysWOW64\Iccnmk32.exe Inffdd32.exe File created C:\Windows\SysWOW64\Jfhqiegh.exe Jnaihhgf.exe File created C:\Windows\SysWOW64\Dclibfjc.dll Cojlfckj.exe File opened for modification C:\Windows\SysWOW64\Eebpil32.exe Ebddmq32.exe File opened for modification C:\Windows\SysWOW64\Bcodol32.exe Bpqgcq32.exe File created C:\Windows\SysWOW64\Bbdjgbdg.dll Oihdjk32.exe File opened for modification C:\Windows\SysWOW64\Npeaapmb.exe Eonhbg32.exe File created C:\Windows\SysWOW64\Agacff32.dll Poibmdmh.exe File opened for modification C:\Windows\SysWOW64\Hahoodqi.exe Hllffmbb.exe File opened for modification C:\Windows\SysWOW64\Aoeflamd.exe Afmack32.exe File created C:\Windows\SysWOW64\Gholdkmk.dll Bqbbpghe.exe File created C:\Windows\SysWOW64\Hafbid32.exe Hpplfm32.exe File created C:\Windows\SysWOW64\Ojbachjd.dll Kmbeecaq.exe File created C:\Windows\SysWOW64\Biehmiaj.dll Momckfid.exe File opened for modification C:\Windows\SysWOW64\Mlacdj32.exe Mfdklc32.exe File created C:\Windows\SysWOW64\Igmalekk.dll Ceiadj32.exe File opened for modification C:\Windows\SysWOW64\Lgaaiian.exe Lebemmbk.exe File created C:\Windows\SysWOW64\Obaqpg32.dll Lgcooh32.exe File opened for modification C:\Windows\SysWOW64\Cmaeoo32.exe Bdipfi32.exe File created C:\Windows\SysWOW64\Iccnmk32.exe Inffdd32.exe File opened for modification C:\Windows\SysWOW64\Ogfagmck.exe Noojfpbi.exe File opened for modification C:\Windows\SysWOW64\Mfdklc32.exe Momckfid.exe File created C:\Windows\SysWOW64\Bjgoff32.exe Bghcjk32.exe File created C:\Windows\SysWOW64\Djnjmoea.dll Glgqlkdl.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngmcpn32.dll" Dchpnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfhmhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngdgkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hahoodqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdcinjpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmijmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afmack32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgkfepdj.dll" Dmpedk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjpqc32.dll" Ehaleg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfjmia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imgija32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohgnoeii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgcooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geflbg32.dll" Ahnjefcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agccbenc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbdepe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cibpoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acbnggjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihkjgpf.dll" Jiiikq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odcqbapk.dll" Mhgbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obogji32.dll" Nnnmoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnkjfcik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmeocnah.dll" Laidie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjbcfc32.dll" Eogckqkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhqmogam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdhmoac.dll" Nnfgnibb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opaeok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aodkcd32.dll" Pogegeoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noojfpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooaflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqobdnq.dll" Oeidlc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbjpmmij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liibigjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmgjcjl.dll" Mmlfcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naebmppm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlhblc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bakkad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dchpnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldljqpli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jojaje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kigkmmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lepihndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngajeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndekok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmncadpc.dll" Eebpil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjgoff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opaeok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkmghe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hahoodqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igmalekk.dll" Ceiadj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lomdcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpjndh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cokdcc32.dll" Jccjln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilfmedlj.dll" Lepfoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljaplc32.dll" Liibigjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmpepjid.dll" Hebqbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iapghlbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgnjof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhlkkabh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdnffpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgbckhmc.dll" Noajmlnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Napfihmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paihgboc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bojogp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2772 wrote to memory of 2848 2772 NEAS.0af59e69bf4e31a81289bdf6e6cfd870.exe 29 PID 2772 wrote to memory of 2848 2772 NEAS.0af59e69bf4e31a81289bdf6e6cfd870.exe 29 PID 2772 wrote to memory of 2848 2772 NEAS.0af59e69bf4e31a81289bdf6e6cfd870.exe 29 PID 2772 wrote to memory of 2848 2772 NEAS.0af59e69bf4e31a81289bdf6e6cfd870.exe 29 PID 2848 wrote to memory of 2536 2848 Iopeoknn.exe 30 PID 2848 wrote to memory of 2536 2848 Iopeoknn.exe 30 PID 2848 wrote to memory of 2536 2848 Iopeoknn.exe 30 PID 2848 wrote to memory of 2536 2848 Iopeoknn.exe 30 PID 2536 wrote to memory of 2216 2536 Oihdjk32.exe 31 PID 2536 wrote to memory of 2216 2536 Oihdjk32.exe 31 PID 2536 wrote to memory of 2216 2536 Oihdjk32.exe 31 PID 2536 wrote to memory of 2216 2536 Oihdjk32.exe 31 PID 2216 wrote to memory of 2032 2216 Oeoeplfn.exe 32 PID 2216 wrote to memory of 2032 2216 Oeoeplfn.exe 32 PID 2216 wrote to memory of 2032 2216 Oeoeplfn.exe 32 PID 2216 wrote to memory of 2032 2216 Oeoeplfn.exe 32 PID 2032 wrote to memory of 2452 2032 Oddbqhkf.exe 33 PID 2032 wrote to memory of 2452 2032 Oddbqhkf.exe 33 PID 2032 wrote to memory of 2452 2032 Oddbqhkf.exe 33 PID 2032 wrote to memory of 2452 2032 Oddbqhkf.exe 33 PID 2452 wrote to memory of 2780 2452 Oecnkk32.exe 34 PID 2452 wrote to memory of 2780 2452 Oecnkk32.exe 34 PID 2452 wrote to memory of 2780 2452 Oecnkk32.exe 34 PID 2452 wrote to memory of 2780 2452 Oecnkk32.exe 34 PID 2780 wrote to memory of 1876 2780 Pkepnalk.exe 35 PID 2780 wrote to memory of 1876 2780 Pkepnalk.exe 35 PID 2780 wrote to memory of 1876 2780 Pkepnalk.exe 35 PID 2780 wrote to memory of 1876 2780 Pkepnalk.exe 35 PID 1876 wrote to memory of 1104 1876 Pogegeoj.exe 36 PID 1876 wrote to memory of 1104 1876 Pogegeoj.exe 36 PID 1876 wrote to memory of 1104 1876 Pogegeoj.exe 36 PID 1876 wrote to memory of 1104 1876 Pogegeoj.exe 36 PID 1104 wrote to memory of 2244 1104 Poibmdmh.exe 37 PID 1104 wrote to memory of 2244 1104 Poibmdmh.exe 37 PID 1104 wrote to memory of 2244 1104 Poibmdmh.exe 37 PID 1104 wrote to memory of 2244 1104 Poibmdmh.exe 37 PID 2244 wrote to memory of 548 2244 Pmmcfi32.exe 38 PID 2244 wrote to memory of 548 2244 Pmmcfi32.exe 38 PID 2244 wrote to memory of 548 2244 Pmmcfi32.exe 38 PID 2244 wrote to memory of 548 2244 Pmmcfi32.exe 38 PID 548 wrote to memory of 1204 548 Aglmbfdk.exe 39 PID 548 wrote to memory of 1204 548 Aglmbfdk.exe 39 PID 548 wrote to memory of 1204 548 Aglmbfdk.exe 39 PID 548 wrote to memory of 1204 548 Aglmbfdk.exe 39 PID 1204 wrote to memory of 2228 1204 Acbnggjo.exe 40 PID 1204 wrote to memory of 2228 1204 Acbnggjo.exe 40 PID 1204 wrote to memory of 2228 1204 Acbnggjo.exe 40 PID 1204 wrote to memory of 2228 1204 Acbnggjo.exe 40 PID 2228 wrote to memory of 2256 2228 Ajociq32.exe 41 PID 2228 wrote to memory of 2256 2228 Ajociq32.exe 41 PID 2228 wrote to memory of 2256 2228 Ajociq32.exe 41 PID 2228 wrote to memory of 2256 2228 Ajociq32.exe 41 PID 2256 wrote to memory of 2152 2256 Agccbenc.exe 42 PID 2256 wrote to memory of 2152 2256 Agccbenc.exe 42 PID 2256 wrote to memory of 2152 2256 Agccbenc.exe 42 PID 2256 wrote to memory of 2152 2256 Agccbenc.exe 42 PID 2152 wrote to memory of 2348 2152 Acjdgf32.exe 43 PID 2152 wrote to memory of 2348 2152 Acjdgf32.exe 43 PID 2152 wrote to memory of 2348 2152 Acjdgf32.exe 43 PID 2152 wrote to memory of 2348 2152 Acjdgf32.exe 43 PID 2348 wrote to memory of 1756 2348 Bleilh32.exe 44 PID 2348 wrote to memory of 1756 2348 Bleilh32.exe 44 PID 2348 wrote to memory of 1756 2348 Bleilh32.exe 44 PID 2348 wrote to memory of 1756 2348 Bleilh32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.0af59e69bf4e31a81289bdf6e6cfd870.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.0af59e69bf4e31a81289bdf6e6cfd870.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Iopeoknn.exeC:\Windows\system32\Iopeoknn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Oihdjk32.exeC:\Windows\system32\Oihdjk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Oeoeplfn.exeC:\Windows\system32\Oeoeplfn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Oddbqhkf.exeC:\Windows\system32\Oddbqhkf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Oecnkk32.exeC:\Windows\system32\Oecnkk32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Pkepnalk.exeC:\Windows\system32\Pkepnalk.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Pogegeoj.exeC:\Windows\system32\Pogegeoj.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Poibmdmh.exeC:\Windows\system32\Poibmdmh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Pmmcfi32.exeC:\Windows\system32\Pmmcfi32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Aglmbfdk.exeC:\Windows\system32\Aglmbfdk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Acbnggjo.exeC:\Windows\system32\Acbnggjo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Ajociq32.exeC:\Windows\system32\Ajociq32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Agccbenc.exeC:\Windows\system32\Agccbenc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Acjdgf32.exeC:\Windows\system32\Acjdgf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Bleilh32.exeC:\Windows\system32\Bleilh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Bfjmia32.exeC:\Windows\system32\Bfjmia32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Bebfpm32.exeC:\Windows\system32\Bebfpm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Bomhnb32.exeC:\Windows\system32\Bomhnb32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1316 -
C:\Windows\SysWOW64\Bdipfi32.exeC:\Windows\system32\Bdipfi32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\Cmaeoo32.exeC:\Windows\system32\Cmaeoo32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Dchpnd32.exeC:\Windows\system32\Dchpnd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Dooqceid.exeC:\Windows\system32\Dooqceid.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Dlbaljhn.exeC:\Windows\system32\Dlbaljhn.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Dglbmg32.exeC:\Windows\system32\Dglbmg32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Dgoobg32.exeC:\Windows\system32\Dgoobg32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Dadcppbp.exeC:\Windows\system32\Dadcppbp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Dkmghe32.exeC:\Windows\system32\Dkmghe32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Ehlkfn32.exeC:\Windows\system32\Ehlkfn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Cabldeik.exeC:\Windows\system32\Cabldeik.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1444 -
C:\Windows\SysWOW64\Fdmjmenh.exeC:\Windows\system32\Fdmjmenh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Kiafff32.exeC:\Windows\system32\Kiafff32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Opkpme32.exeC:\Windows\system32\Opkpme32.exe33⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Pmoqfi32.exeC:\Windows\system32\Pmoqfi32.exe34⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Glgqlkdl.exeC:\Windows\system32\Glgqlkdl.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\Gadidabc.exeC:\Windows\system32\Gadidabc.exe36⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Ghnaaljp.exeC:\Windows\system32\Ghnaaljp.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Gdgoll32.exeC:\Windows\system32\Gdgoll32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Gkaghf32.exeC:\Windows\system32\Gkaghf32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Hekhid32.exeC:\Windows\system32\Hekhid32.exe40⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Hpplfm32.exeC:\Windows\system32\Hpplfm32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Hafbid32.exeC:\Windows\system32\Hafbid32.exe42⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Hllffmbb.exeC:\Windows\system32\Hllffmbb.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Hahoodqi.exeC:\Windows\system32\Hahoodqi.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Hdgkkppm.exeC:\Windows\system32\Hdgkkppm.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Igeggkoq.exeC:\Windows\system32\Igeggkoq.exe46⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Iggdmkmn.exeC:\Windows\system32\Iggdmkmn.exe47⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Inaliedk.exeC:\Windows\system32\Inaliedk.exe48⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Igjabj32.exeC:\Windows\system32\Igjabj32.exe49⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Imgija32.exeC:\Windows\system32\Imgija32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Iglngj32.exeC:\Windows\system32\Iglngj32.exe51⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Inffdd32.exeC:\Windows\system32\Inffdd32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Iccnmk32.exeC:\Windows\system32\Iccnmk32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Ijmfiefj.exeC:\Windows\system32\Ijmfiefj.exe54⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Iqgofo32.exeC:\Windows\system32\Iqgofo32.exe55⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Jfdgnf32.exeC:\Windows\system32\Jfdgnf32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Jkqpfmje.exeC:\Windows\system32\Jkqpfmje.exe57⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Jeidob32.exeC:\Windows\system32\Jeidob32.exe58⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Jnaihhgf.exeC:\Windows\system32\Jnaihhgf.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Jfhqiegh.exeC:\Windows\system32\Jfhqiegh.exe60⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Jkeialfp.exeC:\Windows\system32\Jkeialfp.exe61⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Jboanfmm.exeC:\Windows\system32\Jboanfmm.exe62⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Jiiikq32.exeC:\Windows\system32\Jiiikq32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Jjjfbikh.exeC:\Windows\system32\Jjjfbikh.exe64⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Jadnoc32.exeC:\Windows\system32\Jadnoc32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Jccjln32.exeC:\Windows\system32\Jccjln32.exe66⤵
- Drops file in System32 directory
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Kagkebpb.exeC:\Windows\system32\Kagkebpb.exe67⤵PID:1980
-
C:\Windows\SysWOW64\Kgqcam32.exeC:\Windows\system32\Kgqcam32.exe68⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Kjopnh32.exeC:\Windows\system32\Kjopnh32.exe69⤵PID:872
-
C:\Windows\SysWOW64\Kmnljc32.exeC:\Windows\system32\Kmnljc32.exe70⤵PID:2436
-
C:\Windows\SysWOW64\Kcgdgnmc.exeC:\Windows\system32\Kcgdgnmc.exe71⤵PID:1256
-
C:\Windows\SysWOW64\Kffpcilf.exeC:\Windows\system32\Kffpcilf.exe72⤵
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Kmphpc32.exeC:\Windows\system32\Kmphpc32.exe73⤵PID:2892
-
C:\Windows\SysWOW64\Kcjqlm32.exeC:\Windows\system32\Kcjqlm32.exe74⤵PID:2688
-
C:\Windows\SysWOW64\Kfhmhi32.exeC:\Windows\system32\Kfhmhi32.exe75⤵
- Drops file in System32 directory
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Kmbeecaq.exeC:\Windows\system32\Kmbeecaq.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Kleeqp32.exeC:\Windows\system32\Kleeqp32.exe77⤵PID:2976
-
C:\Windows\SysWOW64\Kfkjnh32.exeC:\Windows\system32\Kfkjnh32.exe78⤵PID:2524
-
C:\Windows\SysWOW64\Kiifjd32.exeC:\Windows\system32\Kiifjd32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2808 -
C:\Windows\SysWOW64\Kpcngnob.exeC:\Windows\system32\Kpcngnob.exe80⤵PID:2800
-
C:\Windows\SysWOW64\Lepfoe32.exeC:\Windows\system32\Lepfoe32.exe81⤵
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Lpekln32.exeC:\Windows\system32\Lpekln32.exe82⤵PID:1620
-
C:\Windows\SysWOW64\Lebcdd32.exeC:\Windows\system32\Lebcdd32.exe83⤵PID:1628
-
C:\Windows\SysWOW64\Lkolmk32.exeC:\Windows\system32\Lkolmk32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1448 -
C:\Windows\SysWOW64\Laidie32.exeC:\Windows\system32\Laidie32.exe85⤵
- Modifies registry class
PID:576 -
C:\Windows\SysWOW64\Llnhgn32.exeC:\Windows\system32\Llnhgn32.exe86⤵PID:1780
-
C:\Windows\SysWOW64\Lomdcj32.exeC:\Windows\system32\Lomdcj32.exe87⤵
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Ldjmkq32.exeC:\Windows\system32\Ldjmkq32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2368 -
C:\Windows\SysWOW64\Lmbadfdl.exeC:\Windows\system32\Lmbadfdl.exe89⤵PID:876
-
C:\Windows\SysWOW64\Ldljqpli.exeC:\Windows\system32\Ldljqpli.exe90⤵
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Liibigjq.exeC:\Windows\system32\Liibigjq.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Mdnffpif.exeC:\Windows\system32\Mdnffpif.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Mikooghn.exeC:\Windows\system32\Mikooghn.exe93⤵PID:1356
-
C:\Windows\SysWOW64\Mcccglnn.exeC:\Windows\system32\Mcccglnn.exe94⤵PID:2024
-
C:\Windows\SysWOW64\Mojdlm32.exeC:\Windows\system32\Mojdlm32.exe95⤵PID:2276
-
C:\Windows\SysWOW64\Momqbm32.exeC:\Windows\system32\Momqbm32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1964 -
C:\Windows\SysWOW64\Mefiog32.exeC:\Windows\system32\Mefiog32.exe97⤵PID:1788
-
C:\Windows\SysWOW64\Mlqakaqi.exeC:\Windows\system32\Mlqakaqi.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1680 -
C:\Windows\SysWOW64\Mamjchoa.exeC:\Windows\system32\Mamjchoa.exe99⤵
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Mhgbpb32.exeC:\Windows\system32\Mhgbpb32.exe100⤵
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Noajmlnj.exeC:\Windows\system32\Noajmlnj.exe101⤵
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Napfihmn.exeC:\Windows\system32\Napfihmn.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Nhjofbdk.exeC:\Windows\system32\Nhjofbdk.exe103⤵PID:2232
-
C:\Windows\SysWOW64\Nnfgnibb.exeC:\Windows\system32\Nnfgnibb.exe104⤵
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Nhlkkabh.exeC:\Windows\system32\Nhlkkabh.exe105⤵
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Nkjggmal.exeC:\Windows\system32\Nkjggmal.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Nkmdmm32.exeC:\Windows\system32\Nkmdmm32.exe107⤵
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Nqjmec32.exeC:\Windows\system32\Nqjmec32.exe108⤵PID:2004
-
C:\Windows\SysWOW64\Nchiao32.exeC:\Windows\system32\Nchiao32.exe109⤵PID:2776
-
C:\Windows\SysWOW64\Njbanida.exeC:\Windows\system32\Njbanida.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2804 -
C:\Windows\SysWOW64\Nnnmoh32.exeC:\Windows\system32\Nnnmoh32.exe111⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Noojfpbi.exeC:\Windows\system32\Noojfpbi.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Ogfagmck.exeC:\Windows\system32\Ogfagmck.exe113⤵PID:1916
-
C:\Windows\SysWOW64\Ohgnoeii.exeC:\Windows\system32\Ohgnoeii.exe114⤵
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Ooaflp32.exeC:\Windows\system32\Ooaflp32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Cefpmiji.exeC:\Windows\system32\Cefpmiji.exe116⤵PID:1316
-
C:\Windows\SysWOW64\Eogckqkk.exeC:\Windows\system32\Eogckqkk.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Hebqbl32.exeC:\Windows\system32\Hebqbl32.exe118⤵
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Hhqmogam.exeC:\Windows\system32\Hhqmogam.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Hojeka32.exeC:\Windows\system32\Hojeka32.exe120⤵PID:944
-
C:\Windows\SysWOW64\Iedmhlqf.exeC:\Windows\system32\Iedmhlqf.exe121⤵PID:3000
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-